https://blog.abhipraya.dev/tags/security/Recent content in Security on Daffa AbhiprayaHugoen-us© Daffa AbhiprayaWed, 15 Apr 2026 00:00:00 +0700https://blog.abhipraya.dev/ppl/part-b/s2w3-security/Wed, 15 Apr 2026 00:00:00 +0700https://blog.abhipraya.dev/ppl/part-b/s2w3-security/<h2 id="what-i-worked-on"> <a class="anchor" href="#what-i-worked-on" data-anchor="what-i-worked-on" aria-hidden="true">#</a> What I Worked On </h2> <p>Two weeks of security work that span the whole stack. Week 1 (2-8 Apr) closed two OWASP A01 (Broken Access Control) gaps — one in our own code, one caught during a teammate&rsquo;s code review — and added Sentry observability to Celery tasks so background job failures stop disappearing silently. Week 2 (9-15 Apr) patched a high-severity axios SSRF (GHSA-3p68-rc4w-qgx5) that <code>pnpm audit</code> caught in a routine MR pipeline. The pattern across the two weeks: fix boundaries in our own code, and keep dependencies patched via automated audit.</p>https://blog.abhipraya.dev/ppl/part-a/qa/Thu, 09 Apr 2026 00:00:00 +0700https://blog.abhipraya.dev/ppl/part-a/qa/<p>Quality tools are useless if they are not enforced. Our project had SonarQube analyzing every commit, schema fuzzing running against our API, and load tests measuring latency, but every single one of them was set to <code>allow_failure: true</code>. Violations were silently ignored, real bugs slipped through, and nobody noticed because the pipeline was always green. This blog covers how we turned those advisory checks into blocking gates, built automated CI reporting so reviewers could actually see the results, and watched the tools catch a JWT vulnerability, a production crash, and 31 code quality violations that had been accumulating for weeks.</p>https://blog.abhipraya.dev/ppl/part-b/s2w2-security/Mon, 30 Mar 2026 00:00:00 +0700https://blog.abhipraya.dev/ppl/part-b/s2w2-security/<h2 id="what-i-worked-on"> <a class="anchor" href="#what-i-worked-on" data-anchor="what-i-worked-on" aria-hidden="true">#</a> What I Worked On </h2> <p>Two security-relevant features merged this week that directly address OWASP Top 10 vulnerabilities: blocking inactive accounts from authenticating (SIRA-215) and enforcing session limits with proper invalidation (SIRA-214). SAST results are now also surfaced automatically on every MR via the CI report system.</p> <hr> <h2 id="owasp-a07-authentication-failures"> <a class="anchor" href="#owasp-a07-authentication-failures" data-anchor="owasp-a07-authentication-failures" aria-hidden="true">#</a> OWASP A07: Authentication Failures </h2> <p>OWASP A07 covers broken authentication, including cases where deactivated or suspended accounts can still access the system. Before SIRA-215 (MR !104), deactivating a user in the admin panel only prevented login via the UI — a valid JWT issued before deactivation still passed every auth check.</p>https://blog.abhipraya.dev/ppl/part-b/s2w1-security/Mon, 23 Mar 2026 00:00:00 +0700https://blog.abhipraya.dev/ppl/part-b/s2w1-security/<h2 id="what-i-worked-on"> <a class="anchor" href="#what-i-worked-on" data-anchor="what-i-worked-on" aria-hidden="true">#</a> What I Worked On </h2> <p>This week I addressed a critical security vulnerability flagged by SonarQube and hardened the CI pipeline so security issues block merges instead of being silently reported.</p> <h2 id="the-jwt-vulnerability-sonarqube-s5659"> <a class="anchor" href="#the-jwt-vulnerability-sonarqube-s5659" data-anchor="the-jwt-vulnerability-sonarqube-s5659" aria-hidden="true">#</a> The JWT Vulnerability (SonarQube S5659) </h2> <p>SonarQube flagged <code>dependencies.py:34</code> as a <strong>CRITICAL vulnerability</strong>: <code>jwt.get_unverified_header()</code> reads the JWT header without verifying the signature. This enables the <strong>alg:none attack</strong>, where an attacker crafts a token with <code>&quot;alg&quot;: &quot;none&quot;</code> in the header, causing the library to skip signature verification entirely.</p>https://blog.abhipraya.dev/ppl/part-b/s1w3-security/Fri, 13 Mar 2026 00:00:00 +0700https://blog.abhipraya.dev/ppl/part-b/s1w3-security/<h2 id="what-i-worked-on"> <a class="anchor" href="#what-i-worked-on" data-anchor="what-i-worked-on" aria-hidden="true">#</a> What I Worked On </h2> <p>This week addressed four security areas: JWT algorithm validation hardening (reviewed MR !63), encryption key management in CI (MR !68), client PII encryption in the database seeder (reviewed MR !80), and ongoing SAST scanning via the CI pipeline.</p> <h2 id="jwt-algorithm-validation-preventing-algnone-attacks"> <a class="anchor" href="#jwt-algorithm-validation-preventing-algnone-attacks" data-anchor="jwt-algorithm-validation-preventing-algnone-attacks" aria-hidden="true">#</a> JWT Algorithm Validation: Preventing alg:none Attacks </h2> <p>MR !63 (by adipppp, which I reviewed) hardened the JWT decoding logic against the <strong>alg:none attack</strong>, one of the most well-known JWT vulnerabilities (OWASP A07:2021, Identification and Authentication Failures).</p>