@@ -11,7 +11,7 @@
>
> Each finding is referenced as **F<N>** for later citation.
>
-> **Findings rolled up:** 5 sev-3 (5 fixed, 0 open), 27 sev-2 (19 fixed, 8 open), 42 sev-1.
+> **Findings rolled up:** 5 sev-3 (5 fixed, 0 open), 27 sev-2 (20 fixed, 7 open), 42 sev-1.
---
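Review bot: the sev-2 roll-up moves one finding from open to fixed (19/8 to 20/7, total still 27), which lines up with F29 being marked fixed in this same change, but the sev-1 figure still carries no fixed/open split. For consistency with the other two severities, and so the summary can be checked against the per-finding statuses the same way, suggest `42 sev-1 (N fixed, M open)` with the actual counts filled in.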
@@ -1041,6 +1041,22 @@
compromised Viewer token (Viewer is the OIDC default role) can
issue unlimited heavy queries.
- **Severity: 2**
+- **Status:** Fixed in `a997d65`. The admin route group now attaches
+ `RateLimitMiddleware` in the same two-position pattern used by the
+ public and auth groups (SEC_REVIEW F27): once as the outermost
+ layer (pre-auth, `ip:<REMOTE_ADDR>` bucket — throttles
+ invalid-bearer floods before TokenAuth queries the DB) and once
+ innermost (post-auth, `token:<tokenId>` bucket — caps an
+ authenticated Viewer driving the heavy admin queries flagged by
+ F30/F31/F32). The order added is
+ `rateLimit(token) → auditContext → impersonation → tokenAuth →
+ rateLimit(ip)` so execution runs `ip → tokenAuth → impersonation →
+ auditContext → token → controller`. Mitigates F29 directly and
+ bounds the impact of F30/F31/F32 until those land their own fixes.
+ Regression tests in `api/tests/Integration/Public/RateLimitTest.php`
+ (`testAdminRoutesAreRateLimited` — replaces the prior
+ `testAdminRoutesNotRateLimited` which encoded the bug as expected
+ behaviour — and `testAdminAuditLogIsRateLimitedPerToken`).
### F30 — `IpScoreRepository::searchIps` allows full-table scan via `q=%X%`
- **File:** `api/src/Infrastructure/Reputation/IpScoreRepository.php:146-307`
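Review bot: the pre-auth bucket is keyed on `ip:<REMOTE_ADDR>`, and the status text does not say how that address is resolved; behind a reverse proxy or load balancer REMOTE_ADDR is the proxy, so every client lands in one bucket and the outer layer either throttles all traffic together or, if sized for that, stops being a per-client control. Suggest a sentence recording where the client address comes from and, if a forwarded-for header is used, that it is honoured only from known proxies. Two smaller points: the admin regression tests live under `api/tests/Integration/Public/`, which is a misleading location for admin-route coverage, and the status bullet would be easier to verify if it noted the limits applied to the `ip:` and `token:` buckets rather than only the middleware order.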