|
|
@@ -11,7 +11,7 @@
|
|
|
>
|
|
|
> Each finding is referenced as **F<N>** for later citation.
|
|
|
>
|
|
|
-> **Findings rolled up:** 5 sev-3 (5 fixed, 0 open), 27 sev-2 (27 fixed, 0 open), 42 sev-1 (12 fixed, 30 open).
|
|
|
+> **Findings rolled up:** 5 sev-3 (5 fixed, 0 open), 27 sev-2 (27 fixed, 0 open), 42 sev-1 (13 fixed, 29 open).
|
|
|
|
|
|
---
|
|
|
|
|
|
@@ -1507,6 +1507,25 @@
|
|
|
internal docker network passes the network gate. Safer: pin to a
|
|
|
named docker-compose network or to the explicit scheduler IP.
|
|
|
- **Severity: 1**
|
|
|
+- **Status:** Fixed by the F25 fix (`33e9198`). The hardcoded RFC1918
|
|
|
+ list is gone; `InternalNetworkMiddleware::DEFAULT_ALLOWED_CIDRS` is
|
|
|
+ now `['127.0.0.1/32', '::1/128']` and the constructor takes an
|
|
|
+ explicit allowlist. The container wires that allowlist from the new
|
|
|
+ `INTERNAL_CIDR_ALLOWLIST` env var (parsed via
|
|
|
+ `InternalNetworkMiddleware::parseCidrList`); empty env →
|
|
|
+ loopback-only. The bundled scheduler also moved to
|
|
|
+ `network_mode: "service:api"` (so its calls land on `127.0.0.1`),
|
|
|
+ removing the only legitimate non-loopback caller in the default
|
|
|
+ topology — operators with a host-cron VM or other private-bridge
|
|
|
+ caller opt in by listing the explicit IP/CIDR. The earlier finding
|
|
|
+ text predates the F25 fix; closing here for bookkeeping. Regression
|
|
|
+ tests in
|
|
|
+ `api/tests/Unit/Http/InternalNetworkMiddlewareTest.php`:
|
|
|
+ `defaultAddressProvider` includes `rfc1918 10/8 rejected by
|
|
|
+ default`, `rfc1918 172.16/12 rejected by default`, `rfc1918
|
|
|
+ 192.168/16 rejected by default`, and the loopback admit cases —
|
|
|
+ every previously-permissive RFC1918 source now 404s under the
|
|
|
+ default config.
|
|
|
|
|
|
### F46 — LIKE wildcard injection in IPs search `q`
|
|
|
- **File:** `api/src/Infrastructure/Reputation/IpScoreRepository.php:155-162`
|
chiappa