Medium: No HTTPS Verification for CloudFront URLs

[kitzy]

Security Risk: Medium

Location: Line 1371 in FleetImporter/FleetImporter.py

Issue: No validation that CloudFront domain is actually HTTPS-capable before generating URLs.

return f"https://{domain}/{key}"

Impact:

• Could generate HTTP URLs if misconfigured
• No validation of domain format
• Potential for insecure package distribution

Recommended Fix:

# Validate domain format
if not domain or not domain.endswith(".cloudfront.net"):
    raise ProcessorError(f"Invalid CloudFront domain: {domain}")

# Explicitly ensure HTTPS
url = f"https://{domain}/{key}"

# Optional: Verify HTTPS is actually available
# (could be done once at initialization)

Priority: Medium - Could lead to insecure package distribution