
docs: mark SEC_REVIEW F58 as fixed in 95e206c

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
chiappa 3 days ago
Parent
Commit
b2d81caa70
1 changed file with 25 additions and 1 deletion

doc/SEC_REVIEW.md
+ 25 - 1

@@ -11,7 +11,7 @@
 >
 > Each finding is referenced as **F<N>** for later citation.
 >
-> **Findings rolled up:** 5 sev-3 (5 fixed, 0 open), 27 sev-2 (27 fixed, 0 open), 42 sev-1 (25 fixed, 17 open).
+> **Findings rolled up:** 5 sev-3 (5 fixed, 0 open), 27 sev-2 (27 fixed, 0 open), 42 sev-1 (26 fixed, 16 open).
 
 ---
 
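Review bot: the rollup arithmetic checks out (26 fixed + 16 open = 42 sev-1, the sev-2 and sev-3 totals are untouched), but this line is maintained by hand and nothing in the hunk says which finding moved from open to fixed; stating the finding id in the same edit (e.g. "F58 closed") or deriving the rollup from the per-finding Status lines would keep the counts auditable as more sev-1 items close.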
@@ -1898,6 +1898,30 @@
   the docs page executes attacker JS. Add SRI hashes on the RapiDoc
   tag, or vendor a copy locally.
 - **Severity: 1**
+- **Status:** Fixed. `DocsController` now emits the RapiDoc
+  `<script>` tag with `integrity="sha384-…"` and
+  `crossorigin="anonymous"`. The hash
+  (`MDSxszbIJtK/9YakZ3tvi2bK6LaaHnB8+Hd2/fCfih0tLa+Mqlv6HO0bZdrICjjG`)
+  was computed from the actual upstream bytes via `openssl dgst
+  -sha384 -binary | base64`. The browser refuses to execute the
+  script if the CDN serves different bytes — covers a jsDelivr
+  compromise, an in-flight content modification, or a hostile
+  origin failover. The hash is captured as a class constant
+  (`RAPIDOC_INTEGRITY`) alongside `RAPIDOC_URL` so a future
+  RapiDoc version bump is a documented two-line change with the
+  reproduction recipe in the docblock. The Caddyfile CSP is
+  unchanged: `script-src 'self' https://cdn.jsdelivr.net
+  'unsafe-inline'` still allows the CDN host (the SRI is the
+  per-bytes contract, the CSP entry is the per-host contract).
+  Vendoring locally was considered but rejected: the M01 Caddyfile
+  routes everything through PHP, and reshaping that to serve a
+  static asset would be a wider change than the F58 ask. The CDN
+  + SRI combination is the spec-accepted alternative.
+  Regression test:
+  `api/tests/Integration/Public/DocsControllerTest.php` —
+  `testDocsPageEmbedsRapiDocWithSriIntegrity` asserts the script
+  tag carries a well-formed sha384 SRI hash AND
+  `crossorigin="anonymous"`.
 
 ### F59 — Missing modern hardening headers
 - **Files:** `ui/docker/Caddyfile:18-34`,
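Review bot: the regression test described at the end of the Status block only checks that the script tag carries "a well-formed sha384 SRI hash", which would pass for any base64 string of the right length, including a stale or mistyped one; have `testDocsPageEmbedsRapiDocWithSriIntegrity` assert the emitted `integrity` value equals `DocsController::RAPIDOC_INTEGRITY` (and that `RAPIDOC_URL` pins an exact RapiDoc version, since an unpinned URL would now fail closed on the next upstream release). Two smaller points: the Status line does not name the fixing commit that the commit message cites (95e206c), so the reviewer has to look it up; and the note that the CSP still carries `'unsafe-inline'` in `script-src` is worth a cross-reference to whichever finding tracks that, because SRI protects the CDN-served bytes but does nothing for inline script.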