@@ -11,7 +11,7 @@
>
> Each finding is referenced as **F<N>** for later citation.
>
-> **Findings rolled up:** 5 sev-3 (5 fixed, 0 open), 27 sev-2 (27 fixed, 0 open), 42 sev-1 (14 fixed, 28 open).
+> **Findings rolled up:** 5 sev-3 (5 fixed, 0 open), 27 sev-2 (27 fixed, 0 open), 42 sev-1 (15 fixed, 27 open).
---
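Review bot: The sev-1 tally moves exactly one finding from open to fixed (`14 fixed, 28 open` to `15 fixed, 27 open`) and the total of 42 is unchanged, which reconciles with the single Status line added for F47 further down in this diff. Since this rollup is hand-maintained, consider naming the finding that moved in the commit message (or deriving the counts from the per-finding `Status:` lines) so later audits of the summary can be reconciled without re-reading every finding.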
@@ -1556,6 +1556,22 @@
forwarded to the prepared statement, wasting RAM/CPU per request.
Apply max length 128 plus an allowlist regex on `*_kind` fields.
- **Severity: 1**
+- **Status:** Fixed. The 128-char length cap from F31's fix
+ (`MAX_FILTER_LENGTH`) already covers `action`, `entity_type`,
+ `entity_id`, `subject_kind`, and `subject_id` — the
+ multi-megabyte-payload concern. F47 also asked for an allowlist
+ regex on the `*_kind` fields. New
+ `AuditController::KIND_PATTERN = '/^[a-z0-9][a-z0-9_-]*$/'`
+ applies to `entity_type` and `subject_kind`; `actor_kind` and
+ `actor_via` were already in-array-allowlisted. The pattern matches
+ every real `target_type` / `actor_kind` value the audit emitter
+ writes (`reporter`, `consumer`, `admin-token`, `manual_block`,
+ `oidc_role_mapping`, …) and rejects uppercase, dots, spaces, CR/LF,
+ and leading-dash inputs that wouldn't match any column value
+ anyway. Regression test
+ `AuditLogControllerTest::testKindFilterCharsetGate` covers
+ `entity_type` and `subject_kind` reject paths plus a
+ smoke-pass for known good kinds.
### F48 — MaxMind tarball extraction has no decompressed-size cap
- **File:** `api/src/Infrastructure/Enrichment/Downloaders/MaxMindDownloader.php:90-98`
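Review bot: The statement that the pattern rejects CR/LF is slightly too strong for the regex as written on the `AuditController::KIND_PATTERN = '/^[a-z0-9][a-z0-9_-]*$/'` line: in PHP's PCRE, `$` without the `D` (DOLLAR_ENDONLY) modifier also matches immediately before a single trailing newline, so `preg_match` accepts `"admin\n"` while still rejecting `"admin\r\n"` and any embedded newline. Suggest `'/^[a-z0-9][a-z0-9_-]*$/D'` (or anchoring with `\z`) and adding a trailing-LF case to `AuditLogControllerTest::testKindFilterCharsetGate` so the reject path asserts exactly what the status text promises. The rest of the wording checks out against the pattern: the leading `[a-z0-9]` does reject a leading dash, and the listed emitter values (`reporter`, `consumer`, `admin-token`, `manual_block`, `oidc_role_mapping`) are all lowercase with only `_` and `-`, so the smoke-pass set is consistent with the gate.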