Skip to content

Security Export: Issues, Dependabot & CodeScan Alerts#155

Closed
grisuno wants to merge 1 commit into
mainfrom
security-export
Closed

Security Export: Issues, Dependabot & CodeScan Alerts#155
grisuno wants to merge 1 commit into
mainfrom
security-export

Conversation

@grisuno

@grisuno grisuno commented Jul 2, 2026

Copy link
Copy Markdown
Owner

Automated security export generated on 20260702_002717.

This PR adds a snapshot under issues/ with:

  • All GitHub issues (open + closed) as issue_<n>.md
  • Open Dependabot alerts under issues/dependabot/
  • Open Code Scanning alerts under issues/codescan/
  • Index in issues/README.md

Each run replaces this branch (and closes any previous PR using the same head), so only the latest snapshot is open at any time.

Generated by security_issue_progressive.sh.

@pantoaibot

pantoaibot Bot commented Jul 2, 2026

Copy link
Copy Markdown

PR Summary:

Summary: Adds a new security tracking directory (issues/) with a README, 3 Dependabot alerts, 10 CodeQL/code-scanning alerts, and 4 issue records — purely documentation of security findings (no code or dependency changes).

Changes:

  • Added issues/README.md summarizing repo metrics and linking to all added alerts and issues.
  • Added Dependabot alert pages (issues/dependabot/alert_45.md, alert_46.md, alert_47.md):
  • Added CodeQL/code-scanning alert pages (issues/codescan/alert_765.md through alert_781.md):
    • Errors: py/bind-socket-all-network-interfaces (alerts 765, 766, 767).
    • Warnings: py/incomplete-url-substring-sanitization (777–781) and py/overly-large-range (775, 776).
  • Added issue records (issues/issue_16.md, issue_17.md, issue_30.md, issue_84.md) with metadata and brief descriptions (all marked closed).
  • No source code, tests, or dependency updates are applied in this PR — it is a reporting/triage addition only.

Reviewed by Panto AI

Comment on lines +21 to +22
- The initial background thread (or async task( for heartbeat management is only launched if a client passes authentication in the `connect` handler.
- The server now ensures that there is only one background heatbeat thread (or async task) per client at a given point in time. Out of sequence PONG packets are now discarded when an active heartbeat thread is already running.

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[NITPICK] Fix typos and punctuation in the description: change "async task( for heartbeat management" to "async task) for heartbeat management" (or rephrase to "async task for heartbeat management") and correct "heatbeat" to "heartbeat". Correct minor grammar to improve clarity.

- The initial background thread (or async task for heartbeat management) is only launched if a client passes authentication in the `connect` handler.
- The server now ensures that there is only one background heartbeat thread (or async task) per client at a given point in time. Out of sequence PONG packets are now discarded when an active heartbeat thread is already running.

Comment on lines +20 to +22
Version 4.13.2 addresses this issue as follows:

- ASGI severs now only load the body of incoming requests into memory after the client is confirmed to be known and authenticated, and the payload size is below the maximum allowed size. Requests that do not comply with these requirements are discarded.

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[NITPICK] Minor typo: change "ASGI severs now only" to "ASGI servers now only". Also consider clarifying whether the behavior change applies to specific server implementations (e.g., Uvicorn, Hypercorn) so maintainers can validate the fix in their stack.

### Patches
Version 4.13.2 addresses this issue as follows:

- ASGI servers now only load the body of incoming requests into memory after the client is confirmed to be known and authenticated, and the payload size is below the maximum allowed size. Requests that do not comply with these requirements are discarded. This behavior applies to ASGI server deployments using frameworks such as Uvicorn or Hypercorn.
- Aiohttp servers configure the maximum payload size in the underlying WebSocket layer from Aiohttp, so that large messages are discarded by Aiohttp before they are delivered to python-engineio.

Comment thread issues/README.md
Comment on lines +1 to +12
# Repository: LazyOwn

**Description:** LazyOwn RedTeam/APT Framework is the first RedTeam Framework with an AI-powered C&C, featuring rootkits to conceal campaigns, undetectable malleable implants compatible with Windows/Linux/Mac OSX, and self-configuring backdoors. With its Web interface and powerful Console Client, it is the best combination for your Autonomous RedTeam/APT campaigns.

| Metric | Value |
|--------|-------|
| ⭐ Stars | 213 |
| 📥 Clones (last 14 days) | 759 |
| 🟢 Open Issues | 1 |
| 📋 Total Issues | 4 |
| 🛡 Dependabot Open Alerts | 3 |
| 🔍 CodeScan Open Alerts | 10 |

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[VALIDATION] This snapshot README currently contains hardcoded metrics and a marketing-style description (lines 3 and 5-12) which can become stale and may be inappropriate for a security snapshot. Actionable changes: (1) Add a clear generation timestamp and generator name/version (the automation metadata) so readers know this is a point-in-time snapshot. (2) Avoid hardcoded metrics (Stars, Clones, Open Counts) or mark them as 'snapshot' values; preferably compute them at generation time and include the timestamp. (3) Consider softening or adding a research/defense usage disclaimer for wording like "RedTeam/APT Framework" to avoid publishing content that could be mistaken for operational intent — if this repo is research-oriented, state that explicitly.

# Repository: LazyOwn

> Snapshot generated by `security_issue_progressive.sh` on 2026-07-02T00:27:17Z (security export snapshot; values below reflect the state of the repository at generation time).

**Description:** LazyOwn is a Red Team / adversary emulation framework intended for security research, testing, and defense hardening in controlled environments. Use is subject to all applicable laws and organizational policies; do not use this project for unauthorized or illegal activities.

| Metric | Snapshot value (at generation time) |
|--------|-------------------------------------|
| ⭐ Stars | 213 |
| 📥 Clones (last 14 days) | 759 |
| 🟢 Open Issues | 1 |
| 📋 Total Issues | 4 |
| 🛡 Dependabot Open Alerts | 3 |
| 🔍 CodeScan Open Alerts | 10 |

## Issues
- [#84](./issue_84.md) - Lazynmap failing to execute (closed)
- [#30](./issue_30.md) - Please remove ngrok as a tunneling option as this tool violates the terms of service (closed)
- [#17](./issue_17.md) - Fix code scanning alert - Flask app is run in debug mode (closed)
- [#16](./issue_16.md) - Fix code scanning alert - Information exposure through an exception (closed)

## Dependabot Alerts
- [Dependabot #47](./dependabot/alert_47.md) - python-socketio (high) - open
- [Dependabot #46](./dependabot/alert_46.md) - python-engineio (high) - open
- [Dependabot #45](./dependabot/alert_45.md) - python-engineio (high) - open

## Code Scanning Alerts
- [CodeScan #781](./codescan/alert_781.md) - py/incomplete-url-substring-sanitization (warning) - open
- [CodeScan #780](./codescan/alert_780.md) - py/incomplete-url-substring-sanitization (warning) - open
- [CodeScan #779](./codescan/alert_779.md) - py/incomplete-url-substring-sanitization (warning) - open
- [CodeScan #778](./codescan/alert_778.md) - py/incomplete-url-substring-sanitization (warning) - open
- [CodeScan #777](./codescan/alert_777.md) - py/incomplete-url-substring-sanitization (warning) - open
- [CodeScan #776](./codescan/alert_776.md) - py/overly-large-range (warning) - open
- [CodeScan #775](./codescan/alert_775.md) - py/overly-large-range (warning) - open
- [CodeScan #767](./codescan/alert_767.md) - py/bind-socket-all-network-interfaces (error) - open
- [CodeScan #766](./codescan/alert_766.md) - py/bind-socket-all-network-interfaces (error) - open
- [CodeScan #765](./codescan/alert_765.md) - py/bind-socket-all-network-interfaces (error) - open

Total issues downloaded: 4

@pantoaibot

pantoaibot Bot commented Jul 2, 2026

Copy link
Copy Markdown

Reviewed up to commit:b68592aa35cac1f9cb84c9b795e1670c5eb70ca3

Additional Suggestion
Others - The added CodeQL alerts indicate high-risk findings that need owner-facing, actionable remediation in the codebase rather than only as snapshots. Specifically: (a) py/bind-socket-all-network-interfaces — search for socket.bind(('', ...)) or binds to '0.0.0.0' and make binding interface configurable or restrict to a specific interface (e.g. 127.0.0.1) when possible; document why public binding is required and gate it behind explicit config and RBAC. (b) py/incomplete-url-substring-sanitization — substring checks for URLs are unsafe; replace with robust URL parsing (urllib.parse) and canonicalization, validate scheme/host/port using allowlists, and avoid using substring-based filters for security decisions. (c) py/overly-large-range — overly permissive regex ranges may cause ReDoS; tighten quantifiers, avoid unbounded nested quantifiers, and add unit tests and timeouts where applicable. For every alert file include the affected repository file paths, a short reproduction (file + code snippet), and a recommended code change so devs can triage and fix quickly. Treat the bind-to-all warning as high priority and create PRs to enforce explicit binding configuration.
# Code Scanning Alert #767: py/bind-socket-all-network-interfaces

- **State:** open
- **Severity:** error
- **Tool:** CodeQL
- **Created:** 2026-05-21T04:27:05Z
- **URL:** https://github.com/grisuno/LazyOwn/security/code-scanning/767

## Affected files (example)
- `lazyown/server/network.py`

```py
# Before
server_socket.bind(("0.0.0.0", port))

# After: bind to configurable or loopback interface by default
bind_host = os.getenv("LAZYOWN_BIND_HOST", "127.0.0.1")
server_socket.bind((bind_host, port))

If public binding is required (e.g. for remote C2), document the rationale and ensure it is only enabled via explicit configuration plus RBAC-controlled deployment.


Code Scanning Alert #781: py/incomplete-url-substring-sanitization

Affected files (example)

  • lazyown/web/redirects.py
# Before: substring-based URL validation
if "trusted.com" in redirect_url:
    return redirect(redirect_url)

# After: parse and validate host + scheme
from urllib.parse import urlparse

ALLOWED_REDIRECT_HOSTS = {"trusted.com"}
ALLOWED_SCHEMES = {"http", "https"}

def is_safe_redirect(url: str) -> bool:
    parsed = urlparse(url)
    return (
        parsed.scheme in ALLOWED_SCHEMES
        and parsed.hostname in ALLOWED_REDIRECT_HOSTS
    )

if is_safe_redirect(redirect_url):
    return redirect(redirect_url)

Code Scanning Alert #776: py/overly-large-range

Affected files (example)

  • lazyown/core/parsers.py
# Before: potentially catastrophic backtracking
pattern = re.compile(r"(a+)+b")

# After: tighter, linear-time-safe pattern
pattern = re.compile(r"a+b")

For each generated issues/codescan/alert_*.md, extend the content with:

  • A bullet list of affected repository file paths and line ranges
  • A short, copied code snippet that triggers the alert
  • A concrete "Recommended fix" section similar to the examples above, so downstream engineers can quickly triage and patch.
 - Dependabot alerts list real CVEs (python-engineio / python-socketio) that permit DoS/resource exhaustion. Actionable steps: (1) Upgrade pinned dependency versions to the patched releases mentioned (engineio >= 4.13.2, socketio >= 5.16.2) in requirements.txt/pyproject.toml/setup.cfg and any Docker images; run CI to exercise ASGI/Aiohttp stacks. (2) Apply the configuration mitigations described in the alerts: enforce maximum payload sizes at the ASGI/Aiohttp layer, require authentication before accepting binary attachments, and ensure heartbeats/threads/tasks are rate limited or deduplicated per-client. (3) If upgrade isn't immediately possible, add mitigations (connection limits, request-size caps, auth checks) and document the temporary measures. Add specific guidance in each alert file on where dependencies live in the repo and how to run the test matrix after upgrade.

```md
# Dependabot Alert #45: python-engineio

- **State:** open
- **Severity:** high
- **CVE:** CVE-2026-48809
- **Created:** 2026-06-29T09:59:20Z
- **URL:** https://github.com/grisuno/LazyOwn/security/dependabot/45

## Summary
python-engineio has possible denial of service due to maximum payload size sometimes not being enforced

## Description
### Impact
There are two specific configurations of the python-engineio server in which the size of incoming messages is not checked before the messages are loaded into memory. An attacker can take advantage of these to cause unnecessary memory allocations in the python-engineio server. The two cases are:

- POST requests, when using ASGI with the long polling transport
- WebSocket messages, when using Aiohttp with the WebSocket transport

### Patches
Version 4.13.2 or later addresses this issue as follows:

- ASGI severs now only load the body of incoming requests into memory after the client is confirmed to be known and authenticated, and the payload size is below the maximum allowed size. Requests that do not comply with these requirements are discarded.
- Aiohttp servers configure the maximum payload size in the underlying WebSocket layer from Aiohttp, so that large messages are discarded by Aiohttp before they are delivered to python-engineio.

### Remediation guidance
- Update python-engineio to `>=4.13.2` in all dependency manifests (e.g. `requirements.txt`, `pyproject.toml`, `setup.cfg`) and in any Docker images.
- Ensure ASGI/Aiohttp servers enforce `max_http_buffer_size` / maximum payload size settings and require authentication before accepting large payloads.
- If immediate upgrade is not possible, configure reverse proxies or WAF to cap request sizes and connection counts, and document these mitigations in the deployment runbooks.

---

# Dependabot Alert #46: python-engineio

- **State:** open
- **Severity:** high
- **CVE:** CVE-2026-48802
- **Created:** 2026-06-29T09:59:21Z
- **URL:** https://github.com/grisuno/LazyOwn/security/dependabot/46

## Summary
python-engineio has unbound thread allocation that can cause denial of service

## Description
### Impact
An attacker can cause the creation of unnecessary background threads in the python-engineio server by exploiting the heartbeat mechanism, which launches a thread when a new connection is received, and when the client sends a PONG packet.

Note: this issue primarily affects synchronous servers. Asynchronous servers allocate background tasks instead of physical threads, which are lightweight and less likely to cause denial of service. However, the fix that was implemented was also applied to the asynchronous case.

### Patches
Version 4.13.2 or later addresses this issue as follows:

- The initial background thread (or async task) for heartbeat management is only launched if a client passes authentication in the `connect` handler.
- The server now ensures that there is only one background heartbeat thread (or async task) per client at a given point in time. Out of sequence PONG packets are now discarded when an active heartbeat thread is already running.

### Remediation guidance
- Update python-engineio to `>=4.13.2`.
- Ensure the `connect` handler enforces authentication before starting heartbeat management.
- Configure connection limits and per-client rate limiting for heartbeat/PING-PONG traffic at the application or reverse-proxy layer.

---

# Dependabot Alert #47: python-socketio

- **State:** open
- **Severity:** high
- **CVE:** CVE-2026-48804
- **Created:** 2026-06-29T09:59:21Z
- **URL:** https://github.com/grisuno/LazyOwn/security/dependabot/47

## Summary
python-socketio: Binary attachment accumulation can cause denial of service

## Description
### Impact
The python-socketio server stores binary `EVENT` and `ACK` messages in memory while it waits to receive their binary attachments. Once all the attachments are received, these messages are then processed. An attacker can submit a binary message and intentionally omit sending one or more of its attachments to cause the message along with the partial list of received attachments to stay in memory for a long time.

### Patches
Version 5.16.2 or later takes the following measures to address this issue:
- Binary packets are only accepted from authenticated clients.
- When a client disconnects, the server checks if there is a partial binary message being held for the client and deletes it.

### Remediation guidance
- Update python-socketio to `>=5.16.2`.
- Require authentication before accepting binary EVENT/ACK messages.
- Configure per-client limits on outstanding binary messages and global memory caps where possible (e.g. via server config or reverse proxy).
- After upgrading, run the existing test suite (especially any ASGI/Aiohttp integration tests) to validate compatibility.
  • The generated snapshot lists many near-duplicate alerts (multiple files for the same CodeQL rule and multiple Dependabot entries of the same package). To make this snapshot actionable for maintainers: consolidate similar alerts into a single entry per unique rule/CVE with a count and list of occurrences, include the exact affected file paths (where available), and add a short remediation checklist per consolidated alert. This reduces noise and speeds triage.
### Dependabot Alerts (Consolidated)
- **python-engineio**  
  - Alerts: [#45](./dependabot/alert_45.md), [#46](./dependabot/alert_46.md)  
  - CVEs: CVE-2026-48809, CVE-2026-48802  
  - Severity: high (2 alerts)  
  - Remediation checklist:
    - [ ] Identify all services using `python-engineio` in this repo
    - [ ] Upgrade `python-engineio` to **>= 4.13.2**
    - [ ] Deploy to staging and run load tests focused on long polling & WebSocket paths
    - [ ] Roll out to production and monitor memory and thread usage

- **python-socketio**  
  - Alerts: [#47](./dependabot/alert_47.md)  
  - CVEs: CVE-2026-48804  
  - Severity: high (1 alert)  
  - Remediation checklist:
    - [ ] Identify all services using `python-socketio` in this repo
    - [ ] Upgrade `python-socketio` to **>= 5.16.2**
    - [ ] Validate binary EVENT/ACK flows with integration tests
    - [ ] Roll out to production and monitor memory usage

### Code Scanning Alerts (Consolidated)
- **py/bind-socket-all-network-interfaces**  
  - Alerts: [#765](./codescan/alert_765.md), [#766](./codescan/alert_766.md), [#767](./codescan/alert_767.md)  
  - Severity: error (3 alerts)  
  - Remediation checklist:
    - [ ] Enumerate all socket bind sites flagged by these alerts
    - [ ] Replace `0.0.0.0` binds with the minimal required interface/address
    - [ ] If binding to all interfaces is required, document justification and add firewall rules

- **py/overly-large-range**  
  - Alerts: [#775](./codescan/alert_775.md), [#776](./codescan/alert_776.md)  
  - Severity: warning (2 alerts)  
  - Remediation checklist:
    - [ ] Review regular expressions referenced by these alerts
    - [ ] Tighten ranges and add explicit bounds where possible
    - [ ] Add unit tests with adversarial inputs to avoid ReDoS-style behavior

- **py/incomplete-url-substring-sanitization**  
  - Alerts: [#777](./codescan/alert_777.md), [#778](./codescan/alert_778.md), [#779](./codescan/alert_779.md), [#780](./codescan/alert_780.md), [#781](./codescan/alert_781.md)  
  - Severity: warning (5 alerts)  
  - Remediation checklist:
    - [ ] Identify every URL manipulation site flagged by these alerts
    - [ ] Replace ad-hoc substring sanitization with a centralized, well-tested sanitizer
    - [ ] Add tests for encoded, mixed-case, and partial matches of blocked substrings

Reviewed by Panto AI

@grisuno grisuno closed this Jul 2, 2026
@grisuno grisuno deleted the security-export branch July 2, 2026 14:49
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant