Session: 46898342-7a27-4682-b9f4-2c996e20b7d7
Date: 2026-03-11
Project: /run/media/morpheuslord/Personal_Files/Projects/ACVAS/SIMULATIONS/TEST_SUBJECTS/NudR-Stateless-API-main
(Narrative summary unavailable: the summarisation call behind this report failed with a permissions error, "Missing scopes: model.request", so the findings below carry no description beyond severity, CWE, the flagged file and line, and the surrounding code.)
| Metric | Value |
|---|---|
| Total Files Analyzed | 76 |
| Distinct Vulnerabilities | 46 |
| Critical | 8 |
| High | 6 |
| Medium | 32 |
| Low | 0 |
| With PoC | 8 |
| Languages | python |
Severity: MEDIUM | CVSS: None | CWE: None
File: app/main.py Line(s): 37
35 | host="0.0.0.0",
36 | port=8000,
>>> 37 | reload=True,
38 | reload_dirs=["app"],
39 | )
Note: reload=True enables uvicorn's file watcher and auto-restart, a development-only feature; together with host="0.0.0.0" on line 35 this entry point listens on every interface. Confirm it is not the production launcher (scripts/run_server.py repeats the same block, see the code-duplication entry further down) and gate reload behind a settings flag rather than a literal.
Severity: MEDIUM | CVSS: None | CWE: None
File: app/chat/constants.py Line(s): 10
8 | # ── Redis key builders ─────────────────────────────────────────────────────────
9 |
>>> 10 | @dataclass(frozen=True)
11 | class _ChatKeys:
12 | @staticmethod
Severity: MEDIUM | CVSS: None | CWE: None
File: app/chat/service.py Line(s): 68
66 | """
67 | AND both parties' consent for the given media type.
>>> 68 | Returns True only if BOTH users have granted the relevant consent.
69 | """
70 | if msg_type not in MEDIA_MSG_TYPES:
Severity: MEDIUM | CVSS: None | CWE: None
File: app/core/rate_limit.py Line(s): 21
19 | window_seconds: int,
20 | ) -> bool:
>>> 21 | """Return True if request is within limit, False if exceeded."""
22 | key = f"rl:{endpoint}:{ip}"
23 | count = await r.incr(key)
Severity: MEDIUM | CVSS: None | CWE: None
File: app/core/risk_db.py Line(s): 19
17 |
18 | def check_risky_ip(ip: str) -> bool:
>>> 19 | """Return True if the IP is flagged as active in the risky_ips table."""
20 | sb = get_supabase()
21 | try:
Severity: MEDIUM | CVSS: None | CWE: None
File: app/core/security.py Line(s): 67
65 | def validate_public_key(public_key_b64: str) -> bytes:
66 | """
>>> 67 | Validates that the submitted value is a valid 32-byte X25519 public key.
68 | Rejects: wrong length, all-zeros, all-ones.
69 | """
Generic: Hard-coded Elliptic Curve (pattern hit on the name X25519). X25519 is a single-curve primitive with no curve negotiation, so naming the curve in code is the intended design and not a weakness in itself; the same pattern fires on every X25519 mention below. Triage these as informational unless a weak or non-standard curve is actually selected. The validation this function documents (length, all-zeros, all-ones) is where real review effort belongs.
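Added example, written for this report and not code from the NudR project or the scanner: the validation rules the docstring above lists (32 bytes, reject all-zeros and all-ones), plus the contributory-behaviour check that those byte-pattern rules miss and that libsodium performs by default. A small-order point such as u = 1 passes the length and pattern checks yet forces every shared secret derived from it to a known value; multiplying the candidate by any clamped scalar exposes it as an all-zero output. Assumptions: CryptoViolationError is a stand-in for the project's exception of that name, keys arrive in standard base64, and the x25519() ladder is a transcription of RFC 7748 section 5 so the file runs offline (in the project it would be the library call).

```python
"""Editor-written example: X25519 public-key validation with a contributory check.

Not code from the NudR project.  The ladder below follows RFC 7748 section 5
so that nothing beyond the standard library is needed."""
import base64
import secrets

P = 2**255 - 19
A24 = 121665                          # (486662 - 2) / 4 for Curve25519
BASEPOINT = b"\x09" + b"\x00" * 31    # u = 9


def _decode_scalar(k: bytes) -> int:
    b = bytearray(k)
    b[0] &= 248
    b[31] &= 127
    b[31] |= 64
    # Clamping makes k a multiple of 8, so every point of order 1, 2, 4 or 8
    # is sent to the point at infinity, which X25519 encodes as u = 0.
    return int.from_bytes(b, "little")


def _decode_u(u: bytes) -> int:
    b = bytearray(u)
    b[31] &= 0x7F                     # RFC 7748: mask the top bit of the last byte
    return int.from_bytes(b, "little")


def _cswap(swap: int, a: int, b: int):
    dummy = (-swap) & (a ^ b)         # swap is 0 or 1; branch-free as in the RFC
    return a ^ dummy, b ^ dummy


def x25519(k_bytes: bytes, u_bytes: bytes) -> bytes:
    """Montgomery ladder from RFC 7748; returns the u-coordinate of k*P."""
    k = _decode_scalar(k_bytes)
    x1 = _decode_u(u_bytes)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        x2, x3 = _cswap(swap, x2, x3)
        z2, z3 = _cswap(swap, z2, z3)
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = pow(da + cb, 2, P)
        z3 = x1 * pow(da - cb, 2, P) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    x2, x3 = _cswap(swap, x2, x3)
    z2, z3 = _cswap(swap, z2, z3)
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def public_key_from_private(sk: bytes) -> bytes:
    return x25519(sk, BASEPOINT)


def encode_key(raw: bytes) -> str:
    """Base64 form in which the API receives keys (assumed standard alphabet)."""
    return base64.b64encode(raw).decode("ascii")


class CryptoViolationError(ValueError):
    """Hypothetical stand-in for the project's exception of the same name."""


def validate_public_key(public_key_b64: str) -> bytes:
    """Return the raw 32-byte key or raise CryptoViolationError."""
    try:
        raw = base64.b64decode(public_key_b64, validate=True)
    except (ValueError, TypeError) as exc:
        raise CryptoViolationError("public key is not valid base64") from exc
    if len(raw) != 32:
        raise CryptoViolationError("public key must be exactly 32 bytes")
    if raw in (b"\x00" * 32, b"\xff" * 32):
        raise CryptoViolationError("degenerate public key")
    # Contributory check: a small-order point yields an all-zero shared secret
    # with every clamped scalar, so one random scalar is enough to detect it.
    # Without this a peer could force every session key derived from its key
    # to a value it already knows.
    if x25519(secrets.token_bytes(32), raw) == b"\x00" * 32:
        raise CryptoViolationError("small-order public key")
    return raw


def is_valid_public_key(public_key_b64: str) -> bool:
    try:
        validate_public_key(public_key_b64)
        return True
    except CryptoViolationError:
        return False
```

The rejection list this produces is the same as libsodium's blocklist (u = 0, u = 1, u = p - 1 and the other small-order encodings) without hard-coding the points, at the cost of one scalar multiplication per registration. The all-ones rule from the docstring is kept for parity with the project, although after the top-bit mask it denotes an ordinary point rather than a small-order one.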
Severity: MEDIUM | CVSS: None | CWE: None
File: app/core/session.py Line(s): 13
11 |
12 |
>>> 13 | @dataclass(frozen=True)
14 | class SessionInfo:
15 | token: str
Severity: MEDIUM | CVSS: None | CWE: None
File: app/core/crypto/abstracts.py Line(s): 27
25 | def sign_not_supported(self) -> None:
26 | """
>>> 27 | X25519 keys are for key agreement ONLY.
28 | Raise NotImplementedError to document the constraint.
29 | """
Generic: Hard-coded Elliptic Curve
Severity: MEDIUM | CVSS: None | CWE: None
File: app/core/crypto/agreement.py Line(s): 10
8 |
9 |
>>> 10 | class X25519KeyAgreement(BaseKeyAgreement):
11 |
12 | def derive_shared_secret(
Generic: Hard-coded Elliptic Curve
Severity: MEDIUM | CVSS: None | CWE: None
File: app/core/crypto/backup.py Line(s): 33
31 | ) -> dict:
32 | if len(private_key_bytes) != 32:
>>> 33 | raise CryptoViolationError("Private key must be 32 bytes (X25519)")
34 |
35 | salt = nacl_random(16)
Generic: Hard-coded Elliptic Curve
Severity: MEDIUM | CVSS: None | CWE: None
File: app/core/crypto/keys.py Line(s): 12
10 | class DeviceKeyPair(BaseKeyPair):
11 | """
>>> 12 | X25519 key pair for one device.
13 | Private key bytes are stored in a mutable bytearray so they
14 | can be deterministically zeroed via zero_private_key().
Generic: Hard-coded Elliptic Curve
Severity: MEDIUM | CVSS: None | CWE: None
File: app/db/redis_client.py Line(s): 13
11 | async def init_redis() -> None:
12 | global _redis
>>> 13 | _redis = aioredis.from_url(settings.redis_url, decode_responses=True)
14 | try:
15 | await _redis.ping()
Severity: MEDIUM | CVSS: None | CWE: None
File: app/feed/constants.py Line(s): 10
8 | # ── Redis key builders ─────────────────────────────────────────────────────────
9 |
>>> 10 | @dataclass(frozen=True)
11 | class _FeedKeys:
12 | @staticmethod
Severity: HIGH | CVSS: None | CWE: None
File: app/feed/service.py Line(s): 48
46 | """
47 | Build a flat string-keyed dict suitable for HSET in Redis.
>>> 48 | Applies anon masking: when anon_mode is true, hidden fields are omitted entirely.
49 | """
50 | anon = _to_bool(row.get("anon_mode", False))
Severity: MEDIUM | CVSS: None | CWE: None
File: app/feed/types.py Line(s): 11
9 |
10 |
>>> 11 | @dataclass(frozen=True)
12 | class FeedTokenResponse:
13 | websocket_token: str
Severity: MEDIUM | CVSS: None | CWE: None
File: app/routes/auth/signup.py Line(s): 504
502 | "user_id": user_id,
503 | "anon_mode": False,
>>> 504 | "read_receipts": True,
505 | "role_mode": role_mode_clean,
506 | "vibe": vibe_clean,
Severity: CRITICAL | CVSS: None | CWE: CWE-327
File: app/routes/auth/signup.py Line(s): 66
64 | }
65 |
>>> 66 | VALID_ROLE_MODES = {"HUNTER", "ANIMAL"}
67 | VALID_VIBES = {
68 | "adventurous_explorer", "sensual_storyteller", "playful_muse",
Pattern hit on the substring DES inside the identifier VALID_ROLE_MODES; the flagged lines contain no cipher call, so this is a false positive for CWE-327 and the CRITICAL rating is unfounded. Confirm with a repository-wide search for DES before closing it. The NVD references the scanner attached concern PKCS #1 padding and MD5 rather than DES and do not support the finding:
NVD References:
- CVE-1999-0007 Information from SSL-encrypted sessions via PKCS #1.
- CVE-2002-2058 (CVSS: 7.5 HIGH) TeeKai Tracking Online 1.0 uses weak encryption of web usage statistics in data/userlog/log.txt, which allows remote attackers to identify IP's visiting the site by dividing each octet by the MD5 hash
- CVE-2005-2946 (CVSS: 7.5 HIGH) The default configuration on OpenSSL before 0.9.8 uses MD5 for creating message digests instead of a more cryptographically strong algorithm, which makes it easier for remote attackers to forge certif
Severity: MEDIUM | CVSS: None | CWE: None
File: app/routes/chat/ws.py Line(s): 137
135 |
136 | try:
>>> 137 | while True:
138 | data = await ws.receive_json()
139 |
Severity: MEDIUM | CVSS: None | CWE: None
File: app/routes/feed/ws.py Line(s): 107
105 |
106 | try:
>>> 107 | while True:
108 | data = await ws.receive_json()
109 |
Severity: MEDIUM | CVSS: None | CWE: None
File: app/routes/keys/backup.py Line(s): 55
53 | .select("device_ids,public_values,private_values,conversation_keys")
54 | .eq("user_id", session.user_id)
>>> 55 | .order("created_at", desc=True)
56 | .limit(1)
57 | .execute()
Severity: MEDIUM | CVSS: None | CWE: None
File: app/routes/keys/register.py Line(s): 2
1 | """
2 | POST /keys/register - register an X25519 public key for a device.
3 |
4 | Security:
Generic: Hard-coded Elliptic Curve
Severity: MEDIUM | CVSS: None | CWE: None
File: app/routes/keys/upload.py Line(s): 106
104 | # Ensure values are valid base64; server does not attempt decryption.
105 | try:
>>> 106 | base64.b64decode(pub_val, validate=True)
107 | except Exception:
108 | raise ValueError("public_values entries must be valid base64")
Severity: MEDIUM | CVSS: None | CWE: None
File: app/routes/keysync/ws.py Line(s): 81
79 |
80 | try:
>>> 81 | while True:
82 | raw = await ws.receive_text()
83 | try:
Severity: MEDIUM | CVSS: None | CWE: None
File: app/routes/settings/profile.py Line(s): 238
236 |
237 | if payload.anon_mode is not None:
>>> 238 | if payload.anon_mode is True:
239 | sb = get_supabase()
240 | try:
Severity: MEDIUM | CVSS: None | CWE: None
File: app/utils/key_exchange_helpers.py Line(s): 60
58 | return False
59 |
>>> 60 | return True
61 |
62 |
Severity: MEDIUM | CVSS: None | CWE: None
File: app/ws/token_maker.py Line(s): 34
32 |
33 |
>>> 34 | @dataclass(frozen=True)
35 | class WSTokenResult:
36 | token: str
Severity: MEDIUM | CVSS: None | CWE: None
File: scripts/run_server.py Line(s): 19
17 | host="0.0.0.0",
18 | port=8000,
>>> 19 | reload=True,
20 | reload_dirs=["app"],
21 | )
Severity: HIGH | CVSS: None | CWE: None
File: terraform/lambda/rotate_origin_secret.py Line(s): 98
96 | {
97 | "ref": ORIGIN_HEADER_RULE_REF,
>>> 98 | "expression": "true",
99 | "description": "NudR origin secret for origin authentication",
100 | "action": "rewrite",
Note: the expression "true" scopes the rule to every request, which is what a rewrite rule that injects the origin-authentication header has to do; the HIGH rating should rest on how the rotated secret value is stored and logged, not on the match-all expression.
Severity: CRITICAL | CVSS: None | CWE: CWE-798
File: testing/chat/run_chat_tests.py Line(s): 75
73 |
74 | TS = str(int(time.time()))
>>> 75 | PASSWORD = "Str0ng!ChatTest_2026"
76 |
77 | PHOTOS_DIR = Path(__file__).resolve().parent.parent / "signup" / "photos"
Note: this is a fixture password for throwaway accounts the test script creates itself (each script defines a per-run timestamp TS alongside it), so the exposure is narrower than the CRITICAL rating implies and well below that of the committed Redis credential in testing/signin/run_signin_tests.py further down. It is still a secret in source: read it from the environment or generate it per run. The same pattern recurs in the other test scripts below.
NVD References:
- CVE-2000-1139 The installation of Microsoft Exchange 2000 before Rev. A creates a user account with a known password, which could allow attackers to gain privileges, aka the "Exchange User Account" vulnerability.
- CVE-2005-0496 (CVSS: 9.8 CRITICAL) Arkeia Network Backup Client 5.x contains hard-coded credentials that effectively serve as a back door, which allows remote attackers to access the file system and possibly execute arbitrary commands.
- CVE-2005-3716 (CVSS: 7.5 HIGH) The SNMP daemon in UTStarcom F1000 VOIP WIFI Phone s2.0 running VxWorks 5.5.1 with kernel WIND 2.6 has hard-coded public credentials that cannot be changed, which allows attackers to obtain sensitive
Severity: HIGH | CVSS: None | CWE: None
File: testing/chat/run_chat_tests.py Line(s): 87
85 | prefix = "0" * difficulty
86 | nonce = 0
>>> 87 | while True:
88 | candidate = str(nonce)
89 | digest = hashlib.sha256(f"{challenge}{candidate}".encode()).hexdigest()
Note: this loop is the test client's proof-of-work solver; it runs until a SHA-256 digest with `difficulty` leading zero hex digits is found, so expected work is 16^difficulty attempts (65,536 at the default POW_DIFFICULTY of 4 used by the signin and signup scripts). The HIGH rating is a pattern hit on `while True` rather than a server-side issue, and the same loop is rated MEDIUM in the other scripts; bounding the nonce search makes the rating moot.
Severity: MEDIUM | CVSS: None | CWE: None
File: testing/chat/run_chat_tests.py Line(s): 8
6 | 1. Signup User A (female) and User B (male)
7 | 2. Signin both
>>> 8 | 3. Register X25519 public keys
9 | 4. Mutual like via feed WS → MATCH_CONFIRMED
10 | 5. GET /chat/token β verify token generation
Generic: Hard-coded Elliptic Curve
Severity: HIGH | CVSS: None | CWE: None
File: testing/cli/nudr_cli.py Line(s): 131
129 | prefix = "0" * difficulty
130 | nonce = 0
>>> 131 | while True:
132 | candidate = str(nonce)
133 | digest = hashlib.sha256(f"{challenge}{candidate}".encode()).hexdigest()
Severity: CRITICAL | CVSS: None | CWE: CWE-798
File: testing/cli/setup_accounts.py Line(s): 58
56 |
57 | TS = str(int(time.time()))
>>> 58 | PASSWORD = "Str0ng!CliTest_2026"
59 | PHOTOS_DIR = Path(__file__).resolve().parent.parent / "signup" / "photos"
60 | PHOTO1 = PHOTOS_DIR / "photo1.jpg"
NVD References:
- CVE-2000-1139 The installation of Microsoft Exchange 2000 before Rev. A creates a user account with a known password, which could allow attackers to gain privileges, aka the "Exchange User Account" vulnerability.
- CVE-2005-0496 (CVSS: 9.8 CRITICAL) Arkeia Network Backup Client 5.x contains hard-coded credentials that effectively serve as a back door, which allows remote attackers to access the file system and possibly execute arbitrary commands.
- CVE-2005-3716 (CVSS: 7.5 HIGH) The SNMP daemon in UTStarcom F1000 VOIP WIFI Phone s2.0 running VxWorks 5.5.1 with kernel WIND 2.6 has hard-coded public credentials that cannot be changed, which allows attackers to obtain sensitive
Severity: MEDIUM | CVSS: None | CWE: None
File: testing/cli/setup_accounts.py Line(s): 108
106 | prefix = "0" * difficulty
107 | nonce = 0
>>> 108 | while True:
109 | candidate = str(nonce)
110 | digest = hashlib.sha256(f"{challenge}{candidate}".encode()).hexdigest()
Severity: MEDIUM | CVSS: None | CWE: None
File: testing/cli/setup_accounts.py Line(s): 3
1 | #!/usr/bin/env python3
2 | """
>>> 3 | Bootstrap 2 test accounts with X25519 key pairs for the interactive CLI.
4 |
5 | Creates User A (female) and User B (male), signs them in, registers X25519
Generic: Hard-coded Elliptic Curve
Severity: CRITICAL | CVSS: None | CWE: CWE-798
File: testing/feed/run_feed_tests.py Line(s): 75
73 | VERIFICATION = PHOTOS_DIR / "verification.jpg"
74 |
>>> 75 | PASSWORD = "Str0ng!Feed_Test1"
76 |
77 | # ── Data pools ─────────────────────────────────────────────────────────────────
NVD References:
- CVE-2000-1139 The installation of Microsoft Exchange 2000 before Rev. A creates a user account with a known password, which could allow attackers to gain privileges, aka the "Exchange User Account" vulnerability.
- CVE-2005-0496 (CVSS: 9.8 CRITICAL) Arkeia Network Backup Client 5.x contains hard-coded credentials that effectively serve as a back door, which allows remote attackers to access the file system and possibly execute arbitrary commands.
- CVE-2005-3716 (CVSS: 7.5 HIGH) The SNMP daemon in UTStarcom F1000 VOIP WIFI Phone s2.0 running VxWorks 5.5.1 with kernel WIND 2.6 has hard-coded public credentials that cannot be changed, which allows attackers to obtain sensitive
Severity: HIGH | CVSS: None | CWE: None
File: testing/feed/run_feed_tests.py Line(s): 144
142 | prefix = "0" * difficulty
143 | nonce = 0
>>> 144 | while True:
145 | candidate = str(nonce)
146 | digest = hashlib.sha256(f"{challenge}{candidate}".encode()).hexdigest()
Severity: CRITICAL | CVSS: None | CWE: CWE-798
File: testing/key_exchange/run_key_exchange_tests.py Line(s): 78
76 |
77 | TS = str(int(time.time()))
>>> 78 | PASSWORD = "Str0ng!KxTest_2026"
79 |
80 | KEYS_DIR = Path(__file__).resolve().parent
NVD References:
- CVE-2000-1139 The installation of Microsoft Exchange 2000 before Rev. A creates a user account with a known password, which could allow attackers to gain privileges, aka the "Exchange User Account" vulnerability.
- CVE-2005-0496 (CVSS: 9.8 CRITICAL) Arkeia Network Backup Client 5.x contains hard-coded credentials that effectively serve as a back door, which allows remote attackers to access the file system and possibly execute arbitrary commands.
- CVE-2005-3716 (CVSS: 7.5 HIGH) The SNMP daemon in UTStarcom F1000 VOIP WIFI Phone s2.0 running VxWorks 5.5.1 with kernel WIND 2.6 has hard-coded public credentials that cannot be changed, which allows attackers to obtain sensitive
Severity: MEDIUM | CVSS: None | CWE: None
File: testing/key_exchange/run_key_exchange_tests.py Line(s): 92
90 | prefix = "0" * difficulty
91 | nonce = 0
>>> 92 | while True:
93 | candidate = str(nonce)
94 | digest = hashlib.sha256(f"{challenge}{candidate}".encode()).hexdigest()
Severity: MEDIUM | CVSS: None | CWE: None
File: testing/key_exchange/run_key_exchange_tests.py Line(s): 8
6 | 1. Signup User A (female) and User B (male)
7 | 2. Signin both
>>> 8 | 3. Register X25519 public keys (2 devices each) via POST /keys/register
9 | 4. Obtain feed tokens → mutual "like" over feed WS → MATCH_CONFIRMED
10 | 5. Obtain keysync token → KEY_EXCHANGE_INIT → KEY_EXCHANGE_COMPLETE
Generic: Hard-coded Elliptic Curve
Severity: CRITICAL | CVSS: None | CWE: CWE-798
File: testing/settings/run_settings_tests.py Line(s): 115
113 | flush_drop_and_rate(r, ip)
114 |
>>> 115 | password = "Str0ng!Settings_1"
116 | form = {
117 | "email": f"settings_test_{TS}@example.com",
NVD References:
- CVE-2000-1139 The installation of Microsoft Exchange 2000 before Rev. A creates a user account with a known password, which could allow attackers to gain privileges, aka the "Exchange User Account" vulnerability.
- CVE-2005-0496 (CVSS: 9.8 CRITICAL) Arkeia Network Backup Client 5.x contains hard-coded credentials that effectively serve as a back door, which allows remote attackers to access the file system and possibly execute arbitrary commands.
- CVE-2005-3716 (CVSS: 7.5 HIGH) The SNMP daemon in UTStarcom F1000 VOIP WIFI Phone s2.0 running VxWorks 5.5.1 with kernel WIND 2.6 has hard-coded public credentials that cannot be changed, which allows attackers to obtain sensitive
Severity: HIGH | CVSS: None | CWE: None
File: testing/settings/run_settings_tests.py Line(s): 63
61 | prefix = "0" * difficulty
62 | nonce = 0
>>> 63 | while True:
64 | candidate = str(nonce)
65 | digest = hashlib.sha256(f"{challenge}{candidate}".encode()).hexdigest()
Severity: CRITICAL | CVSS: None | CWE: CWE-798
File: testing/signin/run_signin_tests.py Line(s): 43
41 | BASE_URL = os.getenv("API_BASE_URL", "http://localhost:8000")
42 | ORIGIN_SECRET = os.getenv("ORIGIN_SECRET", "your-cloudflare-injected-secret")
>>> 43 | REDIS_URL = os.getenv("REDIS_URL", "redis://:supersecretpassword123@192.168.1.64:6379/0")
44 | POW_DIFFICULTY = int(os.getenv("POW_DIFFICULTY", "4"))
45 |
Note: unlike the fixture passwords, this default is a live-looking credential: a Redis password and a private LAN address committed to the repository, used by every test script that shares the default whenever REDIS_URL is unset. Rotate the password, make the scripts fail when REDIS_URL is absent instead of falling back, and scrub the value from git history. The ORIGIN_SECRET placeholder on the line above is a dummy value and not a finding. testing/signup/run_signup_tests.py carries the same default.
NVD References:
- CVE-2000-1139 The installation of Microsoft Exchange 2000 before Rev. A creates a user account with a known password, which could allow attackers to gain privileges, aka the "Exchange User Account" vulnerability.
- CVE-2005-0496 (CVSS: 9.8 CRITICAL) Arkeia Network Backup Client 5.x contains hard-coded credentials that effectively serve as a back door, which allows remote attackers to access the file system and possibly execute arbitrary commands.
- CVE-2005-3716 (CVSS: 7.5 HIGH) The SNMP daemon in UTStarcom F1000 VOIP WIFI Phone s2.0 running VxWorks 5.5.1 with kernel WIND 2.6 has hard-coded public credentials that cannot be changed, which allows attackers to obtain sensitive
Severity: MEDIUM | CVSS: None | CWE: None
File: testing/signin/run_signin_tests.py Line(s): 65
63 | prefix = "0" * difficulty
64 | nonce = 0
>>> 65 | while True:
66 | candidate = str(nonce)
67 | digest = hashlib.sha256(f"{challenge}{candidate}".encode()).hexdigest()
Severity: CRITICAL | CVSS: None | CWE: CWE-798
File: testing/signup/run_signup_tests.py Line(s): 38
36 | BASE_URL = os.getenv("API_BASE_URL", "http://localhost:8000")
37 | ORIGIN_SECRET = os.getenv("ORIGIN_SECRET", "your-cloudflare-injected-secret")
>>> 38 | REDIS_URL = os.getenv("REDIS_URL", "redis://:supersecretpassword123@192.168.1.64:6379/0")
39 | POW_DIFFICULTY = int(os.getenv("POW_DIFFICULTY", "4"))
40 | SIGNUP_URL = f"{BASE_URL}/auth/signup"
NVD References:
- CVE-2000-1139 The installation of Microsoft Exchange 2000 before Rev. A creates a user account with a known password, which could allow attackers to gain privileges, aka the "Exchange User Account" vulnerability.
- CVE-2005-0496 (CVSS: 9.8 CRITICAL) Arkeia Network Backup Client 5.x contains hard-coded credentials that effectively serve as a back door, which allows remote attackers to access the file system and possibly execute arbitrary commands.
- CVE-2005-3716 (CVSS: 7.5 HIGH) The SNMP daemon in UTStarcom F1000 VOIP WIFI Phone s2.0 running VxWorks 5.5.1 with kernel WIND 2.6 has hard-coded public credentials that cannot be changed, which allows attackers to obtain sensitive
Severity: MEDIUM | CVSS: None | CWE: None
File: testing/signup/run_signup_tests.py Line(s): 56
54 | prefix = "0" * difficulty
55 | nonce = 0
>>> 56 | while True:
57 | candidate = str(nonce)
58 | digest = hashlib.sha256(f"{challenge}{candidate}".encode()).hexdigest()
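Added example, written for this report and not taken from the NudR test scripts: the solve_pow loop flagged at testing/chat/run_chat_tests.py line 87, testing/cli/nudr_cli.py line 131, testing/cli/setup_accounts.py line 108, testing/feed/run_feed_tests.py line 144, testing/key_exchange/run_key_exchange_tests.py line 92, testing/settings/run_settings_tests.py line 63, testing/signin/run_signin_tests.py line 65 and testing/signup/run_signup_tests.py line 56, rewritten with an attempt cap, beside the server-side verifier such a loop has to satisfy. The digest construction (sha256 of challenge followed by the decimal nonce, target of `difficulty` leading '0' hex digits) mirrors the flagged lines; the cap, its size and verify_pow() with its input bounds are assumptions of this example.

```python
"""Editor-written example: bounded proof-of-work solver and its verifier.

Not code from the NudR project; the hash construction matches the flagged
test-script lines, everything else is this example's own design."""
import hashlib
from typing import Optional


def _digest(challenge: str, candidate: str) -> str:
    return hashlib.sha256(f"{challenge}{candidate}".encode()).hexdigest()


def expected_attempts(difficulty: int) -> int:
    """Each required hex digit is a 1-in-16 event, so work grows 16x per level."""
    return 16 ** difficulty


def solve_pow(challenge: str, difficulty: int,
              max_attempts: Optional[int] = None) -> Optional[str]:
    """Search nonces 0, 1, 2, ... and return the first that meets the target.

    Returns None once the cap is reached instead of spinning forever, which is
    the change that turns an unbounded-loop finding into a non-issue.  The
    default cap is 64 times the expected work, so a solvable challenge is
    abandoned with probability about exp(-64)."""
    if difficulty < 0 or difficulty > 64:
        raise ValueError("difficulty must be between 0 and 64 hex digits")
    if max_attempts is None:
        max_attempts = 64 * expected_attempts(difficulty)
    prefix = "0" * difficulty
    for nonce in range(max_attempts):
        candidate = str(nonce)
        if _digest(challenge, candidate).startswith(prefix):
            return candidate
    return None


def verify_pow(challenge: str, candidate: object, difficulty: int,
               max_len: int = 32) -> bool:
    """Server-side check: one hash, plus input bounds so a client cannot make
    the server hash an arbitrarily long nonce string."""
    if not isinstance(candidate, str) or not candidate.isdigit():
        return False
    if len(candidate) > max_len:
        return False
    return _digest(challenge, candidate).startswith("0" * difficulty)
```

The cap is the whole point of the change: a server that hands out an unsolvable or malformed challenge (or a difficulty higher than the client expects) should make the client fail fast, not pin a CPU core. On the verifying side the cost is one hash, so the only bound that matters there is on the nonce's length and alphabet.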
| Check | Count | Severity | Description |
|---|---|---|---|
| Magic Numbers | 868 | LOW | Unlabeled numeric constant 32 in app/config.py line 57. Extract to a named c... |
| Code Duplication | 588 | MEDIUM | Identical 6-line block found in: app/main.py:33, scripts/run_server.py:15. C... |
| Long Functions | 51 | MEDIUM | Function respond_to_consent_request in app/chat/service.py spans 60 lines (t... |
| Swallowed Exceptions | 44 | MEDIUM | Exception silently swallowed in app/core/image_scanner.py line 127. At minimum... |
| High Complexity | 35 | HIGH | Function scan_image in app/core/image_scanner.py has cyclomatic complexity o... |
| Dead Imports | 23 | LOW | annotations is imported but never used in app/chat/service.py... |
| Inefficient Patterns | 14 | LOW | Using global keyword makes code harder to test and reason about. Use parameter... |
| Deep Nesting | 11 | MEDIUM | Function chat_websocket in app/routes/chat/ws.py has nesting depth of 14 (th... |
- [MEDIUM] Long function: respond_to_consent_request() in app/chat/service.py spans 60 lines (line 249; threshold 50).
- [MEDIUM] Long function: submit_report() in app/chat/service.py spans 77 lines (line 502).
- [MEDIUM] Long function: get_sync_messages() in app/chat/service.py spans 51 lines (line 583).
- [MEDIUM] High complexity: scan_image() in app/core/image_scanner.py has cyclomatic complexity 19 (line 61; threshold 10).
- [MEDIUM] Long function: scan_image() in app/core/image_scanner.py spans 77 lines (line 61).
- [MEDIUM] Swallowed exception (except + pass): app/core/image_scanner.py line 127.
- [MEDIUM] Swallowed exception (except + pass): app/core/crypto/keys.py line 63.
- [MEDIUM] High complexity: build_masked_profile() in app/feed/service.py has cyclomatic complexity 20 (line 45).
- [MEDIUM] High complexity: profile_hash_to_client_dict() in app/feed/service.py has cyclomatic complexity 17 (line 90).
- [MEDIUM] High complexity: score_candidate() in app/feed/service.py has cyclomatic complexity 19 (line 125).
- [HIGH] High complexity: _compute_pool_inner() in app/feed/service.py has cyclomatic complexity 27 (line 196).
- [MEDIUM] Long function: _compute_pool_inner() in app/feed/service.py spans 168 lines (line 196).
- [MEDIUM] Long function: fetch_profile_for_feed() in app/feed/service.py spans 53 lines (line 432).
- [MEDIUM] Swallowed exception (except + pass): app/feed/service.py line 155.
- [MEDIUM] Swallowed exception (except + pass): app/feed/service.py line 165.
- [MEDIUM] High complexity: signin() in app/routes/auth/signin.py has cyclomatic complexity 20 (line 60).
- [MEDIUM] Long function: signin() in app/routes/auth/signin.py spans 125 lines (line 60).
- [HIGH] High complexity: signup() in app/routes/auth/signup.py has cyclomatic complexity 74 (line 215).
- [MEDIUM] Long function: signup() in app/routes/auth/signup.py spans 302 lines (line 215).
- [MEDIUM] Long function: get_chat_token() in app/routes/chat/token.py spans 54 lines (line 34).

Long functions are harder to test, review and maintain; functions over the complexity threshold should be decomposed; a swallowed exception should at minimum be logged. Two of these deserve attention ahead of the rest: the except-and-pass in app/core/crypto/keys.py line 63, because that module owns private-key zeroization (see the DeviceKeyPair docstring above) and a wipe that fails silently leaves key bytes in memory, and signup() in app/routes/auth/signup.py, whose complexity of 74 across 302 lines makes its validation branches hard to review for gaps.
Manifest(s): requirements.txt
| Package | Version |
|---|---|
| Pillow | ==11.1.0 |
| PyNaCl | ==1.5.0 |
| argon2-cffi | ==23.1.0 |
| cryptography | >=44.0.0 |
| fastapi | ==0.115.6 |
| pydantic[email] | ==2.10.4 |
| pydantic-settings | ==2.7.1 |
| python-multipart | ==0.0.20 |
| redis[hiredis] | ==5.2.1 |
| supabase | ==2.11.0 |
| uvicorn[standard] | ==0.34.0 |
Total dependency advisories: 12 (0 critical, 0 high, 0 with an available fix). Every entry carries CVSS None, severity UNKNOWN and no fix version, which indicates the SCA matcher did not resolve them against the pinned versions; several (PYSEC-2020-150 and PYSEC-2020-151 for uvicorn, PYSEC-2021-47 for pydantic) predate the pinned releases by years. Check each advisory's affected range against the pin before treating any of them as open. cryptography >=44.0.0 is the only unpinned lower bound in the manifest and therefore the only entry where the installed version can differ from what was scanned.
| Advisory | Package | Version | CVSS | Severity | Fix Available | Fix Version |
|---|---|---|---|---|---|---|
| GHSA-33c7-2mpw-hg34 | uvicorn | 0.34.0 | None | UNKNOWN | No | - |
| GHSA-f97h-2pfx-f59f | uvicorn | 0.34.0 | None | UNKNOWN | No | - |
| PYSEC-2020-150 | uvicorn | 0.34.0 | None | UNKNOWN | No | - |
| PYSEC-2020-151 | uvicorn | 0.34.0 | None | UNKNOWN | No | - |
| GHSA-5jqp-qgf6-3pvh | pydantic | 2.10.4 | None | UNKNOWN | No | - |
| GHSA-mr82-8j83-vxmv | pydantic | 2.10.4 | None | UNKNOWN | No | - |
| PYSEC-2021-47 | pydantic | 2.10.4 | None | UNKNOWN | No | - |
| GHSA-wp53-j4wj-2cfg | python-multipart | 0.0.20 | None | UNKNOWN | No | - |
| GHSA-mrfv-m5wm-5w6w | PyNaCl | 1.5.0 | None | UNKNOWN | No | - |
| GHSA-79v4-65xg-pq4g | cryptography | 44.0.0 | None | UNKNOWN | No | - |
| GHSA-r6ph-v2qm-q3c2 | cryptography | 44.0.0 | None | UNKNOWN | No | - |
| GHSA-cfh3-3jmp-rvhc | Pillow | 11.1.0 | None | UNKNOWN | No | - |
| Category | Name | Findings | Status |
|---|---|---|---|
| A01 | Broken Access Control | 0 | No Issues |
| A02 | Cryptographic Failures | 1 | See findings |
| A03 | Injection | 0 | No Issues |
| A04 | Insecure Design | 0 | No Issues |
| A05 | Security Misconfiguration | 0 | No Issues |
| A06 | Vulnerable and Outdated Components | 12 | See findings |
| A07 | Identification and Authentication Failures | 7 | See findings |
| A08 | Software and Data Integrity Failures | 0 | No Issues |
| A09 | Security Logging and Monitoring Failures | 0 | No Issues |
| A10 | Server-Side Request Forgery | 0 | No Issues |
Scan Quality Score: 75/100
| Check | Status | Notes |
|---|---|---|
| Static Analysis | Pass | SAST tools ran successfully |
| Pattern Screening | Pass | Regex-based pattern scanning |
| SCA (Dependencies) | Pass | Dependency CVE scanning |
| Secret Detection | Pass | Credential pattern scanning |
Function-level call graph in Mermaid syntax; each edge reads caller -->|calls| callee. Nodes are keyed by bare function name, so same-named functions from different files (the several main and signin functions, for instance) collapse into a single node, and some edges below therefore join code that never calls each other.
graph LR
revoke_consent -->|calls| upsert_consent
create_consent_request -->|calls| _expire_stale_consent_requests
create_consent_request -->|calls| ConsentAlreadyGranted
respond_to_consent_request -->|calls| upsert_consent
get_pending_consent_requests -->|calls| _expire_stale_consent_requests
persist_message -->|calls| _redis_set
persist_message -->|calls| _supabase_insert
submit_report -->|calls| _safe_id
ws_error -->|calls| ws_msg
scan_image -->|calls| _detect_format
scan_image -->|calls| _detect_trailing_bytes
scan_image -->|calls| _estimate_metadata_size
scan_image -->|calls| ScanResult
scan_image -->|calls| ImageScanError
scan_image -->|calls| _check_content_type_mismatch
scan_image -->|calls| _check_lsb_uniformity
record_violation -->|calls| drop_ip
record_duplicate_attempt -->|calls| drop_ip
dispatch -->|calls| _get_ip
sanitize_dict -->|calls| sanitize_str
make_session_token -->|calls| sign_token
create_session -->|calls| _session_key
create_session -->|calls| SessionInfo
validate_session -->|calls| _session_key
validate_session -->|calls| SessionInfo
revoke_session -->|calls| _session_key
encrypt_for_backup -->|calls| _derive_key
encrypt_for_backup -->|calls| _zero_bytes
decrypt_from_backup -->|calls| _derive_key
decrypt_from_backup -->|calls| _zero_bytes
__del__ -->|calls| zero_private_key
init_redis -->|calls| _redis_url_for_log
build_masked_profile -->|calls| _to_bool
build_masked_profile -->|calls| _to_json_str
build_masked_profile -->|calls| compute_age
profile_hash_to_client_dict -->|calls| _from_json_str
compute_feed_pool -->|calls| _compute_pool_inner
_compute_pool_inner -->|calls| _extract_target_gender
_compute_pool_inner -->|calls| score_candidate
_compute_pool_inner -->|calls| build_masked_profile
fetch_profile_for_feed -->|calls| build_masked_profile
fetch_profile_for_feed -->|calls| profile_hash_to_client_dict
fetch_photos_for_viewer -->|calls| _is_viewer_pro
signin -->|calls| _extract_risk_features
signin -->|calls| _extract_context
signin -->|calls| _fetch_attack_metrics
signup -->|calls| _parse_preferences
signup -->|calls| _extract_latitude
signup -->|calls| _extract_longitude
signup -->|calls| _extract_risk_features
signup -->|calls| _extract_context
signup -->|calls| _normalize_gender
signup -->|calls| _validate_dob
signup -->|calls| _validate_json_slugs
signup -->|calls| _record_signup_frequency
signup -->|calls| _fetch_attack_metrics
signup -->|calls| execute
signup -->|calls| _insert_profile_photo_rows
signup -->|calls| _store_verification_id
signup -->|calls| _check_geo_consistency
signup -->|calls| _store_profile_photos
_check_geo_consistency -->|calls| _haversine_km
_insert_profile_photo_rows -->|calls| execute
validate -->|calls| _extract_risk_features
validate -->|calls| _extract_context
validate -->|calls| _extract_latitude
validate -->|calls| _extract_longitude
validate -->|calls| _fetch_attack_metrics
execute -->|calls| _extract_latitude
execute -->|calls| _extract_longitude
get_chat_token -->|calls| _extract_bearer_token
chat_websocket -->|calls| _token_refresh_watchdog
chat_websocket -->|calls| _handle_chat_send
chat_websocket -->|calls| _handle_chat_sync
chat_websocket -->|calls| _handle_chat_keep
chat_websocket -->|calls| _handle_chat_media_viewed
chat_websocket -->|calls| _handle_consent_update
chat_websocket -->|calls| _handle_consent_query
chat_websocket -->|calls| _handle_consent_request
chat_websocket -->|calls| _handle_consent_respond
chat_websocket -->|calls| _handle_consent_revoke
chat_websocket -->|calls| _handle_screenshot_warning
chat_websocket -->|calls| _handle_chat_report
_handle_chat_send -->|calls| _find_connection_for_user
_handle_chat_media_viewed -->|calls| _find_connection_for_user
_handle_chat_media_viewed -->|calls| _schedule_media_deletion
_handle_consent_update -->|calls| _find_connection_for_user
_handle_consent_request -->|calls| _find_connection_for_user
_handle_consent_respond -->|calls| _find_connection_for_user
_handle_consent_revoke -->|calls| _find_connection_for_user
_handle_screenshot_warning -->|calls| _find_connection_for_user
get_feed_token -->|calls| _extract_bearer_token
get_feed_token -->|calls| _bg_compute
feed_websocket -->|calls| _token_refresh_watchdog
feed_websocket -->|calls| _handle_feed
feed_websocket -->|calls| _handle_feed_decision
feed_websocket -->|calls| _handle_update_feed
_handle_feed -->|calls| _bg_compute
_handle_feed_decision -->|calls| _async_upsert_decision
_handle_feed_decision -->|calls| _async_spend_flare
_handle_feed_decision -->|calls| _async_increment_counter
_handle_feed_decision -->|calls| _async_increment_match_counters
_handle_feed_decision -->|calls| _notify_match
_async_increment_match_counters -->|calls| _async_increment_counter
_notify_match -->|calls| _find_connection_for_user
get_latest_backup -->|calls| _extract_bearer_token
register_public_key -->|calls| _extract_bearer_token
register_public_key -->|calls| _get_ip
upload_backup -->|calls| _extract_bearer_token
get_keysync_token -->|calls| _extract_bearer_token
keysync_websocket -->|calls| _handle_key_exchange_init
keysync_websocket -->|calls| _handle_key_exchange_complete
_require_session -->|calls| _extract_bearer_token
update_profile -->|calls| _require_session
update_profile -->|calls| _validate_dob
update_privacy -->|calls| _require_session
update_photo_visibility -->|calls| _require_session
validate -->|calls| revoke
run -->|calls| WSTokenResult
run -->|calls| _persist_to_redis
run -->|calls| _persist_to_supabase
cloudflare_update_ruleset -->|calls| cloudflare_get_ruleset
lambda_handler -->|calls| put_secret
lambda_handler -->|calls| get_secret
lambda_handler -->|calls| finish_secret
lambda_handler -->|calls| cloudflare_update_ruleset
lambda_handler -->|calls| cloudflare_list_rulesets
lambda_handler -->|calls| cloudflare_create_ruleset
auth_headers -->|calls| cf_headers
sb_query -->|calls| _sb_headers
create_account -->|calls| flush_ip
create_account -->|calls| cf_headers
parallel_match -->|calls| _recv
run_tests -->|calls| solve_pow
run_tests -->|calls| auth_headers
run_tests -->|calls| wait_for_pool_ready
run_tests -->|calls| cf_headers
run_tests -->|calls| create_account
run_tests -->|calls| parallel_match
run_tests -->|calls| sb_query
run_tests -->|calls| Result
run_tests -->|calls| test_ws_connection
main -->|calls| run_tests
test_ws_connection -->|calls| make_ciphertext
test_ws_connection -->|calls| make_msg_id
test_ws_connection -->|calls| sb_query
test_ws_connection -->|calls| flush_ip
test_ws_connection -->|calls| auth_headers
test_ws_connection -->|calls| chat_connect
test_ws_connection -->|calls| Result
test_ws_connection -->|calls| chat_send_and_recv
test_ws_connection -->|calls| chat_recv
test_ws_connection -->|calls| _sb_headers
test_ws_connection -->|calls| cf_headers
feed_mode -->|calls| get_feed_token
chat_mode -->|calls| get_chat_token
chat_mode -->|calls| _print_chat_help
chat_mode -->|calls| get_matches
chat_mode -->|calls| derive_keys
chat_mode -->|calls| _poll_queue
chat_mode -->|calls| _display_incoming
chat_mode -->|calls| _ws_recv_one
chat_mode -->|calls| _handle_chat_command
_display_incoming -->|calls| decrypt_message
_handle_chat_command -->|calls| _print_chat_help
_handle_chat_command -->|calls| sb_query
_handle_chat_command -->|calls| _cmd_report
_handle_chat_command -->|calls| _cmd_send_media
_handle_chat_command -->|calls| _cmd_send_text
_cmd_send_text -->|calls| encrypt_message
_cmd_send_text -->|calls| _other_device_id
_cmd_send_media -->|calls| encrypt_message
_cmd_send_media -->|calls| _other_device_id
keysync_mode -->|calls| derive_keys
keysync_mode -->|calls| hdrs
settings_mode -->|calls| derive_keys
settings_mode -->|calls| signin
main_loop -->|calls| feed_mode
main_loop -->|calls| chat_mode
main_loop -->|calls| keysync_mode
main_loop -->|calls| settings_mode
main -->|calls| Session
main -->|calls| signin
main -->|calls| main_loop
hdrs -->|calls| auth_headers
derive_keys -->|calls| derive_shared_secret
derive_keys -->|calls| derive_session_key
signin -->|calls| cf_headers
get_feed_token -->|calls| hdrs
get_chat_token -->|calls| hdrs
get_matches -->|calls| sb_query
cleanup_stale_cli_accounts -->|calls| _sb_headers
seed_flare_balance -->|calls| _sb_headers
main -->|calls| cleanup_stale_cli_accounts
main -->|calls| solve_pow
main -->|calls| create_account
main -->|calls| gen_x25519_keypair
main -->|calls| seed_flare_balance
main -->|calls| auth_headers
_sb_headers_repr -->|calls| _sb_headers
sb_patch_user -->|calls| _sb_headers
sb_patch_settings -->|calls| _sb_headers
sb_delete_primary_photo -->|calls| _sb_headers
sb_patch_photo_visibility -->|calls| _sb_headers
sb_insert_decision -->|calls| _sb_headers_repr
sb_delete_decision -->|calls| _sb_headers
sb_insert_flare_balance -->|calls| _sb_headers_repr
sb_insert_subscription -->|calls| _sb_headers_repr
sb_query -->|calls| _sb_headers_repr
sb_verify -->|calls| _sb_headers
build_all_accounts -->|calls| _dob_for_age
run_ws -->|calls| ws_session
parallel_match_test -->|calls| _recv
get_feed_token -->|calls| auth_headers
run_tests -->|calls| build_all_accounts
run_tests -->|calls| sb_patch_user
run_tests -->|calls| sb_insert_subscription
run_tests -->|calls| sb_insert_flare_balance
run_tests -->|calls| sb_insert_decision
run_tests -->|calls| run_ws
run_tests -->|calls| fresh_token_a
run_tests -->|calls| extract_all_profiles
run_tests -->|calls| fresh_token_b
run_tests -->|calls| flush_ip
run_tests -->|calls| get_feed_token
run_tests -->|calls| print_pool_timing_summary
run_tests -->|calls| sb_verify
run_tests -->|calls| sb_delete_primary_photo
run_tests -->|calls| sb_patch_settings
run_tests -->|calls| sb_patch_photo_visibility
run_tests -->|calls| sb_delete_decision
run_tests -->|calls| parallel_match_test
fresh_token_a -->|calls| flush_ip
fresh_token_a -->|calls| get_feed_token
fresh_token_a -->|calls| wait_for_pool_ready
fresh_token_b -->|calls| flush_ip
fresh_token_b -->|calls| get_feed_token
fresh_token_b -->|calls| wait_for_pool_ready
sb_delete -->|calls| _sb_headers
run_tests -->|calls| load_public_key_b64
run_tests -->|calls| sb_delete
run_tests -->|calls| run_key_exchange
auth_headers -->|calls| cf_headers_clean
bootstrap_account -->|calls| flush_drop_and_rate
bootstrap_account -->|calls| cf_headers_clean
run_tests -->|calls| bootstrap_account
run_tests -->|calls| cf_headers_clean
create_test_account -->|calls| flush_drop_and_rate
create_test_account -->|calls| build_signup_form
create_test_account -->|calls| build_signup_files
create_test_account -->|calls| cf_headers_clean
run_tests -->|calls| create_test_account
run_tests -->|calls| flush_drop_and_rate
run_tests -->|calls| cf_headers_high_risk
run_tests -->|calls| load_device1_public_key_b64
run_tests -->|calls| example_ciphertext_b64
expected_private_b64 -->|calls| expected_private_payload
main -->|calls| load_device1_public_key_b64
main -->|calls| expected_private_b64
main -->|calls| expected_private_payload
build_valid_form -->|calls| random_preferences
build_files_with_photo2 -->|calls| build_files
run_tests -->|calls| build_valid_form
run_tests -->|calls| build_files
run_tests -->|calls| build_files_with_photo2
Class and function hierarchy with vulnerability heat markers.
graph TD
subgraph sg1["app/chat/constants.py 🟡"]
sg1__ChatKeys[["_ChatKeys"]]
sg1__ChatTTL[["_ChatTTL"]]
sg1_ws_token("ws_token()")
sg1_msg("msg()")
sg1_rate("rate()")
sg1_session("session()")
end
subgraph sg2["app/chat/service.py 🟡"]
sg2_verify_match_participant("verify_match_participant()")
sg2_get_other_user_id("get_other_user_id()")
sg2_check_consent("check_consent()")
sg2_get_effective_consent("get_effective_consent()")
sg2_upsert_consent("upsert_consent()")
sg2_revoke_consent("revoke_consent()")
sg2__expire_stale_consent_requests("_expire_stale_consent_requests()")
sg2_ConsentAlreadyGranted[["ConsentAlreadyGranted"]]
sg2_create_consent_request("create_consent_request()")
sg2_respond_to_consent_request("respond_to_consent_request()")
sg2_get_pending_consent_requests("get_pending_consent_requests()")
sg2_persist_message("persist_message()")
sg2_update_keep_flag("update_keep_flag()")
sg2_mark_media_viewed("mark_media_viewed()")
sg2_delete_expired_media("delete_expired_media()")
sg2_more["... +8 more"]
end
subgraph sg3["app/chat/types.py 🟢"]
sg3_ws_msg("ws_msg()")
sg3_ws_error("ws_error()")
end
subgraph sg4["app/config.py 🟢"]
sg4_Settings[["Settings"]]
sg4_get_supabase_credentials("get_supabase_credentials()")
sg4_get_audit_encryption_key("get_audit_encryption_key()")
sg4_get_verification_public_key("get_verification_public_key()")
end
subgraph sg5["app/core/abstracts.py 🟢"]
sg5_BaseRESTHandler[["BaseRESTHandler"]]
sg5_BaseWSHandler[["BaseWSHandler"]]
sg5_BaseTokenValidator[["BaseTokenValidator"]]
sg5_BaseRiskEvaluator[["BaseRiskEvaluator"]]
sg5_BaseStore[["BaseStore"]]
sg5_validate("validate()")
sg5_execute("execute()")
sg5_on_connect("on_connect()")
sg5_on_message("on_message()")
sg5_on_disconnect("on_disconnect()")
sg5_revoke("revoke()")
sg5_score("score()")
sg5_get("get()")
sg5_set("set()")
sg5_delete("delete()")
end
subgraph sg6["app/core/crypto/abstracts.py 🟡"]
sg6_CryptoViolationError[["CryptoViolationError"]]
sg6_BaseKeyPair[["BaseKeyPair"]]
sg6_BaseKeyAgreement[["BaseKeyAgreement"]]
sg6_BaseMessageEncryptor[["BaseMessageEncryptor"]]
sg6_BasePrivateKeyBackup[["BasePrivateKeyBackup"]]
sg6_BaseKeyStore[["BaseKeyStore"]]
sg6_public_key_bytes("public_key_bytes()")
sg6_public_key_b64("public_key_b64()")
sg6_sign_not_supported("sign_not_supported()")
sg6_zero_private_key("zero_private_key()")
sg6_derive_shared_secret("derive_shared_secret()")
sg6_derive_session_key("derive_session_key()")
sg6_encrypt("encrypt()")
sg6_decrypt("decrypt()")
sg6_encrypt_for_backup("encrypt_for_backup()")
sg6_more["... +6 more"]
end
subgraph sg7["app/core/crypto/aes_gcm.py 🟢"]
sg7_aes_gcm_encrypt("aes_gcm_encrypt()")
end
subgraph sg8["app/core/crypto/agreement.py 🟡"]
sg8_X25519KeyAgreement[["X25519KeyAgreement"]]
sg8_derive_shared_secret("derive_shared_secret()")
sg8_derive_session_key("derive_session_key()")
end
subgraph sg9["app/core/crypto/backup.py 🟡"]
sg9__zero_bytes("_zero_bytes()")
sg9_PrivateKeyBackup[["PrivateKeyBackup"]]
sg9_encrypt_for_backup("encrypt_for_backup()")
sg9_decrypt_from_backup("decrypt_from_backup()")
sg9__derive_key("_derive_key()")
end
subgraph sg10["app/core/crypto/encryptor.py 🟢"]
sg10_MessageEncryptor[["MessageEncryptor"]]
sg10_encrypt("encrypt()")
sg10_decrypt("decrypt()")
end
subgraph sg11["app/core/crypto/keys.py 🟡"]
sg11_DeviceKeyPair[["DeviceKeyPair"]]
sg11___init__("__init__()")
sg11_from_bytes("from_bytes()")
sg11_public_key_bytes("public_key_bytes()")
sg11_public_key_b64("public_key_b64()")
sg11_nacl_private_key("nacl_private_key()")
sg11_sign_not_supported("sign_not_supported()")
sg11_zero_private_key("zero_private_key()")
sg11___del__("__del__()")
end
subgraph sg12["app/core/image_scanner.py 🟢"]
sg12_ScanResult[["ScanResult"]]
sg12_ImageScanError[["ImageScanError"]]
sg12_scan_image("scan_image()")
sg12__detect_format("_detect_format()")
sg12__check_content_type_mismatch("_check_content_type_mismatch()")
sg12__detect_trailing_bytes("_detect_trailing_bytes()")
sg12__estimate_metadata_size("_estimate_metadata_size()")
sg12__check_lsb_uniformity("_check_lsb_uniformity()")
sg12___init__("__init__()")
end
subgraph sg13["app/core/middleware.py 🟢"]
sg13_CloudflareOriginMiddleware[["CloudflareOriginMiddleware"]]
sg13_dispatch("dispatch()")
end
subgraph sg14["app/core/pow.py 🟢"]
sg14_verify_pow("verify_pow()")
end
subgraph sg15["app/core/rate_limit.py 🟡"]
sg15_check_rate_limit("check_rate_limit()")
sg15_record_violation("record_violation()")
sg15_check_dropped("check_dropped()")
sg15_drop_ip("drop_ip()")
sg15_record_duplicate_attempt("record_duplicate_attempt()")
end
subgraph sg16["app/core/rate_limit_middleware.py 🟢"]
sg16__get_ip("_get_ip()")
sg16_RateLimitMiddleware[["RateLimitMiddleware"]]
sg16_dispatch("dispatch()")
end
subgraph sg17["app/core/risk.py 🟢"]
sg17_RiskDeterminer[["RiskDeterminer"]]
sg17_score("score()")
end
subgraph sg18["app/core/risk_db.py 🟡"]
sg18_check_risky_ip("check_risky_ip()")
sg18_flag_risky_ip("flag_risky_ip()")
sg18_check_risky_account("check_risky_account()")
sg18_check_account_banned("check_account_banned()")
end
subgraph sg19["app/core/sanitizer.py 🟢"]
sg19_sanitize_str("sanitize_str()")
sg19_sanitize_dict("sanitize_dict()")
sg19_deep_text_filter("deep_text_filter()")
sg19_validate_email_format("validate_email_format()")
sg19_validate_password_strength("validate_password_strength()")
sg19_validate_coordinates("validate_coordinates()")
end
subgraph sg20["app/core/security.py 🟡"]
sg20_hash_password("hash_password()")
sg20_generate_salt("generate_salt()")
sg20_generate_user_secret("generate_user_secret()")
sg20_sign_token("sign_token()")
sg20_make_session_token("make_session_token()")
sg20_encrypt_verification_id("encrypt_verification_id()")
sg20_validate_public_key("validate_public_key()")
end
subgraph sg21["app/core/session.py 🟡"]
sg21_SessionInfo[["SessionInfo"]]
sg21__session_key("_session_key()")
sg21_create_session("create_session()")
sg21_validate_session("validate_session()")
sg21_revoke_session("revoke_session()")
sg21_hash_session_token("hash_session_token()")
end
subgraph sg22["app/db/redis_client.py 🟡"]
sg22_init_redis("init_redis()")
sg22__redis_url_for_log("_redis_url_for_log()")
sg22_get_redis("get_redis()")
sg22_close_redis("close_redis()")
end
subgraph sg23["app/db/supabase_client.py 🟢"]
sg23_init_supabase("init_supabase()")
sg23_get_supabase("get_supabase()")
end
subgraph sg24["app/feed/constants.py 🟡"]
sg24__FeedKeys[["_FeedKeys"]]
sg24__FeedTTL[["_FeedTTL"]]
sg24_ws_token("ws_token()")
sg24_feed_pool("feed_pool()")
sg24_feed_profile("feed_profile()")
sg24_computing("computing()")
sg24_decision("decision()")
sg24_flare_balance("flare_balance()")
sg24_sub_tier("sub_tier()")
end
subgraph sg25["app/feed/service.py 🟡"]
sg25_compute_age("compute_age()")
sg25_build_masked_profile("build_masked_profile()")
sg25_profile_hash_to_client_dict("profile_hash_to_client_dict()")
sg25_score_candidate("score_candidate()")
sg25_compute_feed_pool("compute_feed_pool()")
sg25__compute_pool_inner("_compute_pool_inner()")
sg25_check_mutual_match("check_mutual_match()")
sg25_create_match("create_match()")
sg25_get_flare_balance("get_flare_balance()")
sg25_fetch_profile_for_feed("fetch_profile_for_feed()")
sg25_fetch_public_photos("fetch_public_photos()")
sg25__is_viewer_pro("_is_viewer_pro()")
sg25_fetch_photos_for_viewer("fetch_photos_for_viewer()")
sg25__to_bool("_to_bool()")
sg25__to_json_str("_to_json_str()")
sg25_more["... +2 more"]
end
subgraph sg26["app/feed/types.py 🟡"]
sg26_FeedTokenResponse[["FeedTokenResponse"]]
sg26_FeedProfile[["FeedProfile"]]
sg26_ws_msg("ws_msg()")
sg26_ws_error("ws_error()")
sg26_to_dict("to_dict()")
end
subgraph sg27["app/main.py 🟡"]
sg27_lifespan("lifespan()")
end
subgraph sg28["app/models/requests.py 🟢"]
sg28_BasePayload[["BasePayload"]]
sg28_SignupPayload[["SignupPayload"]]
sg28_SigninPayload[["SigninPayload"]]
sg28_SessionTokenPayload[["SessionTokenPayload"]]
sg28_KeyBackupUploadPayload[["KeyBackupUploadPayload"]]
sg28_ProfileUpdatePayload[["ProfileUpdatePayload"]]
sg28_PrivacyUpdatePayload[["PrivacyUpdatePayload"]]
sg28_PhotoVisibilityPayload[["PhotoVisibilityPayload"]]
end
subgraph sg29["app/models/responses.py 🟢"]
sg29_BaseResponse[["BaseResponse"]]
sg29_SignupResponse[["SignupResponse"]]
sg29_SigninResponse[["SigninResponse"]]
sg29_KeyBackupResponse[["KeyBackupResponse"]]
sg29_KeyBackupUploadResponse[["KeyBackupUploadResponse"]]
sg29_SettingsUpdateResponse[["SettingsUpdateResponse"]]
end
subgraph sg30["app/router.py 🟢"]
sg30_register_routes("register_routes()")
end
subgraph sg31["app/routes/auth/signin.py 🟢"]
sg31__extract_risk_features("_extract_risk_features()")
sg31__extract_context("_extract_context()")
sg31__fetch_attack_metrics("_fetch_attack_metrics()")
sg31_signin("signin()")
end
subgraph sg32["app/routes/auth/signup.py 🟡"]
sg32_SignupHandler[["SignupHandler"]]
sg32__parse_preferences("_parse_preferences()")
sg32__normalize_gender("_normalize_gender()")
sg32__validate_dob("_validate_dob()")
sg32__validate_json_slugs("_validate_json_slugs()")
sg32_signup("signup()")
sg32__extract_risk_features("_extract_risk_features()")
sg32__extract_context("_extract_context()")
sg32__fetch_attack_metrics("_fetch_attack_metrics()")
sg32__extract_latitude("_extract_latitude()")
sg32__extract_longitude("_extract_longitude()")
sg32__haversine_km("_haversine_km()")
sg32__check_geo_consistency("_check_geo_consistency()")
sg32__record_signup_frequency("_record_signup_frequency()")
sg32__store_verification_id("_store_verification_id()")
sg32_more["... +4 more"]
end
subgraph sg33["app/routes/chat/token.py 🟢"]
sg33__extract_bearer_token("_extract_bearer_token()")
sg33_get_chat_token("get_chat_token()")
end
subgraph sg34["app/routes/chat/ws.py 🟡"]
sg34_chat_websocket("chat_websocket()")
sg34__handle_chat_send("_handle_chat_send()")
sg34__handle_chat_sync("_handle_chat_sync()")
sg34__handle_chat_keep("_handle_chat_keep()")
sg34__handle_chat_media_viewed("_handle_chat_media_viewed()")
sg34__schedule_media_deletion("_schedule_media_deletion()")
sg34__handle_consent_update("_handle_consent_update()")
sg34__handle_consent_query("_handle_consent_query()")
sg34__handle_consent_request("_handle_consent_request()")
sg34__handle_consent_respond("_handle_consent_respond()")
sg34__handle_consent_revoke("_handle_consent_revoke()")
sg34__handle_screenshot_warning("_handle_screenshot_warning()")
sg34__handle_chat_report("_handle_chat_report()")
sg34__token_refresh_watchdog("_token_refresh_watchdog()")
sg34__find_connection_for_user("_find_connection_for_user()")
end
subgraph sg35["app/routes/feed/token.py 🟢"]
sg35__extract_bearer_token("_extract_bearer_token()")
sg35_get_feed_token("get_feed_token()")
sg35__bg_compute("_bg_compute()")
end
subgraph sg36["app/routes/feed/ws.py 🟡"]
sg36_feed_websocket("feed_websocket()")
sg36__handle_feed("_handle_feed()")
sg36__handle_feed_decision("_handle_feed_decision()")
sg36__handle_update_feed("_handle_update_feed()")
sg36__token_refresh_watchdog("_token_refresh_watchdog()")
sg36__bg_compute("_bg_compute()")
sg36__async_upsert_decision("_async_upsert_decision()")
sg36__async_spend_flare("_async_spend_flare()")
sg36__async_increment_counter("_async_increment_counter()")
sg36__async_increment_match_counters("_async_increment_match_counters()")
sg36__notify_match("_notify_match()")
sg36__find_connection_for_user("_find_connection_for_user()")
end
subgraph sg37["app/routes/health.py 🟢"]
sg37_health("health()")
end
subgraph sg38["app/routes/keys/backup.py 🟡"]
sg38__extract_bearer_token("_extract_bearer_token()")
sg38_get_latest_backup("get_latest_backup()")
end
subgraph sg39["app/routes/keys/register.py 🟡"]
sg39__RegisterPayload[["_RegisterPayload"]]
sg39__extract_bearer_token("_extract_bearer_token()")
sg39__get_ip("_get_ip()")
sg39_register_public_key("register_public_key()")
end
subgraph sg40["app/routes/keys/upload.py 🟡"]
sg40__extract_bearer_token("_extract_bearer_token()")
sg40_upload_backup("upload_backup()")
end
subgraph sg41["app/routes/keysync/token.py 🟢"]
sg41__extract_bearer_token("_extract_bearer_token()")
sg41_get_keysync_token("get_keysync_token()")
end
subgraph sg42["app/routes/keysync/ws.py 🟡"]
sg42_keysync_websocket("keysync_websocket()")
sg42__handle_key_exchange_init("_handle_key_exchange_init()")
sg42__handle_key_exchange_complete("_handle_key_exchange_complete()")
end
subgraph sg43["app/routes/settings/profile.py 🟡"]
sg43__extract_bearer_token("_extract_bearer_token()")
sg43__require_session("_require_session()")
sg43__validate_dob("_validate_dob()")
sg43_update_profile("update_profile()")
sg43_update_privacy("update_privacy()")
sg43_update_photo_visibility("update_photo_visibility()")
end
subgraph sg44["app/utils/key_exchange_helpers.py 🟡"]
sg44_make_key_name("make_key_name()")
sg44_validate_key_name("validate_key_name()")
sg44_validate_encrypted_format("validate_encrypted_format()")
end
subgraph sg45["app/ws/manager.py 🟢"]
sg45_WSTokenValidator[["WSTokenValidator"]]
sg45_ConnectionManager[["ConnectionManager"]]
sg45_validate("validate()")
sg45_revoke("revoke()")
sg45___init__("__init__()")
sg45_register("register()")
sg45_unregister("unregister()")
sg45_get("get()")
end
subgraph sg46["app/ws/token_maker.py 🟡"]
sg46_WSTokenResult[["WSTokenResult"]]
sg46_WebSocketTokenMaker[["WebSocketTokenMaker"]]
sg46___init__("__init__()")
sg46_run("run()")
sg46__persist_to_redis("_persist_to_redis()")
sg46__persist_to_supabase("_persist_to_supabase()")
end
subgraph sg47["scripts/count_supabase_accounts.py 🟢"]
sg47_main("main()")
end
subgraph sg48["terraform/lambda/rotate_origin_secret.py 🟡"]
sg48_get_secret("get_secret()")
sg48_put_secret("put_secret()")
sg48_finish_secret("finish_secret()")
sg48_cloudflare_get_ruleset("cloudflare_get_ruleset()")
sg48_cloudflare_list_rulesets("cloudflare_list_rulesets()")
sg48_cloudflare_create_ruleset("cloudflare_create_ruleset()")
sg48_cloudflare_update_ruleset("cloudflare_update_ruleset()")
sg48_lambda_handler("lambda_handler()")
end
subgraph sg49["testing/chat/run_chat_tests.py 🟡"]
sg49_solve_pow("solve_pow()")
sg49_cf_headers("cf_headers()")
sg49_auth_headers("auth_headers()")
sg49_flush_ip("flush_ip()")
sg49__sb_headers("_sb_headers()")
sg49_sb_query("sb_query()")
sg49_wait_for_pool_ready("wait_for_pool_ready()")
sg49_make_msg_id("make_msg_id()")
sg49_make_ciphertext("make_ciphertext()")
sg49_Result[["Result"]]
sg49_create_account("create_account()")
sg49_parallel_match("parallel_match()")
sg49_chat_connect("chat_connect()")
sg49_chat_send_and_recv("chat_send_and_recv()")
sg49_chat_recv("chat_recv()")
sg49_more["... +6 more"]
end
subgraph sg50["testing/cli/nudr_cli.py 🟡"]
sg50_derive_shared_secret("derive_shared_secret()")
sg50_derive_session_key("derive_session_key()")
sg50_encrypt_message("encrypt_message()")
sg50_decrypt_message("decrypt_message()")
sg50_cf_headers("cf_headers()")
sg50_auth_headers("auth_headers()")
sg50_solve_pow("solve_pow()")
sg50__other_device_id("_other_device_id()")
sg50__sb_headers("_sb_headers()")
sg50_sb_query("sb_query()")
sg50__stdin_reader("_stdin_reader()")
sg50_Session[["Session"]]
sg50_feed_mode("feed_mode()")
sg50_chat_mode("chat_mode()")
sg50__poll_queue("_poll_queue()")
sg50_more["... +18 more"]
end
subgraph sg51["testing/cli/setup_accounts.py 🟡"]
sg51__sb_headers("_sb_headers()")
sg51_cleanup_stale_cli_accounts("cleanup_stale_cli_accounts()")
sg51_solve_pow("solve_pow()")
sg51_cf_headers("cf_headers()")
sg51_auth_headers("auth_headers()")
sg51_flush_ip("flush_ip()")
sg51_gen_x25519_keypair("gen_x25519_keypair()")
sg51_create_account("create_account()")
sg51_seed_flare_balance("seed_flare_balance()")
sg51_main("main()")
end
subgraph sg52["testing/feed/run_feed_tests.py 🟡"]
sg52_solve_pow("solve_pow()")
sg52_cf_headers("cf_headers()")
sg52_flush_ip("flush_ip()")
sg52_auth_headers("auth_headers()")
sg52__sb_headers("_sb_headers()")
sg52__sb_headers_repr("_sb_headers_repr()")
sg52_sb_patch_user("sb_patch_user()")
sg52_sb_patch_settings("sb_patch_settings()")
sg52_sb_delete_primary_photo("sb_delete_primary_photo()")
sg52_sb_patch_photo_visibility("sb_patch_photo_visibility()")
sg52_sb_insert_decision("sb_insert_decision()")
sg52_sb_delete_decision("sb_delete_decision()")
sg52_sb_insert_flare_balance("sb_insert_flare_balance()")
sg52_sb_insert_subscription("sb_insert_subscription()")
sg52_sb_query("sb_query()")
sg52_more["... +19 more"]
end
subgraph sg53["testing/key_exchange/run_key_exchange_tests.py 🟡"]
sg53_solve_pow("solve_pow()")
sg53_cf_headers("cf_headers()")
sg53_auth_headers("auth_headers()")
sg53_flush_ip("flush_ip()")
sg53__sb_headers("_sb_headers()")
sg53_sb_query("sb_query()")
sg53_sb_delete("sb_delete()")
sg53_load_public_key_b64("load_public_key_b64()")
sg53_wait_for_pool_ready("wait_for_pool_ready()")
sg53_Result[["Result"]]
sg53_create_account("create_account()")
sg53_parallel_match("parallel_match()")
sg53_run_key_exchange("run_key_exchange()")
sg53_run_tests("run_tests()")
sg53_main("main()")
sg53_more["... +3 more"]
end
subgraph sg54["testing/settings/run_settings_tests.py 🟡"]
sg54_solve_pow("solve_pow()")
sg54_cf_headers_clean("cf_headers_clean()")
sg54_flush_drop_and_rate("flush_drop_and_rate()")
sg54_auth_headers("auth_headers()")
sg54_bootstrap_account("bootstrap_account()")
sg54_Result[["Result"]]
sg54_run_tests("run_tests()")
sg54_main("main()")
sg54___init__("__init__()")
sg54___str__("__str__()")
end
subgraph sg55["testing/signin/run_signin_tests.py 🟡"]
sg55_solve_pow("solve_pow()")
sg55_cf_headers_clean("cf_headers_clean()")
sg55_cf_headers_high_risk("cf_headers_high_risk()")
sg55_flush_drop_and_rate("flush_drop_and_rate()")
sg55_build_signup_form("build_signup_form()")
sg55_build_signup_files("build_signup_files()")
sg55_create_test_account("create_test_account()")
sg55_load_device1_public_key_b64("load_device1_public_key_b64()")
sg55_example_ciphertext_b64("example_ciphertext_b64()")
sg55_Result[["Result"]]
sg55_run_tests("run_tests()")
sg55_main("main()")
sg55___init__("__init__()")
sg55___str__("__str__()")
end
subgraph sg56["testing/signin/validation.py 🟢"]
sg56_load_device1_public_key_b64("load_device1_public_key_b64()")
sg56_expected_private_payload("expected_private_payload()")
sg56_expected_private_b64("expected_private_b64()")
sg56_main("main()")
end
subgraph sg57["testing/signup/run_signup_tests.py 🟡"]
sg57_solve_pow("solve_pow()")
sg57_random_preferences("random_preferences()")
sg57_cf_headers_clean("cf_headers_clean()")
sg57_cf_headers_high_risk("cf_headers_high_risk()")
sg57_build_valid_form("build_valid_form()")
sg57_build_files("build_files()")
sg57_build_files_with_photo2("build_files_with_photo2()")
sg57_flush_drop_and_rate("flush_drop_and_rate()")
sg57_Result[["Result"]]
sg57_run_tests("run_tests()")
sg57_main("main()")
sg57___init__("__init__()")
sg57___str__("__str__()")
end
- Dockerfile
- app/config.py
- app/main.py
- app/router.py
- app/__init__.py
- app/chat/constants.py
- app/chat/service.py
- app/chat/types.py
- app/chat/__init__.py
- app/core/abstracts.py
- app/core/image_scanner.py
- app/core/middleware.py
- app/core/pow.py
- app/core/rate_limit.py
- app/core/rate_limit_middleware.py
- app/core/risk.py
- app/core/risk_db.py
- app/core/sanitizer.py
- app/core/security.py
- app/core/session.py
- app/core/__init__.py
- app/core/crypto/abstracts.py
- app/core/crypto/aes_gcm.py
- app/core/crypto/agreement.py
- app/core/crypto/backup.py
- app/core/crypto/encryptor.py
- app/core/crypto/keys.py
- app/core/crypto/__init__.py
- app/db/redis_client.py
- app/db/supabase_client.py
- app/db/__init__.py
- app/feed/constants.py
- app/feed/service.py
- app/feed/types.py
- app/feed/__init__.py
- app/models/requests.py
- app/models/responses.py
- app/models/__init__.py
- app/routes/health.py
- app/routes/__init__.py
- app/routes/auth/signin.py
- app/routes/auth/signup.py
- app/routes/auth/__init__.py
- app/routes/chat/token.py
- app/routes/chat/ws.py
- app/routes/chat/__init__.py
- app/routes/feed/token.py
- app/routes/feed/ws.py
- app/routes/feed/__init__.py
- app/routes/keys/backup.py
- ACVAS v1.0 (Agentic Code Vulnerability Analysis System)
- Bandit (Python SAST)
- Semgrep (Multi-language SAST)
- cppcheck (C/C++ SAST)
- ESLint (JavaScript SAST)
- LLM Deep Analysis (GPT-4)
- Code Quality Analyzer (AST)
- sqlite-vec (Semantic Search)
- NIST NVD (National Vulnerability Database)
Generated by ACVAS v1.0 -- 2026-03-11T14:08:07.259390