@jedisct1
jedisct1 / OktaVerify_TOTP_Key_Exteaction.md
Created May 4, 2026 21:06 — forked from jakariyaa/OktaVerify_TOTP_Key_Exteaction.md
The Okta Verify TOTP secret key can be extracted with curl and the request below.
  1. Decode the QR code shown during Okta Verify app setup. Its content looks like this: oktaverify://email@domain.com/?t=XXXXX&f=YYYYY&s=https://DOMAIN.okta.com&issuer=DOMAIN.okta.com&isIdxEnabled=true
  2. Replace XXXXX, YYYYY and DOMAIN with your values in the curl command below (the `t` value is what goes into the `Authorization: OTDT` header):
curl --request POST \
  --url https://DOMAIN.okta.com/idp/authenticators \
  --header 'Accept: application/json; charset=UTF-8' \
  --header 'Accept-Encoding: gzip, deflate' \
  --header 'Authorization: OTDT XXXXX' \
  --header 'Content-Type: application/json; charset=UTF-8' \
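
The two steps above, as an added example that is not part of the gist and not Okta's code: it splits the `oktaverify://` payload into the fields the request needs and, once a secret has been obtained, computes RFC 6238 codes from it so the extraction can be checked against the app. `SAMPLE_URI` is a constructed placeholder, and base32 encoding, SHA-1, 6 digits and a 30 s step are assumptions about the returned key (the gist does not say how Okta returns it).

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Constructed sample in the shape of the QR payload above; placeholder
# values, not a real tenant, user or activation token.
SAMPLE_URI = ("oktaverify://email@domain.com/?t=XXXXX&f=YYYYY"
              "&s=https://DOMAIN.okta.com&issuer=DOMAIN.okta.com&isIdxEnabled=true")


def parse_oktaverify_uri(uri: str) -> dict:
    """Split an oktaverify:// payload into the pieces the curl request uses.

    `t` is the value sent as `Authorization: OTDT ...`, `s` is the org URL the
    POST goes to; `f` is passed through as found. ValueError on anything else.
    """
    parts = urlsplit(uri)
    if parts.scheme != "oktaverify":
        raise ValueError("not an oktaverify:// payload")
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    missing = [k for k in ("t", "f", "s") if k not in q]
    if missing:
        raise ValueError("missing query fields: " + ", ".join(missing))
    return {
        "user": parts.netloc,          # urlsplit keeps 'email@domain.com' here
        "t": q["t"], "f": q["f"], "s": q["s"],
        "issuer": q.get("issuer", ""),
        "idx": q.get("isIdxEnabled") == "true",
        "activation_url": q["s"].rstrip("/") + "/idp/authenticators",
    }


def hotp(secret: bytes, counter: int, digits: int = 6, digest=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digest).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32: str, at: Optional[int] = None, period: int = 30,
         digits: int = 6, digest=hashlib.sha1) -> str:
    """RFC 6238 TOTP from a base32-encoded secret.

    Base32, SHA-1, 6 digits and a 30 s step are the common authenticator
    defaults and an assumption here. Pass `at` to compute a code for a
    fixed Unix time instead of now.
    """
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    secret = base64.b32decode(padded)
    t = int(time.time()) if at is None else at
    return hotp(secret, t // period, digits, digest)


if __name__ == "__main__":
    fields = parse_oktaverify_uri(SAMPLE_URI)
    print("POST", fields["activation_url"], "with Authorization: OTDT", fields["t"])
    # RFC 6238 test vector: ASCII secret "12345678901234567890", T=59 -> 94287082
    print(totp("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ", at=59, digits=8))
```

The `t` token is consumed by the activation call, so the request in the gist can only be replayed against a fresh QR code; keep that in mind when testing the extracted secret, and compare a few consecutive codes from `totp()` against the Okta Verify app to confirm the digest, digit count and step assumptions.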
/*
* PoC: ASN1_UINTEGER length truncation via certificate parsing
*
* This creates a real X.509v3 self-signed certificate using the OpenSSL
* API, serializes it to DER, then patches the serial number's length
* field in the raw DER to exceed INT_MAX, and re-parses it with
* d2i_X509(). Internally X509 parsing calls x_int64_ex_d2i which uses
* the general ASN1 machinery, but the legacy d2i_ASN1_UINTEGER path
* is only reached through direct calls.
*

ASN1 UINTEGER decoder truncates oversized lengths

Classification

  • Type: vulnerability
  • Severity: high
  • Confidence: certain

Affected Locations

  • crypto/asn1/a_int.c:448
  • crypto/asn1/a_int.c:457
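
The bug class named by the PoC comment and the report above (a DER length that does not fit the `int` the decoder stores it in), shown in an added Python model that is not the PoC's body and not OpenSSL's `a_int.c`: `as_c_int` stands in for the narrowing store, `truncating_fits` is the vulnerable shape where the narrowed value feeds the bounds check, and `checked_length` is the hardened shape. `EVIL_SERIAL` and `GOOD_SERIAL` are constructed serial-number TLVs.

```python
import struct

INT_MAX = 2**31 - 1


def as_c_int(v: int) -> int:
    """Model storing an arbitrary decoded value into a 32-bit C int: keep the
    low 32 bits and reinterpret them as two's complement, which is what the
    common compilers do when a wider value is narrowed."""
    return struct.unpack("<i", struct.pack("<I", v & 0xFFFFFFFF))[0]


def der_length(buf: bytes, pos: int):
    """Decode the DER length at buf[pos]; return (length, header_size).
    The length is a Python int here, so nothing is lost at this stage."""
    first = buf[pos]
    if first < 0x80:
        return first, 1
    nbytes = first & 0x7F
    if nbytes == 0 or pos + 1 + nbytes > len(buf):
        raise ValueError("malformed length header")
    return int.from_bytes(buf[pos + 1:pos + 1 + nbytes], "big"), 1 + nbytes


def truncating_fits(buf: bytes, pos: int) -> bool:
    """Vulnerable shape: the length is narrowed to an int *before* the
    'does the content fit in the input?' comparison. A length just above
    INT_MAX wraps negative and the comparison passes."""
    length, hdr = der_length(buf, pos)
    c_len = as_c_int(length)                  # 2147483649 -> -2147483647
    remaining = len(buf) - pos - hdr
    return c_len <= remaining


def checked_length(buf: bytes, pos: int) -> int:
    """Hardened shape: reject non-minimal encodings, lengths the consumer
    cannot represent, and lengths that run past the end of the input."""
    length, hdr = der_length(buf, pos)
    nbytes = hdr - 1
    if (nbytes == 1 and length < 0x80) or (nbytes > 1 and buf[pos + 1] == 0):
        raise ValueError("non-minimal DER length")
    if length > INT_MAX:
        raise ValueError("length does not fit the consumer's int")
    if length > len(buf) - pos - hdr:
        raise ValueError("length runs past the end of the input")
    return length


# Constructed TLVs for a certificate serial number (INTEGER, tag 0x02).
# EVIL carries a long-form length of 0x80000001 = 2147483649 (> INT_MAX) and
# one byte of content; GOOD is a normal one-byte serial.
EVIL_SERIAL = bytes([0x02, 0x84, 0x80, 0x00, 0x00, 0x01, 0x01])
GOOD_SERIAL = bytes([0x02, 0x01, 0x01])

if __name__ == "__main__":
    print("wrapped length:", as_c_int(der_length(EVIL_SERIAL, 1)[0]))
    print("vulnerable check passes:", truncating_fits(EVIL_SERIAL, 1))
    try:
        checked_length(EVIL_SERIAL, 1)
    except ValueError as e:
        print("hardened check rejects:", e)
```

The order of the two checks is the whole point: comparing against the remaining input before narrowing rejects the oversized length on its own, because no real input is 2 GiB long, while comparing after narrowing lets a negative value through. The PoC's route through `d2i_X509()` versus direct `d2i_ASN1_UINTEGER` calls is as the comment above describes it and is not modelled here.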

Path-based package dependencies can escape the parent package root

Classification

  • Type: unsafe trust-boundary violation
  • Severity: high
  • Confidence: certain

Affected Locations

  • src/Package/Fetch.zig:526
  • src/Package/Fetch.zig:963
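
The containment check a package fetcher needs for path-type dependencies, as an added Python example rather than the Zig project's own `Fetch.zig` logic (which is not on this page): `naive_resolve` is the shape of the problem, joining whatever the manifest says onto the root, and `resolve_path_dependency` resolves both sides (following symlinks) and refuses anything not under the parent package root. The `/srv/pkgs/app` roots in the usage are hypothetical paths.

```python
import os
import tempfile
from pathlib import Path, PurePosixPath


def naive_resolve(package_root: str, dep_path: str) -> Path:
    """The shape of the bug: join and resolve, trusting the manifest's path."""
    return (Path(package_root) / dep_path).resolve(strict=False)


def resolve_path_dependency(package_root: str, dep_path: str) -> Path:
    """Resolve a relative path dependency and refuse anything that leaves the
    parent package root. Root and candidate are both resolved (symlinks
    followed) before comparing, so `../` segments and symlinks that point
    out of the tree are caught the same way."""
    if Path(dep_path).is_absolute() or PurePosixPath(dep_path).is_absolute():
        raise ValueError("absolute dependency paths are not allowed")
    root = Path(package_root).resolve(strict=False)
    target = (root / dep_path).resolve(strict=False)
    if target != root and root not in target.parents:
        raise ValueError(f"dependency path escapes package root: {dep_path!r}")
    return target


def escapes_root(package_root: str, dep_path: str) -> bool:
    """True when the guard rejects dep_path for this root."""
    try:
        resolve_path_dependency(package_root, dep_path)
        return False
    except ValueError:
        return True


def symlink_escape_is_rejected() -> bool:
    """Build root/link -> ../outside in a scratch directory: the literal path
    'link/pkg' stays under root, but the resolved one does not."""
    with tempfile.TemporaryDirectory() as tmp:
        root, outside = Path(tmp) / "root", Path(tmp) / "outside"
        root.mkdir()
        outside.mkdir()
        os.symlink(outside, root / "link")
        return escapes_root(str(root), "link/pkg")


if __name__ == "__main__":
    print(naive_resolve("/srv/pkgs/app", "../other"))        # escapes silently
    print(escapes_root("/srv/pkgs/app", "../other"))         # True
    print(escapes_root("/srv/pkgs/app", "deps/zlib"))        # False
    print(symlink_escape_is_rejected())                      # True
```

Comparing resolved paths is what makes the check hold for symlinks; a purely lexical check on the manifest string would accept `link/pkg` and still read outside the root. Whether a fetcher should allow a dependency to reach a sibling package (a policy question) is separate from this boundary; the check above treats the parent package root as the boundary, matching the report's title.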
@jedisct1
jedisct1 / environment-variables.md
Created March 31, 2026 10:16
Claude Code environment variables full list

Claude Code Environment Variables

Scope and methodology

This file documents environment variables visible in the checked-in source of this repository snapshot. It is not guaranteed to be exhaustive for the full product, because many imported files are not present here.

For each variable, this document gives:

  • the visible purpose in code
  • the rough subsystem it belongs to
{
"version": 1,
"timestamp": "2026-02-25T13:19:05.695339+00:00",
"task": "Create xvcl code to compute the MD5 hash of the User-Agent header. Dont simulate, just lint",
"model": "zai-org/GLM-5",
"provider": "huggingface",
"settings": {
"temperature": 0.55,
"top_p": 1.0,
"seed": null,
{
"version": 1,
"timestamp": "2026-02-25T13:06:32.962539+00:00",
"task": "Create xvcl code to compute the MD5 hash of the User-Agent header",
"model": "zai-org/GLM-5",
"provider": "huggingface",
"settings": {
"temperature": 0.55,
"top_p": 1.0,
"seed": null,
diff --git a/lib/std/base64.zig b/lib/std/base64.zig
index 8c08fd6786..5eb9a8d283 100644
--- a/lib/std/base64.zig
+++ b/lib/std/base64.zig
@@ -313,12 +313,22 @@ pub const Base64DecoderWithIgnore = struct {
return result;
}
- /// Return the maximum possible decoded size for a given input length - The actual length may be less if the input includes padding.
- /// `InvalidPadding` is returned if the input length is not valid.
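Review bot: the two `-` lines remove the only statement in this hunk of the size function's contract (an upper bound that the actual decoded length may undershoot when the input carries padding, and `InvalidPadding` returned when the input length is not valid), and the `+` side of the hunk is not visible in this preview; check that the replacement doc comment still states both the bound direction and the `InvalidPadding` condition, since callers that allocate from the returned size rely on exactly those two points.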
#!/usr/bin/env python3
"""
Demonstrate a length extension attack against tokens computed as
SHA256(secret || signed_url || expiration || remote_ip || query_string).
"""
import base64
import hashlib
import struct
import urllib.parse
(**
This Coq proof formally verifies that the EGCD algorithm implemented in egcd.zig
correctly computes the GCD and Bezout coefficients for all inputs.
PROVEN PROPERTIES:
1. Termination: The algorithm terminates for all inputs
2. Bezout Identity: a*x + b*y = gcd(a,b) for all inputs
3. GCD Correctness: The result matches Coq's standard library Z.gcd
4. Type Coverage: Works for ALL Zig integer types (u0 to u65534, i0 to i65534)
*)
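
The properties listed in the Coq header, exercised concretely in an added Python example (not the proof, and not the `egcd.zig` it verifies): an iterative extended Euclid whose remainder strictly shrinks (termination), a check of the Bezout identity and of agreement with the library gcd, and an exhaustive run over every pair of a small fixed-width type, which is what "type coverage" means here. `check_int_type` and `result_fits` are names chosen for this example; Python's unbounded ints make the edge case at the bottom of a signed range visible.

```python
import math


def egcd(a: int, b: int):
    """Extended Euclid. Returns (g, x, y) with g == gcd(a, b) >= 0 and a*x + b*y == g.
    Each step replaces (old_r, r) by (r, old_r mod r), so |r| strictly decreases
    and the loop terminates for every pair of integers, including zeros."""
    old_r, r, old_s, s, old_t, t = a, b, 1, 0, 0, 1
    while r != 0:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_s, s = s, old_s - q * s
        old_t, t = t, old_t - q * t
    if old_r < 0:                      # normalise so g >= 0, keeping the identity
        old_r, old_s, old_t = -old_r, -old_s, -old_t
    return old_r, old_s, old_t


def bezout_holds(a: int, b: int) -> bool:
    """Both proven properties for one pair: gcd matches the library, identity holds."""
    g, x, y = egcd(a, b)
    return g == math.gcd(a, b) and a * x + b * y == g


def type_range(bits: int, signed: bool):
    """Inclusive (lo, hi) of a Zig-style fixed-width integer, e.g. i4 or u5; u0/i0 hold only 0."""
    if bits == 0:
        return 0, 0
    if signed:
        return -(1 << (bits - 1)), (1 << (bits - 1)) - 1
    return 0, (1 << bits) - 1


def check_int_type(bits: int, signed: bool) -> bool:
    """Exhaustively check every (a, b) of the type; feasible for small widths."""
    lo, hi = type_range(bits, signed)
    return all(bezout_holds(a, b) for a in range(lo, hi + 1) for b in range(lo, hi + 1))


def result_fits(bits: int, signed: bool, a: int, b: int) -> bool:
    """The caveat a fixed-width implementation must handle: gcd(min_int, 0) is
    |min_int|, which the signed type cannot represent (for i4, gcd(-8, 0) == 8)."""
    lo, hi = type_range(bits, signed)
    g, _, _ = egcd(a, b)
    return lo <= g <= hi


if __name__ == "__main__":
    print(egcd(240, 46))                    # (2, -9, 47): 240*-9 + 46*47 == 2
    print(check_int_type(4, True), check_int_type(5, False))
    print(result_fits(4, True, -8, 0))      # False: the result overflows i4
```

The last function is the part a proof about "all Zig integer types" has to say something about: the identity is true over the integers, but a Zig `egcd` returning `i4` cannot hold `gcd(-8, 0)`, so either the return type is widened, that input is rejected, or the proof's statement is restricted to inputs whose result fits.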