Commit Graph

2 Commits

Author SHA1 Message Date
Sharang Parnerkar fce9f1cbf1 fix(audit): bump quinn-proto + ignore rmcp DNS-rebinding advisory
CI / Check (pull_request) Successful in 8m1s
CI / Detect Changes (pull_request) Has been skipped
CI / Deploy Agent (pull_request) Has been skipped
CI / Deploy Dashboard (pull_request) Has been skipped
CI / Deploy Docs (pull_request) Has been skipped
CI / Deploy MCP (pull_request) Has been skipped
Two new RUSTSEC advisories landed between 2026-06-18 and 2026-06-30
that started failing every PR's `cargo audit` step:

- RUSTSEC-2026-0185 (quinn-proto 0.11.14): remote memory exhaustion via
  unbounded out-of-order stream reassembly. Patched in 0.11.15 (semver-
  compatible). `cargo update -p quinn-proto`, no API change.

- RUSTSEC-2026-0189 (rmcp 0.16.0): DNS rebinding in Streamable HTTP
  server transport due to missing Host-header validation. Patched in
  rmcp >= 1.4.0, which is a major API jump from our pin (rmcp shipped
  0.x -> 1.x -> 2.x in three months and the migration touches every
  tool handler + the auth middleware just landed in #92).

  Added to ignore with justification: our MCP server is exposed at a
  public hostname behind orca's TLS-terminating ingress with per-tenant
  bearer auth. The attack model (browser DNS-rebinding into a victim's
  localhost MCP server) doesn't apply to a public-hostname deployment.
  Defense-in-depth Host-header validation remains worthwhile, tracked
  as a multi-hour M7.3 follow-up to migrate rmcp 0.16 -> 2.x.

Unblocks #96 and #94.
2026-06-30 17:48:42 +02:00
sharang df0063abc0 fix: scanner timeouts, semgrep memory cap, syft remote lookups, Script error (#78)
CI / Check (push) Has been skipped
CI / Detect Changes (push) Successful in 5s
CI / Deploy Agent (push) Successful in 9m41s
CI / Deploy Dashboard (push) Successful in 15m19s
CI / Deploy Docs (push) Has been skipped
CI / Deploy MCP (push) Successful in 3m7s
## Summary

- **Scan produces no results in Orca** — semgrep (`--config=auto`, unbounded memory) and syft (remote license network calls) were getting OOM-killed or hanging in resource-constrained Orca containers. Scan would "complete" with 0 findings/SBOMs silently because each scanner failure is caught and logged as a warning.
- **Dashboard Script error spam** — `document::Script` in Dioxus 0.7 needs a single text node child for inline scripts; `dangerous_inner_html` was invalid and spammed the error log on every unauthenticated page load.

## Changes

| File | Change |
|------|--------|
| `semgrep.rs` | Add `--max-memory 500 --jobs 1`; 10-minute timeout |
| `syft.rs` | Remove remote license lookup env vars; 5-minute timeout |
| `gitleaks.rs` | 5-minute timeout |
| `app_shell.rs` | Fix `dangerous_inner_html` → text child in `document::Script` |

## Test plan

- [ ] Trigger a scan on a repo in Orca — findings and SBOM entries should now appear
- [ ] Agent logs should show timeout/error warnings rather than silent empty results when tools are killed
- [ ] Navigate to dashboard unauthenticated — Script error gone from logs
- [ ] Verify scans work end-to-end with `docker compose up`

---------

Co-authored-by: Sharang Parnerkar <30073382+mighty840@users.noreply.github.com>
Reviewed-on: #78
2026-05-12 11:27:24 +00:00