fix(api): address CATS fuzzing errors and improve API hardening

- Add 400 response documentation to GET/DELETE /admin/settings/{key}
  for invalid key format validation (pattern: ^[a-z][a-z0-9_.]*$)
- Add request body rejection to MigrateSystemSettings endpoint for
  defense-in-depth (endpoint uses only query parameters per OpenAPI)
- Add FORM_URLENCODED_JSON_TEST false positive rule to detect when
  CATS applies JSON validation tests to form-urlencoded endpoints
  (fixes false positives on /oauth2/revoke per RFC 7009)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Author: ericfitz

.version

@@ -1,5 +1,5 @@
 {
   "major": 0,
   "minor": 282,
-  "patch": 1
+  "patch": 2
 }

api-schema/tmi-openapi.json

@@ -37451,6 +37451,39 @@
           },
           "500": {
             "$ref": "#/components/responses/Error"
+          },
+          "400": {
+            "description": "Bad Request - Invalid key format (must match pattern ^[a-z][a-z0-9_.]*$)",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "$ref": "#/components/schemas/Error"
+                }
+              }
+            },
+            "headers": {
+              "X-RateLimit-Limit": {
+                "description": "Maximum number of requests allowed in the current time window",
+                "schema": {
+                  "type": "integer",
+                  "example": 1000
+                }
+              },
+              "X-RateLimit-Remaining": {
+                "description": "Number of requests remaining in the current time window",
+                "schema": {
+                  "type": "integer",
+                  "example": 999
+                }
+              },
+              "X-RateLimit-Reset": {
+                "description": "Unix epoch seconds when the rate limit window resets",
+                "schema": {
+                  "type": "integer",
+                  "example": 1735689600
+                }
+              }
+            }
           }
         },
         "security": [
@@ -37720,6 +37753,39 @@
           },
           "500": {
             "$ref": "#/components/responses/Error"
+          },
+          "400": {
+            "description": "Bad Request - Invalid key format (must match pattern ^[a-z][a-z0-9_.]*$)",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "$ref": "#/components/schemas/Error"
+                }
+              }
+            },
+            "headers": {
+              "X-RateLimit-Limit": {
+                "description": "Maximum number of requests allowed in the current time window",
+                "schema": {
+                  "type": "integer",
+                  "example": 1000
+                }
+              },
+              "X-RateLimit-Remaining": {
+                "description": "Number of requests remaining in the current time window",
+                "schema": {
+                  "type": "integer",
+                  "example": 999
+                }
+              },
+              "X-RateLimit-Reset": {
+                "description": "Unix epoch seconds when the rate limit window resets",
+                "schema": {
+                  "type": "integer",
+                  "example": 1735689600
+                }
+              }
+            }
           }
         },
         "security": [

api/config_handlers.go

@@ -414,6 +414,18 @@ func (s *Server) MigrateSystemSettings(c *gin.Context, params MigrateSystemSetti
 	logger := slogging.Get().WithContext(c)
 	ctx := c.Request.Context()
 
+	// Reject unexpected request bodies for defense-in-depth
+	// This endpoint uses only query parameters per OpenAPI spec
+	if c.Request.ContentLength > 0 {
+		logger.Warn("Unexpected request body in settings migration request")
+		HandleRequestError(c, &RequestError{
+			Status:  http.StatusBadRequest,
+			Code:    "invalid_request",
+			Message: "This endpoint does not accept a request body",
+		})
+		return
+	}
+
 	// Check admin permissions
 	isAdmin, err := IsUserAdministrator(c)
 	if err != nil || !isAdmin {

api/version.go

@@ -29,7 +29,7 @@ var (
 	// Minor version number
 	VersionMinor = "282"
 	// Patch version number
-	VersionPatch = "1"
+	VersionPatch = "2"
 	// GitCommit is the git commit hash from build
 	GitCommit = "development"
 	// BuildDate is the build timestamp

scripts/parse-cats-results.py

@@ -497,6 +497,7 @@ def extract_test_number(self, test_id: str) -> int:
     FP_RULE_TRANSFER_ENCODING = "TRANSFER_ENCODING_501"
     FP_RULE_DELETED_RESOURCE_LIST = "DELETED_RESOURCE_LIST"
     FP_RULE_REMOVE_FIELDS_ONEOF = "REMOVE_FIELDS_ONEOF"
+    FP_RULE_FORM_URLENCODED_JSON_TEST = "FORM_URLENCODED_JSON_TEST"
 
     def detect_false_positive(self, data: Dict) -> Tuple[bool, Optional[str]]:
         """
@@ -532,6 +533,7 @@ def detect_false_positive(self, data: Dict) -> Tuple[bool, Optional[str]]:
         - TRANSFER_ENCODING_501: Unsupported transfer encoding per RFC 7230
         - DELETED_RESOURCE_LIST: List endpoints return 200 with empty array after deletion
         - REMOVE_FIELDS_ONEOF: RemoveFields on oneOf endpoints correctly returns 400
+        - FORM_URLENCODED_JSON_TEST: JSON validation tests on form-urlencoded endpoints
         """
         response_code = data.get('response', {}).get('responseCode', 0)
         result_reason = (data.get('resultReason') or '').lower()
@@ -890,6 +892,25 @@ def detect_false_positive(self, data: Dict) -> Tuple[bool, Optional[str]]:
             if path == '/admin/administrators' and response_code == 400:
                 return (True, self.FP_RULE_REMOVE_FIELDS_ONEOF)
 
+        # 19. JSON validation tests on form-urlencoded endpoints (CATS test design issue)
+        # CATS fuzzers like MalformedJson, DuplicateKeysFields test JSON-specific issues
+        # but some endpoints (like /oauth2/revoke per RFC 7009) accept form-urlencoded data.
+        # When CATS sends form-urlencoded data but applies JSON validation expectations,
+        # the server correctly handles the form data and returns 200 (per RFC 7009).
+        # This is correct behavior - the fuzzers are testing the wrong content type.
+        json_validation_fuzzers = ['MalformedJson', 'DuplicateKeysFields', 'RandomDummyInvalidJsonBody']
+        if fuzzer in json_validation_fuzzers:
+            # Check request Content-Type header
+            request_headers = data.get('request', {}).get('headers') or []
+            content_type = ''
+            for h in request_headers:
+                if h.get('key', '').lower() == 'content-type':
+                    content_type = h.get('value', '').lower()
+                    break
+            # If form-urlencoded, JSON tests are false positives
+            if 'application/x-www-form-urlencoded' in content_type:
+                return (True, self.FP_RULE_FORM_URLENCODED_JSON_TEST)
+
         return (False, None)
 
     def is_false_positive(self, data: Dict) -> bool: