Skip to content

17.4 · Debt register addendum (Deep Redo)

บทนี้เป็นส่วนเสริมของ 01 Master register หลัง DEEP REDO — อย่าใช้ตัวเลข 275 จาก index เป็น final จนกว่าจะ reconcile ครบ


สถานะ reconciliation

SourceStatus
Shallow pass (original Vol 17)275 items — baseline
Wave 1 deep scorecards (vtrc-api, cu-central, centralize, vtrc-web, vtrc-rc-bo)Expanded depth; IDs largely stable; new frontend SEC-* IDs
Wave 2 deep scorecards (benefit, recruit, pms, ai-recruit, chat, workflow, 2way-*, meeting-vtrc, vtrc-common, sso, job-scheduler)Many new Critical IDs — ดู Vol 12.5
Mobile / OCR / meeting-bo / recruitment-webDone (vtrc-mobile ~2k, meeting-bo*, ocr, report-log, recruitment-web)

New Critical IDs to merge (must-add)

IDRepoOne-line
SEC-2WAYAPI-012way-apiBackdoor i3admin
SEC-2WAYAPI-022way-apiSecret/AES/SSO fallback in source
SEC-2WAYAPI-032way-apiSQL injection raw string
SEC-2WAYAPI-042way-api@Public() mutations / LINE
SEC-2WAYVTRC-012way-vtrc-apiBypass "testnaja"
SEC-2WAYVTRC-022way-vtrc-apigetProfile PII no auth
SEC-2WAYVTRC-032way-vtrc-apiMongo/MSSQL creds in source
SEC-2WAYVTRC-072way-vtrc-apiupdateIncident no middleware
SEC-2WAYVTRC-082way-vtrc-apiSSO creds hardcode
SEC-BENEFIT-01..05benefit-apisecrets, SQLi, @Public medical/batch/upload
SEC-RECRUIT-01..03recruitment-apisecrets, EXEC injection, public blacklist
SEC-PMS-01..02pms-apipublic salary, shared JWT in git
SEC-AIRECRUIT-01..02ai-recruitment-apiAPI keys in git, no-role JWT
SEC-CHAT-01/04chat-center-apiSQLi, .env in git
SEC-WORKFLOW-01..02workflow-apino JWT verify, secrets in .env.example
SEC-COMMON-01/03vtrc-commonpublic writes, .env+Docker bake
SEC-MTVTRC-01/02/05/06meeting-vtrc-api.env, mockuser PII, auth commented, bypass broken
SEC-JOBSCHED-01..02job-scheduler-api.env committed, unauth cron POST
CORR-SSO-01sso-apiJWT issue commented
SEC-VTRC-RC-01..05vtrc-rc-backoffice.env, pathLogin, XSS, localStorage
SEC-VTRC-WEB-01..04vtrc-weblocalStorage, XSS, no CSP/SRI

Systemic patterns (unchanged, reinforced)

  1. .env production commit — ≥15 repos
  2. Shared JWT SECRET_KEY — benefit/recruit/ai-recruit/pms
  3. @Public() on write/PII — NestJS services
  4. Backdoor strings in source — 2way-api, 2way-vtrc-api, cu-central
  5. Raw SQL template literals — benefit, 2way, chat, recruit, vtrc-common, vtrc-api
  6. No secret manager anywhere

Next steps for Vol 17 maintainer

  1. Re-count all scorecard IDs after mobile/OCR agents complete
  2. Deduplicate shallow IDs (C1/C2) → deep IDs (SEC-VTRC-RC-*)
  3. Update index.md totals (replace 275)
  4. Re-sort by-severity / by-category chapters

กลับไป index