mirror of
https://github.com/lunchcat/sif.git
synced 2026-07-04 03:45:08 -07:00
d7d669e300
probe /actuator and the env, health and metrics endpoints for an
exposed actuator, which leaks environment variables, config and
runtime internals. sif already fingerprints spring boot as a framework
but never checks whether its actuator endpoints are left open.
the matchers key on structural shapes rather than bare tokens: the env
propertySources array, a hal index whose links resolve under /actuator,
detailed health components, and jvm metric names. a bare {"status":"UP"}
health check, a generic hateoas api and prose mentions do not match.
a custom management base-path (actuator moved off /actuator) and spring
boot 1.x root endpoints are not covered.
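As an added illustration of the structural matching described in the commit message (this is example code written for this page, not code from the sif repository or from the commit above), the Go function below classifies a JSON response body into one of the four actuator shapes: an `env` document with a `propertySources` array, a HAL index whose `_links` hrefs all resolve under `/actuator`, a `health` document with a `components` map, and a `metrics` document whose `names` array carries `jvm.*` entries. The sample bodies are constructed, the hostnames in them are placeholders, and the bare `{"status":"UP"}` and generic HATEOAS cases show the negatives the matchers are meant to reject. The hard-coded `/actuator` check in the index matcher is also why a custom management base-path would fall through, matching the limitation the commit notes.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// ActuatorMatch names which actuator endpoint shape a body matched, if any.
type ActuatorMatch string

const (
	MatchNone    ActuatorMatch = ""
	MatchEnv     ActuatorMatch = "env"
	MatchIndex   ActuatorMatch = "index"
	MatchHealth  ActuatorMatch = "health"
	MatchMetrics ActuatorMatch = "metrics"
)

// Constructed sample responses for demonstration; not captured from any real host.
const (
	SampleEnv     = `{"activeProfiles":[],"propertySources":[{"name":"systemEnvironment","properties":{"JAVA_HOME":{"value":"/usr/lib/jvm"}}}]}`
	SampleIndex   = `{"_links":{"self":{"href":"http://127.0.0.1:8080/actuator"},"health":{"href":"http://127.0.0.1:8080/actuator/health"},"env":{"href":"http://127.0.0.1:8080/actuator/env"}}}`
	SampleHealth  = `{"status":"UP","components":{"db":{"status":"UP","details":{"database":"H2"}},"diskSpace":{"status":"UP"}}}`
	SampleMetrics = `{"names":["jvm.memory.used","jvm.threads.live","http.server.requests"]}`
	SampleBareUp  = `{"status":"UP"}`
	SampleHAL     = `{"_links":{"self":{"href":"http://127.0.0.1:8080/api/orders"},"next":{"href":"http://127.0.0.1:8080/api/orders?page=2"}}}`
)

// ClassifyActuatorBody keys on document structure rather than bare tokens, so a
// plain {"status":"UP"} or a HAL API unrelated to the actuator returns MatchNone.
func ClassifyActuatorBody(body []byte) ActuatorMatch {
	var doc map[string]json.RawMessage
	if err := json.Unmarshal(body, &doc); err != nil {
		return MatchNone
	}
	// env: a propertySources array whose entries have a name and a properties map.
	if raw, ok := doc["propertySources"]; ok {
		var sources []struct {
			Name       string                     `json:"name"`
			Properties map[string]json.RawMessage `json:"properties"`
		}
		if json.Unmarshal(raw, &sources) == nil && len(sources) > 0 && sources[0].Name != "" {
			return MatchEnv
		}
	}
	// index: a HAL _links map in which every href resolves under /actuator.
	if raw, ok := doc["_links"]; ok {
		var links map[string]struct {
			Href string `json:"href"`
		}
		if json.Unmarshal(raw, &links) == nil && len(links) > 0 {
			under := 0
			for _, l := range links {
				if strings.Contains(l.Href, "/actuator") {
					under++
				}
			}
			if under == len(links) {
				return MatchIndex
			}
		}
	}
	// health: a components map of per-component objects, not just a top-level status.
	if raw, ok := doc["components"]; ok {
		var comps map[string]map[string]json.RawMessage
		if json.Unmarshal(raw, &comps) == nil && len(comps) > 0 {
			return MatchHealth
		}
	}
	// metrics: a names array that lists at least one jvm.* metric.
	if raw, ok := doc["names"]; ok {
		var names []string
		if json.Unmarshal(raw, &names) == nil {
			for _, n := range names {
				if strings.HasPrefix(n, "jvm.") {
					return MatchMetrics
				}
			}
		}
	}
	return MatchNone
}

func main() {
	samples := []struct{ label, body string }{
		{"env", SampleEnv}, {"index", SampleIndex}, {"health", SampleHealth},
		{"metrics", SampleMetrics}, {"bare-up", SampleBareUp}, {"generic-hal", SampleHAL},
	}
	for _, s := range samples {
		fmt.Printf("%-12s -> %q\n", s.label, ClassifyActuatorBody([]byte(s.body)))
	}
}
```

Each shape is tried in turn and the first structural hit wins; a body that has none of the four shapes, or whose `_links` point outside `/actuator`, falls through to `MatchNone`.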