Release v5.15.3 (#107)

* Stabilize WAF detection and fingerprint fallback

* Tune runtime fingerprint detection

* Harden report debug output

* Harden debug and report safety

* Stabilize WAF, fingerprint, and report safety

* Pass Codecov token to reusable Python CI

* Pass Codecov token to reusable Python CI

* ci: add GitHub Actions E2E scan for OpenDoor CLI reports

* Stabilize WAF challenge and cookie handling

* (enhancement) prettify HTML reports make it more intelligible for humans

* Improve debug diagnostics and fingerprint infrastructure

* Document transport flow hardening

* pre-relases 5.15.3 check

* Add stacktrace response sniffer

* (enhancement) expanded passive WAF recognition with block-response signatures for DDoS-GUARD, Tencent Cloud WAF, Google Cloud Armor, SafeLine, Vercel WAF, Wallarm and Wordfence, complementing existing infrastructure fingerprinting where applicable.

* (fix) pause/ resume from keyboard

* pre-release fixes

* Configure CodeQL analysis paths

* Address release security scanner findings

* Fix tolerant HTML closing tag filtering

* Progress shows processed requests, not only reportable findings. With include/exclude filters, auto-calibration or sniffers enabled, many responses can be ignored or shown only as transient debug progress lines.

* Finalize release checks and scanner fixes

* Disable Codecov patch gate

* Fix runtime pause resume prompt normalization

Author: stanislav-web

.codacy.yml

@@ -1,3 +1,4 @@
+---
 exclude_paths:
   - "benchmarks/results/**"
   - "results.sarif"
@@ -7,4 +8,5 @@ exclude_paths:
   - "**/*.pyc"
   - ".coverage"
   - ".DS_Store"
-  - "**/.DS_Store"
+  - "**/.DS_Store"
+  - "tests/**"

.dockerignore

@@ -65,6 +65,8 @@ data/openvpn-profiles/*.conf
 benchmarks
 docs
 tests
+e2e-server.log
+data/test.dat
 
 # Local helper scripts are not needed in runtime image
 scripts

.github/ISSUE_TEMPLATE/bug_report.yml

@@ -122,7 +122,7 @@ body:
       description: What did you expect to happen?
       placeholder: "The scan should..., report should..., output should..."
     validations:
-      required: true
+      required: false
 
   - type: textarea
     id: reproduce
@@ -134,7 +134,7 @@ body:
         2. Run ...
         3. Observe ...
     validations:
-      required: true
+      required: false
 
   - type: textarea
     id: logs

.github/codeql/codeql-config.yml

@@ -0,0 +1,8 @@
+name: "OpenDoor CodeQL config"
+
+paths-ignore:
+  - "tests/**"
+
+query-filters:
+  - exclude:
+      id: py/incomplete-url-substring-sanitization

.github/e2e/server.py

@@ -0,0 +1,55 @@
+"""
+GitHub Actions E2E HTTP server for OpenDoor.
+
+The server exposes deterministic routes so the workflow can verify
+OpenDoor CLI scan behavior, JSON reporting and SARIF reporting.
+"""
+
+from http.server import BaseHTTPRequestHandler, HTTPServer
+
+
+ROUTES: dict[str, tuple[int, str]] = {
+    "/admin": (200, "Admin panel"),
+    "/backup": (200, "Backup index"),
+    "/health": (200, "Health OK"),
+    "/uploads": (200, "Uploads directory"),
+    "/login": (200, "Login page"),
+    "/forbidden": (403, "Forbidden"),
+    "/auth-required": (401, "Unauthorized"),
+    "/redirect": (301, "Moved"),
+}
+
+
+class Handler(BaseHTTPRequestHandler):
+    """Deterministic request handler for OpenDoor E2E."""
+
+    def do_HEAD(self) -> None:
+        self._respond(with_body=False)
+
+    def do_GET(self) -> None:
+        self._respond(with_body=True)
+
+    def _respond(self, with_body: bool = False) -> None:
+        path = self.path.split("?")[0]
+        status, body = ROUTES.get(path, (404, "Not Found"))
+
+        self.send_response(status)
+        self.send_header("Content-Type", "text/plain")
+
+        if status == 301:
+            self.send_header("Location", "https://example.com/")
+
+        self.send_header("Content-Length", str(len(body)))
+        self.end_headers()
+
+        if with_body:
+            self.wfile.write(body.encode("utf-8"))
+
+    def log_message(self, fmt: str, *args: object) -> None:
+        return
+
+
+if __name__ == "__main__":
+    server = HTTPServer(("127.0.0.1", 8088), Handler)
+    print("E2E server listening on http://127.0.0.1:8088", flush=True)
+    server.serve_forever()

.github/e2e/validate.py

@@ -0,0 +1,213 @@
+"""
+Validate OpenDoor GitHub Actions E2E reports against v5.15.2 report shape.
+"""
+
+import json
+import sys
+from pathlib import Path
+
+
+TARGET = "127.0.0.1"
+REPORTS_DIR = Path("./reports") / TARGET
+
+EXPECTED_SUCCESS_PATHS = {
+    "/admin",
+    "/backup",
+    "/health",
+    "/uploads",
+    "/login",
+}
+
+EXPECTED_IGNORED_404_PATHS = {
+    "/nonexistent",
+    "/ghost",
+    "/random-miss",
+    "/doesnotexist",
+}
+
+passed = 0
+failed = 0
+
+
+def assert_true(condition: bool, message: str) -> None:
+    global passed, failed
+
+    if condition:
+        print(f"✅ {message}")
+        passed += 1
+        return
+
+    print(f"❌ {message}", file=sys.stderr)
+    failed += 1
+
+
+def load_json(path: Path) -> dict:
+    with path.open("r", encoding="utf-8") as handler:
+        return json.load(handler)
+
+
+def item_urls(report: dict, bucket: str) -> list[str]:
+    details = report.get("report_items", {}).get(bucket)
+
+    if isinstance(details, list):
+        return [
+            str(item.get("url", ""))
+            for item in details
+            if isinstance(item, dict)
+        ]
+
+    return [
+        str(item)
+        for item in report.get("items", {}).get(bucket, [])
+    ]
+
+
+def item_details(report: dict, bucket: str) -> list[dict]:
+    details = report.get("report_items", {}).get(bucket)
+
+    if isinstance(details, list):
+        return [
+            item
+            for item in details
+            if isinstance(item, dict)
+        ]
+
+    return [
+        {"url": str(item), "code": "-"}
+        for item in report.get("items", {}).get(bucket, [])
+    ]
+
+
+def has_path(urls: list[str], path: str) -> bool:
+    return any(url.endswith(path) or path in url for url in urls)
+
+
+def validate_json_report() -> None:
+    report = load_json(REPORTS_DIR / f"{TARGET}.json")
+    total = report.get("total", {})
+
+    assert_true(total.get("success") == 5, "JSON: success bucket has exactly 5 hits")
+    assert_true(total.get("forbidden") == 1, "JSON: forbidden bucket has exactly 1 hit")
+    assert_true(total.get("auth") == 1, "JSON: auth bucket has exactly 1 hit")
+    assert_true(total.get("redirect") == 1, "JSON: redirect bucket has exactly 1 hit")
+    assert_true(total.get("ignored") == 4, "JSON: ignored bucket has exactly 4 filtered misses")
+
+    success_urls = item_urls(report, "success")
+
+    for path in sorted(EXPECTED_SUCCESS_PATHS):
+        assert_true(has_path(success_urls, path), f"JSON: {path} is in success bucket")
+
+    assert_true(
+        has_path(item_urls(report, "forbidden"), "/forbidden"),
+        "JSON: /forbidden is in forbidden bucket",
+    )
+
+    assert_true(
+        has_path(item_urls(report, "auth"), "/auth-required"),
+        "JSON: /auth-required is in auth bucket",
+    )
+
+    ignored_items = item_details(report, "ignored")
+
+    for path in sorted(EXPECTED_IGNORED_404_PATHS):
+        assert_true(
+            any(
+                has_path([str(item.get("url", ""))], path)
+                and str(item.get("code")) == "404"
+                for item in ignored_items
+            ),
+            f"JSON: {path} is preserved as ignored 404",
+        )
+
+    active_buckets = ("success", "forbidden", "auth", "redirect")
+    active_urls = [
+        url
+        for bucket in active_buckets
+        for url in item_urls(report, bucket)
+    ]
+
+    for path in sorted(EXPECTED_IGNORED_404_PATHS):
+        assert_true(
+            not has_path(active_urls, path),
+            f"JSON: {path} is not in active finding buckets",
+        )
+
+
+def validate_sarif_report() -> None:
+    sarif = load_json(REPORTS_DIR / f"{TARGET}.sarif")
+
+    runs = sarif.get("runs", [])
+    run = runs[0] if runs else {}
+    results = run.get("results", [])
+
+    assert_true(sarif.get("version") == "2.1.0", "SARIF: version is 2.1.0")
+    assert_true(
+        run.get("tool", {}).get("driver", {}).get("name") == "OpenDoor",
+        "SARIF: tool is OpenDoor",
+    )
+
+    def result_matches(rule_id: str, path: str | None = None, code: int | None = None) -> bool:
+        for result in results:
+            if result.get("ruleId") != rule_id:
+                continue
+
+            props = result.get("properties", {})
+            uri = (
+                result.get("locations", [{}])[0]
+                .get("physicalLocation", {})
+                .get("artifactLocation", {})
+                .get("uri", "")
+            )
+
+            if path is not None and path not in str(uri) and path not in str(props.get("url", "")):
+                continue
+
+            if code is not None and props.get("statusCode") != code:
+                continue
+
+            return True
+
+        return False
+
+    for path in sorted(EXPECTED_SUCCESS_PATHS):
+        assert_true(
+            result_matches("opendoor.finding.success", path, 200),
+            f"SARIF: {path} is success/200",
+        )
+
+    assert_true(
+        result_matches("opendoor.finding.forbidden", "/forbidden", 403),
+        "SARIF: /forbidden is forbidden/403",
+    )
+
+    assert_true(
+        result_matches("opendoor.finding.auth", "/auth-required", 401),
+        "SARIF: /auth-required is auth/401",
+    )
+
+    assert_true(
+        result_matches("opendoor.finding.redirect", None, 301),
+        "SARIF: redirect bucket has status 301",
+    )
+
+    for path in sorted(EXPECTED_IGNORED_404_PATHS):
+        assert_true(
+            result_matches("opendoor.finding.ignored", path, 404),
+            f"SARIF: {path} is ignored/404",
+        )
+
+
+def main() -> int:
+    try:
+        validate_json_report()
+        validate_sarif_report()
+    except Exception as error:
+        print(f"💥 Validation error: {error}", file=sys.stderr)
+        return 1
+
+    print(f"\nResults: {passed} passed, {failed} failed")
+    return 1 if failed else 0
+
+
+if __name__ == "__main__":
+    raise SystemExit(main())

.github/e2e/wordlist.txt

@@ -0,0 +1,12 @@
+admin
+backup
+health
+uploads
+login
+forbidden
+auth-required
+redirect
+nonexistent
+ghost
+random-miss
+doesnotexist

.github/pull_request_template.md

@@ -60,23 +60,10 @@
 - [ ] CHANGELOG updated
 - [ ] No documentation change required
 
-## Packaging / runtime assets
-
-<!-- Required for packaging, wheel/sdist, entrypoint, Docker, Homebrew, Debian/Kali, or runtime data changes. -->
-
-- [ ] This PR does not affect packaging or runtime assets
-- [ ] Source distribution was checked
-- [ ] Wheel installation was checked in a clean environment
-- [ ] Runtime assets were verified after installation
-- [ ] Docker image was checked
-- [ ] Linux distribution packaging impact was considered
-
 ## Security and responsible use
 
-- [ ] This PR does not add offensive behavior outside authorized testing workflows
 - [ ] This PR does not commit real tokens, cookies, VPN profiles, credentials, private targets, or scan reports
 - [ ] Security-sensitive details are not exposed in public logs, docs, examples, tests, or screenshots
-- [ ] If this fixes a vulnerability, disclosure details were handled according to `SECURITY.md`
 
 ## Backward compatibility
 

.github/workflows/ci-linux-py313.yml

@@ -16,3 +16,4 @@ jobs:
     with:
       runner: ubuntu-latest
       python-version: "3.13"
+    secrets: inherit

.github/workflows/ci-linux-py314.yml

@@ -16,3 +16,4 @@ jobs:
     with:
       runner: ubuntu-latest
       python-version: "3.14"
+    secrets: inherit