@@ -11,7 +11,7 @@
>
>
> Each finding is referenced as **F<N>** for later citation.
> Each finding is referenced as **F<N>** for later citation.
>
>
-> **Findings rolled up:** 5 sev-3 (5 fixed, 0 open), 27 sev-2 (27 fixed, 0 open), 42 sev-1 (33 fixed, 9 open).
+> **Findings rolled up:** 5 sev-3 (5 fixed, 0 open), 27 sev-2 (27 fixed, 0 open), 42 sev-1 (35 fixed, 7 open).
---
---
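Review bot: the arithmetic in the updated rollup line is consistent (sev-1 total stays at 42, fixed goes 33 to 35, open goes 9 to 7), and the two additional closures correspond to the F66 and F67 status entries added later in this patch; since the rollup is quoted inline, consider also recording the review revision or date it was recomputed at, so a reader of the summary can tell which finding states it reflects without diffing the whole document.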
@@ -2112,6 +2112,25 @@
misleading security signal. Either wire them into ETag/CSRF/session
misleading security signal. Either wire them into ETag/CSRF/session
signing or remove them.
signing or remove them.
- **Severity: 1**
- **Severity: 1**
+- **Status:** Fixed by removal. Neither secret was ever used for
+ signing or HMAC (no callsites under `api/src/` or `ui/src/`),
+ and adding fictional uses just to keep the env vars alive would
+ invent ceremony. Deleted from:
+ - `.env.example` — both `APP_SECRET` and `UI_SECRET` lines.
+ - `api/config/settings.php` — `'app_secret'` settings key.
+ - `ui/config/settings.php` — `'ui_secret'` settings key.
+ - `api/src/Application/Admin/ConfigController.php` — the
+ `APP_SECRET` line in the masked-config response, plus the
+ docblock-listed masking rules.
+ - `api/tests/Integration/Support/AppTestCase.php` and
+ `ui/tests/Integration/Support/AppTestCase.php` — test fixture
+ overrides.
+ - `doc/user-manual.md` and `doc/security.md` — operator guidance
+ that pointed at the removed env vars.
+ Operators upgrading from a prior release can leave the lines in
+ their `.env`; both apps now ignore them. F67 (validator-doesn't-
+ check-UI_SECRET) is closed by the same change since `UI_SECRET`
+ no longer exists to validate.
### F67 — UI `Config::validateOrExit` does not check `UI_SECRET` despite docs
### F67 — UI `Config::validateOrExit` does not check `UI_SECRET` despite docs
- **Files:** `ui/src/App/Config.php:20-55`,
- **Files:** `ui/src/App/Config.php:20-55`,
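Review bot: the F66 status removes both the `APP_SECRET` line from the masked-config response in `api/src/Application/Admin/ConfigController.php` and its docblock masking rule, while also telling operators they may leave `APP_SECRET` in an upgraded `.env`; please confirm that the masked-config response is built from the settings array (which no longer carries `'app_secret'`) rather than from the raw environment, otherwise a leftover value would now be returned without the masking rule that used to cover it, and state that in the status. Separately, the "no callsites under `api/src/` or `ui/src/`" claim is scoped to two directories, yet the deletion list itself shows references living in `config/`, `tests/` and `doc/`; record the search (pattern and scope) as repo-wide so the closure is verifiable, e.g. "grep for `APP_SECRET|UI_SECRET|app_secret|ui_secret` across the repository returns no hits".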
@@ -2121,6 +2140,15 @@
it. Sessions are unsigned PHP-native files. Misleading
it. Sessions are unsigned PHP-native files. Misleading
documentation.
documentation.
- **Severity: 1**
- **Severity: 1**
+- **Status:** Fixed alongside F66 by removing `UI_SECRET` entirely
+ rather than wiring the signing the docs implied. The docs/
+ validator mismatch the SEC_REVIEW called out is resolved by
+ deleting the misleading half: `.env.example`,
+ `ui/config/settings.php`, and `doc/user-manual.md` /
+ `doc/security.md` no longer mention `UI_SECRET`. Sessions remain
+ PHP-native files (the storage was never actually signed by
+ anything in the existing code), but nothing in the deploy
+ documentation now claims otherwise.
### F68 — `/api/v1/openapi.yaml` and `/api/docs` are unauthenticated
### F68 — `/api/v1/openapi.yaml` and `/api/docs` are unauthenticated
- **Files:** `api/src/App/AppFactory.php:99-101`,
- **Files:** `api/src/App/AppFactory.php:99-101`,
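Review bot: the F67 status closes the docs/validator mismatch but leaves the residual it names ("Sessions remain PHP-native files ... never actually signed") without a disposition; since the finding was severity 1 for misleading documentation only, add one sentence saying whether unsigned PHP-native session storage is accepted as-is or tracked under a separate finding, so the rollup does not silently absorb it. Also, "The docs/ validator mismatch" reads like a path fragment next to the real `doc/` directory cited two lines later; "docs-versus-validator mismatch" would avoid the ambiguity.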