Add download export authorization review skill#2309

Open
chenxiaojie555 wants to merge 1 commit into UnitOneAI:main from chenxiaojie555:codex/new-skill-download-export-authorization-review
Conversation

@chenxiaojie555

Closes #556.

Summary

Adds a new download-export-authorization-review identity skill for reviewing export and download flows where screen access, report generation, cached files, async jobs, or pre-signed links are treated as sufficient authorization.

What This Skill Covers

  • Generation-time authorization for CSV/PDF/ZIP/report exports.
  • Retrieval-time authorization for generated files, pre-signed URLs, CDN/object-store delivery, and async job results.
  • Data minimization and field-level scope checks for exported files.
  • Async worker and service-account boundaries.
  • Audit, provenance, expiry, revocation, and abuse controls for high-risk exports.

Files Added

  • skills/identity/download-export-authorization-review/SKILL.md
  • skills/identity/download-export-authorization-review/README.md
  • 3 vulnerable fixtures:
    • screen-check-only-export.ts
    • presigned-url-without-current-authz.yaml
    • background-job-service-account-expands-scope.py
  • 3 benign fixtures:
    • server-side-object-scope-export.ts
    • revocable-short-lived-download-link.yaml
    • worker-revalidates-export-scope.py
  • index.yaml entry and skill count update.

Bounty Tier

  • Standard ($200) - Well-known vulnerability class, single language
  • Intermediate ($350) - Multiple delivery paths/frameworks and nuanced detection logic
  • Complex ($500) - Novel detection approach, comprehensive coverage, low false-positive rate

Validation

  • git diff --check
  • Frontmatter required-field check across skills/ and roles/
  • index.yaml referenced-file existence check
  • skill_count matches indexed skill entries
  • Markdown fence-balance check for the new skill and README
  • Official-style prompt-injection scan equivalent
  • Fixture count check: 3 vulnerable and 3 benign fixtures
  • Python fixture parse check
  • YAML fixture sanity check
  • Marker checks for EXP-AUTH-*, EXP-GET-*, EXP-DATA-*, EXP-JOB-*, and EXP-AUDIT-* guidance

Framework References

  • OWASP API Security Top 10 2023: API1 Broken Object Level Authorization
  • OWASP API Security Top 10 2023: API5 Broken Function Level Authorization
  • OWASP ASVS Access Control
  • NIST SP 800-53 Rev. 5 AC-3 Access Enforcement
  • CWE-639, CWE-862, CWE-863

Bounty Info

  • I have read and agree to the CONTRIBUTING.md bounty terms.
  • Preferred payment method can be provided privately after maintainer acceptance.
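The "What This Skill Covers" list above describes two distinct enforcement points (authorization when the export is generated, and again when the generated file is retrieved through a link) plus field-level minimization and a worker that must not widen scope. The following is an added example written for this page; it is not code from the PR, from its fixtures, or from the UnitOneAI project. Every name, record, user and the signing key are constructed for the demo, and the link format is a hypothetical one chosen to keep the check readable. It places the screen-check-only pattern beside a scoped version, then shows a download path that re-validates signature, expiry, revocation, principal binding and current object scope rather than trusting the link by itself.

```python
"""Added example (not part of the PR or its fixtures): authorization for
export/download flows enforced at generation time and again at retrieval time.
All names, data and the signing key are constructed for the demo."""
from dataclasses import dataclass, field
import hashlib
import hmac
import secrets

SECRET = b"constructed-demo-key"  # placeholder only; a real service uses a managed key

@dataclass(frozen=True)
class User:
    name: str
    tenant: str
    can_open_reports_screen: bool  # UI-level flag, not an object-level grant

@dataclass(frozen=True)
class Record:
    id: int
    tenant: str
    ssn: str
    note: str

# Constructed sample data: two tenants share one table.
RECORDS = {
    1: Record(1, "acme", "111-11-1111", "a"),
    2: Record(2, "acme", "222-22-2222", "b"),
    3: Record(3, "globex", "333-33-3333", "c"),
}
ALLOWED_FIELDS = ("id", "note")  # field-level scope: the SSN column never leaves

def visible_ids(user: User) -> set[int]:
    """Object-level scope, evaluated server-side against current state."""
    return {r.id for r in RECORDS.values() if r.tenant == user.tenant}

def export_screen_check_only(user: User, requested_ids: list[int]) -> list[dict]:
    """Vulnerable pattern: access to the reports screen is treated as export authorization."""
    if not user.can_open_reports_screen:
        raise PermissionError("no access to reports screen")
    # Defect: trusts client-supplied ids and dumps every column.
    return [vars(RECORDS[i]) for i in requested_ids]

def export_scoped(user: User, requested_ids: list[int]) -> list[dict]:
    """Hardened: object scope and data minimization enforced at generation time."""
    if not set(requested_ids) <= visible_ids(user):
        raise PermissionError("requested records outside caller's scope")
    return [{k: getattr(RECORDS[i], k) for k in ALLOWED_FIELDS} for i in requested_ids]

@dataclass
class ExportStore:
    """Generated files plus the retrieval-time checks that guard them."""
    files: dict = field(default_factory=dict)  # export_id -> (owner, ids, rows)
    revoked: set = field(default_factory=set)

    def create(self, user: User, ids: list[int]) -> str:
        # An async worker running under a service account calls this with the
        # *requesting* user's identity, so scope is never widened to the worker's.
        rows = export_scoped(user, ids)
        export_id = secrets.token_hex(8)
        self.files[export_id] = (user.name, tuple(ids), rows)
        return export_id

    def issue_link(self, user: User, export_id: str, now: int, ttl: int = 300) -> str:
        """Short-lived link bound to one principal and one export (hypothetical format)."""
        owner, _, _ = self.files[export_id]
        if owner != user.name:
            raise PermissionError("not the owner of this export")
        exp = now + ttl
        msg = f"{export_id}|{user.name}|{exp}".encode()
        sig = hmac.new(SECRET, msg, hashlib.sha256).hexdigest()
        return f"{export_id}|{user.name}|{exp}|{sig}"

    def revoke(self, export_id: str) -> None:
        self.revoked.add(export_id)

    def download(self, link: str, user: User, now: int) -> list[dict]:
        """Retrieval-time authorization: possessing the link is never sufficient."""
        export_id, subject, exp, sig = link.split("|")
        msg = f"{export_id}|{subject}|{exp}".encode()
        expected = hmac.new(SECRET, msg, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(sig, expected):
            raise PermissionError("bad signature")
        if now > int(exp):
            raise PermissionError("link expired")
        if export_id in self.revoked or export_id not in self.files:
            raise PermissionError("export revoked or unknown")
        if subject != user.name:
            raise PermissionError("link bound to another principal")
        _, ids, rows = self.files[export_id]
        # Re-check object scope now: membership may have changed since generation.
        if not set(ids) <= visible_ids(user):
            raise PermissionError("caller no longer authorized for these records")
        return rows
```

The split between `create` and `download` is the point of the example: a reviewer applying the skill would look for each of the `download` checks in the real retrieval path (pre-signed URL handler, CDN edge auth, or async job result endpoint) and for `export_scoped` rather than a screen flag in the generation path. Replacing the HMAC link with a real object-store pre-signed URL does not remove the need for the revocation and re-scoping checks, since the store itself cannot perform them.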

Linked issue: [NEW SKILL] download-export-authorization-review