
docs: mark SEC_REVIEW F66 and F67 as fixed in 4a764f5

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
chiappa, 3 days ago
parent
commit 0345b90174
1 changed file with 29 additions and 1 deletion
doc/SEC_REVIEW.md

+ 29 - 1
doc/SEC_REVIEW.md

@@ -11,7 +11,7 @@
 >
 > Each finding is referenced as **F<N>** for later citation.
 >
-> **Findings rolled up:** 5 sev-3 (5 fixed, 0 open), 27 sev-2 (27 fixed, 0 open), 42 sev-1 (33 fixed, 9 open).
+> **Findings rolled up:** 5 sev-3 (5 fixed, 0 open), 27 sev-2 (27 fixed, 0 open), 42 sev-1 (35 fixed, 7 open).
 
 ---
 
@@ -2112,6 +2112,25 @@
   misleading security signal. Either wire them into ETag/CSRF/session
   signing or remove them.
 - **Severity: 1**
+- **Status:** Fixed by removal. Neither secret was ever used for
+  signing or HMAC (no callsites under `api/src/` or `ui/src/`),
+  and adding fictional uses just to keep the env vars alive would
+  invent ceremony. Deleted from:
+  - `.env.example` — both `APP_SECRET` and `UI_SECRET` lines.
+  - `api/config/settings.php` — `'app_secret'` settings key.
+  - `ui/config/settings.php` — `'ui_secret'` settings key.
+  - `api/src/Application/Admin/ConfigController.php` — the
+    `APP_SECRET` line in the masked-config response, plus the
+    docblock-listed masking rules.
+  - `api/tests/Integration/Support/AppTestCase.php` and
+    `ui/tests/Integration/Support/AppTestCase.php` — test fixture
+    overrides.
+  - `doc/user-manual.md` and `doc/security.md` — operator guidance
+    that pointed at the removed env vars.
+  Operators upgrading from a prior release can leave the lines in
+  their `.env`; both apps now ignore them. F67 (validator-doesn't-
+  check-UI_SECRET) is closed by the same change since `UI_SECRET`
+  no longer exists to validate.
 
 ### F67 — UI `Config::validateOrExit` does not check `UI_SECRET` despite docs
 - **Files:** `ui/src/App/Config.php:20-55`,
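Review bot: the callsite check cited in the new status block ("no callsites under `api/src/` or `ui/src/`") does not cover the deployment surface, yet the removal list stops at `.env.example`, the two `settings.php` files, the admin config controller, test fixtures and docs; before closing F66, confirm that no container, CI or process-manager environment file still provisions `APP_SECRET` / `UI_SECRET`, otherwise operators keep generating a secret that nothing reads. The sentence "Operators upgrading from a prior release can leave the lines in their `.env`; both apps now ignore them" also assumes the config loaders tolerate unknown keys; since F67 is about `Config::validateOrExit`, state here whether that validator (and its API counterpart) ignores or rejects unrecognised variables. Finally, since the `APP_SECRET` line and its docblock masking rule were removed from `ConfigController.php`, a one-line note that the remaining masking rules still cover every other sensitive key in the masked-config response would make the closure self-contained.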
@@ -2121,6 +2140,15 @@
   it. Sessions are unsigned PHP-native files. Misleading
   documentation.
 - **Severity: 1**
+- **Status:** Fixed alongside F66 by removing `UI_SECRET` entirely
+  rather than wiring the signing the docs implied. The docs/
+  validator mismatch the SEC_REVIEW called out is resolved by
+  deleting the misleading half: `.env.example`,
+  `ui/config/settings.php`, and `doc/user-manual.md` /
+  `doc/security.md` no longer mention `UI_SECRET`. Sessions remain
+  PHP-native files (the storage was never actually signed by
+  anything in the existing code), but nothing in the deploy
+  documentation now claims otherwise.
 
 ### F68 — `/api/v1/openapi.yaml` and `/api/docs` are unauthenticated
 - **Files:** `api/src/App/AppFactory.php:99-101`,
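Review bot: the F67 status closes the docs/validator mismatch but leaves the residual condition from the finding text ("Sessions are unsigned PHP-native files") as an unstated accepted risk; a later reader who sees "Fixed" next to a finding that mentioned unsigned sessions may assume signing was added. Suggest the status say explicitly that file-backed, unsigned PHP sessions are accepted at sev-1 with a short justification (for example, that the session save path is not shared with untrusted processes), or that it point to a follow-up finding covering session hardening, so the closure matches the severity-1 scope rather than implying the storage changed.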