fix: land security audit severity + temp-path guard fixes (#23428) (thanks @bmendonca3)

2026-05-09 11:07:41 +00:00 · 2026-02-22 11:05:27 +01:00
parent bc78b343ba
commit 29e41d4c0a
5 changed files with 78 additions and 2 deletions
--- a/src/security/audit.test.ts
+++ b/src/security/audit.test.ts
@@ -1009,6 +1009,40 @@ describe("security audit", () => {
        },
        expectedSeverity: "critical",
      },
+      {
+        name: "loopback trusted-proxy with loopback-only proxies",
+        cfg: {
+          gateway: {
+            bind: "loopback",
+            allowRealIpFallback: true,
+            trustedProxies: ["127.0.0.1"],
+            auth: {
+              mode: "trusted-proxy",
+              trustedProxy: {
+                userHeader: "x-forwarded-user",
+              },
+            },
+          },
+        },
+        expectedSeverity: "warn",
+      },
+      {
+        name: "loopback trusted-proxy with non-loopback proxy range",
+        cfg: {
+          gateway: {
+            bind: "loopback",
+            allowRealIpFallback: true,
+            trustedProxies: ["127.0.0.1", "10.0.0.0/8"],
+            auth: {
+              mode: "trusted-proxy",
+              trustedProxy: {
+                userHeader: "x-forwarded-user",
+              },
+            },
+          },
+        },
+        expectedSeverity: "critical",
+      },
    ];

    for (const testCase of cases) {