name: security-review
description: Runs a full security review of DedupEndNote covering OWASP Top 10 plus DoS and resource-exhaustion risks. Use when the user asks for a security review, security audit, vulnerability check, or mentions OWASP. Already-fixed risks (path traversal, DOM XSS, error exposure, actuator hardening) are noted as closed so the review focuses on remaining concerns: DoS via large uploads and unbounded concurrent runs, user file namespace collisions in the shared upload directory, WebSocket topic access, missing HTTP security headers, and RIS input content validation. Outputs a prioritised finding list with severity, location, and recommended fix.
DedupEndNote Security Review
Application context (read before reviewing)
- Spring Boot 4.0 / Java 21, port 9777, fat JAR, no authentication — intentional public tool
- 150 MB upload limit; virtual threads for concurrent dedup runs; WebSocket progress reporting
- All uploads land in a single shared directory — no per-user or per-session isolation
- O(n²) pair comparison bucketed by year; large files are CPU- and memory-intensive
Already fixed — do not re-report unless regression found:
| Risk | Fix |
|---|
| Path traversal (upload, download, start endpoints) | UtilitiesService.resolveInUploadDir validates all user-supplied filenames |
| DOM-based XSS via filename | All .html(userValue) sinks replaced with .text() / $('<span>').text() |
| Error / stack-trace exposure | GlobalExceptionHandler returns generic messages; log.error only |
| Actuator over-exposure | management.endpoints.web.exposure.include=health,info in dev profile |
Review checklist
Report each finding as: [SEVERITY] file:line — risk — fix.
Severity scale: Critical / High / Medium / Low / Info.
DoS and resource exhaustion ← primary focus for this project
User file namespace collisions
WebSocket
OWASP A01 — Broken Access Control
OWASP A02 — Cryptographic Failures
OWASP A03 — Injection
OWASP A05 — Security Misconfiguration
OWASP A06 — Vulnerable Components
OWASP A07 — Auth / Identity failures (accepted risk)
OWASP A08 — Software & Data Integrity
OWASP A09 — Logging & Monitoring
OWASP A10 — SSRF
Output format
[SEVERITY] Short title
Location : file:line (or "N/A — design-level")
Risk : one sentence
Fix : concrete recommendation
End with a summary table: open findings by severity, and a list of risks accepted by design.
Reference
.plans/2026-06-02-1615-owasp-risk-analysis.md — full original analysis and what each priority tier fixed.