首頁 探索 說明
登入
chiappa
/
irdb
镜像来自 https://git.snix.ch/chiappa/irdb.git
1
0
複刻 0
檔案 問題管理 0
瀏覽代碼

docs: mark SEC_REVIEW F34 as fixed in 3a4026b

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
chiappa 3 天之前
父節點
3a4026baf6
當前提交
1409ff2179
共有 1 個文件被更改,包括 23 次插入1 次删除
分割檢視 顯示文件統計
  1. 23 1
      doc/SEC_REVIEW.md

+ 23 - 1
doc/SEC_REVIEW.md
查看文件 

@@ -11,7 +11,7 @@
 
 >
 
 > Each finding is referenced as **F<N>** for later citation.
 
 >
 
-> **Findings rolled up:** 5 sev-3 (5 fixed, 0 open), 27 sev-2 (27 fixed, 0 open), 42 sev-1 (1 fixed, 41 open).
 
+> **Findings rolled up:** 5 sev-3 (5 fixed, 0 open), 27 sev-2 (27 fixed, 0 open), 42 sev-1 (2 fixed, 40 open).
 
 
 ---
 
 
@@ -1182,6 +1182,28 @@
 
   plaintext. SIEM exports / log access by lower-trust operators
 
   amount to accidental disclosure.
 
 - **Severity: 1**
 
+- **Status:** Fixed. New `App\Logging\LogIdentifier::fingerprint()` helper
 
+  produces a stable 12-hex-char SHA-256 prefix of any sensitive
 
+  identifier; an empty input collapses to the `empty` sentinel so log
 
+  matching doesn't fold an absent field into the SHA-256-of-empty
 
+  bucket. `LoginThrottle::recordFailure()` now logs `username_fp` and
 
+  `source_ip_fp` instead of the raw values on both the per-IP and
 
+  per-username buckets, on both the failure-with-no-lock and
 
+  lockout-triggered paths. `OidcController` logs `subject_fp` instead
 
+  of `subject` on the `user_disabled` denial and the no-role-assigned
 
+  branch. Triage by counting hits on a single fingerprint still works;
 
+  a SIEM reader no longer sees passwords typed in the username field,
 
+  raw client addresses, or IdP `sub` claims. (The fingerprint is not
 
+  cryptographic protection against an attacker with full log access
 
+  who is willing to brute-force a small space such as the IPv4
 
+  universe — that threat is out of scope for F34, which targets
 
+  accidental disclosure.) Regression tests:
 
+  `ui/tests/Unit/Logging/LogIdentifierTest.php`,
 
+  `LoginThrottleTest::testRecordFailureLogsFingerprintsNotRawIdentifiers`,
 
+  and the two new
 
+  `OidcFlowTest::test{NoneRoleDoesNotLogRawSubject,DisabledUserDeniedDoesNotLogRawSubject}`
 
+  cases (the latter exercised via a new `AppTestCase::captureLogs()`
 
+  helper that swaps in a Monolog `TestHandler`).
 
 
 ### F35 — `INTERNAL_JOB_TOKEN` has no minimum-length enforcement at startup
 
 - **File:** `api/src/Infrastructure/Http/Middleware/InternalTokenMiddleware.php:35-47`