From bb7fea155e5990ab336598d3f24d49a4c1d22c32 Mon Sep 17 00:00:00 2001
From: Mick Grove
Date: Fri, 22 May 2026 14:17:59 -0400
Subject: [PATCH] merged 2 PRs and updated changelog
---
 docs-site/docs/changelog.md | 4 ++++
 src/scanner/validation.rs | 16 ++++++++++------
 2 files changed, 14 insertions(+), 6 deletions(-)
diff --git a/docs-site/docs/changelog.md b/docs-site/docs/changelog.md
index 42d7283..4d8af32 100644
--- a/docs-site/docs/changelog.md
+++ b/docs-site/docs/changelog.md
@@ -6,6 +6,10 @@ description: "Kingfisher release history: new features, rules, bug fixes, and im
 # Changelog
 All notable changes to this project will be documented in this file.
+## [v1.101.0]
+- Fixed asymmetric JWT validation panics by using a single `jsonwebtoken` crypto backend and adding RS256 regression coverage. Thanks @AgentEnder. [#386](https://github.com/mongodb/kingfisher/pull/386)
+- Validator panics now fail that validation result instead of crashing the scan, with panic payloads kept out of cached and user-visible validation responses. Thanks @AgentEnder. [#387](https://github.com/mongodb/kingfisher/pull/387)
+- Reduced `failed to spawn thread` errors in validation-heavy scans by capping Tokio blocking pools for the main and artifact-fetcher runtimes and raising the Unix soft `RLIMIT_NPROC` before worker startup.
 ## [v1.100.0]
 - Archive scanning now reaches inside Android/iOS app packages: added `apk`, `aab`, and `ipa` to the recognized ZIP-based archive formats so secrets embedded in APK/AAB/IPA contents (e.g. `classes*.dex`, `res/values/strings.xml`) are extracted and matched.
diff --git a/src/scanner/validation.rs b/src/scanner/validation.rs
index 6ab7363..b547fb3 100644
--- a/src/scanner/validation.rs
+++ b/src/scanner/validation.rs
@@ -17,7 +17,7 @@ use liquid::Parser;
 use reqwest::StatusCode;
 use rustc_hash::{FxHashMap, FxHashSet};
 use tokio::{sync::Notify, time::timeout};
-use tracing::{trace, warn};
+use tracing::{debug, trace, warn};
 use crate::{
 access_map::AccessMapRequest,
@@ -989,19 +989,23 @@ fn apply_validation_outcome(
 ValidationOutcome::Panicked(panic_message) => {
 // The panic payload can embed secret material (e.g. a token captured
 // in a debug string), so it must never reach the cached or
-// user-visible body. Emit the detail through structured logging
-// (truncated), and keep the visible body to the stable rule id.
+// user-visible body. Keep WARN free of the payload too; truncated
+// panic detail is only emitted at DEBUG for troubleshooting.
 warn!(
 rule_id = %om.rule.id(),
-panic = %truncate_for_log(&panic_message),
 "validator panicked; marking match as failed",
 );
+debug!(
+rule_id = %om.rule.id(),
+panic = %truncate_for_log(&panic_message),
+"validator panic detail",
+);
 om.validation_success = false;
 om.validation_response_body = validation_body::from_string(format!(
 "Validation panicked for rule {}",
 om.rule.id()
 ));
-om.validation_response_status = http::StatusCode::INTERNAL_SERVER_ERROR;
+om.validation_response_status = StatusCode::INTERNAL_SERVER_ERROR;
 fail_count.fetch_add(1, Ordering::Relaxed);
 cache.insert(
 cache_key.to_owned(),
@@ -1016,7 +1020,7 @@ fn apply_validation_outcome(
 ValidationOutcome::TimedOut => {
 om.validation_success = false;
 om.validation_response_body = validation_body::from_string("Validation timed out");
-om.validation_response_status = http::StatusCode::REQUEST_TIMEOUT;
+om.validation_response_status = StatusCode::REQUEST_TIMEOUT;
 fail_count.fetch_add(1, Ordering::Relaxed);
 }
 }
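Review bot: The panic payload still reaches a log sink in the Panicked arm — `debug!(... panic = %truncate_for_log(&panic_message) ...)` — and truncation bounds the length, not the content, so a token shorter than the cutoff lands in DEBUG logs verbatim; the secret-material concern the comment raises for the cached and user-visible body applies just as much to any deployment that ships or retains DEBUG output. If the detail is needed for troubleshooting, a redacted form (for example the payload length, or a fixed `[redacted]` marker in place of the text) keeps the field useful without carrying the secret; whether the scanner already has a redaction helper suited to this is not visible in the hunk. At minimum the comment should state the residual exposure, e.g. `// NOTE: DEBUG still carries the (truncated) payload text; treat DEBUG logs as sensitive.` The enclosing `apply_validation_outcome` starts and ends outside the hunk.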