ASSICASH-71 — InstaCash CSS log noise

One-line summary

PROD vuer_css local.json portal.url was misconfigured (UAT URL in PROD); SysOps fixed in FKITSYS-9486 (2026-01-06). portal_css devel already contains the Express 5 fixes referenced via PR #666 (carried by PR #670). Open: PROD log-volume confirmation; possible parallel hosts.portal misconfig on portal_css side.

Ticket chain

  • ASSICASH-71 (Assist Instacash) — Open, P2, assigned andras.lederer, Production, “IT scheduled”. Spawned from SLAICASH-28.
  • FKITDEV-8201 (FaceKom Dev) — In-progress (set 2026-05-05 by Bence László), assigned andras.lederer, related to FKITDEV-8150.
  • FKITSYS-9486 (SysOps) — Done 2026-01-06 by Bence Balázs (1h), Production, Contractual obligation. Found PROD CSS portal.url = https://ohp-uat.mbhbank.hu/login (UAT).
  • SLAICASH-28 (SLA Instacash) — Solved 2026-01-05 (Critical SLA, 7h, Kulcsár Gergő). Origin incident: “The waiting room is open but customers cannot log in”.

Findings (compressed)

Branch state matrix

                              devel                                 customization/instacash (PROD)
  Express version             5.14.16                               4
  HEAD                        active                                b0a4a37a (2024-08-05)
  WebServer.js CSP handler    lines 316-322                         lines 343-348
  Password-recovery route     array form (PR #670 landed)           '/password-recovery/:token?/:lang?'
  _router → router rename     fixed (PR #670, PR #689 follow-up)    n/a (Express 4)

PR #666 / PR #670 lineage

PR #666 metadata (cite via gh source): author Peter Szollar (szollarp), created 2026-01-06, closed unmerged 2026-01-08, 2 changed files / +2/-2 lines. Both fixes merged via PR #670 (commit 8b94fab3 / d544c5e7). Diff equivalence verified.

Log-noise mechanism

server/web/WebServer.js setupCSPReportViolation() writes every POST /report-violation as logger.channels.csp.error('csp-validation', report) — no throttle, no dedup. Combined with empty-default hosts.portal in dev.json/docker.json, any deployment with a wrong/empty value will spam the csp channel.

Bonus finding (council)

server/service/PortalService.js:48 uses url: `https://${config.get('hosts.portal')}/password-recovery/...` . Empty hosts.portal produces https:///password-recovery/... in customer emails. Same config key, broader blast radius than just CSP noise.
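The two consumers of hosts.portal named above (the CSP connect-src string in WebServer.js and the recovery URL in PortalService.js:48) reduced to a runnable sketch, as an added example that is not the project's code. `config` is a flat object standing in for the real config loader (config.get('hosts.portal') in the app); requireHost, recoveryUrl, connectSrc and demo are hypothetical names introduced here to show a fail-fast guard next to the unguarded shape.

```javascript
// Added example, not project code. Models the two consumers of hosts.portal
// and puts a startup-style guard in front of them. `config` is a plain-object
// stand-in for the real config loader; function names are hypothetical.

// Bare RFC 1123-style hostname: no scheme, port, path or trailing slash.
const HOST_RE = /^(?=.{1,253}$)[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?(\.[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)*$/i;

// Fail fast: an empty or non-hostname value is a deployment error, not a runtime value.
function requireHost(config, key) {
  const value = config[key];
  if (typeof value !== 'string' || value.trim() === '') {
    throw new Error(`${key} is empty; refusing to build URLs against an unbound host`);
  }
  if (!HOST_RE.test(value)) {
    throw new Error(`${key} must be a bare hostname, got ${JSON.stringify(value)}`);
  }
  return value;
}

// Shape of the unguarded string-building the page describes (PortalService.js:48
// and the 'wss://' + host concatenation in WebServer.js).
function recoveryUrlUnguarded(host, token, lang) {
  return `https://${host}/password-recovery/${token}/${lang}`;
}
function connectSrcUnguarded(host) {
  return 'wss://' + host;
}

// Guarded versions: a bad hosts.portal throws here, not in a customer's mailbox
// or in every browser's CSP report stream.
function recoveryUrl(config, token, lang) {
  const host = requireHost(config, 'hosts.portal');
  return `https://${host}/password-recovery/${encodeURIComponent(token)}/${encodeURIComponent(lang)}`;
}
function connectSrc(config) {
  return 'wss://' + requireHost(config, 'hosts.portal');
}

// What a WHATWG URL parser (browsers, Node's URL class) makes of the broken link:
// the extra slashes after the scheme are skipped, so the first path segment
// becomes the host the mail client actually navigates to.
function resolvedHostname(url) {
  return new URL(url).hostname;
}

// Side-by-side demonstration on the empty default from dev.json/docker.json.
function demo() {
  const broken = recoveryUrlUnguarded('', 'tok', 'hu');
  return {
    brokenLink: broken,                       // https:///password-recovery/tok/hu
    brokenLinkHost: resolvedHostname(broken), // password-recovery
    brokenConnectSrc: connectSrcUnguarded(''),// wss://
    goodLink: recoveryUrl({ 'hosts.portal': 'instacash.hu' }, 'tok', 'hu'),
  };
}
```

Note that `new URL('wss://')` throws, so the empty-default connect-src entry is not even a parseable origin; the browser simply rejects every WebSocket connect and files a report for each attempt, which is the feedback loop described under "Log-noise mechanism".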

Deployment source

Per release-process, InstaCash PROD ships from customization/instacash (Express 4) — devel state is for future update/customization/instacash/{date} core syncs. Latest unmerged sync attempt: update/customization/instacash-2024-10-15.

Devel relevance is forward-looking only

Until the next core sync of customization/instacash, devel’s Express 5 fixes are not running on InstaCash PROD.

PR #666 reached devel via PR #670

PR #666 was closed unmerged but its content reached devel via PR #670 — the cross-reference in FKITDEV-8201 is misleading without this context.

Hungarian replies (canonical)

These are the final versions to be submitted

The two Hungarian comments below replace the earlier English “Draft 1” / “Draft 2” drafts; those are now obsolete and we do not keep both. Their content matches the root-cause analysis above, the bug chain (SLAICASH-28 → FKITSYS-9486 → fix on 2026-01-06) and the hardening options.

Hungarian reply — FKITDEV-8201 comment

As a single comment on FKITDEV-8201, with a short cross-reference to ASSICASH-71.

I looked into this CSS log noise; the source has been found and it is largely resolved already.

The main cause: in the vuer_css PROD local.json the portal.url was wrong (https://ohp-uat.mbhbank.hu/login instead of the correct https://instacash.hu/). Balázs Bence fixed this in FKITSYS-9486 (2026-01-06).

The portal_css devel branch is fine: the two Express 5 fixes from PR 666 (app._router → app.router, and rewriting /password-recovery/:token?/:lang? into a 3-element path array) are in devel via 670 (8b94fab3 / d544c5e7), with the _router part further reinforced in 689 (e1fcbd57). I diffed them; they match, nothing is missing there.

This does not affect the customization/instacash branch, because it is still on Express 4 (HEAD b0a4a37a, 2024-08-05). When it next gets an update/customization/instacash/{date} core sync from devel, the #670 route fix has to be carried along with it.

Before closing, it is worth checking whether the csp log volume on PROD has really dropped since FKITSYS-9486; until then, In Review. I separately flagged on FKITSYS-9486 that the portal_css PROD config (hosts.portal) should be checked as well, because it can cause CSP noise in the same way.

Hungarian reply — FKITSYS-9486 comment (@bence.balazs)

As a comment on FKITSYS-9486 (or as a new sub-task), addressed to @bence.balazs.

@bence.balazs, a question about this fix. The portal_css local.json has a hosts.portal key, which provides the WebSocket CSP connect-src allowlist ('wss://' + config.get('hosts.portal') in WebServer.js) and the password-recovery email URL (PortalService.js:48). Its default in dev.json/docker.json is an empty string. Could you check whether this is set correctly (instacash.hu) in the portal_css local.json on InstaCash PROD? It would be the same kind of config drift as the one you fixed for the vuer_css portal.url.

Hardening options (if a follow-up PR happens)

Three patterns considered (council-validated), weakest → strongest:

  • Option 1: in-handler Map<key, {count, lastLogged}> dedup keyed on blocked-uri|violated-directive|document-uri. Pros: self-contained, no new dependency. Cons: custom code to test.
  • Option 2: express-rate-limit mounted only on POST /report-violation. Pros: battle-tested, idiomatic. Cons: adds a dependency.
  • Option 3: forward CSP reports to a dedicated collector / separate log4js channel with sampling. Pros: preserves all data, cleanest separation. Cons: infra work.

Also recommend routing the csp log4js category to a separate file/syslog facility; the csp flood is likely what made the useful PROD logs disappear during SLAICASH-28.
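Option 1 from the table above, written out as an added example that is not the project's code, and also standing in for the unthrottled setupCSPReportViolation() handler described under "Log-noise mechanism". createCspReportHandler, reportKey, windowMs, maxEntries and the injectable clock are hypothetical names; the returned function has Express's (req, res) shape with req.body assumed to be the already-parsed JSON report, and `logger.error(name, payload)` mirrors the logger.channels.csp.error('csp-validation', report) call the page cites. It needs no framework to run.

```javascript
// Added example, not project code: per-key dedup for POST /report-violation.
// One log line per distinct (blocked-uri, violated-directive, document-uri) per
// window, with the number of folded-in duplicates attached, instead of one
// line per browser retry. Names and knobs are hypothetical.

function reportKey(report) {
  // Browsers wrap the legacy report in {"csp-report": {...}}; Reporting API bodies are flat.
  const r = (report && report['csp-report']) || report || {};
  return ['blocked-uri', 'violated-directive', 'document-uri']
    .map(f => (r[f] == null ? '' : String(r[f])))
    .join('|');
}

function createCspReportHandler(logger, { windowMs = 60_000, maxEntries = 10_000, now = Date.now } = {}) {
  const seen = new Map(); // key -> { count, lastLogged }; Map keeps insertion order, so first key == oldest

  // Decide whether this report is logged now or folded into the open window for its key.
  function accept(report, t = now()) {
    const key = reportKey(report);
    let entry = seen.get(key);
    if (!entry) {
      if (seen.size >= maxEntries) seen.delete(seen.keys().next().value); // bound memory: evict oldest key
      entry = { count: 0, lastLogged: -Infinity };
      seen.set(key, entry);
    }
    entry.count += 1;
    if (t - entry.lastLogged < windowMs) return { logged: false };
    const suppressed = entry.count - 1; // everything since the last logged line except this one
    entry.count = 0;
    entry.lastLogged = t;
    return { logged: true, suppressed };
  }

  function handler(req, res) {
    const report = req.body;
    const decision = accept(report);
    if (decision.logged) {
      logger.error('csp-validation', { report, suppressedSinceLastLog: decision.suppressed });
    }
    // Always 204: the browser fires and forgets, and an error response would only
    // add its own noise to the channel we are trying to quiet.
    res.status(204).end();
  }

  handler.accept = accept;                 // exposed for tests
  handler.trackedKeys = () => seen.size;   // exposed for a health metric
  return handler;
}
```

Mount it in place of the current body of setupCSPReportViolation(): `app.post('/report-violation', createCspReportHandler(logger.channels.csp))`. The suppressed count keeps the signal that a misconfigured hosts.portal would otherwise drown out (one key, thousands of hits), which is exactly the shape SLAICASH-28 had.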

Validation summary

Council review

4-perspective review (backend / SRE / process / devil’s advocate) — 1 sound, 3 concerns. Edits applied: corrected line numbers, diff-equivalence statement, “pending log-volume confirmation” caveat, In-Review state recommendation, hardening alternatives, PortalService.js:48 broader-blast finding, deployment-source confirmation.

Open questions / follow-ups

Did SysOps verify portal_css's hosts.portal?

Awaiting Bence Balázs’s response on the FKITSYS-9486 follow-up comment.

PROD log volume signal

Need Papertrail/syslog before-vs-after data for the csp channel around 2026-01-06 to confirm FKITSYS-9486 actually stopped the noise.

Other customization branches

80+ customization branches share the empty-string hosts.portal default. Worth a one-shot grep audit at some point.

Deployment templating mechanism

Neither vault nor repo documents how local.json is templated for InstaCash UAT vs PROD. A doc gap that allowed this drift to ship.

Validation (2026-05-18)

Log pulls from ~/Downloads/ for 3 environments — PROD vuer_css, Dedikal UAT, non-dedikal UAT — confirm the CSP-validation flood is gone everywhere.

Conclusion

  • FKITSYS-9486 (PROD config fix on 2026-01-06): VALIDATED. PROD vuer_css shows no ohp-uat.mbhbank.hu references and CSP-channel volume is at normal residual level — real browser-extension noise (≈1.3/day), not a flood.
  • Both UAT environments stopped flooding their own CSP channels long before PROD got fixed (Dedikal UAT cutoff May 2025, non-dedikal UAT cutoff May 2024). Suggests earlier config corrections on UAT side or related upstream changes.
  • The customer-visible noise loop is fixed across the board. ASSICASH-71 / FKITDEV-8201 can be moved to closed / resolved.

Per-environment results

PROD vuer_css (prod_vuer_css.log)

  • Range: 2026-05-08 → 2026-05-15 (~300K lines)

  • csp-validation ERRORs: 9 over 7 days (≈1.3/day) — not a flood

  • References to ohp-uat.mbhbank.hu: 0 — FKITSYS-9486 config fix is holding

  • All 9 errors are legitimate residual reports: Kaspersky antivirus extension (me.kis.v2.scr.kaspersky-labs.com/.../main.js) injecting inline styles/scripts, plus chrome-extension source-file violations

  • Violated directives: style-src-elem (3), font-src (4), script-src-elem (2)

  • Blocked-uri categories: inline (5), data (4)

  • Document URIs: ohp-css.mbhbank.hu/(lobby|waiting-room|videochat) — MBHBank InstaCash CSS prod

Dedikal UAT (dedikal_uat_css.log)

  • Range: 2024-04-02 → 2026-05-14 (~679K lines)

  • csp-validation ERRORs: 248 total, but distribution shows clear cutoff:

    • 2024-04: 25, 2024-05: 2, 2024-07: 1, 2024-10: 13, 2024-11: 41, 2024-12: 17

    • 2025-01: 17, 2025-02: 23, 2025-03: 63, 2025-04: 45, 2025-05: 1

    • 2025-06 onward: 0 (12 consecutive months silent)

  • Last CSP error: 2025-05-22T15:23:30 — then silence through 2026-05-14

Non-dedikal UAT (nem_dedikal_uat_vuer_css.log)

  • Range: 2020-08-12 → 2025-12-02 (~179K lines)
  • csp-validation ERRORs: 77 total, all clustered in 2020-11, 2021-02/03, 2024-04/05
  • Last CSP error: 2024-05 — silent for 19+ months
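The tally behind the three per-environment results above, as an added example that is not the project's code: count csp-validation ERRORs, bucket them by month, break them down by violated directive and blocked-uri category, and grep every line for the UAT host. The log layout is an assumption modelled on log4js's default "[date] [LEVEL] category - message" pattern; the real pulls may differ, so LINE_RE is the first thing to adjust. SAMPLE_LOG is constructed for the example, not taken from the PROD or UAT files, and the function names are hypothetical.

```javascript
// Added example, not project code. Offline summary of a csp-channel log file.
// Assumed line layout (log4js-style): [ISO timestamp] [LEVEL] category - message
const LINE_RE = /^\[(\d{4}-\d{2}-\d{2})T[^\]]*\] \[ERROR\] csp - csp-validation (\{.*\})\s*$/;
const UAT_HOST = 'ohp-uat.mbhbank.hu';

// Constructed sample, not a real pull: three extension-style residual reports, one
// pre-fix report still pointing at the UAT host, one unrelated ERROR, one truncated line.
const SAMPLE_LOG = [
  '[2026-05-09T08:14:02.311] [INFO] http - GET /lobby 200',
  '[2026-05-09T08:14:05.902] [ERROR] csp - csp-validation {"csp-report":{"document-uri":"https://ohp-css.mbhbank.hu/lobby","violated-directive":"style-src-elem","blocked-uri":"inline","source-file":"https://me.kis.v2.scr.kaspersky-labs.com/x/main.js"}}',
  '[2026-05-10T11:30:17.004] [ERROR] csp - csp-validation {"csp-report":{"document-uri":"https://ohp-css.mbhbank.hu/waiting-room","violated-directive":"font-src","blocked-uri":"data"}}',
  '[2026-05-10T11:31:00.500] [ERROR] csp - csp-validation {"csp-report":{"document-uri":"https://ohp-css.mbhbank.hu/videochat","violated-directive":"script-src-elem","blocked-uri":"chrome-extension://abc/content.js"}}',
  '[2026-04-28T16:02:44.120] [ERROR] csp - csp-validation {"csp-report":{"document-uri":"https://ohp-css.mbhbank.hu/lobby","violated-directive":"connect-src","blocked-uri":"wss://ohp-uat.mbhbank.hu/socket"}}',
  '[2026-05-10T11:32:00.000] [ERROR] app - unrelated error, must not be counted',
  '[2026-05-10T11:33:00.000] [ERROR] csp - csp-validation {"csp-report":{"document-uri":"https://ohp-css.mbhbank.hu/lobby","violated-directive":"img-src","blocked-uri"',
].join('\n');

// Collapse blocked-uri into the categories used in the per-environment notes.
function blockedCategory(blockedUri) {
  if (!blockedUri) return 'empty';
  if (blockedUri === 'inline' || blockedUri === 'data' || blockedUri === 'eval') return blockedUri;
  if (blockedUri.startsWith('chrome-extension:')) return 'chrome-extension';
  try { return new URL(blockedUri).hostname; } catch { return 'other'; }
}

function parseCspLines(text) {
  const entries = [];
  for (const line of text.split('\n')) {
    const m = LINE_RE.exec(line);
    if (!m) continue;
    let body;
    try { body = JSON.parse(m[2]); } catch { continue; } // truncated/rotated line: skip, keep going
    const r = body['csp-report'] || body;
    entries.push({
      month: m[1].slice(0, 7),
      directive: r['violated-directive'] || r['effective-directive'] || '?',
      blocked: blockedCategory(r['blocked-uri']),
      documentUri: r['document-uri'] || '',
      sourceFile: r['source-file'] || '',
    });
  }
  return entries;
}

function tally(values) {
  const out = {};
  for (const v of values) out[v] = (out[v] || 0) + 1;
  return out;
}

function summarize(text) {
  const lines = text.split('\n').filter(l => l.length > 0);
  const entries = parseCspLines(text);
  const months = Object.keys(tally(entries.map(e => e.month))).sort();
  return {
    totalLines: lines.length,
    cspErrors: entries.length,
    perMonth: tally(entries.map(e => e.month)),
    perDirective: tally(entries.map(e => e.directive)),
    perBlocked: tally(entries.map(e => e.blocked)),
    lastErrorMonth: months.length ? months[months.length - 1] : null,
    // Grep the whole file, not just csp lines: a lingering UAT URL shows up in other channels too.
    uatReferences: lines.filter(l => l.includes(UAT_HOST)).length,
  };
}
```

Run `summarize(require('fs').readFileSync(path, 'utf8'))` over each pull; perMonth gives the cutoff view used for the two UAT environments, and uatReferences should be 0 on PROD after FKITSYS-9486.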

Interpretation

  • PROD’s residual noise floor is not what a misconfigured default would produce: it is tightly-scoped browser-extension chatter from kaspersky-labs.com and chrome-extension source files, at a single-digit-per-day rate. Compared with the historic flood that triggered SLAICASH-28, the qualitative signature has fully changed.

  • Both UATs went silent on their own CSP channels months before PROD got the same config fix. Two readings: (1) their portal.url / hosts.portal configs got corrected (or the URL drift never applied to them after a certain redeploy); (2) the original noise source on those envs was already mitigated upstream — there is no active feedback loop on UAT today, regardless of what the config says.

  • Either way, the previously-open question “Need Papertrail/syslog before-vs-after data for the csp channel around 2026-01-06” is now closed by these pulls. The signal is unambiguous.