mirror of
https://github.com/lunchcat/sif.git
synced 2026-07-04 03:45:08 -07:00
6575c2e5f7
a detector accuracy audit surfaced two classes of bug in the framework detectors. bare-brand header false positives: header-only signatures matched a brand name as a substring across every header name and value, so a detector fired on any response that merely referenced the brand (a vendor cdn named in a link or csp value, a cookie sharing the prefix). add an optional Header field to Signature that scopes a header-only match to one named header's value, and apply it (or a structural anchor) per detector: - express: "Express" scoped to x-powered-by, was firing on an express_checkout cookie. - flask: "Werkzeug" scoped to the server header. - symfony: dropped the bare "symfony" word (symfony sets no such header, it fired on symfony.com links); the x-debug-token header is the marker. - shopify: key on the x-shopify response headers instead of the bare "Shopify" word, which fired on a cdn.shopify.com link. - remix: dropped the bare "remix"/"_remix" substrings that fired on a track_remix.mp3 asset; window.__remixContext is the definitive marker. - spring boot: anchor the whitelabel title in its h1 tag context so a tutorial discussing the error does not fire. the gin and fastapi detectors are removed: gin keyed on the "gin-gonic" import-path string (appears in tutorials, never in a real gin response) and fastapi on bare words matching the projects' doc domains. neither framework advertises itself in a response header or a non-prose body marker, so there is no clean passive signal to anchor on. version mis-extraction: drop the low-confidence ".*?" version fallbacks (rails, django, laravel, spring), whose unbounded gap grabbed the first version-shaped number after the framework word and reported an unrelated asset's cache-buster when no real version was present. let isValidVersionString accept a single integer so a bare major such as drupal's "Drupal 10" is no longer rejected as "unknown". each false positive and version bug is covered by a regression test.
39 lines
1.8 KiB
Go
39 lines
1.8 KiB
Go
/*
|
|
·━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━·
|
|
: :
|
|
: █▀ █ █▀▀ · Blazing-fast pentesting suite :
|
|
: ▄█ █ █▀ · BSD 3-Clause License :
|
|
: :
|
|
: (c) 2022-2026 vmfunc, xyzeva, :
|
|
: lunchcat alumni & contributors :
|
|
: :
|
|
·━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━·
|
|
*/
|
|
|
|
package frameworks_test
|
|
|
|
import (
|
|
"testing"
|
|
|
|
frameworks "github.com/vmfunc/sif/internal/scan/frameworks"
|
|
)
|
|
|
|
func TestExtractVersion_NoDecoyMisextraction(t *testing.T) {
|
|
got := frameworks.ExtractVersionOptimized(`<!-- rails app --><link href="/app-7.8.9.css">`, "Ruby on Rails").Version
|
|
if got == "7.8.9" {
|
|
t.Errorf("Rails: mis-extracted decoy asset version %q", got)
|
|
}
|
|
|
|
got = frameworks.ExtractVersionOptimized(`Server: Rails/7.1.3`, "Ruby on Rails").Version
|
|
if got != "7.1.3" {
|
|
t.Errorf("Rails: version = %q, want 7.1.3", got)
|
|
}
|
|
}
|
|
|
|
func TestExtractVersion_SingleInteger(t *testing.T) {
|
|
got := frameworks.ExtractVersionOptimized(`<meta name="Generator" content="Drupal 10 (https://www.drupal.org)">`, "Drupal").Version
|
|
if got != "10" {
|
|
t.Errorf("Drupal: version = %q, want 10", got)
|
|
}
|
|
}
|