Security context

What an agent needs to avoid regressing past fixes and find the next vuln in this repo.

bricks-cloud/BricksLLM
main @ c7d80a6
23
Fixes
0
CVEs
HIGH
Peak severity
Highlights
Auth Bypass: 15 prior fixes. Scrutinize any change in this area.
internal/policy/policy.go: most-fixed (4 issues). Treat as high-risk during review.
11 high-severity fixes in this history; regressions here are high-impact.
Recurring patterns

The bug types that recur here, drawn from past fixes, not open vulnerabilities.

Auth Bypass: Misconfigured path prefix and provider access validations historically allowed bypasses of target provider boundaries (e.g., Bedrock or vLLM routes). Strict validation of the correlation between requested endpoint paths and approved provider configurations must be enforced.
Auth Bypass: The proxy middleware layer is prone to execution bypasses, such as ignoring policy inspection results, missing nil checks on policy inputs, or skipping limit enforcement during downstream unmarshalling failures.
Auth Bypass: Flaws in evaluating consumer identity fields (e.g., using an unpopulated UserId field instead of Id) or off-by-one errors in rate limit math let users exceed defined usage and cost thresholds.