[C2] Unauthenticated downloads.rs: hardcoded prod relay URL + default API-key fallback + false support-embedding docstring #11

Open
opened 2026-06-05 17:35:00 -07:00 by azcomputerguru · 0 comments

Severity: Critical

Component(s): server

Affected file(s):

  • server/src/api/downloads.rs

Problem:
downloads.rs contains a hardcoded production relay URL plus a "managed-agent" default API-key fallback, and a support-download docstring that claims it embeds a value it does not actually embed.

Recommended fix:
Move the URL and key into Config/AppState, have handlers take State, implement (or correct the docstring for) support embedding, and remove the default key.

Remediation phase: P0 (SPEC-019)

From the 2026-06-05 three-way review (Claude+Gemini+Grok) — see reports/review-2026-06-05/SYNTHESIS-three-way.md (finding C2) and REMEDIATION-PLAN.md (P0).
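The weak shape the issue reports beside the configuration-backed shape the recommended fix calls for, as an added illustration that is not the project's own code: the environment-variable names, the `AppState` fields, the placeholder relay URL and the handler-side check are assumptions, and in the real server `AppState` would be handed to handlers through the web framework's `State` extractor rather than passed by reference.

```rust
use std::collections::HashMap;

/// Settings every download handler needs; built once at startup and
/// shared through application state instead of being read inside handlers.
#[derive(Clone)]
pub struct AppState {
    pub relay_url: String,
    pub api_key: String,
}

/// Weak shape (what the issue describes): a production relay URL baked into
/// the binary and a "managed-agent" default key used whenever none is set.
/// Every deployment that forgets to set the key accepts the same known value.
pub fn weak_state(vars: &HashMap<String, String>) -> AppState {
    AppState {
        // placeholder standing in for the hardcoded production URL
        relay_url: "https://relay.example.invalid".to_string(),
        api_key: vars
            .get("DOWNLOADS_API_KEY")
            .cloned()
            .unwrap_or_else(|| "managed-agent".to_string()),
    }
}

/// Corrected shape: both values come from configuration, and a missing or
/// empty key is a startup error rather than a silent fallback.
pub fn load_state(vars: &HashMap<String, String>) -> Result<AppState, String> {
    let relay_url = vars
        .get("RELAY_URL")
        .filter(|v| !v.is_empty())
        .ok_or("RELAY_URL is not set")?;
    let api_key = vars
        .get("DOWNLOADS_API_KEY")
        .filter(|v| !v.is_empty())
        .ok_or("DOWNLOADS_API_KEY is not set; refusing to start with a default key")?;
    Ok(AppState { relay_url: relay_url.clone(), api_key: api_key.clone() })
}

/// Handler-side check that reads the key from shared state, not a global.
/// Length check plus constant-time fold avoids leaking how many bytes matched.
pub fn authorize_download(state: &AppState, presented: &str) -> bool {
    let (a, b) = (state.api_key.as_bytes(), presented.as_bytes());
    if a.len() != b.len() {
        return false;
    }
    a.iter().zip(b).fold(0u8, |acc, (x, y)| acc | (x ^ y)) == 0
}
```

With the corrected loader, a deployment that omits `DOWNLOADS_API_KEY` fails at startup instead of silently serving downloads to anyone presenting the default key.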

azcomputerguru added the severity:critical, component:server, security labels 2026-06-05 17:35:00 -07:00

Reference: azcomputerguru/guru-connect#11