feat(enrichment): flag insecure HTTP security-header settings in iac-misconfig#3380
Conversation
|
Superagent didn't find any vulnerabilities or security issues in this PR. |
|
Caution 🟥🟥🟥🟥🟥🟥🟥🟥🟥🟥🟥🟥 🛑 Gittensory review result - reject/close recommendedReview updated: 2026-07-05 05:43:03 UTC
🛑 Suggested Action - Reject/Close
Review summary Blockers
Nits — 3 non-blocking
Why this is blocked
Review context
Contributor next steps
Signal definitions
🟩 Safe / merged · 🟦 Advisory · 🟨 Held for review · 🟥 Blocked / closed 💰 Earn for open-source contributions like this. Gittensor lets GitHub contributors earn for the work they already do — register to start earning →. Checked by Gittensory, a quiet PR intelligence layer for OSS maintainers.
|
|
Gittensory is closing this pull request on the maintainer's behalf (AI reviewers agree on a likely critical defect: review-enrichment/src/analyzers/iac-misconfig.ts:116 treats `Content-Security-Policy-Report-Only` as `Content-Security-Policy` because `\bContent-Security-Policy\b` has a word boundary before the hyphen, so a line like `+Content-Security-Policy-Report-Only: script-src 'unsafe-inline'` is incorrectly flagged as weakening enforced CSP; change the token to exclude the report-only suffix, e.g. `const CSP_UNSAFE_INLINE_RE = /\bContent-Security-Policy\b(?!-Report-Only)[^\n]*\bunsafe-inline\b/i;` and apply the same fix to `CSP_UNSAFE_EVAL_RE`.). This is an automated maintenance action — to pursue this change, please open a new pull request with the issues resolved. Closed PRs may be analyzed later to improve review accuracy, but they are not automatically reopened or re-reviewed. |
Summary
The IaC-misconfig analyzer already covers Kubernetes, Dockerfile, Docker Compose, and TLS-bypass
misconfigurations. This adds 5 HTTP security-header rules for insecure header values that appear in the
config files the analyzer already scans (
nginx*.conf,.conf, YAML/Helm ingress annotations,.toml,.json):csp-unsafe-inline'unsafe-inline'in a Content-Security-Policycsp-unsafe-eval'unsafe-eval'in a Content-Security-Policyeval()(weakens XSS defense)hsts-disabledStrict-Transport-Security … max-age=0referrer-policy-leakReferrer-Policy: unsafe-urlcookie-not-httponlyhttpOnly: falseWhy these are false-positive-safe: each rule requires its own header token on the same line as the
weakening value, so an unrelated line that merely contains the value is not flagged: a normal
Cache-Control: max-age=0caching directive does not fire the HSTS rule, and a strayunsafe-inline = falseconfig key does not fire the CSP rule (both asserted in the negative test). Within a header that IS being set,
the matched value is the weakening itself — the secure value uses a different token the regex never matches
(
'self',max-age=31536000,strict-origin-when-cross-origin,httpOnly: true), also asserted to produceno finding.
No existing rule is modified, and the analyzer's finding schema is
{file, line, kind}— thekindunion isnot part of the analyzer descriptor, so
analyzer-metadata.jsonand the generated UI mirror are unchanged.The render-brief switch is TypeScript-exhaustive, so each new kind is compiler-forced to have a public-safe
explanation.
No linked issue: additive detection-coverage that extends an existing multi-domain analyzer along its own
established lines; each rule is a self-evident, named HTTP-hardening check (OWASP Secure Headers) with no public
API/schema/deploy surface change — fits the repo's
preferred(not required) linked-issue policy.Scope
type(scope): short summaryConventional Commit format, for examplefix(api): restore profile access checks.CONTRIBUTING.mdand does not reintroduce GitHub Pages, VitePress,site/, orCNAME.Validation
git diff --checknpm run typechecknpm run rees:test— the review-enrichment build + analyzer suite (see note below)npm run test:coverage(N/A — this analyzer is inreview-enrichment/, outside the rootsrc/**Codecov scope)npm run ui:buildnpm audit --audit-level=moderateIf any required check was skipped, explain why:
git diff --check(clean), the review-enrichment TypeScript build (exit 0 — which proves therender switch is exhaustive over the 5 new kinds), and the analyzer suite via
node --test. Theiac-misconfig file passes 21/21: a table test asserting each of the 5 settings produces exactly one finding
of its own kind, and a negative test asserting the secure counterpart of each — including a normal
Cache-Control: max-age=0(which must NOT fire the HSTS rule) — produces none. The fullnode --testrun'sonly failures are the two
upload-sourcemapstests (they shell out to the Sentry CLI, absent on this devbox), which fail identically on unmodified
main.metadata:checkstep ofrees:test. This change adds onlyfinding kinds and rules, not any analyzer descriptor field, so the committed
analyzer-metadata.json/ UImirror are unchanged (a local regeneration produces a zero-content diff) and
metadata:checkpasses on CI(Linux). On this Windows dev box
metadata:checkreports a spurious line-ending difference; it failsidentically on unmodified
main.analyzer-metadata.jsonwas NOT modified.Safety
UI Evidencesection below with JPG/JPEG or PNG screenshots arranged as organized, captioned, clickable thumbnails. SVG screenshots are not used as review evidence. Review-only screenshots or recordings are not committed to the repository.Notes
threshold, or descriptor changed, so current findings and
analyzer-metadata.jsonare unaffected. Each newkind reports only
file:line+ the public-safe kind, never the matched line content.same value (e.g.
Cache-Control: max-age=0) is never flagged.