Highlights
Auth Bypass: 11 prior fixes. Scrutinize any change in this area.
common/src/main/java/com/hmdm/rest/filter/AuthFilter.java: most-fixed (2 issues). Treat as high-risk during review.
13 high-severity fixes in this history; regressions here are high-impact.
Recurring patterns
The bug types that recur here, drawn from past fixes, not open vulnerabilities.
Auth Bypass: Session and context validation historically relied on mutable cookie values and lacked validation against verified database user records, allowing privilege escalation. Developers must ensure the security context is continuously re-initialized against the active database state.
Command Injection: Arbitrary shell execution of the 'aapt' tool allowed command injection through unsanitized file paths and metadata. This was resolved by replacing runtime command execution with a structured parser (APKFileAnalyzer).
Auth Bypass: The platform used a static, hardcoded JWT signing secret that allowed attackers to forge administrative tokens. This requires a strong, dynamically generated cryptographically random key initialized at startup.