@@ -11,7 +11,7 @@
>
> Each finding is referenced as **F<N>** for later citation.
>
-> **Findings rolled up:** 5 sev-3 (5 fixed, 0 open), 27 sev-2 (27 fixed, 0 open), 42 sev-1 (35 fixed, 7 open).
+> **Findings rolled up:** 5 sev-3 (5 fixed, 0 open), 27 sev-2 (27 fixed, 0 open), 42 sev-1 (36 fixed, 6 open).
---
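Review bot: the rollup change (sev-1 from 35 fixed / 7 open to 36 fixed / 6 open) is a hand-maintained tally, so the commit should say which finding it accounts for. The only status this change flips to Fixed is the sev-1 API-docs finding in the second hunk, which matches the +1/-1 here, but the summary line itself gives a reviewer no way to verify that without reading the whole document. Consider deriving the per-severity totals from the findings' `Status:` lines, or at least citing the F<N> being closed next to the recount, so the rollup cannot drift from the findings it summarises.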
@@ -2159,6 +2159,24 @@
internet-reachable. Aids reconnaissance. Gate behind a flag like
`API_DOCS_PUBLIC` or move to an authenticated path.
- **Severity: 1**
+- **Status:** Fixed. New `api_docs_public` setting (read from the
+ `API_DOCS_PUBLIC` env var, default `false`). `AppFactory::build`
+ now only registers `GET /api/docs` and `GET /api/v1/openapi.yaml`
+ when the flag is `true`; with the default, both paths are simply
+ never registered, so Slim returns 404 like any other unmapped
+ path. Operators who want the docs viewer (open APIs, dev
+ environments) opt in by setting `API_DOCS_PUBLIC=true` in the
+ environment. The `.env.example` documents the gate alongside the
+ other api-side settings. Caddyfile's `@docs`-path CSP block is
+ unchanged — it now only takes effect for the 404 responses on
+ the unregistered paths, which is harmless. Regression tests in
+ `api/tests/Integration/Public/DocsControllerTest.php`:
+ `testDocsPageIs404ByDefault` and `testOpenapiSpecIs404ByDefault`
+ exercise the off-state directly; the F58 SRI test
+ (`testDocsPageEmbedsRapiDocWithSriIntegrity`) and the spec-served
+ smoke test now route through a small `enableDocs()` helper that
+ flips the setting and rebuilds the app, mirroring the binding-
+ override pattern `JobsAdminControllerTest` already uses.
### F69 — `ReportController` parses unbounded JSON body before size checks
- **Files:** `api/src/Application/Public/ReportController.php:99-113, 184-197`,
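Review bot: the new status says `api_docs_public` is read from the `API_DOCS_PUBLIC` env var with default `false`, but an environment variable is always a string, so please confirm the settings loader converts it with `filter_var($value, FILTER_VALIDATE_BOOLEAN)` (or an equivalent explicit parse) rather than a plain truthiness check; otherwise `API_DOCS_PUBLIC=false` or `API_DOCS_PUBLIC=0` in an operator's `.env` would enable the docs viewer. The two off-state tests named here (`testDocsPageIs404ByDefault`, `testOpenapiSpecIs404ByDefault`) only cover the unset/default case, so a third test asserting 404 when the variable is set to the string `"false"` would close that gap. Separately, the other findings in this document cite `file:line` locations (see the F69 `Files:` line that follows), but this status never says where `api_docs_public` is defined or where `AppFactory::build` consults it; adding those paths would make the fix locatable from the report alone.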