Files
sif/internal/modules/database_http_exposure_test.go
T
Tigah 3a289a3ac4 feat(modules): add clickhouse and dgraph exposure modules (#258)
add recon modules for self-hosted databases whose http interface is reachable
without credentials: clickhouse runs arbitrary sql because the default user has
an empty password, confirmed here by reading the server version through the
http interface, and the open-source dgraph alpha has no authentication so its
/health endpoint discloses the cluster while /query and /admin read and drop
all data; a clickhouse that requires a password returns 403 and an alpha behind
an authenticating proxy returns 401 and neither is flagged.
2026-07-02 13:22:24 -07:00

112 lines
3.9 KiB
Go

package modules_test
import (
"context"
"net/http"
"net/http/httptest"
"testing"
"time"
"github.com/vmfunc/sif/internal/modules"
)
func runDBHTTPModule(t *testing.T, file string, status int, body string) *modules.Result {
t.Helper()
def, err := modules.ParseYAMLModule(file)
if err != nil {
t.Fatalf("parse %s: %v", file, err)
}
srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
w.WriteHeader(status)
_, _ = w.Write([]byte(body))
}))
defer srv.Close()
res, err := modules.ExecuteHTTPModule(context.Background(), srv.URL, def, modules.Options{
Timeout: 5 * time.Second,
Threads: 2,
})
if err != nil {
t.Fatalf("execute %s: %v", file, err)
}
return res
}
func dbHTTPExtract(res *modules.Result, key string) string {
for _, f := range res.Findings {
if v := f.Extracted[key]; v != "" {
return v
}
}
return ""
}
func TestDatabaseHTTPExposureModules(t *testing.T) {
const clickhouse = "../../modules/recon/clickhouse-http-exposure.yaml"
const dgraph = "../../modules/recon/dgraph-api-exposure.yaml"
t.Run("a clickhouse FORMAT JSON result is flagged with the version", func(t *testing.T) {
body := `{"meta":[{"name":"version()","type":"String"}],"data":[{"version()":"24.3.1.2672"}],` +
`"rows":1,"statistics":{"elapsed":0.000123,"rows_read":1,"bytes_read":1}}`
res := runDBHTTPModule(t, clickhouse, 200, body)
if len(res.Findings) == 0 {
t.Fatal("expected a clickhouse finding")
}
if v := dbHTTPExtract(res, "clickhouse_version"); v != "24.3.1.2672" {
t.Errorf("clickhouse_version=%q, want 24.3.1.2672", v)
}
})
t.Run("a json result without the statistics envelope is not flagged as clickhouse", func(t *testing.T) {
body := `{"meta":[{"name":"x"}],"data":[{"x":1}],"rows":1}`
if res := runDBHTTPModule(t, clickhouse, 200, body); len(res.Findings) > 0 {
t.Errorf("a statless json result should not match clickhouse, got %d findings", len(res.Findings))
}
})
t.Run("a dgraph alpha health is flagged with its version", func(t *testing.T) {
body := `[{"instance":"alpha","address":"localhost:7080","status":"healthy","group":"0",` +
`"version":"v23.1.0","uptime":3600,"lastEcho":1700000000,"ongoing":["opRollup"],"max_assigned":30002}]`
res := runDBHTTPModule(t, dgraph, 200, body)
if len(res.Findings) == 0 {
t.Fatal("expected a dgraph finding")
}
if v := dbHTTPExtract(res, "dgraph_version"); v != "v23.1.0" {
t.Errorf("dgraph_version=%q, want v23.1.0", v)
}
})
t.Run("a dgraph alpha health without max_assigned is not flagged", func(t *testing.T) {
body := `[{"instance":"alpha","status":"healthy","lastEcho":1700000000}]`
if res := runDBHTTPModule(t, dgraph, 200, body); len(res.Findings) > 0 {
t.Errorf("a partial alpha health should not match dgraph, got %d findings", len(res.Findings))
}
})
t.Run("a non-alpha instance health is not flagged as dgraph", func(t *testing.T) {
body := `[{"instance":"zero","max_assigned":30002,"lastEcho":1700000000}]`
if res := runDBHTTPModule(t, dgraph, 200, body); len(res.Findings) > 0 {
t.Errorf("a zero-node health should not match dgraph alpha, got %d findings", len(res.Findings))
}
})
t.Run("a plain 200 body is not a leak", func(t *testing.T) {
for _, file := range []string{clickhouse, dgraph} {
if res := runDBHTTPModule(t, file, 200, "ok"); len(res.Findings) > 0 {
t.Errorf("%s: a plain 200 body should not match, got %d findings", file, len(res.Findings))
}
}
})
t.Run("a 403 or 404 is not a leak", func(t *testing.T) {
if res := runDBHTTPModule(t, clickhouse, 403, "Authentication failed"); len(res.Findings) > 0 {
t.Errorf("a 403 clickhouse should not match, got %d findings", len(res.Findings))
}
for _, file := range []string{clickhouse, dgraph} {
if res := runDBHTTPModule(t, file, 404, "not found"); len(res.Findings) > 0 {
t.Errorf("%s: a 404 should not match, got %d findings", file, len(res.Findings))
}
}
})
}