Skip to content

v4.4.19

Choose a tag to compare

View all tags
@xalgord xalgord released this 27 May 08:56
· 94 commits to main since this release
v4.4.19
4a5a7e4

Scope guard hardening v2 — four targeted fixes

  • agent: scopeHostTokenSplit splits on =, ?, #, @ plus a new extractEmbeddedURLs sweep so URLs hidden in query params, fragments, or userinfo surface as standalone tokens.
  • agent: extractHostsFromArgs caps tokenization at 8 KiB per arg via truncateForScopeScan with a UTF-8 rune-boundary-safe trim. Oversize args fall through to allow, never reject.
  • agent: (*Agent).redactOutOfScopeHosts replaces every OOS host span in add_note key/value with [redacted: out-of-scope host] before the gate runs, so notes can no longer launder OOS hostnames into read_notes.
  • web: isBlockedTarget resolves DNS exactly once per call (via package-level lookupHost shim) and threads the resolved IP set into both the self-listener check (new ipsMatchLocalInterface) and the private-range check.

Verification

go vet ./..., go build ./..., go test ./internal/agent/... ./internal/web/... -count=1, and go test -race on the same packages all pass clean.

PR

#63

Spec

.kiro/specs/scope-guard-hardening-v2/

Assets 3
Loading