# ATP Work Session: 2026-06-16 Project Analysis

## Objective

Introduce a docs/ workflow scaffold and record a read-only full-project analysis focused on architecture, security, quality, and domain behavior.

## Constraints

- Do not modify `src/`.
- Do not modify `pom.xml`.
- Documentation and project guidance files only.

## Files Added

- `docs/index.md`
- `docs/analysis/README.md`
- `docs/analysis/2026-06-16-project-analysis.md`
- `docs/security/README.md`
- `docs/security/security-remediation-checklist.md`
- `docs/architecture/README.md`
- `docs/development/README.md`
- `docs/adr/README.md`
- `CLAUDE.md`
- `.atp/work-session`
- `.serena/project.yml`

## Files Updated

- `docs/db-update-query-generator.md`
- `docs/user-signup-schema.md`

## Findings

- No SQL injection surface was found in the scanned mapper/controller code: MyBatis mapper SQL uses `#{}` parameter binding, and no `${}` string substitution was found.
- Password storage uses PBKDF2-SHA256 with 210,000 iterations.
- Most state-changing endpoints use `CsrfTokens.isValid`.
- `POST /login` and `POST /signup` do not validate CSRF and are the primary MED security gap.
- Prototype leftovers include `abstracts`, `header.jspf`, and the empty `GameCatalog`.
- Likes/comments have mapper/schema traces, but the game detail UI persists them only in `localStorage`.
- Tests are currently insufficient for security regressions.
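The first finding rests on the difference between MyBatis `#{}`, which becomes a JDBC bind parameter, and `${}`, which is spliced into the SQL text as-is. The program below is an added example, not code from this session or from the project: it reproduces the read-only check by scanning mapper sources for `${}` occurrences and reporting file and line, and it goes slightly beyond the session by covering annotated Java mappers as well as mapper XML. The file-name patterns (`*Mapper.xml`, `*Mapper.java`), the constructed sample statements, and the regex are this example's own assumptions.

```java
// Added example (not part of the session record or the project's code): a
// read-only scan for MyBatis `${}` string substitution in mapper sources.
// Assumptions: mapper files are named *Mapper.xml or *Mapper.java and live
// under the directory given as the first argument; the sample text is constructed.
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;
import java.util.stream.Stream;

public class MapperSubstitutionScan {

    /** One `${...}` occurrence: file, 1-based line number, and the offending line. */
    public record Hit(Path file, int line, String text) {}

    // `${name}` is raw string substitution; `#{name}` is a bind parameter and is ignored.
    private static final Pattern DOLLAR = Pattern.compile("\\$\\{[^}]*\\}");

    /** Scan one file's text; returns every line that contains `${...}`. */
    public static List<Hit> scanText(Path file, String content) {
        List<Hit> hits = new ArrayList<>();
        String[] lines = content.split("\\R", -1);
        for (int i = 0; i < lines.length; i++) {
            if (DOLLAR.matcher(lines[i]).find()) {
                hits.add(new Hit(file, i + 1, lines[i].trim()));
            }
        }
        return hits;
    }

    /** Walk a source tree and scan mapper XML plus annotated Java mappers. */
    public static List<Hit> scanTree(Path root) throws IOException {
        List<Hit> hits = new ArrayList<>();
        try (Stream<Path> paths = Files.walk(root)) {
            for (Path p : (Iterable<Path>) paths::iterator) {
                String name = p.getFileName().toString();
                boolean mapper = name.endsWith("Mapper.xml") || name.endsWith("Mapper.java");
                if (Files.isRegularFile(p) && mapper) {
                    hits.addAll(scanText(p, Files.readString(p, StandardCharsets.UTF_8)));
                }
            }
        }
        return hits;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample: a safe bound statement next to the pattern the scan flags.
        String sample = String.join("\n",
            "<select id=\"findById\">SELECT * FROM game WHERE id = #{id}</select>",
            "<select id=\"sortBy\">SELECT * FROM game ORDER BY ${column}</select>");
        for (Hit h : scanText(Paths.get("constructed-GameMapper.xml"), sample)) {
            System.out.println(h.file() + ":" + h.line() + ": " + h.text());
        }
        // Real scan when a directory is supplied, e.g. src/main/resources.
        if (args.length > 0) {
            for (Hit h : scanTree(Paths.get(args[0]))) {
                System.out.println(h.file() + ":" + h.line() + ": " + h.text());
            }
        }
    }
}
```

Run with the project's resource or source root as the argument; an empty result for the real tree is the evidence the finding records. Any hit deserves a look, because `${}` is sometimes legitimate (a column name chosen from a fixed allow-list) but is never safe with user-controlled input.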

## Next Work

- B1: Add CSRF validation to login/signup.
- B2: Remove or document prototype dead code.
- B3: Connect likes/comments to server persistence after policy decisions.
- B4: Pin Spring Boot release version, harden session cookies, and add dependency CVE scanning.
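B1 as a concrete change, written as an added example rather than the project's own implementation: a servlet filter that rejects `POST /login` and `POST /signup` when the submitted token does not match the one bound to the session. Assumptions: the Jakarta Servlet API (the Spring Boot 3 line), a session attribute named `csrfToken` set when the form is rendered, a form field named `_csrf`, and a local `tokenMatches` helper standing in for the project's `CsrfTokens.isValid`, whose signature is not shown on this page.

```java
// Added example (not the project's own code): closes the B1 gap by validating
// a session-bound CSRF token on POST /login and POST /signup.
// Assumptions: Jakarta Servlet API; the attribute and field names below are
// this example's choices; tokenMatches() stands in for CsrfTokens.isValid.
import jakarta.servlet.Filter;
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.ServletRequest;
import jakarta.servlet.ServletResponse;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import jakarta.servlet.http.HttpSession;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Set;

public class AuthFormCsrfFilter implements Filter {

    public static final String SESSION_ATTR = "csrfToken";  // assumed attribute name
    public static final String FORM_FIELD = "_csrf";        // assumed form field name
    private static final Set<String> PROTECTED_PATHS = Set.of("/login", "/signup");
    private static final SecureRandom RNG = new SecureRandom();

    /** Issue (or reuse) the session-bound token when rendering the login/signup form. */
    public static String issueToken(HttpSession session) {
        Object existing = session.getAttribute(SESSION_ATTR);
        if (existing instanceof String s) return s;
        byte[] raw = new byte[32];
        RNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        session.setAttribute(SESSION_ATTR, token);
        return token;
    }

    /** Constant-time comparison; stand-in for the project's CsrfTokens.isValid. */
    static boolean tokenMatches(String expected, String submitted) {
        if (expected == null || submitted == null) return false;
        return MessageDigest.isEqual(
            expected.getBytes(StandardCharsets.UTF_8),
            submitted.getBytes(StandardCharsets.UTF_8));
    }

    /** Only state-changing POSTs to the two unprotected endpoints are checked. */
    static boolean needsCheck(HttpServletRequest req) {
        String path = req.getRequestURI().substring(req.getContextPath().length());
        return "POST".equalsIgnoreCase(req.getMethod()) && PROTECTED_PATHS.contains(path);
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse res = (HttpServletResponse) response;
        if (needsCheck(req)) {
            // No session means no token was ever issued to this client: reject.
            HttpSession session = req.getSession(false);
            Object expected = session == null ? null : session.getAttribute(SESSION_ATTR);
            if (!(expected instanceof String e) || !tokenMatches(e, req.getParameter(FORM_FIELD))) {
                res.sendError(HttpServletResponse.SC_FORBIDDEN, "invalid CSRF token");
                return;
            }
        }
        chain.doFilter(request, response);
    }
}
```

Register the filter on the two paths (for example via a `FilterRegistrationBean` in Spring Boot) and have the form views call `issueToken` so the hidden `_csrf` field is populated. Login and signup still need the pre-authentication session that holds the token, so the login handler should also rotate the session id after a successful login and issue a fresh token for the authenticated session, which keeps the check coherent with the session-cookie hardening planned under B4.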