File SignedURL lifespan
When uploading a file there is the concept of a SignedURL that gives full access to the file in question for a lifespan of 7 days. This makes the file available to anyone who happens to have access to this URL.
Now there is the concept of a staging-area and a persistent-area. When uploading the file it first resides in the staging-area until metadata has been created and posted to the OSDU-instance; then it will be moved by the system from staging to persistent. BUT this is a manual process, and if the user somehow forgets or fails to do this second part, the file will stay in the staging-area.
So even if it is the user's or the process's "fault", the way OSDU has designed this might make the file potentially "open" for "anyone" (with the link).
Is this something that can/should be mitigated?
See also #38 for a mitigating action on the signed url.
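
As an added example (not part of the original issue and not OSDU code), the sketch below reads the validity window out of a signed URL and flags lifetimes above a policy limit, which is one way to check what the 7-day lifespan described above looks like on the wire. The issue does not say which storage backend is in use, so the query parameter names (SigV4-style `X-Amz-Date`/`X-Amz-Expires`, `X-Goog-Date`/`X-Goog-Expires`, and Azure SAS `st`/`se`) are assumptions, as are the one-hour limit and the sample URLs.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit, parse_qs

MAX_LIFETIME = timedelta(hours=1)  # assumed policy value, not an OSDU setting

def _param(query, name):
    """Case-insensitive lookup of a query parameter's first value."""
    for key, values in query.items():
        if key.lower() == name:
            return values[0]
    return None

def _utc(text):
    """Parse an ISO 8601 timestamp; treat a missing offset as UTC."""
    dt = datetime.fromisoformat(text.replace("Z", "+00:00"))
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)

def signed_url_window(url, issued_at=None):
    """Return (start, expiry) read from the URL, or None if it carries no expiry."""
    q = parse_qs(urlsplit(url).query)
    for prefix in ("x-amz-", "x-goog-"):  # SigV4-style: start date + seconds
        date, expires = _param(q, prefix + "date"), _param(q, prefix + "expires")
        if date and expires:
            start = datetime.strptime(date, "%Y%m%dT%H%M%SZ").replace(tzinfo=timezone.utc)
            return start, start + timedelta(seconds=int(expires))
    se = _param(q, "se")  # Azure SAS: absolute expiry, optional start
    if se:
        st = _param(q, "st")
        return (_utc(st) if st else issued_at), _utc(se)
    return None

def audit(url, issued_at=None, max_lifetime=MAX_LIFETIME):
    """Return (verdict, lifetime) for one signed URL."""
    window = signed_url_window(url, issued_at)
    if window is None:
        return "no-expiry-found", None
    start, expiry = window
    if start is None:
        return "unknown-start", None
    lifetime = expiry - start
    return ("too-long" if lifetime > max_lifetime else "ok"), lifetime

# Constructed sample URLs (not real endpoints or signatures)
SEVEN_DAY = ("https://storage.example.invalid/staging/file.las"
             "?X-Amz-Date=20240101T000000Z&X-Amz-Expires=604800&X-Amz-Signature=CONSTRUCTED")
SHORT_SAS = ("https://storage.example.invalid/staging/file.las"
             "?st=2024-01-01T00:00:00Z&se=2024-01-01T00:15:00Z&sig=CONSTRUCTED")

if __name__ == "__main__":
    for sample in (SEVEN_DAY, SHORT_SAS):
        print(audit(sample))
```

A URL with an Azure-style `se` but no `st` returns `unknown-start` unless the caller passes the time the URL was issued as `issued_at`.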