From cd6ad51ae7bbd308ec48211fa55a4cfdca145613 Mon Sep 17 00:00:00 2001
From: GitHub Actions
Date: Fri, 13 Feb 2026 07:43:45 +0000
Subject: [PATCH] fix: clear block security decisions during emergency reset

---
 .../api/handlers/emergency_handler.go | 4 +++
 .../api/handlers/emergency_handler_test.go | 26 +++++++++++++++++++
 2 files changed, 30 insertions(+)

diff --git a/backend/internal/api/handlers/emergency_handler.go b/backend/internal/api/handlers/emergency_handler.go
index 8a4803ee..12a50e22 100644
--- a/backend/internal/api/handlers/emergency_handler.go
+++ b/backend/internal/api/handlers/emergency_handler.go
@@ -272,6 +272,10 @@ func (h *EmergencyHandler) disableAllSecurityModules() ([]string, error) {
 }
 }
 
+ if err := h.db.Where("action = ?", "block").Delete(&models.SecurityDecision{}).Error; err != nil {
+ log.WithError(err).Warn("Failed to clear block security decisions during emergency reset")
+ }
+
 return disabledModules, nil
 }
 
diff --git a/backend/internal/api/handlers/emergency_handler_test.go b/backend/internal/api/handlers/emergency_handler_test.go
index 9d537834..a11981f6 100644
--- a/backend/internal/api/handlers/emergency_handler_test.go
+++ b/backend/internal/api/handlers/emergency_handler_test.go
@@ -35,6 +35,7 @@ func setupEmergencyTestDB(t *testing.T) *gorm.DB {
 &models.Setting{},
 &models.SecurityConfig{},
 &models.SecurityAudit{},
+ &models.SecurityDecision{},
 &models.EmergencyToken{},
 )
 require.NoError(t, err)
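Review bot: In `disableAllSecurityModules` (emergency_handler.go), a failed delete of the block decisions is logged at Warn and then dropped, so the function still returns `disabledModules, nil` and the caller cannot tell the operator that blocks are still in force. The same lines remove enforcement records without recording how many were removed. Keeping the result, `res := h.db.Where("action = ?", "block").Delete(&models.SecurityDecision{})`, would let the handler put `res.RowsAffected` into the log entry and into whatever audit record the reset writes, and surface `res.Error` to the caller without failing the reset. Whether this is a hard or soft delete depends on the model definition, which is not in the hunk; if it is a hard delete, the cleared blocklist cannot be reconstructed afterwards for incident review. The function body starts above the hunk.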
@@ -312,6 +313,31 @@ func TestEmergencySecurityReset_TriggersReloadAndCacheInvalidate(t *testing.T) {
 assert.Equal(t, 1, mockCache.calls)
 }
 
+func TestEmergencySecurityReset_ClearsBlockDecisions(t *testing.T) {
+ db := setupEmergencyTestDB(t)
+ handler := NewEmergencyHandler(db)
+ router := setupEmergencyRouter(handler)
+
+ validToken := "this-is-a-valid-emergency-token-with-32-chars-minimum"
+ require.NoError(t, os.Setenv(EmergencyTokenEnvVar, validToken))
+ defer func() { require.NoError(t, os.Unsetenv(EmergencyTokenEnvVar)) }()
+
+ require.NoError(t, db.Create(&models.SecurityDecision{UUID: "dec-1", Source: "manual", Action: "block", IP: "127.0.0.1", CreatedAt: time.Now()}).Error)
+ require.NoError(t, db.Create(&models.SecurityDecision{UUID: "dec-2", Source: "manual", Action: "allow", IP: "127.0.0.2", CreatedAt: time.Now()}).Error)
+
+ req := httptest.NewRequest(http.MethodPost, "/api/v1/emergency/security-reset", nil)
+ req.Header.Set(EmergencyTokenHeader, validToken)
+ w := httptest.NewRecorder()
+ router.ServeHTTP(w, req)
+
+ require.Equal(t, http.StatusOK, w.Code)
+
+ var remaining []models.SecurityDecision
+ require.NoError(t, db.Find(&remaining).Error)
+ require.Len(t, remaining, 1)
+ assert.Equal(t, "allow", remaining[0].Action)
+}
+
 func TestLogEnhancedAudit(t *testing.T) {
 // Setup
 db := setupEmergencyTestDB(t)
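Review bot: The environment handling in `TestEmergencySecurityReset_ClearsBlockDecisions` pairs `os.Setenv` with a deferred `os.Unsetenv`, which leaves the variable unset rather than restored to its previous value and runs `require.NoError` inside a defer. A single `t.Setenv(EmergencyTokenEnvVar, validToken)` replaces both lines and restores the prior value on cleanup, though sibling tests outside this hunk may use the same pattern and would need the same change. Both seeded rows use `Source: "manual"`, so the test does not pin whether block decisions from another source are meant to be cleared too; a third row with a different `Source` and `Action: "block"` would make that intent explicit. The test also covers only the success path, so the swallowed delete error in the handler has no coverage.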