Skip to content

fix(NO_AUTH): treat auth.type "none"/"disabled" as unauthenticated#24

Merged
dmchaledev merged 1 commit into
mainfrom
claude/amazing-franklin-pfjlij
Jun 16, 2026
Merged

fix(NO_AUTH): treat auth.type "none"/"disabled" as unauthenticated#24
dmchaledev merged 1 commit into
mainfrom
claude/amazing-franklin-pfjlij

Conversation

@dmchaledev

Copy link
Copy Markdown
Contributor

Summary

A CRITICAL-severity false negative in the flagship NO_AUTH rule: a server that explicitly declares no authentication via transport.auth.type: "none" passes the gate cleanly. For a tool sold as a CI/CD security gate, this is the worst kind of bug — an unauthenticated server reports PASSED.

Repro (before this PR)

// none-auth.json — auth explicitly disabled
{
  "serverUrl": "https://x.example.com",
  "transport": { "url": "https://x.example.com", "tls": true, "auth": { "type": "none" } },
  "rateLimit": { "enabled": true, "requestsPerMinute": 100 }
}
$ node dist/cli.js none-auth.json --format=table --rule=NO_AUTH
Found 0 finding(s): 0 critical, 0 high, 0 medium, 0 low   →  PASSED   # false negative

Root cause

NO_AUTH in src/rules/auth-rules.ts counted any non-empty auth.type as authentication:

const hasAuth = config.transport?.auth &&
  (config.transport.auth.apiKey ||
   config.transport.auth.token ||
   config.transport.auth.type);   // ← "none" is truthy

So auth: { type: "none" } — the canonical way to declare no auth — made hasAuth truthy and suppressed the finding. The same held for "disabled", "off", "false", "anonymous".

Fix

An auth type now only counts as authentication when it names a real mechanism; a set of placeholder/disabled values (none, disabled, off, false, anonymous, case-insensitive, trimmed) is treated as no auth. A real credential (apiKey/token) still always counts, regardless of type. The finding now also carries evidence distinguishing the "explicitly disabled" case from "auth block absent".

$ node dist/cli.js none-auth.json --format=table --rule=NO_AUTH
CRITICAL | NO_AUTH | No Authentication Configured   →  FAILED   # now caught

Verification

  • npx tsc --noEmit — clean · npm run lint (0 warnings) — clean
  • npm test99 passed (10 new NO_AUTH cases: disabled-type variants, case-insensitivity, meaningful type, and credential-present-with-type-none)
  • No regression: examples/secure-config.json → 0 findings / PASSED (no false positive); examples/vulnerable-config.json → still FAILED

This is independent of the open PR backlog — no other open PR touches the NO_AUTH logic (#18 is MISSING_TLS only). CI on this branch is green.

🤖 Generated with Claude Code

https://claude.ai/code/session_01QQgkZGTBue6Yo27iS8bPSf


Generated by Claude Code

The NO_AUTH rule counted any non-empty transport.auth.type as
authentication, so a config explicitly declaring `auth.type: "none"`
(or "disabled"/"off"/"false"/"anonymous") satisfied the check and an
unauthenticated server passed the CRITICAL gate — a false negative for
a tool sold as a CI/CD security gate.

An auth `type` now only counts when it names a real mechanism; a real
credential (apiKey/token) always counts regardless of type. Adds
regression tests and a CHANGELOG entry.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01QQgkZGTBue6Yo27iS8bPSf
@dmchaledev dmchaledev merged commit dba94a2 into main Jun 16, 2026
1 check passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants