claude/festive-hamilton-80aHi #259
Open
bountyyfi wants to merge 1 commit into
Conversation
- source_map_scanner.rs: grow get_common_source_map_paths with the deterministic output paths for CRA/webpack, Next.js (pages + app router, runtime, server chunks), Nuxt 3, Vite, SvelteKit, Remix, Gatsby, Angular CLI, Vue CLI, Ember, NestJS, Parcel/Rollup/esbuild, plus CSS map and generic public/js fallbacks.
- source_map_scanner.rs: rewrite find_potential_secrets to key off vendor-prefixed / structurally-anchored tokens only — AWS AKIA/ASIA, Google AIza and ya29, GCP service_account JSON, every GitHub token class incl. fine-grained PATs, GitLab PAT, prefixed Slack tokens + hooks webhooks, Stripe live sk/rk, SendGrid, Twilio SK, OpenAI, Anthropic, Hugging Face, npm/PyPI/Docker Hub publishing tokens, DigitalOcean, every Shopify access/secret class, Square tokens, Mailgun/Mailchimp, Discord webhooks + bot tokens, Sentry DSN, Azure storage keys + SAS tokens, DB connection strings with embedded credentials, PEM PRIVATE KEY blocks, Laravel APP_KEY, JWT, and string-literal-anchored Telegram bot tokens. Findings are labelled with [Critical]/[High]/[Medium]/[Low] and deduped; over-long matches are dropped to avoid bundle-runaway noise.
- arcgis_rest.rs: grow ARCGIS_PATHS with alternate Sharing/Portal roots, reverse-proxy context variants, and municipal/utility paths (kartta/kartor/kart/karten, map/maps, mapserver, gisweb, publicgis, external) that host the highest-impact PII datasets in the wild.
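As an added example (not code from this PR or from the project), the following std-only Rust sketch shows the detection approach the description above outlines for find_potential_secrets: a literal vendor prefix, an identifier-boundary check on both sides of the match, a body length window so over-long runs in a minified bundle are dropped rather than reported, dedup of repeated literals, and a severity label per finding. The RULES table, the prefix/length shapes in it, and SAMPLE_BUNDLE are constructed assumptions for illustration, not the scanner's real rule set.

```rust
// Added example, not the project's code: std-only sketch of vendor-prefixed,
// boundary-anchored, length-capped, deduped secret detection. Token shapes
// (prefix + body length) are illustrative assumptions, not the real rules.

#[derive(Debug, Clone, Copy, PartialEq, Eq, PartialOrd, Ord)]
pub enum Severity {
    Critical,
    High,
    Medium,
    Low,
}

impl Severity {
    pub fn label(self) -> &'static str {
        match self {
            Severity::Critical => "[Critical]",
            Severity::High => "[High]",
            Severity::Medium => "[Medium]",
            Severity::Low => "[Low]",
        }
    }
}

/// One token rule: a literal vendor prefix, the byte class the body may use,
/// and the body length window. A body longer than `max_body` is not "a longer
/// secret", it is minified-bundle noise, so the match is dropped outright.
struct Rule {
    name: &'static str,
    prefix: &'static str,
    body_ok: fn(u8) -> bool,
    min_body: usize,
    max_body: usize,
    severity: Severity,
}

fn upper_alnum(c: u8) -> bool {
    c.is_ascii_uppercase() || c.is_ascii_digit()
}
fn alnum(c: u8) -> bool {
    c.is_ascii_alphanumeric()
}
fn alnum_dash(c: u8) -> bool {
    c.is_ascii_alphanumeric() || c == b'-'
}

// Assumed shapes for illustration only.
const RULES: &[Rule] = &[
    Rule { name: "AWS access key ID", prefix: "AKIA", body_ok: upper_alnum, min_body: 16, max_body: 16, severity: Severity::Critical },
    Rule { name: "AWS temporary key ID", prefix: "ASIA", body_ok: upper_alnum, min_body: 16, max_body: 16, severity: Severity::High },
    Rule { name: "GitHub classic PAT", prefix: "ghp_", body_ok: alnum, min_body: 36, max_body: 36, severity: Severity::Critical },
    Rule { name: "Stripe live secret key", prefix: "sk_live_", body_ok: alnum, min_body: 24, max_body: 99, severity: Severity::Critical },
    Rule { name: "Slack bot token", prefix: "xoxb-", body_ok: alnum_dash, min_body: 20, max_body: 80, severity: Severity::High },
];

#[derive(Debug, Clone, PartialEq, Eq)]
pub struct Finding {
    pub severity: Severity,
    pub name: &'static str,
    pub token: String,
}

/// Scan a bundle body. A hit needs (1) the literal prefix, (2) a non-identifier
/// byte on both sides so "xAKIA..." or "AKIA...z" is not a key, and (3) a body
/// drawn entirely from the rule's byte class and inside the length window.
pub fn find_potential_secrets(body: &str) -> Vec<Finding> {
    let bytes = body.as_bytes();
    let mut out: Vec<Finding> = Vec::new();
    for rule in RULES {
        let mut from = 0;
        while let Some(rel) = body[from..].find(rule.prefix) {
            let at = from + rel;
            let body_start = at + rule.prefix.len();
            let mut end = body_start;
            while end < bytes.len() && (rule.body_ok)(bytes[end]) {
                end += 1;
            }
            let left_ok = at == 0 || !bytes[at - 1].is_ascii_alphanumeric();
            let right_ok = end == bytes.len() || !bytes[end].is_ascii_alphanumeric();
            let len = end - body_start;
            if left_ok && right_ok && (rule.min_body..=rule.max_body).contains(&len) {
                let token = body[at..end].to_string();
                // Dedup: the same literal repeated across chunks is one finding.
                if !out.iter().any(|f| f.token == token) {
                    out.push(Finding { severity: rule.severity, name: rule.name, token });
                }
            }
            from = body_start;
        }
    }
    out.sort_by_key(|f| f.severity);
    out
}

/// Severity-labelled report lines with the token tail masked.
pub fn report(findings: &[Finding]) -> Vec<String> {
    findings
        .iter()
        .map(|f| format!("{} {}: {}...", f.severity.label(), f.name, &f.token[..f.token.len().min(8)]))
        .collect()
}

// Constructed sample bundle: AWS's documented placeholder key, a GitHub-shaped
// PAT, a duplicate, a live-shaped Stripe key, a test-mode Stripe key (no rule
// matches it) and an over-long "AKIA" run that the length window drops.
pub const SAMPLE_BUNDLE: &str = concat!(
    "var cfg={aws:\"AKIAIOSFODNN7EXAMPLE\",",
    "gh:\"ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789\",",
    "again:\"AKIAIOSFODNN7EXAMPLE\",",
    "stripe:\"sk_live_4eC39HqLyjWDarjtT1zdp7dc\",",
    "test:\"sk_test_4eC39HqLyjWDarjtT1zdp7dc\",",
    "noise:\"AKIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\"};"
);

fn main() {
    for line in report(&find_potential_secrets(SAMPLE_BUNDLE)) {
        println!("{}", line);
    }
}
```

Run against SAMPLE_BUNDLE this reports three Critical findings (AWS, GitHub, Stripe) and nothing for the duplicate, the test-mode key or the 44-character "AKIA" run; the boundary check also means "prefixAKIAIOSFODNN7EXAMPLE" inside a longer identifier is not reported.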
bountyyfi pushed a commit that referenced this pull request, Apr 18, 2026
Work picks recon-oriented scanners that haven't been edited in the last month and that are not covered by open PRs (#258 sensitive_data/info_disclosure, #259 source_map_scanner/arcgis_rest, #260 cloud_storage/firebase/source_map). All additions are path/query payloads only - detection logic stays strict to keep false-positive rate at zero.

- google_dorking: add high-impact dorks that target full-data leaks instead of noisy XSS/SQLi params - Confluence/Jira/Notion/Asana/Linear shared pages, company-scoped GitHub/Gist/Bitbucket/Gitee credential searches, exposed .env variants (.env.local, .env.production, config.env) and framework config files (appsettings.json, application.yml, web.config, parameters.yml), IaC artifacts (tfstate, tfvars, ansible-vault, inventory.ini), Kubernetes/Docker configs (kubeconfig, docker-compose, Dockerfile, .dockercfg), VCS metadata (.git/.svn/.hg), DB dumps (ext:sql + MySQL/PostgreSQL dump markers), sensitive directory listings, vendor-prefixed token scans (AKIA/ASIA/AIza/ya29/xox[baprs]-/ghp_/gho_/glpat-/sk_live_), PEM private-key blocks, admin/ops dashboard titles (Jenkins, Kibana, Grafana, phpMyAdmin, SonarQube, Rundeck, Argo CD, Portainer, RabbitMQ, MinIO, Consul, Traefik), Spring Boot Actuator leak surfaces (/actuator/env|heapdump|httptrace), GraphQL introspection endpoints, Firebase client configs in frontend, Slack/Discord/Teams webhook URLs, Postman/SwaggerHub public collections, CI job consoles / build logs, public container images, and WordPress wp-config.* backups.
- container_scanner: grow Docker Engine API version probes (v1.42-v1.47) and add Swarm-surface endpoints (/networks, /volumes, /swarm, /nodes, /services, /tasks, /secrets, /configs, /plugins, /system/df); extend Kubernetes API coverage to apps/batch/RBAC/networking/storage groups, kube-system+default secret listings, openapi v2/v3, kubelet surfaces (/pods, /runningpods, /stats/summary, /configz, /exec, /attach, /run, /logs), and add etcd ports (2379/2380) and kube-proxy metrics (10256) to port probes; broaden registry endpoint list with Harbor (/api/v2.0/projects|systeminfo|users), Quay (/api/v1/repository|discovery), Nexus (/service/rest/v1/repositories|status), JFrog Artifactory (/artifactory/api/repositories|system/ping) and GitLab container registry, and extend is_registry_response with strict vendor signatures (harbor_version, x-harbor-version, x-jfrog-version, repokey, packagetype+rclass, kind:repository + is_public+namespace, format+url+type:hosted) to avoid FPs; expand container-secrets path probes with /proc/self/{cgroup,mountinfo}, EKS SA token, /var/lib/{kubelet,docker,etcd}, containerd/crio configs, kubeadm control-plane .conf files, PKI private keys; add strict secret-body signatures for kubeconfig, client-certificate-data, daemon.json insecure-registries, overlay mountinfo, cgroup kubepods/docker/containerd hierarchy, short-hex container hostnames, and EC/OpenSSH private keys.
- openapi_analyzer: extend OPENAPI_PATHS and SWAGGER_UI_PATHS with the deterministic defaults for Springdoc (/v3/api-docs + .yaml + /swagger-config), Springfox (/v2/api-docs), Spring Boot Actuator (/actuator/openapi), Quarkus (/q/openapi, /q/swagger-ui), FastAPI/NestJS/Flask (/openapi, /api-json, /docs-json, /apispec_*.json), ASP.NET / NSwag / older Swashbuckle (/swagger/docs/v1|v2, /swagger/v{1,2}/swagger.yaml, /NSwag/v1.json), .well-known YAML variants, /swagger-resources collection indexes, /graphql/schema(.json), GraphQL playground/GraphiQL/Altair UIs, and common CI-era fallbacks (/api/doc, /api/documentation, /webjars/swagger-ui/index.html, /redoc(.html), /rapidoc/). Swagger UI detection already requires "swagger-ui"|"redoc"|"rapidoc"|"api documentation" in the body, so new paths do not relax precision.

https://claude.ai/code/session_016Bzf4LoGurr3HfaHMU7sJX
bountyyfi pushed a commit that referenced this pull request, Apr 19, 2026
Broaden high-signal path probes and tighten signature-based content validators to find impactful sensitive-data disclosures while avoiding SPA catch-all 200 responses. No new XSS / SQLi logic, no payload work. Targets three modules that weren't covered by open PRs #258/#259/#260 and had not been touched in the last month.

- rails_scanner.rs:
  - check_debug_mode: grow probes (rails/info variants, Action Mailbox conductor + ingress, mailer previews, active_storage) and gate each on a specific content marker.
  - check_environment_exposure: add Rails 5.2+ credential material (config/master.key, config/credentials/*.key, config/credentials.yml.enc, config/secrets.yml.enc), classic YAML configs (cable, storage, newrelic, sidekiq, puma, unicorn), production.rb, dependency + build manifests (Gemfile.lock, Rakefile, Procfile, .ruby-version, .rbenv-gemsets), schema / seeds (db/schema.rb, db/structure.sql, db/seeds.rb), deploy configs, and .bundle/config. master.key validated as exact 32-hex, encrypted creds validated on the iv--payload--auth base64 shape, and every other probe requires a per-file signature hit. SPA HTML bodies are short-circuited.
  - check_log_exposure: grow log paths (staging/test/sidekiq/unicorn/puma/delayed_job/cron/rails).
  - check_asset_exposure: add runtime source maps (packs/js/*.map), .git/HEAD + .git/index (DIRC magic), .svn/entries, .hg/hgrc with per-path content validators.
  - New check_admin_dashboards covering common unauthenticated Rails ops dashboards (Sidekiq Web, Resque, GoodJob, Solid Queue, Mission Control, PgHero, Blazer, Flipper UI, Ahoy, RailsAdmin, ActiveAdmin, Avo, letter_opener, MailCatcher, Errbit, Action Cable), each gated on a framework-specific content signature.
- laravel_security.rs:
  - check_env_exposure: add .env.testing/docker/beta/preview/qa/uat/ci, backup variants, swp/~, and docker-compose*.yml leftovers.
  - check_config_exposure: add bootstrap/cache routes/services/packages/events, filesystems/queue/broadcasting/session/cors/horizon/passport/sanctum/nova/scout/logging/cache/hashing/telescope/view/jwt configs, composer/package/yarn manifests, phpunit + phpcs XML, webpack/vite configs, .editorconfig, and Laravel Passport OAuth private/public key paths. Per-file signature validators (PEM for keys, JSON shape for manifests, XML for phpunit, <?php otherwise); oauth-*.key treated as Critical with CVSS 9.8.
  - check_admin_panels: grow Telescope/Horizon sub-routes with requests/exceptions/logs/queries/cache/mail/notifications and Horizon workload + failed-jobs APIs; add Ignition health-check / execute-solution, Filament, Backpack, Voyager login/admin pages.
- fastapi_scanner.rs:
  - check_docs_exposure: grow endpoint list with namespaced OpenAPI (/api/openapi.json, /api/v1/openapi.json, /api/v2/openapi.json), swagger-ui variants, /api/docs, /api/redoc, /schema(.json). Validators expanded to new endpoints (Swagger UI marker for any path containing swagger; openapi / paths for JSON / YAML / schema).
  - check_internal_endpoints: grow from 12 to 40 probes (livez/readyz, prometheus, actuator root + env/heapdump/configprops, info, version, internal/_internal, admin variants, Go debug/pprof/vars/events, GraphQL altair / voyager / subscriptions, Celery Flower, RQ dashboard, Dash). Replace the single JSON-prefix heuristic with per-endpoint-family signature validators: Prometheus # HELP, HPROF JAVA PROFILE magic, actuator _links/status, pprof index markers, Flower / RQ dashboard strings, GraphQL __schema, admin HTML fingerprints (Django / FastAPI Admin / sqladmin), etc.
  - New check_python_artifacts: probe for Python build / deploy / credential artifacts regularly shipped alongside ASGI apps (pyproject.toml, Pipfile(.lock), poetry.lock, requirements*.txt, setup.py/.cfg, tox.ini, .env variants including /app/.env and /backend/.env, alembic.ini + alembic/env.py + versions dir, celeryconfig, main.py / asgi.py / wsgi.py, Dockerfile, docker-compose*.yml, gunicorn.conf.py, PEM key material, SSH id_rsa, .git/config + HEAD, .gitlab-ci.yml + GH Actions, service-account JSON / firebase-adminsdk.json / credentials.json, SQL dumps with MySQL / Postgres dump headers, sqlite DBs validated on "SQLite format 3" magic, tar.gz validated on gzip magic). Each finding requires a per-artifact content signature and is dropped on HTML SPA shells.

https://claude.ai/code/session_01YcAY7DtrzE5Vq73PEDFo29
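The commit message above keeps repeating one design rule: a 200 is not a finding until the body carries the artifact's own signature, and an HTML document is thrown away before any per-file check runs, because an SPA catch-all answers 200 with index.html for every path. As an added example (not the project's code), here is a std-only Rust validator in that spirit: an HTML short-circuit first, then a per-artifact check keyed on the requested filename (32-hex master.key, three "--"-joined base64 segments for credentials.yml.enc, DIRC for .git/index, "SQLite format 3\0" and gzip magic for dumps, a PEM header for keys). The path-to-validator table and all sample bodies are constructed assumptions for illustration; the order of the base64 segments is deliberately not checked.

```rust
// Added example, not the project's code: SPA-shell short-circuit followed by
// per-artifact signature validation. The validator table is an assumed
// illustration, not the scanner's real checks.

#[derive(Debug, PartialEq, Eq)]
pub enum Verdict {
    Accept(&'static str),
    Reject(&'static str),
}

/// A catch-all SPA returns 200 + its index.html for every path, so any HTML
/// document is rejected before a file-specific validator ever runs.
fn is_html_shell(body: &[u8]) -> bool {
    let head = String::from_utf8_lossy(&body[..body.len().min(512)]).to_ascii_lowercase();
    head.trim_start().starts_with("<!doctype html") || head.contains("<html")
}

fn is_hex(s: &str) -> bool {
    !s.is_empty() && s.bytes().all(|b| b.is_ascii_hexdigit())
}

fn is_base64_segment(s: &str) -> bool {
    !s.is_empty() && s.bytes().all(|b| b.is_ascii_alphanumeric() || matches!(b, b'+' | b'/' | b'='))
}

/// config/master.key: exactly 32 hex characters (trailing newline allowed).
pub fn valid_master_key(text: &str) -> bool {
    let s = text.trim();
    s.len() == 32 && is_hex(s)
}

/// credentials.yml.enc: three "--"-joined base64 segments. Only the shape is
/// checked here; which segment is data, iv or auth tag is not asserted.
pub fn valid_encrypted_credentials(text: &str) -> bool {
    let parts: Vec<&str> = text.trim().split("--").collect();
    parts.len() == 3 && parts.iter().all(|p| is_base64_segment(p))
}

/// Decide whether a probe response is a real disclosure of the named artifact.
pub fn validate_probe(path: &str, status: u16, body: &[u8]) -> Verdict {
    if status != 200 {
        return Verdict::Reject("non-200");
    }
    if is_html_shell(body) {
        return Verdict::Reject("HTML shell (SPA catch-all)");
    }
    let text = String::from_utf8_lossy(body);
    let name = path.rsplit('/').next().unwrap_or(path);
    let ok = |cond: bool, what: &'static str| {
        if cond { Verdict::Accept(what) } else { Verdict::Reject("signature missing") }
    };
    match name {
        "master.key" => ok(valid_master_key(&text), "Rails master.key"),
        "credentials.yml.enc" => ok(valid_encrypted_credentials(&text), "Rails encrypted credentials"),
        "HEAD" if path.contains("/.git/") => ok(
            text.starts_with("ref: refs/") || (text.trim().len() == 40 && is_hex(text.trim())),
            ".git/HEAD",
        ),
        "index" if path.contains("/.git/") => ok(body.starts_with(b"DIRC"), ".git/index (DIRC magic)"),
        n if n.ends_with(".sqlite3") || n.ends_with(".db") => ok(body.starts_with(b"SQLite format 3\0"), "SQLite database"),
        n if n.ends_with(".tar.gz") || n.ends_with(".tgz") => ok(body.starts_with(&[0x1f, 0x8b]), "gzip archive"),
        n if n.ends_with(".pem") || n == "id_rsa" => ok(
            text.contains("-----BEGIN ") && text.contains(" PRIVATE KEY-----"),
            "PEM private key",
        ),
        n if n.starts_with(".env") => ok(
            text.lines().any(|l| l.contains('=') && !l.trim_start().starts_with('#')),
            "dotenv file",
        ),
        _ => Verdict::Reject("no validator for this path"),
    }
}

fn main() {
    // Constructed responses: an SPA shell served for a secret path, then a real key.
    let spa = b"<!DOCTYPE html><html><head><title>app</title></head><body><div id=app></div></body></html>";
    println!("{:?}", validate_probe("/config/master.key", 200, spa));
    println!("{:?}", validate_probe("/config/master.key", 200, b"0123456789abcdef0123456789abcdef\n"));
}
```

The filename dispatch is what keeps precision: a body that happens to contain "SQLite format 3" is only accepted when the probe asked for a database file, and the HTML gate runs first so a framework error page or SPA index never reaches the per-file checks.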