mirror of
https://github.com/lunchcat/sif.git
synced 2026-07-03 11:24:54 -07:00
Compare commits
172 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
| 86a22a553d | |||
| 7ea1cd28d5 | |||
| 9e8fb3a8d5 | |||
| abcc22de38 | |||
| 122fe5f94b | |||
| e1c8e3948d | |||
| 24bcab0a8f | |||
| 3a289a3ac4 | |||
| 6e022d56d9 | |||
| 1bb54393f1 | |||
| f97c67695d | |||
| 7eb6603e77 | |||
| 12cab935ec | |||
| 79794638e4 | |||
| ed0cceb75a | |||
| 551c89ad0d | |||
| 2c9bb4bad7 | |||
| 19eb3b4292 | |||
| 2a49a72548 | |||
| 855a47c3cf | |||
| b4dec11a52 | |||
| c69818ecd0 | |||
| 64e3f540a9 | |||
| b9bca40a06 | |||
| 16ffcc240b | |||
| 1b0677033c | |||
| 84ae3a7168 | |||
| 754739bac7 | |||
| fcccff5532 | |||
| a549102bb0 | |||
| 7e3648e06d | |||
| 9e2965b777 | |||
| 37a1a9e0ec | |||
| 6575c2e5f7 | |||
| 0caca05467 | |||
| 61c4d33f5c | |||
| 3971d37190 | |||
| 9d95c5b74c | |||
| ee4ade207d | |||
| 96092dafab | |||
| 39b333320e | |||
| 7c0eb0bd4d | |||
| fb9b92a5bf | |||
| 184842f734 | |||
| 0c6a8db5a7 | |||
| 54d1be288b | |||
| 17cf26cd82 | |||
| 672858b1fe | |||
| 0422b8b413 | |||
| f37094c9ee | |||
| d34db5582f | |||
| 9cf7854ed8 | |||
| af337bd094 | |||
| 7e104ac8d4 | |||
| 5dc14ecf22 | |||
| b31234c1bc | |||
| caeff3944d | |||
| 8c8f8afba3 | |||
| 1e47b6547e | |||
| 368d658882 | |||
| c6cedf3f55 | |||
| 6dd1d9e7fe | |||
| 3f78eabf6d | |||
| 7a915d5ae7 | |||
| 1b41b5ed65 | |||
| d17f7c2074 | |||
| 301f758053 | |||
| 9f3b9eaa55 | |||
| 9be84be908 | |||
| d7d669e300 | |||
| db862992b5 | |||
| 0255e2d3ac | |||
| 7c635bae9f | |||
| 0c9419b374 | |||
| af759c7073 | |||
| 273dcdc30d | |||
| be56a90af1 | |||
| cf159ad4a9 | |||
| f22aa9e161 | |||
| 4a84790f02 | |||
| e2f59637ec | |||
| c68b077a22 | |||
| 8c732f9955 | |||
| 27a8a27880 | |||
| 9340a8be0e | |||
| 77f203e47c | |||
| 733578e6ec | |||
| 0fa3d03eb7 | |||
| 1bbc564170 | |||
| 0f11283b1e | |||
| f5ad97ac57 | |||
| 12b56661ac | |||
| 798f53d3f4 | |||
| a7f769b35a | |||
| fa3223ab31 | |||
| 657cb0cbb8 | |||
| c03fa7d336 | |||
| 45f5302e1f | |||
| 78a2ec364f | |||
| f6f9a2bbf7 | |||
| a9fde8c695 | |||
| 94d375fc3b | |||
| d16391186f | |||
| c6741e0f16 | |||
| 6a8ce9c07b | |||
| 355df83b59 | |||
| 570592c317 | |||
| 761e570d59 | |||
| 28a01f0f83 | |||
| 7788550722 | |||
| 40482a8409 | |||
| 3ed9ea4b6f | |||
| 612bb61d00 | |||
| ec53d15a9f | |||
| 064484ff4d | |||
| e2a26c19c6 | |||
| 95523bc344 | |||
| d0e986736d | |||
| 72f59532cf | |||
| 24b573a368 | |||
| 4d680074b8 | |||
| f0aa1895e9 | |||
| 6d903a4752 | |||
| 9c241cf185 | |||
| 26ccbea888 | |||
| bca4831df1 | |||
| 291846dde5 | |||
| 21c1d1c8a5 | |||
| 68075b6901 | |||
| 1bbcefa685 | |||
| aa22e6965a | |||
| 33c1c421c3 | |||
| 27c76e350c | |||
| 2e89a94a25 | |||
| 6f88625997 | |||
| 4cc48597a5 | |||
| 82a36886fa | |||
| 33e8668456 | |||
| fc3f11fb61 | |||
| 28acb16a46 | |||
| d62919523a | |||
| 33961a5c35 | |||
| 8078978a44 | |||
| 6ec0b60e5a | |||
| 22168611e4 | |||
| 4813146afc | |||
| 57b1bd7113 | |||
| ab731d0562 | |||
| ef0408ee8d | |||
| 0383a7bcd2 | |||
| 136ddbddba | |||
| a5f42ddfa6 | |||
| 1237f3f09e | |||
| 546ab091da | |||
| 5166b8d8e6 | |||
| c3a755f934 | |||
| 5050900f29 | |||
| 320fc3d4e7 | |||
| 839c0a779c | |||
| 306f9a864d | |||
| dbe79c495e | |||
| 9401aa669e | |||
| b4e78114d7 | |||
| 65ce36e963 | |||
| d0bdcf1690 | |||
| dd0276893b | |||
| cb194406a7 | |||
| 8823fa76b7 | |||
| ade9860250 | |||
| 912f6e8e0e | |||
| 1d2bc64dbc | |||
| 9f8045be22 |
+1
-1
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"projectName": "sif",
|
||||
"projectOwner": "lunchcat",
|
||||
"projectOwner": "vmfunc",
|
||||
"files": [
|
||||
"README.md"
|
||||
],
|
||||
|
||||
@@ -14,7 +14,7 @@ jobs:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: Checkout the latest code
|
||||
uses: actions/checkout@v6
|
||||
uses: actions/checkout@v7
|
||||
with:
|
||||
fetch-depth: 0
|
||||
- name: automatic rebase
|
||||
|
||||
@@ -17,7 +17,7 @@ jobs:
|
||||
name: check for large files
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: actions/checkout@v6
|
||||
- uses: actions/checkout@v7
|
||||
- name: check for large files
|
||||
run: |
|
||||
large_files=$(find . -path ./.git -prune -o -type f -size +5M -print)
|
||||
|
||||
@@ -0,0 +1,48 @@
|
||||
name: Claude Code Review
|
||||
|
||||
on:
|
||||
pull_request:
|
||||
types: [opened, synchronize, ready_for_review, reopened]
|
||||
# Optional: Only run on specific file changes
|
||||
# paths:
|
||||
# - "src/**/*.ts"
|
||||
# - "src/**/*.tsx"
|
||||
# - "src/**/*.js"
|
||||
# - "src/**/*.jsx"
|
||||
|
||||
jobs:
|
||||
claude-review:
|
||||
# OIDC tokens and repo secrets are withheld from pull_request runs that
|
||||
# originate from forks or dependabot, so the action cannot authenticate
|
||||
# there and the check fails for every external PR. Skip those cases (the
|
||||
# job simply does not run) instead of failing. Same-repo branch PRs still
|
||||
# get reviewed. To review fork PRs too, switch the trigger to
|
||||
# pull_request_target (has a security trade-off) rather than loosening this.
|
||||
if: >-
|
||||
github.event.pull_request.head.repo.full_name == github.repository &&
|
||||
github.actor != 'dependabot[bot]'
|
||||
|
||||
runs-on: ubuntu-latest
|
||||
permissions:
|
||||
contents: read
|
||||
pull-requests: read
|
||||
issues: read
|
||||
id-token: write
|
||||
|
||||
steps:
|
||||
- name: Checkout repository
|
||||
uses: actions/checkout@v7
|
||||
with:
|
||||
fetch-depth: 1
|
||||
|
||||
- name: Run Claude Code Review
|
||||
id: claude-review
|
||||
uses: anthropics/claude-code-action@v1
|
||||
with:
|
||||
claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
|
||||
plugin_marketplaces: 'https://github.com/anthropics/claude-code.git'
|
||||
plugins: 'code-review@claude-code-plugins'
|
||||
prompt: '/code-review:code-review ${{ github.repository }}/pull/${{ github.event.pull_request.number }}'
|
||||
# See https://github.com/anthropics/claude-code-action/blob/main/docs/usage.md
|
||||
# or https://code.claude.com/docs/en/cli-reference for available options
|
||||
|
||||
@@ -0,0 +1,50 @@
|
||||
name: Claude Code
|
||||
|
||||
on:
|
||||
issue_comment:
|
||||
types: [created]
|
||||
pull_request_review_comment:
|
||||
types: [created]
|
||||
issues:
|
||||
types: [opened, assigned]
|
||||
pull_request_review:
|
||||
types: [submitted]
|
||||
|
||||
jobs:
|
||||
claude:
|
||||
if: |
|
||||
(github.event_name == 'issue_comment' && contains(github.event.comment.body, '@claude')) ||
|
||||
(github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '@claude')) ||
|
||||
(github.event_name == 'pull_request_review' && contains(github.event.review.body, '@claude')) ||
|
||||
(github.event_name == 'issues' && (contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude')))
|
||||
runs-on: ubuntu-latest
|
||||
permissions:
|
||||
contents: read
|
||||
pull-requests: read
|
||||
issues: read
|
||||
id-token: write
|
||||
actions: read # Required for Claude to read CI results on PRs
|
||||
steps:
|
||||
- name: Checkout repository
|
||||
uses: actions/checkout@v7
|
||||
with:
|
||||
fetch-depth: 1
|
||||
|
||||
- name: Run Claude Code
|
||||
id: claude
|
||||
uses: anthropics/claude-code-action@v1
|
||||
with:
|
||||
claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
|
||||
|
||||
# This is an optional setting that allows Claude to read CI results on PRs
|
||||
additional_permissions: |
|
||||
actions: read
|
||||
|
||||
# Optional: Give a custom prompt to Claude. If this is not specified, Claude will perform the instructions specified in the comment that tagged it.
|
||||
# prompt: 'Update the pull request description to include a summary of changes.'
|
||||
|
||||
# Optional: Add claude_args to customize behavior and configuration
|
||||
# See https://github.com/anthropics/claude-code-action/blob/main/docs/usage.md
|
||||
# or https://code.claude.com/docs/en/cli-reference for available options
|
||||
# claude_args: '--allowed-tools Bash(gh pr *)'
|
||||
|
||||
@@ -22,7 +22,7 @@ jobs:
|
||||
security-events: write
|
||||
contents: read
|
||||
steps:
|
||||
- uses: actions/checkout@v6
|
||||
- uses: actions/checkout@v7
|
||||
- name: set up go
|
||||
uses: actions/setup-go@v5
|
||||
with:
|
||||
|
||||
@@ -16,7 +16,7 @@ jobs:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: checkout repository
|
||||
uses: actions/checkout@v6
|
||||
uses: actions/checkout@v7
|
||||
- name: dependency review
|
||||
uses: actions/dependency-review-action@v5
|
||||
continue-on-error: ${{ github.event_name == 'push' }}
|
||||
|
||||
@@ -17,7 +17,7 @@ jobs:
|
||||
lint:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: actions/checkout@v6
|
||||
- uses: actions/checkout@v7
|
||||
- name: set up go
|
||||
uses: actions/setup-go@v6
|
||||
with:
|
||||
@@ -33,7 +33,7 @@ jobs:
|
||||
matrix:
|
||||
go-version: ["1.25"]
|
||||
steps:
|
||||
- uses: actions/checkout@v6
|
||||
- uses: actions/checkout@v7
|
||||
- name: set up go
|
||||
uses: actions/setup-go@v6
|
||||
with:
|
||||
@@ -43,7 +43,7 @@ jobs:
|
||||
- name: run tests with coverage
|
||||
run: go test -race -coverprofile=coverage.out -covermode=atomic ./...
|
||||
- name: upload coverage to codecov
|
||||
uses: codecov/codecov-action@v6
|
||||
uses: codecov/codecov-action@v7
|
||||
with:
|
||||
files: ./coverage.out
|
||||
fail_ci_if_error: false
|
||||
|
||||
@@ -15,7 +15,7 @@ jobs:
|
||||
govulncheck:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: actions/checkout@v6
|
||||
- uses: actions/checkout@v7
|
||||
- name: set up go
|
||||
uses: actions/setup-go@v5
|
||||
with:
|
||||
|
||||
@@ -15,7 +15,7 @@ jobs:
|
||||
check-headers:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: actions/checkout@v6
|
||||
- uses: actions/checkout@v7
|
||||
|
||||
- name: check license headers
|
||||
run: |
|
||||
|
||||
@@ -24,7 +24,7 @@ jobs:
|
||||
name: profanity check
|
||||
steps:
|
||||
- name: Checkout
|
||||
uses: actions/checkout@v6
|
||||
uses: actions/checkout@v7
|
||||
- name: Profanity check step
|
||||
uses: tailaiw/mind-your-language-action@v1.0.3
|
||||
env:
|
||||
|
||||
@@ -14,9 +14,9 @@ jobs:
|
||||
name: runner / markdownlint
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: actions/checkout@v6
|
||||
- uses: actions/checkout@v7
|
||||
- name: markdownlint
|
||||
uses: reviewdog/action-markdownlint@v0.26.2
|
||||
uses: reviewdog/action-markdownlint@v0.27.0
|
||||
with:
|
||||
github_token: ${{ secrets.GITHUB_TOKEN }}
|
||||
reporter: github-pr-review
|
||||
|
||||
@@ -18,7 +18,7 @@ jobs:
|
||||
name: runner / misspell
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: actions/checkout@v6
|
||||
- uses: actions/checkout@v7
|
||||
- name: misspell
|
||||
uses: reviewdog/action-misspell@v1.27.0
|
||||
with:
|
||||
|
||||
@@ -1,7 +1,7 @@
|
||||
name: pr bot
|
||||
|
||||
on:
|
||||
pull_request:
|
||||
pull_request_target:
|
||||
types: [opened, synchronize, reopened, edited]
|
||||
|
||||
permissions:
|
||||
@@ -9,7 +9,7 @@ permissions:
|
||||
pull-requests: write
|
||||
|
||||
concurrency:
|
||||
group: ${{ github.workflow }}-${{ github.ref }}
|
||||
group: ${{ github.workflow }}-pr-${{ github.event.pull_request.number }}
|
||||
cancel-in-progress: true
|
||||
|
||||
jobs:
|
||||
@@ -23,7 +23,6 @@ jobs:
|
||||
size:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: actions/checkout@v6
|
||||
- name: label pr size
|
||||
uses: actions/github-script@v9
|
||||
with:
|
||||
|
||||
@@ -19,30 +19,33 @@ jobs:
|
||||
permissions:
|
||||
contents: write
|
||||
steps:
|
||||
- uses: actions/checkout@v6
|
||||
- uses: actions/checkout@v7
|
||||
- name: set up go
|
||||
uses: actions/setup-go@v5
|
||||
with:
|
||||
go-version: "1.25"
|
||||
|
||||
- name: extract version
|
||||
run: echo "VERSION=${GITHUB_REF_NAME#v}" >> $GITHUB_ENV
|
||||
run: |
|
||||
echo "VERSION=${GITHUB_REF_NAME#v}" >> $GITHUB_ENV
|
||||
# single source of truth so the cross-compile steps can't drift
|
||||
echo "LDFLAGS=-s -w -X main.version=${GITHUB_REF_NAME#v}" >> $GITHUB_ENV
|
||||
|
||||
- name: build for windows
|
||||
run: |
|
||||
GOOS=windows GOARCH=amd64 go build -ldflags="-s -w -X main.version=${{ env.VERSION }}" -o sif-windows-amd64.exe ./cmd/sif
|
||||
GOOS=windows GOARCH=386 go build -ldflags="-s -w -X main.version=${{ env.VERSION }}" -o sif-windows-386.exe ./cmd/sif
|
||||
GOOS=windows GOARCH=amd64 go build -ldflags="${{ env.LDFLAGS }}" -o sif-windows-amd64.exe ./cmd/sif
|
||||
GOOS=windows GOARCH=386 go build -ldflags="${{ env.LDFLAGS }}" -o sif-windows-386.exe ./cmd/sif
|
||||
|
||||
- name: build for macOS
|
||||
run: |
|
||||
GOOS=darwin GOARCH=amd64 go build -ldflags="-s -w -X main.version=${{ env.VERSION }}" -o sif-macos-amd64 ./cmd/sif
|
||||
GOOS=darwin GOARCH=arm64 go build -ldflags="-s -w -X main.version=${{ env.VERSION }}" -o sif-macos-arm64 ./cmd/sif
|
||||
GOOS=darwin GOARCH=amd64 go build -ldflags="${{ env.LDFLAGS }}" -o sif-macos-amd64 ./cmd/sif
|
||||
GOOS=darwin GOARCH=arm64 go build -ldflags="${{ env.LDFLAGS }}" -o sif-macos-arm64 ./cmd/sif
|
||||
|
||||
- name: build for linux
|
||||
run: |
|
||||
GOOS=linux GOARCH=amd64 go build -ldflags="-s -w -X main.version=${{ env.VERSION }}" -o sif-linux-amd64 ./cmd/sif
|
||||
GOOS=linux GOARCH=386 go build -ldflags="-s -w -X main.version=${{ env.VERSION }}" -o sif-linux-386 ./cmd/sif
|
||||
GOOS=linux GOARCH=arm64 go build -ldflags="-s -w -X main.version=${{ env.VERSION }}" -o sif-linux-arm64 ./cmd/sif
|
||||
GOOS=linux GOARCH=amd64 go build -ldflags="${{ env.LDFLAGS }}" -o sif-linux-amd64 ./cmd/sif
|
||||
GOOS=linux GOARCH=386 go build -ldflags="${{ env.LDFLAGS }}" -o sif-linux-386 ./cmd/sif
|
||||
GOOS=linux GOARCH=arm64 go build -ldflags="${{ env.LDFLAGS }}" -o sif-linux-arm64 ./cmd/sif
|
||||
|
||||
- name: package releases with modules
|
||||
run: |
|
||||
@@ -168,7 +171,7 @@ jobs:
|
||||
|
||||
**go install**
|
||||
```bash
|
||||
go install github.com/dropalldatabases/sif/cmd/sif@v${{ env.VERSION }}
|
||||
go install github.com/vmfunc/sif/cmd/sif@v${{ env.VERSION }}
|
||||
```
|
||||
|
||||
**binary download** - grab the right archive from below.
|
||||
|
||||
@@ -18,6 +18,6 @@ jobs:
|
||||
update-report-card:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: actions/checkout@v6
|
||||
- uses: actions/checkout@v7
|
||||
- name: update go report card
|
||||
uses: creekorful/goreportcard-action@v1.0
|
||||
|
||||
@@ -14,7 +14,7 @@ jobs:
|
||||
build-and-test:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: actions/checkout@v6
|
||||
- uses: actions/checkout@v7
|
||||
- name: set up go
|
||||
uses: actions/setup-go@v5
|
||||
with:
|
||||
|
||||
@@ -15,7 +15,7 @@ jobs:
|
||||
security-events: write
|
||||
id-token: write
|
||||
steps:
|
||||
- uses: actions/checkout@v6
|
||||
- uses: actions/checkout@v7
|
||||
with:
|
||||
persist-credentials: false
|
||||
- name: run scorecard
|
||||
|
||||
@@ -14,7 +14,7 @@ jobs:
|
||||
name: runner / shellcheck
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: actions/checkout@v6
|
||||
- uses: actions/checkout@v7
|
||||
- name: shellcheck
|
||||
uses: reviewdog/action-shellcheck@v1.32.0
|
||||
with:
|
||||
|
||||
@@ -15,9 +15,9 @@ jobs:
|
||||
name: runner / yamllint
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: actions/checkout@v6
|
||||
- uses: actions/checkout@v7
|
||||
- name: yamllint
|
||||
uses: reviewdog/action-yamllint@v1.21.0
|
||||
uses: reviewdog/action-yamllint@v1.22.0
|
||||
with:
|
||||
github_token: ${{ secrets.GITHUB_TOKEN }}
|
||||
reporter: github-pr-review
|
||||
|
||||
+3
-1
@@ -36,7 +36,7 @@ linters:
|
||||
check-blank: false
|
||||
exclude-functions:
|
||||
# log writes are best-effort
|
||||
- github.com/dropalldatabases/sif/internal/logger.Write
|
||||
- github.com/vmfunc/sif/internal/logger.Write
|
||||
# Close on io.Closer is idiomatic best-effort
|
||||
- (io.Closer).Close
|
||||
- (*os.File).Close
|
||||
@@ -88,6 +88,8 @@ linters:
|
||||
linters:
|
||||
- errcheck
|
||||
- noctx
|
||||
- gosec # fake credentials in secret-scanner fixtures are not real keys
|
||||
- bodyclose # synthetic *http.Response fixtures carry no socket to close
|
||||
|
||||
issues:
|
||||
max-issues-per-linter: 50
|
||||
|
||||
+2
-2
@@ -24,7 +24,7 @@ If you like the project, but don't have time to contribute, that's okay too! Her
|
||||
|
||||
## Reporting issues
|
||||
|
||||
If you believe you've found a bug, or you have a new feature to request, please hop on the [Discord server](https://discord.com/invite/sifcli) first to discuss it.
|
||||
If you believe you've found a bug, or you have a new feature to request, please hop on the [Discord server](https://discord.gg/Yksy9J2BvE) first to discuss it.
|
||||
This way, if it's an easy fix, we could help you solve it more quickly, and if it's a feature request we could workshop it together into something more mature.
|
||||
|
||||
When opening an issue, please use the search tool and make sure that the issue has not been discussed before. In the case of a bug report, run sif with the `-d/-debug` flag for full debug logs.
|
||||
@@ -33,7 +33,7 @@ When opening an issue, please use the search tool and make sure that the issue h
|
||||
|
||||
### Development
|
||||
|
||||
To develop sif, you'll need version 1.23 or later of the Go toolchain. After making your changes, run the program using `go run ./cmd/sif` to make sure it compiles and runs properly.
|
||||
To develop sif, you'll need version 1.25 or later of the Go toolchain. After making your changes, run the program using `go run ./cmd/sif` to make sure it compiles and runs properly.
|
||||
|
||||
_Nix users:_ the repository provides a flake that can be used to develop and run sif. Use `nix run`, `nix develop`, `nix build`, etc. Make sure to run `gomod2nix` if `go.mod` is changed.
|
||||
|
||||
|
||||
@@ -38,8 +38,7 @@ define SUPPORT_MESSAGE
|
||||
│ │
|
||||
│ 🌟 Enjoying sif? Please consider: │
|
||||
│ │
|
||||
│ • Starring our repo: https://github.com/lunchcat/sif │
|
||||
│ • Supporting the devs: https://lunchcat.dev │
|
||||
│ • Starring our repo: https://github.com/vmfunc/sif │
|
||||
│ │
|
||||
│ Your support helps us continue improving sif! │
|
||||
│ │
|
||||
|
||||
@@ -15,18 +15,32 @@
|
||||
|
||||
**[install](#install) · [usage](#usage) · [modules](#modules) · [docs](docs/) · [contribute](#contribute)**
|
||||
|
||||
*fast, concurrent recon to exploitation in one binary. every scanner shares one connection-pooled http client.*
|
||||
|
||||
</div>
|
||||
|
||||
---
|
||||
|
||||
## what is sif?
|
||||
|
||||
sif is a modular pentesting toolkit written in go. it's designed to be fast, concurrent, and extensible. run multiple scan types against targets with a single command.
|
||||
sif is a recon and exploitation scanner that runs the whole chain in one binary: subdomain enum, port scan, crawler, nuclei, framework/cve detection, js secret extraction, web-vuln probes (cors/xss/redirect), cloud and takeover checks. 25+ scan types, one command.
|
||||
|
||||
```bash
|
||||
./sif -u https://example.com -headers -sh -cms -framework -git
|
||||
sif -u https://example.com -dnslist -ports -crawl -js -framework -nuclei
|
||||
```
|
||||
|
||||
nuclei and colly are compiled in as libraries rather than shelled out to (there's no `exec.Command` in the tree), so it's a single static binary with no runtime dependencies and nothing to wire together.
|
||||
|
||||
every scanner runs through one shared http client and a work-stealing worker pool. `-proxy`, `-H`, `-cookie` and `-rate-limit` apply to the whole run at once, connections get pooled and reused across the scan (a single-host run reuses one connection for ~50 requests instead of dialing 50 times), and a slow host doesn't hold the rest up. that shared client is the practical reason to use it over piping a stack of separate tools together. port scanning is `connect()`-based, so rustscan and nmap are still faster at raw port scans.
|
||||
|
||||
it reads targets from stdin and prints findings one per line under `-silent`, so it composes:
|
||||
|
||||
```bash
|
||||
subfinder -d example.com | sif -silent -crawl -js -nuclei | notify
|
||||
```
|
||||
|
||||
`-diff` turns a re-scan into a monitor that only reports what changed, `-notify` posts to slack/discord/telegram/webhook, and runs export to sarif and markdown.
|
||||
|
||||
## install
|
||||
|
||||
### homebrew (macos)
|
||||
@@ -49,7 +63,7 @@ paru -S sif
|
||||
### nix
|
||||
|
||||
```bash
|
||||
# nixpkgs (declarative — add to configuration.nix or home-manager)
|
||||
# nixpkgs (declarative: add to configuration.nix or home-manager)
|
||||
environment.systemPackages = [ pkgs.sif ];
|
||||
|
||||
# or imperatively
|
||||
@@ -84,7 +98,7 @@ cd sif
|
||||
make
|
||||
```
|
||||
|
||||
requires go 1.23+
|
||||
requires go 1.25+
|
||||
|
||||
### aur (manual install)
|
||||
|
||||
@@ -122,6 +136,9 @@ makepkg -si
|
||||
# sql recon + lfi scanning
|
||||
./sif -u https://example.com -sql -lfi
|
||||
|
||||
# web vuln probes (cors, open redirect, reflected xss)
|
||||
./sif -u https://example.com -cors -redirect -xss
|
||||
|
||||
# framework detection (with cve lookup)
|
||||
./sif -u https://example.com -framework
|
||||
|
||||
@@ -154,11 +171,19 @@ sif has a modular architecture. modules are defined in yaml and can be extended
|
||||
| flag | description |
|
||||
|------|-------------|
|
||||
| `-dirlist` | directory and file fuzzing (small/medium/large) |
|
||||
| `-mc` | dirlist: match these status codes (comma list, e.g. 200,301) |
|
||||
| `-fc` | dirlist: filter out these status codes (comma list) |
|
||||
| `-fs` | dirlist: filter out responses of these body sizes (comma list) |
|
||||
| `-fw` | dirlist: filter out responses with these word counts (comma list) |
|
||||
| `-fr` | dirlist: filter out responses whose body matches this regex |
|
||||
| `-ac` | auto-calibrate the soft-404 wildcard baseline (dirlist, sql) |
|
||||
| `-w` | dirlist: custom wordlist (local file or url; overrides `-dirlist` size) |
|
||||
| `-e` | dirlist: extensions appended to each word (comma list, e.g. php,bak,env) |
|
||||
| `-dnslist` | subdomain enumeration (small/medium/large) |
|
||||
| `-ports` | port scanning (common/full) |
|
||||
| `-nuclei` | vulnerability scanning with nuclei templates |
|
||||
| `-dork` | automated google dorking |
|
||||
| `-js` | javascript analysis |
|
||||
| `-js` | javascript analysis + secret and endpoint extraction |
|
||||
| `-c3` | cloud storage misconfiguration |
|
||||
| `-headers` | http header analysis |
|
||||
| `-sh` | security header analysis (missing/weak headers) |
|
||||
@@ -170,7 +195,109 @@ sif has a modular architecture. modules are defined in yaml and can be extended
|
||||
| `-securitytrails` | domain discovery + target expansion (requires SECURITYTRAILS_API_KEY) |
|
||||
| `-sql` | sql recon |
|
||||
| `-lfi` | local file inclusion |
|
||||
| `-jwt` | jwt discovery + offline weakness analysis (alg:none, weak hmac, exp, sensitive claims) |
|
||||
| `-openapi` | openapi/swagger spec exposure probe (enumerates paths + unauth endpoints) |
|
||||
| `-favicon` | favicon hash fingerprinting (shodan-style mmh3, tech match + pivot query) |
|
||||
| `-cors` | cors misconfiguration probe |
|
||||
| `-redirect` | open redirect probe |
|
||||
| `-xss` | reflected xss probe |
|
||||
| `-framework` | framework detection with cve lookup |
|
||||
| `-crawl` | web crawler (spider same-host links/scripts/forms) |
|
||||
| `-crawl-depth` | max crawl recursion depth (default 2) |
|
||||
| `-passive` | passive subdomain/url discovery (zero traffic to target) |
|
||||
| `-probe` | live-host probe (status, title, server, redirect chain) |
|
||||
|
||||
### http options
|
||||
|
||||
these apply to every outbound request across all scanners:
|
||||
|
||||
| flag | description |
|
||||
|------|-------------|
|
||||
| `-proxy` | route all traffic through a proxy (http/https/socks5 url) |
|
||||
| `-H`, `--header` | custom header to send (repeatable or comma-separated, `"Key: Value"`) |
|
||||
| `-cookie` | cookie header to send with every request |
|
||||
| `-rate-limit` | max requests per second (0 = unlimited, default 0) |
|
||||
|
||||
```bash
|
||||
# scan through a socks5 proxy with a custom header, cookie and 20 req/s cap
|
||||
./sif -u https://example.com -headers -proxy socks5://127.0.0.1:1080 -H "Authorization: Bearer tok" -cookie "session=abc" -rate-limit 20
|
||||
```
|
||||
|
||||
a scanner that sets a header explicitly (e.g. an api key) always wins over the global default.
|
||||
|
||||
### report export
|
||||
|
||||
write the run's findings out to a file for ci/cd or triage:
|
||||
|
||||
| flag | description |
|
||||
|------|-------------|
|
||||
| `-sarif` | write a sarif 2.1.0 report to this file |
|
||||
| `-markdown`, `-md` | write a markdown report to this file |
|
||||
| `-silent` | plain output: chrome to stderr, one finding per line to stdout (for pipelines) |
|
||||
| `-diff` | surface only findings added/removed since the last snapshot of each target |
|
||||
| `-store` | snapshot directory for `-diff` (default: log dir, else `<user-config>/sif/state`) |
|
||||
|
||||
```bash
|
||||
# scan and emit both a sarif and markdown report
|
||||
./sif -u https://example.com -headers -cors -sarif out.sarif -md out.md
|
||||
```
|
||||
|
||||
sarif output is ingestable by github code scanning; markdown is a readable per-target summary.
|
||||
|
||||
### diff mode
|
||||
|
||||
`-diff` turns a re-scan into a monitor: sif snapshots each target's normalized findings to a json file, and on the next run reports only the delta (`+ new` / `- gone`) against that snapshot, then overwrites it. the first run for a target has no baseline, so everything is `+ new`. snapshots land in `-store` (one sanitized file per target); when unset they reuse the log dir, falling back to `<user-config>/sif/state`.
|
||||
|
||||
```bash
|
||||
# baseline run, then re-scan later and see only what moved
|
||||
./sif -u https://example.com -sh -cors -diff
|
||||
./sif -u https://example.com -sh -cors -diff
|
||||
```
|
||||
|
||||
the snapshot is always rewritten, so each run diffs against the previous one. the delta is chrome (it rides the normal output sink / stderr under `-silent`), not the findings stream.
|
||||
|
||||
### notify
|
||||
|
||||
ship findings to a chat/webhook sink so a continuous-recon run alerts on what it turns up. every provider is a single POST through the shared http client, so the global proxy/rate-limit/header config applies.
|
||||
|
||||
| flag | description |
|
||||
|------|-------------|
|
||||
| `-notify` | ship findings to every configured provider after the scan |
|
||||
| `-notify-severity` | minimum severity to send (`info`/`low`/`medium`/`high`/`critical`, default `medium`) |
|
||||
| `-notify-config` | path to a notify-compatible yaml config (overrides env vars) |
|
||||
|
||||
providers are configured env-first; a yaml file (`-notify-config`) overrides per-field. the yaml keys match [projectdiscovery/notify](https://github.com/projectdiscovery/notify) so an existing config ports over:
|
||||
|
||||
| env var | yaml key | provider |
|
||||
|---------|----------|----------|
|
||||
| `SLACK_WEBHOOK_URL` | `slack_webhook_url` | slack incoming webhook |
|
||||
| `DISCORD_WEBHOOK_URL` | `discord_webhook_url` | discord webhook |
|
||||
| `TELEGRAM_BOT_TOKEN` | `telegram_api_key` | telegram bot api (needs chat id too) |
|
||||
| `TELEGRAM_CHAT_ID` | `telegram_chat_id` | telegram destination chat |
|
||||
| `NOTIFY_WEBHOOK_URL` | `webhook_url` | generic json webhook (structured findings) |
|
||||
|
||||
```bash
|
||||
# alert slack on medium+ findings discovered during a scan
|
||||
export SLACK_WEBHOOK_URL=https://hooks.slack.com/services/...
|
||||
./sif -u https://example.com -cors -xss -notify -notify-severity medium
|
||||
```
|
||||
|
||||
a provider with no destination is skipped; with nothing configured, `-notify` is a silent no-op. slack/discord/telegram receive a fixed-width finding block; the generic webhook receives structured json (`{count, findings[]}`).
|
||||
|
||||
### pipe mode
|
||||
|
||||
sif reads targets from stdin and accepts naked hosts, so it drops into a unix pipeline. `-silent` routes all banner/spinner/log chrome to stderr and prints one normalized finding per line (`[severity] target module title`) to stdout:
|
||||
|
||||
```bash
|
||||
# subfinder feeds hosts, sif probes them, notify ships the findings
|
||||
subfinder -d example.com | sif -silent -probe | notify
|
||||
```
|
||||
|
||||
| flag | description |
|
||||
|------|-------------|
|
||||
| stdin | a piped target stream (one host/url per line) is read alongside `-u`/`-f` |
|
||||
|
||||
scheme-less hosts default to `https://`; an explicit `http://`/`https://` is kept; any other scheme (`ftp://`, ...) is rejected.
|
||||
|
||||
### yaml modules
|
||||
|
||||
@@ -238,7 +365,7 @@ contributions welcome. see [contributing.md](CONTRIBUTING.md) for guidelines.
|
||||
gofmt -w .
|
||||
|
||||
# lint
|
||||
golangci-lint run
|
||||
go run github.com/golangci/golangci-lint/v2/cmd/golangci-lint@v2.11.4 run
|
||||
|
||||
# test
|
||||
go test ./...
|
||||
@@ -248,7 +375,7 @@ go test ./...
|
||||
|
||||
join our discord for support, feature discussions, and pentesting tips:
|
||||
|
||||
[](https://discord.gg/sifcli)
|
||||
[](https://discord.gg/Yksy9J2BvE)
|
||||
|
||||
## contributors
|
||||
|
||||
@@ -258,13 +385,13 @@ join our discord for support, feature discussions, and pentesting tips:
|
||||
<table>
|
||||
<tbody>
|
||||
<tr>
|
||||
<td align="center" valign="top" width="14.28%"><a href="https://vmfunc.re"><img src="https://avatars.githubusercontent.com/u/59031302?v=4?s=100" width="100px;" alt="vmfunc"/><br /><sub><b>vmfunc</b></sub></a><br /><a href="#maintenance-vmfunc" title="Maintenance">🚧</a> <a href="#mentoring-vmfunc" title="Mentoring">🧑🏫</a> <a href="#projectManagement-vmfunc" title="Project Management">📆</a> <a href="#security-vmfunc" title="Security">🛡️</a> <a href="https://github.com/lunchcat/sif/commits?author=vmfunc" title="Code">💻</a></td>
|
||||
<td align="center" valign="top" width="14.28%"><a href="https://vmfunc.re"><img src="https://avatars.githubusercontent.com/u/59031302?v=4?s=100" width="100px;" alt="vmfunc"/><br /><sub><b>vmfunc</b></sub></a><br /><a href="#maintenance-vmfunc" title="Maintenance">🚧</a> <a href="#mentoring-vmfunc" title="Mentoring">🧑🏫</a> <a href="#projectManagement-vmfunc" title="Project Management">📆</a> <a href="#security-vmfunc" title="Security">🛡️</a> <a href="https://github.com/vmfunc/sif/commits?author=vmfunc" title="Code">💻</a></td>
|
||||
<td align="center" valign="top" width="14.28%"><a href="https://projectdiscovery.io"><img src="https://avatars.githubusercontent.com/u/50994705?v=4?s=100" width="100px;" alt="ProjectDiscovery"/><br /><sub><b>ProjectDiscovery</b></sub></a><br /><a href="#platform-projectdiscovery" title="Packaging/porting to new platform">📦</a></td>
|
||||
<td align="center" valign="top" width="14.28%"><a href="https://github.com/macdoos"><img src="https://avatars.githubusercontent.com/u/127897805?v=4?s=100" width="100px;" alt="macdoos"/><br /><sub><b>macdoos</b></sub></a><br /><a href="https://github.com/lunchcat/sif/commits?author=macdoos" title="Code">💻</a></td>
|
||||
<td align="center" valign="top" width="14.28%"><a href="https://github.com/macdoos"><img src="https://avatars.githubusercontent.com/u/127897805?v=4?s=100" width="100px;" alt="macdoos"/><br /><sub><b>macdoos</b></sub></a><br /><a href="https://github.com/vmfunc/sif/commits?author=macdoos" title="Code">💻</a></td>
|
||||
<td align="center" valign="top" width="14.28%"><a href="https://epitech.eu"><img src="https://avatars.githubusercontent.com/u/75166283?v=4?s=100" width="100px;" alt="Matthieu Witrowiez"/><br /><sub><b>Matthieu Witrowiez</b></sub></a><br /><a href="#ideas-D3adPlays" title="Ideas, Planning, & Feedback">🤔</a></td>
|
||||
<td align="center" valign="top" width="14.28%"><a href="https://github.com/tessa-u-k"><img src="https://avatars.githubusercontent.com/u/109355732?v=4?s=100" width="100px;" alt="tessa "/><br /><sub><b>tessa </b></sub></a><br /><a href="#infra-tessa-u-k" title="Infrastructure (Hosting, Build-Tools, etc)">🚇</a> <a href="#question-tessa-u-k" title="Answering Questions">💬</a> <a href="#userTesting-tessa-u-k" title="User Testing">📓</a></td>
|
||||
<td align="center" valign="top" width="14.28%"><a href="https://github.com/xyzeva"><img src="https://avatars.githubusercontent.com/u/133499694?v=4?s=100" width="100px;" alt="Eva"/><br /><sub><b>Eva</b></sub></a><br /><a href="#blog-xyzeva" title="Blogposts">📝</a> <a href="#content-xyzeva" title="Content">🖋</a> <a href="#research-xyzeva" title="Research">🔬</a> <a href="#security-xyzeva" title="Security">🛡️</a> <a href="https://github.com/lunchcat/sif/commits?author=xyzeva" title="Tests">⚠️</a> <a href="https://github.com/lunchcat/sif/commits?author=xyzeva" title="Code">💻</a></td>
|
||||
<td align="center" valign="top" width="14.28%"><a href="https://github.com/vxfemboy"><img src="https://avatars.githubusercontent.com/u/79362520?v=4?s=100" width="100px;" alt="Zoa Hickenlooper"/><br /><sub><b>Zoa Hickenlooper</b></sub></a><br /><a href="https://github.com/lunchcat/sif/commits?author=vxfemboy" title="Code">💻</a></td>
|
||||
<td align="center" valign="top" width="14.28%"><a href="https://github.com/xyzeva"><img src="https://avatars.githubusercontent.com/u/133499694?v=4?s=100" width="100px;" alt="Eva"/><br /><sub><b>Eva</b></sub></a><br /><a href="#blog-xyzeva" title="Blogposts">📝</a> <a href="#content-xyzeva" title="Content">🖋</a> <a href="#research-xyzeva" title="Research">🔬</a> <a href="#security-xyzeva" title="Security">🛡️</a> <a href="https://github.com/vmfunc/sif/commits?author=xyzeva" title="Tests">⚠️</a> <a href="https://github.com/vmfunc/sif/commits?author=xyzeva" title="Code">💻</a></td>
|
||||
<td align="center" valign="top" width="14.28%"><a href="https://github.com/vxfemboy"><img src="https://avatars.githubusercontent.com/u/79362520?v=4?s=100" width="100px;" alt="Zoa Hickenlooper"/><br /><sub><b>Zoa Hickenlooper</b></sub></a><br /><a href="https://github.com/vmfunc/sif/commits?author=vxfemboy" title="Code">💻</a></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td align="center" valign="top" width="14.28%"><a href="https://github.com/0xatrilla"><img src="https://avatars.githubusercontent.com/u/107285362?v=4?s=100" width="100px;" alt="acxtrilla"/><br /><sub><b>acxtrilla</b></sub></a><br /><a href="#platform-0xatrilla" title="Packaging/porting to new platform">📦</a></td>
|
||||
|
||||
+8
-6
@@ -17,13 +17,13 @@ import (
|
||||
"os"
|
||||
|
||||
"github.com/charmbracelet/log"
|
||||
"github.com/dropalldatabases/sif"
|
||||
"github.com/dropalldatabases/sif/internal/config"
|
||||
"github.com/dropalldatabases/sif/internal/patchnotes"
|
||||
ver "github.com/dropalldatabases/sif/internal/version"
|
||||
"github.com/vmfunc/sif"
|
||||
"github.com/vmfunc/sif/internal/config"
|
||||
"github.com/vmfunc/sif/internal/patchnotes"
|
||||
ver "github.com/vmfunc/sif/internal/version"
|
||||
|
||||
// Register framework detectors
|
||||
_ "github.com/dropalldatabases/sif/internal/scan/frameworks/detectors"
|
||||
_ "github.com/vmfunc/sif/internal/scan/frameworks/detectors"
|
||||
)
|
||||
|
||||
// version is stamped at release time via -ldflags "-X main.version=...";
|
||||
@@ -52,7 +52,9 @@ func main() {
|
||||
log.Fatal(err)
|
||||
}
|
||||
|
||||
if !settings.ApiMode {
|
||||
// patchnotes print to stdout; skip them in api/silent mode so the only thing
|
||||
// on stdout is the machine-readable result stream.
|
||||
if !settings.ApiMode && !settings.Silent {
|
||||
patchnotes.ShowOnce(version)
|
||||
}
|
||||
|
||||
|
||||
+1
-1
@@ -31,7 +31,7 @@ welcome to the sif documentation. sif is a modular pentesting toolkit designed t
|
||||
|
||||
```bash
|
||||
# install
|
||||
git clone https://github.com/dropalldatabases/sif.git && cd sif && make
|
||||
git clone https://github.com/vmfunc/sif.git && cd sif && make
|
||||
|
||||
# basic scan
|
||||
./sif -u https://example.com
|
||||
|
||||
@@ -57,6 +57,12 @@ enable verbose logging:
|
||||
./sif -u https://example.com -d
|
||||
```
|
||||
|
||||
### templates
|
||||
|
||||
`-template` loads a batch of scan settings from a built-in preset or a local yaml file, so a run does not have to pass every flag. see the [usage guide](usage.md) for the presets and file format. command-line flags still take precedence over the template.
|
||||
|
||||
sif also reads an ambient config at `~/.config/sif/config.yaml` (created on first run) keyed by the same flag names. passing `-template` uses that template as the config for the run instead of the ambient file.
|
||||
|
||||
## user modules
|
||||
|
||||
place custom modules in:
|
||||
@@ -92,6 +98,38 @@ info:
|
||||
# ...
|
||||
```
|
||||
|
||||
## custom signatures
|
||||
|
||||
framework detection (`-framework`) also loads user-defined detectors from yaml
|
||||
files, so a framework sif does not ship can be detected without rebuilding:
|
||||
|
||||
- linux/macos: `~/.config/sif/signatures/`
|
||||
- windows: `%LOCALAPPDATA%\sif\signatures\`
|
||||
|
||||
each file defines one detector; place them directly in the directory, as
|
||||
subdirectories are not scanned. `header: true` matches a response header name or
|
||||
value (case-insensitive) instead of the body; the optional `version` block pulls
|
||||
a version out of the body.
|
||||
|
||||
```yaml
|
||||
# ~/.config/sif/signatures/ghost.yaml
|
||||
name: Ghost
|
||||
signatures:
|
||||
- pattern: 'content="Ghost'
|
||||
weight: 0.6
|
||||
- pattern: 'X-Ghost-Cache'
|
||||
weight: 0.4
|
||||
header: true
|
||||
version:
|
||||
regex: 'content="Ghost ([0-9.]+)'
|
||||
group: 1
|
||||
```
|
||||
|
||||
a detector reports a match once its matched signature weights sum past half, so
|
||||
weight your signatures to total about `1.0`. a name matching a built-in detector
|
||||
overrides it and inherits that built-in's version patterns and known cves, the
|
||||
same as user modules.
|
||||
|
||||
## performance tuning
|
||||
|
||||
### fast scans
|
||||
|
||||
+6
-3
@@ -11,7 +11,7 @@ setting up a development environment for sif.
|
||||
## clone and build
|
||||
|
||||
```bash
|
||||
git clone https://github.com/dropalldatabases/sif.git
|
||||
git clone https://github.com/vmfunc/sif.git
|
||||
cd sif
|
||||
make
|
||||
```
|
||||
@@ -60,8 +60,11 @@ gofmt -w .
|
||||
|
||||
### lint
|
||||
|
||||
ci pins golangci-lint v2.11.4 (`.github/workflows/go.yml`); other versions
|
||||
report spurious issues against the v2 config, so pin it locally too:
|
||||
|
||||
```bash
|
||||
golangci-lint run
|
||||
go run github.com/golangci/golangci-lint/v2/cmd/golangci-lint@v2.11.4 run
|
||||
```
|
||||
|
||||
### test
|
||||
@@ -164,7 +167,7 @@ go test -tags=integration ./internal/scan/...
|
||||
1. fork the repository
|
||||
2. create a feature branch
|
||||
3. make changes
|
||||
4. run `gofmt -w .` and `golangci-lint run`
|
||||
4. run `gofmt -w .` and `golangci-lint run` (pinned version, see [lint](#lint))
|
||||
5. submit pr
|
||||
|
||||
### commit messages
|
||||
|
||||
@@ -39,7 +39,7 @@ download `sif-windows-amd64.exe` from releases and add to your PATH.
|
||||
requires go 1.25+
|
||||
|
||||
```bash
|
||||
git clone https://github.com/dropalldatabases/sif.git
|
||||
git clone https://github.com/vmfunc/sif.git
|
||||
cd sif
|
||||
make
|
||||
```
|
||||
|
||||
+94
-1
@@ -115,6 +115,29 @@ http:
|
||||
|
||||
each payload creates a separate request for each path.
|
||||
|
||||
#### attack
|
||||
|
||||
how paths and payloads combine into requests.
|
||||
|
||||
```yaml
|
||||
http:
|
||||
attack: pitchfork
|
||||
```
|
||||
|
||||
- `clusterbomb` (default) - every path is tried with every payload
|
||||
- `pitchfork` - path and payload are paired by index, stopping at the shorter list
|
||||
|
||||
#### wordlist
|
||||
|
||||
a local file whose non-empty lines fuzz the `{{word}}` placeholder, one request
|
||||
per word. paths without `{{word}}` are still requested as-is.
|
||||
|
||||
```yaml
|
||||
http:
|
||||
wordlist: /usr/share/wordlists/dirs.txt
|
||||
paths:
|
||||
- "{{BaseURL}}/{{word}}"
|
||||
```
|
||||
#### headers
|
||||
|
||||
custom headers to send.
|
||||
@@ -199,6 +222,42 @@ matchers:
|
||||
condition: or
|
||||
```
|
||||
|
||||
### size matcher
|
||||
|
||||
match the response body length in bytes (measured after the 5 MB response cap, so larger sizes never match).
|
||||
|
||||
```yaml
|
||||
matchers:
|
||||
- type: size
|
||||
size:
|
||||
- 0
|
||||
- 1337
|
||||
```
|
||||
|
||||
### favicon matcher
|
||||
|
||||
match the shodan-style mmh3 hash of the response body. point the module at a
|
||||
favicon and list the hashes of the tech you want to fingerprint.
|
||||
|
||||
```yaml
|
||||
http:
|
||||
paths:
|
||||
- "{{BaseURL}}/favicon.ico"
|
||||
matchers:
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
- type: favicon
|
||||
hash:
|
||||
- -235701012 # jenkins
|
||||
- 1278322581 # grafana
|
||||
```
|
||||
|
||||
the hash is shodan's `http.favicon.hash` value. paste it signed or unsigned;
|
||||
both 32-bit forms are accepted, so values from shodan or any favicon-hash tool
|
||||
drop in without conversion. pair it with a `status: 200` matcher so an error
|
||||
page served for `/favicon.ico` is not hashed. a finding fires when the body
|
||||
hashes to any listed value.
|
||||
### combining matchers
|
||||
|
||||
multiple matchers are combined with AND logic by default.
|
||||
@@ -218,6 +277,25 @@ matchers:
|
||||
|
||||
this matches responses with status 200 AND containing "ref: refs/".
|
||||
|
||||
to require any matcher instead of all, set `matchers-condition: or` on the http
|
||||
block; the module then reports a finding when any one matcher matches.
|
||||
|
||||
```yaml
|
||||
http:
|
||||
matchers-condition: or
|
||||
matchers:
|
||||
- type: status
|
||||
status:
|
||||
- 401
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 403
|
||||
```
|
||||
|
||||
this matches a 401 OR a 403 response. `matchers-condition` accepts `and` (the
|
||||
default) or `or`; any other value fails at load.
|
||||
|
||||
## extractors
|
||||
|
||||
extractors pull data from responses.
|
||||
@@ -238,7 +316,7 @@ extractors:
|
||||
|
||||
### kv extractor
|
||||
|
||||
extract key-value pairs.
|
||||
record every response header as a key-value pair, namespaced by `name`.
|
||||
|
||||
```yaml
|
||||
extractors:
|
||||
@@ -247,6 +325,21 @@ extractors:
|
||||
part: header
|
||||
```
|
||||
|
||||
### json extractor
|
||||
|
||||
extract values from a json body by gjson path (github.com/tidwall/gjson); the
|
||||
first path that exists is stored under name.
|
||||
|
||||
```yaml
|
||||
extractors:
|
||||
- type: json
|
||||
name: version
|
||||
part: body
|
||||
json:
|
||||
- "version"
|
||||
- "data.version"
|
||||
```
|
||||
|
||||
## examples
|
||||
|
||||
### exposed git repository
|
||||
|
||||
+299
-2
@@ -21,6 +21,23 @@ read targets from a file (one url per line):
|
||||
./sif -f targets.txt
|
||||
```
|
||||
|
||||
### stdin (pipe mode)
|
||||
|
||||
when stdin is a pipe, sif reads one target per line from it, alongside any `-u`/`-f` targets. this lets sif slot into a unix pipeline:
|
||||
|
||||
```bash
|
||||
subfinder -d example.com | sif -silent -probe | notify
|
||||
```
|
||||
|
||||
### naked hosts
|
||||
|
||||
targets without a scheme default to `https://`; an explicit `http://`/`https://` is kept as given. any other scheme (`ftp://`, `file://`, ...) is rejected:
|
||||
|
||||
```bash
|
||||
./sif -u example.com # scanned as https://example.com
|
||||
echo example.com | sif -probe # same, over stdin
|
||||
```
|
||||
|
||||
## scan options
|
||||
|
||||
### directory fuzzing
|
||||
@@ -33,6 +50,42 @@ sizes: `small`, `medium`, `large`
|
||||
./sif -u https://example.com -dirlist medium
|
||||
```
|
||||
|
||||
#### response filters
|
||||
|
||||
modern apps serve a catch-all 200 for unknown routes, so a naive scan reports
|
||||
every path. these ffuf-style filters cut the noise (a filter always wins over a
|
||||
match):
|
||||
|
||||
- `-mc <codes>` - match only these status codes (comma list, e.g. `200,301`)
|
||||
- `-fc <codes>` - filter out these status codes
|
||||
- `-fs <sizes>` - filter out responses of these body sizes
|
||||
- `-fw <counts>` - filter out responses with these word counts
|
||||
- `-fr <regex>` - filter out responses whose body matches this regex
|
||||
|
||||
```bash
|
||||
./sif -u https://example.com -dirlist medium -mc 200,301 -fs 1234
|
||||
```
|
||||
|
||||
#### wildcard calibration
|
||||
|
||||
`-ac` probes a few paths that cannot exist, learns the soft-404 baseline
|
||||
(status + size + words), and auto-drops any response matching it - so SPA
|
||||
catch-all 200s stop flooding the output:
|
||||
|
||||
```bash
|
||||
./sif -u https://example.com -dirlist medium -ac
|
||||
```
|
||||
|
||||
#### custom wordlists and extensions
|
||||
|
||||
`-w <path|url>` overrides the size switch with your own list (local file or
|
||||
remote url); `-e <exts>` appends each extension to every word, keeping the bare
|
||||
word too:
|
||||
|
||||
```bash
|
||||
./sif -u https://example.com -w /path/to/words.txt -e php,bak,env
|
||||
```
|
||||
|
||||
### subdomain enumeration
|
||||
|
||||
`-dnslist <size>` - enumerate subdomains
|
||||
@@ -79,7 +132,7 @@ scopes: `common` (top ports), `full` (all ports)
|
||||
|
||||
### javascript analysis
|
||||
|
||||
`-js` - analyze javascript files
|
||||
`-js` - analyze javascript files + secret and endpoint extraction
|
||||
|
||||
```bash
|
||||
./sif -u https://example.com -js
|
||||
@@ -154,6 +207,56 @@ export SHODAN_API_KEY=your-api-key
|
||||
./sif -u https://example.com -lfi
|
||||
```
|
||||
|
||||
### cors probe
|
||||
|
||||
`-cors` - probe for cors misconfigurations (reflected/permissive origins)
|
||||
|
||||
```bash
|
||||
./sif -u https://example.com -cors
|
||||
```
|
||||
|
||||
### open redirect probe
|
||||
|
||||
`-redirect` - probe redirect-prone params for open redirects
|
||||
|
||||
```bash
|
||||
./sif -u https://example.com/login?next=home -redirect
|
||||
```
|
||||
|
||||
### reflected xss probe
|
||||
|
||||
`-xss` - inject a canary into params and report unescaped reflections
|
||||
|
||||
```bash
|
||||
./sif -u https://example.com/search?q=test -xss
|
||||
```
|
||||
|
||||
### jwt analysis
|
||||
|
||||
`-jwt` - fetch the target once, harvest jwts from response headers, cookies and body, then analyze each one entirely offline
|
||||
|
||||
flags alg:none, the rs256->hs256 confusion surface, missing/expired exp, plaintext sensitive claims, and cracks a small bundled weak-hmac wordlist. no token is ever sent off-box.
|
||||
|
||||
```bash
|
||||
./sif -u https://example.com -jwt
|
||||
```
|
||||
|
||||
### openapi/swagger exposure
|
||||
|
||||
`-openapi` - probe the conventional spec paths (`/swagger.json`, `/openapi.json`, `/v3/api-docs`, ...), parse the first hit (json or yaml) and enumerate every path+method, flagging operations with no security requirement
|
||||
|
||||
```bash
|
||||
./sif -u https://example.com -openapi
|
||||
```
|
||||
|
||||
### favicon fingerprint
|
||||
|
||||
`-favicon` - fetch `/favicon.ico` (or the declared `<link rel=icon>`), compute the shodan-style mmh3 hash, match it against a bundled tech map and print the `http.favicon.hash:<n>` pivot query
|
||||
|
||||
```bash
|
||||
./sif -u https://example.com -favicon
|
||||
```
|
||||
|
||||
### framework detection
|
||||
|
||||
`-framework` - detect web frameworks with version and cve lookup
|
||||
@@ -162,6 +265,34 @@ export SHODAN_API_KEY=your-api-key
|
||||
./sif -u https://example.com -framework
|
||||
```
|
||||
|
||||
### web crawler
|
||||
|
||||
`-crawl` - spider the target, following same-host links, scripts and forms
|
||||
|
||||
`-crawl-depth` - max recursion depth (default 2). respects robots.txt and stays on the target host.
|
||||
|
||||
```bash
|
||||
./sif -u https://example.com -crawl -crawl-depth 3
|
||||
```
|
||||
|
||||
### passive discovery
|
||||
|
||||
`-passive` - gather subdomains from certificate transparency (crt.sh, certspotter) and historical urls from the wayback machine
|
||||
|
||||
keyless and zero traffic to the target itself - all lookups hit third-party feeds.
|
||||
|
||||
```bash
|
||||
./sif -u https://example.com -passive
|
||||
```
|
||||
|
||||
### live-host probe
|
||||
|
||||
`-probe` - check whether the target is alive and report its final status, page title, server header, content-length and the redirect chain it walked
|
||||
|
||||
```bash
|
||||
./sif -u https://example.com -probe
|
||||
```
|
||||
|
||||
### whois lookup
|
||||
|
||||
`-whois` - perform whois lookups
|
||||
@@ -225,7 +356,7 @@ http request timeout (default: 10s):
|
||||
|
||||
### --threads
|
||||
|
||||
number of concurrent threads (default: 10):
|
||||
number of concurrent threads (default: 10). values below 1 are clamped to 1:
|
||||
|
||||
```bash
|
||||
./sif -u https://example.com --threads 20
|
||||
@@ -247,6 +378,169 @@ enable debug logging:
|
||||
./sif -u https://example.com -d
|
||||
```
|
||||
|
||||
### --template
|
||||
|
||||
load a batch of scan settings from a template instead of passing each flag. the value is either a built-in preset or a local yaml file keyed by flag long-names:
|
||||
|
||||
```bash
|
||||
./sif -u https://example.com --template recon
|
||||
./sif -u https://example.com --template ./my-scans.yaml
|
||||
```
|
||||
|
||||
built-in presets:
|
||||
|
||||
- `minimal`: liveness and fingerprint only (probe, headers, favicon)
|
||||
- `recon`: broad non-intrusive discovery, no attack payloads
|
||||
- `full`: every scan except the api-key ones (shodan, securitytrails), including the intrusive probes (xss, sql, lfi, redirect)
|
||||
|
||||
`full` sends attack payloads, so only run it against targets you are authorized to test.
|
||||
|
||||
a local template lists flag long-names, for example:
|
||||
|
||||
```yaml
|
||||
cms: true
|
||||
dirlist: medium
|
||||
threads: 20
|
||||
```
|
||||
|
||||
flags passed on the command line take precedence over the template, so `--template recon -xss` runs the recon preset with an added xss probe.
|
||||
|
||||
## http options
|
||||
|
||||
these apply to every outbound request across all scanners (proxy, custom headers, cookie and rate limiting share one client). a scanner that sets a header explicitly still wins over the global default.
|
||||
|
||||
### -proxy
|
||||
|
||||
route all traffic through a proxy. supports http, https and socks5 urls:
|
||||
|
||||
```bash
|
||||
./sif -u https://example.com -proxy socks5://127.0.0.1:1080
|
||||
```
|
||||
|
||||
### -H, --header
|
||||
|
||||
add a custom header to every request. repeatable or comma-separated, `"Key: Value"`:
|
||||
|
||||
```bash
|
||||
./sif -u https://example.com -H "Authorization: Bearer tok" -H "X-Env: staging"
|
||||
```
|
||||
|
||||
### -cookie
|
||||
|
||||
cookie header to send with every request:
|
||||
|
||||
```bash
|
||||
./sif -u https://example.com -cookie "session=abc; theme=dark"
|
||||
```
|
||||
|
||||
### -rate-limit
|
||||
|
||||
cap outbound requests per second (0 = unlimited, default 0):
|
||||
|
||||
```bash
|
||||
./sif -u https://example.com -rate-limit 20
|
||||
```
|
||||
|
||||
## output options
|
||||
|
||||
write the collected findings out to a file after the scan. both formats can be requested in the same run.
|
||||
|
||||
### -sarif
|
||||
|
||||
write a sarif 2.1.0 report (one run, tool `sif`, one result per finding). ingestable by github code scanning and other sarif consumers:
|
||||
|
||||
```bash
|
||||
./sif -u https://example.com -headers -cors -sarif out.sarif
|
||||
```
|
||||
|
||||
### -md, --markdown
|
||||
|
||||
write a readable markdown report grouped by target, then by module:
|
||||
|
||||
```bash
|
||||
./sif -u https://example.com -headers -cors -md report.md
|
||||
```
|
||||
|
||||
### -silent
|
||||
|
||||
plain output for pipelines: all banner/spinner/log chrome goes to stderr and stdout carries one normalized finding per line, formatted `[severity] target module title`. implies non-interactive (no spinners), so a downstream consumer sees nothing but findings:
|
||||
|
||||
```bash
|
||||
subfinder -d example.com | sif -silent -probe -sh | notify
|
||||
```
|
||||
|
||||
### -diff
|
||||
|
||||
turn a re-scan into a monitor. sif snapshots each target's normalized findings to a json file under the store dir; on the next run it loads that snapshot, diffs the current findings against it by finding key, and prints only the delta (`+ new` for findings that appeared, `- gone` for findings that vanished). it always rewrites the snapshot afterwards, so each run compares against the previous one.
|
||||
|
||||
the first run for a target has no snapshot, so every finding shows as `+ new`. when nothing changed, sif notes that and writes a fresh snapshot anyway.
|
||||
|
||||
```bash
|
||||
# baseline, then re-scan and see only what moved
|
||||
./sif -u https://example.com -sh -cors -diff
|
||||
./sif -u https://example.com -sh -cors -diff
|
||||
```
|
||||
|
||||
the delta is chrome, not the findings stream: under `-silent` it rides stderr with the rest of the chrome, leaving stdout for the full findings.
|
||||
|
||||
### -store
|
||||
|
||||
snapshot directory for `-diff`. precedence when unset: the `-log` dir if one is given, else `<user-config>/sif/state` (`$XDG_CONFIG_HOME/sif/state` on linux, `~/Library/Application Support/sif/state` on macos). one sanitized file per target, created at `0750`, written `0600`.
|
||||
|
||||
```bash
|
||||
./sif -u https://example.com -sh -diff -store ./snapshots
|
||||
```
|
||||
|
||||
|
||||
## notify options
|
||||
|
||||
ship findings to a chat/webhook sink after the scan. every provider is a single POST through the shared http client, so the global proxy/rate-limit/header config applies. with nothing configured, `-notify` is a silent no-op.
|
||||
|
||||
### -notify
|
||||
|
||||
enable delivery to every configured provider:
|
||||
|
||||
```bash
|
||||
export SLACK_WEBHOOK_URL=https://hooks.slack.com/services/...
|
||||
./sif -u https://example.com -cors -xss -notify
|
||||
```
|
||||
|
||||
### -notify-severity
|
||||
|
||||
minimum severity to send: `info`, `low`, `medium`, `high` or `critical` (default `medium`). findings below the floor are dropped, so info-level recon noise doesn't flood a channel. an unrecognized value falls back to `medium`:
|
||||
|
||||
```bash
|
||||
./sif -u https://example.com -cors -notify -notify-severity high
|
||||
```
|
||||
|
||||
### -notify-config
|
||||
|
||||
path to a yaml config that overrides the env vars per-field. the keys match [projectdiscovery/notify](https://github.com/projectdiscovery/notify) so an existing config ports over:
|
||||
|
||||
```yaml
|
||||
slack_webhook_url: https://hooks.slack.com/services/...
|
||||
discord_webhook_url: https://discord.com/api/webhooks/...
|
||||
telegram_api_key: 123456:abcdef
|
||||
telegram_chat_id: "987654"
|
||||
webhook_url: https://example.internal/sif-findings
|
||||
```
|
||||
|
||||
```bash
|
||||
./sif -u https://example.com -cors -notify -notify-config notify.yaml
|
||||
```
|
||||
|
||||
providers are resolved env-first, then overlaid by the yaml file:
|
||||
|
||||
| env var | yaml key | provider |
|
||||
|---------|----------|----------|
|
||||
| `SLACK_WEBHOOK_URL` | `slack_webhook_url` | slack incoming webhook |
|
||||
| `DISCORD_WEBHOOK_URL` | `discord_webhook_url` | discord webhook |
|
||||
| `TELEGRAM_BOT_TOKEN` | `telegram_api_key` | telegram bot api (needs chat id too) |
|
||||
| `TELEGRAM_CHAT_ID` | `telegram_chat_id` | telegram destination chat |
|
||||
| `NOTIFY_WEBHOOK_URL` | `webhook_url` | generic json webhook (structured findings) |
|
||||
|
||||
slack/discord/telegram receive a fixed-width finding block; the generic webhook receives structured json (`{count, findings[]}`) for downstream automation.
|
||||
|
||||
## api options
|
||||
|
||||
### -api
|
||||
@@ -303,6 +597,9 @@ the first time you run a new release sif also prints that release's notes once.
|
||||
-git \
|
||||
-sql \
|
||||
-lfi \
|
||||
-cors \
|
||||
-redirect \
|
||||
-xss \
|
||||
-am
|
||||
```
|
||||
|
||||
|
||||
Generated
+3
-3
@@ -2,11 +2,11 @@
|
||||
"nodes": {
|
||||
"nixpkgs": {
|
||||
"locked": {
|
||||
"lastModified": 1767364772,
|
||||
"narHash": "sha256-fFUnEYMla8b7UKjijLnMe+oVFOz6HjijGGNS1l7dYaQ=",
|
||||
"lastModified": 1780930886,
|
||||
"narHash": "sha256-rppURzHviaQN131F+nLiLdGfcb0uCd9gGP0E5+iw9MI=",
|
||||
"owner": "NixOS",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "16c7794d0a28b5a37904d55bcca36003b9109aaa",
|
||||
"rev": "8c3cede7ddc26bd659d2d383b5610efbd2c7a16e",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
||||
@@ -21,7 +21,7 @@
|
||||
version = "unstable-${self.shortRev or self.dirtyShortRev or "dev"}";
|
||||
src = ./.;
|
||||
|
||||
vendorHash = "sha256-ztKXnOjZS/jMxsRjtF0rIZ3lKv4YjMdZd6oQFRuAtR4=";
|
||||
vendorHash = "sha256-fR63/dStMsZon22vancuLWIAvZiEYMLjMwY1kmRDNgM=";
|
||||
|
||||
# Tests require network access (httptest)
|
||||
doCheck = false;
|
||||
|
||||
@@ -1,17 +1,23 @@
|
||||
module github.com/dropalldatabases/sif
|
||||
module github.com/vmfunc/sif
|
||||
|
||||
go 1.25.7
|
||||
|
||||
require (
|
||||
github.com/antchfx/htmlquery v1.3.6
|
||||
github.com/charmbracelet/glamour v0.10.0
|
||||
github.com/charmbracelet/glamour v1.0.0
|
||||
github.com/charmbracelet/lipgloss v1.1.1-0.20250404203927-76690c660834
|
||||
github.com/charmbracelet/log v1.0.0
|
||||
github.com/gocolly/colly/v2 v2.3.0
|
||||
github.com/likexian/whois v1.15.7
|
||||
github.com/projectdiscovery/goflags v0.1.74
|
||||
github.com/projectdiscovery/nuclei/v3 v3.8.0
|
||||
github.com/projectdiscovery/utils v0.10.1
|
||||
github.com/projectdiscovery/nuclei/v3 v3.10.0
|
||||
github.com/projectdiscovery/retryabledns v1.0.115
|
||||
github.com/projectdiscovery/utils v0.11.1
|
||||
github.com/rocketlaunchr/google-search v1.1.6
|
||||
github.com/tidwall/gjson v1.19.0
|
||||
github.com/twmb/murmur3 v1.1.8
|
||||
golang.org/x/net v0.56.0
|
||||
golang.org/x/time v0.15.0
|
||||
gopkg.in/yaml.v3 v3.0.1
|
||||
)
|
||||
|
||||
@@ -28,16 +34,16 @@ require (
|
||||
github.com/Azure/azure-sdk-for-go/sdk/storage/azblob v1.1.0 // indirect
|
||||
github.com/Azure/go-ntlmssp v0.1.1 // indirect
|
||||
github.com/AzureAD/microsoft-authentication-library-for-go v1.4.2 // indirect
|
||||
github.com/Knetic/govaluate v3.0.1-0.20171022003610-9aa49832a739+incompatible // indirect
|
||||
github.com/Masterminds/semver/v3 v3.4.0 // indirect
|
||||
github.com/FalconOpsLLC/goexec v0.3.0 // indirect
|
||||
github.com/Masterminds/semver/v3 v3.5.0 // indirect
|
||||
github.com/Microsoft/go-winio v0.6.2 // indirect
|
||||
github.com/Mzack9999/gcache v0.0.0-20230410081825-519e28eab057 // indirect
|
||||
github.com/Mzack9999/go-http-digest-auth-client v0.6.1-0.20220414142836-eb8883508809 // indirect
|
||||
github.com/Mzack9999/go-rsync v0.0.0-20250821180103-81ffa574ef4d // indirect
|
||||
github.com/Mzack9999/goja v0.0.0-20250507184235-e46100e9c697 // indirect
|
||||
github.com/Mzack9999/goja_nodejs v0.0.0-20250507184139-66bcbf65c883 // indirect
|
||||
github.com/Mzack9999/goimpacket v0.0.0-20260422121140-7085336a0415 // indirect
|
||||
github.com/ProtonMail/go-crypto v1.1.6 // indirect
|
||||
github.com/PuerkitoBio/goquery v1.11.0 // indirect
|
||||
github.com/RedTeamPentesting/adauth v0.5.4-0.20260511073005-3d18e8a5a687 // indirect
|
||||
github.com/STARRY-S/zip v0.2.3 // indirect
|
||||
github.com/VividCortex/ewma v1.2.0 // indirect
|
||||
github.com/akrylysov/pogreb v0.10.2 // indirect
|
||||
@@ -50,7 +56,7 @@ require (
|
||||
github.com/andybalholm/brotli v1.2.0 // indirect
|
||||
github.com/andybalholm/cascadia v1.3.3 // indirect
|
||||
github.com/andygrunwald/go-jira v1.16.1 // indirect
|
||||
github.com/antchfx/xmlquery v1.4.4 // indirect
|
||||
github.com/antchfx/xmlquery v1.5.0 // indirect
|
||||
github.com/antchfx/xpath v1.3.6 // indirect
|
||||
github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect
|
||||
github.com/aws/aws-sdk-go-v2 v1.41.5 // indirect
|
||||
@@ -75,9 +81,8 @@ require (
|
||||
github.com/aymanbagabas/go-osc52/v2 v2.0.1 // indirect
|
||||
github.com/aymerick/douceur v0.2.0 // indirect
|
||||
github.com/bahlo/generic-list-go v0.2.0 // indirect
|
||||
github.com/bits-and-blooms/bitset v1.22.0 // indirect
|
||||
github.com/bits-and-blooms/bitset v1.24.4 // indirect
|
||||
github.com/bits-and-blooms/bloom/v3 v3.5.0 // indirect
|
||||
github.com/bluele/gcache v0.0.2 // indirect
|
||||
github.com/bodgit/plumbing v1.3.0 // indirect
|
||||
github.com/bodgit/sevenzip v1.6.1 // indirect
|
||||
github.com/bodgit/windows v1.0.1 // indirect
|
||||
@@ -92,7 +97,7 @@ require (
|
||||
github.com/cespare/xxhash v1.1.0 // indirect
|
||||
github.com/cespare/xxhash/v2 v2.3.0 // indirect
|
||||
github.com/charmbracelet/colorprofile v0.3.2 // indirect
|
||||
github.com/charmbracelet/x/ansi v0.10.1 // indirect
|
||||
github.com/charmbracelet/x/ansi v0.10.2 // indirect
|
||||
github.com/charmbracelet/x/cellbuf v0.0.13 // indirect
|
||||
github.com/charmbracelet/x/exp/slice v0.0.0-20250908092851-c2208eb08494 // indirect
|
||||
github.com/charmbracelet/x/term v0.2.1 // indirect
|
||||
@@ -112,8 +117,8 @@ require (
|
||||
github.com/ditashi/jsbeautifier-go v0.0.0-20141206144643-2520a8026a9c // indirect
|
||||
github.com/djherbis/times v1.6.0 // indirect
|
||||
github.com/dlclark/regexp2 v1.11.5 // indirect
|
||||
github.com/docker/docker v28.3.3+incompatible // indirect
|
||||
github.com/docker/go-connections v0.6.0 // indirect
|
||||
github.com/dlclark/regexp2/v2 v2.2.1 // indirect
|
||||
github.com/docker/go-connections v0.7.0 // indirect
|
||||
github.com/docker/go-units v0.5.0 // indirect
|
||||
github.com/dsnet/compress v0.0.2-0.20230904184137-39efe44ab707 // indirect
|
||||
github.com/dustin/go-humanize v1.0.1 // indirect
|
||||
@@ -126,8 +131,8 @@ require (
|
||||
github.com/felixge/httpsnoop v1.0.4 // indirect
|
||||
github.com/free5gc/util v1.0.5-0.20230511064842-2e120956883b // indirect
|
||||
github.com/gabriel-vasile/mimetype v1.4.8 // indirect
|
||||
github.com/gaissmai/bart v0.26.1 // indirect
|
||||
github.com/geoffgarside/ber v1.1.0 // indirect
|
||||
github.com/gaissmai/bart v0.28.0 // indirect
|
||||
github.com/geoffgarside/ber v1.2.0 // indirect
|
||||
github.com/getkin/kin-openapi v0.132.0 // indirect
|
||||
github.com/gin-contrib/sse v0.1.0 // indirect
|
||||
github.com/gin-gonic/gin v1.9.1 // indirect
|
||||
@@ -136,7 +141,7 @@ require (
|
||||
github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 // indirect
|
||||
github.com/go-git/go-billy/v5 v5.9.0 // indirect
|
||||
github.com/go-git/go-git/v5 v5.19.1 // indirect
|
||||
github.com/go-ldap/ldap/v3 v3.4.11 // indirect
|
||||
github.com/go-ldap/ldap/v3 v3.4.12 // indirect
|
||||
github.com/go-logfmt/logfmt v0.6.1 // indirect
|
||||
github.com/go-logr/logr v1.4.3 // indirect
|
||||
github.com/go-logr/stdr v1.2.2 // indirect
|
||||
@@ -158,8 +163,6 @@ require (
|
||||
github.com/gobwas/pool v0.2.1 // indirect
|
||||
github.com/gobwas/ws v1.4.0 // indirect
|
||||
github.com/goccy/go-json v0.10.5 // indirect
|
||||
github.com/gocolly/colly/v2 v2.1.0 // indirect
|
||||
github.com/gogo/protobuf v1.3.2 // indirect
|
||||
github.com/golang-jwt/jwt/v4 v4.5.2 // indirect
|
||||
github.com/golang-jwt/jwt/v5 v5.2.2 // indirect
|
||||
github.com/golang-sql/civil v0.0.0-20220223132316-b832511892a9 // indirect
|
||||
@@ -168,7 +171,6 @@ require (
|
||||
github.com/golang/protobuf v1.5.4 // indirect
|
||||
github.com/golang/snappy v1.0.0 // indirect
|
||||
github.com/google/certificate-transparency-go v1.3.2 // indirect
|
||||
github.com/google/go-github v17.0.0+incompatible // indirect
|
||||
github.com/google/go-github/v30 v30.1.0 // indirect
|
||||
github.com/google/go-querystring v1.1.0 // indirect
|
||||
github.com/google/pprof v0.0.0-20240727154555-813a5fbdbec8 // indirect
|
||||
@@ -187,14 +189,15 @@ require (
|
||||
github.com/hdm/jarm-go v0.0.7 // indirect
|
||||
github.com/iangcarroll/cookiemonster v1.6.0 // indirect
|
||||
github.com/imdario/mergo v0.3.16 // indirect
|
||||
github.com/indece-official/go-ebcdic v1.2.0 // indirect
|
||||
github.com/invopop/jsonschema v0.13.0 // indirect
|
||||
github.com/invopop/yaml v0.3.1 // indirect
|
||||
github.com/itchyny/gojq v0.12.17 // indirect
|
||||
github.com/itchyny/timefmt-go v0.1.6 // indirect
|
||||
github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 // indirect
|
||||
github.com/jcmturner/aescts/v2 v2.0.0 // indirect
|
||||
github.com/jcmturner/dnsutils/v2 v2.0.0 // indirect
|
||||
github.com/jcmturner/gofork v1.7.6 // indirect
|
||||
github.com/jcmturner/goidentity/v6 v6.0.1 // indirect
|
||||
github.com/jcmturner/gokrb5/v8 v8.4.4 // indirect
|
||||
github.com/jcmturner/rpc/v2 v2.0.3 // indirect
|
||||
github.com/jinzhu/inflection v1.0.0 // indirect
|
||||
@@ -207,12 +210,10 @@ require (
|
||||
github.com/kennygrant/sanitize v1.2.4 // indirect
|
||||
github.com/kevinburke/ssh_config v1.2.0 // indirect
|
||||
github.com/kitabisa/go-ci v1.0.3 // indirect
|
||||
github.com/klauspost/compress v1.18.2 // indirect
|
||||
github.com/klauspost/compress v1.18.5 // indirect
|
||||
github.com/klauspost/cpuid/v2 v2.3.0 // indirect
|
||||
github.com/klauspost/pgzip v1.2.6 // indirect
|
||||
github.com/kylelemons/godebug v1.1.0 // indirect
|
||||
github.com/labstack/echo/v4 v4.13.4 // indirect
|
||||
github.com/labstack/gommon v0.4.2 // indirect
|
||||
github.com/leodido/go-urn v1.4.0 // indirect
|
||||
github.com/leslie-qiwa/flat v0.0.0-20230424180412-f9d1cf014baa // indirect
|
||||
github.com/lib/pq v1.11.2 // indirect
|
||||
@@ -225,8 +226,8 @@ require (
|
||||
github.com/mackerelio/go-osstat v0.2.6 // indirect
|
||||
github.com/mailru/easyjson v0.7.7 // indirect
|
||||
github.com/mattn/go-colorable v0.1.14 // indirect
|
||||
github.com/mattn/go-isatty v0.0.20 // indirect
|
||||
github.com/mattn/go-runewidth v0.0.16 // indirect
|
||||
github.com/mattn/go-isatty v0.0.22 // indirect
|
||||
github.com/mattn/go-runewidth v0.0.17 // indirect
|
||||
github.com/mattn/go-sqlite3 v1.14.28 // indirect
|
||||
github.com/maypok86/otter/v2 v2.2.1 // indirect
|
||||
github.com/mholt/acmez/v3 v3.1.3 // indirect
|
||||
@@ -239,16 +240,21 @@ require (
|
||||
github.com/minio/selfupdate v0.6.1-0.20230907112617-f11e74f84ca7 // indirect
|
||||
github.com/mitchellh/go-homedir v1.1.0 // indirect
|
||||
github.com/moby/docker-image-spec v1.3.1 // indirect
|
||||
github.com/moby/sys/atomicwriter v0.1.0 // indirect
|
||||
github.com/moby/moby/api v1.54.2 // indirect
|
||||
github.com/moby/moby/client v0.4.1 // indirect
|
||||
github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
|
||||
github.com/modern-go/reflect2 v1.0.2 // indirect
|
||||
github.com/mohae/deepcopy v0.0.0-20170929034955-c48cc78d4826 // indirect
|
||||
github.com/montanaflynn/stats v0.7.1 // indirect
|
||||
github.com/muesli/reflow v0.3.0 // indirect
|
||||
github.com/muesli/termenv v0.16.0 // indirect
|
||||
github.com/nlnwa/whatwg-url v0.6.2 // indirect
|
||||
github.com/nwaples/rardecode/v2 v2.2.2 // indirect
|
||||
github.com/oasdiff/yaml v0.0.0-20250309154309-f31be36b4037 // indirect
|
||||
github.com/oasdiff/yaml3 v0.0.0-20250309153720-d2182401db90 // indirect
|
||||
github.com/oiweiwei/go-msrpc v1.2.12 // indirect
|
||||
github.com/oiweiwei/go-smb2.fork v1.0.0 // indirect
|
||||
github.com/oiweiwei/gokrb5.fork/v9 v9.0.6 // indirect
|
||||
github.com/olekukonko/errors v1.1.0 // indirect
|
||||
github.com/olekukonko/ll v0.0.9 // indirect
|
||||
github.com/olekukonko/tablewriter v1.0.8 // indirect
|
||||
@@ -264,41 +270,44 @@ require (
|
||||
github.com/praetorian-inc/fingerprintx v1.1.15 // indirect
|
||||
github.com/projectdiscovery/asnmap v1.1.1 // indirect
|
||||
github.com/projectdiscovery/blackrock v0.0.1 // indirect
|
||||
github.com/projectdiscovery/cdncheck v1.2.31 // indirect
|
||||
github.com/projectdiscovery/clistats v0.1.1 // indirect
|
||||
github.com/projectdiscovery/dsl v0.8.14 // indirect
|
||||
github.com/projectdiscovery/fastdialer v0.5.6 // indirect
|
||||
github.com/projectdiscovery/cdncheck v1.2.42 // indirect
|
||||
github.com/projectdiscovery/clistats v0.1.4 // indirect
|
||||
github.com/projectdiscovery/dsl v0.8.20 // indirect
|
||||
github.com/projectdiscovery/fastdialer v0.5.11 // indirect
|
||||
github.com/projectdiscovery/fasttemplate v0.0.2 // indirect
|
||||
github.com/projectdiscovery/freeport v0.0.7 // indirect
|
||||
github.com/projectdiscovery/gcache v0.0.0-20241015120333-12546c6e3f4c // indirect
|
||||
github.com/projectdiscovery/go-smb2 v0.0.0-20240129202741-052cc450c6cb // indirect
|
||||
github.com/projectdiscovery/gologger v1.1.68 // indirect
|
||||
github.com/projectdiscovery/goja v0.0.0-20260618133720-acb73e419534 // indirect
|
||||
github.com/projectdiscovery/goja_nodejs v0.0.0-20260618132410-8519f75f703d // indirect
|
||||
github.com/projectdiscovery/gologger v1.1.71 // indirect
|
||||
github.com/projectdiscovery/gostruct v0.0.2 // indirect
|
||||
github.com/projectdiscovery/gozero v0.1.1-0.20251027191944-a4ea43320b81 // indirect
|
||||
github.com/projectdiscovery/hmap v0.0.100 // indirect
|
||||
github.com/projectdiscovery/govaluate v0.0.0-20260615100919-5ee2581bbf7e // indirect
|
||||
github.com/projectdiscovery/gozero v0.1.1-0.20260530071156-fa1dad563d76 // indirect
|
||||
github.com/projectdiscovery/hmap v0.0.101 // indirect
|
||||
github.com/projectdiscovery/httpx v1.9.0 // indirect
|
||||
github.com/projectdiscovery/interactsh v1.3.1 // indirect
|
||||
github.com/projectdiscovery/ldapserver v1.0.2-0.20240219154113-dcc758ebc0cb // indirect
|
||||
github.com/projectdiscovery/machineid v0.0.0-20250715113114-c77eb3567582 // indirect
|
||||
github.com/projectdiscovery/mapcidr v1.1.97 // indirect
|
||||
github.com/projectdiscovery/n3iwf v0.0.0-20230523120440-b8cd232ff1f5 // indirect
|
||||
github.com/projectdiscovery/networkpolicy v0.1.36 // indirect
|
||||
github.com/projectdiscovery/ratelimit v0.0.85 // indirect
|
||||
github.com/projectdiscovery/networkpolicy v0.1.41 // indirect
|
||||
github.com/projectdiscovery/ratelimit v0.0.88 // indirect
|
||||
github.com/projectdiscovery/rawhttp v0.1.90 // indirect
|
||||
github.com/projectdiscovery/rdap v0.9.1-0.20221108103045-9865884d1917 // indirect
|
||||
github.com/projectdiscovery/retryabledns v1.0.114 // indirect
|
||||
github.com/projectdiscovery/retryablehttp-go v1.3.8 // indirect
|
||||
github.com/projectdiscovery/sarif v0.0.1 // indirect
|
||||
github.com/projectdiscovery/retryablehttp-go v1.3.16 // indirect
|
||||
github.com/projectdiscovery/sarif v0.1.0 // indirect
|
||||
github.com/projectdiscovery/tlsx v1.2.2 // indirect
|
||||
github.com/projectdiscovery/uncover v1.2.0 // indirect
|
||||
github.com/projectdiscovery/useragent v0.0.107 // indirect
|
||||
github.com/projectdiscovery/wappalyzergo v0.2.76 // indirect
|
||||
github.com/projectdiscovery/uncover v1.2.1 // indirect
|
||||
github.com/projectdiscovery/useragent v0.0.108 // indirect
|
||||
github.com/projectdiscovery/wappalyzergo v0.2.87 // indirect
|
||||
github.com/projectdiscovery/yamldoc-go v1.0.6 // indirect
|
||||
github.com/redis/go-redis/v9 v9.11.0 // indirect
|
||||
github.com/refraction-networking/utls v1.8.2 // indirect
|
||||
github.com/remeh/sizedwaitgroup v1.0.0 // indirect
|
||||
github.com/rivo/uniseg v0.4.7 // indirect
|
||||
github.com/rs/xid v1.6.0 // indirect
|
||||
github.com/rs/zerolog v1.34.0 // indirect
|
||||
github.com/saintfish/chardet v0.0.0-20230101081208-5e3ef4b5456d // indirect
|
||||
github.com/sashabaranov/go-openai v1.37.0 // indirect
|
||||
github.com/segmentio/ksuid v1.0.4 // indirect
|
||||
@@ -307,17 +316,17 @@ require (
|
||||
github.com/shirou/gopsutil/v4 v4.26.3 // indirect
|
||||
github.com/shurcooL/graphql v0.0.0-20230722043721-ed46e5a46466 // indirect
|
||||
github.com/sijms/go-ora/v2 v2.9.0 // indirect
|
||||
github.com/sirupsen/logrus v1.9.3 // indirect
|
||||
github.com/sirupsen/logrus v1.9.4 // indirect
|
||||
github.com/skeema/knownhosts v1.3.1 // indirect
|
||||
github.com/sorairolake/lzip-go v0.3.8 // indirect
|
||||
github.com/spaolacci/murmur3 v1.1.0 // indirect
|
||||
github.com/spf13/afero v1.15.0 // indirect
|
||||
github.com/spf13/cast v1.9.2 // indirect
|
||||
github.com/spf13/cast v1.10.0 // indirect
|
||||
github.com/spf13/pflag v1.0.10 // indirect
|
||||
github.com/syndtr/goleveldb v1.0.0 // indirect
|
||||
github.com/temoto/robotstxt v1.1.2 // indirect
|
||||
github.com/tidwall/btree v1.8.1 // indirect
|
||||
github.com/tidwall/buntdb v1.3.2 // indirect
|
||||
github.com/tidwall/gjson v1.18.0 // indirect
|
||||
github.com/tidwall/grect v0.1.4 // indirect
|
||||
github.com/tidwall/match v1.2.0 // indirect
|
||||
github.com/tidwall/pretty v1.2.1 // indirect
|
||||
@@ -332,7 +341,6 @@ require (
|
||||
github.com/ugorji/go/codec v1.2.11 // indirect
|
||||
github.com/ulikunitz/xz v0.5.15 // indirect
|
||||
github.com/valyala/bytebufferpool v1.0.0 // indirect
|
||||
github.com/valyala/fasttemplate v1.2.2 // indirect
|
||||
github.com/vmihailenco/bufpool v0.1.11 // indirect
|
||||
github.com/vmihailenco/msgpack/v5 v5.3.4 // indirect
|
||||
github.com/vmihailenco/tagparser v0.1.2 // indirect
|
||||
@@ -360,37 +368,35 @@ require (
|
||||
github.com/zmap/rc2 v0.0.0-20190804163417-abaa70531248 // indirect
|
||||
github.com/zmap/zcrypto v0.0.0-20240803002437-3a861682ac77 // indirect
|
||||
github.com/zmap/zgrab2 v0.1.8 // indirect
|
||||
gitlab.com/gitlab-org/api/client-go v0.130.1 // indirect
|
||||
gitlab.com/gitlab-org/api/client-go v1.9.1 // indirect
|
||||
go.etcd.io/bbolt v1.4.3 // indirect
|
||||
go.mongodb.org/mongo-driver v1.17.9 // indirect
|
||||
go.opentelemetry.io/auto/sdk v1.2.1 // indirect
|
||||
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.62.0 // indirect
|
||||
go.opentelemetry.io/otel v1.41.0 // indirect
|
||||
go.opentelemetry.io/otel/metric v1.41.0 // indirect
|
||||
go.opentelemetry.io/otel/trace v1.41.0 // indirect
|
||||
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.68.0 // indirect
|
||||
go.opentelemetry.io/otel v1.43.0 // indirect
|
||||
go.opentelemetry.io/otel/metric v1.43.0 // indirect
|
||||
go.opentelemetry.io/otel/trace v1.43.0 // indirect
|
||||
go.uber.org/multierr v1.11.0 // indirect
|
||||
go.uber.org/zap v1.27.0 // indirect
|
||||
go.uber.org/zap/exp v0.3.0 // indirect
|
||||
go4.org v0.0.0-20230225012048-214862532bf5 // indirect
|
||||
goftp.io/server/v2 v2.0.1 // indirect
|
||||
golang.org/x/arch v0.3.0 // indirect
|
||||
golang.org/x/crypto v0.50.0 // indirect
|
||||
golang.org/x/exp v0.0.0-20260410095643-746e56fc9e2f // indirect
|
||||
golang.org/x/mod v0.35.0 // indirect
|
||||
golang.org/x/net v0.53.0 // indirect
|
||||
golang.org/x/crypto v0.53.0 // indirect
|
||||
golang.org/x/exp v0.0.0-20260527015227-08cc5374adb3 // indirect
|
||||
golang.org/x/mod v0.36.0 // indirect
|
||||
golang.org/x/oauth2 v0.34.0 // indirect
|
||||
golang.org/x/sync v0.20.0 // indirect
|
||||
golang.org/x/sys v0.43.0 // indirect
|
||||
golang.org/x/term v0.42.0 // indirect
|
||||
golang.org/x/text v0.36.0 // indirect
|
||||
golang.org/x/time v0.14.0 // indirect
|
||||
golang.org/x/tools v0.44.0 // indirect
|
||||
google.golang.org/appengine v1.6.7 // indirect
|
||||
google.golang.org/protobuf v1.36.6 // indirect
|
||||
golang.org/x/sync v0.21.0 // indirect
|
||||
golang.org/x/sys v0.46.0 // indirect
|
||||
golang.org/x/term v0.44.0 // indirect
|
||||
golang.org/x/text v0.38.0 // indirect
|
||||
golang.org/x/tools v0.45.0 // indirect
|
||||
google.golang.org/appengine v1.6.8 // indirect
|
||||
google.golang.org/protobuf v1.36.11 // indirect
|
||||
gopkg.in/alecthomas/kingpin.v2 v2.2.6 // indirect
|
||||
gopkg.in/corvus-ch/zbase32.v1 v1.0.0 // indirect
|
||||
gopkg.in/warnings.v0 v0.1.2 // indirect
|
||||
gopkg.in/yaml.v2 v2.4.0 // indirect
|
||||
mellium.im/sasl v0.3.2 // indirect
|
||||
moul.io/http2curl v1.0.0 // indirect
|
||||
software.sslmate.com/src/go-pkcs12 v0.7.0 // indirect
|
||||
)
|
||||
|
||||
@@ -70,13 +70,13 @@ github.com/AzureAD/microsoft-authentication-extensions-for-go/cache v0.1.1/go.mo
|
||||
github.com/AzureAD/microsoft-authentication-library-for-go v1.4.2 h1:oygO0locgZJe7PpYPXT5A29ZkwJaPqcva7BVeemZOZs=
|
||||
github.com/AzureAD/microsoft-authentication-library-for-go v1.4.2/go.mod h1:wP83P5OoQ5p6ip3ScPr0BAq0BvuPAvacpEuSzyouqAI=
|
||||
github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
|
||||
github.com/BurntSushi/toml v1.3.2 h1:o7IhLm0Msx3BaB+n3Ag7L8EVlByGnpq14C4YWiu/gL8=
|
||||
github.com/BurntSushi/toml v1.3.2/go.mod h1:CxXYINrC8qIiEnFrOxCa7Jy5BFHlXnUU2pbicEuybxQ=
|
||||
github.com/BurntSushi/toml v1.4.0 h1:kuoIxZQy2WRRk1pttg9asf+WVv6tWQuBNVmK8+nqPr0=
|
||||
github.com/BurntSushi/toml v1.4.0/go.mod h1:ukJfTF/6rtPPRCnwkur4qwRxa8vTRFBF0uk2lLoLwho=
|
||||
github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo=
|
||||
github.com/Knetic/govaluate v3.0.1-0.20171022003610-9aa49832a739+incompatible h1:1G1pk05UrOh0NlF1oeaaix1x8XzrfjIDK47TY0Zehcw=
|
||||
github.com/Knetic/govaluate v3.0.1-0.20171022003610-9aa49832a739+incompatible/go.mod h1:r7JcOSlj0wfOMncg0iLm8Leh48TZaKVeNIfJntJ2wa0=
|
||||
github.com/Masterminds/semver/v3 v3.4.0 h1:Zog+i5UMtVoCU8oKka5P7i9q9HgrJeGzI9SA1Xbatp0=
|
||||
github.com/Masterminds/semver/v3 v3.4.0/go.mod h1:4V+yj/TJE1HU9XfppCwVMZq3I84lprf4nC11bSS5beM=
|
||||
github.com/FalconOpsLLC/goexec v0.3.0 h1:ryLMkrGT6asnkqdc5rFMNOSTYdMH/iCfyEuwu0D6ZhA=
|
||||
github.com/FalconOpsLLC/goexec v0.3.0/go.mod h1:kiyxVbmFCGbbwXRyZmOSKlOy7PiK+JH2gq07Ztag/k8=
|
||||
github.com/Masterminds/semver/v3 v3.5.0 h1:kQceYJfbupGfZOKZQg0kou0DgAKhzDg2NZPAwZ/2OOE=
|
||||
github.com/Masterminds/semver/v3 v3.5.0/go.mod h1:4V+yj/TJE1HU9XfppCwVMZq3I84lprf4nC11bSS5beM=
|
||||
github.com/Microsoft/go-winio v0.5.2/go.mod h1:WpS1mjBmmwHBEWmogvA2mj8546UReBk4v8QkMxJ6pZY=
|
||||
github.com/Microsoft/go-winio v0.6.2 h1:F2VQgta7ecxGYO8k3ZZz3RS8fVIXVxONVUPlNERoyfY=
|
||||
github.com/Microsoft/go-winio v0.6.2/go.mod h1:yd8OoFMLzJbo9gZq8j5qaps8bJ9aShtEA8Ipt1oGCvU=
|
||||
@@ -86,10 +86,8 @@ github.com/Mzack9999/go-http-digest-auth-client v0.6.1-0.20220414142836-eb888350
|
||||
github.com/Mzack9999/go-http-digest-auth-client v0.6.1-0.20220414142836-eb8883508809/go.mod h1:upgc3Zs45jBDnBT4tVRgRcgm26ABpaP7MoTSdgysca4=
|
||||
github.com/Mzack9999/go-rsync v0.0.0-20250821180103-81ffa574ef4d h1:DofPB5AcjTnOU538A/YD86/dfqSNTvQsAXgwagxmpu4=
|
||||
github.com/Mzack9999/go-rsync v0.0.0-20250821180103-81ffa574ef4d/go.mod h1:uzdh/m6XQJI7qRvufeBPDa+lj5SVCJO8B9eLxTbtI5U=
|
||||
github.com/Mzack9999/goja v0.0.0-20250507184235-e46100e9c697 h1:54I+OF5vS4a/rxnUrN5J3hi0VEYKcrTlpc8JosDyP+c=
|
||||
github.com/Mzack9999/goja v0.0.0-20250507184235-e46100e9c697/go.mod h1:yNqYRqxYkSROY1J+LX+A0tOSA/6soXQs5m8hZSqYBac=
|
||||
github.com/Mzack9999/goja_nodejs v0.0.0-20250507184139-66bcbf65c883 h1:+Is1AS20q3naP+qJophNpxuvx1daFOx9C0kLIuI0GVk=
|
||||
github.com/Mzack9999/goja_nodejs v0.0.0-20250507184139-66bcbf65c883/go.mod h1:K+FhM7iKGKtalkeXGEviafPPwyVjDv1a/ehomabLF2w=
|
||||
github.com/Mzack9999/goimpacket v0.0.0-20260422121140-7085336a0415 h1:lpSZPcbowbxvKFaFvE1reLTCStezWXcRVk0zzBtUatg=
|
||||
github.com/Mzack9999/goimpacket v0.0.0-20260422121140-7085336a0415/go.mod h1:Wvb2f1Aq6NVL4Fza/dPNxv6/canpeizpgmiTCBGMD50=
|
||||
github.com/Nvveen/Gotty v0.0.0-20120604004816-cd527374f1e5 h1:TngWCqHvy9oXAN6lEVMRuU21PR1EtLVZJmdB18Gu3Rw=
|
||||
github.com/Nvveen/Gotty v0.0.0-20120604004816-cd527374f1e5/go.mod h1:lmUJ/7eu/Q8D7ML55dXQrVaamCz2vxCfdQBasLZfHKk=
|
||||
github.com/OneOfOne/xxhash v1.2.2 h1:KMrpdQIwFcEqXDklaen+P1axHaj9BSKzvpUUfnHldSE=
|
||||
@@ -101,6 +99,8 @@ github.com/PuerkitoBio/goquery v1.5.1/go.mod h1:GsLWisAFVj4WgDibEWF4pvYnkVQBpKBK
|
||||
github.com/PuerkitoBio/goquery v1.8.1/go.mod h1:Q8ICL1kNUJ2sXGoAhPGUdYDJvgQgHzJsnnd3H7Ho5jQ=
|
||||
github.com/PuerkitoBio/goquery v1.11.0 h1:jZ7pwMQXIITcUXNH83LLk+txlaEy6NVOfTuP43xxfqw=
|
||||
github.com/PuerkitoBio/goquery v1.11.0/go.mod h1:wQHgxUOU3JGuj3oD/QFfxUdlzW6xPHfqyHre6VMY4DQ=
|
||||
github.com/RedTeamPentesting/adauth v0.5.4-0.20260511073005-3d18e8a5a687 h1:HHkHNwakgAFX3qlMm88c090vIYNFWiO5+4WyAr0xJuM=
|
||||
github.com/RedTeamPentesting/adauth v0.5.4-0.20260511073005-3d18e8a5a687/go.mod h1:l6FRaC2TliS/JMNWskO3J1tmrcKJyOaMFhWC6hHeWno=
|
||||
github.com/RumbleDiscovery/rumble-tools v0.0.0-20201105153123-f2adbb3244d2/go.mod h1:jD2+mU+E2SZUuAOHZvZj4xP4frlOo+N/YrXDvASFhkE=
|
||||
github.com/STARRY-S/zip v0.2.3 h1:luE4dMvRPDOWQdeDdUxUoZkzUIpTccdKdhHHsQJ1fm4=
|
||||
github.com/STARRY-S/zip v0.2.3/go.mod h1:lqJ9JdeRipyOQJrYSOtpNAiaesFO6zVDsE8GIGFaoSk=
|
||||
@@ -125,8 +125,8 @@ github.com/alecthomas/units v0.0.0-20190717042225-c3de453c63f4/go.mod h1:ybxpYRF
|
||||
github.com/alecthomas/units v0.0.0-20190924025748-f65c72e2690d/go.mod h1:rBZYJk541a8SKzHPHnH3zbiI+7dagKZ0cgpgrD7Fyho=
|
||||
github.com/alecthomas/units v0.0.0-20211218093645-b94a6e3cc137 h1:s6gZFSlWYmbqAuRjVTiNNhvNRfY2Wxp9nhfyel4rklc=
|
||||
github.com/alecthomas/units v0.0.0-20211218093645-b94a6e3cc137/go.mod h1:OMCwj8VM1Kc9e19TLln2VL61YJF0x1XFtfdL4JdbSyE=
|
||||
github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa h1:LHTHcTQiSGT7VVbI0o4wBRNQIgn917usHWOd6VAffYI=
|
||||
github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa/go.mod h1:cEWa1LVoE5KvSD9ONXsZrj0z6KqySlCCNKHlLzbqAt4=
|
||||
github.com/alexbrainman/sspi v0.0.0-20250919150558-7d374ff0d59e h1:4dAU9FXIyQktpoUAgOJK3OTFc/xug0PCXYCqU0FgDKI=
|
||||
github.com/alexbrainman/sspi v0.0.0-20250919150558-7d374ff0d59e/go.mod h1:cEWa1LVoE5KvSD9ONXsZrj0z6KqySlCCNKHlLzbqAt4=
|
||||
github.com/alexsnet/go-vnc v0.1.0 h1:vBCwPNy79WEL8V/Z5A0ngEFCvTWBAjmS048lkR2rdmY=
|
||||
github.com/alexsnet/go-vnc v0.1.0/go.mod h1:bbRsg41Sh3zvrnWsw+REKJVGZd8Of2+S0V1G0ZaBhlU=
|
||||
github.com/alitto/pond v1.9.2 h1:9Qb75z/scEZVCoSU+osVmQ0I0JOeLfdTDafrbcJ8CLs=
|
||||
@@ -149,13 +149,13 @@ github.com/antchfx/htmlquery v1.3.6 h1:RNHHL7YehO5XdO8IM8CynwLKONwRHWkrghbYhQIk9
|
||||
github.com/antchfx/htmlquery v1.3.6/go.mod h1:kcVUqancxPygm26X2rceEcagZFFVkLEE7xgLkGSDl/4=
|
||||
github.com/antchfx/xmlquery v1.2.4/go.mod h1:KQQuESaxSlqugE2ZBcM/qn+ebIpt+d+4Xx7YcSGAIrM=
|
||||
github.com/antchfx/xmlquery v1.3.15/go.mod h1:zMDv5tIGjOxY/JCNNinnle7V/EwthZ5IT8eeCGJKRWA=
|
||||
github.com/antchfx/xmlquery v1.4.4 h1:mxMEkdYP3pjKSftxss4nUHfjBhnMk4imGoR96FRY2dg=
|
||||
github.com/antchfx/xmlquery v1.4.4/go.mod h1:AEPEEPYE9GnA2mj5Ur2L5Q5/2PycJ0N9Fusrx9b12fc=
|
||||
github.com/antchfx/xmlquery v1.5.0 h1:uAi+mO40ZWfyU6mlUBxRVvL6uBNZ6LMU4M3+mQIBV4c=
|
||||
github.com/antchfx/xmlquery v1.5.0/go.mod h1:lJfWRXzYMK1ss32zm1GQV3gMIW/HFey3xDZmkP1SuNc=
|
||||
github.com/antchfx/xpath v1.1.6/go.mod h1:Yee4kTMuNiPYJ7nSNorELQMr1J33uOpXDMByNYhvtNk=
|
||||
github.com/antchfx/xpath v1.1.8/go.mod h1:Yee4kTMuNiPYJ7nSNorELQMr1J33uOpXDMByNYhvtNk=
|
||||
github.com/antchfx/xpath v1.2.3/go.mod h1:i54GszH55fYfBmoZXapTHN8T8tkcHfRgLyVwwqzXNcs=
|
||||
github.com/antchfx/xpath v1.2.4/go.mod h1:i54GszH55fYfBmoZXapTHN8T8tkcHfRgLyVwwqzXNcs=
|
||||
github.com/antchfx/xpath v1.3.3/go.mod h1:i54GszH55fYfBmoZXapTHN8T8tkcHfRgLyVwwqzXNcs=
|
||||
github.com/antchfx/xpath v1.3.5/go.mod h1:i54GszH55fYfBmoZXapTHN8T8tkcHfRgLyVwwqzXNcs=
|
||||
github.com/antchfx/xpath v1.3.6 h1:s0y+ElRRtTQdfHP609qFu0+c6bglDv20pqOViQjjdPI=
|
||||
github.com/antchfx/xpath v1.3.6/go.mod h1:i54GszH55fYfBmoZXapTHN8T8tkcHfRgLyVwwqzXNcs=
|
||||
github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5 h1:0CwZNZbxp69SHPdPJAN/hZIm0C4OItdklCFmMRWYpio=
|
||||
@@ -212,12 +212,11 @@ github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24
|
||||
github.com/beorn7/perks v1.0.0/go.mod h1:KWe93zE9D1o94FZ5RNwFwVgaQK1VOXiVxmqh+CedLV8=
|
||||
github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
|
||||
github.com/bits-and-blooms/bitset v1.8.0/go.mod h1:7hO7Gc7Pp1vODcmWvKMRA9BNmbv6a/7QIWpPxHddWR8=
|
||||
github.com/bits-and-blooms/bitset v1.22.0 h1:Tquv9S8+SGaS3EhyA+up3FXzmkhxPGjQQCkcs2uw7w4=
|
||||
github.com/bits-and-blooms/bitset v1.22.0/go.mod h1:7hO7Gc7Pp1vODcmWvKMRA9BNmbv6a/7QIWpPxHddWR8=
|
||||
github.com/bits-and-blooms/bitset v1.20.0/go.mod h1:7hO7Gc7Pp1vODcmWvKMRA9BNmbv6a/7QIWpPxHddWR8=
|
||||
github.com/bits-and-blooms/bitset v1.24.4 h1:95H15Og1clikBrKr/DuzMXkQzECs1M6hhoGXLwLQOZE=
|
||||
github.com/bits-and-blooms/bitset v1.24.4/go.mod h1:7hO7Gc7Pp1vODcmWvKMRA9BNmbv6a/7QIWpPxHddWR8=
|
||||
github.com/bits-and-blooms/bloom/v3 v3.5.0 h1:AKDvi1V3xJCmSR6QhcBfHbCN4Vf8FfxeWkMNQfmAGhY=
|
||||
github.com/bits-and-blooms/bloom/v3 v3.5.0/go.mod h1:Y8vrn7nk1tPIlmLtW2ZPV+W7StdVMor6bC1xgpjMZFs=
|
||||
github.com/bluele/gcache v0.0.2 h1:WcbfdXICg7G/DGBh1PFfcirkWOQV+v077yF1pSy3DGw=
|
||||
github.com/bluele/gcache v0.0.2/go.mod h1:m15KV+ECjptwSPxKhOhQoAFQVtUFjTVkc3H8o0t/fp0=
|
||||
github.com/bodgit/plumbing v1.3.0 h1:pf9Itz1JOQgn7vEOE7v7nlEfBykYqvUYioC61TwWCFU=
|
||||
github.com/bodgit/plumbing v1.3.0/go.mod h1:JOTb4XiRu5xfnmdnDJo6GmSbSbtSyufrsyZFByMtKEs=
|
||||
github.com/bodgit/sevenzip v1.6.1 h1:kikg2pUMYC9ljU7W9SaqHXhym5HyKm8/M/jd31fYan4=
|
||||
@@ -245,8 +244,6 @@ github.com/caddyserver/zerossl v0.1.3 h1:onS+pxp3M8HnHpN5MMbOMyNjmTheJyWRaZYwn+Y
|
||||
github.com/caddyserver/zerossl v0.1.3/go.mod h1:CxA0acn7oEGO6//4rtrRjYgEoa4MFw/XofZnrYwGqG4=
|
||||
github.com/cenkalti/backoff/v4 v4.3.0 h1:MyRJ/UdXutAwSAT+s3wNd7MfTIcy71VQueUuFK343L8=
|
||||
github.com/cenkalti/backoff/v4 v4.3.0/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyYozVcomhLiZE=
|
||||
github.com/cenkalti/backoff/v5 v5.0.3 h1:ZN+IMa753KfX5hd8vVaMixjnqRZ3y8CuJKRKj1xcsSM=
|
||||
github.com/cenkalti/backoff/v5 v5.0.3/go.mod h1:rkhZdG3JZukswDf7f0cwqPNk4K0sa+F97BxZthm/crw=
|
||||
github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
|
||||
github.com/censys/censys-sdk-go v0.19.1 h1:CG8rQKgwrKuoICd3oU0uddALMfJnboeMkDg/e74HYyc=
|
||||
github.com/censys/censys-sdk-go v0.19.1/go.mod h1:DgPz5NgL+EfoueXLPG9UG1e7hS0OhtlywgpkIuu3ZRE=
|
||||
@@ -259,14 +256,14 @@ github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UF
|
||||
github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
|
||||
github.com/charmbracelet/colorprofile v0.3.2 h1:9J27WdztfJQVAQKX2WOlSSRB+5gaKqqITmrvb1uTIiI=
|
||||
github.com/charmbracelet/colorprofile v0.3.2/go.mod h1:mTD5XzNeWHj8oqHb+S1bssQb7vIHbepiebQ2kPKVKbI=
|
||||
github.com/charmbracelet/glamour v0.10.0 h1:MtZvfwsYCx8jEPFJm3rIBFIMZUfUJ765oX8V6kXldcY=
|
||||
github.com/charmbracelet/glamour v0.10.0/go.mod h1:f+uf+I/ChNmqo087elLnVdCiVgjSKWuXa/l6NU2ndYk=
|
||||
github.com/charmbracelet/glamour v1.0.0 h1:AWMLOVFHTsysl4WV8T8QgkQ0s/ZNZo7CiE4WKhk8l08=
|
||||
github.com/charmbracelet/glamour v1.0.0/go.mod h1:DSdohgOBkMr2ZQNhw4LZxSGpx3SvpeujNoXrQyH2hxo=
|
||||
github.com/charmbracelet/lipgloss v1.1.1-0.20250404203927-76690c660834 h1:ZR7e0ro+SZZiIZD7msJyA+NjkCNNavuiPBLgerbOziE=
|
||||
github.com/charmbracelet/lipgloss v1.1.1-0.20250404203927-76690c660834/go.mod h1:aKC/t2arECF6rNOnaKaVU6y4t4ZeHQzqfxedE/VkVhA=
|
||||
github.com/charmbracelet/log v1.0.0 h1:HVVVMmfOorfj3BA9i8X8UL69Hoz9lI0PYwXfJvOdRc4=
|
||||
github.com/charmbracelet/log v1.0.0/go.mod h1:uYgY3SmLpwJWxmlrPwXvzVYujxis1vAKRV/0VQB7yWA=
|
||||
github.com/charmbracelet/x/ansi v0.10.1 h1:rL3Koar5XvX0pHGfovN03f5cxLbCF2YvLeyz7D2jVDQ=
|
||||
github.com/charmbracelet/x/ansi v0.10.1/go.mod h1:3RQDQ6lDnROptfpWuUVIUG64bD2g2BgntdxH0Ya5TeE=
|
||||
github.com/charmbracelet/x/ansi v0.10.2 h1:ith2ArZS0CJG30cIUfID1LXN7ZFXRCww6RUvAPA+Pzw=
|
||||
github.com/charmbracelet/x/ansi v0.10.2/go.mod h1:HbLdJjQH4UH4AqA2HpRWuWNluRE6zxJH/yteYEYCFa8=
|
||||
github.com/charmbracelet/x/cellbuf v0.0.13 h1:/KBBKHuVRbq1lYx5BzEHBAFBP8VcQzJejZ/IA3iR28k=
|
||||
github.com/charmbracelet/x/cellbuf v0.0.13/go.mod h1:xe0nKWGd3eJgtqZRaN9RjMtK7xUYchjzPr7q6kcvCCs=
|
||||
github.com/charmbracelet/x/exp/golden v0.0.0-20240806155701-69247e0abc2a h1:G99klV19u0QnhiizODirwVksQB91TJKV/UaTnACcG30=
|
||||
@@ -305,8 +302,7 @@ github.com/containerd/errdefs v1.0.0 h1:tg5yIfIlQIrxYtu9ajqY42W3lpS19XqdxRQeEwYG
|
||||
github.com/containerd/errdefs v1.0.0/go.mod h1:+YBYIdtsnF4Iw6nWZhJcqGSg/dwvV7tyJ/kCkyJ2k+M=
|
||||
github.com/containerd/errdefs/pkg v0.3.0 h1:9IKJ06FvyNlexW690DXuQNx2KA2cUJXx151Xdx3ZPPE=
|
||||
github.com/containerd/errdefs/pkg v0.3.0/go.mod h1:NJw6s9HwNuRhnjJhM7pylWwMyAkmCQvQ4GpJHEqRLVk=
|
||||
github.com/containerd/log v0.1.0 h1:TCJt7ioM2cr/tfR8GPbGf9/VRAX8D2B4PjzCpfX540I=
|
||||
github.com/containerd/log v0.1.0/go.mod h1:VRRf09a7mHDIRezVKTRCrOq78v577GXq3bSa3EhrzVo=
|
||||
github.com/coreos/go-systemd/v22 v22.5.0/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc=
|
||||
github.com/cyphar/filepath-securejoin v0.6.1 h1:5CeZ1jPXEiYt3+Z6zqprSAgSWiggmpVyciv8syjIpVE=
|
||||
github.com/cyphar/filepath-securejoin v0.6.1/go.mod h1:A8hd4EnAeyujCJRrICiOWqjS1AX0a9kM5XL+NwKoYSc=
|
||||
github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
|
||||
@@ -328,12 +324,12 @@ github.com/djherbis/times v1.6.0/go.mod h1:gOHeRAz2h+VJNZ5Gmc/o7iD9k4wW7NMVqieYC
|
||||
github.com/dlclark/regexp2 v1.4.0/go.mod h1:2pZnwuY/m+8K6iRw6wQdMtk+rH5tNGR1i55kozfMjCc=
|
||||
github.com/dlclark/regexp2 v1.11.5 h1:Q/sSnsKerHeCkc/jSTNq1oCm7KiVgUMZRDUoRu0JQZQ=
|
||||
github.com/dlclark/regexp2 v1.11.5/go.mod h1:DHkYz0B9wPfa6wondMfaivmHpzrQ3v9q8cnmRbL6yW8=
|
||||
github.com/dlclark/regexp2/v2 v2.2.1 h1:mf4KkFUj0gJuarK8P+LgiS+Lit7m9N1yAwEfPbee7R0=
|
||||
github.com/dlclark/regexp2/v2 v2.2.1/go.mod h1:avUrQvPaLz2DrFNHJF0taWAFFX2C1GMSSoeiqFjcBmU=
|
||||
github.com/docker/cli v29.2.0+incompatible h1:9oBd9+YM7rxjZLfyMGxjraKBKE4/nVyvVfN4qNl9XRM=
|
||||
github.com/docker/cli v29.2.0+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
|
||||
github.com/docker/docker v28.3.3+incompatible h1:Dypm25kh4rmk49v1eiVbsAtpAsYURjYkaKubwuBdxEI=
|
||||
github.com/docker/docker v28.3.3+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
|
||||
github.com/docker/go-connections v0.6.0 h1:LlMG9azAe1TqfR7sO+NJttz1gy6KO7VJBh+pMmjSD94=
|
||||
github.com/docker/go-connections v0.6.0/go.mod h1:AahvXYshr6JgfUJGdDCs2b5EZG/vmaMAntpSFH5BFKE=
|
||||
github.com/docker/go-connections v0.7.0 h1:6SsRfJddP22WMrCkj19x9WKjEDTB+ahsdiGYf0mN39c=
|
||||
github.com/docker/go-connections v0.7.0/go.mod h1:no1qkHdjq7kLMGUXYAduOhYPSJxxvgWBh7ogVvptn3Q=
|
||||
github.com/docker/go-units v0.5.0 h1:69rxXcBk27SvSaaxTtLh/8llcHD8vYHT7WSdRZ/jvr4=
|
||||
github.com/docker/go-units v0.5.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk=
|
||||
github.com/dsnet/compress v0.0.2-0.20230904184137-39efe44ab707 h1:2tV76y6Q9BB+NEBasnqvs7e49aEBFI8ejC89PSnWH+4=
|
||||
@@ -373,10 +369,10 @@ github.com/fsnotify/fsnotify v1.6.0 h1:n+5WquG0fcWoWp6xPWfHdbskMCQaFnG6PfBrh1Ky4
|
||||
github.com/fsnotify/fsnotify v1.6.0/go.mod h1:sl3t1tCWJFWoRz9R8WJCbQihKKwmorjAbSClcnxKAGw=
|
||||
github.com/gabriel-vasile/mimetype v1.4.8 h1:FfZ3gj38NjllZIeJAmMhr+qKL8Wu+nOoI3GqacKw1NM=
|
||||
github.com/gabriel-vasile/mimetype v1.4.8/go.mod h1:ByKUIKGjh1ODkGM1asKUbQZOLGrPjydw3hYPU2YU9t8=
|
||||
github.com/gaissmai/bart v0.26.1 h1:+w4rnLGNlA2GDVn382Tfe3jOsK5vOr5n4KmigJ9lbTo=
|
||||
github.com/gaissmai/bart v0.26.1/go.mod h1:GREWQfTLRWz/c5FTOsIw+KkscuFkIV5t8Rp7Nd1Td5c=
|
||||
github.com/geoffgarside/ber v1.1.0 h1:qTmFG4jJbwiSzSXoNJeHcOprVzZ8Ulde2Rrrifu5U9w=
|
||||
github.com/geoffgarside/ber v1.1.0/go.mod h1:jVPKeCbj6MvQZhwLYsGwaGI52oUorHoHKNecGT85ZCc=
|
||||
github.com/gaissmai/bart v0.28.0 h1:89yZLo8NmyqD0RYgJ3QO9HhqqGGw+oWhf90cZm69Lko=
|
||||
github.com/gaissmai/bart v0.28.0/go.mod h1:GREWQfTLRWz/c5FTOsIw+KkscuFkIV5t8Rp7Nd1Td5c=
|
||||
github.com/geoffgarside/ber v1.2.0 h1:/loowoRcs/MWLYmGX9QtIAbA+V/FrnVLsMMPhwiRm64=
|
||||
github.com/geoffgarside/ber v1.2.0/go.mod h1:jVPKeCbj6MvQZhwLYsGwaGI52oUorHoHKNecGT85ZCc=
|
||||
github.com/getkin/kin-openapi v0.132.0 h1:3ISeLMsQzcb5v26yeJrBcdTCEQTag36ZjaGk7MIRUwk=
|
||||
github.com/getkin/kin-openapi v0.132.0/go.mod h1:3OlG51PCYNsPByuiMB0t4fjnNlIDnaEDsjiKUV8nL58=
|
||||
github.com/gin-contrib/sse v0.1.0 h1:Y/yl/+YNO8GZSjAhjMsSuLt29uWRFHdHYUb5lYOV9qE=
|
||||
@@ -405,8 +401,8 @@ github.com/go-kit/kit v0.9.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2
|
||||
github.com/go-kit/log v0.1.0/go.mod h1:zbhenjAZHb184qTLMA9ZjW7ThYL0H2mk7Q6pNt4vbaY=
|
||||
github.com/go-kit/log v0.2.0/go.mod h1:NwTd00d/i8cPZ3xOwwiv2PO5MOcx78fFErGNcVmBjv0=
|
||||
github.com/go-kit/log v0.2.1/go.mod h1:NwTd00d/i8cPZ3xOwwiv2PO5MOcx78fFErGNcVmBjv0=
|
||||
github.com/go-ldap/ldap/v3 v3.4.11 h1:4k0Yxweg+a3OyBLjdYn5OKglv18JNvfDykSoI8bW0gU=
|
||||
github.com/go-ldap/ldap/v3 v3.4.11/go.mod h1:bY7t0FLK8OAVpp/vV6sSlpz3EQDGcQwc8pF0ujLgKvM=
|
||||
github.com/go-ldap/ldap/v3 v3.4.12 h1:1b81mv7MagXZ7+1r7cLTWmyuTqVqdwbtJSjC0DAp9s4=
|
||||
github.com/go-ldap/ldap/v3 v3.4.12/go.mod h1:+SPAGcTtOfmGsCb3h1RFiq4xpp4N636G75OEace8lNo=
|
||||
github.com/go-logfmt/logfmt v0.3.0/go.mod h1:Qt1PoO58o5twSAckw1HlFXLmHsOX5/0LbT9GBnD5lWE=
|
||||
github.com/go-logfmt/logfmt v0.4.0/go.mod h1:3RMwSq7FuexP4Kalkev3ejPJsZTpXXBr9+V4qmtdjCk=
|
||||
github.com/go-logfmt/logfmt v0.5.0/go.mod h1:wCYkCAKZfumFQihp8CzCvQ3paCTfi41vtzG1KdI/P7A=
|
||||
@@ -463,13 +459,15 @@ github.com/gobwas/ws v1.4.0 h1:CTaoG1tojrh4ucGPcoJFiAQUAsEWekEWvLy7GsVNqGs=
|
||||
github.com/gobwas/ws v1.4.0/go.mod h1:G3gNqMNtPppf5XUz7O4shetPpcZ1VJ7zt18dlUeakrc=
|
||||
github.com/goccy/go-json v0.10.5 h1:Fq85nIqj+gXn/S5ahsiTlK3TmC85qgirsdTP/+DeaC4=
|
||||
github.com/goccy/go-json v0.10.5/go.mod h1:oq7eo15ShAhp70Anwd5lgX2pLfOS3QCiwU/PULtXL6M=
|
||||
github.com/goccy/go-yaml v1.19.2 h1:PmFC1S6h8ljIz6gMRBopkjP1TVT7xuwrButHID66PoM=
|
||||
github.com/goccy/go-yaml v1.19.2/go.mod h1:XBurs7gK8ATbW4ZPGKgcbrY1Br56PdM69F7LkFRi1kA=
|
||||
github.com/gocolly/colly v1.2.0/go.mod h1:Hof5T3ZswNVsOHYmba1u03W65HDWgpV5HifSuueE0EA=
|
||||
github.com/gocolly/colly/v2 v2.1.0 h1:k0DuZkDoCsx51bKpRJNEmcxcp+W5N8ziuwGaSDuFoGs=
|
||||
github.com/gocolly/colly/v2 v2.1.0/go.mod h1:I2MuhsLjQ+Ex+IzK3afNS8/1qP3AedHOusRPcRdC5o0=
|
||||
github.com/gocolly/colly/v2 v2.3.0 h1:HSFh0ckbgVd2CSGRE+Y/iA4goUhGROJwyQDCMXGFBWM=
|
||||
github.com/gocolly/colly/v2 v2.3.0/go.mod h1:Qp54s/kQbwCQvFVx8KzKCSTXVJ1wWT4QeAKEu33x1q8=
|
||||
github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
|
||||
github.com/gofrs/uuid v3.3.0+incompatible/go.mod h1:b2aQJv3Z4Fp6yNu3cdSllBxTCLRxnplIgP/c0N/04lM=
|
||||
github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ=
|
||||
github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
|
||||
github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
|
||||
github.com/golang-jwt/jwt/v4 v4.4.2/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
|
||||
github.com/golang-jwt/jwt/v4 v4.5.2 h1:YtQM7lnr8iZ+j5q71MGKkNw9Mn7AjHM68uc9g5fXeUI=
|
||||
github.com/golang-jwt/jwt/v4 v4.5.2/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
|
||||
@@ -534,7 +532,6 @@ github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeN
|
||||
github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
|
||||
github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
|
||||
github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
|
||||
github.com/google/go-github v17.0.0+incompatible h1:N0LgJ1j65A7kfXrZnUDaYCs/Sf4rEjNlfyDHW9dolSY=
|
||||
github.com/google/go-github v17.0.0+incompatible/go.mod h1:zLgOLi98H3fifZn+44m+umXrS52loVEgC2AApnigrVQ=
|
||||
github.com/google/go-github/v30 v30.1.0 h1:VLDx+UolQICEOKu2m4uAoMti1SxuEBAl7RSEG16L+Oo=
|
||||
github.com/google/go-github/v30 v30.1.0/go.mod h1:n8jBpHl45a/rlBUtRJMOG4GhNADUQFEufcolZ95JfU8=
|
||||
@@ -569,13 +566,15 @@ github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1/go.mod h1:wJfORR
|
||||
github.com/gorilla/css v1.0.1 h1:ntNaBIghp6JmvWnxbZKANoLyuXTPZ4cAMlo6RyhlbO8=
|
||||
github.com/gorilla/css v1.0.1/go.mod h1:BvnYkspnSzMmwRK+b8/xgNPLiIuNZr6vbZBTPQ2A3b0=
|
||||
github.com/gorilla/securecookie v1.1.1/go.mod h1:ra0sb63/xPlUeL+yeDciTfxMRAA+MP+HVt/4epWDjd4=
|
||||
github.com/gorilla/securecookie v1.1.2 h1:YCIWL56dvtr73r6715mJs5ZvhtnY73hBvEF8kXD8ePA=
|
||||
github.com/gorilla/securecookie v1.1.2/go.mod h1:NfCASbcHqRSY+3a8tlWJwsQap2VX5pwzwo4h3eOamfo=
|
||||
github.com/gorilla/sessions v1.2.1/go.mod h1:dk2InVEVJ0sfLlnXv9EAgkf6ecYs/i80K/zI+bUmuGM=
|
||||
github.com/gorilla/sessions v1.4.0 h1:kpIYOp/oi6MG/p5PgxApU8srsSw9tuFbt46Lt7auzqQ=
|
||||
github.com/gorilla/sessions v1.4.0/go.mod h1:FLWm50oby91+hl7p/wRxDth9bWSuk0qVL2emc7lT5ik=
|
||||
github.com/gosimple/slug v1.15.0 h1:wRZHsRrRcs6b0XnxMUBM6WK1U1Vg5B0R7VkIf1Xzobo=
|
||||
github.com/gosimple/slug v1.15.0/go.mod h1:UiRaFH+GEilHstLUmcBgWcI42viBN7mAb818JrYOeFQ=
|
||||
github.com/gosimple/unidecode v1.0.1 h1:hZzFTMMqSswvf0LBJZCZgThIZrpDHFXux9KeGmn6T/o=
|
||||
github.com/gosimple/unidecode v1.0.1/go.mod h1:CP0Cr1Y1kogOtx0bJblKzsVWrqYaqfNOnHzpgWw4Awc=
|
||||
github.com/grpc-ecosystem/grpc-gateway/v2 v2.26.3 h1:5ZPtiqj0JL5oKWmcsq4VMaAW5ukBEgSGXEN89zeH1Jo=
|
||||
github.com/grpc-ecosystem/grpc-gateway/v2 v2.26.3/go.mod h1:ndYquD05frm2vACXE1nsccT4oJzjhw2arTS2cpUD1PI=
|
||||
github.com/h2non/filetype v1.1.3 h1:FKkx9QbD7HR/zjK1Ia5XiBsq9zdLi5Kf3zGyFTAFkGg=
|
||||
github.com/h2non/filetype v1.1.3/go.mod h1:319b3zT68BvV+WRj7cwy856M2ehB3HqNOt6sy1HndBY=
|
||||
github.com/hashicorp/go-cleanhttp v0.5.2 h1:035FKYIWjmULyFRBKPs8TBQoi0x6d9G4xc9neXJWAZQ=
|
||||
@@ -608,10 +607,10 @@ github.com/ianlancetaylor/demangle v0.0.0-20230524184225-eabc099b10ab/go.mod h1:
|
||||
github.com/imdario/mergo v0.3.12/go.mod h1:jmQim1M+e3UYxmgPu/WyfjB3N3VflVyUjjjwH0dnCYA=
|
||||
github.com/imdario/mergo v0.3.16 h1:wwQJbIsHYGMUyLSPrEq1CT16AhnhNJQ51+4fdHUnCl4=
|
||||
github.com/imdario/mergo v0.3.16/go.mod h1:WBLT9ZmE3lPoWsEzCh9LPo3TiwVN+ZKEjmz+hD27ysY=
|
||||
github.com/indece-official/go-ebcdic v1.2.0 h1:nKCubkNoXrGvBp3MSYuplOQnhANCDEY512Ry5Mwr4a0=
|
||||
github.com/indece-official/go-ebcdic v1.2.0/go.mod h1:RBddVJt0Ks0eDLRG5dhPwBDRiTNA7n+yv0dVFpSs46Q=
|
||||
github.com/invopop/jsonschema v0.13.0 h1:KvpoAJWEjR3uD9Kbm2HWJmqsEaHt8lBUpd0qHcIi21E=
|
||||
github.com/invopop/jsonschema v0.13.0/go.mod h1:ffZ5Km5SWWRAIN6wbDXItl95euhFz2uON45H2qjYt+0=
|
||||
github.com/invopop/yaml v0.3.1 h1:f0+ZpmhfBSS4MhG+4HYseMdJhoeeopbSKbq5Rpeelso=
|
||||
github.com/invopop/yaml v0.3.1/go.mod h1:PMOp3nn4/12yEZUFfmOuNHJsZToEEOwoWsT+D81KkeA=
|
||||
github.com/itchyny/gojq v0.12.17 h1:8av8eGduDb5+rvEdaOO+zQUjA04MS0m3Ps8HiD+fceg=
|
||||
github.com/itchyny/gojq v0.12.17/go.mod h1:WBrEMkgAfAGO1LUcGOckBl5O726KPp+OlkKug0I/FEY=
|
||||
github.com/itchyny/timefmt-go v0.1.6 h1:ia3s54iciXDdzWzwaVKXZPbiXzxxnv1SPGFfM/myJ5Q=
|
||||
@@ -665,13 +664,12 @@ github.com/kevinburke/ssh_config v1.2.0 h1:x584FjTGwHzMwvHx18PXxbBVzfnxogHaAReU4
|
||||
github.com/kevinburke/ssh_config v1.2.0/go.mod h1:CT57kijsi8u/K/BOFA39wgDQJ9CxiF4nAY/ojJ6r6mM=
|
||||
github.com/keybase/go-keychain v0.0.1 h1:way+bWYa6lDppZoZcgMbYsvC7GxljxrskdNInRtuthU=
|
||||
github.com/keybase/go-keychain v0.0.1/go.mod h1:PdEILRW3i9D8JcdM+FmY6RwkHGnhHxXwkPPMeUgOK1k=
|
||||
github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8=
|
||||
github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
|
||||
github.com/kitabisa/go-ci v1.0.3 h1:JmIUIvcercRQc/9x/v02ydCCqU4MadSHaNaOF8T2pGA=
|
||||
github.com/kitabisa/go-ci v1.0.3/go.mod h1:e3wBSzaJbcifXrr/Gw2ZBLn44MmeqP5WySwXyHlCK/U=
|
||||
github.com/klauspost/compress v1.4.1/go.mod h1:RyIbtBH6LamlWaDj8nUwkbUhJ87Yi3uG0guNDohfE1A=
|
||||
github.com/klauspost/compress v1.18.2 h1:iiPHWW0YrcFgpBYhsA6D1+fqHssJscY/Tm/y2Uqnapk=
|
||||
github.com/klauspost/compress v1.18.2/go.mod h1:R0h/fSBs8DE4ENlcrlib3PsXS61voFxhIs2DeRhCvJ4=
|
||||
github.com/klauspost/compress v1.18.5 h1:/h1gH5Ce+VWNLSWqPzOVn6XBO+vJbCNGvjoaGBFW2IE=
|
||||
github.com/klauspost/compress v1.18.5/go.mod h1:cwPg85FWrGar70rWktvGQj8/hthj3wpl0PGDogxkrSQ=
|
||||
github.com/klauspost/cpuid v1.2.0/go.mod h1:Pj4uuM528wm8OyEC2QMXAi2YiTZ96dNQPGgoMS4s3ek=
|
||||
github.com/klauspost/cpuid/v2 v2.3.0 h1:S4CRMLnYUhGeDFDqkGriYKdfoFlDnMtqTiI/sFzhA9Y=
|
||||
github.com/klauspost/cpuid/v2 v2.3.0/go.mod h1:hqwkgyIinND0mEev00jJYCxPNVRVXFQeu1XKlok6oO0=
|
||||
@@ -690,10 +688,6 @@ github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
|
||||
github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
|
||||
github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0SNc=
|
||||
github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw=
|
||||
github.com/labstack/echo/v4 v4.13.4 h1:oTZZW+T3s9gAu5L8vmzihV7/lkXGZuITzTQkTEhcXEA=
|
||||
github.com/labstack/echo/v4 v4.13.4/go.mod h1:g63b33BZ5vZzcIUF8AtRH40DrTlXnx4UMC8rBdndmjQ=
|
||||
github.com/labstack/gommon v0.4.2 h1:F8qTUNXgG1+6WQmqoUWnz8WiEU60mXVVw0P4ht1WRA0=
|
||||
github.com/labstack/gommon v0.4.2/go.mod h1:QlUFxVM+SNXhDL/Z7YhocGIBYOiwB0mXm1+1bAPHPyU=
|
||||
github.com/ledongthuc/pdf v0.0.0-20220302134840-0c2507a12d80/go.mod h1:imJHygn/1yfhB7XSJJKlFZKl/J+dCPAknuiaGOshXAs=
|
||||
github.com/leodido/go-urn v1.4.0 h1:WT9HwE9SGECu3lg4d/dIA+jxlljEa1/ffXKmRjqdmIQ=
|
||||
github.com/leodido/go-urn v1.4.0/go.mod h1:bvxc+MVxLKB4z00jd1z+Dvzr47oO32F/QSNjSBOlFxI=
|
||||
@@ -722,13 +716,16 @@ github.com/mackerelio/go-osstat v0.2.6 h1:gs4U8BZeS1tjrL08tt5VUliVvSWP26Ai2Ob8Lr
|
||||
github.com/mackerelio/go-osstat v0.2.6/go.mod h1:lRy8V9ZuHpuRVZh+vyTkODeDPl3/d5MgXHtLSaqG8bA=
|
||||
github.com/mailru/easyjson v0.7.7 h1:UGYAvKxe3sBsEDzO8ZeWOSlIQfWFlxbzLZe7hwFURr0=
|
||||
github.com/mailru/easyjson v0.7.7/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc=
|
||||
github.com/mattn/go-colorable v0.1.13/go.mod h1:7S9/ev0klgBDR4GtXTXX8a3vIGJpMovkB8vQcUbaXHg=
|
||||
github.com/mattn/go-colorable v0.1.14 h1:9A9LHSqF/7dyVVX6g0U9cwm9pG3kP9gSzcuIPHPsaIE=
|
||||
github.com/mattn/go-colorable v0.1.14/go.mod h1:6LmQG8QLFO4G5z1gPvYEzlUgJ2wF+stgPZH1UqBm1s8=
|
||||
github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY=
|
||||
github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
|
||||
github.com/mattn/go-isatty v0.0.16/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM=
|
||||
github.com/mattn/go-isatty v0.0.19/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
|
||||
github.com/mattn/go-isatty v0.0.22 h1:j8l17JJ9i6VGPUFUYoTUKPSgKe/83EYU2zBC7YNKMw4=
|
||||
github.com/mattn/go-isatty v0.0.22/go.mod h1:ZXfXG4SQHsB/w3ZeOYbR0PrPwLy+n6xiMrJlRFqopa4=
|
||||
github.com/mattn/go-runewidth v0.0.12/go.mod h1:RAqKPSqVFrSLVXbA8x7dzmKdmGzieGRCM46jaSJTDAk=
|
||||
github.com/mattn/go-runewidth v0.0.16 h1:E5ScNMtiwvlvB5paMFdw9p4kSQzbXFikJ5SQO6TULQc=
|
||||
github.com/mattn/go-runewidth v0.0.16/go.mod h1:Jdepj2loyihRzMpdS35Xk/zdY8IAYHsh153qUoGf23w=
|
||||
github.com/mattn/go-runewidth v0.0.17 h1:78v8ZlW0bP43XfmAfPsdXcoNCelfMHsDmd/pkENfrjQ=
|
||||
github.com/mattn/go-runewidth v0.0.17/go.mod h1:Jdepj2loyihRzMpdS35Xk/zdY8IAYHsh153qUoGf23w=
|
||||
github.com/mattn/go-sqlite3 v1.14.28 h1:ThEiQrnbtumT+QMknw63Befp/ce/nUPgBPMlRFEum7A=
|
||||
github.com/mattn/go-sqlite3 v1.14.28/go.mod h1:Uh1q+B4BYcTPb+yiD3kU8Ct7aC0hY9fxUwlHK0RXw+Y=
|
||||
github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0=
|
||||
@@ -758,14 +755,10 @@ github.com/mitchellh/go-homedir v1.1.0 h1:lukF9ziXFxDFPkA1vsr5zpc1XuPDn/wFntq5mG
|
||||
github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0=
|
||||
github.com/moby/docker-image-spec v1.3.1 h1:jMKff3w6PgbfSa69GfNg+zN/XLhfXJGnEx3Nl2EsFP0=
|
||||
github.com/moby/docker-image-spec v1.3.1/go.mod h1:eKmb5VW8vQEh/BAr2yvVNvuiJuY6UIocYsFu/DxxRpo=
|
||||
github.com/moby/moby/api v1.53.0 h1:PihqG1ncw4W+8mZs69jlwGXdaYBeb5brF6BL7mPIS/w=
|
||||
github.com/moby/moby/api v1.53.0/go.mod h1:8mb+ReTlisw4pS6BRzCMts5M49W5M7bKt1cJy/YbAqc=
|
||||
github.com/moby/moby/client v0.2.2 h1:Pt4hRMCAIlyjL3cr8M5TrXCwKzguebPAc2do2ur7dEM=
|
||||
github.com/moby/moby/client v0.2.2/go.mod h1:2EkIPVNCqR05CMIzL1mfA07t0HvVUUOl85pasRz/GmQ=
|
||||
github.com/moby/sys/atomicwriter v0.1.0 h1:kw5D/EqkBwsBFi0ss9v1VG3wIkVhzGvLklJ+w3A14Sw=
|
||||
github.com/moby/sys/atomicwriter v0.1.0/go.mod h1:Ul8oqv2ZMNHOceF643P6FKPXeCmYtlQMvpizfsSoaWs=
|
||||
github.com/moby/sys/sequential v0.6.0 h1:qrx7XFUd/5DxtqcoH1h438hF5TmOvzC/lspjy7zgvCU=
|
||||
github.com/moby/sys/sequential v0.6.0/go.mod h1:uyv8EUTrca5PnDsdMGXhZe6CCe8U/UiTWd+lL+7b/Ko=
|
||||
github.com/moby/moby/api v1.54.2 h1:wiat9QAhnDQjA7wk1kh/TqHz2I1uUA7M7t9SAl/JNXg=
|
||||
github.com/moby/moby/api v1.54.2/go.mod h1:+RQ6wluLwtYaTd1WnPLykIDPekkuyD/ROWQClE83pzs=
|
||||
github.com/moby/moby/client v0.4.1 h1:DMQgisVoMkmMs7fp3ROSdiBnoAu8+vo3GggFl06M/wY=
|
||||
github.com/moby/moby/client v0.4.1/go.mod h1:z52C9O2POPOsnxZAy//WtKcQ32P+jT/NGeXu/7nfjGQ=
|
||||
github.com/moby/sys/user v0.4.0 h1:jhcMKit7SA80hivmFJcbB1vqmw//wU61Zdui2eQXuMs=
|
||||
github.com/moby/sys/user v0.4.0/go.mod h1:bG+tYYYJgaMtRKgEmuueC0hJEAZWwtIbZTB+85uoHjs=
|
||||
github.com/moby/term v0.5.2 h1:6qk3FJAFDs6i/q3W/pQ97SX192qKfZgGjCQqfCJkgzQ=
|
||||
@@ -781,8 +774,6 @@ github.com/mohae/deepcopy v0.0.0-20170929034955-c48cc78d4826 h1:RWengNIwukTxcDr9
|
||||
github.com/mohae/deepcopy v0.0.0-20170929034955-c48cc78d4826/go.mod h1:TaXosZuwdSHYgviHp1DAtfrULt5eUgsSMsZf+YrPgl8=
|
||||
github.com/montanaflynn/stats v0.7.1 h1:etflOAAHORrCC44V+aR6Ftzort912ZU+YLiSTuV8eaE=
|
||||
github.com/montanaflynn/stats v0.7.1/go.mod h1:etXPPgVO6n31NxCd9KQUMvCM+ve0ruNzt6R8Bnaayow=
|
||||
github.com/morikuni/aec v1.0.0 h1:nP9CBfwrvYnBRgY6qfDQkygYDmYwOilePFkwzv4dU8A=
|
||||
github.com/morikuni/aec v1.0.0/go.mod h1:BbKIizmSmc5MMPqRYbxO4ZU0S0+P200+tUnFx7PXmsc=
|
||||
github.com/mreiferson/go-httpclient v0.0.0-20160630210159-31f0106b4474/go.mod h1:OQA4XLvDbMgS8P0CevmM4m9Q3Jq4phKUzcocxuGJ5m8=
|
||||
github.com/mreiferson/go-httpclient v0.0.0-20201222173833-5e475fde3a4d/go.mod h1:OQA4XLvDbMgS8P0CevmM4m9Q3Jq4phKUzcocxuGJ5m8=
|
||||
github.com/muesli/reflow v0.3.0 h1:IFsN6K9NfGtjeggFP+68I4chLZV2yIKsXJFNZ+eWh6s=
|
||||
@@ -791,6 +782,8 @@ github.com/muesli/termenv v0.16.0 h1:S5AlUN9dENB57rsbnkPyfdGuWIlkmzJjbFf0Tf5FWUc
|
||||
github.com/muesli/termenv v0.16.0/go.mod h1:ZRfOIKPFDYQoDFF4Olj7/QJbW60Ol/kL1pU3VfY/Cnk=
|
||||
github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U=
|
||||
github.com/mwitkow/go-conntrack v0.0.0-20190716064945-2f068394615f/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U=
|
||||
github.com/nlnwa/whatwg-url v0.6.2 h1:jU61lU2ig4LANydbEJmA2nPrtCGiKdtgT0rmMd2VZ/Q=
|
||||
github.com/nlnwa/whatwg-url v0.6.2/go.mod h1:x0FPXJzzOEieQtsBT/AKvbiBbQ46YlL6Xa7m02M1ECk=
|
||||
github.com/nwaples/rardecode/v2 v2.2.2 h1:/5oL8dzYivRM/tqX9VcTSWfbpwcbwKG1QtSJr3b3KcU=
|
||||
github.com/nwaples/rardecode/v2 v2.2.2/go.mod h1:7uz379lSxPe6j9nvzxUZ+n7mnJNgjsRNb6IbvGVHRmw=
|
||||
github.com/nxadm/tail v1.4.11 h1:8feyoE3OzPrcshW5/MJ4sGESc5cqmGkGCWlco4l0bqY=
|
||||
@@ -799,6 +792,12 @@ github.com/oasdiff/yaml v0.0.0-20250309154309-f31be36b4037 h1:G7ERwszslrBzRxj//J
|
||||
github.com/oasdiff/yaml v0.0.0-20250309154309-f31be36b4037/go.mod h1:2bpvgLBZEtENV5scfDFEtB/5+1M4hkQhDQrccEJ/qGw=
|
||||
github.com/oasdiff/yaml3 v0.0.0-20250309153720-d2182401db90 h1:bQx3WeLcUWy+RletIKwUIt4x3t8n2SxavmoclizMb8c=
|
||||
github.com/oasdiff/yaml3 v0.0.0-20250309153720-d2182401db90/go.mod h1:y5+oSEHCPT/DGrS++Wc/479ERge0zTFxaF8PbGKcg2o=
|
||||
github.com/oiweiwei/go-msrpc v1.2.12 h1:gaxnv1cyX3v9l+NNxyr4ONyvh/mnmh8Egel9r8zxNxE=
|
||||
github.com/oiweiwei/go-msrpc v1.2.12/go.mod h1:T6/ENmAoD1nYCr3NW8PS8AjIX0tZEAL7yO0tsejtK18=
|
||||
github.com/oiweiwei/go-smb2.fork v1.0.0 h1:xHq/eYPM8hQEO/nwCez8YwHWHC8mlcsgw/Neu52fPN4=
|
||||
github.com/oiweiwei/go-smb2.fork v1.0.0/go.mod h1:h0CzLVvGAmq39izdYVHKyI5cLv6aHdbQAMKEe4dz4N8=
|
||||
github.com/oiweiwei/gokrb5.fork/v9 v9.0.6 h1:ZMXO5OtzPPSqZ7KPgknVuvHE5iAbSXq5JLgzrkiXknM=
|
||||
github.com/oiweiwei/gokrb5.fork/v9 v9.0.6/go.mod h1:KEnkAYUYqZ5VwzxLFbv3JHlRhCvdFahjrdjjssMJJkI=
|
||||
github.com/olekukonko/errors v1.1.0 h1:RNuGIh15QdDenh+hNvKrJkmxxjV4hcS50Db478Ou5sM=
|
||||
github.com/olekukonko/errors v1.1.0/go.mod h1:ppzxA5jBKcO1vIpCXQ9ZqgDh8iwODz6OXIGKU8r5m4Y=
|
||||
github.com/olekukonko/ll v0.0.9 h1:Y+1YqDfVkqMWuEQMclsF9HUR5+a82+dxJuL1HHSRpxI=
|
||||
@@ -817,8 +816,8 @@ github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8
|
||||
github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
|
||||
github.com/opencontainers/image-spec v1.1.1 h1:y0fUlFfIZhPF1W537XOLg0/fcx6zcHCJwooC2xJA040=
|
||||
github.com/opencontainers/image-spec v1.1.1/go.mod h1:qpqAh3Dmcf36wStyyWU+kCeDgrGnAve2nCC8+7h8Q0M=
|
||||
github.com/opencontainers/runc v1.2.8 h1:RnEICeDReapbZ5lZEgHvj7E9Q3Eex9toYmaGBsbvU5Q=
|
||||
github.com/opencontainers/runc v1.2.8/go.mod h1:cC0YkmZcuvr+rtBZ6T7NBoVbMGNAdLa/21vIElJDOzI=
|
||||
github.com/opencontainers/runc v1.3.6 h1:SLGIymCtsk80iNPWgbc8dtjI30r+5mTVV+4dN8/17Sk=
|
||||
github.com/opencontainers/runc v1.3.6/go.mod h1:o1wyv76EDlTkcf0KTFgN8bMWLPvgF/HfX709lDv+rr4=
|
||||
github.com/orisano/pixelmatch v0.0.0-20220722002657-fb0b55479cde/go.mod h1:nZgzbfBr3hhjoZnS66nKrHmduYNpc34ny7RK4z5/HM0=
|
||||
github.com/ory/dockertest/v3 v3.12.0 h1:3oV9d0sDzlSQfHtIaB5k6ghUCVMVLpAY8hwrqoCyRCw=
|
||||
github.com/ory/dockertest/v3 v3.12.0/go.mod h1:aKNDTva3cp8dwOWwb9cWuX84aH5akkxXRvO7KCwWVjE=
|
||||
@@ -847,14 +846,14 @@ github.com/projectdiscovery/asnmap v1.1.1 h1:ImJiKIaACOT7HPx4Pabb5dksolzaFYsD1kI
|
||||
github.com/projectdiscovery/asnmap v1.1.1/go.mod h1:QT7jt9nQanj+Ucjr9BqGr1Q2veCCKSAVyUzLXfEcQ60=
|
||||
github.com/projectdiscovery/blackrock v0.0.1 h1:lHQqhaaEFjgf5WkuItbpeCZv2DUIE45k0VbGJyft6LQ=
|
||||
github.com/projectdiscovery/blackrock v0.0.1/go.mod h1:ANUtjDfaVrqB453bzToU+YB4cUbvBRpLvEwoWIwlTss=
|
||||
github.com/projectdiscovery/cdncheck v1.2.31 h1:8iD/MLDdMdMziM3RA5FkjUxO6kIwwgAoxWaL6RBIIl0=
|
||||
github.com/projectdiscovery/cdncheck v1.2.31/go.mod h1:6/B6caF1+97hR9cICMlzIYR8hpAN/y3AlJPHI2q48PQ=
|
||||
github.com/projectdiscovery/clistats v0.1.1 h1:8mwbdbwTU4aT88TJvwIzTpiNeow3XnAB72JIg66c8wE=
|
||||
github.com/projectdiscovery/clistats v0.1.1/go.mod h1:4LtTC9Oy//RiuT1+76MfTg8Hqs7FQp1JIGBM3nHK6a0=
|
||||
github.com/projectdiscovery/dsl v0.8.14 h1:g9szcXk2RRdVf2rsHEzbTXOPxiny3haKonSncU6pg2w=
|
||||
github.com/projectdiscovery/dsl v0.8.14/go.mod h1:LYImt/EiBzqTWG1RswT3Yl0DZbfjUP93Nvq2Z/G7dcE=
|
||||
github.com/projectdiscovery/fastdialer v0.5.6 h1:kIBFmzbXrua41uf4fGsQClTZmT7cm7E3vVgcSj8gs6Q=
|
||||
github.com/projectdiscovery/fastdialer v0.5.6/go.mod h1:QxvCe02Jii+j8vA3hWYkymgZIY8cqMgs2s3Jbz6mvbs=
|
||||
github.com/projectdiscovery/cdncheck v1.2.42 h1:Y1Q9MPq7uuv25+aGlgjA5nToOcsk+9gNEKjicyhIwQI=
|
||||
github.com/projectdiscovery/cdncheck v1.2.42/go.mod h1:9oE9KKxCSHNvUf0UaMeqqUwWpC38FkNaTll0ScIBT3w=
|
||||
github.com/projectdiscovery/clistats v0.1.4 h1:kDnXoNxIdOvQElOF7k2Mt6XosGa5GbMKPtRXdPHMVzU=
|
||||
github.com/projectdiscovery/clistats v0.1.4/go.mod h1:hjJYNcUubk9T3cuFvA+JkLhZGjzYW50fkC48dqUAtbU=
|
||||
github.com/projectdiscovery/dsl v0.8.20 h1:CxWcKuoHFpOSS1kzqnbJuK5No/6qoRG8IzNDMnZ6c/M=
|
||||
github.com/projectdiscovery/dsl v0.8.20/go.mod h1:e1oHi7mxAxF+UhBhD5gOk90Ga6LQqvFea2voMO1E5D0=
|
||||
github.com/projectdiscovery/fastdialer v0.5.11 h1:eI7jfwz0i73Ot1cowIBezQLxbg0i6INdAsFGJjfwPa0=
|
||||
github.com/projectdiscovery/fastdialer v0.5.11/go.mod h1:W1ZkULr9mMR6i0oRFTztANnpVyEEzPUovK8sUM4eAw8=
|
||||
github.com/projectdiscovery/fasttemplate v0.0.2 h1:h2cISk5xDhlJEinlBQS6RRx0vOlOirB2y3Yu4PJzpiA=
|
||||
github.com/projectdiscovery/fasttemplate v0.0.2/go.mod h1:XYWWVMxnItd+r0GbjA1GCsUopMw1/XusuQxdyAIHMCw=
|
||||
github.com/projectdiscovery/freeport v0.0.7 h1:Q6uXo/j8SaV/GlAHkEYQi8WQoPXyJWxyspx+aFmz9Qk=
|
||||
@@ -865,14 +864,20 @@ github.com/projectdiscovery/go-smb2 v0.0.0-20240129202741-052cc450c6cb h1:rutG90
|
||||
github.com/projectdiscovery/go-smb2 v0.0.0-20240129202741-052cc450c6cb/go.mod h1:FLjF1DmZ+POoGEiIQdWuYVwS++C/GwpX8YaCsTSm1RY=
|
||||
github.com/projectdiscovery/goflags v0.1.74 h1:n85uTRj5qMosm0PFBfsvOL24I7TdWRcWq/1GynhXS7c=
|
||||
github.com/projectdiscovery/goflags v0.1.74/go.mod h1:UMc9/7dFz2oln+10tv6cy+7WZKTHf9UGhaNkF95emh4=
|
||||
github.com/projectdiscovery/gologger v1.1.68 h1:KfdIO/3X7BtHssWZuqhxPZ+A946epCCx2cz+3NnRAnU=
|
||||
github.com/projectdiscovery/gologger v1.1.68/go.mod h1:Xae0t4SeqJVa0RQGK9iECx/+HfXhvq70nqOQp2BuW+o=
|
||||
github.com/projectdiscovery/goja v0.0.0-20260618133720-acb73e419534 h1:hYd1zQA/dxO2ASyQ6Re73TcJkW1LjLQvt4+86Hxefz8=
|
||||
github.com/projectdiscovery/goja v0.0.0-20260618133720-acb73e419534/go.mod h1:SO0AP+uKfYeeoR6jyVH/PKRYJE/f5gJrPMAM00iGEMc=
|
||||
github.com/projectdiscovery/goja_nodejs v0.0.0-20260618132410-8519f75f703d h1:fqqH9LHpN2WDz9QuxFrhKNxXSRtzk+Sa6jAhbB7tXcQ=
|
||||
github.com/projectdiscovery/goja_nodejs v0.0.0-20260618132410-8519f75f703d/go.mod h1:Ezmbgdaw4EunGGBU4MQViLoGMJc37LA3ip55YV3KeRI=
|
||||
github.com/projectdiscovery/gologger v1.1.71 h1:IYU4mw9viKdSzMTIGVpYuw1Gtg7QIHIStqAQgeNXcBQ=
|
||||
github.com/projectdiscovery/gologger v1.1.71/go.mod h1:mJwODZcFDg70ihINpOvZevmBtgvpP8H9/l8Y+OPhZPY=
|
||||
github.com/projectdiscovery/gostruct v0.0.2 h1:s8gP8ApugGM4go1pA+sVlPDXaWqNP5BBDDSv7VEdG1M=
|
||||
github.com/projectdiscovery/gostruct v0.0.2/go.mod h1:H86peL4HKwMXcQQtEa6lmC8FuD9XFt6gkNR0B/Mu5PE=
|
||||
github.com/projectdiscovery/gozero v0.1.1-0.20251027191944-a4ea43320b81 h1:yHh46pJovYbyiaHCV7oIDinFmy+Fyq36H1BowJgb0M0=
|
||||
github.com/projectdiscovery/gozero v0.1.1-0.20251027191944-a4ea43320b81/go.mod h1:9lmGPBDGZVANzCGjQg+V32n8Y3Cgjo/4kT0E88lsVTI=
|
||||
github.com/projectdiscovery/hmap v0.0.100 h1:DBZ3Req9lWf4P1YC9PRa4eiMvLY0Uxud43NRBcocPfs=
|
||||
github.com/projectdiscovery/hmap v0.0.100/go.mod h1:2O06pR8pHOP9wSmxAoxuM45U7E+UqOqOdlSIeddM0bA=
|
||||
github.com/projectdiscovery/govaluate v0.0.0-20260615100919-5ee2581bbf7e h1:vxzgQlz2Cy/YvizYDQx9OhucBcmBotfDhbQ4yCY2vfA=
|
||||
github.com/projectdiscovery/govaluate v0.0.0-20260615100919-5ee2581bbf7e/go.mod h1:xH7bPwHxUlz1yx9UlVeTF+UVCUaKhTnZgaxHb5z362E=
|
||||
github.com/projectdiscovery/gozero v0.1.1-0.20260530071156-fa1dad563d76 h1:AN70bbi6BBs7KpIM9w0LxygUN7uzT/oH+owDIQ+Fz/k=
|
||||
github.com/projectdiscovery/gozero v0.1.1-0.20260530071156-fa1dad563d76/go.mod h1:cWHYnRXoYWHtTpOYyAp5laGYX8GH8ITUhgQaP8G/8FA=
|
||||
github.com/projectdiscovery/hmap v0.0.101 h1:zXM6YtLmsn8Q0CUUw8QavhqWmiQYwaw+/U679Rr00pc=
|
||||
github.com/projectdiscovery/hmap v0.0.101/go.mod h1:w6N9/a5H8kvyx53AhtPDUWe5Qq3D6NBDPA23glHpa/Q=
|
||||
github.com/projectdiscovery/httpx v1.9.0 h1:5yn4ik/LqZ+v3MLgU7+CZJQyND9osW9NmZ3squylxsc=
|
||||
github.com/projectdiscovery/httpx v1.9.0/go.mod h1:jGTRyUHddo2WyK4klWIwQXgGF1Lu39XVyzlue4H3pX8=
|
||||
github.com/projectdiscovery/interactsh v1.3.1 h1:5HzeVGVCAX/cjTguJ+7ClOmML5r97Ty7op9s+/F7BiM=
|
||||
@@ -885,34 +890,34 @@ github.com/projectdiscovery/mapcidr v1.1.97 h1:7FkxNNVXp+m1rIu5Nv/2SrF9k4+LwP8Qu
|
||||
github.com/projectdiscovery/mapcidr v1.1.97/go.mod h1:9dgTJh1SP02gYZdpzMjm6vtYFkEHQHoTyaVNvaeJ7lA=
|
||||
github.com/projectdiscovery/n3iwf v0.0.0-20230523120440-b8cd232ff1f5 h1:L/e8z8yw1pfT6bg35NiN7yd1XKtJap5Nk6lMwQ0RNi8=
|
||||
github.com/projectdiscovery/n3iwf v0.0.0-20230523120440-b8cd232ff1f5/go.mod h1:pGW2ncnTxTxHtP9wzcIJAB+3/NMp6IiuQWd2NK7K+oc=
|
||||
github.com/projectdiscovery/networkpolicy v0.1.36 h1:88EAYvEplBmn4vlGKenZJtzsGkEWALX3QzPiY930GtA=
|
||||
github.com/projectdiscovery/networkpolicy v0.1.36/go.mod h1:lrm+DXxtH0cGpM4OKhILC+9ktnzrXVYcM0S2Jk+gQcc=
|
||||
github.com/projectdiscovery/nuclei/v3 v3.8.0 h1:UfIDjoHBsvACtvO4x8XIp6COffH+0G4sqco1qrijZqw=
|
||||
github.com/projectdiscovery/nuclei/v3 v3.8.0/go.mod h1:xBCCFK5nMafAuf3sWyOojzL9pKN91tj4Uwj2TK7HhOM=
|
||||
github.com/projectdiscovery/ratelimit v0.0.85 h1:TrqYis/+6Djac20n3kgFXQbN/xj7ywObJpH3xDOd+40=
|
||||
github.com/projectdiscovery/ratelimit v0.0.85/go.mod h1:enLZ8XGL02WPBhuoHAhgvMgOpuU9ALhFpFgCps5lxmM=
|
||||
github.com/projectdiscovery/networkpolicy v0.1.41 h1:6daf4A8Vj1+iQ7nH2FR4+sOYd7q1WH1qfN61EyQU74c=
|
||||
github.com/projectdiscovery/networkpolicy v0.1.41/go.mod h1:9ULLaMbdv9UnT0C5rmuK4nIwYs0o776xMnkPUb8TtaE=
|
||||
github.com/projectdiscovery/nuclei/v3 v3.10.0 h1:hKWXhfqKvpxGa1vFaS0TlkSPY7EZy4VG7ml4JAMJavo=
|
||||
github.com/projectdiscovery/nuclei/v3 v3.10.0/go.mod h1:pWZNFVtdIHHSWCV6ouGHUPzvdARD+OGN5K9WrVw0plQ=
|
||||
github.com/projectdiscovery/ratelimit v0.0.88 h1:AcurW9aLRzlEyPe9kSjnOpr3XzLMWTpiWAlW/w73ALU=
|
||||
github.com/projectdiscovery/ratelimit v0.0.88/go.mod h1:CU1s+68UUG2mctSl2wi32/DHLJA6TMg+4rxgP59LfVk=
|
||||
github.com/projectdiscovery/rawhttp v0.1.90 h1:LOSZ6PUH08tnKmWsIwvwv1Z/4zkiYKYOSZ6n+8RFKtw=
|
||||
github.com/projectdiscovery/rawhttp v0.1.90/go.mod h1:VZYAM25UI/wVB3URZ95ZaftgOnsbphxyAw/XnQRRz4Y=
|
||||
github.com/projectdiscovery/rdap v0.9.1-0.20221108103045-9865884d1917 h1:m03X4gBVSorSzvmm0bFa7gDV4QNSOWPL/fgZ4kTXBxk=
|
||||
github.com/projectdiscovery/rdap v0.9.1-0.20221108103045-9865884d1917/go.mod h1:JxXtZC9e195awe7EynrcnBJmFoad/BNDzW9mzFkK8Sg=
|
||||
github.com/projectdiscovery/retryabledns v1.0.114 h1:COyNKzhA7oa3C/1639WRXeXsKrUJx06paVbN64IHZ3E=
|
||||
github.com/projectdiscovery/retryabledns v1.0.114/go.mod h1:+DyanDr8naxQ2dRO9c4Ezo3NHHXhz8L0tTSRYWhiwyA=
|
||||
github.com/projectdiscovery/retryablehttp-go v1.3.8 h1:TA075ioaVyaM65R3dSzKSbOCiJSvFrlGScxzScu4ik8=
|
||||
github.com/projectdiscovery/retryablehttp-go v1.3.8/go.mod h1:/vas835LvB4aqK9vCPGSgKF7Q7hY/BRcIJ/TgM2sPAY=
|
||||
github.com/projectdiscovery/sarif v0.0.1 h1:C2Tyj0SGOKbCLgHrx83vaE6YkzXEVrMXYRGLkKCr/us=
|
||||
github.com/projectdiscovery/sarif v0.0.1/go.mod h1:cEYlDu8amcPf6b9dSakcz2nNnJsoz4aR6peERwV+wuQ=
|
||||
github.com/projectdiscovery/retryabledns v1.0.115 h1:RKV63FNIznFHUoawg/1hs53pVH3wqPtFhwstCuxVSoA=
|
||||
github.com/projectdiscovery/retryabledns v1.0.115/go.mod h1:+fEMWoPigw+M0lGNKY7AZ+g8FIgj+4sONjsinMmeL3k=
|
||||
github.com/projectdiscovery/retryablehttp-go v1.3.16 h1:M/xICwSaiSHhd5OIarU3+5JoU7VmbiSAAwYUCK7CTjw=
|
||||
github.com/projectdiscovery/retryablehttp-go v1.3.16/go.mod h1:s0azLAqAbcVCjHI9t0ezPhamevYGM1eoOvFkn4QmpZ8=
|
||||
github.com/projectdiscovery/sarif v0.1.0 h1:O541T+a448nSJsmIMnXXSOeDQEzpnCAYvRfe0eG5h74=
|
||||
github.com/projectdiscovery/sarif v0.1.0/go.mod h1:LBC+reM3bkI3qIIhE0rZaINaYX6VG+En6u2hHa5mA7E=
|
||||
github.com/projectdiscovery/stringsutil v0.0.2 h1:uzmw3IVLJSMW1kEg8eCStG/cGbYYZAja8BH3LqqJXMA=
|
||||
github.com/projectdiscovery/stringsutil v0.0.2/go.mod h1:EJ3w6bC5fBYjVou6ryzodQq37D5c6qbAYQpGmAy+DC0=
|
||||
github.com/projectdiscovery/tlsx v1.2.2 h1:Y96QBqeD2anpzEtBl4kqNbwzXh2TrzJuXfgiBLvK+SE=
|
||||
github.com/projectdiscovery/tlsx v1.2.2/go.mod h1:ZJl9F1sSl0sdwE+lR0yuNHVX4Zx6tCSTqnNxnHCFZB4=
|
||||
github.com/projectdiscovery/uncover v1.2.0 h1:31tjYa0v8FB8Ch8hJTxb+2t63vsljdOo0OSFylJcX4M=
|
||||
github.com/projectdiscovery/uncover v1.2.0/go.mod h1:ozqKb++p39Kmh1SmwIpbQ9p0aVGPXuwsb4/X2Kvx6ms=
|
||||
github.com/projectdiscovery/useragent v0.0.107 h1:45gSBda052fv2Gtxtnpx7cu2rWtUpZEQRGAoYGP6F5M=
|
||||
github.com/projectdiscovery/useragent v0.0.107/go.mod h1:yv5ZZLDT/kq6P+NvBcCPq6sjEVQtZGgO+OvvHzZ+WtY=
|
||||
github.com/projectdiscovery/utils v0.10.1 h1:9luYfL7PpN1L/cLO4bAES4+ltDaEBKOUnRiTn920XfM=
|
||||
github.com/projectdiscovery/utils v0.10.1/go.mod h1:x3jGS2YIxnUYxlpB9HWBKf0k+AE83nYCGRX/YStC8G8=
|
||||
github.com/projectdiscovery/wappalyzergo v0.2.76 h1:6zQt6Jmi/hIwD8InWswkk1yhJGWaVEAEzshTGiTGbeM=
|
||||
github.com/projectdiscovery/wappalyzergo v0.2.76/go.mod h1:hRsnKNleH693FFJsBOD5NMUDbxw/Q94f0Oq2OV04Q6M=
|
||||
github.com/projectdiscovery/uncover v1.2.1 h1:8U46T/96CLT7BPoXBgkTvWqB06lOyeTSLvh5+UjzATE=
|
||||
github.com/projectdiscovery/uncover v1.2.1/go.mod h1:0p8onrWxfpXQEYs90ZDzTSpu1107gWmodX1NWqu/+z4=
|
||||
github.com/projectdiscovery/useragent v0.0.108 h1:fb+uLuFJvC+MHZjCtxQJxtvp1X6A8n98CUGPyFcg3NE=
|
||||
github.com/projectdiscovery/useragent v0.0.108/go.mod h1:XdNRrlvtDmYfVL1Oybat4uMe+W6cLwsK9S18ond17CI=
|
||||
github.com/projectdiscovery/utils v0.11.1 h1:PWj1KjIASxt8icxommH72C0TQqNOvGkcSODRkiq0SQw=
|
||||
github.com/projectdiscovery/utils v0.11.1/go.mod h1:yktGrHGk2CTjNiccXovnvGrLHX9sV2bqz9nSnbA3V8M=
|
||||
github.com/projectdiscovery/wappalyzergo v0.2.87 h1:KuUpeRSQ80L6tx9YaAPhfYWTF47bpEURYbAymr76zto=
|
||||
github.com/projectdiscovery/wappalyzergo v0.2.87/go.mod h1:gMH0o5lBp65sKMwHx/tuUdOtW2RjodC6Ti+9QDsYMkY=
|
||||
github.com/projectdiscovery/yamldoc-go v1.0.6 h1:GCEdIRlQjDux28xTXKszM7n3jlMf152d5nqVpVoetas=
|
||||
github.com/projectdiscovery/yamldoc-go v1.0.6/go.mod h1:R5lWrNzP+7Oyn77NDVPnBsxx2/FyQZBBkIAaSaCQFxw=
|
||||
github.com/prometheus/client_golang v0.9.1/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw=
|
||||
@@ -956,6 +961,8 @@ github.com/rogpeppe/go-internal v1.14.1 h1:UQB4HGPB6osV0SQTLymcB4TgvyWu6ZyliaW0t
|
||||
github.com/rogpeppe/go-internal v1.14.1/go.mod h1:MaRKkUm5W0goXpeCfT7UZI6fk/L7L7so1lCWt35ZSgc=
|
||||
github.com/rs/xid v1.6.0 h1:fV591PaemRlL6JfRxGDEPl69wICngIQ3shQtzfy2gxU=
|
||||
github.com/rs/xid v1.6.0/go.mod h1:7XoLgs4eV+QndskICGsho+ADou8ySMSjJKDIan90Nz0=
|
||||
github.com/rs/zerolog v1.34.0 h1:k43nTLIwcTVQAncfCw4KZ2VY6ukYoZaBPNOE8txlOeY=
|
||||
github.com/rs/zerolog v1.34.0/go.mod h1:bJsvje4Z08ROH4Nhs5iH600c3IkWhwp44iRc54W6wYQ=
|
||||
github.com/rwcarlsen/goexif v0.0.0-20190401172101-9e8deecbddbd/go.mod h1:hPqNNc0+uJM6H+SuU8sEs5K5IQeKccPqeSjfgcKGgPk=
|
||||
github.com/saintfish/chardet v0.0.0-20120816061221-3af4cd4741ca/go.mod h1:uugorj2VCxiV1x+LzaIdVa9b4S4qGAcH6cbhh4qVxOU=
|
||||
github.com/saintfish/chardet v0.0.0-20230101081208-5e3ef4b5456d h1:hrujxIzL1woJ7AwssoOcM/tq5JjjG2yYOc8odClEiXA=
|
||||
@@ -980,8 +987,9 @@ github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6Mwd
|
||||
github.com/sirupsen/logrus v1.6.0/go.mod h1:7uNnSEd1DgxDLC74fIahvMZmmYsHGZGEOFrfsX/uA88=
|
||||
github.com/sirupsen/logrus v1.7.0/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0=
|
||||
github.com/sirupsen/logrus v1.9.0/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
|
||||
github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ=
|
||||
github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
|
||||
github.com/sirupsen/logrus v1.9.4 h1:TsZE7l11zFCLZnZ+teH4Umoq5BhEIfIzfRDZ1Uzql2w=
|
||||
github.com/sirupsen/logrus v1.9.4/go.mod h1:ftWc9WdOfJ0a92nsE2jF5u5ZwH8Bv2zdeOC42RjbV2g=
|
||||
github.com/skeema/knownhosts v1.3.1 h1:X2osQ+RAjK76shCbvhHHHVl3ZlgDm8apHEHFqRjnBY8=
|
||||
github.com/skeema/knownhosts v1.3.1/go.mod h1:r7KTdC8l4uxWRyK2TpQZ/1o5HaSzh06ePQNxPwTcfiY=
|
||||
github.com/smartystreets/assertions v0.0.0-20180927180507-b2de0cb4f26d h1:zE9ykElWQ6/NYmHa3jpm/yHnI4xSofP+UP6SpjHcSeM=
|
||||
@@ -996,15 +1004,18 @@ github.com/spaolacci/murmur3 v1.1.0 h1:7c1g84S4BPRrfL5Xrdp6fOJ206sU9y293DDHaoy0b
|
||||
github.com/spaolacci/murmur3 v1.1.0/go.mod h1:JwIasOWyU6f++ZhiEuf87xNszmSA2myDM2Kzu9HwQUA=
|
||||
github.com/spf13/afero v1.15.0 h1:b/YBCLWAJdFWJTN9cLhiXXcD7mzKn9Dm86dNnfyQw1I=
|
||||
github.com/spf13/afero v1.15.0/go.mod h1:NC2ByUVxtQs4b3sIUphxK0NioZnmxgyCrfzeuq8lxMg=
|
||||
github.com/spf13/cast v1.9.2 h1:SsGfm7M8QOFtEzumm7UZrZdLLquNdzFYfIbEXntcFbE=
|
||||
github.com/spf13/cast v1.9.2/go.mod h1:jNfB8QC9IA6ZuY2ZjDp0KtFO2LZZlg4S/7bzP6qqeHo=
|
||||
github.com/spf13/cast v1.10.0 h1:h2x0u2shc1QuLHfxi+cTJvs30+ZAHOGRic8uyGTDWxY=
|
||||
github.com/spf13/cast v1.10.0/go.mod h1:jNfB8QC9IA6ZuY2ZjDp0KtFO2LZZlg4S/7bzP6qqeHo=
|
||||
github.com/spf13/pflag v1.0.10 h1:4EBh2KAYBwaONj6b2Ye1GiHfwjqyROoF4RwYO+vPwFk=
|
||||
github.com/spf13/pflag v1.0.10/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
|
||||
github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
|
||||
github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
|
||||
github.com/stretchr/objx v0.2.0/go.mod h1:qt09Ya8vawLte6SNmTgCsAVtYtaKzEcn8ATUoHMkEqE=
|
||||
github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
|
||||
github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
|
||||
github.com/stretchr/objx v0.5.2 h1:xuMeJ0Sdp5ZMRXx/aWO6RZxdr3beISkG5/G/aIRr3pY=
|
||||
github.com/stretchr/objx v0.5.2/go.mod h1:FRsXN1f5AsAjCGJKqEizvkpNtU+EGNCLh3NxZ/8L+MA=
|
||||
github.com/stretchr/objx v0.5.3 h1:jmXUvGomnU1o3W/V5h2VEradbpJDwGrzugQQvL0POH4=
|
||||
github.com/stretchr/objx v0.5.3/go.mod h1:rDQraq+vQZU7Fde9LOZLr8Tax6zZvy4kuNKF+QYS+U0=
|
||||
github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
|
||||
github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
|
||||
github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
|
||||
@@ -1033,8 +1044,8 @@ github.com/tidwall/btree v1.8.1/go.mod h1:jBbTdUWhSZClZWoDg54VnvV7/54modSOzDN7VX
|
||||
github.com/tidwall/buntdb v1.3.2 h1:qd+IpdEGs0pZci37G4jF51+fSKlkuUTMXuHhXL1AkKg=
|
||||
github.com/tidwall/buntdb v1.3.2/go.mod h1:lZZrZUWzlyDJKlLQ6DKAy53LnG7m5kHyrEHvvcDmBpU=
|
||||
github.com/tidwall/gjson v1.12.1/go.mod h1:/wbyibRr2FHMks5tjHJ5F8dMZh3AcwJEMf5vlfC0lxk=
|
||||
github.com/tidwall/gjson v1.18.0 h1:FIDeeyB800efLX89e5a8Y0BNH+LOngJyGrIWxG2FKQY=
|
||||
github.com/tidwall/gjson v1.18.0/go.mod h1:/wbyibRr2FHMks5tjHJ5F8dMZh3AcwJEMf5vlfC0lxk=
|
||||
github.com/tidwall/gjson v1.19.0 h1:xwxm7n691Uf3u5OFjzngavjGTh55KX5q/9w9xHW88JU=
|
||||
github.com/tidwall/gjson v1.19.0/go.mod h1:V37/opeE/JbLUOfH0QTXiNez2l0RUjYUhpT4szFQAfc=
|
||||
github.com/tidwall/grect v0.1.4 h1:dA3oIgNgWdSspFzn1kS4S/RDpZFLrIxAZOdJKjYapOg=
|
||||
github.com/tidwall/grect v0.1.4/go.mod h1:9FBsaYRaR0Tcy4UwefBX/UDcDcDy9V5jUcxHzv2jd5Q=
|
||||
github.com/tidwall/lotsa v1.0.2 h1:dNVBH5MErdaQ/xd9s769R31/n2dXavsQ0Yf4TMEHHw8=
|
||||
@@ -1061,8 +1072,9 @@ github.com/trivago/tgo v1.0.7 h1:uaWH/XIy9aWYWpjm2CU3RpcqZXmX2ysQ9/Go+d9gyrM=
|
||||
github.com/trivago/tgo v1.0.7/go.mod h1:w4dpD+3tzNIIiIfkWWa85w5/B77tlvdZckQ+6PkFnhc=
|
||||
github.com/twitchyliquid64/golang-asm v0.15.1 h1:SU5vSMR7hnwNxj24w34ZyCi/FmDZTkS4MhqMhdFk5YI=
|
||||
github.com/twitchyliquid64/golang-asm v0.15.1/go.mod h1:a1lVb/DtPvCB8fslRZhAngC2+aY1QWCk3Cedj/Gdt08=
|
||||
github.com/twmb/murmur3 v1.1.6 h1:mqrRot1BRxm+Yct+vavLMou2/iJt0tNVTTC0QoIjaZg=
|
||||
github.com/twmb/murmur3 v1.1.6/go.mod h1:Qq/R7NUyOfr65zD+6Q5IHKsJLwP7exErjN6lyyq3OSQ=
|
||||
github.com/twmb/murmur3 v1.1.8 h1:8Yt9taO/WN3l08xErzjeschgZU2QSrwm1kclYq+0aRg=
|
||||
github.com/twmb/murmur3 v1.1.8/go.mod h1:Qq/R7NUyOfr65zD+6Q5IHKsJLwP7exErjN6lyyq3OSQ=
|
||||
github.com/ugorji/go/codec v1.2.11 h1:BMaWp1Bb6fHwEtbplGBGJ498wD+LKlNSl25MjdZY4dU=
|
||||
github.com/ugorji/go/codec v1.2.11/go.mod h1:UNopzCgEMSXjBc6AOMqYvWC1ktqTAfzJZUZgYf6w6lg=
|
||||
github.com/ulikunitz/xz v0.5.8/go.mod h1:nbz6k7qbPmH4IRqmfOplQw/tblSgqTqBwxkY0oWt/14=
|
||||
@@ -1070,8 +1082,6 @@ github.com/ulikunitz/xz v0.5.15 h1:9DNdB5s+SgV3bQ2ApL10xRc35ck0DuIX/isZvIk+ubY=
|
||||
github.com/ulikunitz/xz v0.5.15/go.mod h1:nbz6k7qbPmH4IRqmfOplQw/tblSgqTqBwxkY0oWt/14=
|
||||
github.com/valyala/bytebufferpool v1.0.0 h1:GqA5TC/0021Y/b9FG4Oi9Mr3q7XYx6KllzawFIhcdPw=
|
||||
github.com/valyala/bytebufferpool v1.0.0/go.mod h1:6bBcMArwyJ5K/AmCkWv1jt77kVWyCJ6HpOuEn7z0Csc=
|
||||
github.com/valyala/fasttemplate v1.2.2 h1:lxLXG0uE3Qnshl9QyaK6XJxMXlQZELvChBOCmQD0Loo=
|
||||
github.com/valyala/fasttemplate v1.2.2/go.mod h1:KHLXt3tVN2HBp8eijSv/kGJopbvo7S+qRAEEKiv+SiQ=
|
||||
github.com/vmihailenco/bufpool v0.1.11 h1:gOq2WmBrq0i2yW5QJ16ykccQ4wH9UyEsgLm6czKAd94=
|
||||
github.com/vmihailenco/bufpool v0.1.11/go.mod h1:AFf/MOy3l2CFTKbxwt0mp2MwnqjNEs5H/UxrkA5jxTQ=
|
||||
github.com/vmihailenco/msgpack/v5 v5.3.4 h1:qMKAwOV+meBw2Y8k9cVwAy7qErtYCwBzZ2ellBfvnqc=
|
||||
@@ -1133,7 +1143,6 @@ github.com/ysmood/leakless v0.9.0/go.mod h1:R8iAXPRaG97QJwqxs74RdwzcRHT1SWCGTNqY
|
||||
github.com/yuin/goldmark v1.1.25/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
|
||||
github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
|
||||
github.com/yuin/goldmark v1.1.32/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
|
||||
github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
|
||||
github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
|
||||
github.com/yuin/goldmark v1.7.13 h1:GPddIs617DnBLFFVJFgpo1aBfe/4xcvMc3SB5t/D0pA=
|
||||
github.com/yuin/goldmark v1.7.13/go.mod h1:ip/1k0VRfGynBgxOz0yCqHrbZXhcjxyuS66Brc7iBKg=
|
||||
@@ -1163,8 +1172,8 @@ github.com/zmap/zflags v1.4.0-beta.1.0.20200204220219-9d95409821b6/go.mod h1:HXD
|
||||
github.com/zmap/zgrab2 v0.1.8 h1:PFnXrIBcGjYFec1JNbxMKQuSXXzS+SbqE89luuF4ORY=
|
||||
github.com/zmap/zgrab2 v0.1.8/go.mod h1:5d8HSmUwvllx4q1qG50v/KXphkg45ZzWdaQtgTFnegE=
|
||||
github.com/zmap/zlint/v3 v3.0.0/go.mod h1:paGwFySdHIBEMJ61YjoqT4h7Ge+fdYG4sUQhnTb1lJ8=
|
||||
gitlab.com/gitlab-org/api/client-go v0.130.1 h1:1xF5C5Zq3sFeNg3PzS2z63oqrxifne3n/OnbI7nptRc=
|
||||
gitlab.com/gitlab-org/api/client-go v0.130.1/go.mod h1:ZhSxLAWadqP6J9lMh40IAZOlOxBLPRh7yFOXR/bMJWM=
|
||||
gitlab.com/gitlab-org/api/client-go v1.9.1 h1:tZm+URa36sVy8UCEHQyGGJ8COngV4YqMHpM6k9O5tK8=
|
||||
gitlab.com/gitlab-org/api/client-go v1.9.1/go.mod h1:71yTJk1lnHCWcZLvM5kPAXzeJ2fn5GjaoV8gTOPd4ME=
|
||||
go.etcd.io/bbolt v1.4.3 h1:dEadXpI6G79deX5prL3QRNP6JB8UxVkqo4UPnHaNXJo=
|
||||
go.etcd.io/bbolt v1.4.3/go.mod h1:tKQlpPaYCVFctUIgFKFnAlvbmB3tpy1vkTnDWohtc0E=
|
||||
go.mongodb.org/mongo-driver v1.17.9 h1:IexDdCuuNJ3BHrELgBlyaH9p60JXAvdzWR128q+U5tU=
|
||||
@@ -1176,24 +1185,18 @@ go.opencensus.io v0.22.3/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
|
||||
go.opencensus.io v0.22.4/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
|
||||
go.opentelemetry.io/auto/sdk v1.2.1 h1:jXsnJ4Lmnqd11kwkBV2LgLoFMZKizbCi5fNZ/ipaZ64=
|
||||
go.opentelemetry.io/auto/sdk v1.2.1/go.mod h1:KRTj+aOaElaLi+wW1kO/DZRXwkF4C5xPbEe3ZiIhN7Y=
|
||||
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.62.0 h1:Hf9xI/XLML9ElpiHVDNwvqI0hIFlzV8dgIr35kV1kRU=
|
||||
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.62.0/go.mod h1:NfchwuyNoMcZ5MLHwPrODwUF1HWCXWrL31s8gSAdIKY=
|
||||
go.opentelemetry.io/otel v1.41.0 h1:YlEwVsGAlCvczDILpUXpIpPSL/VPugt7zHThEMLce1c=
|
||||
go.opentelemetry.io/otel v1.41.0/go.mod h1:Yt4UwgEKeT05QbLwbyHXEwhnjxNO6D8L5PQP51/46dE=
|
||||
go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.34.0 h1:OeNbIYk/2C15ckl7glBlOBp5+WlYsOElzTNmiPW/x60=
|
||||
go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.34.0/go.mod h1:7Bept48yIeqxP2OZ9/AqIpYS94h2or0aB4FypJTc8ZM=
|
||||
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.38.0 h1:aTL7F04bJHUlztTsNGJ2l+6he8c+y/b//eR0jjjemT4=
|
||||
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.38.0/go.mod h1:kldtb7jDTeol0l3ewcmd8SDvx3EmIE7lyvqbasU3QC4=
|
||||
go.opentelemetry.io/otel/metric v1.41.0 h1:rFnDcs4gRzBcsO9tS8LCpgR0dxg4aaxWlJxCno7JlTQ=
|
||||
go.opentelemetry.io/otel/metric v1.41.0/go.mod h1:xPvCwd9pU0VN8tPZYzDZV/BMj9CM9vs00GuBjeKhJps=
|
||||
go.opentelemetry.io/otel/sdk v1.38.0 h1:l48sr5YbNf2hpCUj/FoGhW9yDkl+Ma+LrVl8qaM5b+E=
|
||||
go.opentelemetry.io/otel/sdk v1.38.0/go.mod h1:ghmNdGlVemJI3+ZB5iDEuk4bWA3GkTpW+DOoZMYBVVg=
|
||||
go.opentelemetry.io/otel/sdk/metric v1.37.0 h1:90lI228XrB9jCMuSdA0673aubgRobVZFhbjxHHspCPc=
|
||||
go.opentelemetry.io/otel/sdk/metric v1.37.0/go.mod h1:cNen4ZWfiD37l5NhS+Keb5RXVWZWpRE+9WyVCpbo5ps=
|
||||
go.opentelemetry.io/otel/trace v1.41.0 h1:Vbk2co6bhj8L59ZJ6/xFTskY+tGAbOnCtQGVVa9TIN0=
|
||||
go.opentelemetry.io/otel/trace v1.41.0/go.mod h1:U1NU4ULCoxeDKc09yCWdWe+3QoyweJcISEVa1RBzOis=
|
||||
go.opentelemetry.io/proto/otlp v1.8.0 h1:fRAZQDcAFHySxpJ1TwlA1cJ4tvcrw7nXl9xWWC8N5CE=
|
||||
go.opentelemetry.io/proto/otlp v1.8.0/go.mod h1:tIeYOeNBU4cvmPqpaji1P+KbB4Oloai8wN4rWzRrFF0=
|
||||
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.68.0 h1:CqXxU8VOmDefoh0+ztfGaymYbhdB/tT3zs79QaZTNGY=
|
||||
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.68.0/go.mod h1:BuhAPThV8PBHBvg8ZzZ/Ok3idOdhWIodywz2xEcRbJo=
|
||||
go.opentelemetry.io/otel v1.43.0 h1:mYIM03dnh5zfN7HautFE4ieIig9amkNANT+xcVxAj9I=
|
||||
go.opentelemetry.io/otel v1.43.0/go.mod h1:JuG+u74mvjvcm8vj8pI5XiHy1zDeoCS2LB1spIq7Ay0=
|
||||
go.opentelemetry.io/otel/metric v1.43.0 h1:d7638QeInOnuwOONPp4JAOGfbCEpYb+K6DVWvdxGzgM=
|
||||
go.opentelemetry.io/otel/metric v1.43.0/go.mod h1:RDnPtIxvqlgO8GRW18W6Z/4P462ldprJtfxHxyKd2PY=
|
||||
go.opentelemetry.io/otel/sdk v1.43.0 h1:pi5mE86i5rTeLXqoF/hhiBtUNcrAGHLKQdhg4h4V9Dg=
|
||||
go.opentelemetry.io/otel/sdk v1.43.0/go.mod h1:P+IkVU3iWukmiit/Yf9AWvpyRDlUeBaRg6Y+C58QHzg=
|
||||
go.opentelemetry.io/otel/sdk/metric v1.43.0 h1:S88dyqXjJkuBNLeMcVPRFXpRw2fuwdvfCGLEo89fDkw=
|
||||
go.opentelemetry.io/otel/sdk/metric v1.43.0/go.mod h1:C/RJtwSEJ5hzTiUz5pXF1kILHStzb9zFlIEe85bhj6A=
|
||||
go.opentelemetry.io/otel/trace v1.43.0 h1:BkNrHpup+4k4w+ZZ86CZoHHEkohws8AY+WTX09nk+3A=
|
||||
go.opentelemetry.io/otel/trace v1.43.0/go.mod h1:/QJhyVBUUswCphDVxq+8mld+AvhXZLhe+8WVFxiFff0=
|
||||
go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
|
||||
go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
|
||||
go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0=
|
||||
@@ -1234,8 +1237,9 @@ golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDf
|
||||
golang.org/x/crypto v0.23.0/go.mod h1:CKFgDieR+mRhux2Lsu27y0fO304Db0wZe70UKqHu0v8=
|
||||
golang.org/x/crypto v0.25.0/go.mod h1:T+wALwcMOSE0kXgUAnPAHqTLW+XHgcELELW8VaDgm/M=
|
||||
golang.org/x/crypto v0.31.0/go.mod h1:kDsLvtWBEx7MV9tJOj9bnXsPbxwJQ6csT/x4KIN4Ssk=
|
||||
golang.org/x/crypto v0.50.0 h1:zO47/JPrL6vsNkINmLoo/PH1gcxpls50DNogFvB5ZGI=
|
||||
golang.org/x/crypto v0.50.0/go.mod h1:3muZ7vA7PBCE6xgPX7nkzzjiUq87kRItoJQM1Yo8S+Q=
|
||||
golang.org/x/crypto v0.32.0/go.mod h1:ZnnJkOaASj8g0AjIduWNlq2NRxL0PlBrbKVyZ6V/Ugc=
|
||||
golang.org/x/crypto v0.53.0 h1:QZ4Muo8THX6CizN2vPPd5fBGHyogrdK9fG4wLPFUsto=
|
||||
golang.org/x/crypto v0.53.0/go.mod h1:DNLU434OwVakk9PzuwV8w62mAJpRJL3vsgcfp4Qnsio=
|
||||
golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
|
||||
golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
|
||||
golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8=
|
||||
@@ -1246,8 +1250,8 @@ golang.org/x/exp v0.0.0-20191227195350-da58074b4299/go.mod h1:2RIsYlXP63K8oxa1u0
|
||||
golang.org/x/exp v0.0.0-20200119233911-0405dc783f0a/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4=
|
||||
golang.org/x/exp v0.0.0-20200207192155-f17229e696bd/go.mod h1:J/WKrq2StrnmMY6+EHIKF9dgMWnmCNThgcyBT1FY9mM=
|
||||
golang.org/x/exp v0.0.0-20200224162631-6cc2880d07d6/go.mod h1:3jZMyOhIsHpP37uCMkUooju7aAi5cS1Q23tOzKc+0MU=
|
||||
golang.org/x/exp v0.0.0-20260410095643-746e56fc9e2f h1:W3F4c+6OLc6H2lb//N1q4WpJkhzJCK5J6kUi1NTVXfM=
|
||||
golang.org/x/exp v0.0.0-20260410095643-746e56fc9e2f/go.mod h1:J1xhfL/vlindoeF/aINzNzt2Bket5bjo9sdOYzOsU80=
|
||||
golang.org/x/exp v0.0.0-20260527015227-08cc5374adb3 h1:VHEvKbpgPXcPXn40t9cDTGK3JZwMikIEyF/CTrFfu7k=
|
||||
golang.org/x/exp v0.0.0-20260527015227-08cc5374adb3/go.mod h1:d2fgXJLVs4dYDHUk5lwMIfzRzSrWCfGZb0ZqeLa/Vcw=
|
||||
golang.org/x/image v0.0.0-20190227222117-0694c2d4d067/go.mod h1:kZ7UVZpmo3dzQBMxlp+ypCbDeSB+sBbTgSJuh5dn5js=
|
||||
golang.org/x/image v0.0.0-20190802002840-cff245a6509b/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0=
|
||||
golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
|
||||
@@ -1273,8 +1277,8 @@ golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
|
||||
golang.org/x/mod v0.12.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
|
||||
golang.org/x/mod v0.15.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
|
||||
golang.org/x/mod v0.17.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
|
||||
golang.org/x/mod v0.35.0 h1:Ww1D637e6Pg+Zb2KrWfHQUnH2dQRLBQyAtpr/haaJeM=
|
||||
golang.org/x/mod v0.35.0/go.mod h1:+GwiRhIInF8wPm+4AoT6L0FA1QWAad3OMdTRx4tFYlU=
|
||||
golang.org/x/mod v0.36.0 h1:JJjpVx6myfUsUdAzZuOSTTmRE0PfZeNWzzvKrP7amb4=
|
||||
golang.org/x/mod v0.36.0/go.mod h1:moc6ELqsWcOw5Ef3xVprK5ul/MvtVvkIXLziUOICjUQ=
|
||||
golang.org/x/net v0.0.0-20180218175443-cbe0f9307d01/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
|
||||
golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
|
||||
golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
|
||||
@@ -1310,7 +1314,6 @@ golang.org/x/net v0.0.0-20200602114024-627f9648deb9/go.mod h1:qpuaurCH72eLCgpAm/
|
||||
golang.org/x/net v0.0.0-20200625001655-4c5254603344/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA=
|
||||
golang.org/x/net v0.0.0-20200707034311-ab3426394381/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA=
|
||||
golang.org/x/net v0.0.0-20200822124328-c89045814202/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA=
|
||||
golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
|
||||
golang.org/x/net v0.0.0-20201110031124-69a78807bb2b/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
|
||||
golang.org/x/net v0.0.0-20201209123823-ac852fbbde11/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
|
||||
golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
|
||||
@@ -1331,8 +1334,9 @@ golang.org/x/net v0.21.0/go.mod h1:bIjVDfnllIU7BJ2DNgfnXvpSvtn8VRwhlsaeUTyUS44=
|
||||
golang.org/x/net v0.25.0/go.mod h1:JkAGAh7GEvH74S6FOH42FLoXpXbE/aqXSrIQjXgsiwM=
|
||||
golang.org/x/net v0.27.0/go.mod h1:dDi0PyhWNoiUOrAS8uXv/vnScO4wnHQO4mj9fn/RytE=
|
||||
golang.org/x/net v0.33.0/go.mod h1:HXLR5J+9DxmrqMwG9qjGCxZ+zKXxBru04zlTvWlWuN4=
|
||||
golang.org/x/net v0.53.0 h1:d+qAbo5L0orcWAr0a9JweQpjXF19LMXJE8Ey7hwOdUA=
|
||||
golang.org/x/net v0.53.0/go.mod h1:JvMuJH7rrdiCfbeHoo3fCQU24Lf5JJwT9W3sJFulfgs=
|
||||
golang.org/x/net v0.34.0/go.mod h1:di0qlW3YNM5oh6GqDGQr92MyTozJPmybPK4Ev/Gm31k=
|
||||
golang.org/x/net v0.56.0 h1:Rw8j/hFzGvJUZwNBXnAtf5sVDVt+65SK2C7IxCxZt5o=
|
||||
golang.org/x/net v0.56.0/go.mod h1:D3Ku6r+V6JROoZK144D2XfMHFcMq/0zSfLelVTCFKec=
|
||||
golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
|
||||
golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
|
||||
golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
|
||||
@@ -1352,7 +1356,6 @@ golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJ
|
||||
golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
|
||||
golang.org/x/sync v0.0.0-20200317015054-43a5402ce75a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
|
||||
golang.org/x/sync v0.0.0-20200625203802-6e8e738ad208/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
|
||||
golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
|
||||
golang.org/x/sync v0.0.0-20201207232520-09787c993a3a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
|
||||
golang.org/x/sync v0.0.0-20220601150217-0de741cfad7f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
|
||||
golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
|
||||
@@ -1361,8 +1364,8 @@ golang.org/x/sync v0.3.0/go.mod h1:FU7BRWz2tNW+3quACPkgCx/L+uEAv1htQ0V83Z9Rj+Y=
|
||||
golang.org/x/sync v0.6.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
|
||||
golang.org/x/sync v0.7.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
|
||||
golang.org/x/sync v0.10.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
|
||||
golang.org/x/sync v0.20.0 h1:e0PTpb7pjO8GAtTs2dQ6jYa5BWYlMuX047Dco/pItO4=
|
||||
golang.org/x/sync v0.20.0/go.mod h1:9xrNwdLfx4jkKbNva9FpL6vEN7evnE43NNNJQ2LF3+0=
|
||||
golang.org/x/sync v0.21.0 h1:HLII4xRRTtCRkxYp4HNFF0Js/Og6q2i++KXbg0gHCwM=
|
||||
golang.org/x/sync v0.21.0/go.mod h1:9xrNwdLfx4jkKbNva9FpL6vEN7evnE43NNNJQ2LF3+0=
|
||||
golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
|
||||
golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
|
||||
golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
|
||||
@@ -1417,6 +1420,7 @@ golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBc
|
||||
golang.org/x/sys v0.0.0-20220615213510-4f61da869c0c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
|
||||
golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
|
||||
golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
|
||||
golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
|
||||
golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
|
||||
golang.org/x/sys v0.3.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
|
||||
golang.org/x/sys v0.4.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
|
||||
@@ -1429,8 +1433,9 @@ golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
|
||||
golang.org/x/sys v0.20.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
|
||||
golang.org/x/sys v0.22.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
|
||||
golang.org/x/sys v0.28.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
|
||||
golang.org/x/sys v0.43.0 h1:Rlag2XtaFTxp19wS8MXlJwTvoh8ArU6ezoyFsMyCTNI=
|
||||
golang.org/x/sys v0.43.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
|
||||
golang.org/x/sys v0.29.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
|
||||
golang.org/x/sys v0.46.0 h1:noSf2Fq6F8DBgS+LysIkx7rIExoNHJsxOAtPp4rthXw=
|
||||
golang.org/x/sys v0.46.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
|
||||
golang.org/x/telemetry v0.0.0-20240228155512-f48c80bd79b2/go.mod h1:TeRTkGYfJXctD9OcfyVLyj2J3IxLnKwHJR8f4D8a3YE=
|
||||
golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw=
|
||||
golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
|
||||
@@ -1446,8 +1451,9 @@ golang.org/x/term v0.17.0/go.mod h1:lLRBjIVuehSbZlaOtGMbcMncT+aqLLLmKrsjNrUguwk=
|
||||
golang.org/x/term v0.20.0/go.mod h1:8UkIAJTvZgivsXaD6/pH6U9ecQzZ45awqEOzuCvwpFY=
|
||||
golang.org/x/term v0.22.0/go.mod h1:F3qCibpT5AMpCRfhfT53vVJwhLtIVHhB9XDjfFvnMI4=
|
||||
golang.org/x/term v0.27.0/go.mod h1:iMsnZpn0cago0GOrHO2+Y7u7JPn5AylBrcoWkElMTSM=
|
||||
golang.org/x/term v0.42.0 h1:UiKe+zDFmJobeJ5ggPwOshJIVt6/Ft0rcfrXZDLWAWY=
|
||||
golang.org/x/term v0.42.0/go.mod h1:Dq/D+snpsbazcBG5+F9Q1n2rXV8Ma+71xEjTRufARgY=
|
||||
golang.org/x/term v0.28.0/go.mod h1:Sw/lC2IAUZ92udQNf3WodGtn4k/XoLyZoh8v/8uiwek=
|
||||
golang.org/x/term v0.44.0 h1:0rLvDRCtNj0gZkyIXhCyOb2OAzEhLVqc4B+hrsBhrmc=
|
||||
golang.org/x/term v0.44.0/go.mod h1:7ze4MdzUzLXpSAoFP1H0bOI9aXDqveSvatT5vKcFh2Y=
|
||||
golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
|
||||
golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
|
||||
golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
|
||||
@@ -1466,14 +1472,14 @@ golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
|
||||
golang.org/x/text v0.15.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
|
||||
golang.org/x/text v0.16.0/go.mod h1:GhwF1Be+LQoKShO3cGOHzqOgRrGaYc9AvblQOmPVHnI=
|
||||
golang.org/x/text v0.21.0/go.mod h1:4IBbMaMmOPCJ8SecivzSH54+73PCFmPWxNTLm+vZkEQ=
|
||||
golang.org/x/text v0.36.0 h1:JfKh3XmcRPqZPKevfXVpI1wXPTqbkE5f7JA92a55Yxg=
|
||||
golang.org/x/text v0.36.0/go.mod h1:NIdBknypM8iqVmPiuco0Dh6P5Jcdk8lJL0CUebqK164=
|
||||
golang.org/x/text v0.38.0 h1:sXmwo9DwP3OK9EZ7PqAdaooSGozfl/3a6/xJcbzPRhE=
|
||||
golang.org/x/text v0.38.0/go.mod h1:YXZt3QhHUKYT53r2lLKFIVi6Ao1jdzrTR/KQ09qyxF4=
|
||||
golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
|
||||
golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
|
||||
golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
|
||||
golang.org/x/time v0.3.0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
|
||||
golang.org/x/time v0.14.0 h1:MRx4UaLrDotUKUdCIqzPC48t1Y9hANFKIRpNx+Te8PI=
|
||||
golang.org/x/time v0.14.0/go.mod h1:eL/Oa2bBBK0TkX57Fyni+NgnyQQN4LitPmob2Hjnqw4=
|
||||
golang.org/x/time v0.15.0 h1:bbrp8t3bGUeFOx08pvsMYRTCVSMk89u4tKbNOZbp88U=
|
||||
golang.org/x/time v0.15.0/go.mod h1:Y4YMaQmXwGQZoFaVFk4YpCt4FLQMYKZe9oeV/f4MSno=
|
||||
golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
|
||||
golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
|
||||
golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY=
|
||||
@@ -1513,17 +1519,15 @@ golang.org/x/tools v0.0.0-20200501065659-ab2804fb9c9d/go.mod h1:EkVYQZoAsY45+roY
|
||||
golang.org/x/tools v0.0.0-20200512131952-2bc93b1c0c88/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
|
||||
golang.org/x/tools v0.0.0-20200515010526-7d3b6ebf133d/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
|
||||
golang.org/x/tools v0.0.0-20200618134242-20370b0cb4b2/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
|
||||
golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
|
||||
golang.org/x/tools v0.0.0-20200729194436-6467de6f59a7/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA=
|
||||
golang.org/x/tools v0.0.0-20200804011535-6c149bb5ef0d/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA=
|
||||
golang.org/x/tools v0.0.0-20200825202427-b303f430e36d/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA=
|
||||
golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
|
||||
golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
|
||||
golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
|
||||
golang.org/x/tools v0.13.0/go.mod h1:HvlwmtVNQAhOuCjW7xxvovg8wbNq7LwfXh/k7wXUl58=
|
||||
golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d/go.mod h1:aiJjzUbINMkxbQROHiO6hDPo2LHcIPhhQsa9DLh0yGk=
|
||||
golang.org/x/tools v0.44.0 h1:UP4ajHPIcuMjT1GqzDWRlalUEoY+uzoZKnhOjbIPD2c=
|
||||
golang.org/x/tools v0.44.0/go.mod h1:KA0AfVErSdxRZIsOVipbv3rQhVXTnlU6UhKxHd1seDI=
|
||||
golang.org/x/tools v0.45.0 h1:18qN3FAooORvApf5XjCXgsuayZOEtXf6JK18I3+ONa8=
|
||||
golang.org/x/tools v0.45.0/go.mod h1:LuUGqqaXcXMEFEruIVJVm5mgDD8vww/z/SR1gQ4uE/0=
|
||||
golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
|
||||
golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
|
||||
golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
|
||||
@@ -1550,8 +1554,9 @@ google.golang.org/appengine v1.5.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7
|
||||
google.golang.org/appengine v1.6.1/go.mod h1:i06prIuMbXzDqacNJfV5OdTW448YApPu5ww/cMBSeb0=
|
||||
google.golang.org/appengine v1.6.5/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc=
|
||||
google.golang.org/appengine v1.6.6/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc=
|
||||
google.golang.org/appengine v1.6.7 h1:FZR1q0exgwxzPzp/aF+VccGrSfxfPpkBqjIIEq3ru6c=
|
||||
google.golang.org/appengine v1.6.7/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc=
|
||||
google.golang.org/appengine v1.6.8 h1:IhEN5q69dyKagZPYMSdIjS2HqprW324FRQZJcGqPAsM=
|
||||
google.golang.org/appengine v1.6.8/go.mod h1:1jJ3jBArFh5pcgW8gCtRJnepW8FzD1V44FJffLiz/Ds=
|
||||
google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc=
|
||||
google.golang.org/genproto v0.0.0-20190307195333-5fe7a883aa19/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
|
||||
google.golang.org/genproto v0.0.0-20190418145605-e7d98fc518a7/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
|
||||
@@ -1581,11 +1586,6 @@ google.golang.org/genproto v0.0.0-20200618031413-b414f8b61790/go.mod h1:jDfRM7Fc
|
||||
google.golang.org/genproto v0.0.0-20200729003335-053ba62fc06f/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
|
||||
google.golang.org/genproto v0.0.0-20200804131852-c06518451d9c/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
|
||||
google.golang.org/genproto v0.0.0-20200825200019-8632dd797987/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
|
||||
google.golang.org/genproto v0.0.0-20250122153221-138b5a5a4fd4 h1:Pw6WnI9W/LIdRxqK7T6XGugGbHIRl5Q7q3BssH6xk4s=
|
||||
google.golang.org/genproto/googleapis/api v0.0.0-20250303144028-a0af3efb3deb h1:p31xT4yrYrSM/G4Sn2+TNUkVhFCbG9y8itM2S6Th950=
|
||||
google.golang.org/genproto/googleapis/api v0.0.0-20250303144028-a0af3efb3deb/go.mod h1:jbe3Bkdp+Dh2IrslsFCklNhweNTBgSYanP1UXhJDhKg=
|
||||
google.golang.org/genproto/googleapis/rpc v0.0.0-20250303144028-a0af3efb3deb h1:TLPQVbx1GJ8VKZxz52VAxl1EBgKXXbTiU9Fc5fZeLn4=
|
||||
google.golang.org/genproto/googleapis/rpc v0.0.0-20250303144028-a0af3efb3deb/go.mod h1:LuRYeWDFV6WOn90g357N17oMCaxpgCnbi/44qJvDn2I=
|
||||
google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
|
||||
google.golang.org/grpc v1.20.1/go.mod h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiqXj38=
|
||||
google.golang.org/grpc v1.21.1/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM=
|
||||
@@ -1598,8 +1598,6 @@ google.golang.org/grpc v1.28.0/go.mod h1:rpkK4SK4GF4Ach/+MFLZUBavHOvF2JJB5uozKKa
|
||||
google.golang.org/grpc v1.29.1/go.mod h1:itym6AZVZYACWQqET3MqgPpjcuV5QH3BxFS3IjizoKk=
|
||||
google.golang.org/grpc v1.30.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak=
|
||||
google.golang.org/grpc v1.31.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak=
|
||||
google.golang.org/grpc v1.76.0 h1:UnVkv1+uMLYXoIz6o7chp59WfQUYA2ex/BXQ9rHZu7A=
|
||||
google.golang.org/grpc v1.76.0/go.mod h1:Ju12QI8M6iQJtbcsV+awF5a4hfJMLi4X0JLo94ULZ6c=
|
||||
google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=
|
||||
google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0=
|
||||
google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM=
|
||||
@@ -1616,8 +1614,8 @@ google.golang.org/protobuf v1.28.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqw
|
||||
google.golang.org/protobuf v1.28.1/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
|
||||
google.golang.org/protobuf v1.30.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
|
||||
google.golang.org/protobuf v1.33.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos=
|
||||
google.golang.org/protobuf v1.36.6 h1:z1NpPI8ku2WgiWnf+t9wTPsn6eP1L7ksHUlkfLvd9xY=
|
||||
google.golang.org/protobuf v1.36.6/go.mod h1:jduwjTPXsFjZGTmRluh+L6NjiWu7pchiJ2/5YcXBHnY=
|
||||
google.golang.org/protobuf v1.36.11 h1:fV6ZwhNocDyBLK0dj+fg8ektcVegBBuEolpbTQyBNVE=
|
||||
google.golang.org/protobuf v1.36.11/go.mod h1:HTf+CrKn2C3g5S8VImy6tdcUvCska2kB7j23XfzDpco=
|
||||
gopkg.in/alecthomas/kingpin.v2 v2.2.6 h1:jMFz6MfLP0/4fUyZle81rXUoxOBFi19VUFKVDOQfozc=
|
||||
gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw=
|
||||
gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
|
||||
@@ -1640,7 +1638,6 @@ gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
|
||||
gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
|
||||
gopkg.in/yaml.v2 v2.2.5/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
|
||||
gopkg.in/yaml.v2 v2.3.0/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
|
||||
gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
|
||||
gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
|
||||
gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
|
||||
gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
|
||||
@@ -1658,6 +1655,10 @@ mellium.im/sasl v0.3.2 h1:PT6Xp7ccn9XaXAnJ03FcEjmAn7kK1x7aoXV6F+Vmrl0=
|
||||
mellium.im/sasl v0.3.2/go.mod h1:NKXDi1zkr+BlMHLQjY3ofYuU4KSPFxknb8mfEu6SveY=
|
||||
moul.io/http2curl v1.0.0 h1:6XwpyZOYsgZJrU8exnG87ncVkU1FVCcTRpwzOkTDUi8=
|
||||
moul.io/http2curl v1.0.0/go.mod h1:f6cULg+e4Md/oW1cYmwW4IWQOVl2lGbmCNGOHvzX2kE=
|
||||
pgregory.net/rapid v1.2.0 h1:keKAYRcjm+e1F0oAuU5F5+YPAWcyxNNRK2wud503Gnk=
|
||||
pgregory.net/rapid v1.2.0/go.mod h1:PY5XlDGj0+V1FCq0o192FdRhpKHGTRIWBgqjDBTrq04=
|
||||
rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8=
|
||||
rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0=
|
||||
rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA=
|
||||
software.sslmate.com/src/go-pkcs12 v0.7.0 h1:Db8W44cB54TWD7stUFFSWxdfpdn6fZVcDl0w3R4RVM0=
|
||||
software.sslmate.com/src/go-pkcs12 v0.7.0/go.mod h1:Qiz0EyvDRJjjxGyUQa2cCNZn/wMyzrRJ/qcDXOQazLI=
|
||||
|
||||
+124
-7
@@ -13,6 +13,7 @@
|
||||
package config
|
||||
|
||||
import (
|
||||
"os"
|
||||
"time"
|
||||
|
||||
"github.com/charmbracelet/log"
|
||||
@@ -21,7 +22,16 @@ import (
|
||||
|
||||
type Settings struct {
|
||||
Dirlist string
|
||||
DirMatchCodes string // -mc dirlist: status codes to keep
|
||||
DirFilterCodes string // -fc dirlist: status codes to drop
|
||||
DirFilterSizes string // -fs dirlist: body sizes to drop
|
||||
DirFilterWords string // -fw dirlist: word counts to drop
|
||||
DirFilterRegex string // -fr dirlist: regex; body match drops response
|
||||
Calibrate bool // -ac auto-calibrate the soft-404 baseline (dirlist, sql)
|
||||
DirWordlist string // -w dirlist: custom wordlist (file path or url)
|
||||
DirExtensions string // -e dirlist: extensions appended to each word
|
||||
Dnslist string
|
||||
Resolvers string // -resolvers dnslist: comma list overriding the bundled pool
|
||||
Debug bool
|
||||
LogDir string
|
||||
NoScan bool
|
||||
@@ -46,13 +56,49 @@ type Settings struct {
|
||||
SecurityTrails bool
|
||||
SQL bool
|
||||
LFI bool
|
||||
JWT bool
|
||||
OpenAPI bool
|
||||
Favicon bool
|
||||
CORS bool
|
||||
Redirect bool
|
||||
XSS bool
|
||||
Framework bool
|
||||
Crawl bool
|
||||
CrawlDepth int
|
||||
Passive bool
|
||||
Probe bool
|
||||
SARIF string // path to write a sarif 2.1.0 report to ("" = off)
|
||||
Markdown string // path to write a markdown report to ("" = off)
|
||||
Silent bool // route chrome to stderr, print one finding per line to stdout
|
||||
Diff bool // surface only findings added/removed vs the last snapshot
|
||||
Store string // snapshot dir for diff mode ("" = default state dir)
|
||||
Modules string // Comma-separated list of module IDs to run
|
||||
ModuleTags string // Run modules matching these tags
|
||||
AllModules bool // Run all loaded modules
|
||||
ListModules bool // List available modules and exit
|
||||
Proxy string
|
||||
Header goflags.StringSlice // custom request headers ("Key: Value")
|
||||
Cookie string
|
||||
RateLimit int
|
||||
MaxRetries int // -max-retries: retries on 429/503 (0 = off)
|
||||
Notify bool // -notify: ship findings to configured providers
|
||||
NotifySeverity string // -notify-severity: minimum severity to send (info..critical)
|
||||
NotifyConfig string // -notify-config: path to a notify-compatible yaml file
|
||||
}
|
||||
|
||||
// minThreads is the floor for the worker count. Threads feeds wg.Add across the
|
||||
// scanners, so 0 silently runs nothing and a negative value panics with
|
||||
// "negative WaitGroup counter"; clamp the parsed value up to this.
|
||||
const minThreads = 1
|
||||
|
||||
// defaultCrawlDepth bounds how far the spider recurses by default; deep enough
|
||||
// to find linked pages without crawling an entire site.
|
||||
const defaultCrawlDepth = 2
|
||||
|
||||
// defaultNotifySeverity is the floor notify sends at when -notify-severity is
|
||||
// unset: medium drops pure recon/info noise so alerts stay actionable.
|
||||
const defaultNotifySeverity = "medium"
|
||||
|
||||
const (
|
||||
Nil goflags.EnumVariable = iota
|
||||
|
||||
@@ -66,9 +112,9 @@ const (
|
||||
Full
|
||||
)
|
||||
|
||||
func Parse() *Settings {
|
||||
settings := &Settings{}
|
||||
|
||||
// registerFlags builds the flag set for the given settings without parsing it,
|
||||
// so callers (Parse and tests) can inspect the registered flags.
|
||||
func registerFlags(settings *Settings) *goflags.FlagSet {
|
||||
flagSet := goflags.NewFlagSet()
|
||||
flagSet.SetDescription("a blazing-fast pentesting (recon/exploitation) suite")
|
||||
|
||||
@@ -81,7 +127,16 @@ func Parse() *Settings {
|
||||
portScopes := goflags.AllowdTypes{"common": Common, "full": Full, "none": Nil}
|
||||
flagSet.CreateGroup("scans", "Scans",
|
||||
flagSet.EnumVar(&settings.Dirlist, "dirlist", Nil, "Directory fuzzing scan size (small/medium/large)", listSizes),
|
||||
flagSet.StringVar(&settings.DirMatchCodes, "mc", "", "Dirlist: match these status codes (comma list, e.g. 200,301)"),
|
||||
flagSet.StringVar(&settings.DirFilterCodes, "fc", "", "Dirlist: filter out these status codes (comma list)"),
|
||||
flagSet.StringVar(&settings.DirFilterSizes, "fs", "", "Dirlist: filter out responses of these body sizes (comma list)"),
|
||||
flagSet.StringVar(&settings.DirFilterWords, "fw", "", "Dirlist: filter out responses with these word counts (comma list)"),
|
||||
flagSet.StringVar(&settings.DirFilterRegex, "fr", "", "Dirlist: filter out responses whose body matches this regex"),
|
||||
flagSet.BoolVar(&settings.Calibrate, "ac", false, "Auto-calibrate the soft-404 wildcard baseline (dirlist, sql)"),
|
||||
flagSet.StringVar(&settings.DirWordlist, "w", "", "Dirlist: custom wordlist (local file path or url; overrides -dirlist size)"),
|
||||
flagSet.StringVar(&settings.DirExtensions, "e", "", "Dirlist: extensions appended to each word (comma list, e.g. php,bak,env)"),
|
||||
flagSet.EnumVar(&settings.Dnslist, "dnslist", Nil, "DNS fuzzing scan size (small/medium/large)", listSizes),
|
||||
flagSet.StringVar(&settings.Resolvers, "resolvers", "", "Dnslist: DNS resolvers to use (comma list, e.g. 1.1.1.1,8.8.8.8; overrides the bundled pool)"),
|
||||
flagSet.EnumVar(&settings.Ports, "ports", Nil, "Port scanning scope (common/full)", portScopes),
|
||||
flagSet.BoolVar(&settings.Dorking, "dork", false, "Enable Google dorking"),
|
||||
flagSet.BoolVar(&settings.Git, "git", false, "Enable git repository scanning"),
|
||||
@@ -98,7 +153,17 @@ func Parse() *Settings {
|
||||
flagSet.BoolVar(&settings.SecurityTrails, "securitytrails", false, "Enable SecurityTrails domain discovery (requires SECURITYTRAILS_API_KEY env var)"),
|
||||
flagSet.BoolVar(&settings.SQL, "sql", false, "Enable SQL reconnaissance (admin panels, error disclosure)"),
|
||||
flagSet.BoolVar(&settings.LFI, "lfi", false, "Enable LFI (Local File Inclusion) reconnaissance"),
|
||||
flagSet.BoolVar(&settings.JWT, "jwt", false, "Enable JWT discovery + offline weakness analysis"),
|
||||
flagSet.BoolVar(&settings.OpenAPI, "openapi", false, "Enable OpenAPI/Swagger spec exposure probe"),
|
||||
flagSet.BoolVar(&settings.Favicon, "favicon", false, "Enable favicon hash fingerprinting (shodan-style)"),
|
||||
flagSet.BoolVar(&settings.CORS, "cors", false, "Enable CORS misconfiguration probe"),
|
||||
flagSet.BoolVar(&settings.Redirect, "redirect", false, "Enable open redirect probe"),
|
||||
flagSet.BoolVar(&settings.XSS, "xss", false, "Enable reflected XSS probe"),
|
||||
flagSet.BoolVar(&settings.Framework, "framework", false, "Enable framework detection"),
|
||||
flagSet.BoolVar(&settings.Crawl, "crawl", false, "Enable web crawling (spider same-host links/scripts/forms)"),
|
||||
flagSet.IntVar(&settings.CrawlDepth, "crawl-depth", defaultCrawlDepth, "Max crawl recursion depth"),
|
||||
flagSet.BoolVar(&settings.Passive, "passive", false, "Enable passive subdomain/url discovery (zero traffic to target)"),
|
||||
flagSet.BoolVar(&settings.Probe, "probe", false, "Probe the target for liveness (status, title, server, redirect chain)"),
|
||||
)
|
||||
|
||||
flagSet.CreateGroup("runtime", "Runtime",
|
||||
@@ -106,11 +171,33 @@ func Parse() *Settings {
|
||||
flagSet.DurationVarP(&settings.Timeout, "timeout", "t", 10*time.Second, "HTTP request timeout"),
|
||||
flagSet.StringVarP(&settings.LogDir, "log", "l", "", "Directory to store logs in"),
|
||||
flagSet.IntVar(&settings.Threads, "threads", 10, "Number of threads to run scans on"),
|
||||
flagSet.StringVar(&settings.Template, "template", "", "Sif runtime template to use"),
|
||||
flagSet.StringVar(&settings.Template, "template", "", "Load scan settings from a template (preset minimal/recon/full, or a local yaml file)"),
|
||||
)
|
||||
|
||||
flagSet.CreateGroup("http", "HTTP",
|
||||
flagSet.StringVar(&settings.Proxy, "proxy", "", "Proxy for all requests (http/https/socks5 url)"),
|
||||
flagSet.StringSliceVarP(&settings.Header, "header", "H", nil, "Custom header to send (repeatable or comma-separated, \"Key: Value\")", goflags.CommaSeparatedStringSliceOptions),
|
||||
flagSet.StringVar(&settings.Cookie, "cookie", "", "Cookie header to send with every request"),
|
||||
flagSet.IntVar(&settings.RateLimit, "rate-limit", 0, "Max requests per second (0 = unlimited)"),
|
||||
flagSet.IntVar(&settings.MaxRetries, "max-retries", 2, "Retries on 429/503 with Retry-After backoff (0 = off)"),
|
||||
)
|
||||
|
||||
flagSet.CreateGroup("output", "Output",
|
||||
flagSet.StringVar(&settings.SARIF, "sarif", "", "Write a SARIF 2.1.0 report to this file"),
|
||||
flagSet.StringVarP(&settings.Markdown, "markdown", "md", "", "Write a markdown report to this file"),
|
||||
flagSet.BoolVar(&settings.Silent, "silent", false, "Plain output: chrome to stderr, one finding per line to stdout (for pipelines)"),
|
||||
flagSet.BoolVar(&settings.Diff, "diff", false, "Diff mode: surface only findings added/removed since the last snapshot of each target"),
|
||||
flagSet.StringVar(&settings.Store, "store", "", "Snapshot directory for -diff (default: log dir, else <user-config>/sif/state)"),
|
||||
)
|
||||
|
||||
flagSet.CreateGroup("notify", "Notify",
|
||||
flagSet.BoolVar(&settings.Notify, "notify", false, "Ship findings to configured providers (slack/discord/telegram/webhook)"),
|
||||
flagSet.StringVar(&settings.NotifySeverity, "notify-severity", defaultNotifySeverity, "Minimum severity to notify on (info/low/medium/high/critical)"),
|
||||
flagSet.StringVar(&settings.NotifyConfig, "notify-config", "", "Path to a notify-compatible yaml config (overrides env vars)"),
|
||||
)
|
||||
|
||||
flagSet.CreateGroup("api", "API",
|
||||
flagSet.BoolVar(&settings.ApiMode, "api", false, "Enable API mode. Only useful for internal lunchcat usage"),
|
||||
flagSet.BoolVar(&settings.ApiMode, "api", false, "Enable API mode. Only useful for internal usage"),
|
||||
)
|
||||
|
||||
flagSet.CreateGroup("modules", "Modules",
|
||||
@@ -120,8 +207,38 @@ func Parse() *Settings {
|
||||
flagSet.BoolVarP(&settings.ListModules, "list-modules", "lm", false, "List available modules and exit"),
|
||||
)
|
||||
|
||||
if err := flagSet.Parse(); err != nil {
|
||||
log.Fatalf("Could not parse flags: %s", err)
|
||||
return flagSet
|
||||
}
|
||||
|
||||
func Parse() *Settings {
|
||||
settings := &Settings{}
|
||||
flagSet := registerFlags(settings)
|
||||
|
||||
// -template presets a batch of scans from a yaml file or named preset; point
|
||||
// goflags at it before Parse so it merges as config (cli flags still win) and
|
||||
// replaces the ambient config for this run.
|
||||
templatePath, cleanup, err := templateConfigPath(os.Args[1:])
|
||||
if err != nil {
|
||||
log.Fatalf("Could not load template: %s", err)
|
||||
}
|
||||
if templatePath != "" {
|
||||
flagSet.SetConfigFilePath(templatePath)
|
||||
}
|
||||
|
||||
// Parse merges the template config synchronously, so a temp preset file can
|
||||
// be removed right after, before any fatal exit (no leaking defer).
|
||||
parseErr := flagSet.Parse()
|
||||
if cleanup != nil {
|
||||
cleanup()
|
||||
}
|
||||
if parseErr != nil {
|
||||
log.Fatalf("Could not parse flags: %s", parseErr)
|
||||
}
|
||||
|
||||
// threads feeds wg.Add directly; floor it so 0 isn't a silent no-op and a
|
||||
// negative value can't panic the waitgroup.
|
||||
if settings.Threads < minThreads {
|
||||
settings.Threads = minThreads
|
||||
}
|
||||
|
||||
return settings
|
||||
|
||||
@@ -61,6 +61,14 @@ func TestSettingsDefaults(t *testing.T) {
|
||||
if settings.Ports != "" {
|
||||
t.Errorf("expected Ports default to be empty, got %v", settings.Ports)
|
||||
}
|
||||
|
||||
// diff mode is opt-in and its store dir defaults empty (resolved at runtime).
|
||||
if settings.Diff != false {
|
||||
t.Errorf("expected Diff default to be false, got %v", settings.Diff)
|
||||
}
|
||||
if settings.Store != "" {
|
||||
t.Errorf("expected Store default to be empty, got %v", settings.Store)
|
||||
}
|
||||
}
|
||||
|
||||
func TestSettingsNoScanBehavior(t *testing.T) {
|
||||
|
||||
@@ -0,0 +1,116 @@
|
||||
/*
|
||||
·━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━·
|
||||
: :
|
||||
: █▀ █ █▀▀ · Blazing-fast pentesting suite :
|
||||
: ▄█ █ █▀ · BSD 3-Clause License :
|
||||
: :
|
||||
: (c) 2022-2026 vmfunc, xyzeva, :
|
||||
: lunchcat alumni & contributors :
|
||||
: :
|
||||
·━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━·
|
||||
*/
|
||||
|
||||
package config
|
||||
|
||||
import (
|
||||
"embed"
|
||||
"fmt"
|
||||
"os"
|
||||
"strings"
|
||||
)
|
||||
|
||||
//go:embed templates/*.yaml
|
||||
var embeddedTemplates embed.FS
|
||||
|
||||
// presetNames are the templates shipped in the binary, listed in help and
|
||||
// error text. each presets a batch of scans without listing every flag.
|
||||
var presetNames = []string{"minimal", "recon", "full"}
|
||||
|
||||
// templateConfigPath resolves the -template value into a config file path for
|
||||
// goflags to merge, plus a cleanup to run after Parse (embedded presets are
|
||||
// written to a temp file). it returns "" when -template is unset.
|
||||
func templateConfigPath(args []string) (string, func(), error) {
|
||||
value := templateFlagValue(args)
|
||||
if value == "" {
|
||||
return "", nil, nil
|
||||
}
|
||||
return resolveTemplate(value)
|
||||
}
|
||||
|
||||
// templateFlagValue pulls the -template value out of raw args; the config path
|
||||
// has to be known before Parse, so it cannot come from the parsed flag itself.
|
||||
func templateFlagValue(args []string) string {
|
||||
for i, arg := range args {
|
||||
if arg == "-template" || arg == "--template" {
|
||||
if i+1 < len(args) {
|
||||
return args[i+1]
|
||||
}
|
||||
return ""
|
||||
}
|
||||
if v, ok := strings.CutPrefix(arg, "-template="); ok {
|
||||
return v
|
||||
}
|
||||
if v, ok := strings.CutPrefix(arg, "--template="); ok {
|
||||
return v
|
||||
}
|
||||
}
|
||||
return ""
|
||||
}
|
||||
|
||||
// resolveTemplate turns the -template value into a config file path. an existing
|
||||
// local file wins; a named preset is materialized from the embedded set; a
|
||||
// path-shaped miss or an unknown name is a hard error.
|
||||
func resolveTemplate(value string) (string, func(), error) {
|
||||
info, err := os.Stat(value) //nolint:gosec // G304: user-supplied local template path, by design (same as the -f/-w wordlist paths)
|
||||
switch {
|
||||
case err == nil && info.IsDir():
|
||||
return "", nil, fmt.Errorf("template path %q is a directory", value)
|
||||
case err == nil:
|
||||
return value, nil, nil
|
||||
}
|
||||
if data, ok := embeddedPreset(value); ok {
|
||||
return materializePreset(data)
|
||||
}
|
||||
if looksLikePath(value) {
|
||||
return "", nil, fmt.Errorf("template file %q not found", value)
|
||||
}
|
||||
return "", nil, fmt.Errorf("unknown template %q; use a local yaml file or one of: %s",
|
||||
value, strings.Join(presetNames, ", "))
|
||||
}
|
||||
|
||||
// embeddedPreset returns the bytes of a named preset shipped in the binary.
|
||||
func embeddedPreset(name string) ([]byte, bool) {
|
||||
data, err := embeddedTemplates.ReadFile("templates/" + name + ".yaml")
|
||||
if err != nil {
|
||||
return nil, false
|
||||
}
|
||||
return data, true
|
||||
}
|
||||
|
||||
// materializePreset writes preset bytes to a temp file so goflags, which merges
|
||||
// a config by path, can read it; the cleanup removes the file after Parse.
|
||||
func materializePreset(data []byte) (string, func(), error) {
|
||||
file, err := os.CreateTemp("", "sif-template-*.yaml")
|
||||
if err != nil {
|
||||
return "", nil, err
|
||||
}
|
||||
cleanup := func() { _ = os.Remove(file.Name()) }
|
||||
if _, err := file.Write(data); err != nil {
|
||||
cleanup()
|
||||
return "", nil, err
|
||||
}
|
||||
if err := file.Close(); err != nil {
|
||||
cleanup()
|
||||
return "", nil, err
|
||||
}
|
||||
return file.Name(), cleanup, nil
|
||||
}
|
||||
|
||||
// looksLikePath reports whether the value addresses a file rather than a named
|
||||
// preset: a path separator or a yaml suffix marks a file.
|
||||
func looksLikePath(value string) bool {
|
||||
if strings.ContainsAny(value, `/\`) {
|
||||
return true
|
||||
}
|
||||
return strings.HasSuffix(value, ".yaml") || strings.HasSuffix(value, ".yml")
|
||||
}
|
||||
@@ -0,0 +1,211 @@
|
||||
/*
|
||||
·━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━·
|
||||
: :
|
||||
: █▀ █ █▀▀ · Blazing-fast pentesting suite :
|
||||
: ▄█ █ █▀ · BSD 3-Clause License :
|
||||
: :
|
||||
: (c) 2022-2026 vmfunc, xyzeva, :
|
||||
: lunchcat alumni & contributors :
|
||||
: :
|
||||
·━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━·
|
||||
*/
|
||||
|
||||
package config
|
||||
|
||||
import (
|
||||
"flag"
|
||||
"os"
|
||||
"path/filepath"
|
||||
"testing"
|
||||
|
||||
"github.com/projectdiscovery/goflags"
|
||||
"gopkg.in/yaml.v3"
|
||||
)
|
||||
|
||||
// writeTemplate drops a yaml template in a temp dir and returns its path.
|
||||
func writeTemplate(t *testing.T, body string) string {
|
||||
t.Helper()
|
||||
path := filepath.Join(t.TempDir(), "tmpl.yaml")
|
||||
if err := os.WriteFile(path, []byte(body), 0o600); err != nil {
|
||||
t.Fatalf("write template: %s", err)
|
||||
}
|
||||
return path
|
||||
}
|
||||
|
||||
// loadPreset registers the real flags, merges the named embedded preset, and
|
||||
// returns the resulting settings (no cli scan flags set).
|
||||
func loadPreset(t *testing.T, name string) *Settings {
|
||||
t.Helper()
|
||||
goflags.DisableAutoConfigMigration = true
|
||||
path, cleanup, err := resolveTemplate(name)
|
||||
if err != nil {
|
||||
t.Fatalf("resolve %s: %s", name, err)
|
||||
}
|
||||
if cleanup != nil {
|
||||
defer cleanup()
|
||||
}
|
||||
settings := &Settings{}
|
||||
flagSet := registerFlags(settings)
|
||||
flagSet.SetConfigFilePath(path)
|
||||
if err := flagSet.Parse("-silent"); err != nil {
|
||||
t.Fatalf("parse %s: %s", name, err)
|
||||
}
|
||||
return settings
|
||||
}
|
||||
|
||||
// every key in an embedded preset must be a real flag long-name. goflags drops
|
||||
// unknown config keys silently, so a typo would otherwise ship as a dead no-op.
|
||||
func TestPresetKeysAreRegisteredFlags(t *testing.T) {
|
||||
valid := map[string]bool{}
|
||||
registerFlags(&Settings{}).CommandLine.VisitAll(func(f *flag.Flag) {
|
||||
valid[f.Name] = true
|
||||
})
|
||||
|
||||
for _, name := range presetNames {
|
||||
data, ok := embeddedPreset(name)
|
||||
if !ok {
|
||||
t.Errorf("preset %q is not embedded", name)
|
||||
continue
|
||||
}
|
||||
var keys map[string]any
|
||||
if err := yaml.Unmarshal(data, &keys); err != nil {
|
||||
t.Errorf("preset %q is not valid yaml: %s", name, err)
|
||||
continue
|
||||
}
|
||||
for key := range keys {
|
||||
if !valid[key] {
|
||||
t.Errorf("preset %q references unknown flag %q", name, key)
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
func TestPresetMinimal(t *testing.T) {
|
||||
s := loadPreset(t, "minimal")
|
||||
if !s.Probe || !s.Headers || !s.Favicon {
|
||||
t.Errorf("minimal should enable probe/headers/favicon, got probe=%v headers=%v favicon=%v",
|
||||
s.Probe, s.Headers, s.Favicon)
|
||||
}
|
||||
if s.XSS || s.SQL || s.Nuclei {
|
||||
t.Error("minimal should not enable heavy or intrusive scans")
|
||||
}
|
||||
}
|
||||
|
||||
func TestPresetReconIsNonIntrusive(t *testing.T) {
|
||||
s := loadPreset(t, "recon")
|
||||
if !s.Passive || !s.Whois || !s.CMS || !s.Probe {
|
||||
t.Errorf("recon should enable passive/whois/cms/probe, got %v/%v/%v/%v",
|
||||
s.Passive, s.Whois, s.CMS, s.Probe)
|
||||
}
|
||||
if s.XSS || s.SQL || s.LFI || s.Redirect {
|
||||
t.Errorf("recon must not enable payload-injecting scans: xss=%v sql=%v lfi=%v redirect=%v",
|
||||
s.XSS, s.SQL, s.LFI, s.Redirect)
|
||||
}
|
||||
}
|
||||
|
||||
func TestPresetFull(t *testing.T) {
|
||||
s := loadPreset(t, "full")
|
||||
if !s.XSS || !s.SQL || !s.LFI || !s.Redirect {
|
||||
t.Error("full should enable the intrusive scans")
|
||||
}
|
||||
if s.Dirlist != "large" || s.Ports != "full" {
|
||||
t.Errorf("full should set dirlist=large ports=full, got dirlist=%q ports=%q",
|
||||
s.Dirlist, s.Ports)
|
||||
}
|
||||
}
|
||||
|
||||
// the template merges as the goflags config: it fills flags left at their
|
||||
// default, an explicit cli flag still wins, and an untouched flag stays put.
|
||||
func TestTemplateConfigPrecedence(t *testing.T) {
|
||||
goflags.DisableAutoConfigMigration = true
|
||||
tmpl := writeTemplate(t, "cms: true\nthreads: 99\n")
|
||||
|
||||
var cms, sql bool
|
||||
var threads int
|
||||
flagSet := goflags.NewFlagSet()
|
||||
flagSet.BoolVar(&cms, "cms", false, "")
|
||||
flagSet.BoolVar(&sql, "sql", false, "")
|
||||
flagSet.IntVar(&threads, "threads", 10, "")
|
||||
|
||||
flagSet.SetConfigFilePath(tmpl)
|
||||
if err := flagSet.Parse("-threads", "5"); err != nil {
|
||||
t.Fatalf("parse: %s", err)
|
||||
}
|
||||
|
||||
if !cms {
|
||||
t.Error("expected template to set cms=true")
|
||||
}
|
||||
if threads != 5 {
|
||||
t.Errorf("expected cli threads 5 to win over template, got %d", threads)
|
||||
}
|
||||
if sql {
|
||||
t.Error("expected sql left untouched to stay false")
|
||||
}
|
||||
}
|
||||
|
||||
func TestTemplateFlagValue(t *testing.T) {
|
||||
cases := []struct {
|
||||
name string
|
||||
args []string
|
||||
want string
|
||||
}{
|
||||
{"long with space", []string{"-template", "a.yaml"}, "a.yaml"},
|
||||
{"double dash with space", []string{"--template", "b.yaml"}, "b.yaml"},
|
||||
{"long with equals", []string{"-template=c.yaml"}, "c.yaml"},
|
||||
{"double dash with equals", []string{"--template=d.yaml"}, "d.yaml"},
|
||||
{"absent", []string{"-u", "x"}, ""},
|
||||
{"trailing without value", []string{"-u", "x", "-template"}, ""},
|
||||
}
|
||||
for _, tc := range cases {
|
||||
t.Run(tc.name, func(t *testing.T) {
|
||||
if got := templateFlagValue(tc.args); got != tc.want {
|
||||
t.Errorf("expected %q, got %q", tc.want, got)
|
||||
}
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
func TestResolveTemplateExistingFile(t *testing.T) {
|
||||
path := writeTemplate(t, "cms: true\n")
|
||||
got, cleanup, err := resolveTemplate(path)
|
||||
if cleanup != nil {
|
||||
defer cleanup()
|
||||
}
|
||||
if err != nil {
|
||||
t.Fatalf("resolveTemplate: %s", err)
|
||||
}
|
||||
if got != path {
|
||||
t.Errorf("expected %q, got %q", path, got)
|
||||
}
|
||||
}
|
||||
|
||||
func TestResolveTemplateNamedPreset(t *testing.T) {
|
||||
path, cleanup, err := resolveTemplate("recon")
|
||||
if cleanup != nil {
|
||||
defer cleanup()
|
||||
}
|
||||
if err != nil {
|
||||
t.Fatalf("recon preset should resolve: %s", err)
|
||||
}
|
||||
if path == "" {
|
||||
t.Fatal("expected a materialized preset path")
|
||||
}
|
||||
}
|
||||
|
||||
func TestResolveTemplateMissingFile(t *testing.T) {
|
||||
if _, _, err := resolveTemplate("./does-not-exist.yaml"); err == nil {
|
||||
t.Fatal("expected an error for a missing template file")
|
||||
}
|
||||
}
|
||||
|
||||
func TestResolveTemplateDirectory(t *testing.T) {
|
||||
if _, _, err := resolveTemplate(t.TempDir()); err == nil {
|
||||
t.Fatal("expected an error for a directory")
|
||||
}
|
||||
}
|
||||
|
||||
func TestResolveTemplateUnknownName(t *testing.T) {
|
||||
if _, _, err := resolveTemplate("bogus"); err == nil {
|
||||
t.Fatal("expected an error for an unknown template name")
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,28 @@
|
||||
# full: thorough and active, including intrusive probes that inject payloads
|
||||
# (xss, sql, lfi, redirect). api-key scans (shodan, securitytrails) stay opt-in
|
||||
# via their own flags.
|
||||
passive: true
|
||||
whois: true
|
||||
dork: true
|
||||
favicon: true
|
||||
headers: true
|
||||
security-headers: true
|
||||
cms: true
|
||||
framework: true
|
||||
probe: true
|
||||
git: true
|
||||
js: true
|
||||
nuclei: true
|
||||
openapi: true
|
||||
cors: true
|
||||
jwt: true
|
||||
c3: true
|
||||
st: true
|
||||
crawl: true
|
||||
sql: true
|
||||
lfi: true
|
||||
xss: true
|
||||
redirect: true
|
||||
dirlist: large
|
||||
dnslist: large
|
||||
ports: full
|
||||
@@ -0,0 +1,4 @@
|
||||
# minimal: fast liveness + fingerprint, a handful of benign GETs per target.
|
||||
probe: true
|
||||
headers: true
|
||||
favicon: true
|
||||
@@ -0,0 +1,11 @@
|
||||
# recon: broad non-intrusive discovery (light traffic, no attack payloads).
|
||||
passive: true
|
||||
whois: true
|
||||
dork: true
|
||||
favicon: true
|
||||
headers: true
|
||||
security-headers: true
|
||||
cms: true
|
||||
framework: true
|
||||
probe: true
|
||||
dnslist: small
|
||||
@@ -0,0 +1,270 @@
|
||||
/*
|
||||
·━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━·
|
||||
: :
|
||||
: █▀ █ █▀▀ · Blazing-fast pentesting suite :
|
||||
: ▄█ █ █▀ · BSD 3-Clause License :
|
||||
: :
|
||||
: (c) 2022-2026 vmfunc, xyzeva, :
|
||||
: lunchcat alumni & contributors :
|
||||
: :
|
||||
·━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━·
|
||||
*/
|
||||
|
||||
// Package dnsx resolves subdomain candidates against a bundled resolver pool
|
||||
// before anything is probed over http, so the slow/inaccurate path of HTTP-ing
|
||||
// every wordlist entry through the OS resolver is gone. it also fingerprints
|
||||
// wildcard zones (a zone that answers every random label) so a catch-all
|
||||
// nameserver can't flood the caller with phantom subdomains.
|
||||
package dnsx
|
||||
|
||||
import (
|
||||
"crypto/rand"
|
||||
"fmt"
|
||||
"math/big"
|
||||
"sort"
|
||||
"strings"
|
||||
|
||||
retryabledns "github.com/projectdiscovery/retryabledns"
|
||||
)
|
||||
|
||||
// bundled default resolver pool. anycast cloudflare/google/quad9 - fast, public,
|
||||
// and unlikely to rate-limit a recon sweep. -resolvers overrides this set.
|
||||
const (
|
||||
resolverCloudflare = "1.1.1.1:53"
|
||||
resolverGoogle = "8.8.8.8:53"
|
||||
resolverQuad9 = "9.9.9.9:53"
|
||||
)
|
||||
|
||||
// defaultResolvers is the bundled pool used when the caller passes none.
|
||||
var defaultResolvers = []string{resolverCloudflare, resolverGoogle, resolverQuad9}
|
||||
|
||||
const (
|
||||
// defaultRetries is how many times retryabledns rotates through the pool on a
|
||||
// timeout before giving up on a name. low enough to stay fast on a big list.
|
||||
defaultRetries = 3
|
||||
|
||||
// wildcardProbes is how many random nonexistent labels we resolve to
|
||||
// fingerprint a wildcard zone. more samples make a rotating catch-all (one
|
||||
// that hands back a different ip per query) harder to miss, but each is a
|
||||
// real lookup so this stays small.
|
||||
wildcardProbes = 3
|
||||
|
||||
// randomLabelLen is the length of each random wildcard-probe label. long
|
||||
// enough that a collision with a real host is astronomically unlikely.
|
||||
randomLabelLen = 16
|
||||
)
|
||||
|
||||
// randomLabelAlphabet is the lowercase-alnum set wildcard probe labels draw
|
||||
// from; a valid dns label so the query isn't rejected before it leaves.
|
||||
const randomLabelAlphabet = "abcdefghijklmnopqrstuvwxyz0123456789"
|
||||
|
||||
// defaultDNSPort is appended to any resolver entry given without an explicit
|
||||
// port, so "1.1.1.1" and "1.1.1.1:53" both work on the cli.
|
||||
const defaultDNSPort = "53"
|
||||
|
||||
// ParseResolvers splits a comma list of resolvers into a normalized slice,
|
||||
// appending the default port to bare ips/hosts. an empty or blank input returns
|
||||
// nil so the caller falls back to the bundled pool.
|
||||
func ParseResolvers(raw string) []string {
|
||||
if strings.TrimSpace(raw) == "" {
|
||||
return nil
|
||||
}
|
||||
parts := strings.Split(raw, ",")
|
||||
out := make([]string, 0, len(parts))
|
||||
for i := 0; i < len(parts); i++ {
|
||||
entry := strings.TrimSpace(parts[i])
|
||||
if entry == "" {
|
||||
continue
|
||||
}
|
||||
// a bare ip/host gets the default port; an entry already carrying ":port"
|
||||
// (or a bracketed ipv6 literal) is left as-is.
|
||||
if !strings.Contains(entry, ":") {
|
||||
entry += ":" + defaultDNSPort
|
||||
}
|
||||
out = append(out, entry)
|
||||
}
|
||||
|
||||
return out
|
||||
}
|
||||
|
||||
// resolution is the resolved address set for one host. empty Addrs means the
|
||||
// name did not resolve (nxdomain / no records).
|
||||
type resolution struct {
|
||||
Addrs []string
|
||||
}
|
||||
|
||||
// resolved reports whether the name returned any address.
|
||||
func (r resolution) resolved() bool {
|
||||
return len(r.Addrs) > 0
|
||||
}
|
||||
|
||||
// resolverFn is the test seam: every lookup the package makes goes through this
|
||||
// var, so a fake can answer without touching the network. real runs point it at
|
||||
// a retryabledns-backed client via NewResolver.
|
||||
var resolverFn func(host string) (resolution, error)
|
||||
|
||||
// Resolver resolves candidates against a pool and filters wildcard answers. it
|
||||
// is built once per scan and shared across the worker goroutines; the
|
||||
// underlying retryabledns client is safe for concurrent use.
|
||||
type Resolver struct {
|
||||
// wildcardSigs holds the address sets a wildcard zone answers random labels
|
||||
// with. nil/empty means the zone is not wildcard. a candidate whose answer is
|
||||
// covered by one of these is a catch-all hit, not a real host.
|
||||
wildcardSigs []map[string]struct{}
|
||||
}
|
||||
|
||||
// NewResolver wires resolverFn to a retryabledns client over the given pool
|
||||
// (bundled default when resolvers is empty) and returns a Resolver. it does not
|
||||
// fingerprint anything yet - call FingerprintWildcard with the apex first.
|
||||
func NewResolver(resolvers []string) (*Resolver, error) {
|
||||
pool := resolvers
|
||||
if len(pool) == 0 {
|
||||
pool = defaultResolvers
|
||||
}
|
||||
|
||||
client, err := retryabledns.New(pool, defaultRetries)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("dnsx: build resolver over %v: %w", pool, err)
|
||||
}
|
||||
|
||||
// only install the real client when a test hasn't already injected a fake;
|
||||
// the seam wins so hermetic tests never reach this client.
|
||||
if resolverFn == nil {
|
||||
resolverFn = func(host string) (resolution, error) {
|
||||
data, err := client.Resolve(host)
|
||||
if err != nil {
|
||||
return resolution{}, fmt.Errorf("dnsx: resolve %q: %w", host, err)
|
||||
}
|
||||
return resolution{Addrs: mergeAddrs(data)}, nil
|
||||
}
|
||||
}
|
||||
|
||||
return &Resolver{}, nil
|
||||
}
|
||||
|
||||
// FingerprintWildcard resolves wildcardProbes random labels under apex. any that
|
||||
// answer mean the zone is a catch-all, so their address sets are recorded as
|
||||
// signatures to filter real candidates against later. a clean zone leaves the
|
||||
// signature list empty and nothing gets filtered.
|
||||
func (r *Resolver) FingerprintWildcard(apex string) error {
|
||||
apex = strings.TrimSuffix(apex, ".")
|
||||
for i := 0; i < wildcardProbes; i++ {
|
||||
label, err := randomLabel(randomLabelLen)
|
||||
if err != nil {
|
||||
return fmt.Errorf("dnsx: wildcard probe label: %w", err)
|
||||
}
|
||||
|
||||
res, err := resolverFn(label + "." + apex)
|
||||
if err != nil {
|
||||
// a probe failure (timeout / nxdomain surfaced as error) just means this
|
||||
// sample says "not wildcard"; don't abort the whole fingerprint on it.
|
||||
continue
|
||||
}
|
||||
if res.resolved() {
|
||||
r.wildcardSigs = append(r.wildcardSigs, toSet(res.Addrs))
|
||||
}
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
// Resolve looks up host and reports whether it is a real, non-wildcard hit. a
|
||||
// name that doesn't resolve, or whose answer matches a recorded wildcard
|
||||
// signature, returns false so the caller skips probing it.
|
||||
func (r *Resolver) Resolve(host string) (bool, error) {
|
||||
res, err := resolverFn(host)
|
||||
if err != nil {
|
||||
return false, fmt.Errorf("dnsx: resolve %q: %w", host, err)
|
||||
}
|
||||
if !res.resolved() {
|
||||
return false, nil
|
||||
}
|
||||
if r.isWildcard(res.Addrs) {
|
||||
return false, nil
|
||||
}
|
||||
|
||||
return true, nil
|
||||
}
|
||||
|
||||
// isWildcard reports whether addrs is covered by any recorded wildcard
|
||||
// signature. a candidate whose every address appears in a wildcard answer is a
|
||||
// catch-all hit; a host with even one address outside the signature is a real,
|
||||
// distinct record and survives.
|
||||
func (r *Resolver) isWildcard(addrs []string) bool {
|
||||
if len(r.wildcardSigs) == 0 {
|
||||
return false
|
||||
}
|
||||
for i := 0; i < len(r.wildcardSigs); i++ {
|
||||
if subset(addrs, r.wildcardSigs[i]) {
|
||||
return true
|
||||
}
|
||||
}
|
||||
|
||||
return false
|
||||
}
|
||||
|
||||
// mergeAddrs flattens the A and AAAA answers into one sorted, deduped slice so
|
||||
// two equal answers compare equal regardless of record ordering.
|
||||
func mergeAddrs(data *retryabledns.DNSData) []string {
|
||||
if data == nil {
|
||||
return nil
|
||||
}
|
||||
seen := make(map[string]struct{}, len(data.A)+len(data.AAAA))
|
||||
for i := 0; i < len(data.A); i++ {
|
||||
seen[data.A[i]] = struct{}{}
|
||||
}
|
||||
for i := 0; i < len(data.AAAA); i++ {
|
||||
seen[data.AAAA[i]] = struct{}{}
|
||||
}
|
||||
|
||||
addrs := make([]string, 0, len(seen))
|
||||
for addr := range seen {
|
||||
addrs = append(addrs, addr)
|
||||
}
|
||||
sort.Strings(addrs)
|
||||
|
||||
return addrs
|
||||
}
|
||||
|
||||
// toSet turns addrs into a lookup set for subset checks.
|
||||
func toSet(addrs []string) map[string]struct{} {
|
||||
set := make(map[string]struct{}, len(addrs))
|
||||
for i := 0; i < len(addrs); i++ {
|
||||
set[addrs[i]] = struct{}{}
|
||||
}
|
||||
|
||||
return set
|
||||
}
|
||||
|
||||
// subset reports whether every addr is present in sig (and addrs is non-empty);
|
||||
// an empty addrs can't be a wildcard match.
|
||||
func subset(addrs []string, sig map[string]struct{}) bool {
|
||||
if len(addrs) == 0 {
|
||||
return false
|
||||
}
|
||||
for i := 0; i < len(addrs); i++ {
|
||||
if _, ok := sig[addrs[i]]; !ok {
|
||||
return false
|
||||
}
|
||||
}
|
||||
|
||||
return true
|
||||
}
|
||||
|
||||
// randomLabel returns a cryptographically-random lowercase-alnum dns label of
|
||||
// length n. crypto/rand (not math/rand) so a target can't predict the probe
|
||||
// labels and special-case them to defeat wildcard detection.
|
||||
func randomLabel(n int) (string, error) {
|
||||
var b strings.Builder
|
||||
b.Grow(n)
|
||||
alphabetLen := big.NewInt(int64(len(randomLabelAlphabet)))
|
||||
for i := 0; i < n; i++ {
|
||||
idx, err := rand.Int(rand.Reader, alphabetLen)
|
||||
if err != nil {
|
||||
return "", fmt.Errorf("dnsx: random index: %w", err)
|
||||
}
|
||||
b.WriteByte(randomLabelAlphabet[idx.Int64()])
|
||||
}
|
||||
|
||||
return b.String(), nil
|
||||
}
|
||||
@@ -0,0 +1,176 @@
|
||||
/*
|
||||
·━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━·
|
||||
: :
|
||||
: █▀ █ █▀▀ · Blazing-fast pentesting suite :
|
||||
: ▄█ █ █▀ · BSD 3-Clause License :
|
||||
: :
|
||||
: (c) 2022-2026 vmfunc, xyzeva, :
|
||||
: lunchcat alumni & contributors :
|
||||
: :
|
||||
·━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━·
|
||||
*/
|
||||
|
||||
package dnsx
|
||||
|
||||
import (
|
||||
"reflect"
|
||||
"strings"
|
||||
"testing"
|
||||
)
|
||||
|
||||
// withFakeResolver swaps resolverFn for fn for the duration of one test, then
|
||||
// restores it - the seam that keeps every case below network-free.
|
||||
func withFakeResolver(t *testing.T, fn func(host string) (resolution, error)) {
|
||||
t.Helper()
|
||||
orig := resolverFn
|
||||
resolverFn = fn
|
||||
t.Cleanup(func() { resolverFn = orig })
|
||||
}
|
||||
|
||||
// newFingerprinted builds a Resolver and runs the wildcard fingerprint against
|
||||
// apex using the already-injected fake; fatal on error.
|
||||
func newFingerprinted(t *testing.T, apex string) *Resolver {
|
||||
t.Helper()
|
||||
r := &Resolver{}
|
||||
if err := r.FingerprintWildcard(apex); err != nil {
|
||||
t.Fatalf("FingerprintWildcard: %v", err)
|
||||
}
|
||||
|
||||
return r
|
||||
}
|
||||
|
||||
const testApex = "example.com"
|
||||
|
||||
// a host that resolves to a real address, in a clean (non-wildcard) zone, is a
|
||||
// genuine hit.
|
||||
func TestResolve_FoundInCleanZone(t *testing.T) {
|
||||
withFakeResolver(t, func(host string) (resolution, error) {
|
||||
// nothing answers a random wildcard probe -> clean zone.
|
||||
if strings.HasSuffix(host, "."+testApex) && host != "www."+testApex {
|
||||
return resolution{}, nil
|
||||
}
|
||||
if host == "www."+testApex {
|
||||
return resolution{Addrs: []string{"93.184.216.34"}}, nil
|
||||
}
|
||||
return resolution{}, nil
|
||||
})
|
||||
|
||||
r := newFingerprinted(t, testApex)
|
||||
if len(r.wildcardSigs) != 0 {
|
||||
t.Fatalf("clean zone should record no wildcard signatures, got %d", len(r.wildcardSigs))
|
||||
}
|
||||
|
||||
ok, err := r.Resolve("www." + testApex)
|
||||
if err != nil {
|
||||
t.Fatalf("Resolve: %v", err)
|
||||
}
|
||||
if !ok {
|
||||
t.Error("a resolving host in a clean zone should be a hit")
|
||||
}
|
||||
}
|
||||
|
||||
// nxdomain (no addresses) is not a hit, so the caller skips probing it.
|
||||
func TestResolve_NxdomainSkipped(t *testing.T) {
|
||||
withFakeResolver(t, func(string) (resolution, error) {
|
||||
// every name, probes included, returns no records.
|
||||
return resolution{}, nil
|
||||
})
|
||||
|
||||
r := newFingerprinted(t, testApex)
|
||||
|
||||
ok, err := r.Resolve("ghost." + testApex)
|
||||
if err != nil {
|
||||
t.Fatalf("Resolve: %v", err)
|
||||
}
|
||||
if ok {
|
||||
t.Error("an nxdomain host must not count as found")
|
||||
}
|
||||
}
|
||||
|
||||
// a wildcard zone answers the random probe labels, so a candidate that resolves
|
||||
// to the same catch-all address is filtered out.
|
||||
func TestResolve_WildcardFiltered(t *testing.T) {
|
||||
const catchAll = "10.0.0.1"
|
||||
withFakeResolver(t, func(string) (resolution, error) {
|
||||
// the zone answers everything - probes and candidates alike - with one ip.
|
||||
return resolution{Addrs: []string{catchAll}}, nil
|
||||
})
|
||||
|
||||
r := newFingerprinted(t, testApex)
|
||||
if len(r.wildcardSigs) == 0 {
|
||||
t.Fatal("wildcard zone should record at least one signature")
|
||||
}
|
||||
|
||||
ok, err := r.Resolve("anything." + testApex)
|
||||
if err != nil {
|
||||
t.Fatalf("Resolve: %v", err)
|
||||
}
|
||||
if ok {
|
||||
t.Error("a candidate matching the wildcard answer must be filtered")
|
||||
}
|
||||
}
|
||||
|
||||
// a real host in a wildcard zone that resolves to a distinct address (not the
|
||||
// catch-all) still survives the filter - one address outside the signature is
|
||||
// enough to be a genuine record.
|
||||
func TestResolve_DistinctHostSurvivesWildcard(t *testing.T) {
|
||||
const catchAll = "10.0.0.1"
|
||||
const realHost = "api." + testApex
|
||||
withFakeResolver(t, func(host string) (resolution, error) {
|
||||
if host == realHost {
|
||||
return resolution{Addrs: []string{"203.0.113.7"}}, nil
|
||||
}
|
||||
// everything else (probes + other candidates) hits the catch-all.
|
||||
return resolution{Addrs: []string{catchAll}}, nil
|
||||
})
|
||||
|
||||
r := newFingerprinted(t, testApex)
|
||||
if len(r.wildcardSigs) == 0 {
|
||||
t.Fatal("wildcard zone should record at least one signature")
|
||||
}
|
||||
|
||||
ok, err := r.Resolve(realHost)
|
||||
if err != nil {
|
||||
t.Fatalf("Resolve: %v", err)
|
||||
}
|
||||
if !ok {
|
||||
t.Error("a host resolving to a distinct address should survive the wildcard filter")
|
||||
}
|
||||
}
|
||||
|
||||
func TestParseResolvers(t *testing.T) {
|
||||
tests := []struct {
|
||||
name string
|
||||
in string
|
||||
want []string
|
||||
}{
|
||||
{"empty falls back to bundled", "", nil},
|
||||
{"blank falls back to bundled", " ", nil},
|
||||
{"bare ips get default port", "1.1.1.1,8.8.8.8", []string{"1.1.1.1:53", "8.8.8.8:53"}},
|
||||
{"explicit port preserved", "9.9.9.9:5353", []string{"9.9.9.9:5353"}},
|
||||
{"whitespace and empties trimmed", " 1.1.1.1 , ,8.8.8.8 ", []string{"1.1.1.1:53", "8.8.8.8:53"}},
|
||||
{"mixed bare and ported", "1.1.1.1,9.9.9.9:5353", []string{"1.1.1.1:53", "9.9.9.9:5353"}},
|
||||
}
|
||||
|
||||
for _, tt := range tests {
|
||||
t.Run(tt.name, func(t *testing.T) {
|
||||
if got := ParseResolvers(tt.in); !reflect.DeepEqual(got, tt.want) {
|
||||
t.Errorf("ParseResolvers(%q) = %v, want %v", tt.in, got, tt.want)
|
||||
}
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
func TestNewResolver_DefaultsToBundledPool(t *testing.T) {
|
||||
// keep the seam already installed so New doesn't replace it with a real
|
||||
// client; we only assert the constructor accepts an empty override.
|
||||
withFakeResolver(t, func(string) (resolution, error) { return resolution{}, nil })
|
||||
|
||||
r, err := NewResolver(nil)
|
||||
if err != nil {
|
||||
t.Fatalf("NewResolver(nil): %v", err)
|
||||
}
|
||||
if r == nil {
|
||||
t.Fatal("NewResolver returned nil resolver")
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,730 @@
|
||||
/*
|
||||
·━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━·
|
||||
: :
|
||||
: █▀ █ █▀▀ · Blazing-fast pentesting suite :
|
||||
: ▄█ █ █▀ · BSD 3-Clause License :
|
||||
: :
|
||||
: (c) 2022-2026 vmfunc, xyzeva, :
|
||||
: lunchcat alumni & contributors :
|
||||
: :
|
||||
·━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━·
|
||||
*/
|
||||
|
||||
// Package finding is the one normalization layer between the scan results and
|
||||
// the consumers that don't want to know about ~two dozen result structs: notify
|
||||
// (later) gates and renders on it, diff (later) keys runs off it. Flatten is the
|
||||
// single type-switch; adding a scanner without teaching Flatten about it trips
|
||||
// the guard test in flatten_test.go, on purpose.
|
||||
package finding
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
"strings"
|
||||
|
||||
"github.com/projectdiscovery/nuclei/v3/pkg/output"
|
||||
"github.com/vmfunc/sif/internal/modules"
|
||||
"github.com/vmfunc/sif/internal/scan"
|
||||
"github.com/vmfunc/sif/internal/scan/frameworks"
|
||||
"github.com/vmfunc/sif/internal/scan/js"
|
||||
)
|
||||
|
||||
// Finding is the normalized shape every scanner result collapses to. one
|
||||
// Finding is one underlying item (a single header, one cors hit, one nuclei
|
||||
// match) rather than a whole module's blob, so consumers diff and notify at
|
||||
// item granularity.
|
||||
type Finding struct {
|
||||
Target string // the url/host the scan ran against
|
||||
Module string // the ResultType() of the source scanner
|
||||
Severity Severity // ranked severity, SeverityUnknown when the source has none
|
||||
Key string // stable identity for dedup/diff: module + ":" + identifier
|
||||
Title string // short human label
|
||||
Raw string // short evidence string, not the full body
|
||||
}
|
||||
|
||||
// Line renders a finding as one stable, terse, machine-friendly line for the
|
||||
// -silent plain sink: "[severity] target module title". no styling, no color -
|
||||
// a downstream pipe (notify, grep, awk) keys off the bracketed severity and the
|
||||
// fixed field order, so the shape stays frozen. pointer receiver: Finding is
|
||||
// wide enough that copying it per line is wasteful.
|
||||
func (f *Finding) Line() string {
|
||||
return fmt.Sprintf("[%s] %s %s %s", f.Severity, f.Target, f.Module, f.Title)
|
||||
}
|
||||
|
||||
// static per-module severities for results that carry no severity field of
|
||||
// their own. these are the editorial baseline; a scanner that emits its own
|
||||
// severity (cors, xss, nuclei, ...) overrides this on a per-item basis.
|
||||
const (
|
||||
// a live admin panel / takeover / public bucket is high on its own.
|
||||
sevTakeover = SeverityHigh
|
||||
sevPublicS3 = SeverityHigh
|
||||
sevAdminPanel = SeverityHigh
|
||||
// disclosure-grade signals: dberrors, secrets, supabase keys.
|
||||
sevDBError = SeverityMedium
|
||||
sevSecret = SeverityMedium
|
||||
// pure recon/inventory: headers, crawl urls, passive hosts, ports.
|
||||
sevRecon = SeverityInfo
|
||||
)
|
||||
|
||||
// keySep joins the module id and the per-item identifier into a Key. kept as a
|
||||
// const so the diff layer can split on it without re-deriving the separator.
|
||||
const keySep = ":"
|
||||
|
||||
// key builds a stable per-item identity: module:identifier. identifier is
|
||||
// whatever uniquely names the item within its module (a url, a header name, a
|
||||
// subdomain) so the same finding across two runs produces the same Key.
|
||||
func key(module, identifier string) string {
|
||||
return module + keySep + identifier
|
||||
}
|
||||
|
||||
// Flatten normalizes one module's result into zero or more Findings. result is
|
||||
// the raw data carried in a ModuleResult; the type switch covers every scan
|
||||
// result struct. an unrecognized type yields a single SeverityUnknown finding
|
||||
// keyed "module:unhandled" so a new scanner surfaces loudly instead of
|
||||
// vanishing - the guard test asserts this never happens for a known type.
|
||||
func Flatten(target, module string, result any) []Finding {
|
||||
switch r := result.(type) {
|
||||
case *scan.ShodanResult:
|
||||
return flattenShodan(target, r)
|
||||
case *scan.SQLResult:
|
||||
return flattenSQL(target, r)
|
||||
case *scan.LFIResult:
|
||||
return flattenLFI(target, r)
|
||||
case *scan.JWTResult:
|
||||
return flattenJWT(target, r)
|
||||
case *scan.OpenAPIResult:
|
||||
return flattenOpenAPI(target, r)
|
||||
case *scan.FaviconResult:
|
||||
return flattenFavicon(target, r)
|
||||
case *scan.CMSResult:
|
||||
return flattenCMS(target, r)
|
||||
case *scan.SecurityTrailsResult:
|
||||
return flattenSecurityTrails(target, r)
|
||||
case *scan.CORSResult:
|
||||
return flattenCORS(target, r)
|
||||
case *scan.RedirectResult:
|
||||
return flattenRedirect(target, r)
|
||||
case *scan.XSSResult:
|
||||
return flattenXSS(target, r)
|
||||
case *scan.CrawlResult:
|
||||
return flattenCrawl(target, r)
|
||||
case *scan.PassiveResult:
|
||||
return flattenPassive(target, r)
|
||||
case *scan.ProbeResult:
|
||||
return flattenProbe(target, r)
|
||||
case scan.HeaderResults:
|
||||
return flattenHeaders(target, r)
|
||||
case []scan.HeaderResult:
|
||||
// the headers module appends a literal []HeaderResult, not the named
|
||||
// slice type; both reach here so cover both.
|
||||
return flattenHeaders(target, r)
|
||||
case scan.SecurityHeaderResults:
|
||||
return flattenSecurityHeaders(target, r)
|
||||
case []scan.SecurityHeaderResult:
|
||||
return flattenSecurityHeaders(target, r)
|
||||
case scan.DirectoryResults:
|
||||
return flattenDirlist(target, r)
|
||||
case []scan.DirectoryResult:
|
||||
return flattenDirlist(target, r)
|
||||
case scan.CloudStorageResults:
|
||||
return flattenCloudStorage(target, r)
|
||||
case []scan.CloudStorageResult:
|
||||
return flattenCloudStorage(target, r)
|
||||
case scan.DorkResults:
|
||||
return flattenDork(target, r)
|
||||
case []scan.DorkResult:
|
||||
return flattenDork(target, r)
|
||||
case scan.SubdomainTakeoverResults:
|
||||
return flattenTakeover(target, r)
|
||||
case []scan.SubdomainTakeoverResult:
|
||||
return flattenTakeover(target, r)
|
||||
case *frameworks.FrameworkResult:
|
||||
return flattenFramework(target, r)
|
||||
case *js.JavascriptScanResult:
|
||||
return flattenJS(target, r)
|
||||
case *modules.Result:
|
||||
// yaml/builtin modules carry their own module id; honor it over the
|
||||
// passed-in module so per-module findings stay attributed correctly.
|
||||
return flattenModule(target, r)
|
||||
case []output.ResultEvent:
|
||||
return flattenNuclei(target, r)
|
||||
case []string:
|
||||
// dnslist/portscan/git all hand back a bare []string of discovered
|
||||
// items; module disambiguates which inventory it is.
|
||||
return flattenStrings(target, module, r)
|
||||
default:
|
||||
// unknown type: emit a loud placeholder rather than dropping it.
|
||||
return []Finding{{
|
||||
Target: target,
|
||||
Module: module,
|
||||
Severity: SeverityUnknown,
|
||||
Key: key(module, "unhandled"),
|
||||
Title: fmt.Sprintf("unhandled result type %T", result),
|
||||
Raw: fmt.Sprintf("%T", result),
|
||||
}}
|
||||
}
|
||||
}
|
||||
|
||||
func flattenShodan(target string, r *scan.ShodanResult) []Finding {
|
||||
if r == nil {
|
||||
return nil
|
||||
}
|
||||
// one host snapshot -> one inventory finding; vulns are the interesting bit
|
||||
// so they bump severity and ride along in the evidence string.
|
||||
sev := sevRecon
|
||||
if len(r.Vulns) > 0 {
|
||||
sev = SeverityHigh
|
||||
}
|
||||
raw := fmt.Sprintf("%d ports", len(r.Ports))
|
||||
if len(r.Vulns) > 0 {
|
||||
raw = fmt.Sprintf("%s, %d vulns", raw, len(r.Vulns))
|
||||
}
|
||||
return []Finding{{
|
||||
Target: target,
|
||||
Module: "shodan",
|
||||
Severity: sev,
|
||||
Key: key("shodan", r.IP),
|
||||
Title: "shodan host " + r.IP,
|
||||
Raw: raw,
|
||||
}}
|
||||
}
|
||||
|
||||
func flattenSQL(target string, r *scan.SQLResult) []Finding {
|
||||
if r == nil {
|
||||
return nil
|
||||
}
|
||||
out := make([]Finding, 0, len(r.AdminPanels)+len(r.DatabaseErrors)+len(r.ExposedPorts))
|
||||
for i := 0; i < len(r.AdminPanels); i++ {
|
||||
p := r.AdminPanels[i]
|
||||
out = append(out, Finding{
|
||||
Target: target,
|
||||
Module: "sql",
|
||||
Severity: sevAdminPanel,
|
||||
Key: key("sql", "admin:"+p.URL),
|
||||
Title: p.Type + " admin panel",
|
||||
Raw: fmt.Sprintf("%s (%d)", p.URL, p.Status),
|
||||
})
|
||||
}
|
||||
for i := 0; i < len(r.DatabaseErrors); i++ {
|
||||
e := r.DatabaseErrors[i]
|
||||
out = append(out, Finding{
|
||||
Target: target,
|
||||
Module: "sql",
|
||||
Severity: sevDBError,
|
||||
Key: key("sql", "dberr:"+e.URL+":"+e.DatabaseType),
|
||||
Title: e.DatabaseType + " error disclosure",
|
||||
Raw: e.ErrorPattern,
|
||||
})
|
||||
}
|
||||
for i := 0; i < len(r.ExposedPorts); i++ {
|
||||
p := r.ExposedPorts[i]
|
||||
out = append(out, Finding{
|
||||
Target: target,
|
||||
Module: "sql",
|
||||
Severity: SeverityMedium,
|
||||
Key: key("sql", fmt.Sprintf("port:%d", p)),
|
||||
Title: fmt.Sprintf("exposed db port %d", p),
|
||||
Raw: fmt.Sprintf("%d", p),
|
||||
})
|
||||
}
|
||||
return out
|
||||
}
|
||||
|
||||
func flattenLFI(target string, r *scan.LFIResult) []Finding {
|
||||
if r == nil {
|
||||
return nil
|
||||
}
|
||||
out := make([]Finding, 0, len(r.Vulnerabilities))
|
||||
for i := 0; i < len(r.Vulnerabilities); i++ {
|
||||
v := r.Vulnerabilities[i]
|
||||
out = append(out, Finding{
|
||||
Target: target,
|
||||
Module: "lfi",
|
||||
Severity: ParseSeverity(v.Severity),
|
||||
Key: key("lfi", v.URL+":"+v.Parameter),
|
||||
Title: "lfi via " + v.Parameter,
|
||||
Raw: v.Evidence,
|
||||
})
|
||||
}
|
||||
return out
|
||||
}
|
||||
|
||||
func flattenJWT(target string, r *scan.JWTResult) []Finding {
|
||||
if r == nil {
|
||||
return nil
|
||||
}
|
||||
out := make([]Finding, 0, len(r.Tokens))
|
||||
for i := 0; i < len(r.Tokens); i++ {
|
||||
t := r.Tokens[i]
|
||||
// one finding per weakness, not per token: a token with alg:none and a
|
||||
// weak key is two distinct issues a consumer wants to diff separately.
|
||||
for j := 0; j < len(t.Issues); j++ {
|
||||
iss := t.Issues[j]
|
||||
out = append(out, Finding{
|
||||
Target: target,
|
||||
Module: "jwt",
|
||||
Severity: ParseSeverity(iss.Severity),
|
||||
Key: key("jwt", t.Source+":"+iss.Kind),
|
||||
Title: "jwt " + iss.Kind,
|
||||
Raw: iss.Detail,
|
||||
})
|
||||
}
|
||||
}
|
||||
return out
|
||||
}
|
||||
|
||||
func flattenOpenAPI(target string, r *scan.OpenAPIResult) []Finding {
|
||||
if r == nil {
|
||||
return nil
|
||||
}
|
||||
return []Finding{{
|
||||
Target: target,
|
||||
Module: "openapi",
|
||||
Severity: ParseSeverity(r.Severity),
|
||||
Key: key("openapi", r.SpecURL),
|
||||
Title: "openapi spec exposed",
|
||||
Raw: fmt.Sprintf("%s (%d endpoints)", r.SpecURL, len(r.Endpoints)),
|
||||
}}
|
||||
}
|
||||
|
||||
func flattenFavicon(target string, r *scan.FaviconResult) []Finding {
|
||||
if r == nil {
|
||||
return nil
|
||||
}
|
||||
// a matched fingerprint is a real signal; an unmatched hash is just inventory
|
||||
// (still useful as a shodan pivot, so we keep it at recon).
|
||||
sev := sevRecon
|
||||
title := fmt.Sprintf("favicon hash %d", r.Hash)
|
||||
if r.Tech != "" {
|
||||
sev = SeverityLow
|
||||
title = r.Tech + " (favicon)"
|
||||
}
|
||||
return []Finding{{
|
||||
Target: target,
|
||||
Module: "favicon",
|
||||
Severity: sev,
|
||||
Key: key("favicon", fmt.Sprintf("%d", r.Hash)),
|
||||
Title: title,
|
||||
Raw: r.ShodanQ,
|
||||
}}
|
||||
}
|
||||
|
||||
func flattenCMS(target string, r *scan.CMSResult) []Finding {
|
||||
if r == nil || r.Name == "" {
|
||||
return nil
|
||||
}
|
||||
return []Finding{{
|
||||
Target: target,
|
||||
Module: "cms",
|
||||
Severity: sevRecon,
|
||||
Key: key("cms", r.Name),
|
||||
Title: r.Name + " detected",
|
||||
Raw: strings.TrimSpace(r.Name + " " + r.Version),
|
||||
}}
|
||||
}
|
||||
|
||||
func flattenSecurityTrails(target string, r *scan.SecurityTrailsResult) []Finding {
|
||||
if r == nil {
|
||||
return nil
|
||||
}
|
||||
out := make([]Finding, 0, len(r.Subdomains)+len(r.AssociatedDomains))
|
||||
for i := 0; i < len(r.Subdomains); i++ {
|
||||
d := r.Subdomains[i]
|
||||
out = append(out, Finding{
|
||||
Target: target,
|
||||
Module: "securitytrails",
|
||||
Severity: sevRecon,
|
||||
Key: key("securitytrails", "sub:"+d),
|
||||
Title: "subdomain " + d,
|
||||
Raw: d,
|
||||
})
|
||||
}
|
||||
for i := 0; i < len(r.AssociatedDomains); i++ {
|
||||
d := r.AssociatedDomains[i]
|
||||
out = append(out, Finding{
|
||||
Target: target,
|
||||
Module: "securitytrails",
|
||||
Severity: sevRecon,
|
||||
Key: key("securitytrails", "assoc:"+d),
|
||||
Title: "associated domain " + d,
|
||||
Raw: d,
|
||||
})
|
||||
}
|
||||
return out
|
||||
}
|
||||
|
||||
func flattenCORS(target string, r *scan.CORSResult) []Finding {
|
||||
if r == nil {
|
||||
return nil
|
||||
}
|
||||
out := make([]Finding, 0, len(r.Findings))
|
||||
for i := 0; i < len(r.Findings); i++ {
|
||||
f := r.Findings[i]
|
||||
out = append(out, Finding{
|
||||
Target: target,
|
||||
Module: "cors",
|
||||
Severity: ParseSeverity(f.Severity),
|
||||
Key: key("cors", f.URL+":"+f.OriginTested),
|
||||
Title: f.Note,
|
||||
Raw: "allow-origin: " + f.AllowOrigin,
|
||||
})
|
||||
}
|
||||
return out
|
||||
}
|
||||
|
||||
func flattenRedirect(target string, r *scan.RedirectResult) []Finding {
|
||||
if r == nil {
|
||||
return nil
|
||||
}
|
||||
out := make([]Finding, 0, len(r.Findings))
|
||||
for i := 0; i < len(r.Findings); i++ {
|
||||
f := r.Findings[i]
|
||||
out = append(out, Finding{
|
||||
Target: target,
|
||||
Module: "redirect",
|
||||
Severity: ParseSeverity(f.Severity),
|
||||
Key: key("redirect", f.URL+":"+f.Parameter+":"+f.Via),
|
||||
Title: "open redirect via " + f.Parameter,
|
||||
Raw: f.Location,
|
||||
})
|
||||
}
|
||||
return out
|
||||
}
|
||||
|
||||
func flattenXSS(target string, r *scan.XSSResult) []Finding {
|
||||
if r == nil {
|
||||
return nil
|
||||
}
|
||||
out := make([]Finding, 0, len(r.Findings))
|
||||
for i := 0; i < len(r.Findings); i++ {
|
||||
f := r.Findings[i]
|
||||
out = append(out, Finding{
|
||||
Target: target,
|
||||
Module: "xss",
|
||||
Severity: ParseSeverity(f.Severity),
|
||||
Key: key("xss", f.URL+":"+f.Parameter+":"+f.Context),
|
||||
Title: "reflected xss in " + f.Parameter,
|
||||
Raw: strings.Join(f.SurvivedRaw, " "),
|
||||
})
|
||||
}
|
||||
return out
|
||||
}
|
||||
|
||||
func flattenCrawl(target string, r *scan.CrawlResult) []Finding {
|
||||
if r == nil {
|
||||
return nil
|
||||
}
|
||||
out := make([]Finding, 0, len(r.URLs))
|
||||
for i := 0; i < len(r.URLs); i++ {
|
||||
u := r.URLs[i]
|
||||
out = append(out, Finding{
|
||||
Target: target,
|
||||
Module: "crawl",
|
||||
Severity: sevRecon,
|
||||
Key: key("crawl", u),
|
||||
Title: "crawled url",
|
||||
Raw: u,
|
||||
})
|
||||
}
|
||||
return out
|
||||
}
|
||||
|
||||
func flattenPassive(target string, r *scan.PassiveResult) []Finding {
|
||||
if r == nil {
|
||||
return nil
|
||||
}
|
||||
out := make([]Finding, 0, len(r.Subdomains)+len(r.URLs))
|
||||
for i := 0; i < len(r.Subdomains); i++ {
|
||||
s := r.Subdomains[i]
|
||||
out = append(out, Finding{
|
||||
Target: target,
|
||||
Module: "passive",
|
||||
Severity: sevRecon,
|
||||
Key: key("passive", "sub:"+s),
|
||||
Title: "passive subdomain " + s,
|
||||
Raw: s,
|
||||
})
|
||||
}
|
||||
for i := 0; i < len(r.URLs); i++ {
|
||||
u := r.URLs[i]
|
||||
out = append(out, Finding{
|
||||
Target: target,
|
||||
Module: "passive",
|
||||
Severity: sevRecon,
|
||||
Key: key("passive", "url:"+u),
|
||||
Title: "passive url",
|
||||
Raw: u,
|
||||
})
|
||||
}
|
||||
return out
|
||||
}
|
||||
|
||||
func flattenProbe(target string, r *scan.ProbeResult) []Finding {
|
||||
if r == nil || !r.Alive {
|
||||
// a dead probe isn't a finding, just an absent host.
|
||||
return nil
|
||||
}
|
||||
return []Finding{{
|
||||
Target: target,
|
||||
Module: "probe",
|
||||
Severity: sevRecon,
|
||||
Key: key("probe", r.URL),
|
||||
Title: fmt.Sprintf("alive %d", r.StatusCode),
|
||||
Raw: strings.TrimSpace(fmt.Sprintf("%d %s", r.StatusCode, r.Title)),
|
||||
}}
|
||||
}
|
||||
|
||||
func flattenHeaders(target string, rs []scan.HeaderResult) []Finding {
|
||||
out := make([]Finding, 0, len(rs))
|
||||
for i := 0; i < len(rs); i++ {
|
||||
h := rs[i]
|
||||
out = append(out, Finding{
|
||||
Target: target,
|
||||
Module: "headers",
|
||||
Severity: sevRecon,
|
||||
Key: key("headers", h.Name),
|
||||
Title: h.Name,
|
||||
Raw: h.Value,
|
||||
})
|
||||
}
|
||||
return out
|
||||
}
|
||||
|
||||
func flattenSecurityHeaders(target string, rs []scan.SecurityHeaderResult) []Finding {
|
||||
out := make([]Finding, 0, len(rs))
|
||||
for i := 0; i < len(rs); i++ {
|
||||
h := rs[i]
|
||||
out = append(out, Finding{
|
||||
Target: target,
|
||||
Module: "security_headers",
|
||||
Severity: ParseSeverity(h.Severity),
|
||||
Key: key("security_headers", h.Header),
|
||||
Title: h.Header,
|
||||
Raw: h.Note,
|
||||
})
|
||||
}
|
||||
return out
|
||||
}
|
||||
|
||||
// dirInteresting bounds the "noteworthy" 3xx range for a listed directory; a
|
||||
// redirect (>=300) or anything past it is worth more than a plain 200 hit.
|
||||
const dirRedirectFloor = 300
|
||||
|
||||
func flattenDirlist(target string, rs []scan.DirectoryResult) []Finding {
|
||||
out := make([]Finding, 0, len(rs))
|
||||
for i := 0; i < len(rs); i++ {
|
||||
d := rs[i]
|
||||
sev := sevRecon
|
||||
if d.StatusCode >= dirRedirectFloor {
|
||||
sev = SeverityLow
|
||||
}
|
||||
out = append(out, Finding{
|
||||
Target: target,
|
||||
Module: "dirlist",
|
||||
Severity: sev,
|
||||
Key: key("dirlist", d.Url),
|
||||
Title: fmt.Sprintf("%s [%d]", d.Url, d.StatusCode),
|
||||
Raw: fmt.Sprintf("status=%d size=%d", d.StatusCode, d.Size),
|
||||
})
|
||||
}
|
||||
return out
|
||||
}
|
||||
|
||||
func flattenCloudStorage(target string, rs []scan.CloudStorageResult) []Finding {
|
||||
out := make([]Finding, 0, len(rs))
|
||||
for i := 0; i < len(rs); i++ {
|
||||
b := rs[i]
|
||||
sev := sevRecon
|
||||
if b.IsPublic {
|
||||
sev = sevPublicS3
|
||||
}
|
||||
title := "bucket " + b.BucketName
|
||||
if b.IsPublic {
|
||||
title = "public bucket " + b.BucketName
|
||||
}
|
||||
out = append(out, Finding{
|
||||
Target: target,
|
||||
Module: "cloudstorage",
|
||||
Severity: sev,
|
||||
Key: key("cloudstorage", b.BucketName),
|
||||
Title: title,
|
||||
Raw: fmt.Sprintf("public=%t", b.IsPublic),
|
||||
})
|
||||
}
|
||||
return out
|
||||
}
|
||||
|
||||
func flattenDork(target string, rs []scan.DorkResult) []Finding {
|
||||
out := make([]Finding, 0, len(rs))
|
||||
for i := 0; i < len(rs); i++ {
|
||||
d := rs[i]
|
||||
out = append(out, Finding{
|
||||
Target: target,
|
||||
Module: "dork",
|
||||
Severity: sevRecon,
|
||||
Key: key("dork", d.Url),
|
||||
Title: "dork hit",
|
||||
Raw: d.Url,
|
||||
})
|
||||
}
|
||||
return out
|
||||
}
|
||||
|
||||
func flattenTakeover(target string, rs []scan.SubdomainTakeoverResult) []Finding {
|
||||
out := make([]Finding, 0, len(rs))
|
||||
for i := 0; i < len(rs); i++ {
|
||||
t := rs[i]
|
||||
// only the vulnerable ones are findings; a safe cname is noise here.
|
||||
if !t.Vulnerable {
|
||||
continue
|
||||
}
|
||||
out = append(out, Finding{
|
||||
Target: target,
|
||||
Module: "subdomain_takeover",
|
||||
Severity: sevTakeover,
|
||||
Key: key("subdomain_takeover", t.Subdomain),
|
||||
Title: "takeover: " + t.Subdomain,
|
||||
Raw: t.Service,
|
||||
})
|
||||
}
|
||||
return out
|
||||
}
|
||||
|
||||
func flattenFramework(target string, r *frameworks.FrameworkResult) []Finding {
|
||||
if r == nil || r.Name == "" {
|
||||
return nil
|
||||
}
|
||||
// framework risk maps onto severity; an unset risk falls back to recon.
|
||||
sev := ParseSeverity(r.RiskLevel)
|
||||
if sev == SeverityUnknown {
|
||||
sev = sevRecon
|
||||
}
|
||||
raw := strings.TrimSpace(r.Name + " " + r.Version)
|
||||
if len(r.CVEs) > 0 {
|
||||
raw = fmt.Sprintf("%s, %d cves", raw, len(r.CVEs))
|
||||
}
|
||||
return []Finding{{
|
||||
Target: target,
|
||||
Module: "framework",
|
||||
Severity: sev,
|
||||
Key: key("framework", r.Name),
|
||||
Title: r.Name + " detected",
|
||||
Raw: raw,
|
||||
}}
|
||||
}
|
||||
|
||||
func flattenJS(target string, r *js.JavascriptScanResult) []Finding {
|
||||
if r == nil {
|
||||
return nil
|
||||
}
|
||||
supabase := r.SupabaseFindings()
|
||||
out := make([]Finding, 0, len(r.SecretMatches)+len(supabase)+len(r.Endpoints)+len(r.FoundEnvironmentVars))
|
||||
for i := 0; i < len(r.SecretMatches); i++ {
|
||||
s := r.SecretMatches[i]
|
||||
out = append(out, Finding{
|
||||
Target: target,
|
||||
Module: "js",
|
||||
Severity: sevSecret,
|
||||
Key: key("js", "secret:"+s.Rule+":"+s.Source),
|
||||
Title: "secret: " + s.Rule,
|
||||
Raw: s.Source,
|
||||
})
|
||||
}
|
||||
for i := 0; i < len(supabase); i++ {
|
||||
s := supabase[i]
|
||||
// a non-anon role on an exposed key is the real bug; anon is just recon.
|
||||
sev := sevRecon
|
||||
if s.Role != "" && s.Role != "anon" {
|
||||
sev = SeverityHigh
|
||||
}
|
||||
out = append(out, Finding{
|
||||
Target: target,
|
||||
Module: "js",
|
||||
Severity: sev,
|
||||
Key: key("js", "supabase:"+s.ProjectId),
|
||||
Title: "supabase project " + s.ProjectId,
|
||||
Raw: fmt.Sprintf("role=%s collections=%d", s.Role, s.Collections),
|
||||
})
|
||||
}
|
||||
for i := 0; i < len(r.Endpoints); i++ {
|
||||
e := r.Endpoints[i]
|
||||
out = append(out, Finding{
|
||||
Target: target,
|
||||
Module: "js",
|
||||
Severity: sevRecon,
|
||||
Key: key("js", "endpoint:"+e),
|
||||
Title: "js endpoint",
|
||||
Raw: e,
|
||||
})
|
||||
}
|
||||
// env vars are a map; sort-free since the Key carries the name, and diff
|
||||
// keys on the Key not on iteration order.
|
||||
for name, value := range r.FoundEnvironmentVars {
|
||||
out = append(out, Finding{
|
||||
Target: target,
|
||||
Module: "js",
|
||||
Severity: sevSecret,
|
||||
Key: key("js", "env:"+name),
|
||||
Title: "env var " + name,
|
||||
Raw: value,
|
||||
})
|
||||
}
|
||||
return out
|
||||
}
|
||||
|
||||
func flattenModule(target string, r *modules.Result) []Finding {
|
||||
if r == nil {
|
||||
return nil
|
||||
}
|
||||
module := r.ResultType()
|
||||
out := make([]Finding, 0, len(r.Findings))
|
||||
for i := 0; i < len(r.Findings); i++ {
|
||||
f := r.Findings[i]
|
||||
out = append(out, Finding{
|
||||
Target: target,
|
||||
Module: module,
|
||||
Severity: ParseSeverity(f.Severity),
|
||||
Key: key(module, f.URL),
|
||||
Title: module + " finding",
|
||||
Raw: f.Evidence,
|
||||
})
|
||||
}
|
||||
return out
|
||||
}
|
||||
|
||||
func flattenNuclei(target string, events []output.ResultEvent) []Finding {
|
||||
out := make([]Finding, 0, len(events))
|
||||
for i := 0; i < len(events); i++ {
|
||||
e := events[i]
|
||||
// host is the most reliable per-hit identifier; matched-at sharpens it
|
||||
// when several templates fire on one host.
|
||||
ident := e.TemplateID + ":" + e.Host
|
||||
if e.Matched != "" {
|
||||
ident = e.TemplateID + ":" + e.Matched
|
||||
}
|
||||
out = append(out, Finding{
|
||||
Target: target,
|
||||
Module: "nuclei",
|
||||
Severity: ParseSeverity(e.Info.SeverityHolder.Severity.String()),
|
||||
Key: key("nuclei", ident),
|
||||
Title: e.Info.Name,
|
||||
Raw: e.Matched,
|
||||
})
|
||||
}
|
||||
return out
|
||||
}
|
||||
|
||||
func flattenStrings(target, module string, items []string) []Finding {
|
||||
out := make([]Finding, 0, len(items))
|
||||
for i := 0; i < len(items); i++ {
|
||||
v := items[i]
|
||||
out = append(out, Finding{
|
||||
Target: target,
|
||||
Module: module,
|
||||
Severity: sevRecon,
|
||||
Key: key(module, v),
|
||||
Title: module + " item",
|
||||
Raw: v,
|
||||
})
|
||||
}
|
||||
return out
|
||||
}
|
||||
@@ -0,0 +1,383 @@
|
||||
/*
|
||||
·━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━·
|
||||
: :
|
||||
: █▀ █ █▀▀ · Blazing-fast pentesting suite :
|
||||
: ▄█ █ █▀ · BSD 3-Clause License :
|
||||
: :
|
||||
: (c) 2022-2026 vmfunc, xyzeva, :
|
||||
: lunchcat alumni & contributors :
|
||||
: :
|
||||
·━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━·
|
||||
*/
|
||||
|
||||
package finding
|
||||
|
||||
import (
|
||||
"strings"
|
||||
"testing"
|
||||
|
||||
"github.com/projectdiscovery/nuclei/v3/pkg/model"
|
||||
"github.com/projectdiscovery/nuclei/v3/pkg/model/types/severity"
|
||||
"github.com/projectdiscovery/nuclei/v3/pkg/output"
|
||||
"github.com/vmfunc/sif/internal/modules"
|
||||
"github.com/vmfunc/sif/internal/scan"
|
||||
"github.com/vmfunc/sif/internal/scan/frameworks"
|
||||
"github.com/vmfunc/sif/internal/scan/js"
|
||||
)
|
||||
|
||||
// scanResultType mirrors the minimal interface the scan packages implement; the
|
||||
// coverage table below carries a value per ResultType() so a new scanner whose
|
||||
// ResultType isn't represented (or isn't handled by Flatten) trips a failure.
|
||||
type scanResultType interface {
|
||||
ResultType() string
|
||||
}
|
||||
|
||||
// coverageCase is one representative, non-empty instance of a result type plus
|
||||
// its expected module attribution. wantItems is how many findings Flatten must
|
||||
// emit for the populated instance, proving the per-item fan-out works.
|
||||
type coverageCase struct {
|
||||
value any // the result as it reaches Flatten
|
||||
typed scanResultType // same value when it implements ResultType(), else nil
|
||||
module string // module id Flatten should stamp
|
||||
wantItems int // findings the populated instance must produce
|
||||
}
|
||||
|
||||
// coverageCases is the registry the guard checks against. there must be one
|
||||
// entry per distinct ResultType() in the scan tree (plus the raw []string and
|
||||
// nuclei []ResultEvent that flow through the report without a ResultType). add a
|
||||
// scanner without adding it here and TestFlattenCoversEveryResultType fails.
|
||||
func coverageCases() []coverageCase {
|
||||
return []coverageCase{
|
||||
{
|
||||
value: &scan.ShodanResult{IP: "1.2.3.4", Ports: []int{80}, Vulns: []string{"CVE-1"}},
|
||||
typed: &scan.ShodanResult{},
|
||||
module: "shodan",
|
||||
wantItems: 1,
|
||||
},
|
||||
{
|
||||
value: &scan.SQLResult{
|
||||
AdminPanels: []scan.SQLAdminPanel{{URL: "http://x/pma", Type: "phpMyAdmin", Status: 200}},
|
||||
DatabaseErrors: []scan.SQLDatabaseError{{URL: "http://x", DatabaseType: "mysql", ErrorPattern: "syntax"}},
|
||||
ExposedPorts: []int{3306},
|
||||
},
|
||||
typed: &scan.SQLResult{},
|
||||
module: "sql",
|
||||
wantItems: 3,
|
||||
},
|
||||
{
|
||||
value: &scan.LFIResult{Vulnerabilities: []scan.LFIVulnerability{
|
||||
{URL: "http://x", Parameter: "file", Evidence: "root:x", Severity: "high"},
|
||||
}},
|
||||
typed: &scan.LFIResult{},
|
||||
module: "lfi",
|
||||
wantItems: 1,
|
||||
},
|
||||
{
|
||||
value: &scan.JWTResult{Tokens: []scan.JWTToken{{
|
||||
Source: "header:Authorization",
|
||||
Alg: "none",
|
||||
Issues: []scan.JWTIssue{
|
||||
{Kind: "alg:none", Severity: "critical", Detail: "no signature"},
|
||||
{Kind: "missing exp", Severity: "medium", Detail: "no expiry"},
|
||||
},
|
||||
}}},
|
||||
typed: &scan.JWTResult{},
|
||||
module: "jwt",
|
||||
wantItems: 2,
|
||||
},
|
||||
{
|
||||
value: &scan.OpenAPIResult{
|
||||
SpecURL: "http://x/openapi.json",
|
||||
Severity: "high",
|
||||
Endpoints: []scan.OpenAPIEndpoint{{Path: "/users", Method: "GET", Unauth: true}},
|
||||
},
|
||||
typed: &scan.OpenAPIResult{},
|
||||
module: "openapi",
|
||||
wantItems: 1,
|
||||
},
|
||||
{
|
||||
value: &scan.FaviconResult{Hash: 116323821, Tech: "Apache Tomcat", ShodanQ: "http.favicon.hash:116323821"},
|
||||
typed: &scan.FaviconResult{},
|
||||
module: "favicon",
|
||||
wantItems: 1,
|
||||
},
|
||||
{
|
||||
value: &scan.CMSResult{Name: "WordPress", Version: "6.1"},
|
||||
typed: &scan.CMSResult{},
|
||||
module: "cms",
|
||||
wantItems: 1,
|
||||
},
|
||||
{
|
||||
value: &scan.SecurityTrailsResult{Domain: "x.com", Subdomains: []string{"a.x.com"}, AssociatedDomains: []string{"y.com"}},
|
||||
typed: &scan.SecurityTrailsResult{},
|
||||
module: "securitytrails",
|
||||
wantItems: 2,
|
||||
},
|
||||
{
|
||||
value: &scan.CORSResult{Findings: []scan.CORSFinding{{URL: "http://x", OriginTested: "null", AllowOrigin: "null", Severity: "medium", Note: "null origin"}}},
|
||||
typed: &scan.CORSResult{},
|
||||
module: "cors",
|
||||
wantItems: 1,
|
||||
},
|
||||
{
|
||||
value: &scan.RedirectResult{Findings: []scan.RedirectFinding{{URL: "http://x", Parameter: "next", Location: "http://evil", Via: "header", Severity: "medium"}}},
|
||||
typed: &scan.RedirectResult{},
|
||||
module: "redirect",
|
||||
wantItems: 1,
|
||||
},
|
||||
{
|
||||
value: &scan.XSSResult{Findings: []scan.XSSFinding{{URL: "http://x", Parameter: "q", Context: "html", SurvivedRaw: []string{"<"}, Severity: "high"}}},
|
||||
typed: &scan.XSSResult{},
|
||||
module: "xss",
|
||||
wantItems: 1,
|
||||
},
|
||||
{
|
||||
value: &scan.CrawlResult{URLs: []string{"http://x/a"}},
|
||||
typed: &scan.CrawlResult{},
|
||||
module: "crawl",
|
||||
wantItems: 1,
|
||||
},
|
||||
{
|
||||
value: &scan.PassiveResult{Subdomains: []string{"a.x.com"}, URLs: []string{"http://x/old"}},
|
||||
typed: &scan.PassiveResult{},
|
||||
module: "passive",
|
||||
wantItems: 2,
|
||||
},
|
||||
{
|
||||
value: &scan.ProbeResult{URL: "http://x", Alive: true, StatusCode: 200, Title: "home"},
|
||||
typed: &scan.ProbeResult{},
|
||||
module: "probe",
|
||||
wantItems: 1,
|
||||
},
|
||||
{
|
||||
value: scan.HeaderResults{{Name: "Server", Value: "nginx"}},
|
||||
typed: scan.HeaderResults{},
|
||||
module: "headers",
|
||||
wantItems: 1,
|
||||
},
|
||||
{
|
||||
value: scan.SecurityHeaderResults{{Header: "Content-Security-Policy", Present: false, Severity: "medium", Note: "missing"}},
|
||||
typed: scan.SecurityHeaderResults{},
|
||||
module: "security_headers",
|
||||
wantItems: 1,
|
||||
},
|
||||
{
|
||||
value: scan.DirectoryResults{{Url: "http://x/admin", StatusCode: 301, Size: 10, Words: 2}},
|
||||
typed: scan.DirectoryResults{},
|
||||
module: "dirlist",
|
||||
wantItems: 1,
|
||||
},
|
||||
{
|
||||
value: scan.CloudStorageResults{{BucketName: "x-assets", IsPublic: true}},
|
||||
typed: scan.CloudStorageResults{},
|
||||
module: "cloudstorage",
|
||||
wantItems: 1,
|
||||
},
|
||||
{
|
||||
value: scan.DorkResults{{Url: "http://x/leak", Count: 1}},
|
||||
typed: scan.DorkResults{},
|
||||
module: "dork",
|
||||
wantItems: 1,
|
||||
},
|
||||
{
|
||||
value: scan.SubdomainTakeoverResults{{Subdomain: "old.x.com", Vulnerable: true, Service: "GitHub Pages"}},
|
||||
typed: scan.SubdomainTakeoverResults{},
|
||||
module: "subdomain_takeover",
|
||||
wantItems: 1,
|
||||
},
|
||||
{
|
||||
value: &frameworks.FrameworkResult{Name: "Laravel", Version: "9.0", RiskLevel: "high", CVEs: []string{"CVE-2"}},
|
||||
typed: &frameworks.FrameworkResult{},
|
||||
module: "framework",
|
||||
wantItems: 1,
|
||||
},
|
||||
{
|
||||
value: &js.JavascriptScanResult{
|
||||
SecretMatches: []js.SecretMatch{{Rule: "aws-key", Match: "AKIA...", Source: "http://x/app.js"}},
|
||||
Endpoints: []string{"/api/v1"},
|
||||
},
|
||||
typed: &js.JavascriptScanResult{},
|
||||
module: "js",
|
||||
wantItems: 2,
|
||||
},
|
||||
{
|
||||
value: &modules.Result{ModuleID: "custom-mod", Target: "http://x", Findings: []modules.Finding{{URL: "http://x", Severity: "low", Evidence: "hit"}}},
|
||||
typed: &modules.Result{ModuleID: "custom-mod"},
|
||||
module: "custom-mod",
|
||||
wantItems: 1,
|
||||
},
|
||||
{
|
||||
// nuclei results aren't ScanResult-typed; they ride through the report
|
||||
// as a raw []ResultEvent, so cover that shape explicitly.
|
||||
value: []output.ResultEvent{{TemplateID: "t1", Host: "x", Matched: "http://x", Info: model.Info{Name: "n", SeverityHolder: severity.Holder{Severity: severity.High}}}},
|
||||
module: "nuclei",
|
||||
wantItems: 1,
|
||||
},
|
||||
{
|
||||
// dnslist/portscan/git all hand Flatten a bare []string keyed only by
|
||||
// the module argument.
|
||||
value: []string{"sub.x.com"},
|
||||
module: "dnslist",
|
||||
wantItems: 1,
|
||||
},
|
||||
}
|
||||
}
|
||||
|
||||
const target = "http://target.example"
|
||||
|
||||
// TestFlattenCoversEveryResultType is the guard: every result type in the
|
||||
// coverage table must flatten into the expected module without hitting the
|
||||
// "unhandled" fallback. a new scanner that skips both the table and Flatten's
|
||||
// switch trips this loudly.
|
||||
func TestFlattenCoversEveryResultType(t *testing.T) {
|
||||
for _, tc := range coverageCases() {
|
||||
findings := Flatten(target, tc.module, tc.value)
|
||||
|
||||
if len(findings) != tc.wantItems {
|
||||
t.Errorf("module %q: got %d findings, want %d", tc.module, len(findings), tc.wantItems)
|
||||
}
|
||||
for i := 0; i < len(findings); i++ {
|
||||
f := findings[i]
|
||||
if strings.HasSuffix(f.Key, keySep+"unhandled") {
|
||||
t.Errorf("module %q: Flatten has no case, fell through to unhandled (key=%q)", tc.module, f.Key)
|
||||
}
|
||||
if f.Target != target {
|
||||
t.Errorf("module %q: target=%q, want %q", tc.module, f.Target, target)
|
||||
}
|
||||
if f.Module != tc.module {
|
||||
t.Errorf("module %q: finding stamped module=%q, want %q", tc.module, f.Module, tc.module)
|
||||
}
|
||||
if f.Key == "" {
|
||||
t.Errorf("module %q: empty Key", tc.module)
|
||||
}
|
||||
if !strings.HasPrefix(f.Key, tc.module+keySep) {
|
||||
t.Errorf("module %q: Key %q not prefixed with module", tc.module, f.Key)
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
// TestEveryResultTypeIsInCoverageTable cross-checks the table against the actual
|
||||
// ResultType() registry: if a scanner type exists whose ResultType() isn't in
|
||||
// the table, the coverage guard above would never exercise it. enumerate the
|
||||
// known typed entries and assert each ResultType() string is present.
|
||||
func TestEveryResultTypeIsInCoverageTable(t *testing.T) {
|
||||
covered := make(map[string]struct{})
|
||||
for _, tc := range coverageCases() {
|
||||
if tc.typed == nil {
|
||||
continue
|
||||
}
|
||||
covered[tc.typed.ResultType()] = struct{}{}
|
||||
}
|
||||
|
||||
// the full set of ResultType() strings the scan tree exposes. keep this in
|
||||
// lockstep with the ScanResult implementers; a missing entry means the table
|
||||
// (and very likely Flatten) skipped a scanner.
|
||||
want := []string{
|
||||
"shodan", "sql", "lfi", "jwt", "openapi", "favicon", "cms", "securitytrails",
|
||||
"cors", "redirect", "xss", "crawl", "passive", "probe",
|
||||
"headers", "security_headers", "dirlist", "cloudstorage",
|
||||
"dork", "subdomain_takeover", "framework", "js", "custom-mod",
|
||||
}
|
||||
for _, rt := range want {
|
||||
if _, ok := covered[rt]; !ok {
|
||||
t.Errorf("ResultType %q has no entry in coverageCases; Flatten coverage unverified", rt)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
// TestFlattenStableKeysAndSeverities pins the keys and severities for a couple
|
||||
// of representative items so a refactor that quietly reshuffles them is caught.
|
||||
func TestFlattenStableKeysAndSeverities(t *testing.T) {
|
||||
tests := []struct {
|
||||
name string
|
||||
value any
|
||||
module string
|
||||
wantKey string
|
||||
wantSev Severity
|
||||
}{
|
||||
{
|
||||
name: "cors honors source severity",
|
||||
value: &scan.CORSResult{Findings: []scan.CORSFinding{{URL: "http://x", OriginTested: "null", AllowOrigin: "null", Severity: "high", Note: "n"}}},
|
||||
module: "cors",
|
||||
wantKey: "cors:http://x:null",
|
||||
wantSev: SeverityHigh,
|
||||
},
|
||||
{
|
||||
name: "public bucket is high",
|
||||
value: scan.CloudStorageResults{{BucketName: "b", IsPublic: true}},
|
||||
module: "cloudstorage",
|
||||
wantKey: "cloudstorage:b",
|
||||
wantSev: SeverityHigh,
|
||||
},
|
||||
{
|
||||
name: "header is recon info",
|
||||
value: scan.HeaderResults{{Name: "Server", Value: "nginx"}},
|
||||
module: "headers",
|
||||
wantKey: "headers:Server",
|
||||
wantSev: SeverityInfo,
|
||||
},
|
||||
{
|
||||
name: "vulnerable takeover is high",
|
||||
value: scan.SubdomainTakeoverResults{{Subdomain: "old.x.com", Vulnerable: true, Service: "GitHub Pages"}},
|
||||
module: "subdomain_takeover",
|
||||
wantKey: "subdomain_takeover:old.x.com",
|
||||
wantSev: SeverityHigh,
|
||||
},
|
||||
}
|
||||
for _, tt := range tests {
|
||||
t.Run(tt.name, func(t *testing.T) {
|
||||
findings := Flatten(target, tt.module, tt.value)
|
||||
if len(findings) != 1 {
|
||||
t.Fatalf("got %d findings, want 1", len(findings))
|
||||
}
|
||||
f := findings[0]
|
||||
if f.Key != tt.wantKey {
|
||||
t.Errorf("Key = %q, want %q", f.Key, tt.wantKey)
|
||||
}
|
||||
if f.Severity != tt.wantSev {
|
||||
t.Errorf("Severity = %v, want %v", f.Severity, tt.wantSev)
|
||||
}
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
// TestFlattenUnhandledTypeIsLoud asserts the fallback fires for a type Flatten
|
||||
// doesn't know - this is what makes the guard above meaningful.
|
||||
func TestFlattenUnhandledTypeIsLoud(t *testing.T) {
|
||||
type bogus struct{}
|
||||
findings := Flatten(target, "mystery", bogus{})
|
||||
if len(findings) != 1 {
|
||||
t.Fatalf("got %d findings, want 1 placeholder", len(findings))
|
||||
}
|
||||
if !strings.HasSuffix(findings[0].Key, keySep+"unhandled") {
|
||||
t.Errorf("unhandled type should key on :unhandled, got %q", findings[0].Key)
|
||||
}
|
||||
if findings[0].Severity != SeverityUnknown {
|
||||
t.Errorf("unhandled severity = %v, want SeverityUnknown", findings[0].Severity)
|
||||
}
|
||||
}
|
||||
|
||||
// TestSubdomainTakeoverSkipsSafe confirms a non-vulnerable cname produces no
|
||||
// finding; only the real takeover is a finding.
|
||||
func TestSubdomainTakeoverSkipsSafe(t *testing.T) {
|
||||
value := scan.SubdomainTakeoverResults{
|
||||
{Subdomain: "safe.x.com", Vulnerable: false},
|
||||
{Subdomain: "bad.x.com", Vulnerable: true, Service: "Heroku"},
|
||||
}
|
||||
findings := Flatten(target, "subdomain_takeover", value)
|
||||
if len(findings) != 1 {
|
||||
t.Fatalf("got %d findings, want 1 (only the vulnerable one)", len(findings))
|
||||
}
|
||||
if findings[0].Key != "subdomain_takeover:bad.x.com" {
|
||||
t.Errorf("Key = %q, want subdomain_takeover:bad.x.com", findings[0].Key)
|
||||
}
|
||||
}
|
||||
|
||||
// TestDeadProbeIsNotAFinding confirms a host that didn't answer yields nothing.
|
||||
func TestDeadProbeIsNotAFinding(t *testing.T) {
|
||||
findings := Flatten(target, "probe", &scan.ProbeResult{URL: "http://x", Alive: false})
|
||||
if len(findings) != 0 {
|
||||
t.Errorf("dead probe produced %d findings, want 0", len(findings))
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,48 @@
|
||||
/*
|
||||
·━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━·
|
||||
: :
|
||||
: █▀ █ █▀▀ · Blazing-fast pentesting suite :
|
||||
: ▄█ █ █▀ · BSD 3-Clause License :
|
||||
: :
|
||||
: (c) 2022-2026 vmfunc, xyzeva, :
|
||||
: lunchcat alumni & contributors :
|
||||
: :
|
||||
·━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━·
|
||||
*/
|
||||
|
||||
package finding
|
||||
|
||||
import "testing"
|
||||
|
||||
// Line is the -silent wire format; its shape is frozen, so pin it.
|
||||
func TestFindingLine(t *testing.T) {
|
||||
tests := []struct {
|
||||
name string
|
||||
f Finding
|
||||
want string
|
||||
}{
|
||||
{
|
||||
name: "high severity",
|
||||
f: Finding{Target: "https://x.com", Module: "sql", Severity: SeverityHigh, Title: "admin panel"},
|
||||
want: "[high] https://x.com sql admin panel",
|
||||
},
|
||||
{
|
||||
name: "info recon",
|
||||
f: Finding{Target: "https://y.com", Module: "headers", Severity: SeverityInfo, Title: "Server"},
|
||||
want: "[info] https://y.com headers Server",
|
||||
},
|
||||
{
|
||||
name: "unknown severity",
|
||||
f: Finding{Target: "z.com", Module: "mystery", Severity: SeverityUnknown, Title: "?"},
|
||||
want: "[unknown] z.com mystery ?",
|
||||
},
|
||||
}
|
||||
|
||||
for _, tt := range tests {
|
||||
t.Run(tt.name, func(t *testing.T) {
|
||||
if got := tt.f.Line(); got != tt.want {
|
||||
t.Errorf("Line() = %q, want %q", got, tt.want)
|
||||
}
|
||||
})
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,78 @@
|
||||
/*
|
||||
·━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━·
|
||||
: :
|
||||
: █▀ █ █▀▀ · Blazing-fast pentesting suite :
|
||||
: ▄█ █ █▀ · BSD 3-Clause License :
|
||||
: :
|
||||
: (c) 2022-2026 vmfunc, xyzeva, :
|
||||
: lunchcat alumni & contributors :
|
||||
: :
|
||||
·━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━·
|
||||
*/
|
||||
|
||||
package finding
|
||||
|
||||
import "strings"
|
||||
|
||||
// Severity is an ordered severity rank shared by every normalized finding.
|
||||
// the order matters: notify gates on a threshold and diff sorts by it, so the
|
||||
// underlying ints have to compare info < low < medium < high < critical.
|
||||
type Severity int
|
||||
|
||||
// severity ranks, lowest to highest. SeverityUnknown sorts below everything so
|
||||
// an unrecognized scanner string never silently outranks a real critical.
|
||||
const (
|
||||
SeverityUnknown Severity = iota
|
||||
SeverityInfo
|
||||
SeverityLow
|
||||
SeverityMedium
|
||||
SeverityHigh
|
||||
SeverityCritical
|
||||
)
|
||||
|
||||
// severityNames maps each rank to its canonical lowercase string. the wire
|
||||
// format scanners emit ("info"/"low"/...) round-trips through this table.
|
||||
var severityNames = map[Severity]string{
|
||||
SeverityUnknown: "unknown",
|
||||
SeverityInfo: "info",
|
||||
SeverityLow: "low",
|
||||
SeverityMedium: "medium",
|
||||
SeverityHigh: "high",
|
||||
SeverityCritical: "critical",
|
||||
}
|
||||
|
||||
// String renders the canonical lowercase name for the rank.
|
||||
func (s Severity) String() string {
|
||||
if name, ok := severityNames[s]; ok {
|
||||
return name
|
||||
}
|
||||
return severityNames[SeverityUnknown]
|
||||
}
|
||||
|
||||
// ParseSeverity maps a scanner's free-form severity string onto a rank. it's
|
||||
// case/space insensitive and folds the common synonyms ("informational",
|
||||
// "warning", "moderate") so the dozen scanners that each picked their own
|
||||
// spelling all land on the same ladder. an empty or unrecognized value is
|
||||
// SeverityUnknown rather than a guess.
|
||||
func ParseSeverity(raw string) Severity {
|
||||
switch strings.ToLower(strings.TrimSpace(raw)) {
|
||||
case "critical":
|
||||
return SeverityCritical
|
||||
case "high":
|
||||
return SeverityHigh
|
||||
case "medium", "moderate", "warning":
|
||||
return SeverityMedium
|
||||
case "low":
|
||||
return SeverityLow
|
||||
case "info", "informational", "information", "none":
|
||||
return SeverityInfo
|
||||
default:
|
||||
return SeverityUnknown
|
||||
}
|
||||
}
|
||||
|
||||
// AtLeast reports whether s is at or above threshold; notify uses it to drop
|
||||
// findings below the configured floor.
|
||||
func (s Severity) AtLeast(threshold Severity) bool {
|
||||
return s >= threshold
|
||||
}
|
||||
@@ -0,0 +1,84 @@
|
||||
/*
|
||||
·━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━·
|
||||
: :
|
||||
: █▀ █ █▀▀ · Blazing-fast pentesting suite :
|
||||
: ▄█ █ █▀ · BSD 3-Clause License :
|
||||
: :
|
||||
: (c) 2022-2026 vmfunc, xyzeva, :
|
||||
: lunchcat alumni & contributors :
|
||||
: :
|
||||
·━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━·
|
||||
*/
|
||||
|
||||
package finding
|
||||
|
||||
import "testing"
|
||||
|
||||
func TestParseSeverity(t *testing.T) {
|
||||
tests := []struct {
|
||||
in string
|
||||
want Severity
|
||||
}{
|
||||
{"critical", SeverityCritical},
|
||||
{"CRITICAL", SeverityCritical},
|
||||
{" high ", SeverityHigh},
|
||||
{"medium", SeverityMedium},
|
||||
{"moderate", SeverityMedium},
|
||||
{"warning", SeverityMedium},
|
||||
{"low", SeverityLow},
|
||||
{"info", SeverityInfo},
|
||||
{"informational", SeverityInfo},
|
||||
{"none", SeverityInfo},
|
||||
{"", SeverityUnknown},
|
||||
{"bogus", SeverityUnknown},
|
||||
}
|
||||
for _, tt := range tests {
|
||||
if got := ParseSeverity(tt.in); got != tt.want {
|
||||
t.Errorf("ParseSeverity(%q) = %v, want %v", tt.in, got, tt.want)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
func TestSeverityOrdering(t *testing.T) {
|
||||
// the ladder must be strictly increasing for AtLeast/sort to behave.
|
||||
ordered := []Severity{
|
||||
SeverityUnknown, SeverityInfo, SeverityLow,
|
||||
SeverityMedium, SeverityHigh, SeverityCritical,
|
||||
}
|
||||
for i := 1; i < len(ordered); i++ {
|
||||
if ordered[i-1] >= ordered[i] {
|
||||
t.Errorf("severity ladder not increasing at %d: %v !< %v", i, ordered[i-1], ordered[i])
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
func TestSeverityAtLeast(t *testing.T) {
|
||||
tests := []struct {
|
||||
sev Severity
|
||||
threshold Severity
|
||||
want bool
|
||||
}{
|
||||
{SeverityHigh, SeverityMedium, true},
|
||||
{SeverityMedium, SeverityMedium, true},
|
||||
{SeverityLow, SeverityMedium, false},
|
||||
{SeverityCritical, SeverityInfo, true},
|
||||
{SeverityUnknown, SeverityInfo, false},
|
||||
}
|
||||
for _, tt := range tests {
|
||||
if got := tt.sev.AtLeast(tt.threshold); got != tt.want {
|
||||
t.Errorf("%v.AtLeast(%v) = %v, want %v", tt.sev, tt.threshold, got, tt.want)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
func TestSeverityStringRoundTrip(t *testing.T) {
|
||||
// every named rank renders to a string ParseSeverity maps back to the same
|
||||
// rank, so the wire format is lossless for known severities.
|
||||
for _, sev := range []Severity{
|
||||
SeverityInfo, SeverityLow, SeverityMedium, SeverityHigh, SeverityCritical,
|
||||
} {
|
||||
if got := ParseSeverity(sev.String()); got != sev {
|
||||
t.Errorf("round-trip %v -> %q -> %v", sev, sev.String(), got)
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,56 @@
|
||||
/*
|
||||
·━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━·
|
||||
: :
|
||||
: █▀ █ █▀▀ · Blazing-fast pentesting suite :
|
||||
: ▄█ █ █▀ · BSD 3-Clause License :
|
||||
: :
|
||||
: (c) 2022-2026 vmfunc, xyzeva, :
|
||||
: lunchcat alumni & contributors :
|
||||
: :
|
||||
·━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━·
|
||||
*/
|
||||
|
||||
// Package fingerprint holds small response-fingerprinting primitives shared by
|
||||
// the scan checks and the module engine, so both compute identical values.
|
||||
package fingerprint
|
||||
|
||||
import (
|
||||
"encoding/base64"
|
||||
"strings"
|
||||
|
||||
"github.com/twmb/murmur3"
|
||||
)
|
||||
|
||||
// b64LineLen is python's base64.encodebytes line width. mmh3/shodan hash the
|
||||
// chunked base64 (newline every 76 chars, trailing newline), so we must wrap at
|
||||
// exactly this width to land on the same hash.
|
||||
const b64LineLen = 76
|
||||
|
||||
// FaviconHash computes shodan's favicon hash: murmur3 32-bit over the python
|
||||
// base64.encodebytes encoding of the raw icon (newline every 76 chars plus a
|
||||
// trailing newline), reinterpreted as a signed int32 (both load-bearing, golden-pinned).
|
||||
func FaviconHash(data []byte) int32 {
|
||||
encoded := encodeFaviconBase64(data)
|
||||
return int32(murmur3.Sum32(encoded)) //nolint:gosec // shodan stores the signed reinterpretation on purpose
|
||||
}
|
||||
|
||||
// encodeFaviconBase64 mirrors python's base64.encodebytes: standard base64 with
|
||||
// a newline inserted every 76 output characters and a trailing newline. this is
|
||||
// the exact byte stream shodan feeds to mmh3, so it must match byte-for-byte.
|
||||
func encodeFaviconBase64(data []byte) []byte {
|
||||
raw := base64.StdEncoding.EncodeToString(data)
|
||||
|
||||
var b strings.Builder
|
||||
// final size: the base64 body plus one '\n' per (full or partial) 76-char
|
||||
// line. preallocate so the builder never regrows mid-loop.
|
||||
b.Grow(len(raw) + len(raw)/b64LineLen + 1)
|
||||
for i := 0; i < len(raw); i += b64LineLen {
|
||||
end := i + b64LineLen
|
||||
if end > len(raw) {
|
||||
end = len(raw)
|
||||
}
|
||||
b.WriteString(raw[i:end])
|
||||
b.WriteByte('\n')
|
||||
}
|
||||
return []byte(b.String())
|
||||
}
|
||||
@@ -0,0 +1,68 @@
|
||||
/*
|
||||
·━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━·
|
||||
: :
|
||||
: █▀ █ █▀▀ · Blazing-fast pentesting suite :
|
||||
: ▄█ █ █▀ · BSD 3-Clause License :
|
||||
: :
|
||||
: (c) 2022-2026 vmfunc, xyzeva, :
|
||||
: lunchcat alumni & contributors :
|
||||
: :
|
||||
·━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━·
|
||||
*/
|
||||
|
||||
package fingerprint
|
||||
|
||||
import (
|
||||
"strings"
|
||||
"testing"
|
||||
)
|
||||
|
||||
// goldenFaviconBytes is a fixed payload long enough to span multiple base64
|
||||
// lines, so the python-style 76-char chunking is actually exercised by the hash.
|
||||
var goldenFaviconBytes = []byte(strings.Repeat("sif-favicon-golden-test-bytes-", 8))
|
||||
|
||||
// goldenFaviconHash is the pinned shodan mmh3 hash of goldenFaviconBytes: the python
|
||||
// base64.encodebytes byte stream (76-char lines + trailing newline) through murmur3-32,
|
||||
// reinterpreted as a signed int32. if the chunking or signedness regress, this test fails.
|
||||
const goldenFaviconHash int32 = -1554620260
|
||||
|
||||
// goldenHelloHash pins a short single-line case so a regression in the trailing
|
||||
// newline (which the small case still has) is caught independently.
|
||||
const goldenHelloHash int32 = 1155597304
|
||||
|
||||
func TestFaviconHashGolden(t *testing.T) {
|
||||
tests := []struct {
|
||||
name string
|
||||
in []byte
|
||||
want int32
|
||||
}{
|
||||
{name: "multi-line fixture", in: goldenFaviconBytes, want: goldenFaviconHash},
|
||||
{name: "single-line hello", in: []byte("hello"), want: goldenHelloHash},
|
||||
}
|
||||
for _, tt := range tests {
|
||||
t.Run(tt.name, func(t *testing.T) {
|
||||
if got := FaviconHash(tt.in); got != tt.want {
|
||||
t.Errorf("FaviconHash = %d, want %d", got, tt.want)
|
||||
}
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
// TestFaviconBase64Chunking pins the encode step against python's
|
||||
// base64.encodebytes: a 60-byte input encodes to 80 base64 chars, so it must
|
||||
// wrap into two newline-terminated lines.
|
||||
func TestFaviconBase64Chunking(t *testing.T) {
|
||||
in := []byte(strings.Repeat("A", 60))
|
||||
got := string(encodeFaviconBase64(in))
|
||||
|
||||
lines := strings.Split(strings.TrimRight(got, "\n"), "\n")
|
||||
if len(lines) != 2 {
|
||||
t.Fatalf("expected 2 wrapped lines, got %d: %q", len(lines), got)
|
||||
}
|
||||
if len(lines[0]) != b64LineLen {
|
||||
t.Errorf("first line = %d chars, want %d", len(lines[0]), b64LineLen)
|
||||
}
|
||||
if !strings.HasSuffix(got, "\n") {
|
||||
t.Errorf("encoding must end in a trailing newline, got %q", got)
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,354 @@
|
||||
/*
|
||||
·━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━·
|
||||
: :
|
||||
: █▀ █ █▀▀ · Blazing-fast pentesting suite :
|
||||
: ▄█ █ █▀ · BSD 3-Clause License :
|
||||
: :
|
||||
: (c) 2022-2026 vmfunc, xyzeva, :
|
||||
: lunchcat alumni & contributors :
|
||||
: :
|
||||
·━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━·
|
||||
*/
|
||||
|
||||
// Package httpx is the shared http layer every scanner talks through, so a
|
||||
// single Configure call wires proxy, custom headers, cookies and rate limiting
|
||||
// into every outbound request without touching scanner signatures.
|
||||
package httpx
|
||||
|
||||
import (
|
||||
"context"
|
||||
"fmt"
|
||||
"io"
|
||||
"net"
|
||||
"net/http"
|
||||
"net/url"
|
||||
"strconv"
|
||||
"strings"
|
||||
"sync"
|
||||
"time"
|
||||
|
||||
"golang.org/x/net/proxy"
|
||||
"golang.org/x/time/rate"
|
||||
)
|
||||
|
||||
// allowed proxy schemes
|
||||
const (
|
||||
schemeHTTP = "http"
|
||||
schemeHTTPS = "https"
|
||||
schemeSOCKS5 = "socks5"
|
||||
)
|
||||
|
||||
// a header is "Key: Value"; this is the separator between the two halves.
|
||||
const headerSep = ": "
|
||||
|
||||
// burst lets the limiter absorb a small spike before pacing kicks in; a burst
|
||||
// equal to the per-second rate keeps the cap honest over any one-second window.
|
||||
const limiterBurstPerRate = 1
|
||||
|
||||
// transport pool tuning. go's default transport caps idle conns per host at 2
|
||||
// and reuse only kicks in once a response body is fully drained, so without
|
||||
// these a high thread count just thrashes the dialer instead of pooling.
|
||||
const (
|
||||
// total idle conns kept warm across every host we hit in a run.
|
||||
maxIdleConns = 512
|
||||
// floor for per-host idle conns so a single-target run still pools even
|
||||
// when the thread count is tiny.
|
||||
minIdleConnsPerHost = 8
|
||||
// how long an idle conn lingers before the pool reaps it.
|
||||
idleConnTimeout = 90 * time.Second
|
||||
// keepalive probe interval for live conns; mirrors go's default dialer so
|
||||
// the socks5 branch doesn't silently lose os-level keepalive.
|
||||
dialKeepAlive = 30 * time.Second
|
||||
// dial timeout for the socks5 branch; matches go's default dialer.
|
||||
dialTimeout = 30 * time.Second
|
||||
)
|
||||
|
||||
// drainCap bounds how much of an unread body DrainClose will copy before
|
||||
// closing; a body larger than this isn't worth slurping just to reuse the
|
||||
// conn, so we cap the read and let the conn be discarded instead.
|
||||
const drainCap = 16 << 10
|
||||
|
||||
// Options carries the runtime knobs that apply to every outbound request.
|
||||
// RateLimit is requests/sec (0 = unlimited); Headers are "Key: Value" strings.
|
||||
type Options struct {
|
||||
Proxy string
|
||||
Headers []string
|
||||
Cookie string
|
||||
UserAgent string
|
||||
RateLimit int
|
||||
// MaxRetries is how many 429/503 responses to retry with backoff (0 = off).
|
||||
MaxRetries int
|
||||
// Threads is the scan worker count; it sizes the per-host idle pool so
|
||||
// concurrent workers hitting one target reuse conns instead of dialing fresh.
|
||||
Threads int
|
||||
}
|
||||
|
||||
// configured holds the package-level transport built once by Configure. nil
|
||||
// means Configure was never called, so Client falls back to a plain client.
|
||||
var (
|
||||
mu sync.RWMutex
|
||||
configured http.RoundTripper
|
||||
)
|
||||
|
||||
// Configure builds the shared transport once at startup from opts. Calling it
|
||||
// again replaces the previous configuration.
|
||||
//
|
||||
//nolint:gocritic // signature is the package's stable startup api; called once.
|
||||
func Configure(opts Options) error {
|
||||
base, err := buildTransport(opts.Proxy, opts.Threads)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
headers, err := parseHeaders(opts.Headers)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
var limiter *rate.Limiter
|
||||
if opts.RateLimit > 0 {
|
||||
limiter = rate.NewLimiter(rate.Limit(opts.RateLimit), opts.RateLimit*limiterBurstPerRate)
|
||||
}
|
||||
|
||||
rt := &roundTripper{
|
||||
base: base,
|
||||
headers: headers,
|
||||
cookie: opts.Cookie,
|
||||
userAgent: opts.UserAgent,
|
||||
limiter: limiter,
|
||||
maxRetries: opts.MaxRetries,
|
||||
}
|
||||
|
||||
mu.Lock()
|
||||
configured = rt
|
||||
mu.Unlock()
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
// Client returns an http client wired to the configured transport. It works
|
||||
// before Configure is ever called (plain transport) so existing code and tests
|
||||
// behave unchanged. A zero timeout means no timeout, matching http.Client.
|
||||
func Client(timeout time.Duration) *http.Client {
|
||||
mu.RLock()
|
||||
rt := configured
|
||||
mu.RUnlock()
|
||||
|
||||
return &http.Client{Timeout: timeout, Transport: rt}
|
||||
}
|
||||
|
||||
// buildTransport clones the default transport, tunes its pool for the worker
|
||||
// count and applies the proxy. An empty proxy leaves the default behavior
|
||||
// (respects HTTP_PROXY env) intact.
|
||||
func buildTransport(proxyURL string, threads int) (*http.Transport, error) {
|
||||
tr, ok := http.DefaultTransport.(*http.Transport)
|
||||
if !ok {
|
||||
// unreachable in practice, but never trust an assertion silently.
|
||||
return nil, fmt.Errorf("default transport is not *http.Transport")
|
||||
}
|
||||
transport := tr.Clone()
|
||||
|
||||
// size the idle pool so every worker can keep its conn warm. per-host idle
|
||||
// must clear the thread count or workers past the cap re-dial each request;
|
||||
// MaxConnsPerHost stays 0 (unbounded) so the limiter, not the pool, paces us.
|
||||
transport.MaxIdleConns = maxIdleConns
|
||||
transport.MaxIdleConnsPerHost = idlePerHost(threads)
|
||||
transport.MaxConnsPerHost = 0
|
||||
transport.IdleConnTimeout = idleConnTimeout
|
||||
transport.ForceAttemptHTTP2 = true
|
||||
|
||||
if proxyURL == "" {
|
||||
return transport, nil
|
||||
}
|
||||
|
||||
parsed, err := url.Parse(proxyURL)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("parse proxy url %q: %w", proxyURL, err)
|
||||
}
|
||||
|
||||
switch parsed.Scheme {
|
||||
case schemeHTTP, schemeHTTPS:
|
||||
transport.Proxy = http.ProxyURL(parsed)
|
||||
case schemeSOCKS5:
|
||||
// socks5 needs a custom dialer. proxy.SOCKS5 takes a forward dialer, so
|
||||
// hand it our own net.Dialer with keepalive set - the default
|
||||
// proxy.Direct has none, which would kill os-level conn pooling.
|
||||
fwd := &net.Dialer{Timeout: dialTimeout, KeepAlive: dialKeepAlive}
|
||||
dialer, err := proxy.SOCKS5("tcp", parsed.Host, nil, fwd)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("socks5 proxy %q: %w", proxyURL, err)
|
||||
}
|
||||
ctxDialer, ok := dialer.(proxy.ContextDialer)
|
||||
if !ok {
|
||||
return nil, fmt.Errorf("socks5 proxy %q: dialer lacks context support", proxyURL)
|
||||
}
|
||||
transport.DialContext = ctxDialer.DialContext
|
||||
default:
|
||||
return nil, fmt.Errorf("unsupported proxy scheme %q (want http/https/socks5)", parsed.Scheme)
|
||||
}
|
||||
|
||||
return transport, nil
|
||||
}
|
||||
|
||||
// idlePerHost picks the per-host idle pool size: at least the worker count so
|
||||
// no worker re-dials, never below the floor so a small thread count still pools.
|
||||
func idlePerHost(threads int) int {
|
||||
if threads < minIdleConnsPerHost {
|
||||
return minIdleConnsPerHost
|
||||
}
|
||||
return threads
|
||||
}
|
||||
|
||||
// DrainClose fully reads (up to drainCap) and closes resp.Body. go only returns
|
||||
// a conn to the idle pool when the body is read to EOF, so a caller that only
|
||||
// closes leaks the conn and forces a fresh dial next time. Call this instead of
|
||||
// a bare resp.Body.Close() to keep the pool warm. Safe on a nil response.
|
||||
func DrainClose(resp *http.Response) {
|
||||
if resp == nil || resp.Body == nil {
|
||||
return
|
||||
}
|
||||
// the read result is intentionally ignored: we're discarding the body and
|
||||
// about to close it, so a copy error changes nothing we can act on.
|
||||
_, _ = io.Copy(io.Discard, io.LimitReader(resp.Body, drainCap))
|
||||
resp.Body.Close()
|
||||
}
|
||||
|
||||
// parseHeaders splits each "Key: Value" entry on the first ": ". Entries
|
||||
// without the separator are rejected so a typo fails loud instead of silently.
|
||||
// The returned map is always non-nil so callers can range it unconditionally.
|
||||
func parseHeaders(raw []string) (map[string]string, error) {
|
||||
headers := make(map[string]string, len(raw))
|
||||
for i := 0; i < len(raw); i++ {
|
||||
key, value, ok := strings.Cut(raw[i], headerSep)
|
||||
if !ok {
|
||||
return nil, fmt.Errorf("invalid header %q (want \"Key: Value\")", raw[i])
|
||||
}
|
||||
headers[key] = value
|
||||
}
|
||||
|
||||
return headers, nil
|
||||
}
|
||||
|
||||
// roundTripper paces and decorates each request before delegating to base.
|
||||
type roundTripper struct {
|
||||
base *http.Transport
|
||||
headers map[string]string
|
||||
cookie string
|
||||
userAgent string
|
||||
limiter *rate.Limiter
|
||||
maxRetries int
|
||||
}
|
||||
|
||||
func (rt *roundTripper) RoundTrip(req *http.Request) (*http.Response, error) {
|
||||
// only set what the caller hasn't already; a scanner that explicitly sets a
|
||||
// header (e.g. an api key) must win over the global default.
|
||||
for key, value := range rt.headers {
|
||||
if req.Header.Get(key) == "" {
|
||||
req.Header.Set(key, value)
|
||||
}
|
||||
}
|
||||
if rt.cookie != "" && req.Header.Get("Cookie") == "" {
|
||||
req.Header.Set("Cookie", rt.cookie)
|
||||
}
|
||||
if rt.userAgent != "" && req.Header.Get("User-Agent") == "" {
|
||||
req.Header.Set("User-Agent", rt.userAgent)
|
||||
}
|
||||
|
||||
for attempt := 0; ; attempt++ {
|
||||
if rt.limiter != nil {
|
||||
if err := rt.limiter.Wait(req.Context()); err != nil {
|
||||
return nil, fmt.Errorf("rate limiter: %w", err)
|
||||
}
|
||||
}
|
||||
|
||||
resp, err := rt.base.RoundTrip(req)
|
||||
if err != nil || attempt >= rt.maxRetries || !retryableStatus(resp.StatusCode) {
|
||||
return resp, err
|
||||
}
|
||||
|
||||
// back off and retry, unless the body can't be replayed.
|
||||
if !rewind(req) {
|
||||
return resp, nil
|
||||
}
|
||||
wait := retryAfter(resp, attempt)
|
||||
DrainClose(resp)
|
||||
|
||||
if err := sleepCtx(req.Context(), wait); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
func retryableStatus(code int) bool {
|
||||
return code == http.StatusTooManyRequests || code == http.StatusServiceUnavailable
|
||||
}
|
||||
|
||||
const (
|
||||
retryAfterCap = 20 * time.Second
|
||||
retryBackoffBase = 500 * time.Millisecond
|
||||
// clamp the shift so a large -max-retries can't overflow the duration.
|
||||
retryBackoffMaxShift = 16
|
||||
)
|
||||
|
||||
// retryAfter honors a Retry-After header (delta-seconds or HTTP-date) and
|
||||
// otherwise falls back to capped exponential backoff.
|
||||
func retryAfter(resp *http.Response, attempt int) time.Duration {
|
||||
if v := strings.TrimSpace(resp.Header.Get("Retry-After")); v != "" {
|
||||
if secs, err := strconv.Atoi(v); err == nil && secs >= 0 {
|
||||
return capDuration(time.Duration(secs) * time.Second)
|
||||
}
|
||||
if t, err := http.ParseTime(v); err == nil {
|
||||
return capDuration(time.Until(t))
|
||||
}
|
||||
}
|
||||
shift := attempt
|
||||
if shift > retryBackoffMaxShift {
|
||||
shift = retryBackoffMaxShift
|
||||
}
|
||||
return capDuration(retryBackoffBase << shift)
|
||||
}
|
||||
|
||||
// capDuration clamps d to [0, retryAfterCap].
|
||||
func capDuration(d time.Duration) time.Duration {
|
||||
switch {
|
||||
case d < 0:
|
||||
return 0
|
||||
case d > retryAfterCap:
|
||||
return retryAfterCap
|
||||
default:
|
||||
return d
|
||||
}
|
||||
}
|
||||
|
||||
// rewind restores req.Body for a resend. Only a GetBody-backed body (set by
|
||||
// net/http for the in-memory bodies sif uses) is replayable; a nil or NoBody
|
||||
// request needs nothing, anything else can't be retried.
|
||||
func rewind(req *http.Request) bool {
|
||||
if req.Body == nil || req.Body == http.NoBody {
|
||||
return true
|
||||
}
|
||||
if req.GetBody == nil {
|
||||
return false
|
||||
}
|
||||
body, err := req.GetBody()
|
||||
if err != nil {
|
||||
return false
|
||||
}
|
||||
req.Body = body
|
||||
return true
|
||||
}
|
||||
|
||||
// sleepCtx waits for d or until ctx is cancelled, whichever comes first.
|
||||
func sleepCtx(ctx context.Context, d time.Duration) error {
|
||||
if d <= 0 {
|
||||
return nil
|
||||
}
|
||||
timer := time.NewTimer(d)
|
||||
defer timer.Stop()
|
||||
select {
|
||||
case <-ctx.Done():
|
||||
return ctx.Err()
|
||||
case <-timer.C:
|
||||
return nil
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,717 @@
|
||||
/*
|
||||
·━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━·
|
||||
: :
|
||||
: █▀ █ █▀▀ · Blazing-fast pentesting suite :
|
||||
: ▄█ █ █▀ · BSD 3-Clause License :
|
||||
: :
|
||||
: (c) 2022-2026 vmfunc, xyzeva, :
|
||||
: lunchcat alumni & contributors :
|
||||
: :
|
||||
·━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━·
|
||||
*/
|
||||
|
||||
package httpx
|
||||
|
||||
import (
|
||||
"context"
|
||||
"io"
|
||||
"net"
|
||||
"net/http"
|
||||
"net/http/httptest"
|
||||
"strings"
|
||||
"sync"
|
||||
"sync/atomic"
|
||||
"testing"
|
||||
"time"
|
||||
)
|
||||
|
||||
// resetConfig clears the package-level transport so each test starts clean.
|
||||
func resetConfig(t *testing.T) {
|
||||
t.Helper()
|
||||
mu.Lock()
|
||||
configured = nil
|
||||
mu.Unlock()
|
||||
}
|
||||
|
||||
// captureServer records the headers of the last request it served.
|
||||
func captureServer(t *testing.T, seen *http.Header) *httptest.Server {
|
||||
t.Helper()
|
||||
srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||
*seen = r.Header.Clone()
|
||||
w.WriteHeader(http.StatusOK)
|
||||
}))
|
||||
t.Cleanup(srv.Close)
|
||||
return srv
|
||||
}
|
||||
|
||||
func get(t *testing.T, client *http.Client, url string) {
|
||||
t.Helper()
|
||||
req, err := http.NewRequestWithContext(context.Background(), http.MethodGet, url, http.NoBody)
|
||||
if err != nil {
|
||||
t.Fatalf("new request: %v", err)
|
||||
}
|
||||
resp, err := client.Do(req)
|
||||
if err != nil {
|
||||
t.Fatalf("do request: %v", err)
|
||||
}
|
||||
resp.Body.Close()
|
||||
}
|
||||
|
||||
func TestClientBeforeConfigure(t *testing.T) {
|
||||
resetConfig(t)
|
||||
|
||||
var seen http.Header
|
||||
srv := captureServer(t, &seen)
|
||||
|
||||
// a client must work with no Configure call so existing code is unaffected.
|
||||
get(t, Client(5*time.Second), srv.URL)
|
||||
|
||||
if seen == nil {
|
||||
t.Fatal("request never reached the server")
|
||||
}
|
||||
}
|
||||
|
||||
func TestConfigureHeadersAndCookie(t *testing.T) {
|
||||
tests := []struct {
|
||||
name string
|
||||
opts Options
|
||||
wantKey string
|
||||
wantValue string
|
||||
}{
|
||||
{
|
||||
name: "custom header injected",
|
||||
opts: Options{Headers: []string{"X-Test: sif"}},
|
||||
wantKey: "X-Test",
|
||||
wantValue: "sif",
|
||||
},
|
||||
{
|
||||
name: "cookie injected",
|
||||
opts: Options{Cookie: "session=abc"},
|
||||
wantKey: "Cookie",
|
||||
wantValue: "session=abc",
|
||||
},
|
||||
{
|
||||
name: "user agent injected",
|
||||
opts: Options{UserAgent: "sif-scanner"},
|
||||
wantKey: "User-Agent",
|
||||
wantValue: "sif-scanner",
|
||||
},
|
||||
}
|
||||
|
||||
for _, tt := range tests {
|
||||
t.Run(tt.name, func(t *testing.T) {
|
||||
resetConfig(t)
|
||||
|
||||
if err := Configure(tt.opts); err != nil {
|
||||
t.Fatalf("Configure: %v", err)
|
||||
}
|
||||
|
||||
var seen http.Header
|
||||
srv := captureServer(t, &seen)
|
||||
get(t, Client(5*time.Second), srv.URL)
|
||||
|
||||
if got := seen.Get(tt.wantKey); got != tt.wantValue {
|
||||
t.Errorf("header %q = %q, want %q", tt.wantKey, got, tt.wantValue)
|
||||
}
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
func TestConfigureHeaderDoesNotOverride(t *testing.T) {
|
||||
resetConfig(t)
|
||||
|
||||
if err := Configure(Options{Headers: []string{"X-Test: global"}}); err != nil {
|
||||
t.Fatalf("Configure: %v", err)
|
||||
}
|
||||
|
||||
var seen http.Header
|
||||
srv := captureServer(t, &seen)
|
||||
|
||||
// a caller that sets the header explicitly must win over the global default.
|
||||
req, err := http.NewRequestWithContext(context.Background(), http.MethodGet, srv.URL, http.NoBody)
|
||||
if err != nil {
|
||||
t.Fatalf("new request: %v", err)
|
||||
}
|
||||
req.Header.Set("X-Test", "caller")
|
||||
resp, err := Client(5 * time.Second).Do(req)
|
||||
if err != nil {
|
||||
t.Fatalf("do request: %v", err)
|
||||
}
|
||||
resp.Body.Close()
|
||||
|
||||
if got := seen.Get("X-Test"); got != "caller" {
|
||||
t.Errorf("X-Test = %q, want caller (caller value must not be overridden)", got)
|
||||
}
|
||||
}
|
||||
|
||||
func TestConfigureInvalidHeader(t *testing.T) {
|
||||
resetConfig(t)
|
||||
|
||||
// a header without ": " should fail loud rather than silently dropping.
|
||||
if err := Configure(Options{Headers: []string{"missing-separator"}}); err == nil {
|
||||
t.Fatal("expected error for malformed header, got nil")
|
||||
}
|
||||
}
|
||||
|
||||
func TestConfigureInvalidProxy(t *testing.T) {
|
||||
tests := []struct {
|
||||
name string
|
||||
proxy string
|
||||
}{
|
||||
{name: "unsupported scheme", proxy: "ftp://localhost:1080"},
|
||||
{name: "malformed url", proxy: "://nope"},
|
||||
}
|
||||
|
||||
for _, tt := range tests {
|
||||
t.Run(tt.name, func(t *testing.T) {
|
||||
resetConfig(t)
|
||||
if err := Configure(Options{Proxy: tt.proxy}); err == nil {
|
||||
t.Errorf("expected error for proxy %q, got nil", tt.proxy)
|
||||
}
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
func TestRateLimit(t *testing.T) {
|
||||
resetConfig(t)
|
||||
|
||||
const ratePerSec = 5
|
||||
if err := Configure(Options{RateLimit: ratePerSec}); err != nil {
|
||||
t.Fatalf("Configure: %v", err)
|
||||
}
|
||||
|
||||
var seen http.Header
|
||||
srv := captureServer(t, &seen)
|
||||
client := Client(5 * time.Second)
|
||||
|
||||
// at 5 req/s the limiter starts with a full burst, so the first batch is
|
||||
// immediate and the next request must wait roughly one tick. fire burst+1
|
||||
// requests and assert the extra one forced a measurable delay.
|
||||
const requests = ratePerSec + 1
|
||||
start := time.Now()
|
||||
for i := 0; i < requests; i++ {
|
||||
get(t, client, srv.URL)
|
||||
}
|
||||
elapsed := time.Since(start)
|
||||
|
||||
// one request beyond the burst should cost about 1/rate; allow slack but
|
||||
// require a non-trivial delay so an unthrottled client fails this.
|
||||
minDelay := time.Second / ratePerSec / 2
|
||||
if elapsed < minDelay {
|
||||
t.Errorf("expected rate limiting to add >= %v of delay, got %v", minDelay, elapsed)
|
||||
}
|
||||
}
|
||||
|
||||
func TestRateLimitUnlimited(t *testing.T) {
|
||||
resetConfig(t)
|
||||
|
||||
// RateLimit 0 means no limiter is installed; requests should fly through.
|
||||
if err := Configure(Options{RateLimit: 0}); err != nil {
|
||||
t.Fatalf("Configure: %v", err)
|
||||
}
|
||||
|
||||
mu.RLock()
|
||||
rt, ok := configured.(*roundTripper)
|
||||
mu.RUnlock()
|
||||
if !ok {
|
||||
t.Fatal("configured transport is not *roundTripper")
|
||||
}
|
||||
if rt.limiter != nil {
|
||||
t.Error("expected no limiter when RateLimit is 0")
|
||||
}
|
||||
}
|
||||
|
||||
func TestIdlePerHost(t *testing.T) {
|
||||
tests := []struct {
|
||||
name string
|
||||
threads int
|
||||
want int
|
||||
}{
|
||||
{name: "below floor clamps up", threads: 1, want: minIdleConnsPerHost},
|
||||
{name: "zero clamps up", threads: 0, want: minIdleConnsPerHost},
|
||||
{name: "at floor", threads: minIdleConnsPerHost, want: minIdleConnsPerHost},
|
||||
{name: "above floor passes through", threads: 64, want: 64},
|
||||
}
|
||||
|
||||
for _, tt := range tests {
|
||||
t.Run(tt.name, func(t *testing.T) {
|
||||
if got := idlePerHost(tt.threads); got != tt.want {
|
||||
t.Errorf("idlePerHost(%d) = %d, want %d", tt.threads, got, tt.want)
|
||||
}
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
func TestBuildTransportTuning(t *testing.T) {
|
||||
const threads = 32
|
||||
tr, err := buildTransport("", threads)
|
||||
if err != nil {
|
||||
t.Fatalf("buildTransport: %v", err)
|
||||
}
|
||||
|
||||
if tr.MaxIdleConns != maxIdleConns {
|
||||
t.Errorf("MaxIdleConns = %d, want %d", tr.MaxIdleConns, maxIdleConns)
|
||||
}
|
||||
if tr.MaxIdleConnsPerHost != threads {
|
||||
t.Errorf("MaxIdleConnsPerHost = %d, want %d", tr.MaxIdleConnsPerHost, threads)
|
||||
}
|
||||
if tr.MaxConnsPerHost != 0 {
|
||||
t.Errorf("MaxConnsPerHost = %d, want 0 (unbounded)", tr.MaxConnsPerHost)
|
||||
}
|
||||
if tr.IdleConnTimeout != idleConnTimeout {
|
||||
t.Errorf("IdleConnTimeout = %v, want %v", tr.IdleConnTimeout, idleConnTimeout)
|
||||
}
|
||||
if !tr.ForceAttemptHTTP2 {
|
||||
t.Error("ForceAttemptHTTP2 = false, want true")
|
||||
}
|
||||
}
|
||||
|
||||
func TestDrainClose(t *testing.T) {
|
||||
resetConfig(t)
|
||||
|
||||
// serve a body the caller never reads; DrainClose must drain it so the conn
|
||||
// is eligible for reuse rather than abandoned mid-stream.
|
||||
const body = "sif response body that the caller never reads"
|
||||
srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
|
||||
w.WriteHeader(http.StatusOK)
|
||||
io.WriteString(w, body)
|
||||
}))
|
||||
t.Cleanup(srv.Close)
|
||||
|
||||
req, err := http.NewRequestWithContext(context.Background(), http.MethodGet, srv.URL, http.NoBody)
|
||||
if err != nil {
|
||||
t.Fatalf("new request: %v", err)
|
||||
}
|
||||
resp, err := Client(5 * time.Second).Do(req)
|
||||
if err != nil {
|
||||
t.Fatalf("do request: %v", err)
|
||||
}
|
||||
|
||||
DrainClose(resp)
|
||||
|
||||
// after DrainClose the body is closed; a further read must fail.
|
||||
if _, err := resp.Body.Read(make([]byte, 1)); err == nil {
|
||||
t.Error("expected read after DrainClose to fail on a closed body")
|
||||
}
|
||||
}
|
||||
|
||||
func TestDrainCloseNil(t *testing.T) {
|
||||
// a nil response (e.g. an errored request) must not panic.
|
||||
DrainClose(nil)
|
||||
DrainClose(&http.Response{})
|
||||
}
|
||||
|
||||
// countConns wraps a test server with a ConnState hook that tallies how many
|
||||
// distinct tcp conns the server saw. distinct conns == failed reuse.
|
||||
func countConns(t *testing.T) (*httptest.Server, func() int) {
|
||||
t.Helper()
|
||||
|
||||
var (
|
||||
mu sync.Mutex
|
||||
conns = make(map[net.Conn]struct{})
|
||||
)
|
||||
srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
|
||||
// always write a body so reuse depends on the caller draining it.
|
||||
io.WriteString(w, "ok")
|
||||
}))
|
||||
srv.Config.ConnState = func(c net.Conn, state http.ConnState) {
|
||||
if state != http.StateNew {
|
||||
return
|
||||
}
|
||||
mu.Lock()
|
||||
conns[c] = struct{}{}
|
||||
mu.Unlock()
|
||||
}
|
||||
srv.Start()
|
||||
t.Cleanup(srv.Close)
|
||||
|
||||
return srv, func() int {
|
||||
mu.Lock()
|
||||
defer mu.Unlock()
|
||||
return len(conns)
|
||||
}
|
||||
}
|
||||
|
||||
func TestTransportReusesConnections(t *testing.T) {
|
||||
resetConfig(t)
|
||||
|
||||
const (
|
||||
threads = 8
|
||||
requests = 30
|
||||
)
|
||||
if err := Configure(Options{Threads: threads}); err != nil {
|
||||
t.Fatalf("Configure: %v", err)
|
||||
}
|
||||
|
||||
srv, distinct := countConns(t)
|
||||
|
||||
// fire N sequential requests through the tuned client, draining each body so
|
||||
// the conn returns to the pool. a working pool serves all of them on one conn.
|
||||
client := Client(5 * time.Second)
|
||||
for i := 0; i < requests; i++ {
|
||||
req, err := http.NewRequestWithContext(context.Background(), http.MethodGet, srv.URL, http.NoBody)
|
||||
if err != nil {
|
||||
t.Fatalf("new request %d: %v", i, err)
|
||||
}
|
||||
resp, err := client.Do(req)
|
||||
if err != nil {
|
||||
t.Fatalf("do request %d: %v", i, err)
|
||||
}
|
||||
DrainClose(resp)
|
||||
}
|
||||
|
||||
// sequential reuse should land on exactly one conn; allow a tiny margin for
|
||||
// the rare race where a conn is reaped between requests.
|
||||
const maxReuseConns = 2
|
||||
if got := distinct(); got > maxReuseConns {
|
||||
t.Errorf("tuned client opened %d conns for %d requests, want <= %d (pool not reusing)",
|
||||
got, requests, maxReuseConns)
|
||||
}
|
||||
}
|
||||
|
||||
func TestBareClientDoesNotReuse(t *testing.T) {
|
||||
srv, distinct := countConns(t)
|
||||
|
||||
// the control: a bare DefaultTransport client whose caller closes but never
|
||||
// drains the body. go can't reuse a half-read conn, so each request dials
|
||||
// fresh - this is exactly the pre-tuning behavior we're fixing.
|
||||
client := &http.Client{
|
||||
Timeout: 5 * time.Second,
|
||||
Transport: http.DefaultTransport.(*http.Transport).Clone(),
|
||||
}
|
||||
|
||||
const requests = 30
|
||||
for i := 0; i < requests; i++ {
|
||||
req, err := http.NewRequestWithContext(context.Background(), http.MethodGet, srv.URL, http.NoBody)
|
||||
if err != nil {
|
||||
t.Fatalf("new request %d: %v", i, err)
|
||||
}
|
||||
resp, err := client.Do(req)
|
||||
if err != nil {
|
||||
t.Fatalf("do request %d: %v", i, err)
|
||||
}
|
||||
// close without draining - the leak that kills reuse.
|
||||
resp.Body.Close()
|
||||
}
|
||||
|
||||
// most requests should have dialed a fresh conn. don't demand exactly N (the
|
||||
// scheduler occasionally reuses one), just that it's clearly not pooling.
|
||||
const minDistinct = requests / 2
|
||||
if got := distinct(); got < minDistinct {
|
||||
t.Errorf("bare client opened only %d conns for %d requests, want >= %d "+
|
||||
"(expected near-zero reuse without draining)", got, requests, minDistinct)
|
||||
}
|
||||
}
|
||||
|
||||
// BenchmarkConnReuse contrasts the tuned, draining client against a bare client
|
||||
// that closes without draining. the reported conns/op metric is the distinct
|
||||
// tcp conns one pass of `requests` opened - tuned≈1, bare≈requests - so the
|
||||
// README can quote real before/after reuse numbers. the conn map is reset per
|
||||
// iteration so the metric stays a per-pass count and the bare path doesn't
|
||||
// accumulate b.N*requests live sockets and exhaust the ephemeral port range.
|
||||
//
|
||||
// run the bare sub-bench with a bounded -benchtime (e.g. -benchtime 5x): its
|
||||
// whole point is that it can't reuse, so a large b.N floods the local port
|
||||
// space with TIME_WAIT sockets. the tuned sub-bench reuses and runs unbounded.
|
||||
func BenchmarkConnReuse(b *testing.B) {
|
||||
const requests = 50
|
||||
|
||||
run := func(b *testing.B, drain bool, client *http.Client) {
|
||||
b.Helper()
|
||||
var (
|
||||
mu sync.Mutex
|
||||
conns = make(map[net.Conn]struct{})
|
||||
)
|
||||
srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
|
||||
io.WriteString(w, strings.Repeat("x", 256))
|
||||
}))
|
||||
srv.Config.ConnState = func(c net.Conn, state http.ConnState) {
|
||||
if state != http.StateNew {
|
||||
return
|
||||
}
|
||||
mu.Lock()
|
||||
conns[c] = struct{}{}
|
||||
mu.Unlock()
|
||||
}
|
||||
srv.Start()
|
||||
defer srv.Close()
|
||||
|
||||
var lastPass int
|
||||
b.ResetTimer()
|
||||
for n := 0; n < b.N; n++ {
|
||||
mu.Lock()
|
||||
conns = make(map[net.Conn]struct{})
|
||||
mu.Unlock()
|
||||
for i := 0; i < requests; i++ {
|
||||
req, _ := http.NewRequestWithContext(context.Background(), http.MethodGet, srv.URL, http.NoBody)
|
||||
resp, err := client.Do(req)
|
||||
if err != nil {
|
||||
b.Fatalf("do: %v", err)
|
||||
}
|
||||
if drain {
|
||||
DrainClose(resp)
|
||||
} else {
|
||||
resp.Body.Close()
|
||||
}
|
||||
}
|
||||
// close idle conns between passes so the bare client's per-pass
|
||||
// sockets land in TIME_WAIT and free up before the next pass.
|
||||
client.CloseIdleConnections()
|
||||
mu.Lock()
|
||||
lastPass = len(conns)
|
||||
mu.Unlock()
|
||||
}
|
||||
b.StopTimer()
|
||||
|
||||
// distinct conns for a single pass of `requests`.
|
||||
b.ReportMetric(float64(lastPass), "conns/op")
|
||||
}
|
||||
|
||||
b.Run("tuned-drain", func(b *testing.B) {
|
||||
resetBench()
|
||||
tr, err := buildTransport("", 8)
|
||||
if err != nil {
|
||||
b.Fatalf("buildTransport: %v", err)
|
||||
}
|
||||
run(b, true, &http.Client{Timeout: 5 * time.Second, Transport: tr})
|
||||
})
|
||||
|
||||
b.Run("bare-noDrain", func(b *testing.B) {
|
||||
run(b, false, &http.Client{
|
||||
Timeout: 5 * time.Second,
|
||||
Transport: http.DefaultTransport.(*http.Transport).Clone(),
|
||||
})
|
||||
})
|
||||
}
|
||||
|
||||
// resetBench clears the package transport without a *testing.T for benchmarks.
|
||||
func resetBench() {
|
||||
mu.Lock()
|
||||
configured = nil
|
||||
mu.Unlock()
|
||||
}
|
||||
|
||||
// retrySequenceServer serves codes[n] on the n-th hit, repeating the last once
|
||||
// the slice runs out; retryable codes carry Retry-After: 0 to keep tests fast.
|
||||
func retrySequenceServer(t *testing.T, hits *atomic.Int64, codes ...int) *httptest.Server {
|
||||
t.Helper()
|
||||
srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
|
||||
n := int(hits.Add(1)) - 1
|
||||
code := codes[len(codes)-1]
|
||||
if n < len(codes) {
|
||||
code = codes[n]
|
||||
}
|
||||
if code == http.StatusTooManyRequests || code == http.StatusServiceUnavailable {
|
||||
w.Header().Set("Retry-After", "0")
|
||||
}
|
||||
w.WriteHeader(code)
|
||||
}))
|
||||
t.Cleanup(srv.Close)
|
||||
return srv
|
||||
}
|
||||
|
||||
// getStatus performs a GET and returns the final status code the caller sees.
|
||||
func getStatus(t *testing.T, client *http.Client, url string) int {
|
||||
t.Helper()
|
||||
req, err := http.NewRequestWithContext(context.Background(), http.MethodGet, url, http.NoBody)
|
||||
if err != nil {
|
||||
t.Fatalf("new request: %v", err)
|
||||
}
|
||||
resp, err := client.Do(req)
|
||||
if err != nil {
|
||||
t.Fatalf("do request: %v", err)
|
||||
}
|
||||
resp.Body.Close()
|
||||
return resp.StatusCode
|
||||
}
|
||||
|
||||
func TestRetryRecoversAfter429(t *testing.T) {
|
||||
resetConfig(t)
|
||||
|
||||
var hits atomic.Int64
|
||||
srv := retrySequenceServer(t, &hits, http.StatusTooManyRequests, http.StatusOK)
|
||||
if err := Configure(Options{MaxRetries: 2}); err != nil {
|
||||
t.Fatalf("Configure: %v", err)
|
||||
}
|
||||
|
||||
if code := getStatus(t, Client(5*time.Second), srv.URL); code != http.StatusOK {
|
||||
t.Errorf("status = %d, want 200 after retry", code)
|
||||
}
|
||||
if got := hits.Load(); got != 2 {
|
||||
t.Errorf("server hits = %d, want 2 (initial + one retry)", got)
|
||||
}
|
||||
}
|
||||
|
||||
func TestRetryRecoversAfter503(t *testing.T) {
|
||||
resetConfig(t)
|
||||
|
||||
var hits atomic.Int64
|
||||
srv := retrySequenceServer(t, &hits, http.StatusServiceUnavailable, http.StatusOK)
|
||||
if err := Configure(Options{MaxRetries: 2}); err != nil {
|
||||
t.Fatalf("Configure: %v", err)
|
||||
}
|
||||
|
||||
if code := getStatus(t, Client(5*time.Second), srv.URL); code != http.StatusOK {
|
||||
t.Errorf("status = %d, want 200 after retry", code)
|
||||
}
|
||||
if got := hits.Load(); got != 2 {
|
||||
t.Errorf("server hits = %d, want 2", got)
|
||||
}
|
||||
}
|
||||
|
||||
func TestRetryDisabled(t *testing.T) {
|
||||
resetConfig(t)
|
||||
|
||||
var hits atomic.Int64
|
||||
srv := retrySequenceServer(t, &hits, http.StatusTooManyRequests, http.StatusOK)
|
||||
if err := Configure(Options{MaxRetries: 0}); err != nil {
|
||||
t.Fatalf("Configure: %v", err)
|
||||
}
|
||||
|
||||
if code := getStatus(t, Client(5*time.Second), srv.URL); code != http.StatusTooManyRequests {
|
||||
t.Errorf("status = %d, want 429 with retries off", code)
|
||||
}
|
||||
if got := hits.Load(); got != 1 {
|
||||
t.Errorf("server hits = %d, want 1 (no retry)", got)
|
||||
}
|
||||
}
|
||||
|
||||
func TestRetryExhausted(t *testing.T) {
|
||||
resetConfig(t)
|
||||
|
||||
var hits atomic.Int64
|
||||
srv := retrySequenceServer(t, &hits, http.StatusTooManyRequests) // always 429
|
||||
if err := Configure(Options{MaxRetries: 2}); err != nil {
|
||||
t.Fatalf("Configure: %v", err)
|
||||
}
|
||||
|
||||
if code := getStatus(t, Client(5*time.Second), srv.URL); code != http.StatusTooManyRequests {
|
||||
t.Errorf("status = %d, want 429 after exhausting retries", code)
|
||||
}
|
||||
if got := hits.Load(); got != 3 {
|
||||
t.Errorf("server hits = %d, want 3 (initial + 2 retries)", got)
|
||||
}
|
||||
}
|
||||
|
||||
func TestRetryIgnoresNonRetryableStatus(t *testing.T) {
|
||||
resetConfig(t)
|
||||
|
||||
var hits atomic.Int64
|
||||
srv := retrySequenceServer(t, &hits, http.StatusInternalServerError, http.StatusOK)
|
||||
if err := Configure(Options{MaxRetries: 2}); err != nil {
|
||||
t.Fatalf("Configure: %v", err)
|
||||
}
|
||||
|
||||
if code := getStatus(t, Client(5*time.Second), srv.URL); code != http.StatusInternalServerError {
|
||||
t.Errorf("status = %d, want 500 (not retried)", code)
|
||||
}
|
||||
if got := hits.Load(); got != 1 {
|
||||
t.Errorf("server hits = %d, want 1 (500 not retried)", got)
|
||||
}
|
||||
}
|
||||
|
||||
func TestRetryReplaysRequestBody(t *testing.T) {
|
||||
resetConfig(t)
|
||||
|
||||
var hits atomic.Int64
|
||||
var bmu sync.Mutex
|
||||
var bodies []string
|
||||
srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||
body, _ := io.ReadAll(r.Body)
|
||||
bmu.Lock()
|
||||
bodies = append(bodies, string(body))
|
||||
bmu.Unlock()
|
||||
if hits.Add(1) == 1 {
|
||||
w.Header().Set("Retry-After", "0")
|
||||
w.WriteHeader(http.StatusTooManyRequests)
|
||||
return
|
||||
}
|
||||
w.WriteHeader(http.StatusOK)
|
||||
}))
|
||||
t.Cleanup(srv.Close)
|
||||
|
||||
if err := Configure(Options{MaxRetries: 2}); err != nil {
|
||||
t.Fatalf("Configure: %v", err)
|
||||
}
|
||||
|
||||
req, err := http.NewRequestWithContext(context.Background(), http.MethodPost, srv.URL, strings.NewReader("payload"))
|
||||
if err != nil {
|
||||
t.Fatalf("new request: %v", err)
|
||||
}
|
||||
resp, err := Client(5 * time.Second).Do(req)
|
||||
if err != nil {
|
||||
t.Fatalf("do request: %v", err)
|
||||
}
|
||||
resp.Body.Close()
|
||||
if resp.StatusCode != http.StatusOK {
|
||||
t.Fatalf("status = %d, want 200 after body replay", resp.StatusCode)
|
||||
}
|
||||
|
||||
bmu.Lock()
|
||||
defer bmu.Unlock()
|
||||
if len(bodies) != 2 {
|
||||
t.Fatalf("server saw %d requests, want 2", len(bodies))
|
||||
}
|
||||
for i, body := range bodies {
|
||||
if body != "payload" {
|
||||
t.Errorf("body[%d] = %q, want %q (rewind dropped the body)", i, body, "payload")
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
func TestRetryAfterHeader(t *testing.T) {
|
||||
noHeader := &http.Response{Header: http.Header{}}
|
||||
if got := retryAfter(noHeader, 0); got != retryBackoffBase {
|
||||
t.Errorf("missing header: attempt 0 = %v, want %v", got, retryBackoffBase)
|
||||
}
|
||||
if got := retryAfter(noHeader, 1); got != 2*retryBackoffBase {
|
||||
t.Errorf("missing header: attempt 1 = %v, want %v", got, 2*retryBackoffBase)
|
||||
}
|
||||
if got := retryAfter(noHeader, 1000); got != retryAfterCap {
|
||||
t.Errorf("missing header: attempt 1000 = %v, want cap %v", got, retryAfterCap)
|
||||
}
|
||||
|
||||
withSeconds := func(v string) *http.Response {
|
||||
return &http.Response{Header: http.Header{"Retry-After": {v}}}
|
||||
}
|
||||
if got := retryAfter(withSeconds("3"), 0); got != 3*time.Second {
|
||||
t.Errorf("Retry-After 3 = %v, want 3s", got)
|
||||
}
|
||||
if got := retryAfter(withSeconds("0"), 5); got != 0 {
|
||||
t.Errorf("Retry-After 0 = %v, want 0", got)
|
||||
}
|
||||
if got := retryAfter(withSeconds("9999"), 0); got != retryAfterCap {
|
||||
t.Errorf("Retry-After 9999 = %v, want cap %v", got, retryAfterCap)
|
||||
}
|
||||
if got := retryAfter(withSeconds("soon"), 0); got != retryBackoffBase {
|
||||
t.Errorf("Retry-After junk = %v, want backoff %v", got, retryBackoffBase)
|
||||
}
|
||||
|
||||
future := time.Now().Add(5 * time.Second).UTC().Format(http.TimeFormat)
|
||||
if got := retryAfter(withSeconds(future), 0); got <= 0 || got > 5*time.Second {
|
||||
t.Errorf("Retry-After http-date = %v, want (0, 5s]", got)
|
||||
}
|
||||
}
|
||||
|
||||
func TestCapDuration(t *testing.T) {
|
||||
cases := []struct{ in, want time.Duration }{
|
||||
{-time.Second, 0},
|
||||
{0, 0},
|
||||
{5 * time.Second, 5 * time.Second},
|
||||
{retryAfterCap, retryAfterCap},
|
||||
{retryAfterCap + time.Second, retryAfterCap},
|
||||
}
|
||||
for _, c := range cases {
|
||||
if got := capDuration(c.in); got != c.want {
|
||||
t.Errorf("capDuration(%v) = %v, want %v", c.in, got, c.want)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
func TestSleepCtxCancelled(t *testing.T) {
|
||||
ctx, cancel := context.WithCancel(context.Background())
|
||||
cancel()
|
||||
if err := sleepCtx(ctx, time.Hour); err == nil {
|
||||
t.Error("sleepCtx on a cancelled context should return its error, not block")
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,216 @@
|
||||
package modules_test
|
||||
|
||||
import (
|
||||
"context"
|
||||
"net/http"
|
||||
"net/http/httptest"
|
||||
"testing"
|
||||
"time"
|
||||
|
||||
"github.com/vmfunc/sif/internal/modules"
|
||||
)
|
||||
|
||||
func runOrchestrationModule(t *testing.T, file string, status int, body string) *modules.Result {
|
||||
t.Helper()
|
||||
def, err := modules.ParseYAMLModule(file)
|
||||
if err != nil {
|
||||
t.Fatalf("parse %s: %v", file, err)
|
||||
}
|
||||
srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||
w.WriteHeader(status)
|
||||
_, _ = w.Write([]byte(body))
|
||||
}))
|
||||
defer srv.Close()
|
||||
|
||||
res, err := modules.ExecuteHTTPModule(context.Background(), srv.URL, def, modules.Options{
|
||||
Timeout: 5 * time.Second,
|
||||
Threads: 2,
|
||||
})
|
||||
if err != nil {
|
||||
t.Fatalf("execute %s: %v", file, err)
|
||||
}
|
||||
return res
|
||||
}
|
||||
|
||||
func orchestrationExtract(res *modules.Result, key string) string {
|
||||
for _, f := range res.Findings {
|
||||
if v := f.Extracted[key]; v != "" {
|
||||
return v
|
||||
}
|
||||
}
|
||||
return ""
|
||||
}
|
||||
|
||||
func TestAIOrchestrationExposureModules(t *testing.T) {
|
||||
const langflow = "../../modules/recon/langflow-exposure.yaml"
|
||||
const dify = "../../modules/recon/dify-console-exposure.yaml"
|
||||
const ray = "../../modules/recon/ray-dashboard-exposure.yaml"
|
||||
const skypilot = "../../modules/recon/skypilot-api-exposure.yaml"
|
||||
|
||||
langflowVersion := `{"version":"1.0.19","main_version":"1.0.19","package":"Langflow"}`
|
||||
|
||||
difyFeatures := `{"enable_app_deploy":true,"sso_enforced_for_signin":false,` +
|
||||
`"sso_enforced_for_signin_protocol":"","enable_marketplace":true,"enable_email_code_login":false,` +
|
||||
`"enable_email_password_login":true,"enable_social_oauth_login":false,"is_allow_register":true,` +
|
||||
`"is_allow_create_workspace":false,"is_email_setup":true,"license":{"status":"none","expired_at":""}}`
|
||||
|
||||
rayVersion := `{"version":"4","ray_version":"2.9.3","ray_commit":"a1b2c3d4e5","session_name":"session_2024"}`
|
||||
|
||||
skypilotHealth := `{"status":"healthy","api_version":"14","version":"0.9.3","version_on_disk":"0.9.3",` +
|
||||
`"commit":"abc1234def","basic_auth_enabled":false}`
|
||||
|
||||
t.Run("a langflow version api is flagged", func(t *testing.T) {
|
||||
res := runOrchestrationModule(t, langflow, 200, langflowVersion)
|
||||
if len(res.Findings) == 0 {
|
||||
t.Fatal("expected a langflow finding")
|
||||
}
|
||||
if v := orchestrationExtract(res, "langflow_version"); v != "1.0.19" {
|
||||
t.Errorf("langflow_version=%q, want 1.0.19", v)
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a langflow base build is still flagged", func(t *testing.T) {
|
||||
body := `{"version":"1.0.19","main_version":"1.0.19","package":"Langflow Base"}`
|
||||
if res := runOrchestrationModule(t, langflow, 200, body); len(res.Findings) == 0 {
|
||||
t.Fatal("expected a finding for a langflow base build")
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a version api from another package is not flagged as langflow", func(t *testing.T) {
|
||||
body := `{"version":"1.0","main_version":"1.0","package":"SomeApp"}`
|
||||
if res := runOrchestrationModule(t, langflow, 200, body); len(res.Findings) > 0 {
|
||||
t.Errorf("another package should not match langflow, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a langflow package without main_version is not flagged", func(t *testing.T) {
|
||||
if res := runOrchestrationModule(t, langflow, 200, `{"package":"Langflow"}`); len(res.Findings) > 0 {
|
||||
t.Errorf("a package-only body should not match langflow, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a dify system-features is flagged and reports open registration", func(t *testing.T) {
|
||||
res := runOrchestrationModule(t, dify, 200, difyFeatures)
|
||||
if len(res.Findings) == 0 {
|
||||
t.Fatal("expected a dify finding")
|
||||
}
|
||||
if v := orchestrationExtract(res, "dify_allow_register"); v != "true" {
|
||||
t.Errorf("dify_allow_register=%q, want true", v)
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a body without sso_enforced_for_signin is not flagged as dify", func(t *testing.T) {
|
||||
body := `{"enable_email_password_login":true,"is_allow_create_workspace":false,"is_allow_register":true}`
|
||||
if res := runOrchestrationModule(t, dify, 200, body); len(res.Findings) > 0 {
|
||||
t.Errorf("a body without sso_enforced_for_signin should not match dify, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a body without enable_email_password_login is not flagged as dify", func(t *testing.T) {
|
||||
body := `{"sso_enforced_for_signin":false,"is_allow_create_workspace":false}`
|
||||
if res := runOrchestrationModule(t, dify, 200, body); len(res.Findings) > 0 {
|
||||
t.Errorf("a body without enable_email_password_login should not match dify, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a body without is_allow_create_workspace is not flagged as dify", func(t *testing.T) {
|
||||
body := `{"sso_enforced_for_signin":false,"enable_email_password_login":true}`
|
||||
if res := runOrchestrationModule(t, dify, 200, body); len(res.Findings) > 0 {
|
||||
t.Errorf("a body without is_allow_create_workspace should not match dify, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a dify with registration disabled is not flagged", func(t *testing.T) {
|
||||
body := `{"sso_enforced_for_signin":false,"enable_email_password_login":true,"is_allow_create_workspace":true,"is_allow_register":false}`
|
||||
if res := runOrchestrationModule(t, dify, 200, body); len(res.Findings) > 0 {
|
||||
t.Errorf("a closed-registration dify should not be flagged, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a ray dashboard version is flagged", func(t *testing.T) {
|
||||
res := runOrchestrationModule(t, ray, 200, rayVersion)
|
||||
if len(res.Findings) == 0 {
|
||||
t.Fatal("expected a ray finding")
|
||||
}
|
||||
if v := orchestrationExtract(res, "ray_version"); v != "2.9.3" {
|
||||
t.Errorf("ray_version=%q, want 2.9.3", v)
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a generic version api is not flagged as ray", func(t *testing.T) {
|
||||
body := `{"version":"4","api_version":"v1","build":"123"}`
|
||||
if res := runOrchestrationModule(t, ray, 200, body); len(res.Findings) > 0 {
|
||||
t.Errorf("a generic version api should not match ray, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a ray_version without a ray_commit is not flagged", func(t *testing.T) {
|
||||
body := `{"version":"4","ray_version":"2.9.3"}`
|
||||
if res := runOrchestrationModule(t, ray, 200, body); len(res.Findings) > 0 {
|
||||
t.Errorf("ray_version alone should not match ray, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a skypilot health is flagged with its version and auth state", func(t *testing.T) {
|
||||
res := runOrchestrationModule(t, skypilot, 200, skypilotHealth)
|
||||
if len(res.Findings) == 0 {
|
||||
t.Fatal("expected a skypilot finding")
|
||||
}
|
||||
if v := orchestrationExtract(res, "skypilot_version"); v != "0.9.3" {
|
||||
t.Errorf("skypilot_version=%q, want 0.9.3", v)
|
||||
}
|
||||
if v := orchestrationExtract(res, "skypilot_basic_auth"); v != "false" {
|
||||
t.Errorf("skypilot_basic_auth=%q, want false", v)
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a bare status health is not flagged as skypilot", func(t *testing.T) {
|
||||
if res := runOrchestrationModule(t, skypilot, 200, `{"status":"healthy"}`); len(res.Findings) > 0 {
|
||||
t.Errorf("an auth-gated bare health should not match skypilot, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a body without version_on_disk is not flagged as skypilot", func(t *testing.T) {
|
||||
body := `{"status":"healthy","api_version":"14","commit":"abc","basic_auth_enabled":false}`
|
||||
if res := runOrchestrationModule(t, skypilot, 200, body); len(res.Findings) > 0 {
|
||||
t.Errorf("a body without version_on_disk should not match skypilot, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a body without basic_auth_enabled is not flagged as skypilot", func(t *testing.T) {
|
||||
body := `{"status":"healthy","version_on_disk":"0.9.3","commit":"abc"}`
|
||||
if res := runOrchestrationModule(t, skypilot, 200, body); len(res.Findings) > 0 {
|
||||
t.Errorf("a body without basic_auth_enabled should not match skypilot, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a body without commit is not flagged as skypilot", func(t *testing.T) {
|
||||
body := `{"status":"healthy","version_on_disk":"0.9.3","basic_auth_enabled":false}`
|
||||
if res := runOrchestrationModule(t, skypilot, 200, body); len(res.Findings) > 0 {
|
||||
t.Errorf("a body without commit should not match skypilot, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a skypilot with basic auth enabled is not flagged", func(t *testing.T) {
|
||||
body := `{"status":"healthy","version_on_disk":"0.9.3","commit":"abc","basic_auth_enabled":true}`
|
||||
if res := runOrchestrationModule(t, skypilot, 200, body); len(res.Findings) > 0 {
|
||||
t.Errorf("an auth-enabled skypilot should not be flagged, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a plain 200 body is not a leak", func(t *testing.T) {
|
||||
for _, file := range []string{langflow, dify, ray, skypilot} {
|
||||
if res := runOrchestrationModule(t, file, 200, "ok"); len(res.Findings) > 0 {
|
||||
t.Errorf("%s: a plain 200 body should not match, got %d findings", file, len(res.Findings))
|
||||
}
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a 404 is not a leak", func(t *testing.T) {
|
||||
for _, file := range []string{langflow, dify, ray, skypilot} {
|
||||
if res := runOrchestrationModule(t, file, 404, "not found"); len(res.Findings) > 0 {
|
||||
t.Errorf("%s: a 404 should not match, got %d findings", file, len(res.Findings))
|
||||
}
|
||||
}
|
||||
})
|
||||
}
|
||||
@@ -0,0 +1,87 @@
|
||||
package modules_test
|
||||
|
||||
import (
|
||||
"context"
|
||||
"net/http"
|
||||
"net/http/httptest"
|
||||
"testing"
|
||||
"time"
|
||||
|
||||
"github.com/vmfunc/sif/internal/modules"
|
||||
)
|
||||
|
||||
func runAlertmanagerModule(t *testing.T, file string, status int, body string) *modules.Result {
|
||||
t.Helper()
|
||||
def, err := modules.ParseYAMLModule(file)
|
||||
if err != nil {
|
||||
t.Fatalf("parse %s: %v", file, err)
|
||||
}
|
||||
srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||
w.WriteHeader(status)
|
||||
_, _ = w.Write([]byte(body))
|
||||
}))
|
||||
defer srv.Close()
|
||||
|
||||
res, err := modules.ExecuteHTTPModule(context.Background(), srv.URL, def, modules.Options{
|
||||
Timeout: 5 * time.Second,
|
||||
Threads: 2,
|
||||
})
|
||||
if err != nil {
|
||||
t.Fatalf("execute %s: %v", file, err)
|
||||
}
|
||||
return res
|
||||
}
|
||||
|
||||
func alertmanagerExtract(res *modules.Result, key string) string {
|
||||
for _, f := range res.Findings {
|
||||
if v := f.Extracted[key]; v != "" {
|
||||
return v
|
||||
}
|
||||
}
|
||||
return ""
|
||||
}
|
||||
|
||||
func TestAlertmanagerExposureModule(t *testing.T) {
|
||||
const am = "../../modules/recon/alertmanager-status-exposure.yaml"
|
||||
|
||||
t.Run("an alertmanager status is flagged with its version", func(t *testing.T) {
|
||||
body := `{"cluster":{"name":"01HXYZ","status":"ready","peers":[{"name":"01HX","address":"10.0.0.7:9094"}]},` +
|
||||
`"versionInfo":{"branch":"HEAD","buildDate":"20240228","buildUser":"root@host","goVersion":"go1.21.7",` +
|
||||
`"revision":"0aa3c2a","version":"0.27.0"},"config":{"original":"global:\n smtp_smarthost: 'smtp:587'\n ` +
|
||||
`smtp_auth_password: 'hunter2'\nreceivers:\n- name: team\n slack_configs:\n - api_url: 'https://hooks.slack.com/services/T/B/X'\n"},` +
|
||||
`"uptime":"2024-06-01T10:00:00.000Z"}`
|
||||
res := runAlertmanagerModule(t, am, 200, body)
|
||||
if len(res.Findings) == 0 {
|
||||
t.Fatal("expected an alertmanager finding")
|
||||
}
|
||||
if v := alertmanagerExtract(res, "alertmanager_version"); v != "0.27.0" {
|
||||
t.Errorf("alertmanager_version=%q, want 0.27.0", v)
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a versionInfo+cluster body without config is not flagged", func(t *testing.T) {
|
||||
body := `{"cluster":{"name":"01HXYZ","status":"ready"},"versionInfo":{"version":"0.27.0"},"uptime":"x"}`
|
||||
if res := runAlertmanagerModule(t, am, 200, body); len(res.Findings) > 0 {
|
||||
t.Errorf("a configless status should not match alertmanager, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a config+versionInfo body without cluster is not flagged", func(t *testing.T) {
|
||||
body := `{"versionInfo":{"version":"0.27.0"},"config":{"original":"global:\n"},"uptime":"x"}`
|
||||
if res := runAlertmanagerModule(t, am, 200, body); len(res.Findings) > 0 {
|
||||
t.Errorf("a clusterless status should not match alertmanager, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a plain 200 body is not a leak", func(t *testing.T) {
|
||||
if res := runAlertmanagerModule(t, am, 200, "ok"); len(res.Findings) > 0 {
|
||||
t.Errorf("a plain 200 body should not match, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a 404 is not a leak", func(t *testing.T) {
|
||||
if res := runAlertmanagerModule(t, am, 404, "not found"); len(res.Findings) > 0 {
|
||||
t.Errorf("a 404 should not match, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
}
|
||||
@@ -0,0 +1,164 @@
|
||||
package modules_test
|
||||
|
||||
import (
|
||||
"context"
|
||||
"net/http"
|
||||
"net/http/httptest"
|
||||
"testing"
|
||||
"time"
|
||||
|
||||
"github.com/vmfunc/sif/internal/modules"
|
||||
)
|
||||
|
||||
func runAnalyticsModule(t *testing.T, file string, status int, body string) *modules.Result {
|
||||
t.Helper()
|
||||
def, err := modules.ParseYAMLModule(file)
|
||||
if err != nil {
|
||||
t.Fatalf("parse %s: %v", file, err)
|
||||
}
|
||||
srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||
w.WriteHeader(status)
|
||||
_, _ = w.Write([]byte(body))
|
||||
}))
|
||||
defer srv.Close()
|
||||
|
||||
res, err := modules.ExecuteHTTPModule(context.Background(), srv.URL, def, modules.Options{
|
||||
Timeout: 5 * time.Second,
|
||||
Threads: 2,
|
||||
})
|
||||
if err != nil {
|
||||
t.Fatalf("execute %s: %v", file, err)
|
||||
}
|
||||
return res
|
||||
}
|
||||
|
||||
func analyticsExtract(res *modules.Result, key string) string {
|
||||
for _, f := range res.Findings {
|
||||
if v := f.Extracted[key]; v != "" {
|
||||
return v
|
||||
}
|
||||
}
|
||||
return ""
|
||||
}
|
||||
|
||||
func TestAnalyticsUIExposureModules(t *testing.T) {
|
||||
const metabase = "../../modules/recon/metabase-api-exposure.yaml"
|
||||
const zeppelin = "../../modules/recon/zeppelin-api-exposure.yaml"
|
||||
const jupyter = "../../modules/recon/jupyter-api-exposure.yaml"
|
||||
|
||||
metabaseProps := `{"engines":{"postgres":{"driver-name":"PostgreSQL"}},` +
|
||||
`"setup-token":"245f5f7c-8f0b-4c20-9a1e-6b2d7e1f0a33","anon-tracking-enabled":true,` +
|
||||
`"available-locales":[["en","English"]],"password-complexity":{"total":6},` +
|
||||
`"version":{"date":"2023-10-01","tag":"v0.47.2","branch":"release-x.47.x","hash":"abc1234"}}`
|
||||
|
||||
zeppelinVersion := `{"status":"OK","message":"Zeppelin version",` +
|
||||
`"body":{"version":"0.10.1","git-commit-id":"a1b2c3d4e5","git-timestamp":"2022-01-15 10:00:00"}}`
|
||||
|
||||
jupyterStatus := `{"started":"2024-01-01T00:00:00.000000Z",` +
|
||||
`"last_activity":"2024-01-01T01:23:45.000000Z","connections":2,"kernels":3}`
|
||||
|
||||
t.Run("an exposed metabase properties api is flagged and versioned", func(t *testing.T) {
|
||||
res := runAnalyticsModule(t, metabase, 200, metabaseProps)
|
||||
if len(res.Findings) == 0 {
|
||||
t.Fatal("expected a metabase finding")
|
||||
}
|
||||
if v := analyticsExtract(res, "metabase_version"); v != "v0.47.2" {
|
||||
t.Errorf("metabase_version=%q, want v0.47.2", v)
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("an exposed zeppelin server is flagged and versioned", func(t *testing.T) {
|
||||
res := runAnalyticsModule(t, zeppelin, 200, zeppelinVersion)
|
||||
if len(res.Findings) == 0 {
|
||||
t.Fatal("expected a zeppelin finding")
|
||||
}
|
||||
if v := analyticsExtract(res, "zeppelin_version"); v != "0.10.1" {
|
||||
t.Errorf("zeppelin_version=%q, want 0.10.1", v)
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("an exposed jupyter status api is flagged with the kernel count", func(t *testing.T) {
|
||||
res := runAnalyticsModule(t, jupyter, 200, jupyterStatus)
|
||||
if len(res.Findings) == 0 {
|
||||
t.Fatal("expected a jupyter finding")
|
||||
}
|
||||
if v := analyticsExtract(res, "jupyter_active_kernels"); v != "3" {
|
||||
t.Errorf("jupyter_active_kernels=%q, want 3", v)
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a live metabase token without the tracking setting is not flagged", func(t *testing.T) {
|
||||
body := `{"setup-token":"245f5f7c-8f0b-4c20-9a1e-6b2d7e1f0a33","name":"app"}`
|
||||
if res := runAnalyticsModule(t, metabase, 200, body); len(res.Findings) > 0 {
|
||||
t.Errorf("a setup token alone should not match metabase, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a metabase tracking setting without a setup token is not flagged", func(t *testing.T) {
|
||||
body := `{"anon-tracking-enabled":true,"name":"app"}`
|
||||
if res := runAnalyticsModule(t, metabase, 200, body); len(res.Findings) > 0 {
|
||||
t.Errorf("a tracking setting alone should not match metabase, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a patched metabase with a null setup token is not flagged", func(t *testing.T) {
|
||||
body := `{"setup-token":null,"anon-tracking-enabled":true,` +
|
||||
`"version":{"tag":"v0.47.2"}}`
|
||||
if res := runAnalyticsModule(t, metabase, 200, body); len(res.Findings) > 0 {
|
||||
t.Errorf("a null setup token should not match metabase, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a zeppelin banner without a git commit id is not flagged", func(t *testing.T) {
|
||||
body := `{"status":"OK","message":"Zeppelin version","body":{}}`
|
||||
if res := runAnalyticsModule(t, zeppelin, 200, body); len(res.Findings) > 0 {
|
||||
t.Errorf("a banner alone should not match zeppelin, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a git commit id without the zeppelin banner is not flagged", func(t *testing.T) {
|
||||
body := `{"git-commit-id":"a1b2c3d","name":"app"}`
|
||||
if res := runAnalyticsModule(t, zeppelin, 200, body); len(res.Findings) > 0 {
|
||||
t.Errorf("a commit id alone should not match zeppelin, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a jupyter status without a kernels field is not flagged", func(t *testing.T) {
|
||||
body := `{"started":"2024-01-01T00:00:00Z","last_activity":"2024-01-01T01:00:00Z","connections":2}`
|
||||
if res := runAnalyticsModule(t, jupyter, 200, body); len(res.Findings) > 0 {
|
||||
t.Errorf("a status without kernels should not match jupyter, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a jupyter status without a connections field is not flagged", func(t *testing.T) {
|
||||
body := `{"started":"2024-01-01T00:00:00Z","last_activity":"2024-01-01T01:00:00Z","kernels":3}`
|
||||
if res := runAnalyticsModule(t, jupyter, 200, body); len(res.Findings) > 0 {
|
||||
t.Errorf("a status without connections should not match jupyter, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a generic version json is not an analytics service", func(t *testing.T) {
|
||||
body := `{"version":"1.0.0","name":"app"}`
|
||||
for _, file := range []string{metabase, zeppelin, jupyter} {
|
||||
if res := runAnalyticsModule(t, file, 200, body); len(res.Findings) > 0 {
|
||||
t.Errorf("%s: a generic version should not match, got %d findings", file, len(res.Findings))
|
||||
}
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a plain 200 body is not a leak", func(t *testing.T) {
|
||||
for _, file := range []string{metabase, zeppelin, jupyter} {
|
||||
if res := runAnalyticsModule(t, file, 200, "ok"); len(res.Findings) > 0 {
|
||||
t.Errorf("%s: a plain 200 body should not match, got %d findings", file, len(res.Findings))
|
||||
}
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a 404 is not a leak", func(t *testing.T) {
|
||||
for _, file := range []string{metabase, zeppelin, jupyter} {
|
||||
if res := runAnalyticsModule(t, file, 404, "not found"); len(res.Findings) > 0 {
|
||||
t.Errorf("%s: a 404 should not match, got %d findings", file, len(res.Findings))
|
||||
}
|
||||
}
|
||||
})
|
||||
}
|
||||
@@ -0,0 +1,173 @@
|
||||
package modules_test
|
||||
|
||||
import (
|
||||
"context"
|
||||
"net/http"
|
||||
"net/http/httptest"
|
||||
"testing"
|
||||
"time"
|
||||
|
||||
"github.com/vmfunc/sif/internal/modules"
|
||||
)
|
||||
|
||||
func runAppCfgModule(t *testing.T, file string, status int, body string) *modules.Result {
|
||||
t.Helper()
|
||||
def, err := modules.ParseYAMLModule(file)
|
||||
if err != nil {
|
||||
t.Fatalf("parse %s: %v", file, err)
|
||||
}
|
||||
srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||
w.WriteHeader(status)
|
||||
_, _ = w.Write([]byte(body))
|
||||
}))
|
||||
defer srv.Close()
|
||||
|
||||
res, err := modules.ExecuteHTTPModule(context.Background(), srv.URL, def, modules.Options{
|
||||
Timeout: 5 * time.Second,
|
||||
Threads: 2,
|
||||
})
|
||||
if err != nil {
|
||||
t.Fatalf("execute %s: %v", file, err)
|
||||
}
|
||||
return res
|
||||
}
|
||||
|
||||
func appCfgExtract(res *modules.Result, key string) string {
|
||||
for _, f := range res.Findings {
|
||||
if v := f.Extracted[key]; v != "" {
|
||||
return v
|
||||
}
|
||||
}
|
||||
return ""
|
||||
}
|
||||
|
||||
func TestAppConfigExposureModules(t *testing.T) {
|
||||
const spring = "../../modules/recon/spring-application-config-exposure.yaml"
|
||||
const appsettings = "../../modules/recon/appsettings-exposure.yaml"
|
||||
const wpconfig = "../../modules/recon/wp-config-backup-exposure.yaml"
|
||||
|
||||
springProps := "spring.application.name=billing\n" +
|
||||
"spring.datasource.url=jdbc:mysql://db.internal:3306/billing\n" +
|
||||
"spring.datasource.username=app\nspring.datasource.password=s3cr3tP@ss\n" +
|
||||
"spring.jpa.hibernate.ddl-auto=update\nserver.port=8080\n"
|
||||
|
||||
springYaml := "spring:\n datasource:\n url: jdbc:postgresql://pg.internal:5432/app\n" +
|
||||
" username: app\n password: hunter2\nserver:\n port: 8443\n"
|
||||
|
||||
appSettings := `{` + "\n" +
|
||||
` "Logging": { "LogLevel": { "Default": "Information" } },` + "\n" +
|
||||
` "ConnectionStrings": {` + "\n" +
|
||||
` "DefaultConnection": "Server=db;Database=app;User Id=sa;Password=P@ssw0rd;"` + "\n" +
|
||||
` },` + "\n" +
|
||||
` "AllowedHosts": "*"` + "\n}"
|
||||
|
||||
wpConfig := "<?php\ndefine( 'DB_NAME', 'wordpress' );\ndefine( 'DB_USER', 'wp' );\n" +
|
||||
"define( 'DB_PASSWORD', 'Tr0ub4dor&3' );\ndefine( 'DB_HOST', 'localhost' );\n" +
|
||||
"$table_prefix = 'wp_';\n"
|
||||
|
||||
t.Run("a spring properties file leaks the jdbc url", func(t *testing.T) {
|
||||
res := runAppCfgModule(t, spring, 200, springProps)
|
||||
if len(res.Findings) == 0 {
|
||||
t.Fatal("expected a spring config finding")
|
||||
}
|
||||
if v := appCfgExtract(res, "jdbc_url"); v != "jdbc:mysql://db.internal:3306/billing" {
|
||||
t.Errorf("jdbc_url=%q, want the mysql url", v)
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a spring yaml file also matches and names the jdbc url", func(t *testing.T) {
|
||||
res := runAppCfgModule(t, spring, 200, springYaml)
|
||||
if len(res.Findings) == 0 {
|
||||
t.Fatal("expected a spring config finding for yaml")
|
||||
}
|
||||
if v := appCfgExtract(res, "jdbc_url"); v != "jdbc:postgresql://pg.internal:5432/app" {
|
||||
t.Errorf("jdbc_url=%q, want the postgres url", v)
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("an appsettings json leaks the connection string", func(t *testing.T) {
|
||||
res := runAppCfgModule(t, appsettings, 200, appSettings)
|
||||
if len(res.Findings) == 0 {
|
||||
t.Fatal("expected an appsettings finding")
|
||||
}
|
||||
want := "Server=db;Database=app;User Id=sa;Password=P@ssw0rd;"
|
||||
if v := appCfgExtract(res, "connection_string"); v != want {
|
||||
t.Errorf("connection_string=%q, want %q", v, want)
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a wp-config backup leaks the database password", func(t *testing.T) {
|
||||
res := runAppCfgModule(t, wpconfig, 200, wpConfig)
|
||||
if len(res.Findings) == 0 {
|
||||
t.Fatal("expected a wp-config finding")
|
||||
}
|
||||
if v := appCfgExtract(res, "db_password"); v != "Tr0ub4dor&3" {
|
||||
t.Errorf("db_password=%q, want Tr0ub4dor&3", v)
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a spring config with no credential is not flagged", func(t *testing.T) {
|
||||
body := "spring.application.name=app\nserver.port=8080\n"
|
||||
if res := runAppCfgModule(t, spring, 200, body); len(res.Findings) > 0 {
|
||||
t.Errorf("a credential-free config should not match, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a spring config inside an html page is not flagged", func(t *testing.T) {
|
||||
body := "<!DOCTYPE html><html><body><pre>spring.datasource.password=x</pre></body></html>"
|
||||
if res := runAppCfgModule(t, spring, 200, body); len(res.Findings) > 0 {
|
||||
t.Errorf("an html page should not match, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("an appsettings without a connection string is not flagged", func(t *testing.T) {
|
||||
body := `{"Logging":{"LogLevel":{"Default":"Information"}},"AllowedHosts":"*"}`
|
||||
if res := runAppCfgModule(t, appsettings, 200, body); len(res.Findings) > 0 {
|
||||
t.Errorf("a config without a connection string should not match, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("an appsettings with no password is not a credential leak", func(t *testing.T) {
|
||||
body := `{"ConnectionStrings":{"Db":"Server=db;Database=app;Integrated Security=true;"}}`
|
||||
if res := runAppCfgModule(t, appsettings, 200, body); len(res.Findings) > 0 {
|
||||
t.Errorf("a passwordless connection string should not match, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("an appsettings password outside a connection strings section is not flagged", func(t *testing.T) {
|
||||
body := `{"Smtp":{"Host":"Server=mail;Password=relaypass;"}}`
|
||||
if res := runAppCfgModule(t, appsettings, 200, body); len(res.Findings) > 0 {
|
||||
t.Errorf("a password outside ConnectionStrings should not match, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("prose that names the wp-config password is not a backup", func(t *testing.T) {
|
||||
body := "set the DB_PASSWORD env var before running the installer"
|
||||
if res := runAppCfgModule(t, wpconfig, 200, body); len(res.Findings) > 0 {
|
||||
t.Errorf("prose naming DB_PASSWORD should not match, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a wp-config shown in an html page is not flagged", func(t *testing.T) {
|
||||
body := "<html><head><title>setup</title></head><body>define( 'DB_PASSWORD', 'x' ); DB_NAME</body></html>"
|
||||
if res := runAppCfgModule(t, wpconfig, 200, body); len(res.Findings) > 0 {
|
||||
t.Errorf("an html page should not match, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a plain 200 body is not a leak", func(t *testing.T) {
|
||||
for _, file := range []string{spring, appsettings, wpconfig} {
|
||||
if res := runAppCfgModule(t, file, 200, "ok"); len(res.Findings) > 0 {
|
||||
t.Errorf("%s: a plain 200 body should not match, got %d findings", file, len(res.Findings))
|
||||
}
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a 404 is not a leak", func(t *testing.T) {
|
||||
for _, file := range []string{spring, appsettings, wpconfig} {
|
||||
if res := runAppCfgModule(t, file, 404, "not found"); len(res.Findings) > 0 {
|
||||
t.Errorf("%s: a 404 should not match, got %d findings", file, len(res.Findings))
|
||||
}
|
||||
}
|
||||
})
|
||||
}
|
||||
@@ -0,0 +1,92 @@
|
||||
package modules_test
|
||||
|
||||
import (
|
||||
"context"
|
||||
"net/http"
|
||||
"net/http/httptest"
|
||||
"testing"
|
||||
"time"
|
||||
|
||||
"github.com/vmfunc/sif/internal/modules"
|
||||
)
|
||||
|
||||
func runArgocdModule(t *testing.T, status int, body string) *modules.Result {
|
||||
t.Helper()
|
||||
def, err := modules.ParseYAMLModule("../../modules/recon/argocd-api-exposure.yaml")
|
||||
if err != nil {
|
||||
t.Fatalf("parse argocd module: %v", err)
|
||||
}
|
||||
srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||
w.WriteHeader(status)
|
||||
_, _ = w.Write([]byte(body))
|
||||
}))
|
||||
defer srv.Close()
|
||||
|
||||
res, err := modules.ExecuteHTTPModule(context.Background(), srv.URL, def, modules.Options{
|
||||
Timeout: 5 * time.Second,
|
||||
Threads: 2,
|
||||
})
|
||||
if err != nil {
|
||||
t.Fatalf("execute argocd module: %v", err)
|
||||
}
|
||||
return res
|
||||
}
|
||||
|
||||
func argocdExtract(res *modules.Result, key string) string {
|
||||
for _, f := range res.Findings {
|
||||
if v := f.Extracted[key]; v != "" {
|
||||
return v
|
||||
}
|
||||
}
|
||||
return ""
|
||||
}
|
||||
|
||||
func TestArgocdExposureModule(t *testing.T) {
|
||||
argocdVersion := `{"Version":"v2.9.3+a1b2c3d","BuildDate":"2024-01-15T12:00:00Z","GitCommit":"a1b2c3d",` +
|
||||
`"GitTreeState":"clean","GoVersion":"go1.21.5","Compiler":"gc","Platform":"linux/amd64",` +
|
||||
`"KustomizeVersion":"v5.2.1 2023-10-19","HelmVersion":"v3.13.2+gadc03ef",` +
|
||||
`"KubectlVersion":"v0.26.11","JsonnetVersion":"v0.20.0"}`
|
||||
|
||||
t.Run("an exposed argocd version endpoint is flagged and versioned", func(t *testing.T) {
|
||||
res := runArgocdModule(t, 200, argocdVersion)
|
||||
if len(res.Findings) == 0 {
|
||||
t.Fatal("expected an argocd finding")
|
||||
}
|
||||
if v := argocdExtract(res, "argocd_version"); v != "v2.9.3+a1b2c3d" {
|
||||
t.Errorf("argocd_version=%q, want v2.9.3+a1b2c3d", v)
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("an argocd kustomize version without a helm version is not flagged", func(t *testing.T) {
|
||||
body := `{"Version":"v2.9.3","KustomizeVersion":"v5.2.1 2023-10-19"}`
|
||||
if res := runArgocdModule(t, 200, body); len(res.Findings) > 0 {
|
||||
t.Errorf("a kustomize version alone should not match argocd, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("an argocd helm version without a kustomize version is not flagged", func(t *testing.T) {
|
||||
body := `{"Version":"v2.9.3","HelmVersion":"v3.13.2+gadc03ef"}`
|
||||
if res := runArgocdModule(t, 200, body); len(res.Findings) > 0 {
|
||||
t.Errorf("a helm version alone should not match argocd, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a generic version endpoint is not argocd", func(t *testing.T) {
|
||||
body := `{"Version":"v1.0.0","GitCommit":"abc"}`
|
||||
if res := runArgocdModule(t, 200, body); len(res.Findings) > 0 {
|
||||
t.Errorf("a generic version json should not match argocd, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a plain 200 body is not a leak", func(t *testing.T) {
|
||||
if res := runArgocdModule(t, 200, "ok"); len(res.Findings) > 0 {
|
||||
t.Errorf("a plain 200 body should not match, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a 404 is not a leak", func(t *testing.T) {
|
||||
if res := runArgocdModule(t, 404, "not found"); len(res.Findings) > 0 {
|
||||
t.Errorf("a 404 should not match, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
}
|
||||
@@ -0,0 +1,148 @@
|
||||
/*
|
||||
·━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━·
|
||||
: :
|
||||
: █▀ █ █▀▀ · Blazing-fast pentesting suite :
|
||||
: ▄█ █ █▀ · BSD 3-Clause License :
|
||||
: :
|
||||
: (c) 2022-2026 vmfunc, xyzeva, :
|
||||
: lunchcat alumni & contributors :
|
||||
: :
|
||||
·━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━·
|
||||
*/
|
||||
|
||||
package modules
|
||||
|
||||
import (
|
||||
"context"
|
||||
"net/http"
|
||||
"net/http/httptest"
|
||||
"os"
|
||||
"path/filepath"
|
||||
"reflect"
|
||||
"sort"
|
||||
"sync"
|
||||
"testing"
|
||||
|
||||
"github.com/vmfunc/sif/internal/httpx"
|
||||
)
|
||||
|
||||
func reqURLs(reqs []*httpRequest) []string {
|
||||
urls := make([]string, len(reqs))
|
||||
for i, r := range reqs {
|
||||
urls[i] = r.URL
|
||||
}
|
||||
sort.Strings(urls)
|
||||
return urls
|
||||
}
|
||||
|
||||
func TestGenerateHTTPRequestsAttack(t *testing.T) {
|
||||
const target = "http://t"
|
||||
paths2 := []string{"{{BaseURL}}/a?x={{payload}}", "{{BaseURL}}/b?x={{payload}}"}
|
||||
pay2 := []string{"1", "2"}
|
||||
cross := []string{"http://t/a?x=1", "http://t/a?x=2", "http://t/b?x=1", "http://t/b?x=2"}
|
||||
paired := []string{"http://t/a?x=1", "http://t/b?x=2"}
|
||||
|
||||
tests := []struct {
|
||||
name string
|
||||
paths []string
|
||||
payloads []string
|
||||
attack string
|
||||
want []string
|
||||
}{
|
||||
{"clusterbomb default crosses all", paths2, pay2, "", cross},
|
||||
{"clusterbomb explicit crosses all", paths2, pay2, "clusterbomb", cross},
|
||||
{"pitchfork pairs by index", paths2, pay2, "pitchfork", paired},
|
||||
{"pitchfork stops at fewer payloads", append(paths2, "{{BaseURL}}/c?x={{payload}}"), pay2, "pitchfork", paired},
|
||||
{"pitchfork stops at fewer paths", paths2, []string{"1", "2", "3"}, "pitchfork", paired},
|
||||
{"attack is case insensitive", paths2, pay2, "Pitchfork", paired},
|
||||
{"no payloads ignores attack", []string{"{{BaseURL}}/a", "{{BaseURL}}/b"}, nil, "pitchfork", []string{"http://t/a", "http://t/b"}},
|
||||
}
|
||||
for _, tt := range tests {
|
||||
t.Run(tt.name, func(t *testing.T) {
|
||||
cfg := &HTTPConfig{Paths: tt.paths, Payloads: tt.payloads, Attack: tt.attack}
|
||||
reqs, err := generateHTTPRequests(target, cfg)
|
||||
if err != nil {
|
||||
t.Fatalf("generateHTTPRequests: %v", err)
|
||||
}
|
||||
got := reqURLs(reqs)
|
||||
want := append([]string(nil), tt.want...)
|
||||
sort.Strings(want)
|
||||
if !reflect.DeepEqual(got, want) {
|
||||
t.Errorf("attack %q:\n got %v\nwant %v", tt.attack, got, want)
|
||||
}
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
func TestValidateAttack(t *testing.T) {
|
||||
for _, ok := range []string{"", "clusterbomb", "pitchfork", "Pitchfork", "CLUSTERBOMB"} {
|
||||
if err := validateAttack(ok); err != nil {
|
||||
t.Errorf("validateAttack(%q) = %v, want nil", ok, err)
|
||||
}
|
||||
}
|
||||
for _, bad := range []string{"sniper", "batteringram", "bogus"} {
|
||||
if err := validateAttack(bad); err == nil {
|
||||
t.Errorf("validateAttack(%q) = nil, want error", bad)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
func TestParseAttackValidation(t *testing.T) {
|
||||
dir := t.TempDir()
|
||||
write := func(name, body string) string {
|
||||
p := filepath.Join(dir, name)
|
||||
if err := os.WriteFile(p, []byte(body), 0o644); err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
return p
|
||||
}
|
||||
|
||||
good := write("good.yaml", "id: ok\ntype: http\nhttp:\n attack: pitchfork\n paths: [\"{{BaseURL}}/\"]\n")
|
||||
if _, err := ParseYAMLModule(good); err != nil {
|
||||
t.Fatalf("valid attack rejected: %v", err)
|
||||
}
|
||||
|
||||
bad := write("bad.yaml", "id: bad\ntype: http\nhttp:\n attack: sniper\n paths: [\"{{BaseURL}}/\"]\n")
|
||||
if _, err := ParseYAMLModule(bad); err == nil {
|
||||
t.Fatal("invalid attack accepted")
|
||||
}
|
||||
}
|
||||
|
||||
// TestExecuteHTTPModulePitchfork drives the executor end to end and confirms
|
||||
// pitchfork only fires the index-paired requests, not the full cross product.
|
||||
func TestExecuteHTTPModulePitchfork(t *testing.T) {
|
||||
var mu sync.Mutex
|
||||
var hits []string
|
||||
srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||
mu.Lock()
|
||||
hits = append(hits, r.URL.Path+"?"+r.URL.RawQuery)
|
||||
mu.Unlock()
|
||||
_, _ = w.Write([]byte("ok"))
|
||||
}))
|
||||
defer srv.Close()
|
||||
|
||||
def := &YAMLModule{
|
||||
ID: "pf",
|
||||
Type: TypeHTTP,
|
||||
HTTP: &HTTPConfig{
|
||||
Attack: "pitchfork",
|
||||
Paths: []string{"{{BaseURL}}/a?x={{payload}}", "{{BaseURL}}/b?x={{payload}}"},
|
||||
Payloads: []string{"1", "2"},
|
||||
Matchers: []Matcher{{Type: "word", Part: "body", Words: []string{"ok"}}},
|
||||
},
|
||||
}
|
||||
|
||||
opts := Options{Timeout: testTimeout, Client: httpx.Client(testTimeout)}
|
||||
if _, err := ExecuteHTTPModule(context.Background(), srv.URL, def, opts); err != nil {
|
||||
t.Fatalf("ExecuteHTTPModule: %v", err)
|
||||
}
|
||||
|
||||
mu.Lock()
|
||||
got := append([]string(nil), hits...)
|
||||
mu.Unlock()
|
||||
sort.Strings(got)
|
||||
want := []string{"/a?x=1", "/b?x=2"}
|
||||
if !reflect.DeepEqual(got, want) {
|
||||
t.Errorf("pitchfork hit %v, want %v (clusterbomb would also hit /a?x=2 and /b?x=1)", got, want)
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,110 @@
|
||||
package modules_test
|
||||
|
||||
import (
|
||||
"context"
|
||||
"net/http"
|
||||
"net/http/httptest"
|
||||
"testing"
|
||||
"time"
|
||||
|
||||
"github.com/vmfunc/sif/internal/modules"
|
||||
)
|
||||
|
||||
func runAutomationModule(t *testing.T, file string, status int, body string) *modules.Result {
|
||||
t.Helper()
|
||||
def, err := modules.ParseYAMLModule(file)
|
||||
if err != nil {
|
||||
t.Fatalf("parse %s: %v", file, err)
|
||||
}
|
||||
srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||
w.WriteHeader(status)
|
||||
_, _ = w.Write([]byte(body))
|
||||
}))
|
||||
defer srv.Close()
|
||||
|
||||
res, err := modules.ExecuteHTTPModule(context.Background(), srv.URL, def, modules.Options{
|
||||
Timeout: 5 * time.Second,
|
||||
Threads: 2,
|
||||
})
|
||||
if err != nil {
|
||||
t.Fatalf("execute %s: %v", file, err)
|
||||
}
|
||||
return res
|
||||
}
|
||||
|
||||
func automationExtract(res *modules.Result, key string) string {
|
||||
for _, f := range res.Findings {
|
||||
if v := f.Extracted[key]; v != "" {
|
||||
return v
|
||||
}
|
||||
}
|
||||
return ""
|
||||
}
|
||||
|
||||
func TestAutomationServerExposureModules(t *testing.T) {
|
||||
const jenkins = "../../modules/recon/jenkins-api-exposure.yaml"
|
||||
const nifi = "../../modules/recon/nifi-api-exposure.yaml"
|
||||
|
||||
t.Run("a jenkins controller api is flagged with the first job", func(t *testing.T) {
|
||||
body := `{"_class":"hudson.model.Hudson","assignedLabels":[{}],"mode":"NORMAL","nodeDescription":` +
|
||||
`"the master Jenkins node","nodeName":"","numExecutors":2,"jobs":[{"_class":` +
|
||||
`"hudson.model.FreeStyleProject","name":"deploy-prod","url":"http://ci/job/deploy-prod/","color":"blue"}],` +
|
||||
`"useSecurity":true,"views":[{"_class":"hudson.model.AllView","name":"all","url":"http://ci/"}]}`
|
||||
res := runAutomationModule(t, jenkins, 200, body)
|
||||
if len(res.Findings) == 0 {
|
||||
t.Fatal("expected a jenkins finding")
|
||||
}
|
||||
if v := automationExtract(res, "jenkins_job"); v != "deploy-prod" {
|
||||
t.Errorf("jenkins_job=%q, want deploy-prod", v)
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a non-root jenkins object is not flagged as the controller", func(t *testing.T) {
|
||||
body := `{"_class":"hudson.model.FreeStyleProject","name":"deploy-prod","jobs":[],"color":"blue"}`
|
||||
if res := runAutomationModule(t, jenkins, 200, body); len(res.Findings) > 0 {
|
||||
t.Errorf("a FreeStyleProject object should not match the controller, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a hudson root without a jobs key is not flagged", func(t *testing.T) {
|
||||
if res := runAutomationModule(t, jenkins, 200, `{"_class":"hudson.model.Hudson","mode":"NORMAL"}`); len(res.Findings) > 0 {
|
||||
t.Errorf("a jobless controller blob should not match, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a nifi about is flagged with its version", func(t *testing.T) {
|
||||
body := `{"about":{"title":"NiFi","version":"1.28.1","uri":"https://nifi:8443/nifi-api/",` +
|
||||
`"contentViewerUrl":"../nifi-content-viewer/","timezone":"UTC","buildTag":"nifi-1.28.1-RC1",` +
|
||||
`"buildRevision":"abc123","buildBranch":"support/nifi-1.x","buildTimestamp":"06/01/2024 10:00:00 UTC"}}`
|
||||
res := runAutomationModule(t, nifi, 200, body)
|
||||
if len(res.Findings) == 0 {
|
||||
t.Fatal("expected a nifi finding")
|
||||
}
|
||||
if v := automationExtract(res, "nifi_version"); v != "1.28.1" {
|
||||
t.Errorf("nifi_version=%q, want 1.28.1", v)
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("an about block for another product is not flagged as nifi", func(t *testing.T) {
|
||||
if res := runAutomationModule(t, nifi, 200, `{"about":{"title":"SomeApp","version":"2.0.0"}}`); len(res.Findings) > 0 {
|
||||
t.Errorf("a non-nifi about block should not match, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a plain 200 body is not a leak", func(t *testing.T) {
|
||||
for _, file := range []string{jenkins, nifi} {
|
||||
if res := runAutomationModule(t, file, 200, "ok"); len(res.Findings) > 0 {
|
||||
t.Errorf("%s: a plain 200 body should not match, got %d findings", file, len(res.Findings))
|
||||
}
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a 403 or 401 is not a leak", func(t *testing.T) {
|
||||
if res := runAutomationModule(t, jenkins, 403, `{"_class":"hudson.model.Hudson","jobs":[]}`); len(res.Findings) > 0 {
|
||||
t.Errorf("a 403 jenkins should not match, got %d findings", len(res.Findings))
|
||||
}
|
||||
if res := runAutomationModule(t, nifi, 401, `{"about":{"title":"NiFi","version":"1.28.1"}}`); len(res.Findings) > 0 {
|
||||
t.Errorf("a 401 nifi should not match, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
}
|
||||
@@ -0,0 +1,156 @@
|
||||
package modules_test
|
||||
|
||||
import (
|
||||
"context"
|
||||
"net/http"
|
||||
"net/http/httptest"
|
||||
"testing"
|
||||
"time"
|
||||
|
||||
"github.com/vmfunc/sif/internal/modules"
|
||||
)
|
||||
|
||||
func runBigDataModule(t *testing.T, file string, status int, body string) *modules.Result {
|
||||
t.Helper()
|
||||
def, err := modules.ParseYAMLModule(file)
|
||||
if err != nil {
|
||||
t.Fatalf("parse %s: %v", file, err)
|
||||
}
|
||||
srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||
w.WriteHeader(status)
|
||||
_, _ = w.Write([]byte(body))
|
||||
}))
|
||||
defer srv.Close()
|
||||
|
||||
res, err := modules.ExecuteHTTPModule(context.Background(), srv.URL, def, modules.Options{
|
||||
Timeout: 5 * time.Second,
|
||||
Threads: 2,
|
||||
})
|
||||
if err != nil {
|
||||
t.Fatalf("execute %s: %v", file, err)
|
||||
}
|
||||
return res
|
||||
}
|
||||
|
||||
func bigDataExtract(res *modules.Result, key string) string {
|
||||
for _, f := range res.Findings {
|
||||
if v := f.Extracted[key]; v != "" {
|
||||
return v
|
||||
}
|
||||
}
|
||||
return ""
|
||||
}
|
||||
|
||||
func TestBigDataAPIExposureModules(t *testing.T) {
|
||||
const solr = "../../modules/recon/solr-api-exposure.yaml"
|
||||
const spark = "../../modules/recon/spark-api-exposure.yaml"
|
||||
const hadoop = "../../modules/recon/hadoop-yarn-api-exposure.yaml"
|
||||
|
||||
solrSystem := `{"responseHeader":{"status":0,"QTime":15},"mode":"std",` +
|
||||
`"solr_home":"/var/solr/data","lucene":{"solr-spec-version":"9.4.0",` +
|
||||
`"solr-impl-version":"9.4.0","lucene-spec-version":"9.8.0","lucene-impl-version":"9.8.0"},` +
|
||||
`"jvm":{"version":"17.0.9"}}`
|
||||
|
||||
sparkState := `{"url":"spark://master:7077","workers":[{"id":"worker-1","host":"10.0.0.5"}],` +
|
||||
`"aliveworkers":2,"cores":8,"coresused":0,"memory":15360,"activeapps":[],` +
|
||||
`"completedapps":[],"status":"ALIVE"}`
|
||||
|
||||
hadoopInfo := `{"clusterInfo":{"id":1700000000000,"startedOn":1700000000000,"state":"STARTED",` +
|
||||
`"haState":"ACTIVE","resourceManagerVersion":"3.3.6","resourceManagerBuildVersion":"3.3.6 from abc",` +
|
||||
`"hadoopVersion":"3.3.6","hadoopBuildVersion":"3.3.6 from abc","hadoopVersionBuiltOn":"2023-06-18"}}`
|
||||
|
||||
t.Run("an exposed solr admin api is flagged and versioned", func(t *testing.T) {
|
||||
res := runBigDataModule(t, solr, 200, solrSystem)
|
||||
if len(res.Findings) == 0 {
|
||||
t.Fatal("expected a solr finding")
|
||||
}
|
||||
if v := bigDataExtract(res, "solr_version"); v != "9.4.0" {
|
||||
t.Errorf("solr_version=%q, want 9.4.0", v)
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("an exposed spark master leaks its url", func(t *testing.T) {
|
||||
res := runBigDataModule(t, spark, 200, sparkState)
|
||||
if len(res.Findings) == 0 {
|
||||
t.Fatal("expected a spark finding")
|
||||
}
|
||||
if v := bigDataExtract(res, "spark_master_url"); v != "spark://master:7077" {
|
||||
t.Errorf("spark_master_url=%q, want spark://master:7077", v)
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("an exposed hadoop yarn api is flagged and versioned", func(t *testing.T) {
|
||||
res := runBigDataModule(t, hadoop, 200, hadoopInfo)
|
||||
if len(res.Findings) == 0 {
|
||||
t.Fatal("expected a hadoop finding")
|
||||
}
|
||||
if v := bigDataExtract(res, "hadoop_version"); v != "3.3.6" {
|
||||
t.Errorf("hadoop_version=%q, want 3.3.6", v)
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a solr spec version without a solr home is not solr", func(t *testing.T) {
|
||||
body := `{"lucene":{"solr-spec-version":"9.4.0"},"name":"otherservice"}`
|
||||
if res := runBigDataModule(t, solr, 200, body); len(res.Findings) > 0 {
|
||||
t.Errorf("spec version alone should not match solr, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a solr home without a spec version is not solr", func(t *testing.T) {
|
||||
body := `{"solr_home":"/var/solr/data","mode":"std"}`
|
||||
if res := runBigDataModule(t, solr, 200, body); len(res.Findings) > 0 {
|
||||
t.Errorf("solr home alone should not match solr, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a spark url without alive workers is not flagged", func(t *testing.T) {
|
||||
body := `{"url":"spark://master:7077","workers":[],"status":"ALIVE"}`
|
||||
if res := runBigDataModule(t, spark, 200, body); len(res.Findings) > 0 {
|
||||
t.Errorf("a spark url alone should not match, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("alive workers behind a non spark url is not flagged", func(t *testing.T) {
|
||||
body := `{"url":"http://internal:8080","aliveworkers":2}`
|
||||
if res := runBigDataModule(t, spark, 200, body); len(res.Findings) > 0 {
|
||||
t.Errorf("a non spark url should not match, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a cluster info without a resource manager version is not hadoop", func(t *testing.T) {
|
||||
body := `{"clusterInfo":{"id":1,"state":"STARTED","hadoopVersion":"3.3.6"}}`
|
||||
if res := runBigDataModule(t, hadoop, 200, body); len(res.Findings) > 0 {
|
||||
t.Errorf("cluster info alone should not match hadoop, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a resource manager version without a cluster info is not hadoop", func(t *testing.T) {
|
||||
body := `{"resourceManagerVersion":"3.3.6","app":"custom"}`
|
||||
if res := runBigDataModule(t, hadoop, 200, body); len(res.Findings) > 0 {
|
||||
t.Errorf("rm version alone should not match hadoop, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a generic json endpoint is not a spark master", func(t *testing.T) {
|
||||
body := `{"url":"http://app","workers":5,"name":"myservice"}`
|
||||
if res := runBigDataModule(t, spark, 200, body); len(res.Findings) > 0 {
|
||||
t.Errorf("a generic json should not match spark, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a plain 200 body is not a leak", func(t *testing.T) {
|
||||
for _, file := range []string{solr, spark, hadoop} {
|
||||
if res := runBigDataModule(t, file, 200, "ok"); len(res.Findings) > 0 {
|
||||
t.Errorf("%s: a plain 200 body should not match, got %d findings", file, len(res.Findings))
|
||||
}
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a 404 is not a leak", func(t *testing.T) {
|
||||
for _, file := range []string{solr, spark, hadoop} {
|
||||
if res := runBigDataModule(t, file, 404, "not found"); len(res.Findings) > 0 {
|
||||
t.Errorf("%s: a 404 should not match, got %d findings", file, len(res.Findings))
|
||||
}
|
||||
}
|
||||
})
|
||||
}
|
||||
@@ -0,0 +1,115 @@
|
||||
package modules_test
|
||||
|
||||
import (
|
||||
"context"
|
||||
"net/http"
|
||||
"net/http/httptest"
|
||||
"testing"
|
||||
"time"
|
||||
|
||||
"github.com/vmfunc/sif/internal/modules"
|
||||
)
|
||||
|
||||
func runGridModule(t *testing.T, file string, status int, body string) *modules.Result {
|
||||
t.Helper()
|
||||
def, err := modules.ParseYAMLModule(file)
|
||||
if err != nil {
|
||||
t.Fatalf("parse %s: %v", file, err)
|
||||
}
|
||||
srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||
w.WriteHeader(status)
|
||||
_, _ = w.Write([]byte(body))
|
||||
}))
|
||||
defer srv.Close()
|
||||
|
||||
res, err := modules.ExecuteHTTPModule(context.Background(), srv.URL, def, modules.Options{
|
||||
Timeout: 5 * time.Second,
|
||||
Threads: 2,
|
||||
})
|
||||
if err != nil {
|
||||
t.Fatalf("execute %s: %v", file, err)
|
||||
}
|
||||
return res
|
||||
}
|
||||
|
||||
func gridExtract(res *modules.Result, key string) string {
|
||||
for _, f := range res.Findings {
|
||||
if v := f.Extracted[key]; v != "" {
|
||||
return v
|
||||
}
|
||||
}
|
||||
return ""
|
||||
}
|
||||
|
||||
const seleniumStatusBody = `{"value":{"ready":true,"message":"Selenium Grid ready.","nodes":[` +
|
||||
`{"id":"028ca108-bfc4-430e-806c-6477b6b8569e","uri":"http://10.0.0.5:5555","maxSessions":1,` +
|
||||
`"osInfo":{"arch":"amd64","name":"Linux","version":"5.15.0"},"heartbeatPeriod":60000,` +
|
||||
`"availability":"UP","version":"4.18.1 (revision b1d3319b48)","slots":[{"lastStarted":` +
|
||||
`"2024-06-01T10:00:00Z","session":null,"id":{"hostId":"028ca108","id":"fdd41c10"},` +
|
||||
`"stereotype":{"browserName":"chrome","platformName":"LINUX"}}]}]}}`
|
||||
|
||||
const selenoidStatusBody = `{"total":80,"used":10,"queued":0,"pending":1,"browsers":{"chrome":` +
|
||||
`{"124.0":{"user1":{"count":1,"sessions":[{"id":"abc","container":"sel-abc"}]}}},"firefox":{"125.0":{}}}}`
|
||||
|
||||
func TestBrowserGridExposureModules(t *testing.T) {
|
||||
const selenium = "../../modules/recon/selenium-grid-exposure.yaml"
|
||||
const selenoid = "../../modules/recon/selenoid-exposure.yaml"
|
||||
|
||||
t.Run("a selenium grid status is flagged with a node version", func(t *testing.T) {
|
||||
res := runGridModule(t, selenium, 200, seleniumStatusBody)
|
||||
if len(res.Findings) == 0 {
|
||||
t.Fatal("expected a selenium finding")
|
||||
}
|
||||
if v := gridExtract(res, "selenium_version"); v != "4.18.1 (revision b1d3319b48)" {
|
||||
t.Errorf("selenium_version=%q, want the node build string", v)
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a value+nodes envelope without the selenium grid message is not flagged", func(t *testing.T) {
|
||||
body := `{"value":{"ready":true,"nodes":[{"id":"n1","name":"router"}]}}`
|
||||
if res := runGridModule(t, selenium, 200, body); len(res.Findings) > 0 {
|
||||
t.Errorf("a generic value/nodes blob should not match selenium, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a selenoid status is flagged with the first browser", func(t *testing.T) {
|
||||
res := runGridModule(t, selenoid, 200, selenoidStatusBody)
|
||||
if len(res.Findings) == 0 {
|
||||
t.Fatal("expected a selenoid finding")
|
||||
}
|
||||
if v := gridExtract(res, "selenoid_browser"); v != "chrome" {
|
||||
t.Errorf("selenoid_browser=%q, want chrome", v)
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a capacity blob without browsers is not flagged as selenoid", func(t *testing.T) {
|
||||
if res := runGridModule(t, selenoid, 200, `{"total":80,"used":10,"queued":0,"pending":1}`); len(res.Findings) > 0 {
|
||||
t.Errorf("a browserless capacity blob should not match selenoid, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("the two grid modules do not cross-match each other", func(t *testing.T) {
|
||||
if res := runGridModule(t, selenoid, 200, seleniumStatusBody); len(res.Findings) > 0 {
|
||||
t.Errorf("selenium status should not match selenoid, got %d findings", len(res.Findings))
|
||||
}
|
||||
if res := runGridModule(t, selenium, 200, selenoidStatusBody); len(res.Findings) > 0 {
|
||||
t.Errorf("selenoid status should not match selenium, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a plain 200 body is not a leak", func(t *testing.T) {
|
||||
for _, file := range []string{selenium, selenoid} {
|
||||
if res := runGridModule(t, file, 200, "ok"); len(res.Findings) > 0 {
|
||||
t.Errorf("%s: a plain 200 body should not match, got %d findings", file, len(res.Findings))
|
||||
}
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a 404 is not a leak", func(t *testing.T) {
|
||||
for _, file := range []string{selenium, selenoid} {
|
||||
if res := runGridModule(t, file, 404, "not found"); len(res.Findings) > 0 {
|
||||
t.Errorf("%s: a 404 should not match, got %d findings", file, len(res.Findings))
|
||||
}
|
||||
}
|
||||
})
|
||||
}
|
||||
@@ -0,0 +1,198 @@
|
||||
/*
|
||||
·━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━·
|
||||
: :
|
||||
: █▀ █ █▀▀ · Blazing-fast pentesting suite :
|
||||
: ▄█ █ █▀ · BSD 3-Clause License :
|
||||
: :
|
||||
: (c) 2022-2026 vmfunc, xyzeva, :
|
||||
: lunchcat alumni & contributors :
|
||||
: :
|
||||
·━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━·
|
||||
*/
|
||||
|
||||
package modules_test
|
||||
|
||||
import (
|
||||
"context"
|
||||
"net/http"
|
||||
"net/http/httptest"
|
||||
"testing"
|
||||
"time"
|
||||
|
||||
"github.com/vmfunc/sif/internal/modules"
|
||||
)
|
||||
|
||||
func runBuildCredModule(t *testing.T, file string, status int, body string) *modules.Result {
|
||||
t.Helper()
|
||||
def, err := modules.ParseYAMLModule(file)
|
||||
if err != nil {
|
||||
t.Fatalf("parse %s: %v", file, err)
|
||||
}
|
||||
srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||
w.WriteHeader(status)
|
||||
_, _ = w.Write([]byte(body))
|
||||
}))
|
||||
defer srv.Close()
|
||||
|
||||
res, err := modules.ExecuteHTTPModule(context.Background(), srv.URL, def, modules.Options{
|
||||
Timeout: 5 * time.Second,
|
||||
Threads: 2,
|
||||
})
|
||||
if err != nil {
|
||||
t.Fatalf("execute %s: %v", file, err)
|
||||
}
|
||||
return res
|
||||
}
|
||||
|
||||
func buildCredExtract(res *modules.Result, key string) string {
|
||||
for _, f := range res.Findings {
|
||||
if v := f.Extracted[key]; v != "" {
|
||||
return v
|
||||
}
|
||||
}
|
||||
return ""
|
||||
}
|
||||
|
||||
func TestBuildToolCredentialExposureModules(t *testing.T) {
|
||||
const maven = "../../modules/recon/maven-settings-exposure.yaml"
|
||||
const gradle = "../../modules/recon/gradle-properties-exposure.yaml"
|
||||
const nuget = "../../modules/recon/nuget-config-exposure.yaml"
|
||||
|
||||
mavenSettings := "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n" +
|
||||
"<settings xmlns=\"http://maven.apache.org/SETTINGS/1.0.0\">\n" +
|
||||
" <servers>\n <server>\n <id>nexus-releases</id>\n" +
|
||||
" <username>deploy</username>\n <password>S3cretDeployPass</password>\n" +
|
||||
" </server>\n </servers>\n</settings>\n"
|
||||
|
||||
gradleProps := "org.gradle.jvmargs=-Xmx2g\nossrhUsername=deployer\n" +
|
||||
"ossrhPassword=mySonatypeSecret\nsigning.password=mySigningSecret\n"
|
||||
|
||||
nugetConfig := "<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<configuration>\n" +
|
||||
" <packageSourceCredentials>\n <MyFeed>\n" +
|
||||
" <add key=\"Username\" value=\"deploy\" />\n" +
|
||||
" <add key=\"ClearTextPassword\" value=\"S3cretFeedPass\" />\n" +
|
||||
" </MyFeed>\n </packageSourceCredentials>\n</configuration>\n"
|
||||
|
||||
t.Run("an exposed maven settings leaks the server username", func(t *testing.T) {
|
||||
res := runBuildCredModule(t, maven, 200, mavenSettings)
|
||||
if len(res.Findings) == 0 {
|
||||
t.Fatal("expected a maven finding")
|
||||
}
|
||||
if v := buildCredExtract(res, "maven_username"); v != "deploy" {
|
||||
t.Errorf("maven_username=%q, want deploy", v)
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("an exposed gradle properties leaks the secret property", func(t *testing.T) {
|
||||
res := runBuildCredModule(t, gradle, 200, gradleProps)
|
||||
if len(res.Findings) == 0 {
|
||||
t.Fatal("expected a gradle finding")
|
||||
}
|
||||
if v := buildCredExtract(res, "gradle_secret_property"); v != "ossrhPassword" {
|
||||
t.Errorf("gradle_secret_property=%q, want ossrhPassword", v)
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("an exposed nuget config leaks the feed username", func(t *testing.T) {
|
||||
res := runBuildCredModule(t, nuget, 200, nugetConfig)
|
||||
if len(res.Findings) == 0 {
|
||||
t.Fatal("expected a nuget finding")
|
||||
}
|
||||
if v := buildCredExtract(res, "nuget_username"); v != "deploy" {
|
||||
t.Errorf("nuget_username=%q, want deploy", v)
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a maven settings with mirrors but no password is not flagged", func(t *testing.T) {
|
||||
body := "<settings>\n <mirrors>\n <mirror>\n <id>central</id>\n" +
|
||||
" <url>https://repo.example.com/maven2</url>\n </mirror>\n </mirrors>\n</settings>\n"
|
||||
if res := runBuildCredModule(t, maven, 200, body); len(res.Findings) > 0 {
|
||||
t.Errorf("a settings without a password should not match, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("an html page demonstrating a maven settings is not a leak", func(t *testing.T) {
|
||||
body := "<!DOCTYPE html><html><body><pre><settings><server><password>x</password></server></settings></pre></body></html>"
|
||||
if res := runBuildCredModule(t, maven, 200, body); len(res.Findings) > 0 {
|
||||
t.Errorf("an html maven tutorial should not match, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a gradle properties with no credential property is not flagged", func(t *testing.T) {
|
||||
body := "org.gradle.jvmargs=-Xmx2g\nversion=1.0.0\norg.gradle.daemon=true\n"
|
||||
if res := runBuildCredModule(t, gradle, 200, body); len(res.Findings) > 0 {
|
||||
t.Errorf("a non credential properties file should not match, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a comment naming a password is not a credential property", func(t *testing.T) {
|
||||
body := "# set your password=here before building\norg.gradle.daemon=true\n"
|
||||
if res := runBuildCredModule(t, gradle, 200, body); len(res.Findings) > 0 {
|
||||
t.Errorf("a comment line should not match, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("an empty password property is not flagged", func(t *testing.T) {
|
||||
body := "signing.password=\nsigning.keyId=24875D73\n"
|
||||
if res := runBuildCredModule(t, gradle, 200, body); len(res.Findings) > 0 {
|
||||
t.Errorf("an empty value should not match, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("an html page demonstrating a gradle property is not a leak", func(t *testing.T) {
|
||||
body := "<!DOCTYPE html>\n<html><body><pre>\nossrhPassword=mySonatypeSecret\n</pre></body></html>\n"
|
||||
if res := runBuildCredModule(t, gradle, 200, body); len(res.Findings) > 0 {
|
||||
t.Errorf("an html gradle tutorial should not match, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a nuget config without a credentials section is not flagged", func(t *testing.T) {
|
||||
body := "<configuration>\n <packageSources>\n" +
|
||||
" <add key=\"nuget.org\" value=\"https://api.nuget.org/v3/index.json\" />\n" +
|
||||
" </packageSources>\n</configuration>\n"
|
||||
if res := runBuildCredModule(t, nuget, 200, body); len(res.Findings) > 0 {
|
||||
t.Errorf("a config without credentials should not match, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a nuget credentials section without a password is not flagged", func(t *testing.T) {
|
||||
body := "<configuration>\n <packageSourceCredentials>\n <MyFeed>\n" +
|
||||
" <add key=\"Username\" value=\"deploy\" />\n" +
|
||||
" </MyFeed>\n </packageSourceCredentials>\n</configuration>\n"
|
||||
if res := runBuildCredModule(t, nuget, 200, body); len(res.Findings) > 0 {
|
||||
t.Errorf("a credentials section without a password should not match, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("an appsettings password is not a nuget feed credential", func(t *testing.T) {
|
||||
body := "<configuration>\n <appSettings>\n" +
|
||||
" <add key=\"Password\" value=\"appsecret\" />\n" +
|
||||
" </appSettings>\n</configuration>\n"
|
||||
if res := runBuildCredModule(t, nuget, 200, body); len(res.Findings) > 0 {
|
||||
t.Errorf("an appsettings password should not match, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("an html page demonstrating a nuget config is not a leak", func(t *testing.T) {
|
||||
body := "<!DOCTYPE html><html><body><pre><packageSourceCredentials><add key=\"ClearTextPassword\" value=\"x\" /></packageSourceCredentials></pre></body></html>"
|
||||
if res := runBuildCredModule(t, nuget, 200, body); len(res.Findings) > 0 {
|
||||
t.Errorf("an html nuget tutorial should not match, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a plain 200 body is not a leak", func(t *testing.T) {
|
||||
for _, file := range []string{maven, gradle, nuget} {
|
||||
if res := runBuildCredModule(t, file, 200, "ok"); len(res.Findings) > 0 {
|
||||
t.Errorf("%s: a plain 200 body should not match, got %d findings", file, len(res.Findings))
|
||||
}
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a 404 is not a leak", func(t *testing.T) {
|
||||
for _, file := range []string{maven, gradle, nuget} {
|
||||
if res := runBuildCredModule(t, file, 404, "not found"); len(res.Findings) > 0 {
|
||||
t.Errorf("%s: a 404 should not match, got %d findings", file, len(res.Findings))
|
||||
}
|
||||
}
|
||||
})
|
||||
}
|
||||
@@ -0,0 +1,120 @@
|
||||
package modules_test
|
||||
|
||||
import (
|
||||
"context"
|
||||
"net/http"
|
||||
"net/http/httptest"
|
||||
"testing"
|
||||
"time"
|
||||
|
||||
"github.com/vmfunc/sif/internal/modules"
|
||||
)
|
||||
|
||||
func runCICDModule(t *testing.T, file string, status int, body string) *modules.Result {
|
||||
t.Helper()
|
||||
def, err := modules.ParseYAMLModule(file)
|
||||
if err != nil {
|
||||
t.Fatalf("parse %s: %v", file, err)
|
||||
}
|
||||
srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||
w.WriteHeader(status)
|
||||
_, _ = w.Write([]byte(body))
|
||||
}))
|
||||
defer srv.Close()
|
||||
|
||||
res, err := modules.ExecuteHTTPModule(context.Background(), srv.URL, def, modules.Options{
|
||||
Timeout: 5 * time.Second,
|
||||
Threads: 2,
|
||||
})
|
||||
if err != nil {
|
||||
t.Fatalf("execute %s: %v", file, err)
|
||||
}
|
||||
return res
|
||||
}
|
||||
|
||||
func cicdExtract(res *modules.Result, key string) string {
|
||||
for _, f := range res.Findings {
|
||||
if v := f.Extracted[key]; v != "" {
|
||||
return v
|
||||
}
|
||||
}
|
||||
return ""
|
||||
}
|
||||
|
||||
func TestCICDServerExposureModules(t *testing.T) {
|
||||
const concourse = "../../modules/recon/concourse-info-exposure.yaml"
|
||||
const woodpecker = "../../modules/recon/woodpecker-version-exposure.yaml"
|
||||
const gocd = "../../modules/recon/gocd-version-exposure.yaml"
|
||||
|
||||
t.Run("a concourse info is flagged with its version", func(t *testing.T) {
|
||||
body := `{"version":"7.11.2","worker_version":"2.4","external_url":"https://ci.example.com","cluster_name":"prod"}`
|
||||
res := runCICDModule(t, concourse, 200, body)
|
||||
if len(res.Findings) == 0 {
|
||||
t.Fatal("expected a concourse finding")
|
||||
}
|
||||
if v := cicdExtract(res, "concourse_version"); v != "7.11.2" {
|
||||
t.Errorf("concourse_version=%q, want 7.11.2", v)
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("an info without worker_version is not flagged as concourse", func(t *testing.T) {
|
||||
body := `{"version":"1.0","external_url":"https://x"}`
|
||||
if res := runCICDModule(t, concourse, 200, body); len(res.Findings) > 0 {
|
||||
t.Errorf("a body without worker_version should not match concourse, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a woodpecker version is flagged with its version", func(t *testing.T) {
|
||||
body := `{"source":"https://github.com/woodpecker-ci/woodpecker","version":"2.1.0"}`
|
||||
res := runCICDModule(t, woodpecker, 200, body)
|
||||
if len(res.Findings) == 0 {
|
||||
t.Fatal("expected a woodpecker finding")
|
||||
}
|
||||
if v := cicdExtract(res, "woodpecker_version"); v != "2.1.0" {
|
||||
t.Errorf("woodpecker_version=%q, want 2.1.0", v)
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a drone version with the same shape is not flagged as woodpecker", func(t *testing.T) {
|
||||
body := `{"source":"https://github.com/harness/drone","version":"2.20.0"}`
|
||||
if res := runCICDModule(t, woodpecker, 200, body); len(res.Findings) > 0 {
|
||||
t.Errorf("a drone source should not match woodpecker, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a gocd version is flagged with its version", func(t *testing.T) {
|
||||
body := `{"_links":{"self":{"href":"https://ci/go/api/version"}},"version":"21.4.0",` +
|
||||
`"build_number":"13183","git_sha":"abc123","full_version":"21.4.0 (13183-abc123)",` +
|
||||
`"commit_url":"https://github.com/gocd/gocd/commit/abc123"}`
|
||||
res := runCICDModule(t, gocd, 200, body)
|
||||
if len(res.Findings) == 0 {
|
||||
t.Fatal("expected a gocd finding")
|
||||
}
|
||||
if v := cicdExtract(res, "gocd_version"); v != "21.4.0" {
|
||||
t.Errorf("gocd_version=%q, want 21.4.0", v)
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a version with a non-gocd commit url is not flagged as gocd", func(t *testing.T) {
|
||||
body := `{"version":"1.0","full_version":"1.0 (1-x)","commit_url":"https://github.com/other/repo/commit/x"}`
|
||||
if res := runCICDModule(t, gocd, 200, body); len(res.Findings) > 0 {
|
||||
t.Errorf("a non-gocd commit url should not match gocd, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a plain 200 body is not a leak", func(t *testing.T) {
|
||||
for _, file := range []string{concourse, woodpecker, gocd} {
|
||||
if res := runCICDModule(t, file, 200, "ok"); len(res.Findings) > 0 {
|
||||
t.Errorf("%s: a plain 200 body should not match, got %d findings", file, len(res.Findings))
|
||||
}
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a 404 is not a leak", func(t *testing.T) {
|
||||
for _, file := range []string{concourse, woodpecker, gocd} {
|
||||
if res := runCICDModule(t, file, 404, "not found"); len(res.Findings) > 0 {
|
||||
t.Errorf("%s: a 404 should not match, got %d findings", file, len(res.Findings))
|
||||
}
|
||||
}
|
||||
})
|
||||
}
|
||||
@@ -0,0 +1,205 @@
|
||||
package modules_test
|
||||
|
||||
import (
|
||||
"context"
|
||||
"net/http"
|
||||
"net/http/httptest"
|
||||
"testing"
|
||||
"time"
|
||||
|
||||
"github.com/vmfunc/sif/internal/modules"
|
||||
)
|
||||
|
||||
func runCMSCfgModule(t *testing.T, file string, status int, body string) *modules.Result {
|
||||
t.Helper()
|
||||
def, err := modules.ParseYAMLModule(file)
|
||||
if err != nil {
|
||||
t.Fatalf("parse %s: %v", file, err)
|
||||
}
|
||||
srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||
w.WriteHeader(status)
|
||||
_, _ = w.Write([]byte(body))
|
||||
}))
|
||||
defer srv.Close()
|
||||
|
||||
res, err := modules.ExecuteHTTPModule(context.Background(), srv.URL, def, modules.Options{
|
||||
Timeout: 5 * time.Second,
|
||||
Threads: 2,
|
||||
})
|
||||
if err != nil {
|
||||
t.Fatalf("execute %s: %v", file, err)
|
||||
}
|
||||
return res
|
||||
}
|
||||
|
||||
func cmsCfgExtract(res *modules.Result, key string) string {
|
||||
for _, f := range res.Findings {
|
||||
if v := f.Extracted[key]; v != "" {
|
||||
return v
|
||||
}
|
||||
}
|
||||
return ""
|
||||
}
|
||||
|
||||
func TestCMSConfigExposureModules(t *testing.T) {
|
||||
const joomla = "../../modules/recon/joomla-config-exposure.yaml"
|
||||
const drupal = "../../modules/recon/drupal-config-exposure.yaml"
|
||||
const magento = "../../modules/recon/magento-config-exposure.yaml"
|
||||
|
||||
joomlaConfig := "<?php\nclass JConfig {\n\tpublic $offline = '0';\n" +
|
||||
"\tpublic $host = 'localhost';\n\tpublic $user = 'joomla_user';\n" +
|
||||
"\tpublic $password = 'S3cretJoomlaPass';\n\tpublic $db = 'joomla_db';\n" +
|
||||
"\tpublic $dbprefix = 'jos_';\n\tpublic $secret = 'AbCdEfGhIjKlMnOp';\n}\n"
|
||||
|
||||
drupalConfig := "<?php\n$databases['default']['default'] = array (\n" +
|
||||
" 'database' => 'drupal_db',\n 'username' => 'drupal_user',\n" +
|
||||
" 'password' => 'S3cretDrupalPass',\n 'host' => 'localhost',\n" +
|
||||
" 'driver' => 'mysql',\n);\n$settings['hash_salt'] = 'longrandomhashsalt';\n"
|
||||
|
||||
magentoConfig := "<?php\nreturn [\n 'backend' => ['frontName' => 'admin_x7y'],\n" +
|
||||
" 'crypt' => ['key' => 'a1b2c3d4e5f6g7h8'],\n 'db' => [\n" +
|
||||
" 'connection' => ['default' => [\n 'host' => 'localhost',\n" +
|
||||
" 'dbname' => 'magento',\n 'username' => 'magento_user',\n" +
|
||||
" 'password' => 'S3cretMagentoPass',\n ]],\n ],\n 'MAGE_MODE' => 'production',\n];\n"
|
||||
|
||||
t.Run("an exposed joomla configuration leaks the password", func(t *testing.T) {
|
||||
res := runCMSCfgModule(t, joomla, 200, joomlaConfig)
|
||||
if len(res.Findings) == 0 {
|
||||
t.Fatal("expected a joomla finding")
|
||||
}
|
||||
if v := cmsCfgExtract(res, "joomla_password"); v != "S3cretJoomlaPass" {
|
||||
t.Errorf("joomla_password=%q, want S3cretJoomlaPass", v)
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("an exposed drupal settings leaks the password", func(t *testing.T) {
|
||||
res := runCMSCfgModule(t, drupal, 200, drupalConfig)
|
||||
if len(res.Findings) == 0 {
|
||||
t.Fatal("expected a drupal finding")
|
||||
}
|
||||
if v := cmsCfgExtract(res, "drupal_password"); v != "S3cretDrupalPass" {
|
||||
t.Errorf("drupal_password=%q, want S3cretDrupalPass", v)
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("an exposed magento env leaks the crypt key", func(t *testing.T) {
|
||||
res := runCMSCfgModule(t, magento, 200, magentoConfig)
|
||||
if len(res.Findings) == 0 {
|
||||
t.Fatal("expected a magento finding")
|
||||
}
|
||||
if v := cmsCfgExtract(res, "magento_crypt_key"); v != "a1b2c3d4e5f6g7h8" {
|
||||
t.Errorf("magento_crypt_key=%q, want a1b2c3d4e5f6g7h8", v)
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a joomla config missing the password is not flagged", func(t *testing.T) {
|
||||
body := "<?php\nclass JConfig {\n\tpublic $host = 'localhost';\n" +
|
||||
"\tpublic $db = 'joomla_db';\n\tpublic $dbprefix = 'jos_';\n}\n"
|
||||
if res := runCMSCfgModule(t, joomla, 200, body); len(res.Findings) > 0 {
|
||||
t.Errorf("a config without a password should not match, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a php class with a public password but no jconfig is not joomla", func(t *testing.T) {
|
||||
body := "<?php\nclass MyAuth {\n\tpublic $password = 'changeme';\n" +
|
||||
"\tpublic $username = 'admin';\n}\n"
|
||||
if res := runCMSCfgModule(t, joomla, 200, body); len(res.Findings) > 0 {
|
||||
t.Errorf("a generic class should not match joomla, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a php array with a password but no databases is not drupal", func(t *testing.T) {
|
||||
body := "<?php\n$config = array('password' => 'x', 'host' => 'y');\n"
|
||||
if res := runCMSCfgModule(t, drupal, 200, body); len(res.Findings) > 0 {
|
||||
t.Errorf("a generic array should not match drupal, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a drupal databases array without a password is not flagged", func(t *testing.T) {
|
||||
body := "<?php\n$databases['default']['default'] = array (\n" +
|
||||
" 'database' => 'drupal_db',\n 'host' => 'localhost',\n 'driver' => 'mysql',\n);\n"
|
||||
if res := runCMSCfgModule(t, drupal, 200, body); len(res.Findings) > 0 {
|
||||
t.Errorf("a databases array without a password should not match, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a php return array with a password but no magento markers is not flagged", func(t *testing.T) {
|
||||
body := "<?php\nreturn ['db' => ['password' => 'secret', 'host' => 'localhost']];\n"
|
||||
if res := runCMSCfgModule(t, magento, 200, body); len(res.Findings) > 0 {
|
||||
t.Errorf("a generic return array should not match magento, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a magento config without a credential is not flagged", func(t *testing.T) {
|
||||
body := "<?php\nreturn ['MAGE_MODE' => 'production', 'db' => ['host' => 'localhost']];\n"
|
||||
if res := runCMSCfgModule(t, magento, 200, body); len(res.Findings) > 0 {
|
||||
t.Errorf("a magento config without a credential should not match, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("an html page demonstrating a joomla config is not a leak", func(t *testing.T) {
|
||||
body := "<!DOCTYPE html><html><body><pre>class JConfig { public $password = 'x'; public $db = 'y'; }</pre></body></html>"
|
||||
if res := runCMSCfgModule(t, joomla, 200, body); len(res.Findings) > 0 {
|
||||
t.Errorf("an html joomla tutorial should not match, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a drupal settings using env indirection is not a literal password leak", func(t *testing.T) {
|
||||
body := "<?php\n$databases['default']['default'] = array (\n" +
|
||||
" 'database' => 'drupal_db',\n 'username' => 'drupal_user',\n" +
|
||||
" 'password' => getenv('DB_PASS'),\n 'host' => 'localhost',\n);\n"
|
||||
if res := runCMSCfgModule(t, drupal, 200, body); len(res.Findings) > 0 {
|
||||
t.Errorf("env indirection should not match, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a magento env with a cloud placeholder key is not a literal leak", func(t *testing.T) {
|
||||
body := "<?php\nreturn ['crypt' => ['key' => '#env.CRYPT_KEY#'], 'MAGE_MODE' => 'production'];\n"
|
||||
if res := runCMSCfgModule(t, magento, 200, body); len(res.Findings) > 0 {
|
||||
t.Errorf("a cloud placeholder should not match, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a magento env with a placeholder key but a literal password is flagged not mis-extracted", func(t *testing.T) {
|
||||
body := "<?php\nreturn ['crypt' => ['key' => '#env.CRYPT_KEY#'],\n" +
|
||||
" 'db' => ['connection' => ['default' => ['password' => 'RealDbPass']]],\n" +
|
||||
" 'MAGE_MODE' => 'production'];\n"
|
||||
res := runCMSCfgModule(t, magento, 200, body)
|
||||
if len(res.Findings) == 0 {
|
||||
t.Fatal("expected a magento finding on the literal password")
|
||||
}
|
||||
if v := cmsCfgExtract(res, "magento_crypt_key"); v == "#env.CRYPT_KEY#" {
|
||||
t.Errorf("extractor surfaced the placeholder %q as the crypt key", v)
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("an html page demonstrating a drupal config is not a leak", func(t *testing.T) {
|
||||
body := "<!DOCTYPE html><html><body><pre>$databases['default']['default'] = array('password' => 'x');</pre></body></html>"
|
||||
if res := runCMSCfgModule(t, drupal, 200, body); len(res.Findings) > 0 {
|
||||
t.Errorf("an html drupal tutorial should not match, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("an html page demonstrating a magento config is not a leak", func(t *testing.T) {
|
||||
body := "<!DOCTYPE html><html><body><pre>'crypt' => ['key' => 'x'], 'MAGE_MODE' => 'production'</pre></body></html>"
|
||||
if res := runCMSCfgModule(t, magento, 200, body); len(res.Findings) > 0 {
|
||||
t.Errorf("an html magento tutorial should not match, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a plain 200 body is not a leak", func(t *testing.T) {
|
||||
for _, file := range []string{joomla, drupal, magento} {
|
||||
if res := runCMSCfgModule(t, file, 200, "ok"); len(res.Findings) > 0 {
|
||||
t.Errorf("%s: a plain 200 body should not match, got %d findings", file, len(res.Findings))
|
||||
}
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a 404 is not a leak", func(t *testing.T) {
|
||||
for _, file := range []string{joomla, drupal, magento} {
|
||||
if res := runCMSCfgModule(t, file, 404, "not found"); len(res.Findings) > 0 {
|
||||
t.Errorf("%s: a 404 should not match, got %d findings", file, len(res.Findings))
|
||||
}
|
||||
}
|
||||
})
|
||||
}
|
||||
@@ -0,0 +1,113 @@
|
||||
package modules_test
|
||||
|
||||
import (
|
||||
"context"
|
||||
"net/http"
|
||||
"net/http/httptest"
|
||||
"testing"
|
||||
"time"
|
||||
|
||||
"github.com/vmfunc/sif/internal/modules"
|
||||
)
|
||||
|
||||
func runCredModule(t *testing.T, file string, status int, body string) *modules.Result {
|
||||
t.Helper()
|
||||
def, err := modules.ParseYAMLModule(file)
|
||||
if err != nil {
|
||||
t.Fatalf("parse %s: %v", file, err)
|
||||
}
|
||||
srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||
w.WriteHeader(status)
|
||||
_, _ = w.Write([]byte(body))
|
||||
}))
|
||||
defer srv.Close()
|
||||
|
||||
res, err := modules.ExecuteHTTPModule(context.Background(), srv.URL, def, modules.Options{
|
||||
Timeout: 5 * time.Second,
|
||||
Threads: 2,
|
||||
})
|
||||
if err != nil {
|
||||
t.Fatalf("execute %s: %v", file, err)
|
||||
}
|
||||
return res
|
||||
}
|
||||
|
||||
func credExtract(res *modules.Result, key string) string {
|
||||
for _, f := range res.Findings {
|
||||
if v := f.Extracted[key]; v != "" {
|
||||
return v
|
||||
}
|
||||
}
|
||||
return ""
|
||||
}
|
||||
|
||||
func TestCredentialExposureModules(t *testing.T) {
|
||||
const aws = "../../modules/recon/aws-credentials-exposure.yaml"
|
||||
const npmrc = "../../modules/recon/npmrc-exposure.yaml"
|
||||
const docker = "../../modules/recon/docker-config-exposure.yaml"
|
||||
|
||||
t.Run("aws credentials leak the access key id", func(t *testing.T) {
|
||||
body := "[default]\naws_access_key_id = AKIAIOSFODNN7EXAMPLE\n" +
|
||||
"aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
|
||||
res := runCredModule(t, aws, 200, body)
|
||||
if len(res.Findings) == 0 {
|
||||
t.Fatal("expected an aws credentials finding")
|
||||
}
|
||||
if v := credExtract(res, "aws_access_key_id"); v != "AKIAIOSFODNN7EXAMPLE" {
|
||||
t.Errorf("aws_access_key_id=%q, want AKIAIOSFODNN7EXAMPLE", v)
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("npmrc leaks the registry of an auth token", func(t *testing.T) {
|
||||
body := "//registry.npmjs.org/:_authToken=npm_AbCdEf0123456789AbCdEf0123456789\n"
|
||||
res := runCredModule(t, npmrc, 200, body)
|
||||
if len(res.Findings) == 0 {
|
||||
t.Fatal("expected an npmrc finding")
|
||||
}
|
||||
if v := credExtract(res, "npm_registry"); v != "registry.npmjs.org" {
|
||||
t.Errorf("npm_registry=%q, want registry.npmjs.org", v)
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("docker config leaks the registry host", func(t *testing.T) {
|
||||
body := `{"auths":{"registry.example.com":{"auth":"dXNlcm5hbWU6c3VwZXJzZWNyZXRwYXNz"}}}`
|
||||
res := runCredModule(t, docker, 200, body)
|
||||
if len(res.Findings) == 0 {
|
||||
t.Fatal("expected a docker config finding")
|
||||
}
|
||||
if v := credExtract(res, "docker_registry"); v != "registry.example.com" {
|
||||
t.Errorf("docker_registry=%q, want registry.example.com", v)
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("html page mentioning the key name is not a leak", func(t *testing.T) {
|
||||
body := `<html><head><title>Docs</title></head><body>` +
|
||||
`set your aws_secret_access_key in ~/.aws/credentials</body></html>`
|
||||
if res := runCredModule(t, aws, 200, body); len(res.Findings) > 0 {
|
||||
t.Errorf("an html doc mentioning the key should not match, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a 404 is not a leak", func(t *testing.T) {
|
||||
for _, file := range []string{aws, npmrc, docker} {
|
||||
if res := runCredModule(t, file, 404, "not found"); len(res.Findings) > 0 {
|
||||
t.Errorf("%s: a 404 should not match, got %d findings", file, len(res.Findings))
|
||||
}
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a plain 200 body is not a leak", func(t *testing.T) {
|
||||
for _, file := range []string{aws, npmrc, docker} {
|
||||
if res := runCredModule(t, file, 200, "nothing to see here"); len(res.Findings) > 0 {
|
||||
t.Errorf("%s: a plain 200 body should not match, got %d findings", file, len(res.Findings))
|
||||
}
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a docker auth field holding a jwt is not a leak", func(t *testing.T) {
|
||||
body := `{"token":"x","auth":"eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjMifQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c"}`
|
||||
if res := runCredModule(t, docker, 200, body); len(res.Findings) > 0 {
|
||||
t.Errorf("a jwt in an auth field should not match, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
}
|
||||
@@ -0,0 +1,99 @@
|
||||
package modules_test
|
||||
|
||||
import (
|
||||
"context"
|
||||
"net/http"
|
||||
"net/http/httptest"
|
||||
"testing"
|
||||
"time"
|
||||
|
||||
"github.com/vmfunc/sif/internal/modules"
|
||||
)
|
||||
|
||||
func runDataOrchModule(t *testing.T, file string, status int, body string) *modules.Result {
|
||||
t.Helper()
|
||||
def, err := modules.ParseYAMLModule(file)
|
||||
if err != nil {
|
||||
t.Fatalf("parse %s: %v", file, err)
|
||||
}
|
||||
srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||
w.WriteHeader(status)
|
||||
_, _ = w.Write([]byte(body))
|
||||
}))
|
||||
defer srv.Close()
|
||||
|
||||
res, err := modules.ExecuteHTTPModule(context.Background(), srv.URL, def, modules.Options{
|
||||
Timeout: 5 * time.Second,
|
||||
Threads: 2,
|
||||
})
|
||||
if err != nil {
|
||||
t.Fatalf("execute %s: %v", file, err)
|
||||
}
|
||||
return res
|
||||
}
|
||||
|
||||
func dataOrchExtract(res *modules.Result, key string) string {
|
||||
for _, f := range res.Findings {
|
||||
if v := f.Extracted[key]; v != "" {
|
||||
return v
|
||||
}
|
||||
}
|
||||
return ""
|
||||
}
|
||||
|
||||
func TestDataOrchestrationExposureModules(t *testing.T) {
|
||||
const dagster = "../../modules/recon/dagster-webserver-exposure.yaml"
|
||||
const mage = "../../modules/recon/mage-status-exposure.yaml"
|
||||
|
||||
t.Run("a dagster server_info is flagged with its version", func(t *testing.T) {
|
||||
body := `{"dagster_webserver_version":"1.7.0","dagster_version":"1.7.0","dagster_graphql_version":"1.7.0"}`
|
||||
res := runDataOrchModule(t, dagster, 200, body)
|
||||
if len(res.Findings) == 0 {
|
||||
t.Fatal("expected a dagster finding")
|
||||
}
|
||||
if v := dataOrchExtract(res, "dagster_version"); v != "1.7.0" {
|
||||
t.Errorf("dagster_version=%q, want 1.7.0", v)
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a bare core-version body is not flagged as dagster", func(t *testing.T) {
|
||||
if res := runDataOrchModule(t, dagster, 200, `{"dagster_version":"1.7.0"}`); len(res.Findings) > 0 {
|
||||
t.Errorf("a body without dagster_webserver_version should not match, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a mage status is flagged with its repo path", func(t *testing.T) {
|
||||
body := `{"statuses":[{"is_instance_manager":false,"repo_path":"/home/src/default_repo",` +
|
||||
`"repo_path_relative":"default_repo","scheduler_status":"running","project_type":"standalone",` +
|
||||
`"project_uuid":"abc-123"}]}`
|
||||
res := runDataOrchModule(t, mage, 200, body)
|
||||
if len(res.Findings) == 0 {
|
||||
t.Fatal("expected a mage finding")
|
||||
}
|
||||
if v := dataOrchExtract(res, "mage_repo_path"); v != "/home/src/default_repo" {
|
||||
t.Errorf("mage_repo_path=%q, want /home/src/default_repo", v)
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a statuses collection without scheduler fields is not flagged as mage", func(t *testing.T) {
|
||||
if res := runDataOrchModule(t, mage, 200, `{"statuses":[{"id":1,"name":"ok"}]}`); len(res.Findings) > 0 {
|
||||
t.Errorf("a generic statuses array should not match mage, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a plain 200 body is not a leak", func(t *testing.T) {
|
||||
for _, file := range []string{dagster, mage} {
|
||||
if res := runDataOrchModule(t, file, 200, "ok"); len(res.Findings) > 0 {
|
||||
t.Errorf("%s: a plain 200 body should not match, got %d findings", file, len(res.Findings))
|
||||
}
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a 404 is not a leak", func(t *testing.T) {
|
||||
for _, file := range []string{dagster, mage} {
|
||||
if res := runDataOrchModule(t, file, 404, "not found"); len(res.Findings) > 0 {
|
||||
t.Errorf("%s: a 404 should not match, got %d findings", file, len(res.Findings))
|
||||
}
|
||||
}
|
||||
})
|
||||
}
|
||||
@@ -0,0 +1,151 @@
|
||||
package modules_test
|
||||
|
||||
import (
|
||||
"context"
|
||||
"net/http"
|
||||
"net/http/httptest"
|
||||
"testing"
|
||||
"time"
|
||||
|
||||
"github.com/vmfunc/sif/internal/modules"
|
||||
)
|
||||
|
||||
func runPipelineModule(t *testing.T, file string, status int, body string) *modules.Result {
|
||||
t.Helper()
|
||||
def, err := modules.ParseYAMLModule(file)
|
||||
if err != nil {
|
||||
t.Fatalf("parse %s: %v", file, err)
|
||||
}
|
||||
srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||
w.WriteHeader(status)
|
||||
_, _ = w.Write([]byte(body))
|
||||
}))
|
||||
defer srv.Close()
|
||||
|
||||
res, err := modules.ExecuteHTTPModule(context.Background(), srv.URL, def, modules.Options{
|
||||
Timeout: 5 * time.Second,
|
||||
Threads: 2,
|
||||
})
|
||||
if err != nil {
|
||||
t.Fatalf("execute %s: %v", file, err)
|
||||
}
|
||||
return res
|
||||
}
|
||||
|
||||
func pipelineExtract(res *modules.Result, key string) string {
|
||||
for _, f := range res.Findings {
|
||||
if v := f.Extracted[key]; v != "" {
|
||||
return v
|
||||
}
|
||||
}
|
||||
return ""
|
||||
}
|
||||
|
||||
func TestDataPipelineAPIExposureModules(t *testing.T) {
|
||||
const airflow = "../../modules/recon/airflow-api-exposure.yaml"
|
||||
const flink = "../../modules/recon/flink-api-exposure.yaml"
|
||||
const kafka = "../../modules/recon/kafka-connect-api-exposure.yaml"
|
||||
|
||||
airflowHealth := `{"metadatabase":{"status":"healthy"},"scheduler":{"status":"healthy",` +
|
||||
`"latest_scheduler_heartbeat":"2023-09-13T09:35:49.123456+00:00"}}`
|
||||
|
||||
flinkOverview := `{"taskmanagers":1,"slots-total":4,"slots-available":4,"jobs-running":0,` +
|
||||
`"jobs-finished":2,"jobs-cancelled":0,"jobs-failed":0,"flink-version":"1.17.1","flink-commit":"2750d5c"}`
|
||||
|
||||
kafkaConnect := `{"version":"3.5.0","commit":"c97b88d5db4de28d","kafka_cluster_id":"M_oad8FjQ1eMShri6_jjQg"}`
|
||||
|
||||
t.Run("an exposed airflow health endpoint is flagged", func(t *testing.T) {
|
||||
res := runPipelineModule(t, airflow, 200, airflowHealth)
|
||||
if len(res.Findings) == 0 {
|
||||
t.Fatal("expected an airflow finding")
|
||||
}
|
||||
if v := pipelineExtract(res, "airflow_scheduler_heartbeat"); v != "2023-09-13T09:35:49.123456+00:00" {
|
||||
t.Errorf("airflow_scheduler_heartbeat=%q, want the heartbeat timestamp", v)
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("an exposed flink dashboard is flagged and versioned", func(t *testing.T) {
|
||||
res := runPipelineModule(t, flink, 200, flinkOverview)
|
||||
if len(res.Findings) == 0 {
|
||||
t.Fatal("expected a flink finding")
|
||||
}
|
||||
if v := pipelineExtract(res, "flink_version"); v != "1.17.1" {
|
||||
t.Errorf("flink_version=%q, want 1.17.1", v)
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("an exposed kafka connect api is flagged and versioned", func(t *testing.T) {
|
||||
res := runPipelineModule(t, kafka, 200, kafkaConnect)
|
||||
if len(res.Findings) == 0 {
|
||||
t.Fatal("expected a kafka connect finding")
|
||||
}
|
||||
if v := pipelineExtract(res, "kafka_version"); v != "3.5.0" {
|
||||
t.Errorf("kafka_version=%q, want 3.5.0", v)
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("an airflow metadatabase without a scheduler is not flagged", func(t *testing.T) {
|
||||
body := `{"metadatabase":{"status":"healthy"}}`
|
||||
if res := runPipelineModule(t, airflow, 200, body); len(res.Findings) > 0 {
|
||||
t.Errorf("metadatabase alone should not match airflow, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("an airflow scheduler without a metadatabase is not flagged", func(t *testing.T) {
|
||||
body := `{"scheduler":{"status":"healthy","latest_scheduler_heartbeat":"2023-09-13T09:35:49.123456+00:00"}}`
|
||||
if res := runPipelineModule(t, airflow, 200, body); len(res.Findings) > 0 {
|
||||
t.Errorf("scheduler alone should not match airflow, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a flink version without a slot total is not flagged", func(t *testing.T) {
|
||||
body := `{"flink-version":"1.17.1","taskmanagers":1}`
|
||||
if res := runPipelineModule(t, flink, 200, body); len(res.Findings) > 0 {
|
||||
t.Errorf("flink version alone should not match flink, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a slot total without a flink version is not flagged", func(t *testing.T) {
|
||||
body := `{"slots-total":4,"jobs-running":0}`
|
||||
if res := runPipelineModule(t, flink, 200, body); len(res.Findings) > 0 {
|
||||
t.Errorf("a slot total alone should not match flink, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a kafka cluster id without a version is not flagged", func(t *testing.T) {
|
||||
body := `{"kafka_cluster_id":"M_oad8FjQ1eMShri6_jjQg","commit":"abc"}`
|
||||
if res := runPipelineModule(t, kafka, 200, body); len(res.Findings) > 0 {
|
||||
t.Errorf("a cluster id alone should not match kafka connect, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a version without a kafka cluster id is not flagged", func(t *testing.T) {
|
||||
body := `{"version":"3.5.0","name":"someservice"}`
|
||||
if res := runPipelineModule(t, kafka, 200, body); len(res.Findings) > 0 {
|
||||
t.Errorf("a version alone should not match kafka connect, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a generic health json is not airflow", func(t *testing.T) {
|
||||
body := `{"status":"UP","components":{"db":{"status":"UP"}}}`
|
||||
if res := runPipelineModule(t, airflow, 200, body); len(res.Findings) > 0 {
|
||||
t.Errorf("a generic health should not match airflow, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a plain 200 body is not a leak", func(t *testing.T) {
|
||||
for _, file := range []string{airflow, flink, kafka} {
|
||||
if res := runPipelineModule(t, file, 200, "ok"); len(res.Findings) > 0 {
|
||||
t.Errorf("%s: a plain 200 body should not match, got %d findings", file, len(res.Findings))
|
||||
}
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a 404 is not a leak", func(t *testing.T) {
|
||||
for _, file := range []string{airflow, flink, kafka} {
|
||||
if res := runPipelineModule(t, file, 404, "not found"); len(res.Findings) > 0 {
|
||||
t.Errorf("%s: a 404 should not match, got %d findings", file, len(res.Findings))
|
||||
}
|
||||
}
|
||||
})
|
||||
}
|
||||
@@ -0,0 +1,166 @@
|
||||
package modules_test
|
||||
|
||||
import (
|
||||
"context"
|
||||
"net/http"
|
||||
"net/http/httptest"
|
||||
"strings"
|
||||
"testing"
|
||||
"time"
|
||||
|
||||
"github.com/vmfunc/sif/internal/modules"
|
||||
)
|
||||
|
||||
func runDBFileModule(t *testing.T, file string, status int, body string) *modules.Result {
|
||||
t.Helper()
|
||||
def, err := modules.ParseYAMLModule(file)
|
||||
if err != nil {
|
||||
t.Fatalf("parse %s: %v", file, err)
|
||||
}
|
||||
srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||
w.WriteHeader(status)
|
||||
_, _ = w.Write([]byte(body))
|
||||
}))
|
||||
defer srv.Close()
|
||||
|
||||
res, err := modules.ExecuteHTTPModule(context.Background(), srv.URL, def, modules.Options{
|
||||
Timeout: 5 * time.Second,
|
||||
Threads: 2,
|
||||
})
|
||||
if err != nil {
|
||||
t.Fatalf("execute %s: %v", file, err)
|
||||
}
|
||||
return res
|
||||
}
|
||||
|
||||
func dbFileExtract(res *modules.Result, key string) string {
|
||||
for _, f := range res.Findings {
|
||||
if v := f.Extracted[key]; v != "" {
|
||||
return v
|
||||
}
|
||||
}
|
||||
return ""
|
||||
}
|
||||
|
||||
func TestDatabaseFileExposureModules(t *testing.T) {
|
||||
const sqlDump = "../../modules/recon/sql-dump-exposure.yaml"
|
||||
const sqlite = "../../modules/recon/sqlite-database-exposure.yaml"
|
||||
const redis = "../../modules/recon/redis-dump-exposure.yaml"
|
||||
|
||||
mysqldump := "-- MySQL dump 10.13 Distrib 8.0.32, for Linux (x86_64)\n--\n" +
|
||||
"-- Host: localhost Database: appdb\n--\n-- Server version\t8.0.32\n\n" +
|
||||
"DROP TABLE IF EXISTS `users`;\nCREATE TABLE `users` (\n" +
|
||||
" `id` int NOT NULL AUTO_INCREMENT,\n `email` varchar(255) DEFAULT NULL,\n" +
|
||||
" PRIMARY KEY (`id`)\n) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4;\n" +
|
||||
"INSERT INTO `users` VALUES (1,'admin@x.com');\n"
|
||||
|
||||
pgdump := "--\n-- PostgreSQL database dump\n--\n\nSET statement_timeout = 0;\n" +
|
||||
"CREATE TABLE public.accounts (\n id integer NOT NULL,\n email text\n);\n" +
|
||||
"COPY public.accounts (id, email) FROM stdin;\n1\tadmin@x.com\n\\.\n"
|
||||
|
||||
sqliteFile := "SQLite format 3\x00" + strings.Repeat("\x00", 84) +
|
||||
"\x05\x00CREATE TABLE users(id INTEGER PRIMARY KEY, email TEXT, password TEXT)\x00"
|
||||
|
||||
redisDump := "REDIS0011\xfa\x09redis-ver\x055.0.7\xfa\x0aredis-bits\xc0@\xfe\x00\xfb\x02\x00" +
|
||||
"\x03key\x05value\xff\x00\x00\x00\x00\x00\x00\x00\x00"
|
||||
|
||||
t.Run("a mysqldump leaks the dumped table", func(t *testing.T) {
|
||||
res := runDBFileModule(t, sqlDump, 200, mysqldump)
|
||||
if len(res.Findings) == 0 {
|
||||
t.Fatal("expected a sql dump finding")
|
||||
}
|
||||
if v := dbFileExtract(res, "dump_table"); v != "users" {
|
||||
t.Errorf("dump_table=%q, want users", v)
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a postgresql dump also matches and names its table", func(t *testing.T) {
|
||||
res := runDBFileModule(t, sqlDump, 200, pgdump)
|
||||
if len(res.Findings) == 0 {
|
||||
t.Fatal("expected a sql dump finding for pg_dump")
|
||||
}
|
||||
if v := dbFileExtract(res, "dump_table"); v != "accounts" {
|
||||
t.Errorf("dump_table=%q, want accounts", v)
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a sqlite database file leaks its schema table", func(t *testing.T) {
|
||||
res := runDBFileModule(t, sqlite, 200, sqliteFile)
|
||||
if len(res.Findings) == 0 {
|
||||
t.Fatal("expected a sqlite finding")
|
||||
}
|
||||
if v := dbFileExtract(res, "table_name"); v != "users" {
|
||||
t.Errorf("table_name=%q, want users", v)
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a redis rdb snapshot leaks its format version", func(t *testing.T) {
|
||||
res := runDBFileModule(t, redis, 200, redisDump)
|
||||
if len(res.Findings) == 0 {
|
||||
t.Fatal("expected a redis rdb finding")
|
||||
}
|
||||
if v := dbFileExtract(res, "rdb_version"); v != "0011" {
|
||||
t.Errorf("rdb_version=%q, want 0011", v)
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("sql shown inside an html page is not a dump", func(t *testing.T) {
|
||||
body := "<!DOCTYPE html><html><head><title>SQL tutorial</title></head><body>" +
|
||||
"<pre>DROP TABLE IF EXISTS users; CREATE TABLE users (id int); INSERT INTO users VALUES (1);</pre>" +
|
||||
"</body></html>"
|
||||
if res := runDBFileModule(t, sqlDump, 200, body); len(res.Findings) > 0 {
|
||||
t.Errorf("an html tutorial should not match, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a sql file with no dump idiom is not flagged", func(t *testing.T) {
|
||||
body := "-- migration notes\nSELECT id FROM users WHERE active = 1;\n"
|
||||
if res := runDBFileModule(t, sqlDump, 200, body); len(res.Findings) > 0 {
|
||||
t.Errorf("a bare select should not match, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a page that names the sqlite format is not the file", func(t *testing.T) {
|
||||
body := "This page documents the SQLite format 3 on-disk structure for readers."
|
||||
if res := runDBFileModule(t, sqlite, 200, body); len(res.Findings) > 0 {
|
||||
t.Errorf("prose about sqlite should not match, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a page that names redis is not an rdb snapshot", func(t *testing.T) {
|
||||
body := "redis-server is running on this host as the REDIS cache backend."
|
||||
if res := runDBFileModule(t, redis, 200, body); len(res.Findings) > 0 {
|
||||
t.Errorf("prose about redis should not match, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("the sqlite magic only counts at the start of the file", func(t *testing.T) {
|
||||
body := "<pre>hexdump of a header: " + sqliteFile + "</pre>"
|
||||
if res := runDBFileModule(t, sqlite, 200, body); len(res.Findings) > 0 {
|
||||
t.Errorf("an embedded sqlite header should not match, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("the rdb magic only counts at the start of the file", func(t *testing.T) {
|
||||
body := "log line: loaded snapshot " + redisDump
|
||||
if res := runDBFileModule(t, redis, 200, body); len(res.Findings) > 0 {
|
||||
t.Errorf("an embedded rdb header should not match, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a plain 200 body is not a leak", func(t *testing.T) {
|
||||
for _, file := range []string{sqlDump, sqlite, redis} {
|
||||
if res := runDBFileModule(t, file, 200, "ok"); len(res.Findings) > 0 {
|
||||
t.Errorf("%s: a plain 200 body should not match, got %d findings", file, len(res.Findings))
|
||||
}
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a 404 is not a leak", func(t *testing.T) {
|
||||
for _, file := range []string{sqlDump, sqlite, redis} {
|
||||
if res := runDBFileModule(t, file, 404, "not found"); len(res.Findings) > 0 {
|
||||
t.Errorf("%s: a 404 should not match, got %d findings", file, len(res.Findings))
|
||||
}
|
||||
}
|
||||
})
|
||||
}
|
||||
@@ -0,0 +1,111 @@
|
||||
package modules_test
|
||||
|
||||
import (
|
||||
"context"
|
||||
"net/http"
|
||||
"net/http/httptest"
|
||||
"testing"
|
||||
"time"
|
||||
|
||||
"github.com/vmfunc/sif/internal/modules"
|
||||
)
|
||||
|
||||
func runDBHTTPModule(t *testing.T, file string, status int, body string) *modules.Result {
|
||||
t.Helper()
|
||||
def, err := modules.ParseYAMLModule(file)
|
||||
if err != nil {
|
||||
t.Fatalf("parse %s: %v", file, err)
|
||||
}
|
||||
srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||
w.WriteHeader(status)
|
||||
_, _ = w.Write([]byte(body))
|
||||
}))
|
||||
defer srv.Close()
|
||||
|
||||
res, err := modules.ExecuteHTTPModule(context.Background(), srv.URL, def, modules.Options{
|
||||
Timeout: 5 * time.Second,
|
||||
Threads: 2,
|
||||
})
|
||||
if err != nil {
|
||||
t.Fatalf("execute %s: %v", file, err)
|
||||
}
|
||||
return res
|
||||
}
|
||||
|
||||
func dbHTTPExtract(res *modules.Result, key string) string {
|
||||
for _, f := range res.Findings {
|
||||
if v := f.Extracted[key]; v != "" {
|
||||
return v
|
||||
}
|
||||
}
|
||||
return ""
|
||||
}
|
||||
|
||||
func TestDatabaseHTTPExposureModules(t *testing.T) {
|
||||
const clickhouse = "../../modules/recon/clickhouse-http-exposure.yaml"
|
||||
const dgraph = "../../modules/recon/dgraph-api-exposure.yaml"
|
||||
|
||||
t.Run("a clickhouse FORMAT JSON result is flagged with the version", func(t *testing.T) {
|
||||
body := `{"meta":[{"name":"version()","type":"String"}],"data":[{"version()":"24.3.1.2672"}],` +
|
||||
`"rows":1,"statistics":{"elapsed":0.000123,"rows_read":1,"bytes_read":1}}`
|
||||
res := runDBHTTPModule(t, clickhouse, 200, body)
|
||||
if len(res.Findings) == 0 {
|
||||
t.Fatal("expected a clickhouse finding")
|
||||
}
|
||||
if v := dbHTTPExtract(res, "clickhouse_version"); v != "24.3.1.2672" {
|
||||
t.Errorf("clickhouse_version=%q, want 24.3.1.2672", v)
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a json result without the statistics envelope is not flagged as clickhouse", func(t *testing.T) {
|
||||
body := `{"meta":[{"name":"x"}],"data":[{"x":1}],"rows":1}`
|
||||
if res := runDBHTTPModule(t, clickhouse, 200, body); len(res.Findings) > 0 {
|
||||
t.Errorf("a statless json result should not match clickhouse, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a dgraph alpha health is flagged with its version", func(t *testing.T) {
|
||||
body := `[{"instance":"alpha","address":"localhost:7080","status":"healthy","group":"0",` +
|
||||
`"version":"v23.1.0","uptime":3600,"lastEcho":1700000000,"ongoing":["opRollup"],"max_assigned":30002}]`
|
||||
res := runDBHTTPModule(t, dgraph, 200, body)
|
||||
if len(res.Findings) == 0 {
|
||||
t.Fatal("expected a dgraph finding")
|
||||
}
|
||||
if v := dbHTTPExtract(res, "dgraph_version"); v != "v23.1.0" {
|
||||
t.Errorf("dgraph_version=%q, want v23.1.0", v)
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a dgraph alpha health without max_assigned is not flagged", func(t *testing.T) {
|
||||
body := `[{"instance":"alpha","status":"healthy","lastEcho":1700000000}]`
|
||||
if res := runDBHTTPModule(t, dgraph, 200, body); len(res.Findings) > 0 {
|
||||
t.Errorf("a partial alpha health should not match dgraph, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a non-alpha instance health is not flagged as dgraph", func(t *testing.T) {
|
||||
body := `[{"instance":"zero","max_assigned":30002,"lastEcho":1700000000}]`
|
||||
if res := runDBHTTPModule(t, dgraph, 200, body); len(res.Findings) > 0 {
|
||||
t.Errorf("a zero-node health should not match dgraph alpha, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a plain 200 body is not a leak", func(t *testing.T) {
|
||||
for _, file := range []string{clickhouse, dgraph} {
|
||||
if res := runDBHTTPModule(t, file, 200, "ok"); len(res.Findings) > 0 {
|
||||
t.Errorf("%s: a plain 200 body should not match, got %d findings", file, len(res.Findings))
|
||||
}
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a 403 or 404 is not a leak", func(t *testing.T) {
|
||||
if res := runDBHTTPModule(t, clickhouse, 403, "Authentication failed"); len(res.Findings) > 0 {
|
||||
t.Errorf("a 403 clickhouse should not match, got %d findings", len(res.Findings))
|
||||
}
|
||||
for _, file := range []string{clickhouse, dgraph} {
|
||||
if res := runDBHTTPModule(t, file, 404, "not found"); len(res.Findings) > 0 {
|
||||
t.Errorf("%s: a 404 should not match, got %d findings", file, len(res.Findings))
|
||||
}
|
||||
}
|
||||
})
|
||||
}
|
||||
@@ -0,0 +1,88 @@
|
||||
package modules_test
|
||||
|
||||
import (
|
||||
"context"
|
||||
"net/http"
|
||||
"net/http/httptest"
|
||||
"testing"
|
||||
"time"
|
||||
|
||||
"github.com/vmfunc/sif/internal/modules"
|
||||
)
|
||||
|
||||
func runDBModule(t *testing.T, file string, status int, headers map[string]string, body string) *modules.Result {
|
||||
t.Helper()
|
||||
def, err := modules.ParseYAMLModule(file)
|
||||
if err != nil {
|
||||
t.Fatalf("parse %s: %v", file, err)
|
||||
}
|
||||
srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||
for k, v := range headers {
|
||||
w.Header().Set(k, v)
|
||||
}
|
||||
w.WriteHeader(status)
|
||||
_, _ = w.Write([]byte(body))
|
||||
}))
|
||||
defer srv.Close()
|
||||
|
||||
res, err := modules.ExecuteHTTPModule(context.Background(), srv.URL, def, modules.Options{
|
||||
Timeout: 5 * time.Second,
|
||||
Threads: 2,
|
||||
})
|
||||
if err != nil {
|
||||
t.Fatalf("execute %s: %v", file, err)
|
||||
}
|
||||
return res
|
||||
}
|
||||
|
||||
func dbExtract(res *modules.Result, key string) string {
|
||||
for _, f := range res.Findings {
|
||||
if v := f.Extracted[key]; v != "" {
|
||||
return v
|
||||
}
|
||||
}
|
||||
return ""
|
||||
}
|
||||
|
||||
func TestDBPanelModules(t *testing.T) {
|
||||
const adminer = "../../modules/info/adminer-panel.yaml"
|
||||
const phpmyadmin = "../../modules/info/phpmyadmin-panel.yaml"
|
||||
|
||||
adminerLogin := `<form action=""><input type="hidden" name="auth[driver]" value="server">` +
|
||||
`<input name="auth[username]"></form>` +
|
||||
`<p class="links"><a href="https://www.adminer.org/">Adminer</a> <span class="version">4.8.1</span></p>`
|
||||
pmaLogin := `<link rel="stylesheet" href="themes/pmahomme/css/theme.css">` +
|
||||
`<input type="text" name="pma_username"><script>var data = {"PMA_VERSION":"5.2.1"};</script>`
|
||||
|
||||
t.Run("adminer login", func(t *testing.T) {
|
||||
res := runDBModule(t, adminer, 200, nil, adminerLogin)
|
||||
if len(res.Findings) == 0 {
|
||||
t.Fatal("expected an adminer finding")
|
||||
}
|
||||
if v := dbExtract(res, "adminer_version"); v != "4.8.1" {
|
||||
t.Errorf("adminer_version=%q, want 4.8.1", v)
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("adminer unrelated page", func(t *testing.T) {
|
||||
if res := runDBModule(t, adminer, 200, nil, "<html><body>nothing</body></html>"); len(res.Findings) > 0 {
|
||||
t.Errorf("unrelated page should not match, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("phpmyadmin login", func(t *testing.T) {
|
||||
res := runDBModule(t, phpmyadmin, 200, map[string]string{"Set-Cookie": "phpMyAdmin=abc123; path=/"}, pmaLogin)
|
||||
if len(res.Findings) == 0 {
|
||||
t.Fatal("expected a phpmyadmin finding")
|
||||
}
|
||||
if v := dbExtract(res, "phpmyadmin_version"); v != "5.2.1" {
|
||||
t.Errorf("phpmyadmin_version=%q, want 5.2.1", v)
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("phpmyadmin unrelated page", func(t *testing.T) {
|
||||
if res := runDBModule(t, phpmyadmin, 200, nil, "<html><body>nothing</body></html>"); len(res.Findings) > 0 {
|
||||
t.Errorf("unrelated page should not match, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
}
|
||||
@@ -0,0 +1,121 @@
|
||||
package modules_test
|
||||
|
||||
import (
|
||||
"context"
|
||||
"net/http"
|
||||
"net/http/httptest"
|
||||
"testing"
|
||||
"time"
|
||||
|
||||
"github.com/vmfunc/sif/internal/modules"
|
||||
)
|
||||
|
||||
func runDebugModule(t *testing.T, file string, status int, body string) *modules.Result {
|
||||
t.Helper()
|
||||
def, err := modules.ParseYAMLModule(file)
|
||||
if err != nil {
|
||||
t.Fatalf("parse %s: %v", file, err)
|
||||
}
|
||||
srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||
w.WriteHeader(status)
|
||||
_, _ = w.Write([]byte(body))
|
||||
}))
|
||||
defer srv.Close()
|
||||
|
||||
res, err := modules.ExecuteHTTPModule(context.Background(), srv.URL, def, modules.Options{
|
||||
Timeout: 5 * time.Second,
|
||||
Threads: 2,
|
||||
})
|
||||
if err != nil {
|
||||
t.Fatalf("execute %s: %v", file, err)
|
||||
}
|
||||
return res
|
||||
}
|
||||
|
||||
func debugExtract(res *modules.Result, key string) string {
|
||||
for _, f := range res.Findings {
|
||||
if v := f.Extracted[key]; v != "" {
|
||||
return v
|
||||
}
|
||||
}
|
||||
return ""
|
||||
}
|
||||
|
||||
func TestDebugExposureModules(t *testing.T) {
|
||||
const ignition = "../../modules/recon/laravel-ignition-exposure.yaml"
|
||||
const profiler = "../../modules/recon/symfony-profiler-exposure.yaml"
|
||||
const heapdump = "../../modules/recon/spring-heapdump-exposure.yaml"
|
||||
|
||||
t.Run("ignition health check exposes command execution", func(t *testing.T) {
|
||||
res := runDebugModule(t, ignition, 200, `{"can_execute_commands":true,"config":{}}`)
|
||||
if len(res.Findings) == 0 {
|
||||
t.Fatal("expected an ignition finding")
|
||||
}
|
||||
if v := debugExtract(res, "can_execute_commands"); v != "true" {
|
||||
t.Errorf("can_execute_commands=%q, want true", v)
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("ignition exposed with debug off still flags and extracts false", func(t *testing.T) {
|
||||
res := runDebugModule(t, ignition, 200, `{"can_execute_commands":false}`)
|
||||
if len(res.Findings) == 0 {
|
||||
t.Fatal("expected an ignition finding even when command execution is off")
|
||||
}
|
||||
if v := debugExtract(res, "can_execute_commands"); v != "false" {
|
||||
t.Errorf("can_execute_commands=%q, want false", v)
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("symfony profiler exposes a request token", func(t *testing.T) {
|
||||
body := `<html><head><title>Symfony Profiler</title></head><body>` +
|
||||
`<a href="/_profiler/5f3a2b">GET /</a></body></html>`
|
||||
res := runDebugModule(t, profiler, 200, body)
|
||||
if len(res.Findings) == 0 {
|
||||
t.Fatal("expected a symfony profiler finding")
|
||||
}
|
||||
if v := debugExtract(res, "profiler_token"); v != "5f3a2b" {
|
||||
t.Errorf("profiler_token=%q, want 5f3a2b", v)
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("spring heap dump exposes the hprof magic", func(t *testing.T) {
|
||||
body := "JAVA PROFILE 1.0.2\x00\x00\x00\x08heap bytes follow"
|
||||
res := runDebugModule(t, heapdump, 200, body)
|
||||
if len(res.Findings) == 0 {
|
||||
t.Fatal("expected a heap dump finding")
|
||||
}
|
||||
if v := debugExtract(res, "hprof_version"); v != "1.0.2" {
|
||||
t.Errorf("hprof_version=%q, want 1.0.2", v)
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("the hprof magic must be at the start not merely present", func(t *testing.T) {
|
||||
body := "<html><body>docs about the JAVA PROFILE 1.0.2 hprof header</body></html>"
|
||||
if res := runDebugModule(t, heapdump, 200, body); len(res.Findings) > 0 {
|
||||
t.Errorf("the magic away from the start should not match, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a page that only names ignition is not the endpoint", func(t *testing.T) {
|
||||
body := `<html><body>we use ignition to render errors in development</body></html>`
|
||||
if res := runDebugModule(t, ignition, 200, body); len(res.Findings) > 0 {
|
||||
t.Errorf("a prose mention should not match, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a plain 200 body is not a leak", func(t *testing.T) {
|
||||
for _, file := range []string{ignition, profiler, heapdump} {
|
||||
if res := runDebugModule(t, file, 200, "<html><body>plain</body></html>"); len(res.Findings) > 0 {
|
||||
t.Errorf("%s: a plain 200 body should not match, got %d findings", file, len(res.Findings))
|
||||
}
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a 404 is not a leak", func(t *testing.T) {
|
||||
for _, file := range []string{ignition, profiler, heapdump} {
|
||||
if res := runDebugModule(t, file, 404, "not found"); len(res.Findings) > 0 {
|
||||
t.Errorf("%s: a 404 should not match, got %d findings", file, len(res.Findings))
|
||||
}
|
||||
}
|
||||
})
|
||||
}
|
||||
@@ -0,0 +1,134 @@
|
||||
package modules_test
|
||||
|
||||
import (
|
||||
"context"
|
||||
"net/http"
|
||||
"net/http/httptest"
|
||||
"testing"
|
||||
"time"
|
||||
|
||||
"github.com/vmfunc/sif/internal/modules"
|
||||
)
|
||||
|
||||
func runDeployModule(t *testing.T, file string, status int, body string) *modules.Result {
|
||||
t.Helper()
|
||||
def, err := modules.ParseYAMLModule(file)
|
||||
if err != nil {
|
||||
t.Fatalf("parse %s: %v", file, err)
|
||||
}
|
||||
srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||
w.WriteHeader(status)
|
||||
_, _ = w.Write([]byte(body))
|
||||
}))
|
||||
defer srv.Close()
|
||||
|
||||
res, err := modules.ExecuteHTTPModule(context.Background(), srv.URL, def, modules.Options{
|
||||
Timeout: 5 * time.Second,
|
||||
Threads: 2,
|
||||
})
|
||||
if err != nil {
|
||||
t.Fatalf("execute %s: %v", file, err)
|
||||
}
|
||||
return res
|
||||
}
|
||||
|
||||
func deployExtract(res *modules.Result, key string) string {
|
||||
for _, f := range res.Findings {
|
||||
if v := f.Extracted[key]; v != "" {
|
||||
return v
|
||||
}
|
||||
}
|
||||
return ""
|
||||
}
|
||||
|
||||
func TestDeployConfigExposureModules(t *testing.T) {
|
||||
const vscode = "../../modules/recon/vscode-sftp-exposure.yaml"
|
||||
const sublime = "../../modules/recon/sublime-sftp-exposure.yaml"
|
||||
const ftpconfig = "../../modules/recon/ftpconfig-exposure.yaml"
|
||||
|
||||
t.Run("vscode sftp config leaks the deploy host", func(t *testing.T) {
|
||||
body := `{"name":"prod","host":"deploy.example.com","protocol":"sftp",` +
|
||||
`"username":"root","password":"s3cr3t","remotePath":"/var/www","uploadOnSave":true}`
|
||||
res := runDeployModule(t, vscode, 200, body)
|
||||
if len(res.Findings) == 0 {
|
||||
t.Fatal("expected a vscode sftp finding")
|
||||
}
|
||||
if v := deployExtract(res, "remote_host"); v != "deploy.example.com" {
|
||||
t.Errorf("remote_host=%q, want deploy.example.com", v)
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("vscode sftp config with key auth still flags and extracts the host", func(t *testing.T) {
|
||||
body := `{"host":"key.example.com","protocol":"sftp",` +
|
||||
`"username":"deploy","privateKeyPath":"~/.ssh/id_rsa","uploadOnSave":true}`
|
||||
res := runDeployModule(t, vscode, 200, body)
|
||||
if len(res.Findings) == 0 {
|
||||
t.Fatal("expected a vscode sftp finding for a key-auth config")
|
||||
}
|
||||
if v := deployExtract(res, "remote_host"); v != "key.example.com" {
|
||||
t.Errorf("remote_host=%q, want key.example.com", v)
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("sublime sftp config leaks the deploy host", func(t *testing.T) {
|
||||
body := `{"type":"sftp","host":"sftp.example.org","user":"www","password":"hunter2",` +
|
||||
`"remote_path":"/srv","upload_on_save":true,"sync_down_on_open":false}`
|
||||
res := runDeployModule(t, sublime, 200, body)
|
||||
if len(res.Findings) == 0 {
|
||||
t.Fatal("expected a sublime sftp finding")
|
||||
}
|
||||
if v := deployExtract(res, "remote_host"); v != "sftp.example.org" {
|
||||
t.Errorf("remote_host=%q, want sftp.example.org", v)
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("atom remote-ftp config leaks the deploy host", func(t *testing.T) {
|
||||
body := `{"protocol":"ftp","host":"ftp.example.net","port":21,"user":"upload",` +
|
||||
`"pass":"letmein","remote":"/","connTimeout":10000,"pasvTimeout":10000}`
|
||||
res := runDeployModule(t, ftpconfig, 200, body)
|
||||
if len(res.Findings) == 0 {
|
||||
t.Fatal("expected an atom remote-ftp finding")
|
||||
}
|
||||
if v := deployExtract(res, "remote_host"); v != "ftp.example.net" {
|
||||
t.Errorf("remote_host=%q, want ftp.example.net", v)
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("an html login page carrying the same keys is not a leak", func(t *testing.T) {
|
||||
body := `<html><head><title>Sign in</title></head><body>` +
|
||||
`config keys "remotePath" "password" "host":"evil.example.com"</body></html>`
|
||||
if res := runDeployModule(t, vscode, 200, body); len(res.Findings) > 0 {
|
||||
t.Errorf("an html page should not match, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a plain json config without the tool keys is not a leak", func(t *testing.T) {
|
||||
body := `{"host":"db.internal","username":"admin","user":"admin","pass":"x","password":"hunter2"}`
|
||||
for _, file := range []string{vscode, sublime, ftpconfig} {
|
||||
if res := runDeployModule(t, file, 200, body); len(res.Findings) > 0 {
|
||||
t.Errorf("%s: a config without the tool keys should not match, got %d findings", file, len(res.Findings))
|
||||
}
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a tool config with a host but no credential field is not a leak", func(t *testing.T) {
|
||||
bodies := map[string]string{
|
||||
vscode: `{"host":"h.example.com","remotePath":"/var/www","uploadOnSave":true}`,
|
||||
sublime: `{"type":"sftp","host":"h.example.com","upload_on_save":true}`,
|
||||
ftpconfig: `{"protocol":"ftp","host":"h.example.com","connTimeout":10000,"pasvTimeout":10000}`,
|
||||
}
|
||||
for file, body := range bodies {
|
||||
if res := runDeployModule(t, file, 200, body); len(res.Findings) > 0 {
|
||||
t.Errorf("%s: a config with no credential field should not match, got %d findings", file, len(res.Findings))
|
||||
}
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a 404 is not a leak", func(t *testing.T) {
|
||||
for _, file := range []string{vscode, sublime, ftpconfig} {
|
||||
if res := runDeployModule(t, file, 404, "not found"); len(res.Findings) > 0 {
|
||||
t.Errorf("%s: a 404 should not match, got %d findings", file, len(res.Findings))
|
||||
}
|
||||
}
|
||||
})
|
||||
}
|
||||
@@ -0,0 +1,159 @@
|
||||
package modules_test
|
||||
|
||||
import (
|
||||
"context"
|
||||
"net/http"
|
||||
"net/http/httptest"
|
||||
"testing"
|
||||
"time"
|
||||
|
||||
"github.com/vmfunc/sif/internal/modules"
|
||||
)
|
||||
|
||||
func runDistDBModule(t *testing.T, file string, status int, body string) *modules.Result {
|
||||
t.Helper()
|
||||
def, err := modules.ParseYAMLModule(file)
|
||||
if err != nil {
|
||||
t.Fatalf("parse %s: %v", file, err)
|
||||
}
|
||||
srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||
w.WriteHeader(status)
|
||||
_, _ = w.Write([]byte(body))
|
||||
}))
|
||||
defer srv.Close()
|
||||
|
||||
res, err := modules.ExecuteHTTPModule(context.Background(), srv.URL, def, modules.Options{
|
||||
Timeout: 5 * time.Second,
|
||||
Threads: 2,
|
||||
})
|
||||
if err != nil {
|
||||
t.Fatalf("execute %s: %v", file, err)
|
||||
}
|
||||
return res
|
||||
}
|
||||
|
||||
func distDBExtract(res *modules.Result, key string) string {
|
||||
for _, f := range res.Findings {
|
||||
if v := f.Extracted[key]; v != "" {
|
||||
return v
|
||||
}
|
||||
}
|
||||
return ""
|
||||
}
|
||||
|
||||
func TestDistributedDBExposureModules(t *testing.T) {
|
||||
const riak = "../../modules/recon/riak-api-exposure.yaml"
|
||||
const couchbase = "../../modules/recon/couchbase-api-exposure.yaml"
|
||||
const druid = "../../modules/recon/druid-api-exposure.yaml"
|
||||
|
||||
riakStats := `{"riak_kv_version":"3.0.16","riak_core_version":"3.0.99","riak_pipe_version":"3.0.16",` +
|
||||
`"sys_otp_release":"22","ring_members":["riak@10.0.0.1"],"ring_num_partitions":64,` +
|
||||
`"storage_backend":"riak_kv_bitcask_backend"}`
|
||||
|
||||
couchbasePools := `{"pools":[{"name":"default","uri":"/pools/default?uuid=abc",` +
|
||||
`"streamingUri":"/poolsStreaming/default?uuid=abc"}],"isAdminCreds":false,"isEnterprise":true,` +
|
||||
`"implementationVersion":"7.2.0-6053-enterprise","uuid":"abc",` +
|
||||
`"componentsVersion":{"ns_server":"7.2.0-6053","couchdb":"3.1.1"}}`
|
||||
|
||||
druidStatus := `{"version":"0.22.1","modules":[{"name":"org.apache.druid.server.initialization.jetty.JettyServerModule",` +
|
||||
`"artifact":"druid-server","version":"0.22.1"},{"name":"org.apache.druid.guice.AnnouncerModule",` +
|
||||
`"artifact":"druid-server","version":"0.22.1"}],"memory":{"maxMemory":1037959168,` +
|
||||
`"totalMemory":1037959168,"freeMemory":900000000,"directMemory":134217728}}`
|
||||
|
||||
t.Run("an exposed riak http api is flagged and versioned", func(t *testing.T) {
|
||||
res := runDistDBModule(t, riak, 200, riakStats)
|
||||
if len(res.Findings) == 0 {
|
||||
t.Fatal("expected a riak finding")
|
||||
}
|
||||
if v := distDBExtract(res, "riak_version"); v != "3.0.16" {
|
||||
t.Errorf("riak_version=%q, want 3.0.16", v)
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("an exposed couchbase cluster api is flagged and versioned", func(t *testing.T) {
|
||||
res := runDistDBModule(t, couchbase, 200, couchbasePools)
|
||||
if len(res.Findings) == 0 {
|
||||
t.Fatal("expected a couchbase finding")
|
||||
}
|
||||
if v := distDBExtract(res, "couchbase_version"); v != "7.2.0-6053-enterprise" {
|
||||
t.Errorf("couchbase_version=%q, want 7.2.0-6053-enterprise", v)
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("an exposed druid process is flagged and versioned", func(t *testing.T) {
|
||||
res := runDistDBModule(t, druid, 200, druidStatus)
|
||||
if len(res.Findings) == 0 {
|
||||
t.Fatal("expected a druid finding")
|
||||
}
|
||||
if v := distDBExtract(res, "druid_version"); v != "0.22.1" {
|
||||
t.Errorf("druid_version=%q, want 0.22.1", v)
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a riak kv version without a core version is not flagged", func(t *testing.T) {
|
||||
body := `{"riak_kv_version":"3.0.16","name":"app"}`
|
||||
if res := runDistDBModule(t, riak, 200, body); len(res.Findings) > 0 {
|
||||
t.Errorf("a kv version alone should not match riak, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a riak core version without a kv version is not flagged", func(t *testing.T) {
|
||||
body := `{"riak_core_version":"3.0.16","name":"app"}`
|
||||
if res := runDistDBModule(t, riak, 200, body); len(res.Findings) > 0 {
|
||||
t.Errorf("a core version alone should not match riak, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a couchbase impl version without a components version is not flagged", func(t *testing.T) {
|
||||
body := `{"implementationVersion":"7.2.0","name":"app"}`
|
||||
if res := runDistDBModule(t, couchbase, 200, body); len(res.Findings) > 0 {
|
||||
t.Errorf("an impl version alone should not match couchbase, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a couchbase components version without an impl version is not flagged", func(t *testing.T) {
|
||||
body := `{"componentsVersion":{"ns_server":"7.2.0"},"name":"app"}`
|
||||
if res := runDistDBModule(t, couchbase, 200, body); len(res.Findings) > 0 {
|
||||
t.Errorf("a components version alone should not match couchbase, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a druid package without a memory block is not flagged", func(t *testing.T) {
|
||||
body := `{"modules":[{"name":"org.apache.druid.cli.Main"}],"app":"x"}`
|
||||
if res := runDistDBModule(t, druid, 200, body); len(res.Findings) > 0 {
|
||||
t.Errorf("a druid package alone should not match druid, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a memory block without a druid package is not flagged", func(t *testing.T) {
|
||||
body := `{"memory":{"maxMemory":123},"app":"x"}`
|
||||
if res := runDistDBModule(t, druid, 200, body); len(res.Findings) > 0 {
|
||||
t.Errorf("a memory block alone should not match druid, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a generic version json is not a distributed db", func(t *testing.T) {
|
||||
body := `{"version":"1.0.0","name":"app"}`
|
||||
for _, file := range []string{riak, couchbase, druid} {
|
||||
if res := runDistDBModule(t, file, 200, body); len(res.Findings) > 0 {
|
||||
t.Errorf("%s: a generic version should not match, got %d findings", file, len(res.Findings))
|
||||
}
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a plain 200 body is not a leak", func(t *testing.T) {
|
||||
for _, file := range []string{riak, couchbase, druid} {
|
||||
if res := runDistDBModule(t, file, 200, "ok"); len(res.Findings) > 0 {
|
||||
t.Errorf("%s: a plain 200 body should not match, got %d findings", file, len(res.Findings))
|
||||
}
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a 404 is not a leak", func(t *testing.T) {
|
||||
for _, file := range []string{riak, couchbase, druid} {
|
||||
if res := runDistDBModule(t, file, 404, "not found"); len(res.Findings) > 0 {
|
||||
t.Errorf("%s: a 404 should not match, got %d findings", file, len(res.Findings))
|
||||
}
|
||||
}
|
||||
})
|
||||
}
|
||||
@@ -0,0 +1,164 @@
|
||||
package modules_test
|
||||
|
||||
import (
|
||||
"context"
|
||||
"net/http"
|
||||
"net/http/httptest"
|
||||
"testing"
|
||||
"time"
|
||||
|
||||
"github.com/vmfunc/sif/internal/modules"
|
||||
)
|
||||
|
||||
func runDotfileModule(t *testing.T, file string, status int, body string) *modules.Result {
|
||||
t.Helper()
|
||||
def, err := modules.ParseYAMLModule(file)
|
||||
if err != nil {
|
||||
t.Fatalf("parse %s: %v", file, err)
|
||||
}
|
||||
srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||
w.WriteHeader(status)
|
||||
_, _ = w.Write([]byte(body))
|
||||
}))
|
||||
defer srv.Close()
|
||||
|
||||
res, err := modules.ExecuteHTTPModule(context.Background(), srv.URL, def, modules.Options{
|
||||
Timeout: 5 * time.Second,
|
||||
Threads: 2,
|
||||
})
|
||||
if err != nil {
|
||||
t.Fatalf("execute %s: %v", file, err)
|
||||
}
|
||||
return res
|
||||
}
|
||||
|
||||
func dotfileExtract(res *modules.Result, key string) string {
|
||||
for _, f := range res.Findings {
|
||||
if v := f.Extracted[key]; v != "" {
|
||||
return v
|
||||
}
|
||||
}
|
||||
return ""
|
||||
}
|
||||
|
||||
func TestDotfileCredentialExposureModules(t *testing.T) {
|
||||
const netrc = "../../modules/recon/netrc-exposure.yaml"
|
||||
const pgpass = "../../modules/recon/pgpass-exposure.yaml"
|
||||
const mycnf = "../../modules/recon/mysql-client-config-exposure.yaml"
|
||||
|
||||
netrcBody := "machine api.example.com\n login deploy\n password s3cr3tP@ss\n" +
|
||||
"machine ftp.example.com\n login anon\n password anon@site\n"
|
||||
|
||||
pgpassBody := "db.example.com:5432:appdb:appuser:Sup3rSecret\n*:*:*:replication:replpass\n"
|
||||
|
||||
mycnfBody := "[client]\nuser=root\npassword=R00tPass!\nhost=127.0.0.1\nport=3306\n"
|
||||
|
||||
t.Run("an exposed netrc leaks the machine host", func(t *testing.T) {
|
||||
res := runDotfileModule(t, netrc, 200, netrcBody)
|
||||
if len(res.Findings) == 0 {
|
||||
t.Fatal("expected a netrc finding")
|
||||
}
|
||||
if v := dotfileExtract(res, "netrc_machine"); v != "api.example.com" {
|
||||
t.Errorf("netrc_machine=%q, want api.example.com", v)
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("an exposed pgpass leaks the host", func(t *testing.T) {
|
||||
res := runDotfileModule(t, pgpass, 200, pgpassBody)
|
||||
if len(res.Findings) == 0 {
|
||||
t.Fatal("expected a pgpass finding")
|
||||
}
|
||||
if v := dotfileExtract(res, "pgpass_host"); v != "db.example.com" {
|
||||
t.Errorf("pgpass_host=%q, want db.example.com", v)
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("an exposed my.cnf leaks the client user", func(t *testing.T) {
|
||||
res := runDotfileModule(t, mycnf, 200, mycnfBody)
|
||||
if len(res.Findings) == 0 {
|
||||
t.Fatal("expected a my.cnf finding")
|
||||
}
|
||||
if v := dotfileExtract(res, "mysql_user"); v != "root" {
|
||||
t.Errorf("mysql_user=%q, want root", v)
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("prose that names machine login and password out of order is not a netrc", func(t *testing.T) {
|
||||
body := "this machine requires a login; store the password securely"
|
||||
if res := runDotfileModule(t, netrc, 200, body); len(res.Findings) > 0 {
|
||||
t.Errorf("out of order prose should not match, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("an html page demonstrating a netrc is not a leak", func(t *testing.T) {
|
||||
body := "<!DOCTYPE html><html><body><pre>machine api.example.com login deploy password s3cret</pre></body></html>"
|
||||
if res := runDotfileModule(t, netrc, 200, body); len(res.Findings) > 0 {
|
||||
t.Errorf("an html netrc tutorial should not match, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a yaml db config with colon keys is not a pgpass", func(t *testing.T) {
|
||||
body := "database:\n host: db.example.com\n port: 5432\n user: appuser\n password: secret\n"
|
||||
if res := runDotfileModule(t, pgpass, 200, body); len(res.Findings) > 0 {
|
||||
t.Errorf("a yaml db config should not match, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a pgpass shaped line with a non numeric port is not flagged", func(t *testing.T) {
|
||||
body := "db.example.com:default:appdb:appuser:Sup3rSecret\n"
|
||||
if res := runDotfileModule(t, pgpass, 200, body); len(res.Findings) > 0 {
|
||||
t.Errorf("a non numeric port should not match, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a multi line config with a number field does not match across lines", func(t *testing.T) {
|
||||
body := "timeout:30:seconds configured\nsee http://docs.example.com:8080 for details\n"
|
||||
if res := runDotfileModule(t, pgpass, 200, body); len(res.Findings) > 0 {
|
||||
t.Errorf("fields must stay on one line, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("an html page demonstrating a pgpass is not a leak", func(t *testing.T) {
|
||||
body := "<!DOCTYPE html>\n<html><body><pre>\ndb.example.com:5432:appdb:appuser:secret\n</pre></body></html>\n"
|
||||
if res := runDotfileModule(t, pgpass, 200, body); len(res.Findings) > 0 {
|
||||
t.Errorf("an html pgpass tutorial should not match, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a my.cnf client section without a password is not flagged", func(t *testing.T) {
|
||||
body := "[client]\nuser=root\nhost=localhost\nport=3306\n"
|
||||
if res := runDotfileModule(t, mycnf, 200, body); len(res.Findings) > 0 {
|
||||
t.Errorf("a section without a password should not match, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a password line without a my.cnf section is not flagged", func(t *testing.T) {
|
||||
body := "password=hunter2\nfoo=bar\n"
|
||||
if res := runDotfileModule(t, mycnf, 200, body); len(res.Findings) > 0 {
|
||||
t.Errorf("a password without a section should not match, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("an html page demonstrating a my.cnf is not a leak", func(t *testing.T) {
|
||||
body := "<!DOCTYPE html><html><body><pre>[client]\npassword=secret</pre></body></html>"
|
||||
if res := runDotfileModule(t, mycnf, 200, body); len(res.Findings) > 0 {
|
||||
t.Errorf("an html my.cnf tutorial should not match, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a plain 200 body is not a leak", func(t *testing.T) {
|
||||
for _, file := range []string{netrc, pgpass, mycnf} {
|
||||
if res := runDotfileModule(t, file, 200, "ok"); len(res.Findings) > 0 {
|
||||
t.Errorf("%s: a plain 200 body should not match, got %d findings", file, len(res.Findings))
|
||||
}
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a 404 is not a leak", func(t *testing.T) {
|
||||
for _, file := range []string{netrc, pgpass, mycnf} {
|
||||
if res := runDotfileModule(t, file, 404, "not found"); len(res.Findings) > 0 {
|
||||
t.Errorf("%s: a 404 should not match, got %d findings", file, len(res.Findings))
|
||||
}
|
||||
}
|
||||
})
|
||||
}
|
||||
@@ -0,0 +1,84 @@
|
||||
/*
|
||||
·━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━·
|
||||
: :
|
||||
: █▀ █ █▀▀ · Blazing-fast pentesting suite :
|
||||
: ▄█ █ █▀ · BSD 3-Clause License :
|
||||
: :
|
||||
: (c) 2022-2026 vmfunc, xyzeva, :
|
||||
: lunchcat alumni & contributors :
|
||||
: :
|
||||
·━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━·
|
||||
*/
|
||||
|
||||
package modules_test
|
||||
|
||||
import (
|
||||
"context"
|
||||
"net/http"
|
||||
"net/http/httptest"
|
||||
"testing"
|
||||
"time"
|
||||
|
||||
"github.com/vmfunc/sif/internal/modules"
|
||||
)
|
||||
|
||||
// runEnvModule runs the env exposure module end to end against a server that
|
||||
// returns the same status and body for every path it requests.
|
||||
func runEnvModule(t *testing.T, status int, body string) *modules.Result {
|
||||
t.Helper()
|
||||
def, err := modules.ParseYAMLModule("../../modules/recon/env-file-exposure.yaml")
|
||||
if err != nil {
|
||||
t.Fatalf("parse: %v", err)
|
||||
}
|
||||
srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||
w.WriteHeader(status)
|
||||
_, _ = w.Write([]byte(body))
|
||||
}))
|
||||
defer srv.Close()
|
||||
|
||||
res, err := modules.ExecuteHTTPModule(context.Background(), srv.URL, def, modules.Options{
|
||||
Timeout: 5 * time.Second,
|
||||
Threads: 2,
|
||||
})
|
||||
if err != nil {
|
||||
t.Fatalf("execute: %v", err)
|
||||
}
|
||||
return res
|
||||
}
|
||||
|
||||
func envLeakedKey(res *modules.Result) string {
|
||||
for _, f := range res.Findings {
|
||||
if v := f.Extracted["leaked_key"]; v != "" {
|
||||
return v
|
||||
}
|
||||
}
|
||||
return ""
|
||||
}
|
||||
|
||||
func TestEnvFileExposureModule(t *testing.T) {
|
||||
realEnv := "APP_NAME=Acme\nAPP_KEY=base64:Zm9vYmFy\nDB_PASSWORD=s3cr3t\nMAIL_PASSWORD=hunter2\n"
|
||||
htmlMentionsSecret := "<!DOCTYPE html>\n<html><head><title>Docs</title></head><body>" +
|
||||
"<code>APP_KEY=base64:...</code> put DB_PASSWORD= in your .env</body></html>"
|
||||
|
||||
t.Run("real env body leaks", func(t *testing.T) {
|
||||
res := runEnvModule(t, 200, realEnv)
|
||||
if len(res.Findings) == 0 {
|
||||
t.Fatal("expected a finding for a real .env body")
|
||||
}
|
||||
if key := envLeakedKey(res); key != "APP_KEY" {
|
||||
t.Errorf("leaked_key=%q, want APP_KEY", key)
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("html page mentioning a key is not a leak", func(t *testing.T) {
|
||||
if res := runEnvModule(t, 200, htmlMentionsSecret); len(res.Findings) > 0 {
|
||||
t.Errorf("html page should not match, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("secrets behind a 404 are not a leak", func(t *testing.T) {
|
||||
if res := runEnvModule(t, 404, realEnv); len(res.Findings) > 0 {
|
||||
t.Errorf("404 should not match, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
}
|
||||
+188
-48
@@ -13,19 +13,29 @@
|
||||
package modules
|
||||
|
||||
import (
|
||||
"bufio"
|
||||
"context"
|
||||
"errors"
|
||||
"fmt"
|
||||
"io"
|
||||
"net/http"
|
||||
"os"
|
||||
"regexp"
|
||||
"strings"
|
||||
"sync"
|
||||
"time"
|
||||
|
||||
"github.com/tidwall/gjson"
|
||||
)
|
||||
|
||||
// MaxBodySize limits response body to prevent memory exhaustion.
|
||||
const MaxBodySize = 5 * 1024 * 1024
|
||||
|
||||
// ErrUnsupportedModuleType signals an executor for a module type that is not
|
||||
// yet implemented. Returning it (rather than an empty result) keeps callers
|
||||
// from mistaking "not implemented" for "scanned, found nothing".
|
||||
var ErrUnsupportedModuleType = errors.New("unsupported module type")
|
||||
|
||||
// httpRequest represents a generated HTTP request.
|
||||
type httpRequest struct {
|
||||
Method string
|
||||
@@ -63,7 +73,10 @@ func ExecuteHTTPModule(ctx context.Context, target string, def *YAMLModule, opts
|
||||
}
|
||||
|
||||
// Generate requests based on paths and payloads
|
||||
requests := generateHTTPRequests(target, cfg)
|
||||
requests, err := generateHTTPRequests(target, cfg)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
// Determine thread count
|
||||
threads := cfg.Threads
|
||||
@@ -117,9 +130,14 @@ func ExecuteHTTPModule(ctx context.Context, target string, def *YAMLModule, opts
|
||||
}
|
||||
|
||||
// generateHTTPRequests creates all requests based on paths and payloads.
|
||||
func generateHTTPRequests(target string, cfg *HTTPConfig) []*httpRequest {
|
||||
func generateHTTPRequests(target string, cfg *HTTPConfig) ([]*httpRequest, error) {
|
||||
var requests []*httpRequest
|
||||
|
||||
paths, err := resolvePaths(cfg)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
// Ensure target has no trailing slash
|
||||
target = strings.TrimSuffix(target, "/")
|
||||
|
||||
@@ -130,7 +148,7 @@ func generateHTTPRequests(target string, cfg *HTTPConfig) []*httpRequest {
|
||||
|
||||
// If no payloads, just use paths directly
|
||||
if len(cfg.Payloads) == 0 {
|
||||
for _, path := range cfg.Paths {
|
||||
for _, path := range paths {
|
||||
url := substituteVariables(path, target, "")
|
||||
requests = append(requests, &httpRequest{
|
||||
Method: method,
|
||||
@@ -140,26 +158,106 @@ func generateHTTPRequests(target string, cfg *HTTPConfig) []*httpRequest {
|
||||
Original: path,
|
||||
})
|
||||
}
|
||||
return requests
|
||||
return requests, nil
|
||||
}
|
||||
|
||||
// Generate requests with payloads
|
||||
for _, path := range cfg.Paths {
|
||||
// pitchfork pairs path[i] with payload[i] and stops at the shorter list;
|
||||
// clusterbomb (default) crosses every path with every payload.
|
||||
if strings.EqualFold(cfg.Attack, "pitchfork") {
|
||||
n := len(paths)
|
||||
if len(cfg.Payloads) < n {
|
||||
n = len(cfg.Payloads)
|
||||
}
|
||||
for i := 0; i < n; i++ {
|
||||
requests = append(requests, newPayloadRequest(method, target, paths[i], cfg.Payloads[i], cfg))
|
||||
}
|
||||
return requests, nil
|
||||
}
|
||||
|
||||
for _, path := range paths {
|
||||
for _, payload := range cfg.Payloads {
|
||||
url := substituteVariables(path, target, payload)
|
||||
body := substituteVariables(cfg.Body, target, payload)
|
||||
requests = append(requests, &httpRequest{
|
||||
Method: method,
|
||||
URL: url,
|
||||
Headers: cfg.Headers,
|
||||
Body: body,
|
||||
Payload: payload,
|
||||
Original: path,
|
||||
})
|
||||
requests = append(requests, newPayloadRequest(method, target, path, payload, cfg))
|
||||
}
|
||||
}
|
||||
|
||||
return requests
|
||||
return requests, nil
|
||||
}
|
||||
|
||||
// resolvePaths expands a wordlist over any {{word}} path templates so one
|
||||
// "{{BaseURL}}/{{word}}" path fuzzes the whole list; paths without {{word}}
|
||||
// pass through literally. no wordlist leaves cfg.Paths untouched.
|
||||
func resolvePaths(cfg *HTTPConfig) ([]string, error) {
|
||||
if cfg.Wordlist == "" {
|
||||
return cfg.Paths, nil
|
||||
}
|
||||
|
||||
words, err := loadWordlist(cfg.Wordlist)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
var paths []string
|
||||
for _, path := range cfg.Paths {
|
||||
if !strings.Contains(path, "{{word}}") && !strings.Contains(path, "{{Word}}") {
|
||||
paths = append(paths, path)
|
||||
continue
|
||||
}
|
||||
for _, word := range words {
|
||||
expanded := strings.ReplaceAll(path, "{{word}}", word)
|
||||
expanded = strings.ReplaceAll(expanded, "{{Word}}", word)
|
||||
paths = append(paths, expanded)
|
||||
}
|
||||
}
|
||||
|
||||
return paths, nil
|
||||
}
|
||||
|
||||
// loadWordlist reads non-empty lines from a local wordlist file, mirroring the
|
||||
// dirlist scanner's scanLines so a converted module fuzzes the identical words.
|
||||
func loadWordlist(path string) ([]string, error) {
|
||||
f, err := os.Open(path)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("open wordlist %q: %w", path, err)
|
||||
}
|
||||
defer f.Close()
|
||||
|
||||
var words []string
|
||||
scanner := bufio.NewScanner(f)
|
||||
scanner.Split(bufio.ScanLines)
|
||||
for scanner.Scan() {
|
||||
if line := scanner.Text(); line != "" {
|
||||
words = append(words, line)
|
||||
}
|
||||
}
|
||||
if err := scanner.Err(); err != nil {
|
||||
return nil, fmt.Errorf("read wordlist %q: %w", path, err)
|
||||
}
|
||||
|
||||
return words, nil
|
||||
}
|
||||
|
||||
// newPayloadRequest builds one request with the path and body templates
|
||||
// substituted for the given payload.
|
||||
func newPayloadRequest(method, target, path, payload string, cfg *HTTPConfig) *httpRequest {
|
||||
return &httpRequest{
|
||||
Method: method,
|
||||
URL: substituteVariables(path, target, payload),
|
||||
Headers: cfg.Headers,
|
||||
Body: substituteVariables(cfg.Body, target, payload),
|
||||
Payload: payload,
|
||||
Original: path,
|
||||
}
|
||||
}
|
||||
|
||||
// validateAttack rejects an attack mode that is not "", "clusterbomb", or
|
||||
// "pitchfork"; an empty value defaults to clusterbomb.
|
||||
func validateAttack(attack string) error {
|
||||
switch strings.ToLower(attack) {
|
||||
case "", "clusterbomb", "pitchfork":
|
||||
return nil
|
||||
default:
|
||||
return fmt.Errorf("invalid attack %q (want \"clusterbomb\" or \"pitchfork\")", attack)
|
||||
}
|
||||
}
|
||||
|
||||
// substituteVariables replaces template variables in a string.
|
||||
@@ -206,45 +304,63 @@ func executeHTTPRequest(ctx context.Context, client *http.Client, r *httpRequest
|
||||
bodyStr := string(respBody)
|
||||
|
||||
// Check matchers
|
||||
if !checkMatchers(cfg.Matchers, resp, bodyStr) {
|
||||
if !checkMatchers(cfg.Matchers, cfg.MatchersCondition, resp, bodyStr) {
|
||||
return Finding{}, false
|
||||
}
|
||||
|
||||
// Extract data
|
||||
extracted := runExtractors(cfg.Extractors, resp, bodyStr)
|
||||
|
||||
// favicon-only matches fire on binary icon bytes; report the hash, not the body.
|
||||
evidence := truncateEvidence(bodyStr)
|
||||
if fav, ok := faviconEvidence(cfg.Matchers, bodyStr); ok {
|
||||
evidence = fav
|
||||
}
|
||||
|
||||
return Finding{
|
||||
URL: r.URL,
|
||||
Severity: severity,
|
||||
Evidence: truncateEvidence(bodyStr),
|
||||
Evidence: evidence,
|
||||
Extracted: extracted,
|
||||
}, true
|
||||
}
|
||||
|
||||
// checkMatchers evaluates all matchers against the response.
|
||||
func checkMatchers(matchers []Matcher, resp *http.Response, body string) bool {
|
||||
// checkMatchers combines matchers with condition "and" (default, all match) or "or" (any).
|
||||
func checkMatchers(matchers []Matcher, condition string, resp *http.Response, body string) bool {
|
||||
if len(matchers) == 0 {
|
||||
return false
|
||||
}
|
||||
|
||||
// Default to AND condition across matchers
|
||||
or := strings.EqualFold(condition, "or")
|
||||
for i := range matchers {
|
||||
matched := checkMatcher(&matchers[i], resp, body)
|
||||
if matchers[i].Negative {
|
||||
matched = !matched
|
||||
}
|
||||
if !matched {
|
||||
return false // AND logic
|
||||
if or && matched {
|
||||
return true
|
||||
}
|
||||
if !or && !matched {
|
||||
return false
|
||||
}
|
||||
}
|
||||
|
||||
return true
|
||||
// and: all matched; or: none matched.
|
||||
return !or
|
||||
}
|
||||
|
||||
// validateMatchersCondition rejects a matchers-condition that is not "", "and", or "or".
|
||||
func validateMatchersCondition(condition string) error {
|
||||
switch strings.ToLower(condition) {
|
||||
case "", "and", "or":
|
||||
return nil
|
||||
default:
|
||||
return fmt.Errorf("invalid matchers-condition %q (want \"and\" or \"or\")", condition)
|
||||
}
|
||||
}
|
||||
|
||||
// checkMatcher evaluates a single matcher.
|
||||
func checkMatcher(m *Matcher, resp *http.Response, body string) bool {
|
||||
part := getPart(m.Part, resp, body)
|
||||
|
||||
switch m.Type {
|
||||
case "status":
|
||||
for _, status := range m.Status {
|
||||
@@ -255,10 +371,22 @@ func checkMatcher(m *Matcher, resp *http.Response, body string) bool {
|
||||
return false
|
||||
|
||||
case "word":
|
||||
return checkWords(part, m.Words, m.Condition)
|
||||
return checkWords(getPart(m.Part, resp, body), m.Words, m.Condition)
|
||||
|
||||
case "regex":
|
||||
return checkRegex(part, m.Regex, m.Condition)
|
||||
return checkRegex(getPart(m.Part, resp, body), m.Regex, m.Condition)
|
||||
|
||||
case "favicon":
|
||||
return checkFaviconHash(body, m.Hash)
|
||||
|
||||
case "size":
|
||||
// size matches the response body length against any listed value.
|
||||
for _, n := range m.Size {
|
||||
if len(body) == n {
|
||||
return true
|
||||
}
|
||||
}
|
||||
return false
|
||||
|
||||
default:
|
||||
return false
|
||||
@@ -350,9 +478,9 @@ func runExtractors(extractors []Extractor, resp *http.Response, body string) map
|
||||
result := make(map[string]string)
|
||||
|
||||
for _, e := range extractors {
|
||||
part := getPart(e.Part, resp, body)
|
||||
|
||||
if e.Type == "regex" {
|
||||
switch e.Type {
|
||||
case "regex":
|
||||
part := getPart(e.Part, resp, body)
|
||||
for _, pattern := range e.Regex {
|
||||
re, err := regexp.Compile(pattern)
|
||||
if err != nil {
|
||||
@@ -364,6 +492,24 @@ func runExtractors(extractors []Extractor, resp *http.Response, body string) map
|
||||
break
|
||||
}
|
||||
}
|
||||
case "kv":
|
||||
// kv records response header key/values, namespaced by the extractor
|
||||
// name when set (e.g. a headers module surfacing every header).
|
||||
for k, v := range resp.Header {
|
||||
key := k
|
||||
if e.Name != "" {
|
||||
key = e.Name + "." + k
|
||||
}
|
||||
result[key] = strings.Join(v, ", ")
|
||||
}
|
||||
case "json":
|
||||
part := getPart(e.Part, resp, body)
|
||||
for _, path := range e.JSON {
|
||||
if r := gjson.Get(part, path); r.Exists() {
|
||||
result[e.Name] = r.String()
|
||||
break
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
@@ -379,22 +525,16 @@ func truncateEvidence(s string) string {
|
||||
return s
|
||||
}
|
||||
|
||||
// ExecuteDNSModule runs a DNS-based module (stub for now).
|
||||
func ExecuteDNSModule(ctx context.Context, target string, def *YAMLModule, opts Options) (*Result, error) {
|
||||
// TODO: Implement DNS module execution
|
||||
return &Result{
|
||||
ModuleID: def.ID,
|
||||
Target: target,
|
||||
Findings: []Finding{},
|
||||
}, nil
|
||||
// ExecuteDNSModule runs a DNS-based module (not yet implemented).
|
||||
// returns ErrUnsupportedModuleType so the caller logs a clear failure rather
|
||||
// than reporting an empty (but successful-looking) result.
|
||||
func ExecuteDNSModule(_ context.Context, _ string, def *YAMLModule, _ Options) (*Result, error) {
|
||||
return nil, fmt.Errorf("dns module %q: %w", def.ID, ErrUnsupportedModuleType)
|
||||
}
|
||||
|
||||
// ExecuteTCPModule runs a TCP-based module (stub for now).
|
||||
func ExecuteTCPModule(ctx context.Context, target string, def *YAMLModule, opts Options) (*Result, error) {
|
||||
// TODO: Implement TCP module execution
|
||||
return &Result{
|
||||
ModuleID: def.ID,
|
||||
Target: target,
|
||||
Findings: []Finding{},
|
||||
}, nil
|
||||
// ExecuteTCPModule runs a TCP-based module (not yet implemented).
|
||||
// returns ErrUnsupportedModuleType so the caller logs a clear failure rather
|
||||
// than reporting an empty (but successful-looking) result.
|
||||
func ExecuteTCPModule(_ context.Context, _ string, def *YAMLModule, _ Options) (*Result, error) {
|
||||
return nil, fmt.Errorf("tcp module %q: %w", def.ID, ErrUnsupportedModuleType)
|
||||
}
|
||||
|
||||
@@ -0,0 +1,387 @@
|
||||
/*
|
||||
·━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━·
|
||||
: :
|
||||
: █▀ █ █▀▀ · Blazing-fast pentesting suite :
|
||||
: ▄█ █ █▀ · BSD 3-Clause License :
|
||||
: :
|
||||
: (c) 2022-2026 vmfunc, xyzeva, :
|
||||
: lunchcat alumni & contributors :
|
||||
: :
|
||||
·━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━·
|
||||
*/
|
||||
|
||||
package modules
|
||||
|
||||
import (
|
||||
"context"
|
||||
"errors"
|
||||
"net/http"
|
||||
"net/http/httptest"
|
||||
"os"
|
||||
"path/filepath"
|
||||
"testing"
|
||||
"time"
|
||||
|
||||
"github.com/vmfunc/sif/internal/httpx"
|
||||
)
|
||||
|
||||
const testTimeout = 5 * time.Second
|
||||
|
||||
// TestExecuteHTTPModuleMatchAndExtract drives the full executor against a live
|
||||
// httptest server: a request hits a path, a matcher fires, an extractor captures.
|
||||
func TestExecuteHTTPModuleMatchAndExtract(t *testing.T) {
|
||||
srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||
if r.URL.Path == "/admin" {
|
||||
w.Header().Set("X-App", "demo")
|
||||
w.WriteHeader(http.StatusOK)
|
||||
_, _ = w.Write([]byte(`flag{found-it} session=sess-4242`))
|
||||
return
|
||||
}
|
||||
w.WriteHeader(http.StatusNotFound)
|
||||
}))
|
||||
defer srv.Close()
|
||||
|
||||
def := &YAMLModule{
|
||||
ID: "test-http-hit",
|
||||
Type: TypeHTTP,
|
||||
Info: YAMLModuleInfo{Severity: "high"},
|
||||
HTTP: &HTTPConfig{
|
||||
Method: "GET",
|
||||
Paths: []string{"{{BaseURL}}/admin", "{{BaseURL}}/missing"},
|
||||
Matchers: []Matcher{
|
||||
{Type: "status", Status: []int{200}},
|
||||
{Type: "word", Part: "body", Words: []string{"flag{found-it}"}},
|
||||
},
|
||||
Extractors: []Extractor{
|
||||
{Type: "regex", Name: "session", Part: "body", Regex: []string{`session=(\S+)`}, Group: 1},
|
||||
},
|
||||
},
|
||||
}
|
||||
|
||||
// route through the shared httpx client so proxy/-H/-rate-limit would apply.
|
||||
opts := Options{Timeout: testTimeout, Client: httpx.Client(testTimeout)}
|
||||
|
||||
result, err := ExecuteHTTPModule(context.Background(), srv.URL, def, opts)
|
||||
if err != nil {
|
||||
t.Fatalf("ExecuteHTTPModule: %v", err)
|
||||
}
|
||||
|
||||
// only /admin satisfies status+word, /missing returns 404.
|
||||
if len(result.Findings) != 1 {
|
||||
t.Fatalf("got %d findings, want 1", len(result.Findings))
|
||||
}
|
||||
f := result.Findings[0]
|
||||
if f.Severity != "high" {
|
||||
t.Errorf("severity = %q, want high (carried from Info)", f.Severity)
|
||||
}
|
||||
if f.Extracted["session"] != "sess-4242" {
|
||||
t.Errorf("extracted session = %q, want sess-4242", f.Extracted["session"])
|
||||
}
|
||||
if f.URL != srv.URL+"/admin" {
|
||||
t.Errorf("finding url = %q, want %q", f.URL, srv.URL+"/admin")
|
||||
}
|
||||
}
|
||||
|
||||
// TestExecuteHTTPModuleNoMatch confirms a module that matches nothing reports
|
||||
// zero findings without erroring.
|
||||
func TestExecuteHTTPModuleNoMatch(t *testing.T) {
|
||||
srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
|
||||
w.WriteHeader(http.StatusOK)
|
||||
_, _ = w.Write([]byte("nothing interesting"))
|
||||
}))
|
||||
defer srv.Close()
|
||||
|
||||
def := &YAMLModule{
|
||||
ID: "test-http-miss",
|
||||
Type: TypeHTTP,
|
||||
HTTP: &HTTPConfig{
|
||||
Paths: []string{"{{BaseURL}}/"},
|
||||
Matchers: []Matcher{
|
||||
{Type: "word", Part: "body", Words: []string{"never-present"}},
|
||||
},
|
||||
},
|
||||
}
|
||||
|
||||
result, err := ExecuteHTTPModule(context.Background(), srv.URL, def, Options{Timeout: testTimeout, Client: httpx.Client(testTimeout)})
|
||||
if err != nil {
|
||||
t.Fatalf("ExecuteHTTPModule: %v", err)
|
||||
}
|
||||
if len(result.Findings) != 0 {
|
||||
t.Fatalf("got %d findings, want 0", len(result.Findings))
|
||||
}
|
||||
}
|
||||
|
||||
// TestExecuteHTTPModulePayloadExpansion verifies payload templates reach the
|
||||
// server and the matching response is captured.
|
||||
func TestExecuteHTTPModulePayloadExpansion(t *testing.T) {
|
||||
srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||
// only the "boom" payload triggers the vulnerable branch.
|
||||
if r.URL.Query().Get("q") == "boom" {
|
||||
_, _ = w.Write([]byte("error: sql syntax near boom"))
|
||||
return
|
||||
}
|
||||
_, _ = w.Write([]byte("ok"))
|
||||
}))
|
||||
defer srv.Close()
|
||||
|
||||
def := &YAMLModule{
|
||||
ID: "test-http-payload",
|
||||
Type: TypeHTTP,
|
||||
HTTP: &HTTPConfig{
|
||||
Paths: []string{"{{BaseURL}}/search?q={{payload}}"},
|
||||
Payloads: []string{"safe", "boom"},
|
||||
Matchers: []Matcher{
|
||||
{Type: "word", Part: "body", Words: []string{"sql syntax"}},
|
||||
},
|
||||
},
|
||||
}
|
||||
|
||||
result, err := ExecuteHTTPModule(context.Background(), srv.URL, def, Options{Timeout: testTimeout, Client: httpx.Client(testTimeout)})
|
||||
if err != nil {
|
||||
t.Fatalf("ExecuteHTTPModule: %v", err)
|
||||
}
|
||||
if len(result.Findings) != 1 {
|
||||
t.Fatalf("got %d findings, want 1 (only boom payload)", len(result.Findings))
|
||||
}
|
||||
}
|
||||
|
||||
// TestExecuteHTTPModuleSizeMatcher pins the size matcher: it fires when the
|
||||
// response body length equals a listed value and stays silent otherwise.
|
||||
func TestExecuteHTTPModuleSizeMatcher(t *testing.T) {
|
||||
body := "1234567890" // 10 bytes
|
||||
srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
|
||||
_, _ = w.Write([]byte(body))
|
||||
}))
|
||||
defer srv.Close()
|
||||
|
||||
opts := Options{Timeout: testTimeout, Client: httpx.Client(testTimeout)}
|
||||
mod := func(id string, size int) *YAMLModule {
|
||||
return &YAMLModule{
|
||||
ID: id, Type: TypeHTTP,
|
||||
HTTP: &HTTPConfig{
|
||||
Paths: []string{"{{BaseURL}}/"},
|
||||
Matchers: []Matcher{{Type: "size", Size: []int{size}}},
|
||||
},
|
||||
}
|
||||
}
|
||||
|
||||
hit, err := ExecuteHTTPModule(context.Background(), srv.URL, mod("size-hit", len(body)), opts)
|
||||
if err != nil {
|
||||
t.Fatalf("ExecuteHTTPModule(hit): %v", err)
|
||||
}
|
||||
if len(hit.Findings) != 1 {
|
||||
t.Fatalf("size match: got %d findings, want 1", len(hit.Findings))
|
||||
}
|
||||
|
||||
miss, err := ExecuteHTTPModule(context.Background(), srv.URL, mod("size-miss", len(body)+1), opts)
|
||||
if err != nil {
|
||||
t.Fatalf("ExecuteHTTPModule(miss): %v", err)
|
||||
}
|
||||
if len(miss.Findings) != 0 {
|
||||
t.Fatalf("size mismatch: got %d findings, want 0", len(miss.Findings))
|
||||
}
|
||||
}
|
||||
|
||||
// TestExecuteHTTPModuleKvExtractor pins the kv extractor: it records response
|
||||
// header key/values onto the finding, namespaced by the extractor name.
|
||||
func TestExecuteHTTPModuleKvExtractor(t *testing.T) {
|
||||
srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
|
||||
w.Header().Set("Server", "nginx/1.25.3")
|
||||
w.Header().Set("X-Powered-By", "PHP/8.2.0")
|
||||
w.WriteHeader(http.StatusOK)
|
||||
_, _ = w.Write([]byte("hello"))
|
||||
}))
|
||||
defer srv.Close()
|
||||
|
||||
def := &YAMLModule{
|
||||
ID: "kv-mod", Type: TypeHTTP,
|
||||
HTTP: &HTTPConfig{
|
||||
Paths: []string{"{{BaseURL}}/"},
|
||||
Matchers: []Matcher{{Type: "status", Status: []int{200}}},
|
||||
Extractors: []Extractor{{Type: "kv", Name: "headers", Part: "header"}},
|
||||
},
|
||||
}
|
||||
|
||||
result, err := ExecuteHTTPModule(context.Background(), srv.URL, def, Options{Timeout: testTimeout, Client: httpx.Client(testTimeout)})
|
||||
if err != nil {
|
||||
t.Fatalf("ExecuteHTTPModule: %v", err)
|
||||
}
|
||||
if len(result.Findings) != 1 {
|
||||
t.Fatalf("got %d findings, want 1", len(result.Findings))
|
||||
}
|
||||
ex := result.Findings[0].Extracted
|
||||
if ex["headers.Server"] != "nginx/1.25.3" {
|
||||
t.Errorf("kv headers.Server = %q, want nginx/1.25.3", ex["headers.Server"])
|
||||
}
|
||||
if ex["headers.X-Powered-By"] != "PHP/8.2.0" {
|
||||
t.Errorf("kv headers.X-Powered-By = %q, want PHP/8.2.0", ex["headers.X-Powered-By"])
|
||||
}
|
||||
}
|
||||
|
||||
func TestExecuteHTTPModuleNoConfig(t *testing.T) {
|
||||
def := &YAMLModule{ID: "x", Type: TypeHTTP}
|
||||
if _, err := ExecuteHTTPModule(context.Background(), "http://h", def, Options{}); err == nil {
|
||||
t.Fatal("expected error when HTTP config is nil")
|
||||
}
|
||||
}
|
||||
|
||||
// TestExecuteHTTPModuleContextCancel pins the cancellation path. The dispatch
|
||||
// loop selects between ctx.Done() and the concurrency semaphore, so a cancelled
|
||||
// context can either short-circuit with ctx.Err() or let the in-flight request
|
||||
// fail on the dead context. Both are correct: the contract is "never hang, never
|
||||
// invent a finding", which is what we assert here rather than forcing one race
|
||||
// winner (that made this test flaky under -count).
|
||||
func TestExecuteHTTPModuleContextCancel(t *testing.T) {
|
||||
srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
|
||||
w.WriteHeader(http.StatusOK)
|
||||
}))
|
||||
defer srv.Close()
|
||||
|
||||
ctx, cancel := context.WithCancel(context.Background())
|
||||
cancel()
|
||||
|
||||
def := &YAMLModule{
|
||||
ID: "test-http-cancel",
|
||||
Type: TypeHTTP,
|
||||
HTTP: &HTTPConfig{
|
||||
Paths: []string{"{{BaseURL}}/a"},
|
||||
Matchers: []Matcher{{Type: "status", Status: []int{200}}},
|
||||
},
|
||||
}
|
||||
|
||||
result, err := ExecuteHTTPModule(ctx, srv.URL, def, Options{Timeout: testTimeout, Client: httpx.Client(testTimeout)})
|
||||
if err != nil {
|
||||
if !errors.Is(err, context.Canceled) {
|
||||
t.Fatalf("err = %v, want context.Canceled or nil", err)
|
||||
}
|
||||
return
|
||||
}
|
||||
// no error means the request was dispatched but failed on the dead context;
|
||||
// either way a cancelled scan must not surface findings.
|
||||
if len(result.Findings) != 0 {
|
||||
t.Fatalf("cancelled scan produced %d findings, want 0", len(result.Findings))
|
||||
}
|
||||
}
|
||||
|
||||
// TestExecuteDNSModuleUnsupported pins the current behavior: DNS execution is
|
||||
// not implemented and must signal it via ErrUnsupportedModuleType, not by
|
||||
// quietly returning an empty (successful-looking) result.
|
||||
func TestExecuteDNSModuleUnsupported(t *testing.T) {
|
||||
def := &YAMLModule{ID: "dns-mod", Type: TypeDNS, DNS: &DNSConfig{Type: "A"}}
|
||||
result, err := ExecuteDNSModule(context.Background(), "example.com", def, Options{})
|
||||
if result != nil {
|
||||
t.Errorf("result = %v, want nil for unsupported type", result)
|
||||
}
|
||||
if !errors.Is(err, ErrUnsupportedModuleType) {
|
||||
t.Fatalf("err = %v, want ErrUnsupportedModuleType", err)
|
||||
}
|
||||
}
|
||||
|
||||
func TestExecuteTCPModuleUnsupported(t *testing.T) {
|
||||
def := &YAMLModule{ID: "tcp-mod", Type: TypeTCP, TCP: &TCPConfig{Port: 22}}
|
||||
result, err := ExecuteTCPModule(context.Background(), "example.com", def, Options{})
|
||||
if result != nil {
|
||||
t.Errorf("result = %v, want nil for unsupported type", result)
|
||||
}
|
||||
if !errors.Is(err, ErrUnsupportedModuleType) {
|
||||
t.Fatalf("err = %v, want ErrUnsupportedModuleType", err)
|
||||
}
|
||||
}
|
||||
|
||||
// TestWrapperExecuteRoutesByType confirms the Module wrapper dispatches each
|
||||
// type to the right executor and propagates the unsupported-type sentinel.
|
||||
func TestWrapperExecuteRoutesByType(t *testing.T) {
|
||||
t.Run("dns routes to unsupported", func(t *testing.T) {
|
||||
def := &YAMLModule{ID: "d", Type: TypeDNS, DNS: &DNSConfig{}}
|
||||
w := newYAMLModuleWrapper(def, "d.yaml")
|
||||
if _, err := w.Execute(context.Background(), "t", Options{}); !errors.Is(err, ErrUnsupportedModuleType) {
|
||||
t.Fatalf("err = %v, want ErrUnsupportedModuleType", err)
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("tcp routes to unsupported", func(t *testing.T) {
|
||||
def := &YAMLModule{ID: "t", Type: TypeTCP, TCP: &TCPConfig{}}
|
||||
w := newYAMLModuleWrapper(def, "t.yaml")
|
||||
if _, err := w.Execute(context.Background(), "t", Options{}); !errors.Is(err, ErrUnsupportedModuleType) {
|
||||
t.Fatalf("err = %v, want ErrUnsupportedModuleType", err)
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("missing http config errors", func(t *testing.T) {
|
||||
def := &YAMLModule{ID: "h", Type: TypeHTTP}
|
||||
w := newYAMLModuleWrapper(def, "h.yaml")
|
||||
if _, err := w.Execute(context.Background(), "t", Options{}); err == nil {
|
||||
t.Fatal("expected error for missing http config")
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("unknown type errors", func(t *testing.T) {
|
||||
def := &YAMLModule{ID: "z", Type: ModuleType("bogus")}
|
||||
w := newYAMLModuleWrapper(def, "z.yaml")
|
||||
if _, err := w.Execute(context.Background(), "t", Options{}); err == nil {
|
||||
t.Fatal("expected error for unknown module type")
|
||||
}
|
||||
})
|
||||
}
|
||||
|
||||
// TestExecuteHTTPModuleWordlist proves a {{word}} path templated against a local
|
||||
// wordlist drives one real request per word, and only the path that exists fires.
|
||||
func TestExecuteHTTPModuleWordlist(t *testing.T) {
|
||||
srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||
if r.URL.Path == "/admin" {
|
||||
w.WriteHeader(http.StatusOK)
|
||||
return
|
||||
}
|
||||
w.WriteHeader(http.StatusNotFound)
|
||||
}))
|
||||
defer srv.Close()
|
||||
|
||||
list := filepath.Join(t.TempDir(), "words.txt")
|
||||
if err := os.WriteFile(list, []byte("login\nadmin\nbackup\n"), 0o600); err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
|
||||
def := &YAMLModule{
|
||||
ID: "test-wordlist",
|
||||
Type: TypeHTTP,
|
||||
Info: YAMLModuleInfo{Severity: "low"},
|
||||
HTTP: &HTTPConfig{
|
||||
Method: "GET",
|
||||
Wordlist: list,
|
||||
Paths: []string{"{{BaseURL}}/{{word}}"},
|
||||
Matchers: []Matcher{{Type: "status", Status: []int{200}}},
|
||||
},
|
||||
}
|
||||
|
||||
opts := Options{Timeout: testTimeout, Client: httpx.Client(testTimeout)}
|
||||
res, err := ExecuteHTTPModule(context.Background(), srv.URL, def, opts)
|
||||
if err != nil {
|
||||
t.Fatalf("execute: %v", err)
|
||||
}
|
||||
if len(res.Findings) != 1 {
|
||||
t.Fatalf("got %d findings, want 1 (only /admin exists)", len(res.Findings))
|
||||
}
|
||||
if got := res.Findings[0].URL; got != srv.URL+"/admin" {
|
||||
t.Errorf("finding url = %q, want %q", got, srv.URL+"/admin")
|
||||
}
|
||||
}
|
||||
|
||||
func TestTruncateEvidence(t *testing.T) {
|
||||
short := "short evidence"
|
||||
if got := truncateEvidence(short); got != short {
|
||||
t.Errorf("short evidence changed: %q", got)
|
||||
}
|
||||
|
||||
long := make([]byte, 600)
|
||||
for i := range long {
|
||||
long[i] = 'a'
|
||||
}
|
||||
got := truncateEvidence(string(long))
|
||||
// 500 chars of content plus the ellipsis marker.
|
||||
if len(got) != 503 {
|
||||
t.Errorf("truncated len = %d, want 503", len(got))
|
||||
}
|
||||
if got[len(got)-3:] != "..." {
|
||||
t.Errorf("truncated evidence missing ellipsis: %q", got[len(got)-3:])
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,82 @@
|
||||
/*
|
||||
·━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━·
|
||||
: :
|
||||
: █▀ █ █▀▀ · Blazing-fast pentesting suite :
|
||||
: ▄█ █ █▀ · BSD 3-Clause License :
|
||||
: :
|
||||
: (c) 2022-2026 vmfunc, xyzeva, :
|
||||
: lunchcat alumni & contributors :
|
||||
: :
|
||||
·━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━·
|
||||
*/
|
||||
|
||||
package modules
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
"math"
|
||||
|
||||
"github.com/vmfunc/sif/internal/fingerprint"
|
||||
)
|
||||
|
||||
// checkFaviconHash reports whether the body's shodan mmh3 hash matches any
|
||||
// configured value. only the body (the icon) is hashed; part is ignored.
|
||||
func checkFaviconHash(body string, want []int64) bool {
|
||||
if len(want) == 0 {
|
||||
return false
|
||||
}
|
||||
got := fingerprint.FaviconHash([]byte(body))
|
||||
for _, w := range want {
|
||||
if n, ok := normalizeFaviconHash(w); ok && n == got {
|
||||
return true
|
||||
}
|
||||
}
|
||||
return false
|
||||
}
|
||||
|
||||
// normalizeFaviconHash folds a hash to the signed int32 shodan stores, accepting
|
||||
// either 32-bit form so a signed or unsigned value pastes in as-is. out-of-range
|
||||
// values are rejected so a stray number can't wrap into a false match.
|
||||
func normalizeFaviconHash(v int64) (int32, bool) {
|
||||
if v < math.MinInt32 || v > math.MaxUint32 {
|
||||
return 0, false
|
||||
}
|
||||
return int32(uint32(v)), true //nolint:gosec // intentional 32-bit fold to shodan's signed form
|
||||
}
|
||||
|
||||
// faviconEvidence gives the hash as evidence for a favicon-only finding, and
|
||||
// nothing when a word/regex matcher is present so its body evidence stands.
|
||||
func faviconEvidence(matchers []Matcher, body string) (string, bool) {
|
||||
favicon := false
|
||||
for i := range matchers {
|
||||
switch matchers[i].Type {
|
||||
case "word", "regex":
|
||||
return "", false
|
||||
case "favicon":
|
||||
favicon = true
|
||||
}
|
||||
}
|
||||
if !favicon {
|
||||
return "", false
|
||||
}
|
||||
return fmt.Sprintf("favicon mmh3=%d", fingerprint.FaviconHash([]byte(body))), true
|
||||
}
|
||||
|
||||
// validateMatchers fails favicon matchers that would silently never fire (no
|
||||
// hash, or one out of 32-bit range) at load rather than at match time.
|
||||
func validateMatchers(matchers []Matcher) error {
|
||||
for i := range matchers {
|
||||
if matchers[i].Type != "favicon" {
|
||||
continue
|
||||
}
|
||||
if len(matchers[i].Hash) == 0 {
|
||||
return fmt.Errorf("favicon matcher requires at least one hash")
|
||||
}
|
||||
for _, h := range matchers[i].Hash {
|
||||
if _, ok := normalizeFaviconHash(h); !ok {
|
||||
return fmt.Errorf("favicon hash %d out of range (use a signed int32 or unsigned uint32 value)", h)
|
||||
}
|
||||
}
|
||||
}
|
||||
return nil
|
||||
}
|
||||
@@ -0,0 +1,191 @@
|
||||
/*
|
||||
·━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━·
|
||||
: :
|
||||
: █▀ █ █▀▀ · Blazing-fast pentesting suite :
|
||||
: ▄█ █ █▀ · BSD 3-Clause License :
|
||||
: :
|
||||
: (c) 2022-2026 vmfunc, xyzeva, :
|
||||
: lunchcat alumni & contributors :
|
||||
: :
|
||||
·━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━·
|
||||
*/
|
||||
|
||||
package modules
|
||||
|
||||
import (
|
||||
"context"
|
||||
"fmt"
|
||||
"math"
|
||||
"net/http"
|
||||
"net/http/httptest"
|
||||
"strings"
|
||||
"testing"
|
||||
|
||||
"github.com/vmfunc/sif/internal/fingerprint"
|
||||
"github.com/vmfunc/sif/internal/httpx"
|
||||
)
|
||||
|
||||
// faviconFixture hashes to a negative int32, so its signed and unsigned forms
|
||||
// differ and the unsigned-match case below actually exercises the fold.
|
||||
var faviconFixture = []byte(strings.Repeat("sif-favicon-golden-test-bytes-", 8))
|
||||
|
||||
func TestCheckMatcherFavicon(t *testing.T) {
|
||||
body := string(faviconFixture)
|
||||
signed := int64(fingerprint.FaviconHash(faviconFixture))
|
||||
if signed >= 0 {
|
||||
t.Fatalf("fixture must hash to a negative int32 for the unsigned case to be meaningful, got %d", signed)
|
||||
}
|
||||
unsigned := int64(uint32(fingerprint.FaviconHash(faviconFixture)))
|
||||
|
||||
tests := []struct {
|
||||
name string
|
||||
hashes []int64
|
||||
expect bool
|
||||
}{
|
||||
{name: "signed match", hashes: []int64{signed}, expect: true},
|
||||
{name: "unsigned match", hashes: []int64{unsigned}, expect: true},
|
||||
{name: "one of many", hashes: []int64{1, 2, signed}, expect: true},
|
||||
{name: "no match", hashes: []int64{1, 2, 3}, expect: false},
|
||||
{name: "empty list", hashes: nil, expect: false},
|
||||
{name: "out-of-range ignored", hashes: []int64{1 << 40}, expect: false},
|
||||
}
|
||||
for _, tt := range tests {
|
||||
t.Run(tt.name, func(t *testing.T) {
|
||||
m := &Matcher{Type: "favicon", Hash: tt.hashes}
|
||||
resp := fakeResponse(t, 200, nil)
|
||||
if got := checkMatcher(m, resp, body); got != tt.expect {
|
||||
t.Errorf("checkMatcher favicon = %v, want %v", got, tt.expect)
|
||||
}
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
func TestNormalizeFaviconHash(t *testing.T) {
|
||||
tests := []struct {
|
||||
name string
|
||||
in int64
|
||||
want int32
|
||||
wantOK bool
|
||||
}{
|
||||
{name: "signed passthrough", in: -235701012, want: -235701012, wantOK: true},
|
||||
{name: "unsigned folds to signed", in: 4059266284, want: -235701012, wantOK: true},
|
||||
{name: "positive in range", in: 116323821, want: 116323821, wantOK: true},
|
||||
{name: "min int32", in: math.MinInt32, want: math.MinInt32, wantOK: true},
|
||||
{name: "max uint32 folds to -1", in: math.MaxUint32, want: -1, wantOK: true},
|
||||
{name: "above uint32 rejected", in: math.MaxUint32 + 1, wantOK: false},
|
||||
{name: "below int32 rejected", in: math.MinInt32 - 1, wantOK: false},
|
||||
}
|
||||
for _, tt := range tests {
|
||||
t.Run(tt.name, func(t *testing.T) {
|
||||
got, ok := normalizeFaviconHash(tt.in)
|
||||
if ok != tt.wantOK {
|
||||
t.Fatalf("ok = %v, want %v", ok, tt.wantOK)
|
||||
}
|
||||
if ok && got != tt.want {
|
||||
t.Errorf("normalizeFaviconHash(%d) = %d, want %d", tt.in, got, tt.want)
|
||||
}
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
func TestFaviconEvidence(t *testing.T) {
|
||||
body := string(faviconFixture)
|
||||
hashLine := fmt.Sprintf("favicon mmh3=%d", fingerprint.FaviconHash(faviconFixture))
|
||||
tests := []struct {
|
||||
name string
|
||||
matchers []Matcher
|
||||
want string
|
||||
wantOK bool
|
||||
}{
|
||||
{name: "favicon only", matchers: []Matcher{{Type: "favicon"}}, want: hashLine, wantOK: true},
|
||||
{name: "favicon with status", matchers: []Matcher{{Type: "status"}, {Type: "favicon"}}, want: hashLine, wantOK: true},
|
||||
{name: "favicon with word keeps body", matchers: []Matcher{{Type: "word"}, {Type: "favicon"}}, wantOK: false},
|
||||
{name: "favicon with regex keeps body", matchers: []Matcher{{Type: "regex"}, {Type: "favicon"}}, wantOK: false},
|
||||
{name: "no favicon matcher", matchers: []Matcher{{Type: "status"}}, wantOK: false},
|
||||
}
|
||||
for _, tt := range tests {
|
||||
t.Run(tt.name, func(t *testing.T) {
|
||||
got, ok := faviconEvidence(tt.matchers, body)
|
||||
if ok != tt.wantOK {
|
||||
t.Fatalf("ok = %v, want %v", ok, tt.wantOK)
|
||||
}
|
||||
if ok && got != tt.want {
|
||||
t.Errorf("evidence = %q, want %q", got, tt.want)
|
||||
}
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
func TestValidateMatchers(t *testing.T) {
|
||||
tests := []struct {
|
||||
name string
|
||||
matchers []Matcher
|
||||
wantErr bool
|
||||
}{
|
||||
{name: "valid signed", matchers: []Matcher{{Type: "favicon", Hash: []int64{-235701012}}}, wantErr: false},
|
||||
{name: "valid unsigned", matchers: []Matcher{{Type: "favicon", Hash: []int64{4059266284}}}, wantErr: false},
|
||||
{name: "favicon with no hash", matchers: []Matcher{{Type: "favicon"}}, wantErr: true},
|
||||
{name: "out-of-range hash", matchers: []Matcher{{Type: "favicon", Hash: []int64{99999999999}}}, wantErr: true},
|
||||
{name: "non-favicon ignored", matchers: []Matcher{{Type: "word", Words: []string{"x"}}}, wantErr: false},
|
||||
}
|
||||
for _, tt := range tests {
|
||||
t.Run(tt.name, func(t *testing.T) {
|
||||
if err := validateMatchers(tt.matchers); (err != nil) != tt.wantErr {
|
||||
t.Errorf("validateMatchers err = %v, wantErr %v", err, tt.wantErr)
|
||||
}
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
// favicon composes with the negative flag like any other matcher.
|
||||
func TestCheckMatcherFaviconNegative(t *testing.T) {
|
||||
signed := int64(fingerprint.FaviconHash(faviconFixture))
|
||||
matchers := []Matcher{{Type: "favicon", Hash: []int64{signed}, Negative: true}}
|
||||
resp := fakeResponse(t, 200, nil)
|
||||
if checkMatchers(matchers, "", resp, string(faviconFixture)) {
|
||||
t.Error("negative favicon matcher should not match its own hash")
|
||||
}
|
||||
}
|
||||
|
||||
// drives the full executor: fetch favicon, match on its hash, report the hash.
|
||||
func TestExecuteHTTPModuleFavicon(t *testing.T) {
|
||||
srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||
if r.URL.Path == "/favicon.ico" {
|
||||
w.Header().Set("Content-Type", "image/x-icon")
|
||||
_, _ = w.Write(faviconFixture)
|
||||
return
|
||||
}
|
||||
w.WriteHeader(http.StatusNotFound)
|
||||
}))
|
||||
defer srv.Close()
|
||||
|
||||
// unsigned form must still match end to end
|
||||
unsigned := int64(uint32(fingerprint.FaviconHash(faviconFixture)))
|
||||
def := &YAMLModule{
|
||||
ID: "favicon-fp",
|
||||
Type: TypeHTTP,
|
||||
Info: YAMLModuleInfo{Severity: "info"},
|
||||
HTTP: &HTTPConfig{
|
||||
Method: "GET",
|
||||
Paths: []string{"{{BaseURL}}/favicon.ico"},
|
||||
Matchers: []Matcher{
|
||||
{Type: "status", Status: []int{200}},
|
||||
{Type: "favicon", Hash: []int64{unsigned}},
|
||||
},
|
||||
},
|
||||
}
|
||||
|
||||
opts := Options{Timeout: testTimeout, Client: httpx.Client(testTimeout)}
|
||||
result, err := ExecuteHTTPModule(context.Background(), srv.URL, def, opts)
|
||||
if err != nil {
|
||||
t.Fatalf("ExecuteHTTPModule: %v", err)
|
||||
}
|
||||
if len(result.Findings) != 1 {
|
||||
t.Fatalf("got %d findings, want 1", len(result.Findings))
|
||||
}
|
||||
|
||||
wantEvidence := fmt.Sprintf("favicon mmh3=%d", fingerprint.FaviconHash(faviconFixture))
|
||||
if got := result.Findings[0].Evidence; got != wantEvidence {
|
||||
t.Errorf("evidence = %q, want %q", got, wantEvidence)
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,93 @@
|
||||
package modules_test
|
||||
|
||||
import (
|
||||
"context"
|
||||
"net/http"
|
||||
"net/http/httptest"
|
||||
"testing"
|
||||
"time"
|
||||
|
||||
"github.com/vmfunc/sif/internal/modules"
|
||||
)
|
||||
|
||||
func runGrafanaModule(t *testing.T, file string, status int, body string) *modules.Result {
|
||||
t.Helper()
|
||||
def, err := modules.ParseYAMLModule(file)
|
||||
if err != nil {
|
||||
t.Fatalf("parse %s: %v", file, err)
|
||||
}
|
||||
srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||
w.WriteHeader(status)
|
||||
_, _ = w.Write([]byte(body))
|
||||
}))
|
||||
defer srv.Close()
|
||||
|
||||
res, err := modules.ExecuteHTTPModule(context.Background(), srv.URL, def, modules.Options{
|
||||
Timeout: 5 * time.Second,
|
||||
Threads: 2,
|
||||
})
|
||||
if err != nil {
|
||||
t.Fatalf("execute %s: %v", file, err)
|
||||
}
|
||||
return res
|
||||
}
|
||||
|
||||
func grafanaExtract(res *modules.Result, key string) string {
|
||||
for _, f := range res.Findings {
|
||||
if v := f.Extracted[key]; v != "" {
|
||||
return v
|
||||
}
|
||||
}
|
||||
return ""
|
||||
}
|
||||
|
||||
func TestGrafanaAnonymousExposureModule(t *testing.T) {
|
||||
const grafana = "../../modules/recon/grafana-anonymous-exposure.yaml"
|
||||
|
||||
t.Run("an anonymous search result is flagged with a dashboard title", func(t *testing.T) {
|
||||
body := `[{"id":1,"uid":"abc123","title":"Production Overview","uri":"db/production-overview",` +
|
||||
`"url":"/d/abc123/production-overview","slug":"","type":"dash-db","tags":["prod"],` +
|
||||
`"isStarred":false,"sortMeta":0}]`
|
||||
res := runGrafanaModule(t, grafana, 200, body)
|
||||
if len(res.Findings) == 0 {
|
||||
t.Fatal("expected a grafana finding")
|
||||
}
|
||||
if v := grafanaExtract(res, "grafana_dashboard"); v != "Production Overview" {
|
||||
t.Errorf("grafana_dashboard=%q, want Production Overview", v)
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a folder-only result is not flagged", func(t *testing.T) {
|
||||
body := `[{"id":1,"uid":"f","title":"General","uri":"db/general","url":"/dashboards/f/general",` +
|
||||
`"type":"dash-folder","isStarred":false}]`
|
||||
if res := runGrafanaModule(t, grafana, 200, body); len(res.Findings) > 0 {
|
||||
t.Errorf("a folder-only search should not match, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a dash-db result without isStarred is not flagged", func(t *testing.T) {
|
||||
body := `[{"uid":"abc","title":"x","uri":"db/x","type":"dash-db"}]`
|
||||
if res := runGrafanaModule(t, grafana, 200, body); len(res.Findings) > 0 {
|
||||
t.Errorf("a partial search blob should not match, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a login-required grafana is not flagged", func(t *testing.T) {
|
||||
body := `{"message":"Unauthorized"}`
|
||||
if res := runGrafanaModule(t, grafana, 401, body); len(res.Findings) > 0 {
|
||||
t.Errorf("a 401 grafana should not match, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a plain 200 body is not a leak", func(t *testing.T) {
|
||||
if res := runGrafanaModule(t, grafana, 200, "ok"); len(res.Findings) > 0 {
|
||||
t.Errorf("a plain 200 body should not match, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a 404 is not a leak", func(t *testing.T) {
|
||||
if res := runGrafanaModule(t, grafana, 404, "not found"); len(res.Findings) > 0 {
|
||||
t.Errorf("a 404 should not match, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
}
|
||||
@@ -0,0 +1,128 @@
|
||||
package modules_test
|
||||
|
||||
import (
|
||||
"context"
|
||||
"net/http"
|
||||
"net/http/httptest"
|
||||
"testing"
|
||||
"time"
|
||||
|
||||
"github.com/vmfunc/sif/internal/modules"
|
||||
)
|
||||
|
||||
const zkMonitorBody = `{"command":"monitor","error":null,"version":"3.9.2-a8d7f3e",` +
|
||||
`"server_state":"leader","avg_latency":0,"max_latency":12,"min_latency":0,` +
|
||||
`"packets_received":1532,"packets_sent":1531,"num_alive_connections":3,` +
|
||||
`"outstanding_requests":0,"znode_count":127,"watch_count":4,"ephemerals_count":2,` +
|
||||
`"approximate_data_size":45219,"open_file_descriptor_count":67,"max_file_descriptor_count":1048576}`
|
||||
|
||||
const nameNodeInfoBody = `{"beans":[{"name":"Hadoop:service=NameNode,name=NameNodeInfo",` +
|
||||
`"modelerType":"org.apache.hadoop.hdfs.server.namenode.FSNamesystem",` +
|
||||
`"SoftwareVersion":"3.3.6","Version":"3.3.6, rUNKNOWN","Total":2147483648,"Free":1073741824,` +
|
||||
`"Safemode":"","ClusterId":"CID-abc123","BlockPoolId":"BP-998-10.0.0.1-170",` +
|
||||
`"LiveNodes":"{\"dn1.hdfs.internal:9866\":{\"infoAddr\":\"10.0.0.2:9864\"}}",` +
|
||||
`"DeadNodes":"{}","DecomNodes":"{}","TotalBlocks":1024,"TotalFiles":512}]}`
|
||||
|
||||
func runHadoopZKModule(t *testing.T, file string, status int, body string) *modules.Result {
|
||||
t.Helper()
|
||||
def, err := modules.ParseYAMLModule(file)
|
||||
if err != nil {
|
||||
t.Fatalf("parse %s: %v", file, err)
|
||||
}
|
||||
srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||
w.WriteHeader(status)
|
||||
_, _ = w.Write([]byte(body))
|
||||
}))
|
||||
defer srv.Close()
|
||||
|
||||
res, err := modules.ExecuteHTTPModule(context.Background(), srv.URL, def, modules.Options{
|
||||
Timeout: 5 * time.Second,
|
||||
Threads: 2,
|
||||
})
|
||||
if err != nil {
|
||||
t.Fatalf("execute %s: %v", file, err)
|
||||
}
|
||||
return res
|
||||
}
|
||||
|
||||
func hadoopZKExtract(res *modules.Result, key string) string {
|
||||
for _, f := range res.Findings {
|
||||
if v := f.Extracted[key]; v != "" {
|
||||
return v
|
||||
}
|
||||
}
|
||||
return ""
|
||||
}
|
||||
|
||||
func TestHadoopZooKeeperExposureModules(t *testing.T) {
|
||||
const zk = "../../modules/recon/zookeeper-admin-exposure.yaml"
|
||||
const namenode = "../../modules/recon/hadoop-namenode-exposure.yaml"
|
||||
|
||||
t.Run("an open zookeeper monitor is flagged with the version", func(t *testing.T) {
|
||||
res := runHadoopZKModule(t, zk, 200, zkMonitorBody)
|
||||
if len(res.Findings) == 0 {
|
||||
t.Fatal("expected a zookeeper finding")
|
||||
}
|
||||
if v := hadoopZKExtract(res, "zookeeper_version"); v != "3.9.2-a8d7f3e" {
|
||||
t.Errorf("zookeeper_version=%q, want 3.9.2-a8d7f3e", v)
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a different adminserver command is not flagged", func(t *testing.T) {
|
||||
body := `{"command":"configuration","error":null,"version":"3.9.2","clientPort":2181}`
|
||||
if res := runHadoopZKModule(t, zk, 200, body); len(res.Findings) > 0 {
|
||||
t.Errorf("a non-monitor command should not match, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a firewalled or absent adminserver is not flagged", func(t *testing.T) {
|
||||
if res := runHadoopZKModule(t, zk, 404, "not found"); len(res.Findings) > 0 {
|
||||
t.Errorf("a 404 should not match zookeeper, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a namenode jmx body does not match the zookeeper module", func(t *testing.T) {
|
||||
if res := runHadoopZKModule(t, zk, 200, nameNodeInfoBody); len(res.Findings) > 0 {
|
||||
t.Errorf("a namenode body should not match zookeeper, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("an open namenode jmx is flagged with the hdfs version", func(t *testing.T) {
|
||||
res := runHadoopZKModule(t, namenode, 200, nameNodeInfoBody)
|
||||
if len(res.Findings) == 0 {
|
||||
t.Fatal("expected a namenode finding")
|
||||
}
|
||||
if v := hadoopZKExtract(res, "hdfs_version"); v != "3.3.6" {
|
||||
t.Errorf("hdfs_version=%q, want 3.3.6", v)
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a different hadoop jmx bean is not flagged", func(t *testing.T) {
|
||||
body := `{"beans":[{"name":"Hadoop:service=DataNode,name=DataNodeInfo",` +
|
||||
`"SoftwareVersion":"3.3.6","LiveNodes":"","DeadNodes":""}]}`
|
||||
if res := runHadoopZKModule(t, namenode, 200, body); len(res.Findings) > 0 {
|
||||
t.Errorf("a non-NameNodeInfo bean should not match, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a kerberos-secured namenode is not flagged", func(t *testing.T) {
|
||||
if res := runHadoopZKModule(t, namenode, 401, "Authentication required"); len(res.Findings) > 0 {
|
||||
t.Errorf("a 401 namenode should not match, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a zookeeper monitor body does not match the namenode module", func(t *testing.T) {
|
||||
if res := runHadoopZKModule(t, namenode, 200, zkMonitorBody); len(res.Findings) > 0 {
|
||||
t.Errorf("a zookeeper body should not match namenode, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("plain 200 bodies are not leaks", func(t *testing.T) {
|
||||
if res := runHadoopZKModule(t, zk, 200, "ok"); len(res.Findings) > 0 {
|
||||
t.Errorf("a plain 200 should not match zookeeper, got %d findings", len(res.Findings))
|
||||
}
|
||||
if res := runHadoopZKModule(t, namenode, 200, "ok"); len(res.Findings) > 0 {
|
||||
t.Errorf("a plain 200 should not match namenode, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
}
|
||||
@@ -0,0 +1,168 @@
|
||||
package modules_test
|
||||
|
||||
import (
|
||||
"context"
|
||||
"net/http"
|
||||
"net/http/httptest"
|
||||
"testing"
|
||||
"time"
|
||||
|
||||
"github.com/vmfunc/sif/internal/modules"
|
||||
)
|
||||
|
||||
func runHTTPDBModule(t *testing.T, file string, status int, body string) *modules.Result {
|
||||
t.Helper()
|
||||
def, err := modules.ParseYAMLModule(file)
|
||||
if err != nil {
|
||||
t.Fatalf("parse %s: %v", file, err)
|
||||
}
|
||||
srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||
w.WriteHeader(status)
|
||||
_, _ = w.Write([]byte(body))
|
||||
}))
|
||||
defer srv.Close()
|
||||
|
||||
res, err := modules.ExecuteHTTPModule(context.Background(), srv.URL, def, modules.Options{
|
||||
Timeout: 5 * time.Second,
|
||||
Threads: 2,
|
||||
})
|
||||
if err != nil {
|
||||
t.Fatalf("execute %s: %v", file, err)
|
||||
}
|
||||
return res
|
||||
}
|
||||
|
||||
func httpdbExtract(res *modules.Result, key string) string {
|
||||
for _, f := range res.Findings {
|
||||
if v := f.Extracted[key]; v != "" {
|
||||
return v
|
||||
}
|
||||
}
|
||||
return ""
|
||||
}
|
||||
|
||||
func TestHTTPDatabaseExposureModules(t *testing.T) {
|
||||
const influxdb = "../../modules/recon/influxdb-api-exposure.yaml"
|
||||
const arangodb = "../../modules/recon/arangodb-api-exposure.yaml"
|
||||
const neo4j = "../../modules/recon/neo4j-api-exposure.yaml"
|
||||
|
||||
influxHealth := `{"name":"influxdb","message":"ready for queries and writes","status":"pass",` +
|
||||
`"checks":[],"version":"2.9.1","commit":"a1b2c3d4"}`
|
||||
|
||||
arangoVersion := `{"server":"arango","version":"3.11.5","license":"community"}`
|
||||
|
||||
neo4jDiscovery := `{"bolt_routing":"neo4j://localhost:7687","transaction":"http://localhost:7474/db/{databaseName}/tx",` +
|
||||
`"bolt_direct":"bolt://localhost:7687","neo4j_version":"5.13.0","neo4j_edition":"community"}`
|
||||
|
||||
t.Run("an exposed influxdb health endpoint is flagged and versioned", func(t *testing.T) {
|
||||
res := runHTTPDBModule(t, influxdb, 200, influxHealth)
|
||||
if len(res.Findings) == 0 {
|
||||
t.Fatal("expected an influxdb finding")
|
||||
}
|
||||
if v := httpdbExtract(res, "influxdb_version"); v != "2.9.1" {
|
||||
t.Errorf("influxdb_version=%q, want 2.9.1", v)
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("an anonymous arangodb version endpoint is flagged and versioned", func(t *testing.T) {
|
||||
res := runHTTPDBModule(t, arangodb, 200, arangoVersion)
|
||||
if len(res.Findings) == 0 {
|
||||
t.Fatal("expected an arangodb finding")
|
||||
}
|
||||
if v := httpdbExtract(res, "arangodb_version"); v != "3.11.5" {
|
||||
t.Errorf("arangodb_version=%q, want 3.11.5", v)
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("an exposed neo4j discovery endpoint is flagged and versioned", func(t *testing.T) {
|
||||
res := runHTTPDBModule(t, neo4j, 200, neo4jDiscovery)
|
||||
if len(res.Findings) == 0 {
|
||||
t.Fatal("expected a neo4j finding")
|
||||
}
|
||||
if v := httpdbExtract(res, "neo4j_version"); v != "5.13.0" {
|
||||
t.Errorf("neo4j_version=%q, want 5.13.0", v)
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("an influxdb name without the health message is not flagged", func(t *testing.T) {
|
||||
body := `{"name":"influxdb","status":"pass"}`
|
||||
if res := runHTTPDBModule(t, influxdb, 200, body); len(res.Findings) > 0 {
|
||||
t.Errorf("an influxdb name alone should not match, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a health message without the influxdb name is not flagged", func(t *testing.T) {
|
||||
body := `{"name":"telegraf","message":"ready for queries and writes"}`
|
||||
if res := runHTTPDBModule(t, influxdb, 200, body); len(res.Findings) > 0 {
|
||||
t.Errorf("the message alone should not match influxdb, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("an arango without a license field is still flagged", func(t *testing.T) {
|
||||
body := `{"server":"arango","version":"3.11.5"}`
|
||||
res := runHTTPDBModule(t, arangodb, 200, body)
|
||||
if len(res.Findings) == 0 {
|
||||
t.Fatal("expected an arangodb finding without a license field (pre-3.12)")
|
||||
}
|
||||
if v := httpdbExtract(res, "arangodb_version"); v != "3.11.5" {
|
||||
t.Errorf("arangodb_version=%q, want 3.11.5", v)
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a non-arango version response is not flagged", func(t *testing.T) {
|
||||
body := `{"server":"foundationdb","version":"1.0.0"}`
|
||||
if res := runHTTPDBModule(t, arangodb, 200, body); len(res.Findings) > 0 {
|
||||
t.Errorf("a non-arango server should not match, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("an arango response without a version is not flagged", func(t *testing.T) {
|
||||
body := `{"server":"arango"}`
|
||||
if res := runHTTPDBModule(t, arangodb, 200, body); len(res.Findings) > 0 {
|
||||
t.Errorf("an arango without a version should not match, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("an arango that requires auth is not flagged", func(t *testing.T) {
|
||||
if res := runHTTPDBModule(t, arangodb, 401, arangoVersion); len(res.Findings) > 0 {
|
||||
t.Errorf("a 401 arango should not match, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a neo4j version without an edition is not flagged", func(t *testing.T) {
|
||||
body := `{"neo4j_version":"5.13.0","transaction":"http://localhost:7474/db/neo4j/tx"}`
|
||||
if res := runHTTPDBModule(t, neo4j, 200, body); len(res.Findings) > 0 {
|
||||
t.Errorf("a neo4j version alone should not match, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a neo4j edition without a version is not flagged", func(t *testing.T) {
|
||||
body := `{"neo4j_edition":"community","bolt_routing":"neo4j://localhost:7687"}`
|
||||
if res := runHTTPDBModule(t, neo4j, 200, body); len(res.Findings) > 0 {
|
||||
t.Errorf("a neo4j edition alone should not match, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a generic health json is not influxdb", func(t *testing.T) {
|
||||
body := `{"status":"UP","components":{"db":{"status":"UP"}}}`
|
||||
if res := runHTTPDBModule(t, influxdb, 200, body); len(res.Findings) > 0 {
|
||||
t.Errorf("a generic health should not match influxdb, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a plain 200 body is not a leak", func(t *testing.T) {
|
||||
for _, file := range []string{influxdb, arangodb, neo4j} {
|
||||
if res := runHTTPDBModule(t, file, 200, "ok"); len(res.Findings) > 0 {
|
||||
t.Errorf("%s: a plain 200 body should not match, got %d findings", file, len(res.Findings))
|
||||
}
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a 404 is not a leak", func(t *testing.T) {
|
||||
for _, file := range []string{influxdb, arangodb, neo4j} {
|
||||
if res := runHTTPDBModule(t, file, 404, "not found"); len(res.Findings) > 0 {
|
||||
t.Errorf("%s: a 404 should not match, got %d findings", file, len(res.Findings))
|
||||
}
|
||||
}
|
||||
})
|
||||
}
|
||||
@@ -0,0 +1,195 @@
|
||||
package modules_test
|
||||
|
||||
import (
|
||||
"context"
|
||||
"net/http"
|
||||
"net/http/httptest"
|
||||
"testing"
|
||||
"time"
|
||||
|
||||
"github.com/vmfunc/sif/internal/modules"
|
||||
)
|
||||
|
||||
func runImageGenModule(t *testing.T, file string, status int, body string) *modules.Result {
|
||||
t.Helper()
|
||||
def, err := modules.ParseYAMLModule(file)
|
||||
if err != nil {
|
||||
t.Fatalf("parse %s: %v", file, err)
|
||||
}
|
||||
srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||
w.WriteHeader(status)
|
||||
_, _ = w.Write([]byte(body))
|
||||
}))
|
||||
defer srv.Close()
|
||||
|
||||
res, err := modules.ExecuteHTTPModule(context.Background(), srv.URL, def, modules.Options{
|
||||
Timeout: 5 * time.Second,
|
||||
Threads: 2,
|
||||
})
|
||||
if err != nil {
|
||||
t.Fatalf("execute %s: %v", file, err)
|
||||
}
|
||||
return res
|
||||
}
|
||||
|
||||
func imageGenExtract(res *modules.Result, key string) string {
|
||||
for _, f := range res.Findings {
|
||||
if v := f.Extracted[key]; v != "" {
|
||||
return v
|
||||
}
|
||||
}
|
||||
return ""
|
||||
}
|
||||
|
||||
func TestImageGenExposureModules(t *testing.T) {
|
||||
const comfyui = "../../modules/recon/comfyui-api-exposure.yaml"
|
||||
const a1111 = "../../modules/recon/automatic1111-api-exposure.yaml"
|
||||
const fooocus = "../../modules/recon/fooocus-api-exposure.yaml"
|
||||
const iopaint = "../../modules/recon/iopaint-api-exposure.yaml"
|
||||
|
||||
comfyStats := `{"system":{"os":"posix","ram_total":67430219776,"ram_free":12345678,` +
|
||||
`"comfyui_version":"0.3.40","python_version":"3.11.9","pytorch_version":"2.3.1",` +
|
||||
`"embedded_python":false,"argv":["main.py"]},"devices":[{"name":"cuda:0 NVIDIA RTX 4090",` +
|
||||
`"type":"cuda","index":0,"vram_total":25757220864,"vram_free":24000000000,` +
|
||||
`"torch_vram_total":268435456,"torch_vram_free":260000000}]}`
|
||||
|
||||
a1111Models := `[{"title":"sd_xl_base_1.0.safetensors [31e35c80fc]","model_name":"sd_xl_base_1.0",` +
|
||||
`"hash":"31e35c80fc","sha256":"31e35c80fc4829d14f90153f4c74cd59c90b779f6afe05a74cd6120b893f7e5b",` +
|
||||
`"filename":"/home/sd/models/Stable-diffusion/sd_xl_base_1.0.safetensors","config":null}]`
|
||||
|
||||
fooocusModels := `{"model_filenames":["juggernautXL_v8.safetensors","sd_xl_base_1.0.safetensors"],` +
|
||||
`"lora_filenames":["sdxl_lcm_lora.safetensors"]}`
|
||||
|
||||
iopaintConfig := `{"plugins":[{"name":"RemoveBG","support_gen_image":true,"support_gen_mask":false}],` +
|
||||
`"modelInfos":[{"name":"lama","path":"lama","model_type":"inpaint"}],` +
|
||||
`"removeBGModel":"briaai/RMBG-1.4","removeBGModels":["briaai/RMBG-1.4","u2net"],` +
|
||||
`"realesrganModel":"realesr-general-x4v3","realesrganModels":["realesr-general-x4v3"],` +
|
||||
`"interactiveSegModel":"sam2_1_tiny","interactiveSegModels":["vit_b","sam2_1_tiny"],` +
|
||||
`"enableFileManager":true,"enableAutoSaving":false,"enableControlnet":false,` +
|
||||
`"controlnetMethod":null,"disableModelSwitch":false,"isDesktop":false,` +
|
||||
`"samplers":["DPM++ 2M","Euler","Euler a"]}`
|
||||
|
||||
t.Run("a comfyui system_stats is flagged with its version", func(t *testing.T) {
|
||||
res := runImageGenModule(t, comfyui, 200, comfyStats)
|
||||
if len(res.Findings) == 0 {
|
||||
t.Fatal("expected a comfyui finding")
|
||||
}
|
||||
if v := imageGenExtract(res, "comfyui_version"); v != "0.3.40" {
|
||||
t.Errorf("comfyui_version=%q, want 0.3.40", v)
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a system_stats without comfyui keys is not flagged", func(t *testing.T) {
|
||||
body := `{"system":{"os":"linux","ram_total":123},"devices":[]}`
|
||||
if res := runImageGenModule(t, comfyui, 200, body); len(res.Findings) > 0 {
|
||||
t.Errorf("a generic system stats should not match comfyui, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a comfyui version without device memory is not flagged", func(t *testing.T) {
|
||||
body := `{"system":{"comfyui_version":"0.3.40"}}`
|
||||
if res := runImageGenModule(t, comfyui, 200, body); len(res.Findings) > 0 {
|
||||
t.Errorf("a version-only body should not match comfyui, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("an automatic1111 sd-models list is flagged with its checkpoint", func(t *testing.T) {
|
||||
res := runImageGenModule(t, a1111, 200, a1111Models)
|
||||
if len(res.Findings) == 0 {
|
||||
t.Fatal("expected an automatic1111 finding")
|
||||
}
|
||||
if v := imageGenExtract(res, "sd_model_name"); v != "sd_xl_base_1.0" {
|
||||
t.Errorf("sd_model_name=%q, want sd_xl_base_1.0", v)
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a list with a model_name but no filename is not flagged as a1111", func(t *testing.T) {
|
||||
body := `[{"title":"some entry","model_name":"thing"}]`
|
||||
if res := runImageGenModule(t, a1111, 200, body); len(res.Findings) > 0 {
|
||||
t.Errorf("a partial entry should not match automatic1111, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a generic titled list is not flagged as a1111", func(t *testing.T) {
|
||||
body := `[{"title":"My Blog Post","filename":"post.md","author":"someone"}]`
|
||||
if res := runImageGenModule(t, a1111, 200, body); len(res.Findings) > 0 {
|
||||
t.Errorf("a generic list should not match automatic1111, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a model_name and filename without a title is not flagged as a1111", func(t *testing.T) {
|
||||
body := `[{"model_name":"thing","filename":"/tmp/thing.bin"}]`
|
||||
if res := runImageGenModule(t, a1111, 200, body); len(res.Findings) > 0 {
|
||||
t.Errorf("a titleless entry should not match automatic1111, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a fooocus-api all-models is flagged with its checkpoint", func(t *testing.T) {
|
||||
res := runImageGenModule(t, fooocus, 200, fooocusModels)
|
||||
if len(res.Findings) == 0 {
|
||||
t.Fatal("expected a fooocus finding")
|
||||
}
|
||||
if v := imageGenExtract(res, "fooocus_model"); v != "juggernautXL_v8.safetensors" {
|
||||
t.Errorf("fooocus_model=%q, want juggernautXL_v8.safetensors", v)
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a body without model_filenames is not flagged as fooocus", func(t *testing.T) {
|
||||
if res := runImageGenModule(t, fooocus, 200, `{"lora_filenames":["x.safetensors"]}`); len(res.Findings) > 0 {
|
||||
t.Errorf("a body without model_filenames should not match fooocus, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a body without lora_filenames is not flagged as fooocus", func(t *testing.T) {
|
||||
if res := runImageGenModule(t, fooocus, 200, `{"model_filenames":["x.safetensors"]}`); len(res.Findings) > 0 {
|
||||
t.Errorf("a body without lora_filenames should not match fooocus, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("an iopaint server-config is flagged with its file-manager state", func(t *testing.T) {
|
||||
res := runImageGenModule(t, iopaint, 200, iopaintConfig)
|
||||
if len(res.Findings) == 0 {
|
||||
t.Fatal("expected an iopaint finding")
|
||||
}
|
||||
if v := imageGenExtract(res, "iopaint_file_manager"); v != "true" {
|
||||
t.Errorf("iopaint_file_manager=%q, want true", v)
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a config without interactiveSegModel is not flagged as iopaint", func(t *testing.T) {
|
||||
body := `{"modelInfos":[],"enableFileManager":true,"disableModelSwitch":false,"samplers":[]}`
|
||||
if res := runImageGenModule(t, iopaint, 200, body); len(res.Findings) > 0 {
|
||||
t.Errorf("a body without interactiveSegModel should not match iopaint, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a config without enableFileManager is not flagged as iopaint", func(t *testing.T) {
|
||||
body := `{"interactiveSegModel":"vit_b","disableModelSwitch":false,"samplers":[]}`
|
||||
if res := runImageGenModule(t, iopaint, 200, body); len(res.Findings) > 0 {
|
||||
t.Errorf("a body without enableFileManager should not match iopaint, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a config without disableModelSwitch is not flagged as iopaint", func(t *testing.T) {
|
||||
body := `{"interactiveSegModel":"vit_b","enableFileManager":true,"samplers":[]}`
|
||||
if res := runImageGenModule(t, iopaint, 200, body); len(res.Findings) > 0 {
|
||||
t.Errorf("a body without disableModelSwitch should not match iopaint, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a plain 200 body is not a leak", func(t *testing.T) {
|
||||
for _, file := range []string{comfyui, a1111, fooocus, iopaint} {
|
||||
if res := runImageGenModule(t, file, 200, "ok"); len(res.Findings) > 0 {
|
||||
t.Errorf("%s: a plain 200 body should not match, got %d findings", file, len(res.Findings))
|
||||
}
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a 404 is not a leak", func(t *testing.T) {
|
||||
for _, file := range []string{comfyui, a1111, fooocus, iopaint} {
|
||||
if res := runImageGenModule(t, file, 404, "not found"); len(res.Findings) > 0 {
|
||||
t.Errorf("%s: a 404 should not match, got %d findings", file, len(res.Findings))
|
||||
}
|
||||
}
|
||||
})
|
||||
}
|
||||
@@ -0,0 +1,151 @@
|
||||
/*
|
||||
·━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━·
|
||||
: :
|
||||
: █▀ █ █▀▀ · Blazing-fast pentesting suite :
|
||||
: ▄█ █ █▀ · BSD 3-Clause License :
|
||||
: :
|
||||
: (c) 2022-2026 vmfunc, xyzeva, :
|
||||
: lunchcat alumni & contributors :
|
||||
: :
|
||||
·━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━·
|
||||
*/
|
||||
|
||||
package modules_test
|
||||
|
||||
import (
|
||||
"context"
|
||||
"net/http"
|
||||
"net/http/httptest"
|
||||
"testing"
|
||||
"time"
|
||||
|
||||
"github.com/vmfunc/sif/internal/modules"
|
||||
)
|
||||
|
||||
func runInfraModule(t *testing.T, file string, status int, body string) *modules.Result {
|
||||
t.Helper()
|
||||
def, err := modules.ParseYAMLModule(file)
|
||||
if err != nil {
|
||||
t.Fatalf("parse %s: %v", file, err)
|
||||
}
|
||||
srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||
w.WriteHeader(status)
|
||||
_, _ = w.Write([]byte(body))
|
||||
}))
|
||||
defer srv.Close()
|
||||
|
||||
res, err := modules.ExecuteHTTPModule(context.Background(), srv.URL, def, modules.Options{
|
||||
Timeout: 5 * time.Second,
|
||||
Threads: 2,
|
||||
})
|
||||
if err != nil {
|
||||
t.Fatalf("execute %s: %v", file, err)
|
||||
}
|
||||
return res
|
||||
}
|
||||
|
||||
func infraExtract(res *modules.Result, key string) string {
|
||||
for _, f := range res.Findings {
|
||||
if v := f.Extracted[key]; v != "" {
|
||||
return v
|
||||
}
|
||||
}
|
||||
return ""
|
||||
}
|
||||
|
||||
func TestInfraConfigExposureModules(t *testing.T) {
|
||||
const terraform = "../../modules/recon/terraform-state-exposure.yaml"
|
||||
const kubeconfig = "../../modules/recon/kubeconfig-exposure.yaml"
|
||||
const compose = "../../modules/recon/docker-compose-exposure.yaml"
|
||||
|
||||
t.Run("terraform state leaks the terraform version", func(t *testing.T) {
|
||||
body := `{"version":4,"terraform_version":"1.5.7","serial":12,"lineage":"a1b2",` +
|
||||
`"outputs":{},"resources":[{"type":"aws_db_instance","name":"main"}]}`
|
||||
res := runInfraModule(t, terraform, 200, body)
|
||||
if len(res.Findings) == 0 {
|
||||
t.Fatal("expected a terraform state finding")
|
||||
}
|
||||
if v := infraExtract(res, "terraform_version"); v != "1.5.7" {
|
||||
t.Errorf("terraform_version=%q, want 1.5.7", v)
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("terraform state with a pre-release version still extracts the number", func(t *testing.T) {
|
||||
body := `{"version":4,"terraform_version":"0.12.0-beta1","serial":1,"lineage":"x","resources":[]}`
|
||||
res := runInfraModule(t, terraform, 200, body)
|
||||
if len(res.Findings) == 0 {
|
||||
t.Fatal("expected a terraform state finding")
|
||||
}
|
||||
if v := infraExtract(res, "terraform_version"); v != "0.12.0" {
|
||||
t.Errorf("terraform_version=%q, want 0.12.0", v)
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("kubeconfig leaks the cluster server", func(t *testing.T) {
|
||||
body := "apiVersion: v1\nkind: Config\nclusters:\n- cluster:\n" +
|
||||
" server: https://10.0.0.1:6443\n name: prod\ncurrent-context: prod\n"
|
||||
res := runInfraModule(t, kubeconfig, 200, body)
|
||||
if len(res.Findings) == 0 {
|
||||
t.Fatal("expected a kubeconfig finding")
|
||||
}
|
||||
if v := infraExtract(res, "cluster_server"); v != "https://10.0.0.1:6443" {
|
||||
t.Errorf("cluster_server=%q, want https://10.0.0.1:6443", v)
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("docker compose leaks the image version", func(t *testing.T) {
|
||||
body := "version: \"3.8\"\nservices:\n web:\n image: nginx:1.25\n ports:\n" +
|
||||
" - \"80:80\"\n db:\n image: postgres:15\n"
|
||||
res := runInfraModule(t, compose, 200, body)
|
||||
if len(res.Findings) == 0 {
|
||||
t.Fatal("expected a docker compose finding")
|
||||
}
|
||||
if v := infraExtract(res, "compose_image"); v != "nginx:1.25" {
|
||||
t.Errorf("compose_image=%q, want nginx:1.25", v)
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a terraform_version mention without the state structure is not a leak", func(t *testing.T) {
|
||||
body := `{"terraform_version":"1.5.7"}`
|
||||
if res := runInfraModule(t, terraform, 200, body); len(res.Findings) > 0 {
|
||||
t.Errorf("a bare version mention should not match, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a kind Config mention without the kubeconfig structure is not a leak", func(t *testing.T) {
|
||||
body := "kind: Config\ndescription: an unrelated document\n"
|
||||
if res := runInfraModule(t, kubeconfig, 200, body); len(res.Findings) > 0 {
|
||||
t.Errorf("a bare kind mention should not match, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a services key without a service definition is not a leak", func(t *testing.T) {
|
||||
body := "services: enabled\nnote: not a compose file\n"
|
||||
if res := runInfraModule(t, compose, 200, body); len(res.Findings) > 0 {
|
||||
t.Errorf("a bare services key should not match, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("an html page carrying the markers is not a leak", func(t *testing.T) {
|
||||
body := `<html><head><title>x</title></head><body>"terraform_version":"1.5.7" "lineage":"a1b2"</body></html>`
|
||||
if res := runInfraModule(t, terraform, 200, body); len(res.Findings) > 0 {
|
||||
t.Errorf("an html page should not match, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a plain 200 body is not a leak", func(t *testing.T) {
|
||||
for _, file := range []string{terraform, kubeconfig, compose} {
|
||||
if res := runInfraModule(t, file, 200, "ok"); len(res.Findings) > 0 {
|
||||
t.Errorf("%s: a plain 200 body should not match, got %d findings", file, len(res.Findings))
|
||||
}
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a 404 is not a leak", func(t *testing.T) {
|
||||
for _, file := range []string{terraform, kubeconfig, compose} {
|
||||
if res := runInfraModule(t, file, 404, "not found"); len(res.Findings) > 0 {
|
||||
t.Errorf("%s: a 404 should not match, got %d findings", file, len(res.Findings))
|
||||
}
|
||||
}
|
||||
})
|
||||
}
|
||||
@@ -0,0 +1,129 @@
|
||||
package modules_test
|
||||
|
||||
import (
|
||||
"context"
|
||||
"net/http"
|
||||
"net/http/httptest"
|
||||
"testing"
|
||||
"time"
|
||||
|
||||
"github.com/vmfunc/sif/internal/modules"
|
||||
)
|
||||
|
||||
func runInfraControlplaneModule(t *testing.T, file string, status int, body string) *modules.Result {
|
||||
t.Helper()
|
||||
def, err := modules.ParseYAMLModule(file)
|
||||
if err != nil {
|
||||
t.Fatalf("parse %s: %v", file, err)
|
||||
}
|
||||
srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||
w.WriteHeader(status)
|
||||
_, _ = w.Write([]byte(body))
|
||||
}))
|
||||
defer srv.Close()
|
||||
|
||||
res, err := modules.ExecuteHTTPModule(context.Background(), srv.URL, def, modules.Options{
|
||||
Timeout: 5 * time.Second,
|
||||
Threads: 2,
|
||||
})
|
||||
if err != nil {
|
||||
t.Fatalf("execute %s: %v", file, err)
|
||||
}
|
||||
return res
|
||||
}
|
||||
|
||||
func controlplaneExtract(res *modules.Result, key string) string {
|
||||
for _, f := range res.Findings {
|
||||
if v := f.Extracted[key]; v != "" {
|
||||
return v
|
||||
}
|
||||
}
|
||||
return ""
|
||||
}
|
||||
|
||||
func TestInfraControlplaneExposureModules(t *testing.T) {
|
||||
const traefik = "../../modules/recon/traefik-api-exposure.yaml"
|
||||
const nomad = "../../modules/recon/nomad-agent-exposure.yaml"
|
||||
const portainer = "../../modules/recon/portainer-status-exposure.yaml"
|
||||
|
||||
t.Run("a traefik overview is flagged with its first provider", func(t *testing.T) {
|
||||
body := `{"http":{"routers":{"total":12,"warnings":0,"errors":1},"services":{"total":8,"warnings":0,` +
|
||||
`"errors":0},"middlewares":{"total":5,"warnings":0,"errors":0}},"tcp":{"routers":{"total":0},` +
|
||||
`"services":{"total":0}},"udp":{"routers":{"total":0},"services":{"total":0}},` +
|
||||
`"features":{"tracing":"Noop","metrics":"Prometheus","accessLog":true},"providers":["Docker","File"]}`
|
||||
res := runInfraControlplaneModule(t, traefik, 200, body)
|
||||
if len(res.Findings) == 0 {
|
||||
t.Fatal("expected a traefik finding")
|
||||
}
|
||||
if v := controlplaneExtract(res, "traefik_provider"); v != "Docker" {
|
||||
t.Errorf("traefik_provider=%q, want Docker", v)
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a routing summary without features is not flagged as traefik", func(t *testing.T) {
|
||||
body := `{"http":{"routers":{"total":1}},"providers":["Docker"]}`
|
||||
if res := runInfraControlplaneModule(t, traefik, 200, body); len(res.Findings) > 0 {
|
||||
t.Errorf("a body without features should not match traefik, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("an open nomad agent self is flagged with its version", func(t *testing.T) {
|
||||
body := `{"config":{"Region":"global","Datacenter":"dc1","BindAddr":"0.0.0.0"},` +
|
||||
`"member":{"Name":"node1.global","Addr":"10.0.0.5","Port":4648,` +
|
||||
`"Tags":{"role":"nomad","region":"global","dc":"dc1","build":"1.7.2","vsn":"1"},"Status":"alive"},` +
|
||||
`"stats":{"nomad":{"server":"true"},"runtime":{"version":"go1.21"}}}`
|
||||
res := runInfraControlplaneModule(t, nomad, 200, body)
|
||||
if len(res.Findings) == 0 {
|
||||
t.Fatal("expected a nomad finding")
|
||||
}
|
||||
if v := controlplaneExtract(res, "nomad_version"); v != "1.7.2" {
|
||||
t.Errorf("nomad_version=%q, want 1.7.2", v)
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("an acl-enabled nomad returns 403 and is not flagged", func(t *testing.T) {
|
||||
if res := runInfraControlplaneModule(t, nomad, 403, `{"errors":["Permission denied"]}`); len(res.Findings) > 0 {
|
||||
t.Errorf("a 403 from an acl-enabled nomad should not match, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a config+stats body without member is not flagged as nomad", func(t *testing.T) {
|
||||
body := `{"config":{"a":1},"stats":{"b":2}}`
|
||||
if res := runInfraControlplaneModule(t, nomad, 200, body); len(res.Findings) > 0 {
|
||||
t.Errorf("a body without member should not match nomad, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a portainer status is flagged with its instance id", func(t *testing.T) {
|
||||
body := `{"Version":"2.19.4","InstanceID":"299ab403-70a8-4c05-92f7-bf7a994d50df"}`
|
||||
res := runInfraControlplaneModule(t, portainer, 200, body)
|
||||
if len(res.Findings) == 0 {
|
||||
t.Fatal("expected a portainer finding")
|
||||
}
|
||||
if v := controlplaneExtract(res, "portainer_instance_id"); v != "299ab403-70a8-4c05-92f7-bf7a994d50df" {
|
||||
t.Errorf("portainer_instance_id=%q, want the uuid", v)
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a bare version body is not flagged as portainer", func(t *testing.T) {
|
||||
if res := runInfraControlplaneModule(t, portainer, 200, `{"Version":"2.19.4"}`); len(res.Findings) > 0 {
|
||||
t.Errorf("a bare version should not match portainer, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a plain 200 body is not a leak", func(t *testing.T) {
|
||||
for _, file := range []string{traefik, nomad, portainer} {
|
||||
if res := runInfraControlplaneModule(t, file, 200, "ok"); len(res.Findings) > 0 {
|
||||
t.Errorf("%s: a plain 200 body should not match, got %d findings", file, len(res.Findings))
|
||||
}
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a 404 is not a leak", func(t *testing.T) {
|
||||
for _, file := range []string{traefik, nomad, portainer} {
|
||||
if res := runInfraControlplaneModule(t, file, 404, "not found"); len(res.Findings) > 0 {
|
||||
t.Errorf("%s: a 404 should not match, got %d findings", file, len(res.Findings))
|
||||
}
|
||||
}
|
||||
})
|
||||
}
|
||||
@@ -0,0 +1,126 @@
|
||||
package modules_test
|
||||
|
||||
import (
|
||||
"context"
|
||||
"net/http"
|
||||
"net/http/httptest"
|
||||
"testing"
|
||||
"time"
|
||||
|
||||
"github.com/vmfunc/sif/internal/modules"
|
||||
)
|
||||
|
||||
func runJobDashModule(t *testing.T, file string, status int, body string) *modules.Result {
|
||||
t.Helper()
|
||||
def, err := modules.ParseYAMLModule(file)
|
||||
if err != nil {
|
||||
t.Fatalf("parse %s: %v", file, err)
|
||||
}
|
||||
srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||
w.WriteHeader(status)
|
||||
_, _ = w.Write([]byte(body))
|
||||
}))
|
||||
defer srv.Close()
|
||||
|
||||
res, err := modules.ExecuteHTTPModule(context.Background(), srv.URL, def, modules.Options{
|
||||
Timeout: 5 * time.Second,
|
||||
Threads: 2,
|
||||
})
|
||||
if err != nil {
|
||||
t.Fatalf("execute %s: %v", file, err)
|
||||
}
|
||||
return res
|
||||
}
|
||||
|
||||
func jobDashExtract(res *modules.Result, key string) string {
|
||||
for _, f := range res.Findings {
|
||||
if v := f.Extracted[key]; v != "" {
|
||||
return v
|
||||
}
|
||||
}
|
||||
return ""
|
||||
}
|
||||
|
||||
func TestJobDashboardExposureModules(t *testing.T) {
|
||||
const sidekiq = "../../modules/recon/sidekiq-web-exposure.yaml"
|
||||
const flower = "../../modules/recon/celery-flower-exposure.yaml"
|
||||
const rq = "../../modules/recon/rq-dashboard-exposure.yaml"
|
||||
|
||||
t.Run("a sidekiq stats dump is flagged with its redis version", func(t *testing.T) {
|
||||
body := `{"sidekiq":{"processed":12345,"failed":67,"busy":3,"processes":2,"enqueued":10,` +
|
||||
`"scheduled":5,"retries":1,"dead":0,"default_latency":0},"redis":{"redis_version":"7.2.4",` +
|
||||
`"uptime_in_days":"12","connected_clients":"8","used_memory_human":"2.50M",` +
|
||||
`"used_memory_peak_human":"3.10M"},"server_utc_time":"18:00:00 UTC"}`
|
||||
res := runJobDashModule(t, sidekiq, 200, body)
|
||||
if len(res.Findings) == 0 {
|
||||
t.Fatal("expected a sidekiq finding")
|
||||
}
|
||||
if v := jobDashExtract(res, "redis_version"); v != "7.2.4" {
|
||||
t.Errorf("redis_version=%q, want 7.2.4", v)
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a bare redis-info body without default_latency is not flagged as sidekiq", func(t *testing.T) {
|
||||
if res := runJobDashModule(t, sidekiq, 200, `{"redis_version":"7.2.4","server_utc_time":"x"}`); len(res.Findings) > 0 {
|
||||
t.Errorf("a redis info blob should not match sidekiq, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a flower workers api is flagged with the celery version", func(t *testing.T) {
|
||||
body := `{"celery@worker1":{"active_queues":[{"name":"celery","exchange":{"name":"celery",` +
|
||||
`"type":"direct"},"routing_key":"celery"}],"conf":{"broker_url":"redis://localhost:6379/0",` +
|
||||
`"result_backend":"redis://localhost:6379/0"},"registered":["tasks.add","tasks.send_email"],` +
|
||||
`"stats":{"sw_ident":"py-celery","sw_ver":"5.3.6","sw_sys":"Linux","pool":{"max-concurrency":4},` +
|
||||
`"broker":{"hostname":"localhost","transport":"redis"}},"timestamp":1719345600.0}}`
|
||||
res := runJobDashModule(t, flower, 200, body)
|
||||
if len(res.Findings) == 0 {
|
||||
t.Fatal("expected a flower finding")
|
||||
}
|
||||
if v := jobDashExtract(res, "celery_version"); v != "5.3.6" {
|
||||
t.Errorf("celery_version=%q, want 5.3.6", v)
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a worker blob without conf is not flagged as flower", func(t *testing.T) {
|
||||
if res := runJobDashModule(t, flower, 200, `{"celery@w":{"active_queues":[],"registered":["tasks.add"]}}`); len(res.Findings) > 0 {
|
||||
t.Errorf("a confless worker blob should not match flower, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("an rq queues dump is flagged with the first queue name", func(t *testing.T) {
|
||||
body := `{"queues":[{"name":"default","count":42,"queued_url":"/0/view/jobs/default/queued/...",` +
|
||||
`"failed_job_registry_count":3,"failed_url":"...","started_job_registry_count":1,"started_url":"...",` +
|
||||
`"deferred_job_registry_count":0,"deferred_url":"...","finished_job_registry_count":100,` +
|
||||
`"finished_url":"...","canceled_job_registry_count":0,"canceled_url":"...",` +
|
||||
`"scheduled_job_registry_count":5,"scheduled_url":"..."}]}`
|
||||
res := runJobDashModule(t, rq, 200, body)
|
||||
if len(res.Findings) == 0 {
|
||||
t.Fatal("expected an rq finding")
|
||||
}
|
||||
if v := jobDashExtract(res, "rq_queue_name"); v != "default" {
|
||||
t.Errorf("rq_queue_name=%q, want default", v)
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a queues blob without the registry counts is not flagged as rq", func(t *testing.T) {
|
||||
if res := runJobDashModule(t, rq, 200, `{"queues":[{"name":"q","failed_job_registry_count":0}]}`); len(res.Findings) > 0 {
|
||||
t.Errorf("a partial queues blob should not match rq, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a plain 200 body is not a leak", func(t *testing.T) {
|
||||
for _, file := range []string{sidekiq, flower, rq} {
|
||||
if res := runJobDashModule(t, file, 200, "ok"); len(res.Findings) > 0 {
|
||||
t.Errorf("%s: a plain 200 body should not match, got %d findings", file, len(res.Findings))
|
||||
}
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a 404 is not a leak", func(t *testing.T) {
|
||||
for _, file := range []string{sidekiq, flower, rq} {
|
||||
if res := runJobDashModule(t, file, 404, "not found"); len(res.Findings) > 0 {
|
||||
t.Errorf("%s: a 404 should not match, got %d findings", file, len(res.Findings))
|
||||
}
|
||||
}
|
||||
})
|
||||
}
|
||||
@@ -0,0 +1,86 @@
|
||||
/*
|
||||
·━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━·
|
||||
: :
|
||||
: █▀ █ █▀▀ · Blazing-fast pentesting suite :
|
||||
: ▄█ █ █▀ · BSD 3-Clause License :
|
||||
: :
|
||||
: (c) 2022-2026 vmfunc, xyzeva, :
|
||||
: lunchcat alumni & contributors :
|
||||
: :
|
||||
·━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━·
|
||||
*/
|
||||
|
||||
package modules
|
||||
|
||||
import (
|
||||
"context"
|
||||
"net/http"
|
||||
"net/http/httptest"
|
||||
"testing"
|
||||
|
||||
"github.com/vmfunc/sif/internal/httpx"
|
||||
)
|
||||
|
||||
func TestRunExtractorsJSON(t *testing.T) {
|
||||
const body = `{"version":"1.2.3","app":{"name":"sif"},"items":[{"id":7}]}`
|
||||
resp := fakeResponse(t, 200, nil)
|
||||
|
||||
tests := []struct {
|
||||
name string
|
||||
paths []string
|
||||
want string // "" means the extractor should set nothing
|
||||
}{
|
||||
{"top level", []string{"version"}, "1.2.3"},
|
||||
{"nested", []string{"app.name"}, "sif"},
|
||||
{"array index", []string{"items.0.id"}, "7"},
|
||||
{"first existing wins", []string{"missing", "version"}, "1.2.3"},
|
||||
{"no match", []string{"nope"}, ""},
|
||||
}
|
||||
for _, tt := range tests {
|
||||
t.Run(tt.name, func(t *testing.T) {
|
||||
ex := []Extractor{{Type: "json", Name: "v", Part: "body", JSON: tt.paths}}
|
||||
got := runExtractors(ex, resp, body)
|
||||
if tt.want == "" {
|
||||
if v, ok := got["v"]; ok {
|
||||
t.Errorf("expected no extraction, got %q", v)
|
||||
}
|
||||
return
|
||||
}
|
||||
if got["v"] != tt.want {
|
||||
t.Errorf("got %q, want %q", got["v"], tt.want)
|
||||
}
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
func TestExecuteHTTPModuleJSONExtractor(t *testing.T) {
|
||||
srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
|
||||
w.Header().Set("Content-Type", "application/json")
|
||||
_, _ = w.Write([]byte(`{"version":"9.9.9"}`))
|
||||
}))
|
||||
defer srv.Close()
|
||||
|
||||
def := &YAMLModule{
|
||||
ID: "j",
|
||||
Type: TypeHTTP,
|
||||
Info: YAMLModuleInfo{Severity: "info"},
|
||||
HTTP: &HTTPConfig{
|
||||
Method: "GET",
|
||||
Paths: []string{"{{BaseURL}}/"},
|
||||
Matchers: []Matcher{{Type: "status", Status: []int{200}}},
|
||||
Extractors: []Extractor{{Type: "json", Name: "version", Part: "body", JSON: []string{"version"}}},
|
||||
},
|
||||
}
|
||||
|
||||
opts := Options{Timeout: testTimeout, Client: httpx.Client(testTimeout)}
|
||||
res, err := ExecuteHTTPModule(context.Background(), srv.URL, def, opts)
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
if len(res.Findings) != 1 {
|
||||
t.Fatalf("got %d findings, want 1", len(res.Findings))
|
||||
}
|
||||
if got := res.Findings[0].Extracted["version"]; got != "9.9.9" {
|
||||
t.Errorf("extracted version = %q, want 9.9.9", got)
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,130 @@
|
||||
package modules_test
|
||||
|
||||
import (
|
||||
"context"
|
||||
"net/http"
|
||||
"net/http/httptest"
|
||||
"testing"
|
||||
"time"
|
||||
|
||||
"github.com/vmfunc/sif/internal/modules"
|
||||
)
|
||||
|
||||
const kafkaUIClustersBody = `[{"name":"production","defaultCluster":true,"status":"online",` +
|
||||
`"brokerCount":3,"onlinePartitionCount":128,"topicCount":42,"bytesInPerSec":10485.5,` +
|
||||
`"bytesOutPerSec":20971.0,"readOnly":false,"version":"3.7.0",` +
|
||||
`"features":["TOPIC_DELETION","KAFKA_CONNECT","KSQL_DB"]}]`
|
||||
|
||||
const kafdropOverviewBody = `{"summary":{"topicCount":42,"partitionCount":128,` +
|
||||
`"underReplicatedCount":0,"preferredReplicaPercent":1.0,"brokerLeaderPartitionCount":{"1":43},` +
|
||||
`"brokerPreferredLeaderPartitionCount":{"1":43},"expectedBrokerIds":[1,2,3]},` +
|
||||
`"brokers":[{"id":1,"host":"kafka-0.svc.internal","port":9092,"controller":true,"rack":"r1"}],` +
|
||||
`"topics":[{"name":"orders","partitions":[]}]}`
|
||||
|
||||
func runKafkaModule(t *testing.T, file string, status int, body string) (*modules.Result, http.Header) {
|
||||
t.Helper()
|
||||
def, err := modules.ParseYAMLModule(file)
|
||||
if err != nil {
|
||||
t.Fatalf("parse %s: %v", file, err)
|
||||
}
|
||||
var gotHeaders http.Header
|
||||
srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||
gotHeaders = r.Header.Clone()
|
||||
w.WriteHeader(status)
|
||||
_, _ = w.Write([]byte(body))
|
||||
}))
|
||||
defer srv.Close()
|
||||
|
||||
res, err := modules.ExecuteHTTPModule(context.Background(), srv.URL, def, modules.Options{
|
||||
Timeout: 5 * time.Second,
|
||||
Threads: 2,
|
||||
})
|
||||
if err != nil {
|
||||
t.Fatalf("execute %s: %v", file, err)
|
||||
}
|
||||
return res, gotHeaders
|
||||
}
|
||||
|
||||
func kafkaExtract(res *modules.Result, key string) string {
|
||||
for _, f := range res.Findings {
|
||||
if v := f.Extracted[key]; v != "" {
|
||||
return v
|
||||
}
|
||||
}
|
||||
return ""
|
||||
}
|
||||
|
||||
func TestKafkaManagementUIExposureModules(t *testing.T) {
|
||||
const kafkaUI = "../../modules/recon/kafka-ui-exposure.yaml"
|
||||
const kafdrop = "../../modules/recon/kafdrop-exposure.yaml"
|
||||
|
||||
t.Run("an open kafka-ui /api/clusters is flagged with the version", func(t *testing.T) {
|
||||
res, _ := runKafkaModule(t, kafkaUI, 200, kafkaUIClustersBody)
|
||||
if len(res.Findings) == 0 {
|
||||
t.Fatal("expected a kafka-ui finding")
|
||||
}
|
||||
if v := kafkaExtract(res, "kafka_version"); v != "3.7.0" {
|
||||
t.Errorf("kafka_version=%q, want 3.7.0", v)
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a kafka-ui cluster with a non-enum status is not flagged", func(t *testing.T) {
|
||||
body := `[{"name":"x","defaultCluster":true,"status":"degraded","brokerCount":1}]`
|
||||
if res, _ := runKafkaModule(t, kafkaUI, 200, body); len(res.Findings) > 0 {
|
||||
t.Errorf("a non-enum status should not match, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a login-protected kafka-ui is not flagged", func(t *testing.T) {
|
||||
if res, _ := runKafkaModule(t, kafkaUI, 401, `{"message":"Unauthorized"}`); len(res.Findings) > 0 {
|
||||
t.Errorf("a 401 kafka-ui should not match, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a kafdrop overview does not match the kafka-ui module", func(t *testing.T) {
|
||||
if res, _ := runKafkaModule(t, kafkaUI, 200, kafdropOverviewBody); len(res.Findings) > 0 {
|
||||
t.Errorf("a kafdrop body should not match kafka-ui, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("an open kafdrop overview is flagged with a broker host", func(t *testing.T) {
|
||||
res, hdr := runKafkaModule(t, kafdrop, 200, kafdropOverviewBody)
|
||||
if len(res.Findings) == 0 {
|
||||
t.Fatal("expected a kafdrop finding")
|
||||
}
|
||||
if v := kafkaExtract(res, "kafka_broker"); v != "kafka-0.svc.internal" {
|
||||
t.Errorf("kafka_broker=%q, want kafka-0.svc.internal", v)
|
||||
}
|
||||
if got := hdr.Get("Accept"); got != "application/json" {
|
||||
t.Errorf("Accept header=%q, want application/json", got)
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a cluster overview without preferredReplicaPercent is not flagged", func(t *testing.T) {
|
||||
body := `{"summary":{"topicCount":1},"brokers":[{"id":1,"host":"h"}],"topics":[]}`
|
||||
if res, _ := runKafkaModule(t, kafdrop, 200, body); len(res.Findings) > 0 {
|
||||
t.Errorf("a preferredReplicaPercent-less overview should not match, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a basic-auth-protected kafdrop is not flagged", func(t *testing.T) {
|
||||
if res, _ := runKafkaModule(t, kafdrop, 401, "Unauthorized"); len(res.Findings) > 0 {
|
||||
t.Errorf("a 401 kafdrop should not match, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a kafka-ui cluster list does not match the kafdrop module", func(t *testing.T) {
|
||||
if res, _ := runKafkaModule(t, kafdrop, 200, kafkaUIClustersBody); len(res.Findings) > 0 {
|
||||
t.Errorf("a kafka-ui body should not match kafdrop, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("plain 200 bodies are not leaks", func(t *testing.T) {
|
||||
if res, _ := runKafkaModule(t, kafkaUI, 200, "ok"); len(res.Findings) > 0 {
|
||||
t.Errorf("a plain 200 should not match kafka-ui, got %d findings", len(res.Findings))
|
||||
}
|
||||
if res, _ := runKafkaModule(t, kafdrop, 404, "not found"); len(res.Findings) > 0 {
|
||||
t.Errorf("a 404 should not match kafdrop, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
}
|
||||
@@ -0,0 +1,85 @@
|
||||
package modules_test
|
||||
|
||||
import (
|
||||
"context"
|
||||
"net/http"
|
||||
"net/http/httptest"
|
||||
"testing"
|
||||
"time"
|
||||
|
||||
"github.com/vmfunc/sif/internal/modules"
|
||||
)
|
||||
|
||||
func runGatewayModule(t *testing.T, file string, status int, body string) *modules.Result {
|
||||
t.Helper()
|
||||
def, err := modules.ParseYAMLModule(file)
|
||||
if err != nil {
|
||||
t.Fatalf("parse %s: %v", file, err)
|
||||
}
|
||||
srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||
w.WriteHeader(status)
|
||||
_, _ = w.Write([]byte(body))
|
||||
}))
|
||||
defer srv.Close()
|
||||
|
||||
res, err := modules.ExecuteHTTPModule(context.Background(), srv.URL, def, modules.Options{
|
||||
Timeout: 5 * time.Second,
|
||||
Threads: 2,
|
||||
})
|
||||
if err != nil {
|
||||
t.Fatalf("execute %s: %v", file, err)
|
||||
}
|
||||
return res
|
||||
}
|
||||
|
||||
func gatewayExtract(res *modules.Result, key string) string {
|
||||
for _, f := range res.Findings {
|
||||
if v := f.Extracted[key]; v != "" {
|
||||
return v
|
||||
}
|
||||
}
|
||||
return ""
|
||||
}
|
||||
|
||||
func TestLLMGatewayExposureModules(t *testing.T) {
|
||||
const oneapi = "../../modules/recon/oneapi-status-exposure.yaml"
|
||||
|
||||
oneapiStatus := `{"success":true,"message":"","data":{"version":"v0.8.4","start_time":1719100000,` +
|
||||
`"system_name":"New API","quota_per_unit":500000,"github_oauth":false}}`
|
||||
|
||||
t.Run("a oneapi status is flagged with its version", func(t *testing.T) {
|
||||
res := runGatewayModule(t, oneapi, 200, oneapiStatus)
|
||||
if len(res.Findings) == 0 {
|
||||
t.Fatal("expected a oneapi finding")
|
||||
}
|
||||
if v := gatewayExtract(res, "oneapi_version"); v != "v0.8.4" {
|
||||
t.Errorf("oneapi_version=%q, want v0.8.4", v)
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a body without system_name is not flagged as oneapi", func(t *testing.T) {
|
||||
body := `{"data":{"start_time":1,"quota_per_unit":500000}}`
|
||||
if res := runGatewayModule(t, oneapi, 200, body); len(res.Findings) > 0 {
|
||||
t.Errorf("a body without system_name should not match oneapi, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a body without quota_per_unit is not flagged as oneapi", func(t *testing.T) {
|
||||
body := `{"data":{"system_name":"X","start_time":1}}`
|
||||
if res := runGatewayModule(t, oneapi, 200, body); len(res.Findings) > 0 {
|
||||
t.Errorf("a body without quota_per_unit should not match oneapi, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a plain 200 body is not a leak", func(t *testing.T) {
|
||||
if res := runGatewayModule(t, oneapi, 200, "ok"); len(res.Findings) > 0 {
|
||||
t.Errorf("a plain 200 body should not match oneapi, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a 404 is not a leak", func(t *testing.T) {
|
||||
if res := runGatewayModule(t, oneapi, 404, "not found"); len(res.Findings) > 0 {
|
||||
t.Errorf("a 404 should not match oneapi, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
}
|
||||
@@ -0,0 +1,161 @@
|
||||
package modules_test
|
||||
|
||||
import (
|
||||
"context"
|
||||
"net/http"
|
||||
"net/http/httptest"
|
||||
"testing"
|
||||
"time"
|
||||
|
||||
"github.com/vmfunc/sif/internal/modules"
|
||||
)
|
||||
|
||||
func runGPUServingModule(t *testing.T, file string, status int, body string) *modules.Result {
|
||||
t.Helper()
|
||||
def, err := modules.ParseYAMLModule(file)
|
||||
if err != nil {
|
||||
t.Fatalf("parse %s: %v", file, err)
|
||||
}
|
||||
srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||
w.WriteHeader(status)
|
||||
_, _ = w.Write([]byte(body))
|
||||
}))
|
||||
defer srv.Close()
|
||||
|
||||
res, err := modules.ExecuteHTTPModule(context.Background(), srv.URL, def, modules.Options{
|
||||
Timeout: 5 * time.Second,
|
||||
Threads: 2,
|
||||
})
|
||||
if err != nil {
|
||||
t.Fatalf("execute %s: %v", file, err)
|
||||
}
|
||||
return res
|
||||
}
|
||||
|
||||
func gpuServingExtract(res *modules.Result, key string) string {
|
||||
for _, f := range res.Findings {
|
||||
if v := f.Extracted[key]; v != "" {
|
||||
return v
|
||||
}
|
||||
}
|
||||
return ""
|
||||
}
|
||||
|
||||
func TestLLMGPUServingExposureModules(t *testing.T) {
|
||||
const triton = "../../modules/recon/triton-api-exposure.yaml"
|
||||
const sglang = "../../modules/recon/sglang-api-exposure.yaml"
|
||||
const torchserve = "../../modules/recon/torchserve-api-exposure.yaml"
|
||||
|
||||
tritonMeta := `{"name":"triton","version":"2.45.0","extensions":["classification","sequence",` +
|
||||
`"model_repository","schedule_policy","model_configuration","statistics","trace","logging"]}`
|
||||
|
||||
sglangInfo := `{"model_path":"meta-llama/Llama-3-8B","tokenizer_path":"meta-llama/Llama-3-8B",` +
|
||||
`"is_generation":true,"preferred_sampling_params":null,"weight_version":"default",` +
|
||||
`"has_image_understanding":false,"has_audio_understanding":false,"model_type":"llama",` +
|
||||
`"architectures":["LlamaForCausalLM"]}`
|
||||
|
||||
torchserveModels := `{"nextPageToken":"4","models":[{"modelName":"resnet-18","modelUrl":"resnet-18.mar"},` +
|
||||
`{"modelName":"noop","modelUrl":"noop-v1.0"}]}`
|
||||
|
||||
t.Run("a triton metadata api is flagged with its version", func(t *testing.T) {
|
||||
res := runGPUServingModule(t, triton, 200, tritonMeta)
|
||||
if len(res.Findings) == 0 {
|
||||
t.Fatal("expected a triton finding")
|
||||
}
|
||||
if v := gpuServingExtract(res, "triton_version"); v != "2.45.0" {
|
||||
t.Errorf("triton_version=%q, want 2.45.0", v)
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a sglang model_info is flagged with its model path", func(t *testing.T) {
|
||||
res := runGPUServingModule(t, sglang, 200, sglangInfo)
|
||||
if len(res.Findings) == 0 {
|
||||
t.Fatal("expected a sglang finding")
|
||||
}
|
||||
if v := gpuServingExtract(res, "sglang_model"); v != "meta-llama/Llama-3-8B" {
|
||||
t.Errorf("sglang_model=%q, want meta-llama/Llama-3-8B", v)
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a torchserve models api is flagged with its model name", func(t *testing.T) {
|
||||
res := runGPUServingModule(t, torchserve, 200, torchserveModels)
|
||||
if len(res.Findings) == 0 {
|
||||
t.Fatal("expected a torchserve finding")
|
||||
}
|
||||
if v := gpuServingExtract(res, "torchserve_model"); v != "resnet-18" {
|
||||
t.Errorf("torchserve_model=%q, want resnet-18", v)
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a hugging face config with model_type is not flagged as sglang", func(t *testing.T) {
|
||||
body := `{"model_type":"llama","architectures":["LlamaForCausalLM"],"hidden_size":4096}`
|
||||
if res := runGPUServingModule(t, sglang, 200, body); len(res.Findings) > 0 {
|
||||
t.Errorf("a model config should not match sglang, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a generation flag alone is not flagged as sglang", func(t *testing.T) {
|
||||
body := `{"is_generation":true,"model":"x"}`
|
||||
if res := runGPUServingModule(t, sglang, 200, body); len(res.Findings) > 0 {
|
||||
t.Errorf("is_generation alone should not match sglang, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("an image understanding flag alone is not flagged as sglang", func(t *testing.T) {
|
||||
body := `{"has_image_understanding":false,"model_path":"x"}`
|
||||
if res := runGPUServingModule(t, sglang, 200, body); len(res.Findings) > 0 {
|
||||
t.Errorf("has_image_understanding alone should not match sglang, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a model url without a page token is not flagged as torchserve", func(t *testing.T) {
|
||||
body := `{"models":[{"modelName":"x","modelUrl":"x.mar"}]}`
|
||||
if res := runGPUServingModule(t, torchserve, 200, body); len(res.Findings) > 0 {
|
||||
t.Errorf("modelUrl without nextPageToken should not match torchserve, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("an ollama style models list is not flagged as torchserve", func(t *testing.T) {
|
||||
body := `{"models":[{"name":"llama3:latest","model":"llama3:latest"}]}`
|
||||
if res := runGPUServingModule(t, torchserve, 200, body); len(res.Findings) > 0 {
|
||||
t.Errorf("an ollama model list should not match torchserve, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a paginated list without a model url is not flagged as torchserve", func(t *testing.T) {
|
||||
body := `{"nextPageToken":"4","items":[{"id":"a"}]}`
|
||||
if res := runGPUServingModule(t, torchserve, 200, body); len(res.Findings) > 0 {
|
||||
t.Errorf("a generic paginated list should not match torchserve, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a kserve server that is not triton is not flagged", func(t *testing.T) {
|
||||
body := `{"name":"my-model-server","version":"1.0","extensions":["model_repository"]}`
|
||||
if res := runGPUServingModule(t, triton, 200, body); len(res.Findings) > 0 {
|
||||
t.Errorf("a non-triton kserve server should not match, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a triton name without extensions is not flagged", func(t *testing.T) {
|
||||
if res := runGPUServingModule(t, triton, 200, `{"name":"triton"}`); len(res.Findings) > 0 {
|
||||
t.Errorf("a name-only body should not match triton, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a plain 200 body is not a leak", func(t *testing.T) {
|
||||
for _, file := range []string{triton, sglang, torchserve} {
|
||||
if res := runGPUServingModule(t, file, 200, "ok"); len(res.Findings) > 0 {
|
||||
t.Errorf("%s: a plain 200 body should not match, got %d findings", file, len(res.Findings))
|
||||
}
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a 404 is not a leak", func(t *testing.T) {
|
||||
for _, file := range []string{triton, sglang, torchserve} {
|
||||
if res := runGPUServingModule(t, file, 404, "not found"); len(res.Findings) > 0 {
|
||||
t.Errorf("%s: a 404 should not match, got %d findings", file, len(res.Findings))
|
||||
}
|
||||
}
|
||||
})
|
||||
|
||||
}
|
||||
@@ -0,0 +1,125 @@
|
||||
package modules_test
|
||||
|
||||
import (
|
||||
"context"
|
||||
"net/http"
|
||||
"net/http/httptest"
|
||||
"testing"
|
||||
"time"
|
||||
|
||||
"github.com/vmfunc/sif/internal/modules"
|
||||
)
|
||||
|
||||
func runInferenceExposureModule(t *testing.T, file string, status int, body string) *modules.Result {
|
||||
t.Helper()
|
||||
def, err := modules.ParseYAMLModule(file)
|
||||
if err != nil {
|
||||
t.Fatalf("parse %s: %v", file, err)
|
||||
}
|
||||
srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||
w.WriteHeader(status)
|
||||
_, _ = w.Write([]byte(body))
|
||||
}))
|
||||
defer srv.Close()
|
||||
|
||||
res, err := modules.ExecuteHTTPModule(context.Background(), srv.URL, def, modules.Options{
|
||||
Timeout: 5 * time.Second,
|
||||
Threads: 2,
|
||||
})
|
||||
if err != nil {
|
||||
t.Fatalf("execute %s: %v", file, err)
|
||||
}
|
||||
return res
|
||||
}
|
||||
|
||||
func inferenceExtract(res *modules.Result, key string) string {
|
||||
for _, f := range res.Findings {
|
||||
if v := f.Extracted[key]; v != "" {
|
||||
return v
|
||||
}
|
||||
}
|
||||
return ""
|
||||
}
|
||||
|
||||
func TestLLMInferenceExposureModules(t *testing.T) {
|
||||
const tgi = "../../modules/recon/tgi-api-exposure.yaml"
|
||||
const tei = "../../modules/recon/tei-api-exposure.yaml"
|
||||
|
||||
tgiInfo := `{"model_id":"meta-llama/Llama-2-7b-chat-hf","model_sha":"abc","model_pipeline_tag":"text-generation",` +
|
||||
`"max_concurrent_requests":128,"max_best_of":2,"max_input_tokens":4095,"max_total_tokens":4096,` +
|
||||
`"max_batch_total_tokens":16384,"router":"text-generation-router","version":"2.0.4","sha":"deadbeef"}`
|
||||
|
||||
teiInfo := `{"model_id":"BAAI/bge-large-en-v1.5","model_sha":"abc","model_dtype":"float16",` +
|
||||
`"model_type":{"embedding":{"pooling":"cls"}},"max_concurrent_requests":512,"max_input_length":512,` +
|
||||
`"max_batch_tokens":16384,"max_client_batch_size":32,"tokenization_workers":8,"version":"1.5.0"}`
|
||||
|
||||
t.Run("a tgi info is flagged with its model id", func(t *testing.T) {
|
||||
res := runInferenceExposureModule(t, tgi, 200, tgiInfo)
|
||||
if len(res.Findings) == 0 {
|
||||
t.Fatal("expected a tgi finding")
|
||||
}
|
||||
if v := inferenceExtract(res, "tgi_model"); v != "meta-llama/Llama-2-7b-chat-hf" {
|
||||
t.Errorf("tgi_model=%q, want meta-llama/Llama-2-7b-chat-hf", v)
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a tei info is flagged with its model id", func(t *testing.T) {
|
||||
res := runInferenceExposureModule(t, tei, 200, teiInfo)
|
||||
if len(res.Findings) == 0 {
|
||||
t.Fatal("expected a tei finding")
|
||||
}
|
||||
if v := inferenceExtract(res, "tei_model"); v != "BAAI/bge-large-en-v1.5" {
|
||||
t.Errorf("tei_model=%q, want BAAI/bge-large-en-v1.5", v)
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a tgi info is not flagged as tei", func(t *testing.T) {
|
||||
if res := runInferenceExposureModule(t, tei, 200, tgiInfo); len(res.Findings) > 0 {
|
||||
t.Errorf("a tgi info should not match the tei module, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a tei info is not flagged as tgi", func(t *testing.T) {
|
||||
if res := runInferenceExposureModule(t, tgi, 200, teiInfo); len(res.Findings) > 0 {
|
||||
t.Errorf("a tei info should not match the tgi module, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a hugging face model config is not flagged as tei", func(t *testing.T) {
|
||||
body := `{"model_type":"bert","hidden_size":768,"num_attention_heads":12,"vocab_size":30522}`
|
||||
if res := runInferenceExposureModule(t, tei, 200, body); len(res.Findings) > 0 {
|
||||
t.Errorf("a model config.json should not match tei, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a batch-tokens body without model_type is not flagged as tei", func(t *testing.T) {
|
||||
body := `{"max_batch_tokens":16384,"max_concurrent_requests":512}`
|
||||
if res := runInferenceExposureModule(t, tei, 200, body); len(res.Findings) > 0 {
|
||||
t.Errorf("a body without model_type should not match tei, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a different router is not flagged as tgi", func(t *testing.T) {
|
||||
body := `{"router":"some-other-router","max_concurrent_requests":10}`
|
||||
if res := runInferenceExposureModule(t, tgi, 200, body); len(res.Findings) > 0 {
|
||||
t.Errorf("a non-tgi router should not match, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a plain 200 body is not a leak", func(t *testing.T) {
|
||||
for _, file := range []string{tgi, tei} {
|
||||
if res := runInferenceExposureModule(t, file, 200, "ok"); len(res.Findings) > 0 {
|
||||
t.Errorf("%s: a plain 200 body should not match, got %d findings", file, len(res.Findings))
|
||||
}
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a 404 is not a leak", func(t *testing.T) {
|
||||
for _, file := range []string{tgi, tei} {
|
||||
if res := runInferenceExposureModule(t, file, 404, "not found"); len(res.Findings) > 0 {
|
||||
t.Errorf("%s: a 404 should not match, got %d findings", file, len(res.Findings))
|
||||
}
|
||||
}
|
||||
})
|
||||
|
||||
}
|
||||
@@ -0,0 +1,212 @@
|
||||
package modules_test
|
||||
|
||||
import (
|
||||
"context"
|
||||
"net/http"
|
||||
"net/http/httptest"
|
||||
"testing"
|
||||
"time"
|
||||
|
||||
"github.com/vmfunc/sif/internal/modules"
|
||||
)
|
||||
|
||||
func runLocalRunnerModule(t *testing.T, file string, status int, body string) *modules.Result {
|
||||
t.Helper()
|
||||
def, err := modules.ParseYAMLModule(file)
|
||||
if err != nil {
|
||||
t.Fatalf("parse %s: %v", file, err)
|
||||
}
|
||||
srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||
w.WriteHeader(status)
|
||||
_, _ = w.Write([]byte(body))
|
||||
}))
|
||||
defer srv.Close()
|
||||
|
||||
res, err := modules.ExecuteHTTPModule(context.Background(), srv.URL, def, modules.Options{
|
||||
Timeout: 5 * time.Second,
|
||||
Threads: 2,
|
||||
})
|
||||
if err != nil {
|
||||
t.Fatalf("execute %s: %v", file, err)
|
||||
}
|
||||
return res
|
||||
}
|
||||
|
||||
func localRunnerExtract(res *modules.Result, key string) string {
|
||||
for _, f := range res.Findings {
|
||||
if v := f.Extracted[key]; v != "" {
|
||||
return v
|
||||
}
|
||||
}
|
||||
return ""
|
||||
}
|
||||
|
||||
func TestLLMLocalRunnerExposureModules(t *testing.T) {
|
||||
const ollama = "../../modules/recon/ollama-api-exposure.yaml"
|
||||
const koboldcpp = "../../modules/recon/koboldcpp-api-exposure.yaml"
|
||||
const tabby = "../../modules/recon/tabby-api-exposure.yaml"
|
||||
const oobabooga = "../../modules/recon/oobabooga-api-exposure.yaml"
|
||||
|
||||
ollamaTags := `{"models":[{"name":"deepseek-r1:latest","model":"deepseek-r1:latest",` +
|
||||
`"modified_at":"2025-05-10T08:06:48.639712648-07:00","size":4683075271,` +
|
||||
`"digest":"0a8c266910232fd3291e71e5ba1e058cc5af9d411192cf88b6d30e92b6e73163",` +
|
||||
`"details":{"parent_model":"","format":"gguf","family":"qwen2","families":["qwen2"],` +
|
||||
`"parameter_size":"7.6B","quantization_level":"Q4_K_M"}}]}`
|
||||
|
||||
koboldVersion := `{"result":"KoboldCpp","version":"1.71.1","protected":false,"llm":true,` +
|
||||
`"txt2img":true,"vision":false,"audio":false,"transcribe":false,"multiplayer":false,` +
|
||||
`"websearch":false,"tts":false,"embeddings":false,"music":false,"savedata":false,` +
|
||||
`"admin":0,"router":false,"guidance":false,"jinja":true,"mcp":false}`
|
||||
|
||||
tabbyHealth := `{"model":"TabbyML/StarCoder-1B","chat_model":"Qwen2.5-Coder-7B-Instruct",` +
|
||||
`"device":"cuda","cuda_devices":["NVIDIA GeForce RTX 4090"],"models":{"completion":{"vram":1234}},` +
|
||||
`"arch":"x86_64","cpu_info":"AMD Ryzen 9 5950X","cpu_count":32,` +
|
||||
`"version":{"build_date":"2024-06-01","build_timestamp":"2024-06-01T00:00:00Z",` +
|
||||
`"git_sha":"deadbeef","git_describe":"v0.13.0"},"webserver":true}`
|
||||
|
||||
oobaModelInfo := `{"model_name":"TheBloke_Llama-2-13B-chat-GPTQ","lora_names":["alpaca-lora"],` +
|
||||
`"loader":"ExLlamav2_HF"}`
|
||||
|
||||
t.Run("an ollama tags api is flagged with its model name", func(t *testing.T) {
|
||||
res := runLocalRunnerModule(t, ollama, 200, ollamaTags)
|
||||
if len(res.Findings) == 0 {
|
||||
t.Fatal("expected an ollama finding")
|
||||
}
|
||||
if v := localRunnerExtract(res, "ollama_model"); v != "deepseek-r1:latest" {
|
||||
t.Errorf("ollama_model=%q, want deepseek-r1:latest", v)
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("an ollama tags list without model details is not flagged", func(t *testing.T) {
|
||||
body := `{"models":[{"name":"llama3:latest","digest":"abc"}]}`
|
||||
if res := runLocalRunnerModule(t, ollama, 200, body); len(res.Findings) > 0 {
|
||||
t.Errorf("a bare model list should not match ollama, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("an ollama version response is not flagged", func(t *testing.T) {
|
||||
if res := runLocalRunnerModule(t, ollama, 200, `{"version":"0.5.1"}`); len(res.Findings) > 0 {
|
||||
t.Errorf("a version response should not match ollama, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a koboldcpp version probe is flagged with its version", func(t *testing.T) {
|
||||
res := runLocalRunnerModule(t, koboldcpp, 200, koboldVersion)
|
||||
if len(res.Findings) == 0 {
|
||||
t.Fatal("expected a koboldcpp finding")
|
||||
}
|
||||
if v := localRunnerExtract(res, "koboldcpp_version"); v != "1.71.1" {
|
||||
t.Errorf("koboldcpp_version=%q, want 1.71.1", v)
|
||||
}
|
||||
if v := localRunnerExtract(res, "koboldcpp_protected"); v != "false" {
|
||||
t.Errorf("koboldcpp_protected=%q, want false", v)
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a koboldcpp result without txt2img is not flagged", func(t *testing.T) {
|
||||
body := `{"result":"KoboldCpp","protected":false}`
|
||||
if res := runLocalRunnerModule(t, koboldcpp, 200, body); len(res.Findings) > 0 {
|
||||
t.Errorf("a probe without txt2img should not match koboldcpp, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a koboldcpp result without protected is not flagged", func(t *testing.T) {
|
||||
body := `{"result":"KoboldCpp","txt2img":true}`
|
||||
if res := runLocalRunnerModule(t, koboldcpp, 200, body); len(res.Findings) > 0 {
|
||||
t.Errorf("a probe without protected should not match koboldcpp, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("another server reporting capabilities is not flagged as koboldcpp", func(t *testing.T) {
|
||||
body := `{"result":"SomeOtherServer","protected":false,"txt2img":true}`
|
||||
if res := runLocalRunnerModule(t, koboldcpp, 200, body); len(res.Findings) > 0 {
|
||||
t.Errorf("a non-kobold result should not match koboldcpp, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a tabby health is flagged with its model", func(t *testing.T) {
|
||||
res := runLocalRunnerModule(t, tabby, 200, tabbyHealth)
|
||||
if len(res.Findings) == 0 {
|
||||
t.Fatal("expected a tabby finding")
|
||||
}
|
||||
if v := localRunnerExtract(res, "tabby_model"); v != "TabbyML/StarCoder-1B" {
|
||||
t.Errorf("tabby_model=%q, want TabbyML/StarCoder-1B", v)
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a tabby health without git_describe is not flagged", func(t *testing.T) {
|
||||
body := `{"cpu_info":"AMD Ryzen","cuda_devices":["RTX 4090"],"device":"cuda"}`
|
||||
if res := runLocalRunnerModule(t, tabby, 200, body); len(res.Findings) > 0 {
|
||||
t.Errorf("a health body without git_describe should not match tabby, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a tabby health without cuda_devices is not flagged", func(t *testing.T) {
|
||||
body := `{"cpu_info":"AMD Ryzen","version":{"git_describe":"v0.13.0"}}`
|
||||
if res := runLocalRunnerModule(t, tabby, 200, body); len(res.Findings) > 0 {
|
||||
t.Errorf("a health body without cuda_devices should not match tabby, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a build info without cpu_info is not flagged as tabby", func(t *testing.T) {
|
||||
body := `{"cuda_devices":["RTX 4090"],"version":{"git_describe":"v0.13.0"}}`
|
||||
if res := runLocalRunnerModule(t, tabby, 200, body); len(res.Findings) > 0 {
|
||||
t.Errorf("a body without cpu_info should not match tabby, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("an oobabooga model info is flagged with its model name", func(t *testing.T) {
|
||||
res := runLocalRunnerModule(t, oobabooga, 200, oobaModelInfo)
|
||||
if len(res.Findings) == 0 {
|
||||
t.Fatal("expected an oobabooga finding")
|
||||
}
|
||||
if v := localRunnerExtract(res, "oobabooga_model"); v != "TheBloke_Llama-2-13B-chat-GPTQ" {
|
||||
t.Errorf("oobabooga_model=%q, want TheBloke_Llama-2-13B-chat-GPTQ", v)
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a body without lora_names is not flagged as oobabooga", func(t *testing.T) {
|
||||
body := `{"model_name":"some-model","loader":"Transformers"}`
|
||||
if res := runLocalRunnerModule(t, oobabooga, 200, body); len(res.Findings) > 0 {
|
||||
t.Errorf("a body without lora_names should not match oobabooga, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a body without model_name is not flagged as oobabooga", func(t *testing.T) {
|
||||
body := `{"lora_names":["x"],"loader":"Transformers"}`
|
||||
if res := runLocalRunnerModule(t, oobabooga, 200, body); len(res.Findings) > 0 {
|
||||
t.Errorf("a body without model_name should not match oobabooga, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a model_names plural list is not flagged as oobabooga", func(t *testing.T) {
|
||||
body := `{"model_names":["TheBloke_Llama-2-13B-chat-GPTQ","mistral-7b-instruct"]}`
|
||||
if res := runLocalRunnerModule(t, oobabooga, 200, body); len(res.Findings) > 0 {
|
||||
t.Errorf("a model_names plural list should not match oobabooga, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("an idle oobabooga with no model loaded is still flagged", func(t *testing.T) {
|
||||
body := `{"model_name":"None","lora_names":[],"loader":"Transformers"}`
|
||||
if res := runLocalRunnerModule(t, oobabooga, 200, body); len(res.Findings) == 0 {
|
||||
t.Error("expected an idle oobabooga (model_name None) to still be flagged")
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a plain 200 body is not a leak", func(t *testing.T) {
|
||||
for _, file := range []string{ollama, koboldcpp, oobabooga, tabby} {
|
||||
if res := runLocalRunnerModule(t, file, 200, "ok"); len(res.Findings) > 0 {
|
||||
t.Errorf("%s: a plain 200 body should not match, got %d findings", file, len(res.Findings))
|
||||
}
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a 404 is not a leak", func(t *testing.T) {
|
||||
for _, file := range []string{ollama, koboldcpp, oobabooga, tabby} {
|
||||
if res := runLocalRunnerModule(t, file, 404, "not found"); len(res.Findings) > 0 {
|
||||
t.Errorf("%s: a 404 should not match, got %d findings", file, len(res.Findings))
|
||||
}
|
||||
}
|
||||
})
|
||||
|
||||
}
|
||||
@@ -0,0 +1,225 @@
|
||||
package modules_test
|
||||
|
||||
import (
|
||||
"context"
|
||||
"net/http"
|
||||
"net/http/httptest"
|
||||
"testing"
|
||||
"time"
|
||||
|
||||
"github.com/vmfunc/sif/internal/modules"
|
||||
)
|
||||
|
||||
func runOpenAICompatModule(t *testing.T, file string, status int, body string) *modules.Result {
|
||||
t.Helper()
|
||||
def, err := modules.ParseYAMLModule(file)
|
||||
if err != nil {
|
||||
t.Fatalf("parse %s: %v", file, err)
|
||||
}
|
||||
srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||
w.WriteHeader(status)
|
||||
_, _ = w.Write([]byte(body))
|
||||
}))
|
||||
defer srv.Close()
|
||||
|
||||
res, err := modules.ExecuteHTTPModule(context.Background(), srv.URL, def, modules.Options{
|
||||
Timeout: 5 * time.Second,
|
||||
Threads: 2,
|
||||
})
|
||||
if err != nil {
|
||||
t.Fatalf("execute %s: %v", file, err)
|
||||
}
|
||||
return res
|
||||
}
|
||||
|
||||
func openAICompatExtract(res *modules.Result, key string) string {
|
||||
for _, f := range res.Findings {
|
||||
if v := f.Extracted[key]; v != "" {
|
||||
return v
|
||||
}
|
||||
}
|
||||
return ""
|
||||
}
|
||||
|
||||
func TestLLMOpenAICompatExposureModules(t *testing.T) {
|
||||
const vllm = "../../modules/recon/vllm-api-exposure.yaml"
|
||||
const llamacpp = "../../modules/recon/llamacpp-api-exposure.yaml"
|
||||
const infinity = "../../modules/recon/infinity-embedding-api-exposure.yaml"
|
||||
const lmstudio = "../../modules/recon/lmstudio-api-exposure.yaml"
|
||||
|
||||
vllmModels := `{"object":"list","data":[{"id":"meta-llama/Llama-3.1-8B-Instruct","object":"model",` +
|
||||
`"created":1718900000,"owned_by":"vllm","root":"meta-llama/Llama-3.1-8B-Instruct",` +
|
||||
`"parent":null,"max_model_len":131072}]}`
|
||||
|
||||
llamacppModels := `{"object":"list","data":[{"id":"/models/llama-2-7b.Q4_K_M.gguf","object":"model",` +
|
||||
`"created":1718900000,"owned_by":"llamacpp"}]}`
|
||||
|
||||
infinityModels := `{"data":[{"id":"BAAI/bge-small-en-v1.5","stats":{"queue_fraction":0.0,` +
|
||||
`"queue_absolute":0,"results_pending":0,"results_queue":0},"object":"model","owned_by":"infinity",` +
|
||||
`"created":1718900000,"backend":"torch","capabilities":["embed"]}],"object":"list"}`
|
||||
|
||||
lmstudioModels := `{"object":"list","data":[{"id":"qwen2-vl-7b-instruct","object":"model",` +
|
||||
`"type":"vlm","publisher":"mlx-community","arch":"qwen2_vl","compatibility_type":"mlx",` +
|
||||
`"quantization":"4bit","state":"not-loaded","max_context_length":32768},` +
|
||||
`{"id":"text-embedding-nomic-embed-text-v1.5","object":"model","type":"embeddings",` +
|
||||
`"publisher":"nomic-ai","arch":"nomic-bert","compatibility_type":"gguf","quantization":"Q4_0",` +
|
||||
`"state":"not-loaded","max_context_length":2048}]}`
|
||||
|
||||
t.Run("a vllm models api is flagged with its model id", func(t *testing.T) {
|
||||
res := runOpenAICompatModule(t, vllm, 200, vllmModels)
|
||||
if len(res.Findings) == 0 {
|
||||
t.Fatal("expected a vllm finding")
|
||||
}
|
||||
if v := openAICompatExtract(res, "vllm_model"); v != "meta-llama/Llama-3.1-8B-Instruct" {
|
||||
t.Errorf("vllm_model=%q, want meta-llama/Llama-3.1-8B-Instruct", v)
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a vllm-prefixed but distinct owned_by is not flagged as vllm", func(t *testing.T) {
|
||||
body := `{"object":"list","data":[{"id":"meta-llama/Llama-3.1-8B-Instruct","object":"model",` +
|
||||
`"created":1718900000,"owned_by":"vllm-frontend-rs","root":"meta-llama/Llama-3.1-8B-Instruct"}]}`
|
||||
if res := runOpenAICompatModule(t, vllm, 200, body); len(res.Findings) > 0 {
|
||||
t.Errorf("owned_by vllm-frontend-rs should not match the anchored vllm regex, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a llamacpp models api is flagged with its model id", func(t *testing.T) {
|
||||
res := runOpenAICompatModule(t, llamacpp, 200, llamacppModels)
|
||||
if len(res.Findings) == 0 {
|
||||
t.Fatal("expected a llamacpp finding")
|
||||
}
|
||||
if v := openAICompatExtract(res, "llamacpp_model"); v != "/models/llama-2-7b.Q4_K_M.gguf" {
|
||||
t.Errorf("llamacpp_model=%q, want /models/llama-2-7b.Q4_K_M.gguf", v)
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a llamacpp models api is not flagged as vllm", func(t *testing.T) {
|
||||
if res := runOpenAICompatModule(t, vllm, 200, llamacppModels); len(res.Findings) > 0 {
|
||||
t.Errorf("a llamacpp list should not match the vllm module, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a vllm models api is not flagged as llamacpp", func(t *testing.T) {
|
||||
if res := runOpenAICompatModule(t, llamacpp, 200, vllmModels); len(res.Findings) > 0 {
|
||||
t.Errorf("a vllm list should not match the llamacpp module, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("an openai compatible list owned by openai is not flagged as vllm", func(t *testing.T) {
|
||||
body := `{"object":"list","data":[{"id":"gpt-4o","object":"model","owned_by":"openai"}]}`
|
||||
if res := runOpenAICompatModule(t, vllm, 200, body); len(res.Findings) > 0 {
|
||||
t.Errorf("an openai-owned list should not match vllm, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("an infinity models list is flagged with its model id", func(t *testing.T) {
|
||||
res := runOpenAICompatModule(t, infinity, 200, infinityModels)
|
||||
if len(res.Findings) == 0 {
|
||||
t.Fatal("expected an infinity finding")
|
||||
}
|
||||
if v := openAICompatExtract(res, "infinity_model"); v != "BAAI/bge-small-en-v1.5" {
|
||||
t.Errorf("infinity_model=%q, want BAAI/bge-small-en-v1.5", v)
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("an infinity list without owned_by is not flagged", func(t *testing.T) {
|
||||
body := `{"data":[{"id":"x","backend":"torch","capabilities":["embed"]}],"object":"list"}`
|
||||
if res := runOpenAICompatModule(t, infinity, 200, body); len(res.Findings) > 0 {
|
||||
t.Errorf("a list without owned_by should not match infinity, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("an infinity list without a backend is not flagged", func(t *testing.T) {
|
||||
body := `{"data":[{"id":"x","owned_by":"infinity","capabilities":["embed"]}],"object":"list"}`
|
||||
if res := runOpenAICompatModule(t, infinity, 200, body); len(res.Findings) > 0 {
|
||||
t.Errorf("a list without backend should not match infinity, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("an infinity list without capabilities is not flagged", func(t *testing.T) {
|
||||
body := `{"data":[{"id":"x","owned_by":"infinity","backend":"torch"}],"object":"list"}`
|
||||
if res := runOpenAICompatModule(t, infinity, 200, body); len(res.Findings) > 0 {
|
||||
t.Errorf("a list without capabilities should not match infinity, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a non-infinity server with backend and capabilities is not flagged", func(t *testing.T) {
|
||||
body := `{"object":"list","data":[{"id":"m","object":"model","owned_by":"acme-org",` +
|
||||
`"backend":"vllm","capabilities":["chat"]}]}`
|
||||
if res := runOpenAICompatModule(t, infinity, 200, body); len(res.Findings) > 0 {
|
||||
t.Errorf("backend+capabilities with a non-infinity owned_by should not match, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a vllm models list is not flagged as infinity", func(t *testing.T) {
|
||||
if res := runOpenAICompatModule(t, infinity, 200, vllmModels); len(res.Findings) > 0 {
|
||||
t.Errorf("a vllm list should not match infinity, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("an infinity list is not flagged as vllm", func(t *testing.T) {
|
||||
if res := runOpenAICompatModule(t, vllm, 200, infinityModels); len(res.Findings) > 0 {
|
||||
t.Errorf("an infinity list should not match the vllm module, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("an lmstudio models api is flagged with its model id", func(t *testing.T) {
|
||||
res := runOpenAICompatModule(t, lmstudio, 200, lmstudioModels)
|
||||
if len(res.Findings) == 0 {
|
||||
t.Fatal("expected an lmstudio finding")
|
||||
}
|
||||
if v := openAICompatExtract(res, "lmstudio_model"); v != "qwen2-vl-7b-instruct" {
|
||||
t.Errorf("lmstudio_model=%q, want qwen2-vl-7b-instruct", v)
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a body without compatibility_type is not flagged as lmstudio", func(t *testing.T) {
|
||||
body := `{"object":"list","data":[{"id":"x","quantization":"4bit","max_context_length":4096}]}`
|
||||
if res := runOpenAICompatModule(t, lmstudio, 200, body); len(res.Findings) > 0 {
|
||||
t.Errorf("a body without compatibility_type should not match lmstudio, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a body without quantization is not flagged as lmstudio", func(t *testing.T) {
|
||||
body := `{"object":"list","data":[{"id":"x","compatibility_type":"gguf","max_context_length":4096}]}`
|
||||
if res := runOpenAICompatModule(t, lmstudio, 200, body); len(res.Findings) > 0 {
|
||||
t.Errorf("a body without quantization should not match lmstudio, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a body without max_context_length is not flagged as lmstudio", func(t *testing.T) {
|
||||
body := `{"object":"list","data":[{"id":"x","compatibility_type":"gguf","quantization":"4bit"}]}`
|
||||
if res := runOpenAICompatModule(t, lmstudio, 200, body); len(res.Findings) > 0 {
|
||||
t.Errorf("a body without max_context_length should not match lmstudio, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("an openai compatible v1 models list is not flagged as lmstudio", func(t *testing.T) {
|
||||
if res := runOpenAICompatModule(t, lmstudio, 200, vllmModels); len(res.Findings) > 0 {
|
||||
t.Errorf("a plain v1 models list should not match lmstudio, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("an lmstudio models list is not flagged as vllm", func(t *testing.T) {
|
||||
if res := runOpenAICompatModule(t, vllm, 200, lmstudioModels); len(res.Findings) > 0 {
|
||||
t.Errorf("an lmstudio list should not match the vllm module, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a plain 200 body is not a leak", func(t *testing.T) {
|
||||
for _, file := range []string{vllm, llamacpp, lmstudio, infinity} {
|
||||
if res := runOpenAICompatModule(t, file, 200, "ok"); len(res.Findings) > 0 {
|
||||
t.Errorf("%s: a plain 200 body should not match, got %d findings", file, len(res.Findings))
|
||||
}
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a 404 is not a leak", func(t *testing.T) {
|
||||
for _, file := range []string{vllm, llamacpp, lmstudio, infinity} {
|
||||
if res := runOpenAICompatModule(t, file, 404, "not found"); len(res.Findings) > 0 {
|
||||
t.Errorf("%s: a 404 should not match, got %d findings", file, len(res.Findings))
|
||||
}
|
||||
}
|
||||
})
|
||||
|
||||
}
|
||||
@@ -0,0 +1,201 @@
|
||||
package modules_test
|
||||
|
||||
import (
|
||||
"context"
|
||||
"net/http"
|
||||
"net/http/httptest"
|
||||
"testing"
|
||||
"time"
|
||||
|
||||
"github.com/vmfunc/sif/internal/modules"
|
||||
)
|
||||
|
||||
func runRAGUIModule(t *testing.T, file string, status int, body string) *modules.Result {
|
||||
t.Helper()
|
||||
def, err := modules.ParseYAMLModule(file)
|
||||
if err != nil {
|
||||
t.Fatalf("parse %s: %v", file, err)
|
||||
}
|
||||
srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||
w.WriteHeader(status)
|
||||
_, _ = w.Write([]byte(body))
|
||||
}))
|
||||
defer srv.Close()
|
||||
|
||||
res, err := modules.ExecuteHTTPModule(context.Background(), srv.URL, def, modules.Options{
|
||||
Timeout: 5 * time.Second,
|
||||
Threads: 2,
|
||||
})
|
||||
if err != nil {
|
||||
t.Fatalf("execute %s: %v", file, err)
|
||||
}
|
||||
return res
|
||||
}
|
||||
|
||||
func ragUIExtract(res *modules.Result, key string) string {
|
||||
for _, f := range res.Findings {
|
||||
if v := f.Extracted[key]; v != "" {
|
||||
return v
|
||||
}
|
||||
}
|
||||
return ""
|
||||
}
|
||||
|
||||
func TestLLMRAGUIExposureModules(t *testing.T) {
|
||||
const fastgpt = "../../modules/recon/fastgpt-init-exposure.yaml"
|
||||
const perplexica = "../../modules/recon/perplexica-config-exposure.yaml"
|
||||
const onyx = "../../modules/recon/onyx-auth-exposure.yaml"
|
||||
const verba = "../../modules/recon/verba-health-exposure.yaml"
|
||||
|
||||
fastgptInit := `{"code":200,"data":{"bufferId":"unAuth_x","feConfigs":{"systemTitle":"FastGPT",` +
|
||||
`"docUrl":"https://doc.fastgpt.io","show_git":true},"modelProviders":[{"provider":"openai"}],` +
|
||||
`"aiproxyChannels":[]}}`
|
||||
|
||||
perplexicaConfig := `{"values":{"general":{"theme":"dark","measureUnit":"Metric","autoMediaSearch":true,` +
|
||||
`"showWeatherWidget":true},"modelProviders":[{"id":"openai","name":"OpenAI",` +
|
||||
`"config":{"apiKey":"sk-secret","baseURL":""},"chatModels":[],"embeddingModels":[]}],` +
|
||||
`"search":{"searxngURL":"http://searxng:8080"}},"fields":[{"key":"measureUnit"},{"key":"autoMediaSearch"},` +
|
||||
`{"key":"searxngURL"}]}`
|
||||
|
||||
onyxAuth := `{"auth_type":"basic","requires_verification":false,"anonymous_user_enabled":false,` +
|
||||
`"password_min_length":8,"has_users":true,"oauth_enabled":false}`
|
||||
|
||||
verbaHealth := `{"message":"Alive!","production":"Local","gtag":"",` +
|
||||
`"deployments":{"WEAVIATE_URL_VERBA":"https://my-cluster.weaviate.network",` +
|
||||
`"WEAVIATE_API_KEY_VERBA":"sk-weaviate-AbC123secret"},"default_deployment":"Weaviate"}`
|
||||
|
||||
t.Run("a fastgpt init is flagged with its system title", func(t *testing.T) {
|
||||
res := runRAGUIModule(t, fastgpt, 200, fastgptInit)
|
||||
if len(res.Findings) == 0 {
|
||||
t.Fatal("expected a fastgpt finding")
|
||||
}
|
||||
if v := ragUIExtract(res, "fastgpt_title"); v != "FastGPT" {
|
||||
t.Errorf("fastgpt_title=%q, want FastGPT", v)
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a body without feConfigs is not flagged as fastgpt", func(t *testing.T) {
|
||||
body := `{"data":{"modelProviders":[],"aiproxyChannels":[]}}`
|
||||
if res := runRAGUIModule(t, fastgpt, 200, body); len(res.Findings) > 0 {
|
||||
t.Errorf("a body without feConfigs should not match fastgpt, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a body without aiproxyChannels is not flagged as fastgpt", func(t *testing.T) {
|
||||
body := `{"data":{"feConfigs":{},"modelProviders":[]}}`
|
||||
if res := runRAGUIModule(t, fastgpt, 200, body); len(res.Findings) > 0 {
|
||||
t.Errorf("a body without aiproxyChannels should not match fastgpt, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a perplexica config is flagged with its searxng url", func(t *testing.T) {
|
||||
res := runRAGUIModule(t, perplexica, 200, perplexicaConfig)
|
||||
if len(res.Findings) == 0 {
|
||||
t.Fatal("expected a perplexica finding")
|
||||
}
|
||||
if v := ragUIExtract(res, "perplexica_searxng"); v != "http://searxng:8080" {
|
||||
t.Errorf("perplexica_searxng=%q, want http://searxng:8080", v)
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a body without searxngURL is not flagged as perplexica", func(t *testing.T) {
|
||||
body := `{"values":{"general":{"measureUnit":"Metric","autoMediaSearch":true}}}`
|
||||
if res := runRAGUIModule(t, perplexica, 200, body); len(res.Findings) > 0 {
|
||||
t.Errorf("a body without searxngURL should not match perplexica, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a body without autoMediaSearch is not flagged as perplexica", func(t *testing.T) {
|
||||
body := `{"values":{"general":{"measureUnit":"Metric"},"search":{"searxngURL":"http://x"}}}`
|
||||
if res := runRAGUIModule(t, perplexica, 200, body); len(res.Findings) > 0 {
|
||||
t.Errorf("a body without autoMediaSearch should not match perplexica, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("an onyx auth type is flagged with its auth scheme", func(t *testing.T) {
|
||||
res := runRAGUIModule(t, onyx, 200, onyxAuth)
|
||||
if len(res.Findings) == 0 {
|
||||
t.Fatal("expected an onyx finding")
|
||||
}
|
||||
if v := ragUIExtract(res, "onyx_auth_type"); v != "basic" {
|
||||
t.Errorf("onyx_auth_type=%q, want basic", v)
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a body without anonymous_user_enabled is not flagged as onyx", func(t *testing.T) {
|
||||
body := `{"auth_type":"basic","requires_verification":false,"password_min_length":8}`
|
||||
if res := runRAGUIModule(t, onyx, 200, body); len(res.Findings) > 0 {
|
||||
t.Errorf("a body without anonymous_user_enabled should not match onyx, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a body without password_min_length is not flagged as onyx", func(t *testing.T) {
|
||||
body := `{"auth_type":"basic","requires_verification":false,"anonymous_user_enabled":false}`
|
||||
if res := runRAGUIModule(t, onyx, 200, body); len(res.Findings) > 0 {
|
||||
t.Errorf("a body without password_min_length should not match onyx, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a verba health is flagged and leaks the weaviate url", func(t *testing.T) {
|
||||
res := runRAGUIModule(t, verba, 200, verbaHealth)
|
||||
if len(res.Findings) == 0 {
|
||||
t.Fatal("expected a verba finding")
|
||||
}
|
||||
if v := ragUIExtract(res, "verba_weaviate_url"); v != "https://my-cluster.weaviate.network" {
|
||||
t.Errorf("verba_weaviate_url=%q, want https://my-cluster.weaviate.network", v)
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a body without WEAVIATE_API_KEY_VERBA is not flagged as verba", func(t *testing.T) {
|
||||
body := `{"message":"Alive!","deployments":{"WEAVIATE_URL_VERBA":"http://x"},"default_deployment":""}`
|
||||
if res := runRAGUIModule(t, verba, 200, body); len(res.Findings) > 0 {
|
||||
t.Errorf("a body without WEAVIATE_API_KEY_VERBA should not match verba, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a body without WEAVIATE_URL_VERBA is not flagged as verba", func(t *testing.T) {
|
||||
body := `{"message":"Alive!","deployments":{"WEAVIATE_API_KEY_VERBA":"k"},"default_deployment":""}`
|
||||
if res := runRAGUIModule(t, verba, 200, body); len(res.Findings) > 0 {
|
||||
t.Errorf("a body without WEAVIATE_URL_VERBA should not match verba, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a body without default_deployment is not flagged as verba", func(t *testing.T) {
|
||||
body := `{"message":"Alive!","deployments":{"WEAVIATE_URL_VERBA":"http://x","WEAVIATE_API_KEY_VERBA":"k"}}`
|
||||
if res := runRAGUIModule(t, verba, 200, body); len(res.Findings) > 0 {
|
||||
t.Errorf("a body without default_deployment should not match verba, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a verba health with an empty weaviate url is not flagged", func(t *testing.T) {
|
||||
body := `{"message":"Alive!","production":"Local","deployments":{"WEAVIATE_URL_VERBA":"",` +
|
||||
`"WEAVIATE_API_KEY_VERBA":""},"default_deployment":""}`
|
||||
if res := runRAGUIModule(t, verba, 200, body); len(res.Findings) > 0 {
|
||||
t.Errorf("an embedded verba that leaks no backend url should not match, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a generic alive health is not flagged as verba", func(t *testing.T) {
|
||||
body := `{"message":"Alive!","status":"ok","uptime":1234}`
|
||||
if res := runRAGUIModule(t, verba, 200, body); len(res.Findings) > 0 {
|
||||
t.Errorf("a generic health should not match verba, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a plain 200 body is not a leak", func(t *testing.T) {
|
||||
for _, file := range []string{perplexica, verba, onyx, fastgpt} {
|
||||
if res := runRAGUIModule(t, file, 200, "ok"); len(res.Findings) > 0 {
|
||||
t.Errorf("%s: a plain 200 body should not match, got %d findings", file, len(res.Findings))
|
||||
}
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a 404 is not a leak", func(t *testing.T) {
|
||||
for _, file := range []string{perplexica, verba, onyx, fastgpt} {
|
||||
if res := runRAGUIModule(t, file, 404, "not found"); len(res.Findings) > 0 {
|
||||
t.Errorf("%s: a 404 should not match, got %d findings", file, len(res.Findings))
|
||||
}
|
||||
}
|
||||
})
|
||||
|
||||
}
|
||||
@@ -0,0 +1,204 @@
|
||||
package modules_test
|
||||
|
||||
import (
|
||||
"context"
|
||||
"net/http"
|
||||
"net/http/httptest"
|
||||
"testing"
|
||||
"time"
|
||||
|
||||
"github.com/vmfunc/sif/internal/modules"
|
||||
)
|
||||
|
||||
func runUIExposureModule(t *testing.T, file string, status int, body string) *modules.Result {
|
||||
t.Helper()
|
||||
def, err := modules.ParseYAMLModule(file)
|
||||
if err != nil {
|
||||
t.Fatalf("parse %s: %v", file, err)
|
||||
}
|
||||
srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||
w.WriteHeader(status)
|
||||
_, _ = w.Write([]byte(body))
|
||||
}))
|
||||
defer srv.Close()
|
||||
|
||||
res, err := modules.ExecuteHTTPModule(context.Background(), srv.URL, def, modules.Options{
|
||||
Timeout: 5 * time.Second,
|
||||
Threads: 2,
|
||||
})
|
||||
if err != nil {
|
||||
t.Fatalf("execute %s: %v", file, err)
|
||||
}
|
||||
return res
|
||||
}
|
||||
|
||||
func uiExtract(res *modules.Result, key string) string {
|
||||
for _, f := range res.Findings {
|
||||
if v := f.Extracted[key]; v != "" {
|
||||
return v
|
||||
}
|
||||
}
|
||||
return ""
|
||||
}
|
||||
|
||||
func TestLLMUIExposureModules(t *testing.T) {
|
||||
const openWebUI = "../../modules/recon/open-webui-exposure.yaml"
|
||||
const librechat = "../../modules/recon/librechat-exposure.yaml"
|
||||
const nextchat = "../../modules/recon/nextchat-config-exposure.yaml"
|
||||
const anythingllm = "../../modules/recon/anythingllm-exposure.yaml"
|
||||
|
||||
openWebUIConfig := `{"status":true,"name":"Open WebUI","version":"0.6.15","default_locale":"",` +
|
||||
`"oauth":{"providers":{}},"features":{"auth":false,"auth_trusted_header":false,` +
|
||||
`"enable_ldap":false,"enable_signup":true,"enable_login_form":true,"enable_websocket":true}}`
|
||||
|
||||
librechatConfig := `{"appTitle":"LibreChat","serverDomain":"https://chat.example.com",` +
|
||||
`"emailLoginEnabled":true,"registrationEnabled":true,"socialLogins":["google","github"]}`
|
||||
|
||||
nextchatConfig := `{"needCode":false,"hideUserApiKey":false,"disableGPT4":false,` +
|
||||
`"hideBalanceQuery":true,"disableFastLink":false,"customModels":"","defaultModel":"gpt-4o-mini",` +
|
||||
`"visionModels":""}`
|
||||
|
||||
anythingllmSetup := `{"results":{"RequiresAuth":false,"MultiUserMode":false,"EmbeddingEngine":"native",` +
|
||||
`"VectorDB":"lancedb","LLMProvider":"openai","LLMModel":"gpt-4o","WhisperProvider":"local"}}`
|
||||
|
||||
t.Run("an open webui with auth disabled is flagged with its version", func(t *testing.T) {
|
||||
res := runUIExposureModule(t, openWebUI, 200, openWebUIConfig)
|
||||
if len(res.Findings) == 0 {
|
||||
t.Fatal("expected an open webui finding")
|
||||
}
|
||||
if v := uiExtract(res, "open_webui_version"); v != "0.6.15" {
|
||||
t.Errorf("open_webui_version=%q, want 0.6.15", v)
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a rebranded open webui with auth disabled is still flagged", func(t *testing.T) {
|
||||
body := `{"status":true,"name":"Acme AI Portal","version":"0.6.15",` +
|
||||
`"features":{"auth":false,"auth_trusted_header":false,"enable_signup":true}}`
|
||||
res := runUIExposureModule(t, openWebUI, 200, body)
|
||||
if len(res.Findings) == 0 {
|
||||
t.Fatal("expected a finding for a rebranded open webui")
|
||||
}
|
||||
if v := uiExtract(res, "open_webui_version"); v != "0.6.15" {
|
||||
t.Errorf("open_webui_version=%q, want 0.6.15", v)
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a librechat with open registration is flagged with its title", func(t *testing.T) {
|
||||
res := runUIExposureModule(t, librechat, 200, librechatConfig)
|
||||
if len(res.Findings) == 0 {
|
||||
t.Fatal("expected a librechat finding")
|
||||
}
|
||||
if v := uiExtract(res, "librechat_title"); v != "LibreChat" {
|
||||
t.Errorf("librechat_title=%q, want LibreChat", v)
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("an open webui with auth enabled is not flagged", func(t *testing.T) {
|
||||
body := `{"status":true,"name":"Open WebUI","version":"0.6.15",` +
|
||||
`"features":{"auth":true,"auth_trusted_header":false,"enable_signup":true}}`
|
||||
if res := runUIExposureModule(t, openWebUI, 200, body); len(res.Findings) > 0 {
|
||||
t.Errorf("an auth-enabled open webui should not match, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("an open webui auth_trusted_header false does not satisfy the auth regex", func(t *testing.T) {
|
||||
body := `{"status":true,"name":"Open WebUI","version":"0.6.15",` +
|
||||
`"features":{"auth":true,"auth_trusted_header":false}}`
|
||||
if res := runUIExposureModule(t, openWebUI, 200, body); len(res.Findings) > 0 {
|
||||
t.Errorf("auth_trusted_header false should not match the auth regex, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a librechat with registration disabled is not flagged", func(t *testing.T) {
|
||||
body := `{"appTitle":"LibreChat","emailLoginEnabled":true,"registrationEnabled":false,"socialLogins":[]}`
|
||||
if res := runUIExposureModule(t, librechat, 200, body); len(res.Findings) > 0 {
|
||||
t.Errorf("a closed-registration librechat should not match, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("an unrelated app with open registration is not flagged as librechat", func(t *testing.T) {
|
||||
body := `{"name":"otherapp","registrationEnabled":true}`
|
||||
if res := runUIExposureModule(t, librechat, 200, body); len(res.Findings) > 0 {
|
||||
t.Errorf("an unrelated app should not match librechat, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a nextchat config is flagged and reports its access-code gate", func(t *testing.T) {
|
||||
res := runUIExposureModule(t, nextchat, 200, nextchatConfig)
|
||||
if len(res.Findings) == 0 {
|
||||
t.Fatal("expected a nextchat finding")
|
||||
}
|
||||
if v := uiExtract(res, "nextchat_needcode"); v != "false" {
|
||||
t.Errorf("nextchat_needcode=%q, want false", v)
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a body without needCode is not flagged as nextchat", func(t *testing.T) {
|
||||
body := `{"hideUserApiKey":false,"hideBalanceQuery":true}`
|
||||
if res := runUIExposureModule(t, nextchat, 200, body); len(res.Findings) > 0 {
|
||||
t.Errorf("a body without needCode should not match nextchat, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a body without hideUserApiKey is not flagged as nextchat", func(t *testing.T) {
|
||||
body := `{"needCode":false,"hideBalanceQuery":true}`
|
||||
if res := runUIExposureModule(t, nextchat, 200, body); len(res.Findings) > 0 {
|
||||
t.Errorf("a body without hideUserApiKey should not match nextchat, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a body without hideBalanceQuery is not flagged as nextchat", func(t *testing.T) {
|
||||
body := `{"needCode":false,"hideUserApiKey":false}`
|
||||
if res := runUIExposureModule(t, nextchat, 200, body); len(res.Findings) > 0 {
|
||||
t.Errorf("a body without hideBalanceQuery should not match nextchat, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a code-gated nextchat is not flagged", func(t *testing.T) {
|
||||
body := `{"needCode":true,"hideUserApiKey":false,"hideBalanceQuery":true,"disableGPT4":false}`
|
||||
if res := runUIExposureModule(t, nextchat, 200, body); len(res.Findings) > 0 {
|
||||
t.Errorf("a needCode:true nextchat is access-code gated and should not match, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("an anythingllm setup is flagged with its model", func(t *testing.T) {
|
||||
res := runUIExposureModule(t, anythingllm, 200, anythingllmSetup)
|
||||
if len(res.Findings) == 0 {
|
||||
t.Fatal("expected an anythingllm finding")
|
||||
}
|
||||
if v := uiExtract(res, "anythingllm_model"); v != "gpt-4o" {
|
||||
t.Errorf("anythingllm_model=%q, want gpt-4o", v)
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a body without LLMProvider is not flagged as anythingllm", func(t *testing.T) {
|
||||
body := `{"results":{"VectorDB":"lancedb","EmbeddingEngine":"native"}}`
|
||||
if res := runUIExposureModule(t, anythingllm, 200, body); len(res.Findings) > 0 {
|
||||
t.Errorf("a body without LLMProvider should not match anythingllm, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a body without a VectorDB is not flagged as anythingllm", func(t *testing.T) {
|
||||
body := `{"results":{"LLMProvider":"openai","EmbeddingEngine":"native"}}`
|
||||
if res := runUIExposureModule(t, anythingllm, 200, body); len(res.Findings) > 0 {
|
||||
t.Errorf("a body without VectorDB should not match anythingllm, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a plain 200 body is not a leak", func(t *testing.T) {
|
||||
for _, file := range []string{openWebUI, librechat, anythingllm, nextchat} {
|
||||
if res := runUIExposureModule(t, file, 200, "ok"); len(res.Findings) > 0 {
|
||||
t.Errorf("%s: a plain 200 body should not match, got %d findings", file, len(res.Findings))
|
||||
}
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a 404 is not a leak", func(t *testing.T) {
|
||||
for _, file := range []string{openWebUI, librechat, anythingllm, nextchat} {
|
||||
if res := runUIExposureModule(t, file, 404, "not found"); len(res.Findings) > 0 {
|
||||
t.Errorf("%s: a 404 should not match, got %d findings", file, len(res.Findings))
|
||||
}
|
||||
}
|
||||
})
|
||||
|
||||
}
|
||||
@@ -19,7 +19,7 @@ import (
|
||||
"runtime"
|
||||
|
||||
"github.com/charmbracelet/log"
|
||||
"github.com/dropalldatabases/sif/internal/output"
|
||||
"github.com/vmfunc/sif/internal/output"
|
||||
)
|
||||
|
||||
// Loader handles module discovery and loading.
|
||||
|
||||
@@ -0,0 +1,269 @@
|
||||
/*
|
||||
·━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━·
|
||||
: :
|
||||
: █▀ █ █▀▀ · Blazing-fast pentesting suite :
|
||||
: ▄█ █ █▀ · BSD 3-Clause License :
|
||||
: :
|
||||
: (c) 2022-2026 vmfunc, xyzeva, :
|
||||
: lunchcat alumni & contributors :
|
||||
: :
|
||||
·━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━·
|
||||
*/
|
||||
|
||||
package modules
|
||||
|
||||
import (
|
||||
"os"
|
||||
"path/filepath"
|
||||
"testing"
|
||||
)
|
||||
|
||||
// writeModule drops a yaml file into a temp dir and returns its path.
|
||||
func writeModule(t *testing.T, dir, name, content string) string {
|
||||
t.Helper()
|
||||
path := filepath.Join(dir, name)
|
||||
if err := os.WriteFile(path, []byte(content), 0o600); err != nil {
|
||||
t.Fatalf("write module: %v", err)
|
||||
}
|
||||
return path
|
||||
}
|
||||
|
||||
func TestParseYAMLModuleValid(t *testing.T) {
|
||||
const doc = `id: example-http
|
||||
type: http
|
||||
info:
|
||||
name: Example
|
||||
author: azzie
|
||||
severity: medium
|
||||
description: a test module
|
||||
tags: [test, demo]
|
||||
http:
|
||||
method: GET
|
||||
paths:
|
||||
- "{{BaseURL}}/admin"
|
||||
matchers:
|
||||
- type: status
|
||||
status: [200]
|
||||
- type: word
|
||||
part: body
|
||||
words: ["admin"]
|
||||
condition: and
|
||||
extractors:
|
||||
- type: regex
|
||||
name: token
|
||||
part: body
|
||||
regex: ["token=(\\w+)"]
|
||||
group: 1
|
||||
`
|
||||
dir := t.TempDir()
|
||||
path := writeModule(t, dir, "ok.yaml", doc)
|
||||
|
||||
def, err := ParseYAMLModule(path)
|
||||
if err != nil {
|
||||
t.Fatalf("ParseYAMLModule: %v", err)
|
||||
}
|
||||
if def.ID != "example-http" {
|
||||
t.Errorf("id = %q, want example-http", def.ID)
|
||||
}
|
||||
if def.Type != TypeHTTP {
|
||||
t.Errorf("type = %q, want http", def.Type)
|
||||
}
|
||||
if def.Info.Severity != "medium" {
|
||||
t.Errorf("severity = %q, want medium", def.Info.Severity)
|
||||
}
|
||||
if def.HTTP == nil {
|
||||
t.Fatal("http config not parsed")
|
||||
}
|
||||
if len(def.HTTP.Matchers) != 2 {
|
||||
t.Errorf("got %d matchers, want 2", len(def.HTTP.Matchers))
|
||||
}
|
||||
if len(def.HTTP.Extractors) != 1 || def.HTTP.Extractors[0].Group != 1 {
|
||||
t.Errorf("extractor not parsed correctly: %+v", def.HTTP.Extractors)
|
||||
}
|
||||
if len(def.Info.Tags) != 2 {
|
||||
t.Errorf("got %d tags, want 2", len(def.Info.Tags))
|
||||
}
|
||||
}
|
||||
|
||||
func TestParseYAMLModuleErrors(t *testing.T) {
|
||||
dir := t.TempDir()
|
||||
|
||||
tests := []struct {
|
||||
name string
|
||||
content string
|
||||
}{
|
||||
{
|
||||
name: "missing id",
|
||||
content: "type: http\nhttp:\n paths: [\"/\"]\n",
|
||||
},
|
||||
{
|
||||
name: "missing type",
|
||||
content: "id: no-type\nhttp:\n paths: [\"/\"]\n",
|
||||
},
|
||||
{
|
||||
name: "malformed yaml",
|
||||
content: "id: bad\ntype: http\n paths: [unbalanced\n : nope\n",
|
||||
},
|
||||
{
|
||||
// a scalar where a mapping is expected must fail to unmarshal.
|
||||
name: "type mismatch",
|
||||
content: "id: bad-shape\ntype: http\nhttp: \"should-be-a-map\"\n",
|
||||
},
|
||||
}
|
||||
|
||||
for _, tt := range tests {
|
||||
t.Run(tt.name, func(t *testing.T) {
|
||||
path := writeModule(t, dir, tt.name+".yaml", tt.content)
|
||||
if _, err := ParseYAMLModule(path); err == nil {
|
||||
t.Fatalf("expected error for %s", tt.name)
|
||||
}
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
func TestParseYAMLModuleMissingFile(t *testing.T) {
|
||||
if _, err := ParseYAMLModule(filepath.Join(t.TempDir(), "does-not-exist.yaml")); err == nil {
|
||||
t.Fatal("expected error for missing file")
|
||||
}
|
||||
}
|
||||
|
||||
func TestYAMLModuleWrapperInfoAndType(t *testing.T) {
|
||||
def := &YAMLModule{
|
||||
ID: "wrap-test",
|
||||
Type: TypeHTTP,
|
||||
Info: YAMLModuleInfo{
|
||||
Name: "Wrapped",
|
||||
Author: "azzie",
|
||||
Severity: "low",
|
||||
Description: "desc",
|
||||
Tags: []string{"a", "b"},
|
||||
},
|
||||
}
|
||||
w := newYAMLModuleWrapper(def, "wrap.yaml")
|
||||
|
||||
if w.Type() != TypeHTTP {
|
||||
t.Errorf("Type() = %q, want http", w.Type())
|
||||
}
|
||||
info := w.Info()
|
||||
if info.ID != "wrap-test" || info.Name != "Wrapped" || info.Severity != "low" {
|
||||
t.Errorf("Info() mismatch: %+v", info)
|
||||
}
|
||||
if len(info.Tags) != 2 {
|
||||
t.Errorf("Info().Tags = %v, want 2 entries", info.Tags)
|
||||
}
|
||||
}
|
||||
|
||||
// TestLoaderLoadAll exercises the directory walk: a valid module registers, a
|
||||
// malformed one is skipped without aborting the walk.
|
||||
func TestLoaderLoadAll(t *testing.T) {
|
||||
Clear()
|
||||
t.Cleanup(Clear)
|
||||
|
||||
dir := t.TempDir()
|
||||
writeModule(t, dir, "good.yaml", "id: good-mod\ntype: http\nhttp:\n paths: [\"{{BaseURL}}/\"]\n matchers:\n - type: status\n status: [200]\n")
|
||||
writeModule(t, dir, "bad.yml", "id: bad-mod\n") // missing type -> skipped
|
||||
writeModule(t, dir, "ignore.txt", "not a module")
|
||||
|
||||
l := &Loader{builtinDir: dir, userDir: filepath.Join(dir, "nonexistent-user")}
|
||||
if err := l.LoadAll(); err != nil {
|
||||
t.Fatalf("LoadAll: %v", err)
|
||||
}
|
||||
|
||||
// only the good module loads; the malformed one is logged and skipped.
|
||||
if l.Loaded() != 1 {
|
||||
t.Errorf("Loaded() = %d, want 1", l.Loaded())
|
||||
}
|
||||
if _, ok := Get("good-mod"); !ok {
|
||||
t.Error("good-mod not registered")
|
||||
}
|
||||
if _, ok := Get("bad-mod"); ok {
|
||||
t.Error("bad-mod should not have registered")
|
||||
}
|
||||
}
|
||||
|
||||
func TestNewLoaderDirs(t *testing.T) {
|
||||
l, err := NewLoader()
|
||||
if err != nil {
|
||||
t.Fatalf("NewLoader: %v", err)
|
||||
}
|
||||
if l.BuiltinDir() == "" {
|
||||
t.Error("BuiltinDir is empty")
|
||||
}
|
||||
if l.UserDir() == "" {
|
||||
t.Error("UserDir is empty")
|
||||
}
|
||||
}
|
||||
|
||||
// TestRegistry exercises the package-level registry: register, get, dedupe by
|
||||
// id, filter by tag and type, count and clear.
|
||||
func TestRegistry(t *testing.T) {
|
||||
Clear()
|
||||
t.Cleanup(Clear)
|
||||
|
||||
http1 := newYAMLModuleWrapper(&YAMLModule{ID: "h1", Type: TypeHTTP, Info: YAMLModuleInfo{Tags: []string{"web", "cve"}}}, "h1")
|
||||
http2 := newYAMLModuleWrapper(&YAMLModule{ID: "h2", Type: TypeHTTP, Info: YAMLModuleInfo{Tags: []string{"web"}}}, "h2")
|
||||
dns1 := newYAMLModuleWrapper(&YAMLModule{ID: "d1", Type: TypeDNS, Info: YAMLModuleInfo{Tags: []string{"dns"}}}, "d1")
|
||||
|
||||
Register(http1)
|
||||
Register(http2)
|
||||
Register(dns1)
|
||||
|
||||
if Count() != 3 {
|
||||
t.Fatalf("Count() = %d, want 3", Count())
|
||||
}
|
||||
|
||||
got, ok := Get("h1")
|
||||
if !ok || got.Info().ID != "h1" {
|
||||
t.Errorf("Get(h1) = %v, %v", got, ok)
|
||||
}
|
||||
if _, ok := Get("missing"); ok {
|
||||
t.Error("Get(missing) should report not found")
|
||||
}
|
||||
|
||||
if n := len(ByType(TypeHTTP)); n != 2 {
|
||||
t.Errorf("ByType(http) = %d, want 2", n)
|
||||
}
|
||||
if n := len(ByType(TypeDNS)); n != 1 {
|
||||
t.Errorf("ByType(dns) = %d, want 1", n)
|
||||
}
|
||||
if n := len(ByTag("web")); n != 2 {
|
||||
t.Errorf("ByTag(web) = %d, want 2", n)
|
||||
}
|
||||
if n := len(ByTag("cve")); n != 1 {
|
||||
t.Errorf("ByTag(cve) = %d, want 1", n)
|
||||
}
|
||||
if n := len(ByTag("none")); n != 0 {
|
||||
t.Errorf("ByTag(none) = %d, want 0", n)
|
||||
}
|
||||
if n := len(All()); n != 3 {
|
||||
t.Errorf("All() = %d, want 3", n)
|
||||
}
|
||||
|
||||
// re-registering the same id overwrites rather than duplicating.
|
||||
Register(newYAMLModuleWrapper(&YAMLModule{ID: "h1", Type: TypeHTTP}, "h1-v2"))
|
||||
if Count() != 3 {
|
||||
t.Errorf("Count() after re-register = %d, want 3", Count())
|
||||
}
|
||||
|
||||
Clear()
|
||||
if Count() != 0 {
|
||||
t.Errorf("Count() after Clear = %d, want 0", Count())
|
||||
}
|
||||
}
|
||||
|
||||
// TestResultType pins the ScanResult interface bridge.
|
||||
func TestResultType(t *testing.T) {
|
||||
r := &Result{ModuleID: "abc"}
|
||||
if r.ResultType() != "abc" {
|
||||
t.Errorf("ResultType() = %q, want abc", r.ResultType())
|
||||
}
|
||||
}
|
||||
|
||||
// TestLoaderScriptStubNoop confirms the go-script loader is currently a no-op
|
||||
// that registers nothing and returns no error.
|
||||
func TestLoaderScriptStubNoop(t *testing.T) {
|
||||
l := &Loader{}
|
||||
if err := l.loadScript("anything.go"); err != nil {
|
||||
t.Errorf("loadScript stub returned error: %v", err)
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,106 @@
|
||||
/*
|
||||
·━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━·
|
||||
: :
|
||||
: █▀ █ █▀▀ · Blazing-fast pentesting suite :
|
||||
: ▄█ █ █▀ · BSD 3-Clause License :
|
||||
: :
|
||||
: (c) 2022-2026 vmfunc, xyzeva, :
|
||||
: lunchcat alumni & contributors :
|
||||
: :
|
||||
·━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━·
|
||||
*/
|
||||
|
||||
package modules_test
|
||||
|
||||
import (
|
||||
"context"
|
||||
"net/http"
|
||||
"net/http/httptest"
|
||||
"testing"
|
||||
"time"
|
||||
|
||||
"github.com/vmfunc/sif/internal/modules"
|
||||
)
|
||||
|
||||
func runLoginModule(t *testing.T, file string, status int, headers map[string]string, body string) *modules.Result {
|
||||
t.Helper()
|
||||
def, err := modules.ParseYAMLModule(file)
|
||||
if err != nil {
|
||||
t.Fatalf("parse %s: %v", file, err)
|
||||
}
|
||||
srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||
for k, v := range headers {
|
||||
w.Header().Set(k, v)
|
||||
}
|
||||
w.WriteHeader(status)
|
||||
_, _ = w.Write([]byte(body))
|
||||
}))
|
||||
defer srv.Close()
|
||||
|
||||
res, err := modules.ExecuteHTTPModule(context.Background(), srv.URL, def, modules.Options{
|
||||
Timeout: 5 * time.Second,
|
||||
Threads: 2,
|
||||
})
|
||||
if err != nil {
|
||||
t.Fatalf("execute %s: %v", file, err)
|
||||
}
|
||||
return res
|
||||
}
|
||||
|
||||
func loginExtract(res *modules.Result, key string) string {
|
||||
for _, f := range res.Findings {
|
||||
if v := f.Extracted[key]; v != "" {
|
||||
return v
|
||||
}
|
||||
}
|
||||
return ""
|
||||
}
|
||||
|
||||
func TestLoginPanelModules(t *testing.T) {
|
||||
const grafana = "../../modules/info/grafana-panel.yaml"
|
||||
const kibana = "../../modules/info/kibana-panel.yaml"
|
||||
const jenkins = "../../modules/info/jenkins-panel.yaml"
|
||||
|
||||
grafanaBody := `<body class="app-grafana"><grafana-app></grafana-app>` +
|
||||
`<script>window.grafanaBootData = {"settings":{"buildInfo":{"version":"10.4.2","commit":"abc"}}};</script></body>`
|
||||
kibanaBody := `<div data-test-subj="kibanaChrome"><kbn-injected-metadata data="x"></kbn-injected-metadata></div>`
|
||||
|
||||
t.Run("grafana login", func(t *testing.T) {
|
||||
res := runLoginModule(t, grafana, 200, nil, grafanaBody)
|
||||
if len(res.Findings) == 0 {
|
||||
t.Fatal("expected a grafana finding")
|
||||
}
|
||||
if v := loginExtract(res, "grafana_version"); v != "10.4.2" {
|
||||
t.Errorf("grafana_version=%q, want 10.4.2", v)
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("kibana via response headers", func(t *testing.T) {
|
||||
res := runLoginModule(t, kibana, 200, map[string]string{"kbn-version": "8.13.0", "kbn-name": "node-1"}, kibanaBody)
|
||||
if len(res.Findings) == 0 {
|
||||
t.Fatal("expected a kibana finding")
|
||||
}
|
||||
if v := loginExtract(res, "kibana_version"); v != "8.13.0" {
|
||||
t.Errorf("kibana_version=%q, want 8.13.0", v)
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("jenkins via X-Jenkins header on a 403", func(t *testing.T) {
|
||||
res := runLoginModule(t, jenkins, 403, map[string]string{"X-Jenkins": "2.426.1"},
|
||||
`<html><head><title>Authentication required</title></head></html>`)
|
||||
if len(res.Findings) == 0 {
|
||||
t.Fatal("expected a jenkins finding")
|
||||
}
|
||||
if v := loginExtract(res, "jenkins_version"); v != "2.426.1" {
|
||||
t.Errorf("jenkins_version=%q, want 2.426.1", v)
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("unrelated page is not a panel", func(t *testing.T) {
|
||||
for _, file := range []string{grafana, kibana, jenkins} {
|
||||
if res := runLoginModule(t, file, 200, nil, "<html><body>plain</body></html>"); len(res.Findings) > 0 {
|
||||
t.Errorf("%s: unrelated page should not match, got %d findings", file, len(res.Findings))
|
||||
}
|
||||
}
|
||||
})
|
||||
}
|
||||
@@ -0,0 +1,155 @@
|
||||
package modules_test
|
||||
|
||||
import (
|
||||
"context"
|
||||
"net/http"
|
||||
"net/http/httptest"
|
||||
"testing"
|
||||
"time"
|
||||
|
||||
"github.com/vmfunc/sif/internal/modules"
|
||||
)
|
||||
|
||||
func runMgmtModule(t *testing.T, file string, status int, body string) *modules.Result {
|
||||
t.Helper()
|
||||
def, err := modules.ParseYAMLModule(file)
|
||||
if err != nil {
|
||||
t.Fatalf("parse %s: %v", file, err)
|
||||
}
|
||||
srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||
w.WriteHeader(status)
|
||||
_, _ = w.Write([]byte(body))
|
||||
}))
|
||||
defer srv.Close()
|
||||
|
||||
res, err := modules.ExecuteHTTPModule(context.Background(), srv.URL, def, modules.Options{
|
||||
Timeout: 5 * time.Second,
|
||||
Threads: 2,
|
||||
})
|
||||
if err != nil {
|
||||
t.Fatalf("execute %s: %v", file, err)
|
||||
}
|
||||
return res
|
||||
}
|
||||
|
||||
func mgmtExtract(res *modules.Result, key string) string {
|
||||
for _, f := range res.Findings {
|
||||
if v := f.Extracted[key]; v != "" {
|
||||
return v
|
||||
}
|
||||
}
|
||||
return ""
|
||||
}
|
||||
|
||||
func TestManagementAPIExposureModules(t *testing.T) {
|
||||
const kong = "../../modules/recon/kong-api-exposure.yaml"
|
||||
const jolokia = "../../modules/recon/jolokia-api-exposure.yaml"
|
||||
const nats = "../../modules/recon/nats-api-exposure.yaml"
|
||||
|
||||
kongRoot := `{"version":"3.4.0","tagline":"Welcome to kong","hostname":"kong-node","node_id":"abc",` +
|
||||
`"lua_version":"LuaJIT 2.1.0","plugins":{"available_on_server":{}},` +
|
||||
`"configuration":{"database":"postgres","admin_listen":["0.0.0.0:8001"]}}`
|
||||
|
||||
jolokiaVersion := `{"request":{"type":"version"},"value":{"agent":"1.7.2","protocol":"7.2",` +
|
||||
`"config":{"agentType":"servlet"},"info":{"product":"tomcat"}},"status":200,"timestamp":1694598949}`
|
||||
|
||||
natsVarz := `{"server_id":"NDABC","server_name":"NDABC","version":"2.10.1","proto":1,"go":"go1.21.1",` +
|
||||
`"host":"0.0.0.0","port":4222,"max_connections":65536,"max_payload":1048576,"connections":3,"total_connections":10}`
|
||||
|
||||
t.Run("an exposed kong admin api is flagged and versioned", func(t *testing.T) {
|
||||
res := runMgmtModule(t, kong, 200, kongRoot)
|
||||
if len(res.Findings) == 0 {
|
||||
t.Fatal("expected a kong finding")
|
||||
}
|
||||
if v := mgmtExtract(res, "kong_version"); v != "3.4.0" {
|
||||
t.Errorf("kong_version=%q, want 3.4.0", v)
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("an exposed jolokia agent is flagged and versioned", func(t *testing.T) {
|
||||
res := runMgmtModule(t, jolokia, 200, jolokiaVersion)
|
||||
if len(res.Findings) == 0 {
|
||||
t.Fatal("expected a jolokia finding")
|
||||
}
|
||||
if v := mgmtExtract(res, "jolokia_agent_version"); v != "1.7.2" {
|
||||
t.Errorf("jolokia_agent_version=%q, want 1.7.2", v)
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("an exposed nats monitor is flagged and versioned", func(t *testing.T) {
|
||||
res := runMgmtModule(t, nats, 200, natsVarz)
|
||||
if len(res.Findings) == 0 {
|
||||
t.Fatal("expected a nats finding")
|
||||
}
|
||||
if v := mgmtExtract(res, "nats_version"); v != "2.10.1" {
|
||||
t.Errorf("nats_version=%q, want 2.10.1", v)
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("an available plugins map without an admin listen is not flagged", func(t *testing.T) {
|
||||
body := `{"plugins":{"available_on_server":{}},"version":"3.4.0"}`
|
||||
if res := runMgmtModule(t, kong, 200, body); len(res.Findings) > 0 {
|
||||
t.Errorf("an available plugins map alone should not match kong, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("an admin listen without an available plugins map is not flagged", func(t *testing.T) {
|
||||
body := `{"configuration":{"admin_listen":["0.0.0.0:8001"]},"version":"1.0"}`
|
||||
if res := runMgmtModule(t, kong, 200, body); len(res.Findings) > 0 {
|
||||
t.Errorf("an admin listen alone should not match kong, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a jolokia agent without a protocol is not flagged", func(t *testing.T) {
|
||||
body := `{"value":{"agent":"1.7.2"}}`
|
||||
if res := runMgmtModule(t, jolokia, 200, body); len(res.Findings) > 0 {
|
||||
t.Errorf("an agent alone should not match jolokia, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a jolokia protocol without an agent is not flagged", func(t *testing.T) {
|
||||
body := `{"value":{"protocol":"7.2"},"info":{}}`
|
||||
if res := runMgmtModule(t, jolokia, 200, body); len(res.Findings) > 0 {
|
||||
t.Errorf("a protocol alone should not match jolokia, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a nats server id without a max payload is not flagged", func(t *testing.T) {
|
||||
body := `{"server_id":"NDABC","version":"2.10.1"}`
|
||||
if res := runMgmtModule(t, nats, 200, body); len(res.Findings) > 0 {
|
||||
t.Errorf("a server id alone should not match nats, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a max payload without a nats server id is not flagged", func(t *testing.T) {
|
||||
body := `{"max_payload":1048576,"port":4222}`
|
||||
if res := runMgmtModule(t, nats, 200, body); len(res.Findings) > 0 {
|
||||
t.Errorf("a max payload alone should not match nats, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a generic version json is not a management api", func(t *testing.T) {
|
||||
body := `{"version":"1.0.0","name":"app"}`
|
||||
for _, file := range []string{kong, jolokia, nats} {
|
||||
if res := runMgmtModule(t, file, 200, body); len(res.Findings) > 0 {
|
||||
t.Errorf("%s: a generic version should not match, got %d findings", file, len(res.Findings))
|
||||
}
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a plain 200 body is not a leak", func(t *testing.T) {
|
||||
for _, file := range []string{kong, jolokia, nats} {
|
||||
if res := runMgmtModule(t, file, 200, "ok"); len(res.Findings) > 0 {
|
||||
t.Errorf("%s: a plain 200 body should not match, got %d findings", file, len(res.Findings))
|
||||
}
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a 404 is not a leak", func(t *testing.T) {
|
||||
for _, file := range []string{kong, jolokia, nats} {
|
||||
if res := runMgmtModule(t, file, 404, "not found"); len(res.Findings) > 0 {
|
||||
t.Errorf("%s: a 404 should not match, got %d findings", file, len(res.Findings))
|
||||
}
|
||||
}
|
||||
})
|
||||
}
|
||||
Some files were not shown because too many files have changed in this diff Show More
Reference in New Issue
Block a user