mirror of
https://github.com/lunchcat/sif.git
synced 2026-07-03 19:34:53 -07:00
cf159ad4a9
modules/recon/svn-exposure.yaml flags an exposed .svn working copy through the wc.db sqlite header anchored at the first byte paired with a working copy table name, so a generic sqlite database is not reported, then extracts the repository url.

modules/recon/mercurial-exposure.yaml flags an exposed .hg repository through the revlog format requirements that the requires file lists, so prose that names mercurial is not reported, then extracts the requirement.

modules/recon/bazaar-exposure.yaml flags an exposed .bzr repository through the Bazaar meta directory signature, so a page that names a bazaar is not reported, then extracts the format.

internal/modules/vcs_metadata_exposure_test.go drives the three modules end to end through ExecuteHTTPModule and asserts the leak alongside the near misses a strict review wants pinned: a generic sqlite database, an unanchored magic, prose naming mercurial, a marketplace page, an html tutorial for the text formats, a plain 200 and a 404.

verify: go test ./internal/modules, each matcher and extractor proven to bite (break -> red, restore -> green).
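
The three signature checks described in the commit message, as an added Go example that is not sif's module code. The function names, the wc.db table names checked, the `revlogv1` token and the sample bodies are assumptions made here.

```go
// Added example, not sif's module code; names and sample bodies are constructed.
package main

import (
	"bytes"
	"fmt"
	"strings"
)

// Every SQLite 3 file starts with this 16-byte header.
var sqliteMagic = []byte("SQLite format 3\x00")

// isSVNWcDB wants the magic at offset 0 plus a wc.db table name (assumed
// set: WCROOT, ACTUAL_NODE), so a generic database or unanchored magic fails.
func isSVNWcDB(status int, body []byte) bool {
	hasTable := bytes.Contains(body, []byte("WCROOT")) || bytes.Contains(body, []byte("ACTUAL_NODE"))
	return status == 200 && bytes.HasPrefix(body, sqliteMagic) && hasTable
}

// hgRequirement returns the revlog requirement from a .hg/requires body.
// Every line must be a bare token, which rejects prose and HTML pages.
func hgRequirement(status int, body string) (string, bool) {
	found := ""
	for _, line := range strings.Split(strings.TrimSpace(body), "\n") {
		line = strings.TrimRight(line, "\r")
		if status != 200 || line == "" || strings.ContainsAny(line, " \t<>") {
			return "", false
		}
		if line == "revlogv1" {
			found = line
		}
	}
	return found, found != ""
}

// isBzrFormat matches the meta directory signature at the start of
// .bzr/branch-format, not the word "bazaar" somewhere in a page.
func isBzrFormat(status int, body string) bool {
	return status == 200 && strings.HasPrefix(body, "Bazaar-NG meta directory, format 1")
}

func main() {
	wc := append(append([]byte{}, sqliteMagic...), "CREATE TABLE WCROOT"...)
	fmt.Println(isSVNWcDB(200, wc))
	fmt.Println(hgRequirement(200, "dotencode\nfncache\nrevlogv1\nstore\n"))
	fmt.Println(isBzrFormat(200, "Bazaar-NG meta directory, format 1\n"))
}
```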