feat(modules): add eureka and spring boot admin exposure modules #263
Open
TBX3D wants to merge 1 commit into
Conversation
add two recon modules detecting anon-by-design service registries that leak the internal service map:

- eureka-registry-exposure (medium): probes /eureka/apps and matches the registry envelope markers apps__hashcode and versions__delta (the EurekaJacksonCodec formats them with a default '_' -> '__' replacement, so they appear verbatim in both the xml and json forms); eureka has no auth, so an open registry discloses every instance's internal hostname, ip and ports and accepts rogue registrations, while a spring-security-secured eureka returns 401; extracts the first instance ip from either form
- spring-boot-admin-exposure (medium): probes /instances and matches the registration/healthUrl/statusInfo shape; the codecentric server ships no security, so an open one discloses every registered app's internal management and health urls (a pivot to their actuators), while a secured one returns 401 or redirects to login; extracts the first internal health url

both modules carry hard-test coverage: eureka is proven on both its xml and json forms, with an N-1 trap (an apps__hashcode-less envelope stays quiet) and a prose trap (a page that merely mentions the word applications stays quiet); sba has an N-1 statusInfo trap; both have 401 secured-instance cases and cross false-positive guards both ways.
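The eureka decision rule described above (envelope markers required as structural keys, N-1 and prose traps stay quiet, 401 means secured, first ipAddr extracted from either form), written out as an added Go example for checking your own registry's responses; this is not code from the PR or the project's modules, the sample bodies are constructed, and ClassifyEureka and envelopeKeys are hypothetical names.

```go
package main

import (
	"encoding/json"
	"regexp"
	"strings"
)

// Constructed sample /eureka/apps bodies (not captured from a real registry).
const (
	SampleJSON  = `{"applications":{"versions__delta":"1","apps__hashcode":"UP_1_","application":[{"name":"ORDERS","instance":[{"hostName":"orders-1.internal","ipAddr":"10.8.1.23","port":{"$":8080}}]}]}}`
	SampleXML   = `<applications><versions__delta>1</versions__delta><apps__hashcode>UP_1_</apps__hashcode><application><name>ORDERS</name><instance><hostName>orders-1.internal</hostName><ipAddr>10.8.1.23</ipAddr></instance></application></applications>`
	SampleN1    = `{"applications":{"versions__delta":"1","application":[]}}`
	SampleProse = `<html><body>This applications page documents apps__hashcode and versions__delta.</body></html>`
)

// First instance ip in either form: <ipAddr>10.0.0.1</ipAddr> or "ipAddr":"10.0.0.1".
var ipRe = regexp.MustCompile(`(?:<ipAddr>\s*|"ipAddr"\s*:\s*")([0-9.]+)`)

// envelopeKeys reports whether both registry markers are present as structural
// keys (JSON) or elements (XML), so a prose page merely naming them stays quiet.
func envelopeKeys(body string) bool {
	var doc struct {
		Applications map[string]json.RawMessage `json:"applications"`
	}
	if json.Unmarshal([]byte(body), &doc) == nil && doc.Applications != nil {
		_, h := doc.Applications["apps__hashcode"]
		_, d := doc.Applications["versions__delta"]
		return h && d
	}
	return strings.Contains(body, "<apps__hashcode>") && strings.Contains(body, "<versions__delta>")
}

// ClassifyEureka applies the module's decision rule to one HTTP response and
// returns a verdict ("open", "secured" or "") plus the first instance ip.
func ClassifyEureka(status int, body string) (verdict, firstIP string) {
	if status == 401 {
		return "secured", "" // spring-security in front of eureka
	}
	if status != 200 || !envelopeKeys(body) {
		return "", "" // N-1 envelope or prose mention: no finding
	}
	if m := ipRe.FindStringSubmatch(body); m != nil {
		firstIP = m[1]
	}
	return "open", firstIP
}
```

An "open" verdict against your own registry means it is answering without authentication and should be put behind spring-security or a network boundary.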
3 files changed (+225 -0)
Codecov Report: all modified and coverable lines are covered by tests.

Coverage Diff (main vs #263; "?" means no base coverage was recorded on main):
Coverage  ?  53.23%
Files     ?  81
Lines     ?  6852
Branches  ?  0
Hits      ?  3648
Misses    ?  2937
Partials  ?  267
modules/recon/eureka-registry-exposure.yaml: flags an exposed netflix eureka registry over /eureka/apps, keyed on the apps__hashcode, versions__delta and applications envelope keys (the codec renders the single _ as __ in both the xml and json forms), then extracts the first instance ip from either form; eureka ships no auth, so the open registry leaks every instance's internal hostname, ip and ports and accepts rogue registrations.

modules/recon/spring-boot-admin-exposure.yaml: flags an exposed spring boot admin server over /instances, keyed on the registration, healthUrl and statusInfo fields, then extracts the first health url; the codecentric server ships no security, so the open registry leaks every app's internal management and health actuator urls (a pivot), and a secured one answers 401 or redirects to login.

build/vet/lint clean, go test ./internal/modules/ green (the two modules end to end via ExecuteHTTPModule, real-hit and near-miss cases).