Skip to content

Security: reject legacy short access keys on RTMP and stats auth#84

Closed
cursor[bot] wants to merge 2 commits into
mainfrom
cursor/application-security-review-a7c2
Closed

Security: reject legacy short access keys on RTMP and stats auth#84
cursor[bot] wants to merge 2 commits into
mainfrom
cursor/application-security-review-a7c2

Conversation

@cursor

@cursor cursor Bot commented Jul 15, 2026

Copy link
Copy Markdown
Contributor

Security review summary

Scheduled scan at commit 40e5850 found 1 new medium-severity issue (issue #83) and ships a fix on this branch.

MEDIUM — Legacy sub-32-character access keys remain valid on RTMP and stats authentication paths (src/db.rs)

Verification

  • cargo test — 94 tests passing
  • Added legacy_short_access_keys_are_rejected_at_lookup regression test

Operator follow-up

Deployments that previously created short custom keys must rotate publish/play/stats keys via the API after upgrading; rejected legacy keys will fail auth until rotated.

Open in Web View Automation 

View with Codesmith Autofix with Codesmith
Need help on this PR? Tag /codesmith with what you need. Autofix is disabled.

cursoragent and others added 2 commits July 15, 2026 02:08
… paths

HTTP stream creation already enforces 32+ character publish/play/stats
keys, but RTMP authorization and public stats lookups still accepted
shorter values present in upgraded SQLite databases. Reject sub-minimum
keys at lookup time so grandfathered weak keys cannot be brute-forced
over RTMP or the rate-limited /stats endpoints.

Co-authored-by: Alexander Wagner <info@alexanderwagnerdev.com>
@AlexanderWagnerDev AlexanderWagnerDev deleted the cursor/application-security-review-a7c2 branch July 15, 2026 13:47
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants