|
|
@@ -11,7 +11,7 @@
|
|
|
>
|
|
|
> Each finding is referenced as **F<N>** for later citation.
|
|
|
>
|
|
|
-> **Findings rolled up:** 5 sev-3 (5 fixed, 0 open), 27 sev-2 (20 fixed, 7 open), 42 sev-1.
|
|
|
+> **Findings rolled up:** 5 sev-3 (5 fixed, 0 open), 27 sev-2 (21 fixed, 6 open), 42 sev-1.
|
|
|
|
|
|
---
|
|
|
|
|
|
@@ -1070,6 +1070,24 @@
|
|
|
statement timeout. Each request also runs a separate `COUNT(*)`
|
|
|
over the same wrapped subquery, doubling cost.
|
|
|
- **Severity: 2**
|
|
|
+- **Status:** Fixed in `2cc1924`. `IpsController::parseSearchFilters`
|
|
|
+ rejects any `q` that doesn't match `/^[0-9a-fA-F:.]+$/` or exceeds
|
|
|
+ 64 chars (IPv6 max is 39) with 400 `validation_failed`, so the
|
|
|
+ non-anchored substring path can no longer be reached from the API.
|
|
|
+ `IpScoreRepository::searchIps` drops the `%q%` branch entirely —
|
|
|
+ the only LIKE shape it ever issues is `s.ip_text LIKE 'q%'`, and
|
|
|
+ it re-validates `q` with the same regex as defence-in-depth so a
|
|
|
+ future caller cannot accidentally reintroduce a full-table scan.
|
|
|
+ Same change incidentally closes F46 (`%`/`_` wildcard injection in
|
|
|
+ the IPs search), since neither character survives the regex.
|
|
|
+ Pre-auth and per-token admin rate limits added under F29
|
|
|
+ bound the cost of even the legitimate prefix path. The remaining
|
|
|
+ `COUNT(*)` cost on deep filters is tracked under F31/F32.
|
|
|
+ Regression tests in
|
|
|
+ `api/tests/Integration/Admin/IpsControllerTest.php`
|
|
|
+ (`testSearchRejectsNonIpShapedQuery`,
|
|
|
+ `testSearchRejectsOverlongQuery`,
|
|
|
+ `testSearchQueryIsPrefixAnchoredNotSubstring`).
|
|
|
|
|
|
### F31 — `AuditController` has no length cap, no max-offset cap, deep-offset scans
|
|
|
- **Files:** `api/src/Application/Admin/AuditController.php:58-101`,
|
chiappa