17.4 · Debt register addendum (Deep Redo)
บทนี้เป็นส่วนเสริมของ 01 Master register หลัง DEEP REDO — อย่าใช้ตัวเลข 275 จาก index เป็น final จนกว่าจะ reconcile ครบ
สถานะ reconciliation
| Source | Status |
|---|---|
| Shallow pass (original Vol 17) | 275 items — baseline |
| Wave 1 deep scorecards (vtrc-api, cu-central, centralize, vtrc-web, vtrc-rc-bo) | Expanded depth; IDs largely stable; new frontend SEC-* IDs |
| Wave 2 deep scorecards (benefit, recruit, pms, ai-recruit, chat, workflow, 2way-*, meeting-vtrc, vtrc-common, sso, job-scheduler) | Many new Critical IDs — ดู Vol 12.5 |
| Mobile / OCR / meeting-bo / recruitment-web | Done (vtrc-mobile ~2k, meeting-bo*, ocr, report-log, recruitment-web) |
New Critical IDs to merge (must-add)
| ID | Repo | One-line |
|---|---|---|
SEC-2WAYAPI-01 | 2way-api | Backdoor i3admin |
SEC-2WAYAPI-02 | 2way-api | Secret/AES/SSO fallback in source |
SEC-2WAYAPI-03 | 2way-api | SQL injection raw string |
SEC-2WAYAPI-04 | 2way-api | @Public() mutations / LINE |
SEC-2WAYVTRC-01 | 2way-vtrc-api | Bypass "testnaja" |
SEC-2WAYVTRC-02 | 2way-vtrc-api | getProfile PII no auth |
SEC-2WAYVTRC-03 | 2way-vtrc-api | Mongo/MSSQL creds in source |
SEC-2WAYVTRC-07 | 2way-vtrc-api | updateIncident no middleware |
SEC-2WAYVTRC-08 | 2way-vtrc-api | SSO creds hardcode |
SEC-BENEFIT-01..05 | benefit-api | secrets, SQLi, @Public medical/batch/upload |
SEC-RECRUIT-01..03 | recruitment-api | secrets, EXEC injection, public blacklist |
SEC-PMS-01..02 | pms-api | public salary, shared JWT in git |
SEC-AIRECRUIT-01..02 | ai-recruitment-api | API keys in git, no-role JWT |
SEC-CHAT-01/04 | chat-center-api | SQLi, .env in git |
SEC-WORKFLOW-01..02 | workflow-api | no JWT verify, secrets in .env.example |
SEC-COMMON-01/03 | vtrc-common | public writes, .env+Docker bake |
SEC-MTVTRC-01/02/05/06 | meeting-vtrc-api | .env, mockuser PII, auth commented, bypass broken |
SEC-JOBSCHED-01..02 | job-scheduler-api | .env committed, unauth cron POST |
CORR-SSO-01 | sso-api | JWT issue commented |
SEC-VTRC-RC-01..05 | vtrc-rc-backoffice | .env, pathLogin, XSS, localStorage |
SEC-VTRC-WEB-01..04 | vtrc-web | localStorage, XSS, no CSP/SRI |
Systemic patterns (unchanged, reinforced)
.envproduction commit — ≥15 repos- Shared JWT
SECRET_KEY— benefit/recruit/ai-recruit/pms @Public()on write/PII — NestJS services- Backdoor strings in source — 2way-api, 2way-vtrc-api, cu-central
- Raw SQL template literals — benefit, 2way, chat, recruit, vtrc-common, vtrc-api
- No secret manager anywhere
Next steps for Vol 17 maintainer
- Re-count all scorecard IDs after mobile/OCR agents complete
- Deduplicate shallow IDs (
C1/C2) → deep IDs (SEC-VTRC-RC-*) - Update index.md totals (replace 275)
- Re-sort by-severity / by-category chapters
กลับไป index →