Skip to content

feat(protect): hardening follow-ups (partial-scan, IPv6 egress, Set-Cookie redaction, WebSocket, verbose-error breadth)#80

Merged
patchstackdave merged 1 commit into
mainfrom
feat/protect-hardening-followups
Jul 15, 2026
Merged

feat(protect): hardening follow-ups (partial-scan, IPv6 egress, Set-Cookie redaction, WebSocket, verbose-error breadth)#80
patchstackdave merged 1 commit into
mainfrom
feat/protect-hardening-followups

Conversation

@patchstackdave

Copy link
Copy Markdown
Contributor

Follow-ups from the security review of #79 (now merged) — closes the gaps that review surfaced.

  • Body cap → partial-scan (was discard). An oversize body is truncated to the cap and its prefix scanned, so a front-loaded payload is caught; memory bounded by a 4× hard ceiling (only a declared body past that is skipped). A test documents the residual — a payload padded past the cap still slips.
  • IPv6 host extraction (node:http egress). extractHttpTarget no longer mangles ::1 / [::1] / [::1]:port via split(':'); normalizeHost preserves them so isInternalHost blocks IPv6-internal SSRF passed as an options host/hostname.
  • Redact array-valued headers. Header screening masks multi-valued Set-Cookie (via getSetCookie() / node arrays) and re-emits each cookie separately (fetch + node paths).
  • Multipart robustness. Tolerate LF-only line endings; collect duplicate field names as arrays.
  • WebSocket egress screening. The guard wraps the global WebSocket so ws:///wss:// egress is screened; restored on uninstall.
  • Verbose-error breadth. A default response rule redacts multi-language exception/traceback signatures (Python/JVM/.NET/Go) beyond the node stack-trace + SQL rules.

Deferred (noted, not done): DNS-rebinding resistance for egress (needs async resolve that doesn't fit the sync http.request wrapper).

Tests (+6)

fetch-body-cap, egress-followups, multipart, response-hardening. 443 pass, typecheck + build clean.

🤖 Generated with Claude Code

Addresses the gaps surfaced reviewing #79:

- Body cap → partial-scan (was discard). An oversize body is now TRUNCATED to the
  cap and its prefix scanned (front-loaded payloads are caught), with memory bounded
  by a 4× hard ceiling; only a declared body over that ceiling is skipped. Content-
  Length is compared in bytes; the prefix slice is by char (can only over-scan).
- IPv6 host extraction on the node:http egress path. extractHttpTarget no longer
  mangles `::1` / `[::1]` / `[::1]:port` via split(':') — normalizeHost preserves them
  so isInternalHost (which strips brackets) blocks IPv6-internal SSRF via options host.
- Redact array-valued headers. Header screening now masks multi-valued Set-Cookie
  (via getSetCookie / node arrays) and re-emits each cookie separately, in both the
  fetch and node paths.
- Multipart parser robustness: tolerate LF-only line endings and collect duplicate
  field names (arrays), matching the body/urlencoded behavior.
- WebSocket egress screening: the guard now also wraps the global WebSocket so ws://
  /wss:// egress is screened; restored on uninstall.
- Verbose-error breadth: a default response rule redacts multi-language exception/
  traceback signatures (Python/JVM/.NET/Go) beyond the node stack-trace + SQL rules.

+6 tests (body-cap partial-scan incl. the past-cap residual, IPv6 node egress,
Set-Cookie array redaction, multipart LF/dup, WebSocket block, exception redaction,
allowHosts override). 443 tests pass, typecheck + build clean.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@coderbuds

coderbuds Bot commented Jul 15, 2026

Copy link
Copy Markdown

Comprehensive security hardening with cohesive, well-tested follow-up enhancements.

🎯 Quality: 100% Elite · 📦 Size: Medium

📈 This month: Your 32nd PR — above team average · Averaging Excellent

See how your team is trending →

@patchstackdave

Copy link
Copy Markdown
Contributor Author

/review

@patchstackdave patchstackdave merged commit 43a3650 into main Jul 15, 2026
4 checks passed
@patchstackdave patchstackdave deleted the feat/protect-hardening-followups branch July 15, 2026 10:45
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants