mosaicstack/stack
1
0
Fork 0
Code Issues 30 Pull Requests 4 Actions Packages Projects Releases 15 Wiki Activity
Files
e0a16281b4ac0207ea48bf9fe61581a1a89eb32e
stack/apps/gateway/src/federation/oid.util.ts
Jarvis 0af3e218a1
All checks were successful
ci/woodpecker/pr/ci Pipeline was successful
Details
ci/woodpecker/push/ci Pipeline was successful
Details
fix(federation/auth-guard): remediate CRIT-1/CRIT-2 + HIGH-1..4 review findings 
- CRIT-1: Validate cert subjectUserId against grant.subjectUserId from DB;
  use authoritative DB value in FederationContext
- CRIT-2: Add @Inject(GrantsService) decorator (tsx/esbuild requirement)
- HIGH-1: Validate UTF8String TLV tag, length, and bounds in OID parser
- HIGH-2: Collapse all 403 wire messages to a generic string to prevent
  grant enumeration; keep internal logger detail
- HIGH-3: Assert federation wire envelope shape in all guard tests
- HIGH-4: Regression test for subjectUserId cert/DB mismatch

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-25 06:33:37 -05:00

4.6 KiB
Raw Blame History

View Raw
Reference in New Issue View Git Blame Copy Permalink