@@ -11,7 +11,7 @@
>
> Each finding is referenced as **F<N>** for later citation.
>
-> **Findings rolled up:** 5 sev-3 (5 fixed, 0 open), 27 sev-2 (27 fixed, 0 open), 42 sev-1 (39 fixed, 3 open).
+> **Findings rolled up:** 5 sev-3 (5 fixed, 0 open), 27 sev-2 (27 fixed, 0 open), 42 sev-1 (40 fixed, 2 open).
---
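Review bot: the sev-1 rollup moves by exactly one finding (39 fixed / 3 open to 40 fixed / 2 open), which reconciles with the single `**Status:** Fixed` line added in the second hunk of this patch, but the rollup line itself never says which finding closed, so a reader can only reconcile it against the old figure. Consider naming the closed finding's `F<N>` id in the rollup or in the commit message, and confirm that no other sev-1 status line changed in the same revision, since the sev-2 and sev-3 totals are untouched and the text gives no other anchor for the count.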
@@ -2304,6 +2304,24 @@
a few KB but mitigations are environment-specific. Tighten the
regex to a strict IP character class.
- **Severity: 1**
+- **Status:** Fixed by extending the F43 charset constraint with a
+ per-route length cap. Both routes
+ (`/api/v1/admin/ips/{ip}` and `/app/ips/{ip}`) now use
+ `[0-9a-fA-F.:%]{1,80}` instead of `[0-9a-fA-F.:%]+`. 80 chars
+ covers IPv4 (≤15), canonical IPv6 (≤39), and IPv6 with every
+ colon urlencoded as `%3A` (≤53) with comfortable headroom.
+ Anything past that — including the 10 MB string the SEC_REVIEW
+ called out — fails to match the route and 404s before
+ `rawurldecode` is invoked, before `IpAddress::fromString` runs
+ any regex, and before any future code path could read the param
+ as a filename / log key / downstream URL component. The web
+ server's URL-length limit is still the outermost bound; this
+ change is the deterministic application-layer cap that doesn't
+ rely on the deployment environment. Regression tests added in
+ `api/tests/Integration/Admin/IpsControllerTest.php` —
+ `testDetailRejectsNonIpShapedPaths` data-provider gains
+ `oversized digits` (81 ones) and `oversized hex` (200 a's),
+ both 404.
### F73 — UI `JsonExceptionHandler` `getCode()` type-juggling for HTTP status
- **File:** `ui/src/Http/JsonExceptionHandler.php:40-63`
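Review bot: the regression tests named in the new status line live only in `api/tests/Integration/Admin/IpsControllerTest.php`, yet the fix is said to tighten both `/api/v1/admin/ips/{ip}` and `/app/ips/{ip}`; add the same `oversized digits` / `oversized hex` cases against the `/app/ips/{ip}` route (or say where they are) so the second route's cap is pinned as well. Both new cases sit above the cap (81 and 200 characters); an exactly-80-character input that still matches the route would assert the boundary of `{1,80}` from the accept side, not only the reject side. Two points on the justification text: "canonical IPv6 (≤39)" leaves out the IPv4-mapped form `::ffff:a.b.c.d`, whose fully expanded spelling reaches 45 characters (57 with every colon as `%3A`), still under 80 but worth listing because it is the longest valid input; and the claim that a non-matching path 404s "before `rawurldecode` is invoked" holds only if the router matches on the raw request path, so please confirm that against the router in use, because a router that decodes before matching applies the 80-character cap to the decoded string and the `%` in the class then matches a literal `%`, not the `%3A` encoding the 53-character estimate assumes.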