This renders a verified UI label without enforcing all three proofs that the Stealthy Seal invariant requires: a live block, a chain entry, and chain-verify-pass. Label site: return <Pill kind="verified">verified ✓</Pill>;. Only 1 canonical proof predicate gates this label. Fixture data, snapshots, or missing chain context will render as verified — a stealthy seal. Fix: gate verified rendering on all three predicates together (chain_verify_pass && entry_hash && live_chain_entry, or the equivalent names in this codebase). Anything less and the label asserts more than the chain has earned.
X-Internal-Trust is a client-controlled HTTP header. Anyone who can set headers — browser extensions, curl, upstream proxies, internal services with the wrong scope — can flip this branch. Treating it as authentication grants admin access to unauthenticated callers. The branch leads to return NextResponse.json({ ok: true, as: user.id, admin: true }); — i.e., the caller is granted authority on the header's word alone. Fix: drop the header branch and enforce the real authorization check unconditionally. If you genuinely need internal services to bypass user-level checks, do it via a server-to-server credential the client cannot forge (mTLS, signed JWT with a private-key issuer, SPIFFE identity) — not a header value.
X-Internal-Trust is a client-controlled HTTP header. Anyone who can set headers — browser extensions, curl, upstream proxies, internal services with the wrong scope — can flip this branch. Treating it as authentication grants admin access to unauthenticated callers. The branch leads to return NextResponse.json({ ok: true, admin: true, result }); — i.e., the caller is granted authority on the header's word alone. Fix: drop the header branch and enforce the real authorization check unconditionally. If you genuinely need internal services to bypass user-level checks, do it via a server-to-server credential the client cannot forge (mTLS, signed JWT with a private-key issuer, SPIFFE identity) — not a header value.
Demo PR planting a header-trust admin bypass to exercise the live auth_bypass detector + cockpit loop. Not for merge.