From 239eb3327ad8e543e35975e67452db1f733e8959 Mon Sep 17 00:00:00 2001
From: Offending Commit
Date: Tue, 2 Jun 2026 15:11:17 -0500
Subject: [PATCH 1/2] test(web): use a documentation IP instead of a tailnet-range fixture
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Swap the 100.x CGNAT example for 192.0.2.10 (RFC 5737 TEST-NET-1) in the token-transport guard tests — keeps the non-loopback-HTTP assertion, drops an environment-specific address.
---
 packages/web/src/test/security.test.ts | 4 ++--
 packages/web/src/test/settings-form.test.tsx | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/packages/web/src/test/security.test.ts b/packages/web/src/test/security.test.ts
index 7fc40c1..dcd551c 100644
--- a/packages/web/src/test/security.test.ts
+++ b/packages/web/src/test/security.test.ts
@@ -27,11 +27,11 @@ describe("security URL helpers", () => {
 expect(isSecureTokenTransport("http://localhost:8000")).toBe(true);
 expect(isSecureTokenTransport("http://127.0.0.1:8000")).toBe(true);
 expect(isSecureTokenTransport("http://192.168.1.50:8000")).toBe(false);
- expect(isSecureTokenTransport("http://100.67.206.76:8000")).toBe(false);
+ expect(isSecureTokenTransport("http://192.0.2.10:8000")).toBe(false);
 });
 it("returns a user-facing error for insecure token transport", () => {
- expect(tokenTransportError("http://100.67.206.76:8000")).toMatch(/HTTPS/);
+ expect(tokenTransportError("http://192.0.2.10:8000")).toMatch(/HTTPS/);
 expect(tokenTransportError("https://honcho.example.com")).toBeNull();
 });
 });
diff --git a/packages/web/src/test/settings-form.test.tsx b/packages/web/src/test/settings-form.test.tsx
index 3ea55f3..8c33cc3 100644
--- a/packages/web/src/test/settings-form.test.tsx
+++ b/packages/web/src/test/settings-form.test.tsx
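Review bot: The positive cases in this hunk (`localhost`, `127.0.0.1`) and the negative cases (`192.168.1.50`, now `192.0.2.10`) never pin down that the loopback match is exact, so a guard implemented with `startsWith`/`includes` on the host would pass these tests while still treating `http://localhost.example.com:8000` or `http://127.0.0.1.nip.io:8000` as a secure place to send a token. isSecureTokenTransport is not visible here, so this may already be handled, but it is cheap to lock in either way: `expect(isSecureTokenTransport("http://localhost.example.com:8000")).toBe(false);` and `expect(isSecureTokenTransport("http://127.0.0.1.nip.io:8000")).toBe(false);`. The `it(...)` block holding the first three assertions opens before the hunk.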
@@ -58,7 +58,7 @@ describe("SettingsForm — self-hosted preset", () => {
 renderForm();
 const baseUrl = screen.getByPlaceholderText("http://localhost:8000");
 await user.clear(baseUrl);
- await user.type(baseUrl, "http://100.67.206.76:8000");
+ await user.type(baseUrl, "http://192.0.2.10:8000");
 await user.type(
 screen.getByPlaceholderText(/required only if your instance has auth enabled/i),
 "secret-token",
From 1aa1c0456f00f4ed728ccd21d4bac6cfad3b5bf9 Mon Sep 17 00:00:00 2001
From: Offending Commit
Date: Tue, 2 Jun 2026 15:12:33 -0500
Subject: [PATCH 2/2] chore(hooks): flag tailnet hostnames and CGNAT IPs in the secret scan
Extend the pre-commit secret-scan to catch environment-specific values (*.ts.net MagicDNS names and 100.64.0.0/10 tailnet IPs) so live infra can't be committed into code, docs, or examples. Verified: detects leaks, no false positive on 192.0.2.x or non-CGNAT 100.x, and the script does not self-trip.
---
 scripts/secret-scan.sh | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/scripts/secret-scan.sh b/scripts/secret-scan.sh
index 69f4517..f74265a 100755
--- a/scripts/secret-scan.sh
+++ b/scripts/secret-scan.sh
@@ -52,12 +52,17 @@ check_pattern "Honcho-style JWT (likely)" 'eyJ[A-Za-z0-9_-]{20,}\.eyJ[A-Za-z0-9_
 check_pattern "RSA/EC/DSA/OpenSSH private key block" '-----BEGIN (RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----'
 check_pattern "Generic hardcoded password" '(password|passwd|pwd)[[:space:]]*[:=][[:space:]]*["'\'']\w{8,}["'\'']'
+# Environment-specific values — keep live infra out of committed code/docs/PRs.
+# Use examples instead (honcho.example.net; 192.0.2.x per RFC 5737 TEST-NET).
+check_pattern "Tailnet hostname (env-specific; use example.net)" '[A-Za-z0-9-]+\.ts\.net'
+check_pattern "Tailnet/CGNAT IP (env-specific; use 192.0.2.x)" '100\.(6[4-9]|[7-9][0-9]|1[01][0-9]|12[0-7])\.[0-9]{1,3}\.[0-9]{1,3}'
+
 if [ $FOUND -eq 1 ]; then
- printf '\n\033[31m✗ Secret scan: potential secrets in staged changes\033[0m\n' >&2
+ printf '\n\033[31m✗ Secret scan: potential secrets or environment-specific values in staged changes\033[0m\n' >&2
 printf '%b' "$FINDINGS" >&2
 printf '\n' >&2
 printf 'If this is a false positive, bypass with: \033[33mgit commit --no-verify\033[0m\n' >&2
- printf 'Otherwise: remove the secret, rotate the credential, and re-stage.\n\n' >&2
+ printf 'Otherwise: remove the secret/value (use an example), rotate if a credential, and re-stage.\n\n' >&2
 exit 1
 fi
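Review bot: Both new check_pattern rules are unanchored, so the hostname rule also fires on `foo.ts.network` and the CGNAT rule on a `100.64.x.x` substring inside a longer dotted number such as `2.100.64.1.10` or a version string; adding boundaries keeps every real hit while cutting that noise: `check_pattern "Tailnet hostname (env-specific; use example.net)" '[A-Za-z0-9-]+\.ts\.net([^A-Za-z0-9-]|$)'` and `check_pattern "Tailnet/CGNAT IP (env-specific; use 192.0.2.x)" '(^|[^0-9.])100\.(6[4-9]|[7-9][0-9]|1[01][0-9]|12[0-7])\.[0-9]{1,3}\.[0-9]{1,3}([^0-9]|$)'` (plain groups rather than `\b`, since the grep dialect check_pattern uses is not visible here). If the tailnet also hands out IPv6 addresses, the 100.64.0.0/10 rule does not cover them — presumably Tailscale's fd7a:115c:a1e0::/48 ULA range — so a third pattern is worth considering if such addresses ever show up in docs or fixtures. The hook is advisory: the `git commit --no-verify` bypass printed a few lines below and the fact that it only runs on the committing machine mean the commit message's "can't be committed" holds only if the same scan also runs in CI.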