首页 发现 帮助
登录
chiappa
/
irdb
镜像自地址 https://git.snix.ch/chiappa/irdb.git
1
0
派生 0
文件 工单管理 0
浏览代码

docs: mark SEC_REVIEW F43 as fixed in 8ff409f

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
chiappa 3 天之前
父节点
8ff409fff2
当前提交
bb72a427b4
共有 1 个文件被更改,包括 23 次插入1 次删除
分列视图 显示文件统计
  1. 23 1
      doc/SEC_REVIEW.md

+ 23 - 1
doc/SEC_REVIEW.md
查看文件 

@@ -11,7 +11,7 @@
 
 >
 
 > Each finding is referenced as **F<N>** for later citation.
 
 >
 
-> **Findings rolled up:** 5 sev-3 (5 fixed, 0 open), 27 sev-2 (27 fixed, 0 open), 42 sev-1 (10 fixed, 32 open).
 
+> **Findings rolled up:** 5 sev-3 (5 fixed, 0 open), 27 sev-2 (27 fixed, 0 open), 42 sev-1 (11 fixed, 31 open).
 
 
 ---
 
 
@@ -1455,6 +1455,28 @@
 
   component inherits a path-traversal sink. Tighten to a strict IP
 
   charset regex.
 
 - **Severity: 1**
 
+- **Status:** Fixed. Both routes now use the strict pattern
 
+  `[0-9a-fA-F.:%]+` instead of `.+`:
 
+  - `api/src/App/AppFactory.php` — `GET /api/v1/admin/ips/{ip:[0-9a-fA-F.:%]+}`
 
+  - `ui/src/App/AppFactory.php` — `GET /app/ips/{ip:[0-9a-fA-F.:%]+}`
 
+  The charset covers IPv4 dotted-quad (digits + `.`), IPv6 hex (digits
 
+  + a-f/A-F + `:`), and the `%` byte that survives the UI's
 
+  `rawurlencode($ip)` for IPv6 colons (e.g. `2001%3Adb8%3A%3A1`)
 
+  before the controller's `rawurldecode`. Anything outside that —
 
+  `/`, `..`, `?`, spaces, dashes, brackets — fails to match the route
 
+  and 404s before the handler can read `$args['ip']`. The handler's
 
+  existing `IpAddress::fromString` validation is kept as a second
 
+  layer (still rejects e.g. `999.999.999.999` which is in the
 
+  charset but not a valid IP). Regression tests:
 
+  `api/tests/Integration/Admin/IpsControllerTest.php` —
 
+  `testDetailRejectsNonIpShapedPaths` data-provider covers path
 
+  traversal (`..%2Fetc%2Fpasswd`), multi-segment paths (`/192.0.2.1/extra`),
 
+  query-injection probes, backslashes, spaces, dashes, and bracketed
 
+  IPv6 (`[2001:db8::1]`) — all 404 at the route layer. The existing
 
+  `testDetail404OnInvalidIp` (using `not-an-ip` with a dash) and
 
+  `testDetailRendersForUnknownIpWithCleanStatus` (using
 
+  `198.51.100.99`) document the 404-via-route vs.
 
+  200-via-handler split.
 
 
 ### F44 — Job name not strictly regex-validated before audit emission
 
 - **File:** `api/src/Application/Admin/JobsAdminController.php:90-130`