Fix --publish scan token authentication#42

Merged
thebenignhacker merged 2 commits into main from fix/publish-scan-token
Mar 12, 2026

Conversation

@thebenignhacker
Contributor

Summary

  • Fix --publish flag on secure/attack commands failing with AUTH_TOKEN_MISSING
  • publishScanResults() now calls requestScanToken() before submitting to the registry
  • The registry requires an X-Scan-Token header on all community scan submissions

Test plan

  • 838/838 unit tests passing
  • Build clean
  • Publish tests verify two-step flow (token request + publish with token header)
  • --no-registry --publish still correctly skips both token request and publish

The publishScanResults() function was posting to the community
scan-result endpoint without first requesting a scan token. The
registry requires an X-Scan-Token header on all community submissions,
causing every --publish attempt to fail with AUTH_TOKEN_MISSING.

Now calls requestScanToken() before reportPublishResult() and passes
the token through to the request headers.

Tests now mock the scan token request (first fetch call) separately
from the publish request (second call), matching the new two-step
flow in publishScanResults().

@github-actions github-actions bot left a comment

Claude Code Review

VERDICT: APPROVE

SUMMARY: This PR fixes the --publish flag authentication by implementing a two-step flow: requesting a scan token via requestScanToken(), then submitting the scan with the token in the X-Scan-Token header. The changes are security-positive — they add proper authentication to the publish flow. All modifications are to the publish flow and test code, with no introduction of command injection, path traversal, prototype pollution, or other security vulnerabilities. The scanToken parameter is safely passed through method signatures and set as an HTTP header without shell interpolation or eval.

FINDINGS:
(none)
Verification notes:

  • Command injection: No use of child_process or shell commands in changed code.
  • Prototype pollution: scanToken parameter is a simple string passed through typed interfaces; no object merge/spread on untrusted input.
  • Path traversal: No file system operations in the diff.
  • SSRF: The registryUrl is configured at initialization time (line 302, 277 in publish.ts), not derived from user input in this PR. The token request endpoint is a static path appended to the configured base URL (line 143 in client.ts).
  • Unsafe header injection: The scanToken value is set directly as headers['X-Scan-Token'] = scanToken (lines 200, 284). While this could theoretically allow header injection if scanToken contained CRLF sequences, the value comes from tokenResponse?.scanToken (line 309), which is parsed from the registry's JSON response (line 175). The registry is the trusted source, and JSON parsing does not introduce newlines into string values. Additionally, modern fetch implementations sanitize headers to prevent CRLF injection.
  • Test coverage: Tests verify both the token request step and the presence of the X-Scan-Token header in the publish request (publish.test.ts lines 460-477, 493).

Reviewed 3 files changed (4827 bytes)
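The two-step flow the PR description lays out (request a scan token, then publish with it in the `X-Scan-Token` header), together with the header-injection point the review bot raises, can be exercised end to end against an in-memory stand-in for the registry. The following is an added example written for this page; it is not code from the repository or from the PR. The function names `requestScanToken` and `publishScanResults` and the `X-Scan-Token` header are taken from the PR text, while the endpoint paths (`/scan-token`, `/scan-result`), the `scanToken` JSON field name, the token character set and the fake registry are assumptions made for the example.

```typescript
// Added example (not the project's code). Assumed names and endpoint paths are marked below.

type FetchInit = { method: string; headers: Record<string, string>; body?: string };
type FetchResponse = { ok: boolean; status: number; json: () => Promise<unknown> };
type FetchLike = (url: string, init: FetchInit) => Promise<FetchResponse>;

export interface ScanResult {
  package: string;
  version: string;
  findings: string[];
}

// Defence in depth for the point the review bot raises: a token that carried CR/LF could
// smuggle extra header lines into the request. The registry's JSON response is the only
// source of the token, so this should never fire, but rejecting it here is cheap.
// The allowed alphabet is an assumption for this example.
export function isValidScanToken(token: unknown): token is string {
  return (
    typeof token === "string" &&
    token.length > 0 &&
    token.length <= 512 &&
    /^[A-Za-z0-9._~-]+$/.test(token)
  );
}

export function buildPublishHeaders(scanToken: string): Record<string, string> {
  if (!isValidScanToken(scanToken)) throw new Error("refusing to send malformed scan token");
  return { "Content-Type": "application/json", "X-Scan-Token": scanToken };
}

// Step 1: ask the registry for a scan token (endpoint path assumed).
export async function requestScanToken(fetchFn: FetchLike, registryUrl: string): Promise<string> {
  const res = await fetchFn(`${registryUrl}/scan-token`, {
    method: "POST",
    headers: { "Content-Type": "application/json" },
  });
  if (!res.ok) throw new Error(`scan token request failed: HTTP ${res.status}`);
  const body = (await res.json()) as { scanToken?: unknown };
  if (!isValidScanToken(body.scanToken)) throw new Error("registry returned no usable scanToken");
  return body.scanToken;
}

// Step 2: publish with the token in the header. --no-registry skips both steps, as the PR's
// test plan describes.
export async function publishScanResults(
  fetchFn: FetchLike,
  registryUrl: string,
  result: ScanResult,
  opts: { noRegistry?: boolean } = {},
): Promise<"skipped" | "published"> {
  if (opts.noRegistry) return "skipped";
  const token = await requestScanToken(fetchFn, registryUrl);
  const res = await fetchFn(`${registryUrl}/scan-result`, {
    method: "POST",
    headers: buildPublishHeaders(token),
    body: JSON.stringify(result),
  });
  if (!res.ok) throw new Error(`publish failed: HTTP ${res.status}`);
  return "published";
}

// Constructed in-memory registry mirroring the contract in the PR: a submission whose
// X-Scan-Token was not issued by the token endpoint is rejected with AUTH_TOKEN_MISSING.
export function makeFakeRegistry(): { fetchFn: FetchLike; calls: string[] } {
  const issued = new Set<string>();
  const calls: string[] = [];
  let counter = 0;
  const fetchFn: FetchLike = async (url, init) => {
    calls.push(url);
    if (url.endsWith("/scan-token")) {
      const tok = `tok-${++counter}`;
      issued.add(tok);
      return { ok: true, status: 200, json: async () => ({ scanToken: tok }) };
    }
    if (url.endsWith("/scan-result")) {
      const tok = init.headers["X-Scan-Token"];
      if (!tok || !issued.has(tok)) {
        return { ok: false, status: 401, json: async () => ({ error: "AUTH_TOKEN_MISSING" }) };
      }
      return { ok: true, status: 201, json: async () => ({ status: "accepted" }) };
    }
    return { ok: false, status: 404, json: async () => ({}) };
  };
  return { fetchFn, calls };
}
```

Running `publishScanResults` against `makeFakeRegistry()` produces exactly the two calls the PR's tests mock (token request first, then publish), and posting to `/scan-result` without the first step reproduces the `AUTH_TOKEN_MISSING` failure the PR fixes.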

@thebenignhacker thebenignhacker merged commit 52985f7 into main Mar 12, 2026
1 check passed
@thebenignhacker thebenignhacker deleted the fix/publish-scan-token branch March 12, 2026 07:32