preparing for v1.100.0

2026-05-18 15:19:11 -07:00 · 2026-05-18 15:19:11 -07:00 · b58eed2696
commit b58eed2696
parent 91d9f431c5
5 changed files with 17 additions and 7 deletions
--- a/Cargo.toml
+++ b/Cargo.toml
@ -150,6 +150,7 @@ crossbeam-skiplist = "0.1.3"
 tokio-postgres = { version = "0.7", default-features = false, features = ["runtime"] }
 # Temporary Git pin: keeps MongoDB SRV validation enabled while using the upstream
 # Hickory 0.26 DNS-resolver fix before it is available in a crates.io release.
+# TODO: switch back to a crates.io mongodb release once it includes that fix.
 mongodb = { git = "https://github.com/mongodb/mongo-rust-driver", rev = "bdddefc50c4794d51d10b944320d42c6eb216b04", default-features = false, features = ["rustls-tls", "aws-auth", "compat-3-0-0", "dns-resolver"] }
 mysql_async = { version = "0.36.2", default-features = false, features = ["default-rustls"] }
 aws-config = { version = "1.8.14", default-features = false, features = ["default-https-client", "rt-tokio", "credentials-process", "sso"] }
--- a/crates/kingfisher-scanner/Cargo.toml
+++ b/crates/kingfisher-scanner/Cargo.toml
@ -189,6 +189,7 @@ hex = { workspace = true, optional = true }
 url = { version = "2.5.7", optional = true }
 # Temporary Git pin: keeps MongoDB SRV validation enabled while using the upstream
 # Hickory 0.26 DNS-resolver fix before it is available in a crates.io release.
+# TODO: switch back to a crates.io mongodb release once it includes that fix.
 mongodb = { git = "https://github.com/mongodb/mongo-rust-driver", rev = "bdddefc50c4794d51d10b944320d42c6eb216b04", default-features = false, features = ["rustls-tls", "aws-auth", "compat-3-0-0", "dns-resolver"], optional = true }
 mysql_async = { version = "0.36.2", default-features = false, features = ["default-rustls"], optional = true }
 tokio-postgres = { version = "0.7", default-features = false, features = ["runtime"], optional = true }
--- a/crates/kingfisher-scanner/src/validation/aws.rs
+++ b/crates/kingfisher-scanner/src/validation/aws.rs
@ -192,7 +192,7 @@ pub fn generate_aws_cache_key(aws_access_key_id: &str, aws_secret_access_key: &s

 /// Validate AWS credentials format before attempting validation.
 pub fn validate_aws_credentials_input(access_key_id: &str, secret_key: &str) -> Result<(), String> {
-    // Validate access key ID format (20 chars, known AWS prefixes including STS)
+    // Validate access key ID format (20 chars, usable AWS access-key prefixes including STS)
    if access_key_id.len() != 20 {
        return Err("Invalid AWS access key ID format".to_string());
    }
@ -200,6 +200,8 @@ pub fn validate_aws_credentials_input(access_key_id: &str, secret_key: &str) ->
        return Err("AWS access key ID contains invalid characters".to_string());
    }
    let prefix = &access_key_id[..4];
+    // IAM principal IDs (for example AIDA/AROA) are deliberately rejected here:
+    // they are not usable access-key IDs for STS credential validation.
    let valid_prefix = matches!(prefix, "AKIA" | "ASIA") || prefix.starts_with("A3T");
    if !valid_prefix {
        return Err("Invalid AWS access key ID format".to_string());
--- a/src/decompress.rs
+++ b/src/decompress.rs
@ -225,12 +225,11 @@ pub fn extract_zip_archive_in_memory(
    Ok(entries)
 }

-/// Return true if `data` begins with the standard local-file ZIP signature
-/// (`PK\x03\x04`) — used to short-circuit extraction attempts on blobs whose
-/// extension matches a ZIP-based format but whose contents are not actually
-/// a real ZIP (e.g., a stub or partial download).
+/// Return true if `data` begins with a standard ZIP signature — used to
+/// short-circuit extraction attempts on blobs whose extension matches a
+/// ZIP-based format but whose contents are not actually a real ZIP.
 pub fn looks_like_zip(data: &[u8]) -> bool {
-    data.len() >= 4 && data[0] == b'P' && data[1] == b'K' && data[2] == 0x03 && data[3] == 0x04
+    matches!(data.get(..4), Some(b"PK\x03\x04" | b"PK\x05\x06" | b"PK\x07\x08"))
 }

 fn handle_zip_archive_streaming(
--- a/src/scanner/validation.rs
+++ b/src/scanner/validation.rs
@ -964,7 +964,14 @@ fn build_cache_key(
    // Build key
    let capture0 = om.captures.captures.get(0).map_or(String::new(), |c| c.raw_value().to_string());

-    if !om.rule.syntax().depends_on_rule.is_empty() {
+    let has_context_dependency = om
+        .rule
+        .syntax()
+        .depends_on_rule
+        .iter()
+        .flatten()
+        .any(|dep| !dep.variable.eq_ignore_ascii_case("TOKEN"));
+    if has_context_dependency {
        return format!(
            "{}|{}|{}|{}|{}",
            om.rule.name(),