Drop Remediation Tracker

Current security control state for the Phenom Drop pipeline. Every finding has been remediated and its control is active and deployed.

Status Dashboard

Last Updated: 2026-03-09

Overall Status: GREEN. All 4 fail-safe scenarios pass. All findings remediated.

Fail-Safe Scenarios

| # | Scenario | Status | Resolution |
|---|----------|--------|------------|
| 1 | Reverse shell in .mp4 | GREEN | Files land inert in S3. Magic byte detection + ClamAV reject non-media. |
| 2 | Unauthenticated file access | GREEN | Both S3 buckets block public access. API Gateway password-protected. |
| 3 | Chain of custody | GREEN | SHA-256 hash embedded in S3 metadata, verified against uploaded bytes. |
| 4 | GPS metadata leak | GREEN | metadata-stripper Lambda creates EXIF/GPS-free copy at public/ prefix. |

```mermaid
graph LR
    S1("Scenario 1<br/>Reverse Shell") --> G1("GREEN")
    S2("Scenario 2<br/>Unauth Access") --> G2("GREEN")
    S3("Scenario 3<br/>Chain of Custody") --> G3("GREEN")
    S4("Scenario 4<br/>GPS Leak") --> G4("GREEN")

    style G1 fill:#51cf66,color:#fff
    style G2 fill:#51cf66,color:#fff
    style G3 fill:#51cf66,color:#fff
    style G4 fill:#51cf66,color:#fff
```

Critical Findings

| ID | Finding | Current State | Component |
|----|---------|---------------|-----------|
| C1 | ClamAV fail-closed | Active: ClamAV enabled; Lambda fails closed on init failure | file-validator Lambda |
| C2 | Metadata stripping | Active: metadata-stripper Lambda strips EXIF/GPS/IPTC/XMP before public copy | metadata-stripper Lambda |
| C3 | SVG blocked | Active: image/svg+xml absent from allowed_image_types; magic byte check enforces true type | variables.tf |
| C4 | Hash binding | Active: SHA-256 embedded in S3 object metadata at URL generation; file-validator verifies on upload | presigned-url-gen + file-validator |
| C5 | GDPR marketing consent | Active: Brevo enrollment gated behind explicit opt-in; marketing_consent field enforced server-side | drop-hash-log.py |
| C6 | Admin API auth | Active: API key required for all admin endpoints; key loaded from .drop-admin-key | drop-hash-log.py |
| C7 | Upload validation | Active: fileHash and email both required; HTTP 400 if either absent | drop-hash-log.py |
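As an added illustration, not the project's file-validator code, the following Python sketches the checks that scenarios 1 and 3 and findings C1, C3 and C4 describe: magic-byte sniffing that ignores the declared type (so an SVG or a script renamed to .mp4 is rejected), comparison of the uploaded bytes' SHA-256 against the hash bound at URL generation, and fail-closed handling when the scanner cannot start. The accepted media types, the sample inputs and the scanner callbacks are constructed assumptions for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Callable, Optional

# Standard file signatures for the media types this example assumes the pipeline
# accepts (the accepted set is an assumption, not taken from the tracker).
# Each entry is (offset, bytes): MP4 carries "ftyp" at offset 4, after the box size.
MAGIC_SIGNATURES = {
    "image/jpeg": [(0, b"\xff\xd8\xff")],
    "image/png": [(0, b"\x89PNG\r\n\x1a\n")],
    "image/gif": [(0, b"GIF87a"), (0, b"GIF89a")],
    "video/mp4": [(4, b"ftyp")],
}
# image/svg+xml is deliberately absent, mirroring finding C3.
ALLOWED_TYPES = frozenset(MAGIC_SIGNATURES)


class ScannerUnavailable(Exception):
    """Raised by the scan callback when the AV engine could not be initialised."""


@dataclass(frozen=True)
class ValidationResult:
    accepted: bool
    reason: str
    detected_type: Optional[str] = None


def sniff_media_type(data: bytes) -> Optional[str]:
    """Return the allowed media type whose magic bytes match, else None."""
    for media_type, signatures in MAGIC_SIGNATURES.items():
        for offset, sig in signatures:
            if data[offset:offset + len(sig)] == sig:
                return media_type
    return None


def validate_upload(
    data: bytes,
    declared_type: str,
    expected_sha256: str,
    scan: Callable[[bytes], bool],
) -> ValidationResult:
    """Apply the checks in order; the first failure rejects the object."""
    detected = sniff_media_type(data)
    if detected is None or detected not in ALLOWED_TYPES:
        return ValidationResult(False, "magic bytes match no allowed media type", None)
    if detected != declared_type:
        return ValidationResult(False, f"declared {declared_type} but bytes are {detected}", detected)
    actual = hashlib.sha256(data).hexdigest()
    # Constant-time comparison against the hash stored in S3 metadata (C4).
    if not hmac.compare_digest(actual, expected_sha256.lower()):
        return ValidationResult(False, "SHA-256 mismatch against the hash bound at URL generation", detected)
    try:
        clean = scan(data)
    except ScannerUnavailable:
        # Fail closed (C1): a scanner that cannot start never lets bytes through.
        return ValidationResult(False, "scanner unavailable; failing closed", detected)
    if not clean:
        return ValidationResult(False, "scanner flagged the object", detected)
    return ValidationResult(True, "accepted", detected)


# Constructed sample inputs: a minimal MP4 header, an SVG document, and a plain
# text script uploaded under a video type. None of these come from the pipeline.
MP4_SAMPLE = b"\x00\x00\x00\x18ftypisom\x00\x00\x02\x00isomiso2mp41"
SVG_SAMPLE = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/></svg>'
SCRIPT_SAMPLE = b"#!/bin/sh\necho 'not a video'\n"


def scanner_clean(data: bytes) -> bool:
    """Stand-in for a working ClamAV call that finds nothing."""
    return True


def scanner_down(data: bytes) -> bool:
    """Stand-in for ClamAV failing to initialise."""
    raise ScannerUnavailable("clamd not reachable")


def bound_hash(data: bytes) -> str:
    """The SHA-256 the presigned-url-gen step would have stored in S3 metadata."""
    return hashlib.sha256(data).hexdigest()


if __name__ == "__main__":
    cases = [
        ("good mp4", MP4_SAMPLE, "video/mp4", bound_hash(MP4_SAMPLE), scanner_clean),
        ("svg", SVG_SAMPLE, "image/svg+xml", bound_hash(SVG_SAMPLE), scanner_clean),
        ("script as mp4", SCRIPT_SAMPLE, "video/mp4", bound_hash(SCRIPT_SAMPLE), scanner_clean),
        ("tampered bytes", MP4_SAMPLE + b"x", "video/mp4", bound_hash(MP4_SAMPLE), scanner_clean),
        ("scanner down", MP4_SAMPLE, "video/mp4", bound_hash(MP4_SAMPLE), scanner_down),
    ]
    for name, data, declared, digest, scan in cases:
        print(f"{name:15} -> {validate_upload(data, declared, digest, scan)}")
```

The order matters: type sniffing runs before hashing and scanning so that non-media bytes are discarded cheaply, and the hash check runs before the scanner so that an object whose bytes differ from what was bound at URL generation is never scanned as if it were the expected upload.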

High Findings

| ID | Finding | Current State | Component |
|----|---------|---------------|-----------|
| H1 | Body size limit (10 MB) | Active: 10 MB maximum request body enforced server-side | drop-hash-log.py |
| H2 | CORS origin restriction | Active: Explicit per-environment allowlist; no wildcard; applied to both S3 and backend | variables.tf + drop-hash-log.py |
| H3 | API Gateway access logging | Active: Structured JSON logging to CloudWatch; 90-day retention | api-gateway.tf |
| H4 | Content-Length enforcement | Active: fileSize required; presigned URL includes ContentLength; S3 rejects mismatched uploads | presigned-url-gen Lambda |
| H5 | Privacy Policy | Active: "Phenom Drop Media Submissions" section live covering data collection, retention, processing | privacy-policy.html |
| H6 | Data retention policy | Active: 90-day retention with automated cleanup | drop-hash-log.py |

Medium Findings

| ID | Finding | Current State | Component |
|----|---------|---------------|-----------|
| M1 | Presigned URL expiry | Active: 10-minute (upload_expiry_seconds = 600) | variables.tf |
| M2 | Email regex validation | Active: Server-side regex enforced | drop-hash-log.py |
| M3 | Rate limiting | Active: Rate limiting on verify-password endpoint | drop-hash-log.py |
| M4 | Security headers (nginx) | Active: Security headers configured in nginx | nginx.dev.conf |
| M5 | Consent checkbox (UI) | Active: Consent checkbox present in upload form | drop.html |
| M6 | Log retention (90 days) | Active: CloudWatch log group retention set to 90 days | variables.tf |

Security Baseline

All controls below are active and verifiable:

  1. All 4 fail-safe scenarios pass end-to-end validation
  2. All 7 critical controls (C1-C7) are active
  3. All 6 high controls (H1-H6) are active
  4. All 6 medium controls (M1-M6) are active
  5. GPS/EXIF stripping confirmed operational via metadata-stripper Lambda

  • /docs/security/drop-security-audit/: Full audit report with finding details
  • Phenom Drop Overview: Pipeline architecture and feature documentation
  • Phenom Infrastructure: Terraform modules where infrastructure fixes are applied