mirror of
https://github.com/lunchcat/sif.git
synced 2026-07-03 19:34:53 -07:00
72f59532cf
modules/recon/metabase-api-exposure.yaml flags a Metabase instance that exposes a live setup token without authentication, keyed on a non-null uuid token paired with the anonymous tracking setting, then extracts the version tag. A live token is the pre-auth chain behind CVE-2023-38646; a patched instance reports it as null and is left alone.

modules/recon/zeppelin-api-exposure.yaml flags an Apache Zeppelin server that discloses its version and build commit over the anonymous version api, keyed on the version banner paired with the git commit id, then extracts the version. The endpoint stays anonymous even on a shiro-secured instance, so this is rated as a version leak rather than an auth bypass.

modules/recon/jupyter-api-exposure.yaml flags a Jupyter server whose status api answers without a token, keyed on the activity, connections and kernels fields it reports, then extracts the running kernel count.

internal/modules/analytics_ui_exposure_test.go drives the three modules end to end through ExecuteHTTPModule and asserts the leak alongside the near misses a strict review wants pinned: each service with one keying field missing, a patched metabase that nulls its token, a generic version response, a plain 200 and a 404.

verify: go test ./internal/modules, each matcher and extractor proven to bite (break -> red, restore -> green).
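
The Metabase keying described in the commit message above, sketched as an added Go example for checking your own instance's response; it is not code from the sif repository. The JSON field names (`setup-token`, `anon-tracking-enabled`, `version.tag`) are assumptions taken from Metabase's session properties output, `CheckMetabase` is a hypothetical name, and every sample body is constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
)

// Field names are assumptions based on Metabase's session properties JSON;
// the commit message does not name them.
type metabaseProps struct {
	SetupToken   *string `json:"setup-token"`           // null on a patched instance
	AnonTracking *bool   `json:"anon-tracking-enabled"` // second keying field
	Version      struct {
		Tag string `json:"tag"`
	} `json:"version"`
}

var uuidRe = regexp.MustCompile(`^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$`)

// CheckMetabase returns (true, versionTag) only when an unauthenticated
// response carries a uuid-shaped setup token AND the tracking setting.
func CheckMetabase(status int, body []byte) (bool, string) {
	var p metabaseProps
	if status != 200 || json.Unmarshal(body, &p) != nil {
		return false, "" // 404, plain-text 200, or otherwise non-matching body
	}
	if p.SetupToken == nil || !uuidRe.MatchString(*p.SetupToken) {
		return false, "" // patched: token is null or absent
	}
	if p.AnonTracking == nil {
		return false, "" // one keying field missing: near miss
	}
	return true, p.Version.Tag
}

func main() {
	// Constructed sample bodies, not captured from any real host.
	samples := map[string]string{
		"live token": `{"setup-token":"00000000-0000-4000-8000-000000000000","anon-tracking-enabled":true,"version":{"tag":"v0.0.0-sample"}}`,
		"patched":    `{"setup-token":null,"anon-tracking-enabled":true,"version":{"tag":"v0.0.0-sample"}}`,
		"no setting": `{"setup-token":"00000000-0000-4000-8000-000000000000"}`,
		"plain 200":  `OK`,
	}
	for name, body := range samples {
		hit, tag := CheckMetabase(200, []byte(body))
		fmt.Printf("%-10s exposed=%v version=%q\n", name, hit, tag)
	}
}
```

Requiring both fields together is what keeps a generic JSON page that happens to contain a uuid from matching, and the null check is what leaves a patched instance alone.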