|
|
@@ -11,7 +11,7 @@
|
|
|
>
|
|
|
> Each finding is referenced as **F<N>** for later citation.
|
|
|
>
|
|
|
-> **Findings rolled up:** 5 sev-3 (5 fixed, 0 open), 27 sev-2 (27 fixed, 0 open), 42 sev-1 (5 fixed, 37 open).
|
|
|
+> **Findings rolled up:** 5 sev-3 (5 fixed, 0 open), 27 sev-2 (27 fixed, 0 open), 42 sev-1 (6 fixed, 36 open).
|
|
|
|
|
|
---
|
|
|
|
|
|
@@ -1313,6 +1313,22 @@
|
|
|
with no rate-limit. Worker threads still serve the request — a
|
|
|
cheap DoS lever on environments with the local path disabled.
|
|
|
- **Severity: 1**
|
|
|
+- **Status:** Fixed. `LocalLoginController::postLocal` now records a
|
|
|
+ `LoginThrottle` failure on the disabled-path branch before returning
|
|
|
+ the 404. The bucket key is `('', source_ip)` — an empty username
|
|
|
+ sentinel — so all hits from one source IP fold into the same per-IP
|
|
|
+ bucket regardless of what username field the attacker happens to
|
|
|
+ submit, defeating a rotating-username spray. Once locked, additional
|
|
|
+ hits skip `recordFailure` (the gate is `if (!isLocked) recordFailure`),
|
|
|
+ so the throttle file size is bounded by the lockout ladder rather
|
|
|
+ than by attacker request volume. The 404 status code is preserved on
|
|
|
+ both the locked and unlocked branches so the response doesn't leak
|
|
|
+ the lockout state to a probing attacker. Regression tests in
|
|
|
+ `ui/tests/Integration/Auth/LocalLoginTest.php`:
|
|
|
+ `testDisabledLocalAdminRecordsThrottleFailure` (5 hits with rotating
|
|
|
+ usernames from one IP trip the lockout) and
|
|
|
+ `testDisabledLocalAdminLockedHitDoesNotIncrementBucket` (50 more
|
|
|
+ hits while locked don't extend the lockout window).
|
|
|
|
|
|
### F39 — Token base32 encoding has trailing-bit ambiguity
|
|
|
- **Files:** `api/src/Domain/Auth/Token.php:18, 47`,
|
chiappa