
[Security] VOD Download URL Lacks Signed Token Authentication #540

@filthyrake

Description


Summary

The download URL generation in VOD management returns a direct path to the file without any cryptographic signing. A code comment in that function refers to signed URLs, but the implementation never produces one: no signature, no expiration timestamp, and no binding to the requesting user.

Impact

Severity: MEDIUM

An attacker who captures a download URL (from logs, a proxy, browser history, or a user who forwards it) can hand it to unauthorized users. The access check at URL-generation time still runs, but the resulting URL is neither time-limited nor bound to the user it was issued to, so anyone who obtains it can download the VOD without passing that check again.

Files Affected

  • /api/studio_vod.py (lines 449-494, specifically 483-494)

Recommended Fix

  1. Implement HMAC-signed URLs with an expiration timestamp embedded in the signed payload
  2. Verify the signature and the expiration server-side, before serving the download
  3. Include user_id in the signed payload and compare it to the authenticated requester, to prevent URL sharing
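
The three steps above, as an added example in the project's language (this is illustrative code written for this issue, not code from studio_vod.py). The helper names, the query-parameter layout and the SIGNING_KEY value are assumptions; the real implementation would load the key from configuration and take the path and user id from the existing access-checked request.

```python
# Added example for this issue, not the project's own code.
# Assumptions: helper names, the user_id/expires/sig query layout and the
# constructed SIGNING_KEY below are all hypothetical.
import hashlib
import hmac
import time
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumption: a server-side secret loaded from configuration. It must never
# appear in a URL or be sent to a client. Constructed value for this example.
SIGNING_KEY = b"replace-with-a-32-byte-secret-from-config"


def _payload(path: str, user_id: int, expires: int) -> bytes:
    # Canonical encoding of everything the signature must cover. The newline
    # delimiter cannot occur in a URL path, so fields cannot be shifted between
    # each other ("a" + "b|c" vs "a|b" + "c" style ambiguity).
    return "\n".join([path, str(user_id), str(expires)]).encode()


def sign_download_url(path: str, user_id: int, ttl_seconds: int = 300,
                      now: Optional[int] = None, key: bytes = SIGNING_KEY) -> str:
    """Return path?user_id=..&expires=..&sig=.. bound to one user and a deadline.

    Call this only after the existing access check has passed; the signature
    carries that decision forward to the download request.
    """
    if not path.startswith("/"):
        raise ValueError("path must be absolute, got %r" % path)
    now = int(time.time()) if now is None else now
    expires = now + ttl_seconds
    sig = hmac.new(key, _payload(path, user_id, expires), hashlib.sha256).hexdigest()
    query = urlencode({"user_id": user_id, "expires": expires, "sig": sig})
    return f"{path}?{query}"


def verify_download_url(url: str, requesting_user_id: int,
                        now: Optional[int] = None, key: bytes = SIGNING_KEY) -> bool:
    """True only if the signature is valid, the link has not expired, and the
    caller is the user the link was issued to. Every failure returns False."""
    parts = urlsplit(url)
    qs = parse_qs(parts.query)
    try:
        user_id = int(qs["user_id"][0])
        expires = int(qs["expires"][0])
        sig = qs["sig"][0]
    except (KeyError, ValueError, IndexError):
        return False  # missing or malformed parameters: treat as unsigned

    # Recompute over the path actually requested, so a valid signature for one
    # VOD cannot be replayed against another path.
    expected = hmac.new(key, _payload(parts.path, user_id, expires),
                        hashlib.sha256).hexdigest()
    # Constant-time comparison, and signature first: nothing in the query is
    # trusted until it is known to be authentic.
    if not hmac.compare_digest(expected, sig):
        return False
    now = int(time.time()) if now is None else now
    if now >= expires:
        return False
    # Bind the link to the authenticated session so a captured URL is useless
    # to anyone but the user it was minted for.
    return user_id == requesting_user_id
```

The expiry and user_id are sent in the clear in the query string; that is fine because both are covered by the HMAC, so editing either one invalidates the signature. The signing step belongs at the point in studio_vod.py where the access check already passed, and the verify step in the handler that actually serves the file.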

References

  • CWE-284 (Improper Access Control)
  • OWASP A01:2021 Broken Access Control

🤖 Generated by automated security review
