
fix: address credential logging, cert validation, arg injection, and port race #299

Closed
0xjustBen wants to merge 1 commit into molenzwiebel:master from 0xjustBen:security-fixes


0xjustBen commented May 11, 2026

Closes #297

Changes

Utils.cs

  • Validate downloaded and cached proxy certificate matches deceive-localhost.molenzwiebel.xyz (CN or SAN) before use
  • Discard invalid cached cert and re-fetch rather than silently using a bad one
  • Validate GitHub release html_url starts with https://github.com/ before passing to Process.Start
  • Extract ValidateProxyCertificate() helper

ConfigProxy.cs

  • Remove full client config body from trace output (contained player-specific data and internal endpoints)
  • Remove raw PAS JWT value from trace output
  • Minimise TOCTOU window: release probe TcpListener immediately before WebServer binds rather than before setup begins

StartupHandler.cs

  • Reject riotClientParams containing --client-config-url to prevent proxy bypass via arg injection

Persistence.cs

  • Add DeleteCachedCertificate() used when cached cert fails domain validation

Test plan

  • Launch Deceive normally — proxy cert loads from cache or downloads and validates successfully
  • Verify debug.log no longer contains auth header values or PAS JWT content
  • Confirm riotClientParams with --client-config-url is ignored (logged warning instead)
  • Confirm update prompt still opens correct GitHub release page

…g, and arg parsing

- Validate downloaded proxy certificate matches expected domain before use
- Delete and re-fetch cached certificate if domain validation fails
- Redact Riot auth tokens, entitlement JWTs, and PAS JWTs from debug logs
- Minimise TOCTOU window on config proxy port binding
- Block --client-config-url injection via riotClientParams to prevent proxy bypass
- Validate GitHub release URL starts with https://github.com/ before opening
- Add Persistence.DeleteCachedCertificate() helper for invalid cert cleanup
0xjustBen closed this by deleting the head repository May 15, 2026
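
One way to implement the domain check described under Utils.cs, as an added C# example that is not the PR's code. `ProxyCertCheck`, `IsUsable` and `MakeSample` are hypothetical names, the sample certificates are constructed in-process, and .NET 7 or later is assumed for `X509Certificate2.MatchesHostname`.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class ProxyCertCheck
{
    // Host name taken from the PR description.
    const string ExpectedHost = "deceive-localhost.molenzwiebel.xyz";

    // Hypothetical helper (not the PR's ValidateProxyCertificate()).
    // Assumes .NET 7 or later for X509Certificate2.MatchesHostname.
    public static bool IsUsable(X509Certificate2 cert, DateTime now)
    {
        // NotBefore/NotAfter are local time, so compare against local "now".
        if (now < cert.NotBefore || now > cert.NotAfter)
            return false;
        // Exact-name match: SAN dNSName entries are checked first; the
        // subject CN is consulted only when the certificate has no SAN names.
        return cert.MatchesHostname(ExpectedHost,
            allowWildcards: false, allowCommonName: true);
    }

    // Constructed sample: a self-signed certificate carrying one SAN dNSName.
    static X509Certificate2 MakeSample(string dnsName, int validDays)
    {
        using var key = RSA.Create(2048);
        var req = new CertificateRequest("CN=constructed-sample", key,
            HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        var san = new SubjectAlternativeNameBuilder();
        san.AddDnsName(dnsName);
        req.CertificateExtensions.Add(san.Build());
        var start = DateTimeOffset.UtcNow.AddDays(-10);
        return req.CreateSelfSigned(start, start.AddDays(validDays));
    }

    static void Main()
    {
        using var good = MakeSample(ExpectedHost, 40);
        using var wrongName = MakeSample("other-host.example", 40);
        using var expired = MakeSample(ExpectedHost, 5);
        foreach (var (label, cert) in new[] {
            ("matching SAN", good), ("wrong SAN", wrongName), ("expired", expired) })
        {
            // A rejected cached certificate would be deleted and re-fetched.
            Console.WriteLine($"{label}: usable={IsUsable(cert, DateTime.Now)}");
        }
    }
}
```

All three samples are self-signed, so a passing name check confirms only which host the certificate names, not who issued it.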

Development

Successfully merging this pull request may close these issues.

Security vulnerabilities: credential logging, cert validation bypass, arg injection, TOCTOU port race
