Etusivu Tutki Apua
Kirjaudu sisään
chiappa
/
irdb
peilaus alkaen https://git.snix.ch/chiappa/irdb.git
1
0
Haarauta 0
Tiedostot Esitykset 0
Selaa lähdekoodia

docs: mark SEC_REVIEW F13 as fixed in 40be6c1

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
chiappa 5 päivää sitten
vanhempi
40be6c1875
sitoutus
2bec88ea2a
1 muutettua tiedostoa jossa 25 lisäystä ja 1 poistoa
Jaettu näkymä Näytä diff tilastot
  1. 25 1
      doc/SEC_REVIEW.md

+ 25 - 1
doc/SEC_REVIEW.md
Näytä tiedosto 

@@ -11,7 +11,7 @@
 
 >
 
 > Each finding is referenced as **F<N>** for later citation.
 
 >
 
-> **Findings rolled up:** 5 sev-3 (5 fixed, 0 open), 27 sev-2 (7 fixed, 20 open), 42 sev-1.
 
+> **Findings rolled up:** 5 sev-3 (5 fixed, 0 open), 27 sev-2 (8 fixed, 19 open), 42 sev-1.
 
 
 ---
 
 
@@ -384,6 +384,30 @@
 
   `api_tokens`. If an old token leaks (config snapshot, image layer)
 
   the attacker authenticates indefinitely.
 
 - **Severity: 2**
 
+- **Status:** Fixed in `40be6c1`. `ServiceTokenBootstrap` now wraps
 
+  revoke-old + insert-new in `Connection::transactional()` (per F4): when the
 
+  configured `UI_SERVICE_TOKEN` does not match any current row but
 
+  one or more service-kind rows are currently active, every active
 
+  service-kind row is `revoked_at = now()`'d before the new row is
 
+  inserted. The revokes and the create roll back together if any
 
+  step fails — there is never an observable window with no service
 
+  token. New repository method
 
+  `TokenRepository::findActiveServiceTokens()` enumerates the rows
 
+  to revoke. The bootstrap also refuses to silently re-enable a
 
+  hash that is already present-but-revoked (operator must issue a
 
+  fresh value rather than rolling env back). Each revoke emits a
 
+  `token.revoked` audit row with
 
+  `details_json.reason = "rotated_by_bootstrap"` and the create
 
+  emits a `token.created` row carrying `source: "bootstrap"` and a
 
+  `rotated_from` array of revoked prefixes — so SOC tooling can
 
+  attribute the rotation and split automatic from operator-initiated
 
+  revocations. Both audit rows are attributed to `actor_kind=system`
 
+  via `AuditContext::system()`. Regression tests in
 
+  `api/tests/Integration/Auth/ServiceTokenBootstrapTest.php`
 
+  (`testBootstrapWithDifferentTokenRevokesPreviousAndInsertsNewRow`,
 
+  `testBootstrapRotationRevokesEveryPreviouslyActiveServiceToken`,
 
+  `testBootstrapRotationEmitsRevokedAndCreatedAuditRows`,
 
+  `testBootstrapRefusesToReEnablePreviouslyRevokedToken`).
 
 
 ### F14 — `/api/v1/auth/*` has no rate limit
 
 - **File:** `api/src/App/AppFactory.php:156-169`