Главная Обзор Помощь
Вход
chiappa
/
irdb
зеркало из https://git.snix.ch/chiappa/irdb.git
1
0
Ответвить 0
Файлы Задачи 0
Просмотр исходного кода

docs: mark SEC_REVIEW F45 as fixed by F25 (33e9198)

F45 noted that `InternalNetworkMiddleware::ALLOWED_CIDRS` admitted
the entire RFC1918 universe (10/8, 172.16/12, 192.168/16). The F25
fix in commit 33e9198 already resolved this as a side-effect:

  - `DEFAULT_ALLOWED_CIDRS` is now `['127.0.0.1/32', '::1/128']`.
  - The constructor takes an explicit list; the container reads
    `INTERNAL_CIDR_ALLOWLIST` and passes the parsed CIDRs through.
  - Empty env → loopback-only.
  - The bundled scheduler moved to `network_mode: "service:api"` so
    its calls land on `127.0.0.1` and need no allowlist entry.

`InternalNetworkMiddlewareTest::defaultAddressProvider` already
asserts that 10/8, 172.16/12, and 192.168/16 sources are rejected
by default, so the regression coverage is in place. Closing F45
for bookkeeping; no new code change required.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
chiappa 3 дней назад
Родитель
82124b9d94
Сommit
fc6415ca6f
1 измененных файлов с 20 добавлено и 1 удалено
Единый вид Показать статистику Diff
  1. 20 1
      doc/SEC_REVIEW.md

+ 20 - 1
doc/SEC_REVIEW.md
Просмотреть файл 

@@ -11,7 +11,7 @@
 
 >
 
 >
 
 > Each finding is referenced as **F<N>** for later citation.
 
 > Each finding is referenced as **F<N>** for later citation.
 
 >
 
 >
 
-> **Findings rolled up:** 5 sev-3 (5 fixed, 0 open), 27 sev-2 (27 fixed, 0 open), 42 sev-1 (12 fixed, 30 open).
 
+> **Findings rolled up:** 5 sev-3 (5 fixed, 0 open), 27 sev-2 (27 fixed, 0 open), 42 sev-1 (13 fixed, 29 open).
 
 
 
 ---
 
 ---
 
 
 
@@ -1507,6 +1507,25 @@
 
   internal docker network passes the network gate. Safer: pin to a
 
   internal docker network passes the network gate. Safer: pin to a
 
   named docker-compose network or to the explicit scheduler IP.
 
   named docker-compose network or to the explicit scheduler IP.
 
 - **Severity: 1**
 
 - **Severity: 1**
 
+- **Status:** Fixed by the F25 fix (`33e9198`). The hardcoded RFC1918
 
+  list is gone; `InternalNetworkMiddleware::DEFAULT_ALLOWED_CIDRS` is
 
+  now `['127.0.0.1/32', '::1/128']` and the constructor takes an
 
+  explicit allowlist. The container wires that allowlist from the new
 
+  `INTERNAL_CIDR_ALLOWLIST` env var (parsed via
 
+  `InternalNetworkMiddleware::parseCidrList`); empty env →
 
+  loopback-only. The bundled scheduler also moved to
 
+  `network_mode: "service:api"` (so its calls land on `127.0.0.1`),
 
+  removing the only legitimate non-loopback caller in the default
 
+  topology — operators with a host-cron VM or other private-bridge
 
+  caller opt in by listing the explicit IP/CIDR. The earlier finding
 
+  text predates the F25 fix; closing here for bookkeeping. Regression
 
+  tests in
 
+  `api/tests/Unit/Http/InternalNetworkMiddlewareTest.php`:
 
+  `defaultAddressProvider` includes `rfc1918 10/8 rejected by
 
+  default`, `rfc1918 172.16/12 rejected by default`, `rfc1918
 
+  192.168/16 rejected by default`, and the loopback admit cases —
 
+  every previously-permissive RFC1918 source now 404s under the
 
+  default config.
 
 
 
 ### F46 — LIKE wildcard injection in IPs search `q`
 
 ### F46 — LIKE wildcard injection in IPs search `q`
 
 - **File:** `api/src/Infrastructure/Reputation/IpScoreRepository.php:155-162`
 
 - **File:** `api/src/Infrastructure/Reputation/IpScoreRepository.php:155-162`