Skip to content

1.2.1 Release#426

Merged
liquidsec merged 13 commits into
mainfrom
dev
Jun 24, 2026
Merged

1.2.1 Release#426
liquidsec merged 13 commits into
mainfrom
dev

Conversation

@liquidsec

@liquidsec liquidsec commented Jun 24, 2026

Copy link
Copy Markdown
Collaborator

1.2.1 Release

Rolls up the changes accumulated on dev for the 1.2.1 patch release.

Bug fixes

Django signed cookie identify_regex false positives (#427)

The DjangoSignedCookies identify regex matched any two colon-separated alphanumeric segments with no minimum length, producing IdentifyOnly false positives on short values like abc:def, JSESSIONID:abcdef1234, and tokens such as 0000Qs-hTQlwlgXAYBlmgEFoQTR:1ffkg4vkm.

It now anchors to the real django.core.signing structure — optional leading dot, base64url payload, optional 4–8 char base62 timestamp, and a 27+ char base64url HMAC signature:

identify_regex = re.compile(r"^\.?[a-zA-Z0-9_-]+(?::[a-zA-Z0-9_-]{4,8})?:[a-zA-Z0-9_-]{27,}$")

The {27,} minimum covers both legacy SHA-1 (27 char) and default SHA-256 (43 char) signatures, so all real Signer/TimestampSigner/dumps outputs still match while the short false positives are rejected. Adds test_django_identify_false_positives.

CI / release

Publish on patch-level version changes (#428)

The publish job compared only major.minor of the current version against the latest tag, so patch bumps like 1.2.0 → 1.2.1 were treated as "no change" and never built, published, or tagged. It now compares the full version string (matching the fix already in baddns), and the tag step is renamed to "Tag the release if version changed".

Version bump to 1.2.1.

Dependencies

dependabot Bot and others added 8 commits June 18, 2026 00:11
Bumps blasthttp from 0.8.0 to 0.9.0.

---
updated-dependencies:
- dependency-name: blasthttp
  dependency-version: 0.9.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [pytest](https://github.com/pytest-dev/pytest) from 9.0.3 to 9.1.0.
- [Release notes](https://github.com/pytest-dev/pytest/releases)
- [Changelog](https://github.com/pytest-dev/pytest/blob/main/CHANGELOG.rst)
- [Commits](pytest-dev/pytest@9.0.3...9.1.0)

---
updated-dependencies:
- dependency-name: pytest
  dependency-version: 9.1.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
…lasthttp-0.9.0

build(deps): bump blasthttp from 0.8.0 to 0.9.0
…ytest-9.1.0

build(deps-dev): bump pytest from 9.0.3 to 9.1.0
Bumps [pytest](https://github.com/pytest-dev/pytest) from 9.1.0 to 9.1.1.
- [Release notes](https://github.com/pytest-dev/pytest/releases)
- [Changelog](https://github.com/pytest-dev/pytest/blob/main/CHANGELOG.rst)
- [Commits](pytest-dev/pytest@9.1.0...9.1.1)

---
updated-dependencies:
- dependency-name: pytest
  dependency-version: 9.1.1
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [cryptography](https://github.com/pyca/cryptography) from 48.0.0 to 48.0.1.
- [Changelog](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst)
- [Commits](pyca/cryptography@48.0.0...48.0.1)

---
updated-dependencies:
- dependency-name: cryptography
  dependency-version: 48.0.1
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
…ytest-9.1.1

build(deps-dev): bump pytest from 9.1.0 to 9.1.1
…ography-48.0.1

build(deps): bump cryptography from 48.0.0 to 48.0.1
@codecov-commenter

codecov-commenter commented Jun 24, 2026

Copy link
Copy Markdown

Codecov Report

❌ Patch coverage is 66.66667% with 1 line in your changes missing coverage. Please review.
✅ Project coverage is 99.45%. Comparing base (f14e50d) to head (f5b67ea).
⚠️ Report is 29 commits behind head on main.

Files with missing lines Patch % Lines
badsecrets/__version__.py 0.00% 1 Missing ⚠️
Additional details and impacted files
@@           Coverage Diff           @@
##             main     #426   +/-   ##
=======================================
  Coverage   99.45%   99.45%           
=======================================
  Files          30       30           
  Lines        3102     3102           
=======================================
  Hits         3085     3085           
  Misses         17       17           

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

The identify_regex matched any two colon-separated alphanumeric segments
with no minimum length, producing IdentifyOnly false positives on short
values like abc:def, JSESSIONID:abcdef1234, and government app tokens
(0000Qs-hTQlwlgXAYBlmgEFoQTR:1ffkg4vkm).

Real django.core.signing output is always payload[:timestamp]:signature
where the signature is a base64url HMAC of at least 27 chars (SHA-1, 27)
or 43 chars (SHA-256, the default since Django 3.1). Anchor the regex to
that structure: optional leading dot, base64url payload, optional 4-8 char
base62 timestamp, and a 27+ char signature.

Verified against real cookies from both Signer/TimestampSigner and SHA-1/
SHA-256 algorithms; all match, while the false positives are rejected.
The publish job only compared major.minor between the current version and
the latest tag, so patch-level bumps (e.g. 1.2.0 -> 1.2.1) were treated as
"no change" and never built/published/tagged. Compare the full version
string instead, matching the fix already applied in baddns.
release: bump version to 1.2.1 and publish on patch-level changes
…okie-identify-fp

fix: tighten Django signed cookie identify_regex to cut false positives
@liquidsec
liquidsec requested a review from ausmaster June 24, 2026 01:16
@liquidsec
liquidsec merged commit d9e43d8 into main Jun 24, 2026
19 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants