keisei/KeiSeiKit-1.0
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
KeiSeiKit-1.0/_primitives/_rust/kei-forge
History
Parfii-bot f7982f0415 fix(substrate): E2 — kei-forge security hardening (DNS rebind + CSRF + injection) 
Three HIGH security findings resolved in _primitives/_rust/kei-forge/:

- F-1: DNS rebinding — require_local_host middleware returns 421 on
  non-localhost Host headers
- F-2: CSRF via urlencoded — require_json_content_type middleware
  returns 415 on non-JSON; form HTML now POSTs JSON via fetch()
- crit#1/SA F-7: description sed injection — whitelist validator rejects
  newline/CR/tab/NUL/backtick/$/length>200, blocks the shell-script attack
  at the Rust layer
- crit#11: missing security headers — CSP, X-Frame-Options DENY,
  X-Content-Type-Options nosniff, Referrer-Policy no-referrer on GET /

Zero new deps (axum 0.7 middleware::from_fn + HeaderMap native).
Constructor Pattern compliant — 6 Cube files, largest 231 LOC including tests.

Tests: 29/29 (was 12/12; +17 new). Includes 4 adversarial integration
tests for each defence layer.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-23 00:49:49 +08:00
..
src fix(substrate): E2 — kei-forge security hardening (DNS rebind + CSRF + injection) 2026-04-23 00:49:49 +08:00
tests fix(substrate): E2 — kei-forge security hardening (DNS rebind + CSRF + injection) 2026-04-23 00:49:49 +08:00
Cargo.toml feat(stream-a): kei-forge MVP — local web wizard scaffolding atoms 2026-04-23 00:09:53 +08:00