Skip to content

security: PySafeguard 8.0.3 — CVE dep pins and TLS documentation#33

Merged
petrsnd merged 8 commits into
OneIdentity:mainfrom
petrsnd:security/review-20260522-py
May 27, 2026
Merged

security: PySafeguard 8.0.3 — CVE dep pins and TLS documentation#33
petrsnd merged 8 commits into
OneIdentity:mainfrom
petrsnd:security/review-20260522-py

Conversation

@petrsnd
Copy link
Copy Markdown
Member

@petrsnd petrsnd commented May 26, 2026
edited
Loading

Summary

  • Pins vulnerable transitive dependency floors: urllib3 >= 2.0.8 (CVE-2026-44431, CVE-2026-44432) and idna >= 3.7 (CVE-2026-45409).
  • Adds a TLS Verification section to README.md documenting the verify parameter and production guidance.
  • Adds an inline WARNING comment in samples/AnonymousExample.py explaining verify=False usage.
  • Bumps package version to 8.0.3.

Validation

  • Unit tests: 289 passed
  • Integration tests (live appliance): 154 passed

@petrsnd petrsnd requested a review from a team as a code owner May 26, 2026 22:31
@petrsnd
Copy link
Copy Markdown
Member Author

petrsnd commented May 26, 2026

Live verified against 192.168.117.15 admin smoke 2026-05-26. Selected GET-only pytest integration subset passed: 11 passed, 0 failed; mutating suites were intentionally skipped under live-reads-only discipline. Full log: .security-review-impl-logs/live-sweep/py-live.log. ansible-safeguard S5 can now proceed once PyPI publish completes.

@petrsnd
Copy link
Copy Markdown
Member Author

petrsnd commented May 27, 2026

Full live appliance sweep re-run (mutation allowed) completed against 192.168.117.15.

Results:

  • SafeguardDotNet (security/review-20260522-dotnet): 15 suites, 71 passed / 0 failed / 2 skipped. SpsIntegration excluded because no SPS appliance was in the lease. Cleanup audit: no SgDnTest objects remained.
  • PySafeguard (security/review-20260522-py): after installing the optional SignalR extra required by event tests, full pytest passed: 453 passed / 0 failed / 0 skipped. Cleanup audit found one leaked PySg_ event-test user; it was deleted and re-audit showed 0 remaining.
  • safeguard.js (security/review-20260522-js): integration suite passed: 11 files, 55 passed / 0 failed / 0 skipped. Cleanup audit: no SgJs_ objects remained.
  • safeguard-bash (security/review-20260522-bash): full suite executed with SAFEGUARD_ALLOW_LOCALHOST=1 after the stock runner PKCE preflight failed against the private appliance address. Result: 14 suites, 323 passed / 10 failed / 0 skipped. Failures are confined to A2A and A2A Access Request Broker retrieval/broker negative-path checks. Cleanup audit: no SgBashTest objects remained.
  • SafeguardJava (security/review-20260522-java): PowerShell integration runner passed: 9 suites, 59 passed / 0 failed / 0 skipped; SpsIntegration excluded because no SPS appliance was in the lease. FP-004 cap regression unit test also passed: 6 passed / 0 failed / 0 skipped. Cleanup audit: no SgJTest objects remained.

Lease released in SECURITY-REVIEW.md. Follow-up needed: investigate safeguard-bash A2A failures and the PySafeguard event-test cleanup leak.

@petrsnd petrsnd changed the title security: PySafeguard 8.0.3 — coordinated security review fixes security: PySafeguard 8.0.3 — CVE dep pins and TLS documentation May 27, 2026
petrsnd added 8 commits May 27, 2026 14:11
@petrsnd
Clarify params keyword and document HiddenString usage in api-pattern…
4bb1aae 
…s skill
@petrsnd
deps: pin urllib3 >= 2.0.8 and idna >= 3.7 for CVE fixes
7f88d44 
Add direct floor pins on transitive deps that have known CVEs at lower

versions:

- urllib3 >= 2.0.8 fixes CVE-2026-44431 (DNS rebinding) and

  CVE-2026-44432 (proxy protocol confusion).

- idna >= 3.7 fixes CVE-2026-45409 (ReDoS via crafted IDN inputs).

Regenerated poetry.lock. Added tests/test_dependency_versions.py to enforce

the floors so future poetry resolutions cannot regress below the patched

versions.
@petrsnd
samples: document verify=False in AnonymousExample and add TLS Verifi…
65d4826 
…cation README section

The anonymous sample uses verify=False so it works out of the box against

a dev appliance with a self-signed certificate. Make the insecurity

intentional and traceable:

- Inline WARNING comment in samples/AnonymousExample.py explaining when

  verify=False is appropriate and pointing back to the README.

- New 'TLS Verification' section in README.md describing the verify=

  options and the production-safe REQUESTS_CA_BUNDLE / CA-bundle pattern.

- Regression test that fails if either the inline guidance or the README

  section disappears.
@petrsnd
errors: truncate response bodies in exception messages (D-013)
1839f3b 
Audit of exception/response-rendering paths found that ApiError.from_response,

ApiError.from_async_response, and several SafeguardError raises in pkce.py

interpolated the full upstream response body verbatim into the human-facing

exception message. That body is the form that typically reaches logs, crash

reporters, and SIEMs, so it is the leak surface that matters in practice.

Per cross-cutting decision D-013 the chosen mitigation is **truncation**,

not field-level redaction: substring or regex redaction would wrongly mask

legitimate Safeguard payload fields such as PasswordRulesPolicyId,

ApiKeyName, RequirePasswordChange, PasswordHistoryDepth, and

PrivateKeyFormat. The full body remains available to callers via

SafeguardError.response_body for diagnostic use.

Changes:

- errors.py: add _truncate_for_message helper with a 200-char cap and an

  explicit '... (truncated, N total chars)' marker. Apply it in both

  ApiError.from_response and ApiError.from_async_response.

- pkce.py: route all four raise-SafeguardError sites that interpolated

  resp.text through _truncate_for_message.

- tests/test_credential_redaction_audit.py: new regression suite covering

  truncation, marker presence, short-body passthrough, response_body

  preservation, a static guardrail against future raw {resp.text}

  interpolations in pkce.py, and the D-013 negative test ensuring

  legitimate API field names survive intact.
@petrsnd
test(d013): tripwire exact Password/ApiKey/PrivateKey field-name pass…
33516de 
…through (C-PySafeguard-001)
@petrsnd
chore(release): bump version to 8.0.3 for security review
1668846
@petrsnd
rollback on some fixes that aren't needed or worth it
f3e59a2
@petrsnd
fix: remove stray blank line in errors.py
aec7cf4
@petrsnd petrsnd force-pushed the security/review-20260522-py branch from 9afd18f to aec7cf4 Compare May 27, 2026 20:11
@petrsnd petrsnd merged commit 0acb6c1 into OneIdentity:main May 27, 2026
5 checks passed
@petrsnd petrsnd deleted the security/review-20260522-py branch May 27, 2026 20:16
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@petrsnd