mirror of
https://github.com/lunchcat/sif.git
synced 2026-07-04 03:45:08 -07:00
94d375fc3b
modules/recon/vscode-sftp-exposure.yaml flags an exposed vscode-sftp config on its tool keys, remotePath and uploadOnSave, then extracts the deploy host. the tool keys keep an unrelated json config that merely carries host and credential fields from matching.

modules/recon/sublime-sftp-exposure.yaml flags an exposed Sublime SFTP config on its snake case keys, upload_on_save and sync_down_on_open, and extracts the deploy host.

modules/recon/ftpconfig-exposure.yaml flags an exposed remote-ftp config on its connection timeout keys, connTimeout and pasvTimeout, and extracts the deploy host.

each module requires a credential field alongside the tool key and rejects an html body, so a login page served on the same path is not a leak and an unrelated json config is not a high severity credential finding.

internal/modules/deploy_config_exposure_test.go drives the three modules end to end through ExecuteHTTPModule and asserts the leak alongside the near misses a strict review wants pinned: an html login page carrying the same keys, a plain json config without the tool keys, a tool config with a host but no credential field and a 404, none of which may match. it also pins a key auth config with no password as a leak the credential matcher must still catch.

verify: go test ./internal/modules, each matcher, guard and extractor proven to bite (break -> red, restore -> green).
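The guard logic this commit message describes, as an added Go example for auditing responses from your own web roots; it is not sif's code or its YAML module format. Assumptions: the names `profile` and `Classify` are hypothetical, the credential field names, the "any one tool key" rule, the HTTP 200 check and the HTML test are illustrative choices, and the sample body is constructed.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// profile lists the keys that identify one deploy tool's config.
// toolKeys come from the commit message; credKeys are assumed field names.
type profile struct{ toolKeys, credKeys []string }

var profiles = map[string]profile{
	"vscode-sftp":  {[]string{"remotePath", "uploadOnSave"}, []string{"password", "privateKeyPath"}},
	"sublime-sftp": {[]string{"upload_on_save", "sync_down_on_open"}, []string{"password", "ssh_key_file"}},
	"remote-ftp":   {[]string{"connTimeout", "pasvTimeout"}, []string{"pass", "privatekey"}},
}

var hostRe = regexp.MustCompile(`"host"\s*:\s*"([^"]+)"`)

// hasKey reports whether body contains any of keys as a quoted JSON key.
func hasKey(body string, keys []string) bool {
	for _, k := range keys {
		if strings.Contains(body, `"`+k+`"`) {
			return true
		}
	}
	return false
}

// Classify returns (host, true) only if all guards pass (200 and HTML checks are assumptions).
func Classify(tool string, status int, body string) (string, bool) {
	p, ok := profiles[tool]
	lower := strings.ToLower(body)
	isHTML := strings.Contains(lower, "<html") || strings.Contains(lower, "<!doctype html")
	if !ok || status != 200 || isHTML || !hasKey(body, p.toolKeys) || !hasKey(body, p.credKeys) {
		return "", false
	}
	if m := hostRe.FindStringSubmatch(body); m != nil {
		return m[1], true
	}
	return "", true // leak without an extractable host
}

func main() {
	// Constructed sample: key-auth config with no password field.
	body := `{"host":"deploy.example.test","privateKeyPath":"~/.ssh/id_ed25519","remotePath":"/var/www","uploadOnSave":true}`
	fmt.Println(Classify("vscode-sftp", 200, body))
}
```

Requiring the tool key and the credential field together is what separates a leaked deploy config from a login page or an unrelated JSON file that happens to carry `host` and `password`.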