fix: add remediations on EXT-2 DoS and Auth Failures #916

Open
Manuthor wants to merge 14 commits into develop from test/owasp

@Manuthor (Contributor)

OWASP security hardening across the KMS server:

  • EXT2-2/A03-2: TTLV binary parser recursion depth limit (MAX=64) + tests
  • EXT2-3/A03-3: TTLV XML parser stack depth limit (MAX=64)
  • EXT2-1/A04-1: HTTP payload limit 10GB -> 64MB (PayloadConfig + JsonConfig)
  • EXT2-5/A04-2: Rate-limiting via actix-governor (KMS_RATE_LIMIT_PER_SECOND config)
  • A05-1/A01-1: Replace Cors::permissive() on KMIP default scope with Cors::default()
  • A07-1: JWT algorithm confusion fix: asymmetric-only allowlist + explicit validation.algorithms
  • A07-2: API token constant-time comparison via subtle::ConstantTimeEq
  • A09-1: DB URL password masking in Display impl (mask_db_url_password helper)
  • A09-2: TLS P12 password proper [****] redaction
  • Update audit script CORS check for enterprise-integration scopes

cargo clippy-all: clean
cargo test-non-fips: 0 failures
audit.sh: 8 PASS, 8 WARN, 0 FAIL
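
The recursion depth limit named in the EXT2-2/A03-2 item, sketched as an added example that is not code from this pull request or from the KMS server. It walks KMIP TTLV bytes (3-byte tag, 1-byte type, 4-byte length, value padded to 8 bytes) and refuses input nested deeper than 64 structures; every name except the limit of 64 is an assumption.

```rust
// Added illustration, not the KMS server's parser. Only the limit of 64 comes
// from the PR description; all names here are hypothetical.
const MAX_DEPTH: usize = 64;
const TYPE_STRUCTURE: u8 = 0x01; // KMIP TTLV item type "Structure"

#[derive(Debug, PartialEq)]
pub enum TtlvError { Truncated, DepthExceeded }

/// Walks the TTLV items in `buf` and returns how many it contains.
/// `depth` is the number of structures enclosing `buf` (0 at the top level).
pub fn count_items(buf: &[u8], depth: usize) -> Result<usize, TtlvError> {
    // Refuse before touching the nested bytes, so deep nesting cannot
    // grow the call stack past a fixed bound.
    if depth > MAX_DEPTH {
        return Err(TtlvError::DepthExceeded);
    }
    let (mut pos, mut items) = (0usize, 0usize);
    while pos < buf.len() {
        // Header: 3-byte tag, 1-byte type, 4-byte big-endian length.
        let hdr = buf.get(pos..pos + 8).ok_or(TtlvError::Truncated)?;
        let len = u32::from_be_bytes([hdr[4], hdr[5], hdr[6], hdr[7]]) as usize;
        // Values are padded to a multiple of 8 bytes; the length excludes padding.
        let padded = len.checked_add(7).ok_or(TtlvError::Truncated)? & !7;
        let end = (pos + 8).checked_add(padded).ok_or(TtlvError::Truncated)?;
        let body = buf.get(pos + 8..end).ok_or(TtlvError::Truncated)?;
        items += 1;
        if hdr[3] == TYPE_STRUCTURE {
            items += count_items(&body[..len], depth + 1)?;
        }
        pos = end;
    }
    Ok(items)
}

/// Constructed sample input: `n` structures nested inside each other,
/// the innermost one empty.
pub fn nested(n: usize) -> Vec<u8> {
    let mut inner: Vec<u8> = Vec::new();
    for _ in 0..n {
        let mut item = vec![0x42, 0x00, 0x01, TYPE_STRUCTURE]; // constructed tag
        item.extend_from_slice(&(inner.len() as u32).to_be_bytes());
        item.extend_from_slice(&inner);
        inner = item;
    }
    inner
}

fn main() {
    println!("{:?}", count_items(&nested(64), 0));
    println!("{:?}", count_items(&nested(65), 0));
}
```

A message of only 520 bytes is enough to reach the 65-level case, which is why the bound has to be enforced independently of the HTTP payload limit.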

Manuthor added 10 commits April 16, 2026 17:22