Security Export: Issues, Dependabot & CodeScan Alerts#152

Closed
grisuno wants to merge 1 commit into main from security-export

Conversation

@grisuno grisuno commented Jul 1, 2026

Owner

Automated security export generated on 20260630_213240.

This PR adds a snapshot under issues/ with:

  • All GitHub issues (open + closed) as issue_<n>.md
  • Open Dependabot alerts under issues/dependabot/
  • Open Code Scanning alerts under issues/codescan/
  • Index in issues/README.md

Each run replaces this branch (and closes any previous PR using the same head), so only the latest snapshot is open at any time.

Generated by security_issue_progressive.sh.

pantoaibot Bot commented Jul 1, 2026


PR Summary:

Add repository security export: new issues documentation, Dependabot alerts, and CodeQL (CodeScan) alerts under issues/.

  • Added issues/README.md summarizing repository metrics and pointing to individual issue/alert files (4 issues, 3 Dependabot alerts, 10 CodeQL alerts).
  • Added issue tracker pages: issue_16, issue_17, issue_30, issue_84 (all recorded; 16/17/30 closed, 84 closed).
  • Added Dependabot alerts:
    • alert_45 (python-engineio) — CVE-2026-48809; recommends upgrading to python-engineio >= 4.13.2 to fix payload-size DoS.
    • alert_46 (python-engineio) — CVE-2026-48802; recommends 4.13.2 to prevent unbounded thread allocation via heartbeat.
    • alert_47 (python-socketio) — CVE-2026-48804; recommends python-socketio >= 5.16.2 to prevent memory buildup from partial binary attachments.
  • Added CodeQL (codescan) alerts:
    • Three high-severity "bind socket to all network interfaces" errors (alerts 765/766/767) — review socket binding defaults and restrict interfaces/addresses.
    • Multiple warnings for "incomplete URL substring sanitization" (alerts 777–781) — review URL handling/sanitization.
    • Two warnings for "overly-large regular expression range" (alerts 775/776) — tighten regex ranges.
  • No code changes or dependency upgrades applied in this PR; no breaking changes introduced.
  • Recommended actions: review and triage each alert, prioritize upgrading python-engineio and python-socketio to the patched versions, restrict socket bindings, fix URL sanitization and regex patterns.

Reviewed by Panto AI

Comment thread issues/README.md
@@ -0,0 +1,37 @@
# Repository: LazyOwn

**Description:** LazyOwn RedTeam/APT Framework is the first RedTeam Framework with an AI-powered C&C, featuring rootkits to conceal campaigns, undetectable malleable implants compatible with Windows/Linux/Mac OSX, and self-configuring backdoors. With its Web interface and powerful Console Client, it is the best combination for your Autonomous RedTeam/APT campaigns.


[CRITICAL_BUG] The repository description explicitly lists rootkits, malleable implants and self-configuring backdoors. Publishing this text in a public repository risks legal/ethical exposure, automated takedown, and draws attention from security teams and hosting platforms. Remove or sanitize this wording (move to a private tracker or internal documentation), restrict this snapshot to private access, and add an access-control policy before publishing such content.

# Repository: LazyOwn

**Description:** LazyOwn RedTeam/APT Framework provides an AI-powered C&C and related red-team capabilities for Windows, Linux, and macOS. It is intended for authorized security testing, training, and research by qualified professionals operating under appropriate legal agreements. With its Web interface and powerful Console Client, it can support automated red-team and APT-style campaign simulations.

Comment on lines +21 to +22
- The initial background thread (or async task( for heartbeat management is only launched if a client passes authentication in the `connect` handler.
- The server now ensures that there is only one background heatbeat thread (or async task) per client at a given point in time. Out of sequence PONG packets are now discarded when an active heartbeat thread is already running.


[NITPICK] Fix typos and stray punctuation in the patch description: change 'async task(' to 'async task)', 'severs' to 'servers', and 'heatbeat' to 'heartbeat'. Also rephrase the sentences for clarity (e.g. 'The initial background thread (or async task) for heartbeat management is only launched if a client passes authentication in the connect handler.').

### Patches
Version 4.13.2 addresses this issue as follows:

- The initial background thread (or async task) for heartbeat management is only launched if a client passes authentication in the `connect` handler.
- The server now ensures that there is only one background heartbeat thread (or async task) per client at a given point in time. Out-of-sequence PONG packets are now discarded when an active heartbeat thread is already running.

pantoaibot Bot commented Jul 1, 2026


Reviewed up to commit: e5e157e02658039995ce0bf07e7b1bba03b48668

Additional Suggestion
Others - Dependabot alerts describe high-severity DoS vectors in python-engineio / python-socketio (alerts #45-#47). Action: upgrade to the patched versions cited (engineio -> 4.13.2, socketio -> 5.16.2 or later), and harden the server: enforce maximum payload sizes, gate binary attachments behind authentication, ensure underlying WebSocket/ASGI layers enforce limits, and add CI dependency checks to prevent regressions. If you cannot upgrade immediately, mitigate by restricting access and limiting message sizes at transport layer.

# Dependabot Alert #45: python-engineio

- **State:** open
- **Severity:** high
- **CVE:** CVE-2026-48809
- **Created:** 2026-06-29T09:59:20Z
- **URL:** https://github.com/grisuno/LazyOwn/security/dependabot/45

## Summary
python-engineio has possible denial of service due to maximum payload size sometimes not being enforced. Upgrade to version **4.13.2 or later** and enforce transport-level limits.

## Recommended Actions
- **Upgrade:**
  - Bump `python-engineio` to `>=4.13.2`.
  - Bump `python-socketio` to `>=5.16.2`.
- **Server Hardening (application code, not this export repo):**
  - Enforce max payload/body size at the HTTP/ASGI gateway.
  - Configure WebSocket servers (e.g., Aiohttp/Uvicorn) with strict `max_size`/payload limits.
  - Only accept binary packets from authenticated clients.
  - On disconnect, clear any partial binary messages from memory.
- **CI/CD:**
  - Add a dependency policy file (e.g., `requirements-security.txt`) with minimal safe versions.
  - Add a CI job that fails on known vulnerable versions of `python-engineio` / `python-socketio`.

## Description
### Impact
There are two specific configurations of the python-engineio server in which the size of incoming messages is not checked before the messages are loaded into memory. An attacker can take advantage of these to cause unnecessary memory allocations in the python-engineio server. The two cases are:

- POST requests, when using ASGI with the long polling transport
- WebSocket messages, when using Aiohttp with the WebSocket transport

### Patches
Version 4.13.2 addresses this issue as follows:

- ASGI servers now only load the body of incoming requests into memory after the client is confirmed to be known and authenticated, and the payload size is below the maximum allowed size. Requests that do not comply with these requirements are discarded.
- Aiohttp servers configure the maximum payload size in the underlying WebSocket layer from Aiohttp, so that large messages are discarded by Aiohttp before they are delivered to python-engineio.

Reviewed by Panto AI
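The CI dependency check that the alert's "CI/CD" section recommends, as an added example that is not part of this PR or of the LazyOwn project: it scans a requirements file for exact `==` pins of python-engineio and python-socketio, compares them against the patched releases the alert names (4.13.2 and 5.16.2), and exits non-zero when a pin is below the minimum. The sample requirements content is constructed for illustration.

```python
# Added example (not LazyOwn code): fail CI when requirements pin
# python-engineio / python-socketio below the patched releases.
import re
import sys

# Minimum safe versions taken from Dependabot alerts #45-#47 on this page.
MIN_SAFE = {
    "python-engineio": "4.13.2",
    "python-socketio": "5.16.2",
}

# Matches only exact '==' pins; range specifiers are deliberately skipped.
_PIN = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([0-9][0-9.]*)")

def parse_version(text):
    """'4.13.2' -> (4, 13, 2); dotted numeric releases only."""
    return tuple(int(p) for p in text.strip().split("."))

def version_lt(a, b):
    """True when version a is strictly older than b (missing parts count as 0)."""
    va, vb = parse_version(a), parse_version(b)
    width = max(len(va), len(vb))
    return va + (0,) * (width - len(va)) < vb + (0,) * (width - len(vb))

def find_vulnerable_pins(requirements):
    """Return (package, pinned, minimum_safe) for every pin below the minimum.
    Package names are normalised so python_socketio and python-socketio match."""
    findings = []
    for line in requirements.splitlines():
        m = _PIN.match(line)
        if not m:
            continue  # comments, blanks and unpinned lines are ignored
        name = m.group(1).lower().replace("_", "-")
        pinned = m.group(2)
        if name in MIN_SAFE and version_lt(pinned, MIN_SAFE[name]):
            findings.append((name, pinned, MIN_SAFE[name]))
    return findings

# Constructed sample requirements file, not taken from the repository.
SAMPLE_REQUIREMENTS = """\
flask==3.0.3
python-engineio==4.12.0  # below the 4.13.2 fix for CVE-2026-48809/48802
python_socketio==5.16.2  # already at the patched version
"""

if __name__ == "__main__":
    bad = find_vulnerable_pins(SAMPLE_REQUIREMENTS)
    for name, pinned, safe in bad:
        print(f"FAIL: {name}=={pinned} is below patched release {safe}")
    sys.exit(1 if bad else 0)  # non-zero exit makes the CI job fail
```

Pins using range operators (`>=`, `~=`) are intentionally not evaluated here; resolve them to a lock file first so the exact installed version is what gets checked.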

@grisuno grisuno closed this Jul 1, 2026
@grisuno grisuno deleted the security-export branch July 1, 2026 05:23