Files
apf_portal/apps
Julien Gautier 6695909db2
CI / scan (pull_request) Successful in 4m34s
CI / commits (pull_request) Successful in 4m33s
CI / check (pull_request) Successful in 5m3s
CI / a11y (pull_request) Successful in 1m53s
CI / perf (pull_request) Successful in 8m32s
fix(security): normalize IPv6 in rate-limit keyGenerator (ADR-0021)
express-rate-limit v8 raises ERR_ERL_KEY_GEN_IPV6 at boot because the
custom keyGenerator returned req.ip verbatim. For IPv6, that lets an
attacker rotate through the host bits of their own subnet (~2^72 keys
on a typical /56 residential allocation) and escape per-IP rate
limiting entirely — useful as a brute-force protection it isn't, then.

Wrap req.ip through the library's ipKeyGenerator helper before keying,
which truncates IPv6 addresses to their /56 prefix and is a no-op for
IPv4. Test coverage for IPv4 / session / SKIP_PATHS unchanged; new
case asserts two addresses in the same /56 share a bucket and that
distinct /56s remain isolated.

Surfaced by the ADR-0030 dockerised dev mode validation. The BFF kept
booting (v8's default error handler logs and continues for this
validation), so the bypass was live in dev until now.
2026-06-01 12:29:17 +02:00
..