Proxy/redirect support for log review, FP reduction, UAE Luhn tiering, cleanup#2
Merged
Merged
Conversation
… dead-code removal Restricted-network access (mode=logs / mode=search): - New --proxy flag with HTTPS_PROXY/HTTP_PROXY env fallback and NO_PROXY host-suffix support. HTTPS targets tunnel via CONNECT; HTTP targets use absolute-URI forwarding. Proxy credentials ride in the URL userinfo, are sent only as Proxy-Authorization, and are scrubbed from all output. - KibanaClient follows redirects (301/302/303/307/308, max 5 hops) so http->https upgrades, SSO gateways, and LB canonicalization work. Authorization is forwarded only on same-origin hops; loops fail fast. - --insecure (private CAs) applies identically through proxy tunnels. False-positive reduction: - BCR-CRYPTO-006 matches the secret pattern against the comparand's terminal identifier, skips PascalCase enum members and presence/ metadata checks (=== undefined, .length, typeof). Self-scan: 27 -> 0. - Self-referential matches in scanner source carry inline suppressions with reasons instead of detector weakening. UAE log review: - LOG-PII-001 Emirates ID gains Luhn check-digit tiering: checksum-valid -> HIGH, shape-only -> MEDIUM with verify wording (recall preserved). Descriptions cite UAE PDPL Art. 4/5/24 and CBUAE CPS. Cleanup: - constants.ts trimmed from 13 exports to the 2 with actual consumers. Docs: README restricted-network + UAE compliance sections; CHANGELOG. Tests: +7 transport tests against real local HTTP servers (redirect following, auth stripping, loop guard, proxy absolute-URI, CONNECT failure scrubbing), EID Luhn tiers, FP fixture shapes. 317/317 pass.
There was a problem hiding this comment.
Pull request overview
This PR improves log-review usability in restricted enterprise/bank networks by enhancing the Kibana/Elasticsearch client transport (proxy + redirects), reduces scanner false positives (notably BCR-CRYPTO-006), increases UAE Emirates ID detection precision via Luhn tiering, and removes dead constants.
Changes:
- Add forward-proxy support and redirect following to the Kibana/ES client, with credential scrubbing and new transport tests.
- Reduce false positives in
BCR-CRYPTO-006by using terminal-identifier matching and skipping presence/metadata comparisons; add regression fixtures. - Add Luhn-based severity tiering to
LOG-PII-001(Emirates ID) and update docs/changelog accordingly; trim unused exports fromsrc/utils/constants.ts.
Reviewed changes
Copilot reviewed 13 out of 13 changed files in this pull request and generated 2 comments.
Show a summary per file
| File | Description |
|---|---|
| tests/logRules.test.ts | Adds tests for Emirates ID Luhn tiering (HIGH vs MEDIUM). |
| tests/logReviewAnalyzer.test.ts | Updates EID fixture to use a Luhn-valid number for expected HIGH-severity behavior. |
| tests/kibanaClientTransport.test.ts | New integration-style transport tests for redirects and forward proxy behavior. |
| tests/fixtures/fp-regression-safe.ts | Adds FP fixtures covering enum-member and presence/metadata comparison shapes. |
| src/utils/constants.ts | Removes unused constant exports; keeps only actively-consumed lists. |
| src/poc/PocGenerator.ts | Adds inline suppression to prevent self-scanner false positives in remediation templates. |
| src/logs/logRules.ts | Implements Emirates ID Luhn tiering and updated PDPL/CBUAE wording. |
| src/logs/kibanaClient.ts | Implements proxy support, redirect following, and credential scrubbing in transport layer. |
| src/index.ts | Adds --proxy CLI option and env/NO_PROXY resolution logic; logs scrubbed proxy value. |
| src/detectors/jwtBypassDetector.ts | Adds inline suppression for self-referential pattern strings. |
| src/detectors/cryptoWeaknessDetector.ts | Refines timing-unsafe comparison heuristic to reduce false positives. |
| README.md | Documents restricted-network access and UAE specifics; adds --proxy to tables. |
| CHANGELOG.md | Documents new proxy/redirect behavior, FP reductions, UAE tiering, and constants cleanup. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
…pgrade auth - Proxy credentials are now removed from the stored URL object right after the Proxy-Authorization header is built — heap snapshots and debug dumps of the long-lived client never carry the raw password. - Authorization forwarding on redirects now permits same-host http→https UPGRADES (the LB/SSO gateway pattern that motivated redirect support) while still refusing TLS downgrades and different hosts. Extracted as the exported pure helper shouldForwardAuth for direct testing. Adds 5 tests (forwarding policy matrix + stored-credential check). 322/322 pass.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What & why
Four improvement tracks: restricted-network access for log review, false-positive reduction, UAE compliance precision, and dead-code cleanup.
Restricted-network access (
--mode logs/--mode search)Bank networks rarely expose Kibana directly. The client now handles the three common obstacles:
--proxyflag withHTTPS_PROXY/HTTP_PROXYenv fallback andNO_PROXYhost-suffix support. HTTPS targets tunnel via CONNECT; plain-HTTP targets use absolute-URI forwarding. Proxy credentials ride in the URL userinfo, are sent only asProxy-Authorization, and are scrubbed from every banner and error message.Authorizationis forwarded only on same-origin hops — a cross-origin redirect target never receives the credential. Loops fail fast with the scrubbed chain in the error.--insecure(private CAs) applies identically through proxy tunnels: target-cert validation is enforced at the TLS layer above the CONNECT socket.False-positive reduction
BCR-CRYPTO-006(timing-unsafe comparison) now matches the secret-name pattern against the comparand's terminal identifier rather than full text, skips PascalCase enum/constant members (ts.SyntaxKind.BarBarTokenno longer flags on/token/), and skips presence/metadata checks (token === undefined,sig.length === 64,typeof token === 'string'). Self-scan findings: 27 → 0.bcr-disablesuppressions with reasons, rather than weakening detectors.UAE log-review improvements
LOG-PII-001(Emirates ID) gains Luhn check-digit tiering: shape + birth-year + checksum-valid → HIGH (near-certain real EID); shape-only → still reported (recall preserved for national IDs) but MEDIUM with explicit verify wording. Descriptions now cite UAE PDPL Art. 4/5/24 and CBUAE Consumer Protection Standards.Cleanup
src/utils/constants.tstrimmed from 13 exports to the 2 with actual consumers — the other 11 had zero references and drifted from real detector logic.Docs
--proxyrows in both input tables.Testing
tsc --noEmitclean; self-scan reports 0 findings.Generated by Claude Code