consent-engine v0.6.2

@github-actions released this 28 May 21:04 · 17 commits to main since this release

fix: v0.6.2 second-review hardening (5 P0, 9 P1, 8 P2)

Deeper multi-agent review of the full pipeline (not just the diff) before the
public launch. The false-positive problem ran deeper than v0.6.1 closed, plus
two genuinely exploitable security holes. All re-verified in source.

P0 (launch-blocking):

  • XSS: report autoescape was OFF (template is .j2, select_autoescape(["html"])
    keys off the extension). Now autoescape=True + html.escape() on site-derived
    values in _derive_action_items. SECURITY.md corrected.
  • SSRF: _grab_brand_logo fetched attacker og:image/favicon via httpx with
    follow_redirects and no guard -> metadata exfil. Now validate + no-redirect +
    size cap.
  • Accuracy: fast-path geo-override fired off the always-injected OptanonConsent,
    rewriting every granted site to denied. Now CMP-gated, injected cookie excluded.
  • Accuracy: verdict/exposure/summary keyed off CONFIRMED with no methodology
    check -> false "Consent Violation Detected" + $ exposure on compliant
    un-injectable-CMP sites. Centralized _confirmed_violations() gate +
    zero-exposure short-circuit + neutral "Consent Enforcement Not Verified" state.
  • Accuracy: S3_CONSENT_WIRING_BROKEN claimed for CMPs never injected against.
    classify_fast_methodology() restricts it to OneTrust.

P1:

  • Truyo/CookiePro mislabeled as OneTrust (first-match on a shared base-layer
    global). Detection now demotes generic globals (OneTrust, IAB TCF) when a
    specific CMP co-matches; JS + both URL passes.
  • SSRF octal/hex/dotless IP bypass (0177.0.0.1). New _canonical_ipv4().
  • SSRF in ssGTM detector httpx fetch (validate + no-redirect).
  • Vendor false attribution from generic short cookie names (Tier-1 + Tier-2
    domain-gate).
  • Removed undocumented-but-broken consent-engine chat + dead [chat] extra.

P2:

  • LLM prompt-injection: audited URL sanitized before prompt interpolation.
  • Playwright accept_downloads=False; OneTrust testLog() poll + None-on-miss.
  • Wheel data dedup; Docker uv.lock --frozen; MCP CONSENT_ENGINE_OUT_DIR;
    tldextract bundled snapshot (no first-run network).
  • P3: G100 docstring; SyntaxWarning raw-string.

Tests: 104 pass (22 new: methodology gating, SSRF obfuscated-IP/IPv6, CMP
precedence). ruff + mypy strict clean. Live smoke: example.com -> detected_cmp
None, inconclusive, no violation verdict.

Known limitation: DNS-rebinding TOCTOU needs socket-level IP pinning (deferred;
multi-IP private-answer blocking mitigates).

Co-Authored-By: Claude Opus 4.8 (1M context) noreply@anthropic.com
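
The "SSRF octal/hex/dotless IP bypass (0177.0.0.1)" item describes a guard that compared hostnames as strings and so missed alternate spellings of the same address. The sketch below is an added example, not consent-engine's own `_canonical_ipv4()`: the names `canonical_ipv4` and `is_internal_literal` are hypothetical, and it assumes the classic `inet_aton` numeric forms (1 to 4 components, each decimal, octal or hex).

```python
import ipaddress
from typing import Optional
from urllib.parse import urlsplit


def _parse_part(part: str) -> Optional[int]:
    """One dotted component: 0x.. is hex, a leading 0 is octal, else decimal."""
    part = part.lower()
    if part.startswith("0x"):
        digits, base = part[2:], 16
    elif len(part) > 1 and part.startswith("0"):
        digits, base = part[1:], 8
    else:
        digits, base = part, 10
    allowed = "0123456789abcdef"[:base]
    if not digits or any(c not in allowed for c in digits):
        return None
    return int(digits, base)


def canonical_ipv4(host: str) -> Optional[ipaddress.IPv4Address]:
    """Return the address a numeric host denotes, or None if it is not one."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    nums = [_parse_part(p) for p in parts]
    if any(n is None for n in nums):
        return None
    value = 0
    for n in nums[:-1]:            # leading components are one byte each
        if n > 255:
            return None
        value = (value << 8) | n
    tail_bytes = 5 - len(nums)     # the last component fills what is left
    if nums[-1] >= 256 ** tail_bytes:
        return None
    return ipaddress.IPv4Address((value << (8 * tail_bytes)) | nums[-1])


def is_internal_literal(url: str) -> bool:
    """True when the URL host is an IPv4 literal, in any form, that is not global."""
    ip = canonical_ipv4(urlsplit(url).hostname or "")
    return ip is not None and not ip.is_global


# Constructed sample URLs: the page's 0177.0.0.1 plus other spellings of loopback.
SAMPLES = ["http://0177.0.0.1/logo.png", "http://2130706433/", "http://0x7f.1/",
           "https://8.8.8.8/favicon.ico", "https://example.com/og.png"]

if __name__ == "__main__":
    for url in SAMPLES:
        print(url, "->", "block" if is_internal_literal(url) else "not an internal literal")
```

A `False` result for a hostname only means it is not a numeric literal; the addresses it resolves to still need the same check, which is the DNS-rebinding limitation the release notes list as deferred.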