|
|
@@ -11,7 +11,7 @@
|
|
|
>
|
|
|
> Each finding is referenced as **F<N>** for later citation.
|
|
|
>
|
|
|
-> **Findings rolled up:** 5 sev-3 (5 fixed, 0 open), 27 sev-2 (27 fixed, 0 open), 42 sev-1 (13 fixed, 29 open).
|
|
|
+> **Findings rolled up:** 5 sev-3 (5 fixed, 0 open), 27 sev-2 (27 fixed, 0 open), 42 sev-1 (14 fixed, 28 open).
|
|
|
|
|
|
---
|
|
|
|
|
|
@@ -1533,6 +1533,18 @@
|
|
|
meta-characters are not escaped. `?q=%` matches every row;
|
|
|
`?q=_____...` is a quadratic backtrack vector. The `IpsController`
|
|
|
validator only `trim()`s `q`; no length cap.
|
|
|
+- **Status:** Fixed by the F30 fix (`2cc1924`).
|
|
|
+ `IpsController::parseSearchFilters` now rejects any `q` not matching
|
|
|
+ `^[0-9a-fA-F:.]+$` or longer than 64 chars with 400
|
|
|
+ `validation_failed`; neither `%` nor `_` survives the charset, and
|
|
|
+ the source comment cites both F30 and F46. The repository's LIKE
|
|
|
+ path also re-validates with the same regex (defence-in-depth) and
|
|
|
+ only ever issues `s.ip_text LIKE 'q%'`. The earlier finding text
|
|
|
+ predates that fix; closing here for bookkeeping. Regression tests
|
|
|
+ in `api/tests/Integration/Admin/IpsControllerTest.php`:
|
|
|
+ `testSearchRejectsNonIpShapedQuery` covers `?q=%` and `?q=_____`
|
|
|
+ among other malformed shapes; `testSearchRejectsOverlongQuery`
|
|
|
+ caps the length at 64 chars.
|
|
|
- **Severity: 1**
|
|
|
|
|
|
### F47 — Unbounded length on string filters reaching SQL
|
chiappa