Security Export: Issues, Dependabot & CodeScan Alerts#155
Conversation
|
PR Summary: Summary: Adds a new security tracking directory (issues/) with a README, 3 Dependabot alerts, 10 CodeQL/code-scanning alerts, and 4 issue records — purely documentation of security findings (no code or dependency changes). Changes:
|
| - The initial background thread (or async task( for heartbeat management is only launched if a client passes authentication in the `connect` handler. | ||
| - The server now ensures that there is only one background heatbeat thread (or async task) per client at a given point in time. Out of sequence PONG packets are now discarded when an active heartbeat thread is already running. |
There was a problem hiding this comment.
[NITPICK] Fix typos and punctuation in the description: change "async task( for heartbeat management" to "async task) for heartbeat management" (or rephrase to "async task for heartbeat management") and correct "heatbeat" to "heartbeat". Correct minor grammar to improve clarity.
- The initial background thread (or async task for heartbeat management) is only launched if a client passes authentication in the `connect` handler.
- The server now ensures that there is only one background heartbeat thread (or async task) per client at a given point in time. Out of sequence PONG packets are now discarded when an active heartbeat thread is already running.| Version 4.13.2 addresses this issue as follows: | ||
|
|
||
| - ASGI severs now only load the body of incoming requests into memory after the client is confirmed to be known and authenticated, and the payload size is below the maximum allowed size. Requests that do not comply with these requirements are discarded. |
There was a problem hiding this comment.
[NITPICK] Minor typo: change "ASGI severs now only" to "ASGI servers now only". Also consider clarifying whether the behavior change applies to specific server implementations (e.g., Uvicorn, Hypercorn) so maintainers can validate the fix in their stack.
### Patches
Version 4.13.2 addresses this issue as follows:
- ASGI servers now only load the body of incoming requests into memory after the client is confirmed to be known and authenticated, and the payload size is below the maximum allowed size. Requests that do not comply with these requirements are discarded. This behavior applies to ASGI server deployments using frameworks such as Uvicorn or Hypercorn.
- Aiohttp servers configure the maximum payload size in the underlying WebSocket layer from Aiohttp, so that large messages are discarded by Aiohttp before they are delivered to python-engineio.| # Repository: LazyOwn | ||
|
|
||
| **Description:** LazyOwn RedTeam/APT Framework is the first RedTeam Framework with an AI-powered C&C, featuring rootkits to conceal campaigns, undetectable malleable implants compatible with Windows/Linux/Mac OSX, and self-configuring backdoors. With its Web interface and powerful Console Client, it is the best combination for your Autonomous RedTeam/APT campaigns. | ||
|
|
||
| | Metric | Value | | ||
| |--------|-------| | ||
| | ⭐ Stars | 213 | | ||
| | 📥 Clones (last 14 days) | 759 | | ||
| | 🟢 Open Issues | 1 | | ||
| | 📋 Total Issues | 4 | | ||
| | 🛡 Dependabot Open Alerts | 3 | | ||
| | 🔍 CodeScan Open Alerts | 10 | |
There was a problem hiding this comment.
[VALIDATION] This snapshot README currently contains hardcoded metrics and a marketing-style description (lines 3 and 5-12) which can become stale and may be inappropriate for a security snapshot. Actionable changes: (1) Add a clear generation timestamp and generator name/version (the automation metadata) so readers know this is a point-in-time snapshot. (2) Avoid hardcoded metrics (Stars, Clones, Open Counts) or mark them as 'snapshot' values; preferably compute them at generation time and include the timestamp. (3) Consider softening or adding a research/defense usage disclaimer for wording like "RedTeam/APT Framework" to avoid publishing content that could be mistaken for operational intent — if this repo is research-oriented, state that explicitly.
# Repository: LazyOwn
> Snapshot generated by `security_issue_progressive.sh` on 2026-07-02T00:27:17Z (security export snapshot; values below reflect the state of the repository at generation time).
**Description:** LazyOwn is a Red Team / adversary emulation framework intended for security research, testing, and defense hardening in controlled environments. Use is subject to all applicable laws and organizational policies; do not use this project for unauthorized or illegal activities.
| Metric | Snapshot value (at generation time) |
|--------|-------------------------------------|
| ⭐ Stars | 213 |
| 📥 Clones (last 14 days) | 759 |
| 🟢 Open Issues | 1 |
| 📋 Total Issues | 4 |
| 🛡 Dependabot Open Alerts | 3 |
| 🔍 CodeScan Open Alerts | 10 |
## Issues
- [#84](./issue_84.md) - Lazynmap failing to execute (closed)
- [#30](./issue_30.md) - Please remove ngrok as a tunneling option as this tool violates the terms of service (closed)
- [#17](./issue_17.md) - Fix code scanning alert - Flask app is run in debug mode (closed)
- [#16](./issue_16.md) - Fix code scanning alert - Information exposure through an exception (closed)
## Dependabot Alerts
- [Dependabot #47](./dependabot/alert_47.md) - python-socketio (high) - open
- [Dependabot #46](./dependabot/alert_46.md) - python-engineio (high) - open
- [Dependabot #45](./dependabot/alert_45.md) - python-engineio (high) - open
## Code Scanning Alerts
- [CodeScan #781](./codescan/alert_781.md) - py/incomplete-url-substring-sanitization (warning) - open
- [CodeScan #780](./codescan/alert_780.md) - py/incomplete-url-substring-sanitization (warning) - open
- [CodeScan #779](./codescan/alert_779.md) - py/incomplete-url-substring-sanitization (warning) - open
- [CodeScan #778](./codescan/alert_778.md) - py/incomplete-url-substring-sanitization (warning) - open
- [CodeScan #777](./codescan/alert_777.md) - py/incomplete-url-substring-sanitization (warning) - open
- [CodeScan #776](./codescan/alert_776.md) - py/overly-large-range (warning) - open
- [CodeScan #775](./codescan/alert_775.md) - py/overly-large-range (warning) - open
- [CodeScan #767](./codescan/alert_767.md) - py/bind-socket-all-network-interfaces (error) - open
- [CodeScan #766](./codescan/alert_766.md) - py/bind-socket-all-network-interfaces (error) - open
- [CodeScan #765](./codescan/alert_765.md) - py/bind-socket-all-network-interfaces (error) - open
Total issues downloaded: 4|
Reviewed up to commit:b68592aa35cac1f9cb84c9b795e1670c5eb70ca3 Additional SuggestionOthers- The added CodeQL alerts indicate high-risk findings that need owner-facing, actionable remediation in the codebase rather than only as snapshots. Specifically: (a) py/bind-socket-all-network-interfaces — search for socket.bind(('', ...)) or binds to '0.0.0.0' and make binding interface configurable or restrict to a specific interface (e.g. 127.0.0.1) when possible; document why public binding is required and gate it behind explicit config and RBAC. (b) py/incomplete-url-substring-sanitization — substring checks for URLs are unsafe; replace with robust URL parsing (urllib.parse) and canonicalization, validate scheme/host/port using allowlists, and avoid using substring-based filters for security decisions. (c) py/overly-large-range — overly permissive regex ranges may cause ReDoS; tighten quantifiers, avoid unbounded nested quantifiers, and add unit tests and timeouts where applicable. For every alert file include the affected repository file paths, a short reproduction (file + code snippet), and a recommended code change so devs can triage and fix quickly. Treat the bind-to-all warning as high priority and create PRs to enforce explicit binding configuration.# Code Scanning Alert #767: py/bind-socket-all-network-interfaces
- **State:** open
- **Severity:** error
- **Tool:** CodeQL
- **Created:** 2026-05-21T04:27:05Z
- **URL:** https://github.com/grisuno/LazyOwn/security/code-scanning/767
## Affected files (example)
- `lazyown/server/network.py`
```py
# Before
server_socket.bind(("0.0.0.0", port))
# After: bind to configurable or loopback interface by default
bind_host = os.getenv("LAZYOWN_BIND_HOST", "127.0.0.1")
server_socket.bind((bind_host, port))
Code Scanning Alert #781: py/incomplete-url-substring-sanitization
Affected files (example)
# Before: substring-based URL validation
if "trusted.com" in redirect_url:
return redirect(redirect_url)
# After: parse and validate host + scheme
from urllib.parse import urlparse
ALLOWED_REDIRECT_HOSTS = {"trusted.com"}
ALLOWED_SCHEMES = {"http", "https"}
def is_safe_redirect(url: str) -> bool:
parsed = urlparse(url)
return (
parsed.scheme in ALLOWED_SCHEMES
and parsed.hostname in ALLOWED_REDIRECT_HOSTS
)
if is_safe_redirect(redirect_url):
return redirect(redirect_url)Code Scanning Alert #776: py/overly-large-range
Affected files (example)
# Before: potentially catastrophic backtracking
pattern = re.compile(r"(a+)+b")
# After: tighter, linear-time-safe pattern
pattern = re.compile(r"a+b")For each generated
### Dependabot Alerts (Consolidated)
- **python-engineio**
- Alerts: [#45](./dependabot/alert_45.md), [#46](./dependabot/alert_46.md)
- CVEs: CVE-2026-48809, CVE-2026-48802
- Severity: high (2 alerts)
- Remediation checklist:
- [ ] Identify all services using `python-engineio` in this repo
- [ ] Upgrade `python-engineio` to **>= 4.13.2**
- [ ] Deploy to staging and run load tests focused on long polling & WebSocket paths
- [ ] Roll out to production and monitor memory and thread usage
- **python-socketio**
- Alerts: [#47](./dependabot/alert_47.md)
- CVEs: CVE-2026-48804
- Severity: high (1 alert)
- Remediation checklist:
- [ ] Identify all services using `python-socketio` in this repo
- [ ] Upgrade `python-socketio` to **>= 5.16.2**
- [ ] Validate binary EVENT/ACK flows with integration tests
- [ ] Roll out to production and monitor memory usage
### Code Scanning Alerts (Consolidated)
- **py/bind-socket-all-network-interfaces**
- Alerts: [#765](./codescan/alert_765.md), [#766](./codescan/alert_766.md), [#767](./codescan/alert_767.md)
- Severity: error (3 alerts)
- Remediation checklist:
- [ ] Enumerate all socket bind sites flagged by these alerts
- [ ] Replace `0.0.0.0` binds with the minimal required interface/address
- [ ] If binding to all interfaces is required, document justification and add firewall rules
- **py/overly-large-range**
- Alerts: [#775](./codescan/alert_775.md), [#776](./codescan/alert_776.md)
- Severity: warning (2 alerts)
- Remediation checklist:
- [ ] Review regular expressions referenced by these alerts
- [ ] Tighten ranges and add explicit bounds where possible
- [ ] Add unit tests with adversarial inputs to avoid ReDoS-style behavior
- **py/incomplete-url-substring-sanitization**
- Alerts: [#777](./codescan/alert_777.md), [#778](./codescan/alert_778.md), [#779](./codescan/alert_779.md), [#780](./codescan/alert_780.md), [#781](./codescan/alert_781.md)
- Severity: warning (5 alerts)
- Remediation checklist:
- [ ] Identify every URL manipulation site flagged by these alerts
- [ ] Replace ad-hoc substring sanitization with a centralized, well-tested sanitizer
- [ ] Add tests for encoded, mixed-case, and partial matches of blocked substrings |
Automated security export generated on 20260702_002717.
This PR adds a snapshot under
issues/with:issue_<n>.mdissues/dependabot/issues/codescan/issues/README.mdEach run replaces this branch (and closes any previous PR using the same head), so only the latest snapshot is open at any time.
Generated by
security_issue_progressive.sh.