|
|
@@ -11,7 +11,7 @@
|
|
|
>
|
|
|
> Each finding is referenced as **F<N>** for later citation.
|
|
|
>
|
|
|
-> **Findings rolled up:** 5 sev-3 (5 fixed, 0 open), 27 sev-2 (27 fixed, 0 open), 42 sev-1 (32 fixed, 10 open).
|
|
|
+> **Findings rolled up:** 5 sev-3 (5 fixed, 0 open), 27 sev-2 (27 fixed, 0 open), 42 sev-1 (33 fixed, 9 open).
|
|
|
|
|
|
---
|
|
|
|
|
|
@@ -2082,6 +2082,25 @@
|
|
|
Add a JWT regex
|
|
|
`^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$`.
|
|
|
- **Severity: 1**
|
|
|
+- **Status:** Fixed. Both `SecretScrubbingProcessor` value-pattern
|
|
|
+ lists (api and ui) gained two entries:
|
|
|
+ - `\beyJ[A-Za-z0-9_-]{4,}\.[A-Za-z0-9_-]{4,}\.[A-Za-z0-9_-]{4,}\b`
|
|
|
+ → `eyJ***`. Anchored on `eyJ` because every JWT header is the
|
|
|
+ base64url encoding of a JSON object that starts with `{"…`,
|
|
|
+ which is `eyJ…`. Anchoring eliminates false positives on
|
|
|
+ dotted-quad IPs (`192.168.1.1`), shared-object names
|
|
|
+ (`lib.so.6`), and arbitrary `a.b.c`-shaped prose; the per-
|
|
|
+ segment `{4,}` floor skips pathological short matches.
|
|
|
+ - The Bearer floor `[A-Za-z0-9._\-]{20,}` was lowered to `{8,}`
|
|
|
+ so a `Bearer abc12345` short token (the SEC_REVIEW called
|
|
|
+ out `< 20 char` Bearers slipping through) gets caught.
|
|
|
+ Regression tests:
|
|
|
+ - api: `testRawJwtInValueIsScrubbed`,
|
|
|
+ `testRawJwtInMessageIsScrubbed`,
|
|
|
+ `testShortBearerTokenIsScrubbed`,
|
|
|
+ `testIpAddressDoesNotMatchJwtRegex` (false-positive guard).
|
|
|
+ - ui: `testRawJwtInValueIsScrubbed`, `testShortBearerIsScrubbed`.
|
|
|
+ All existing tests still pass.
|
|
|
|
|
|
### F66 — `APP_SECRET` and `UI_SECRET` declared but unused
|
|
|
- **Files:** `.env.example:23, 82`,
|
chiappa