
@liquidsec released this 19 Jun 12:27
· 17 commits to main since this release
f06138f

1.2.0

Major infrastructure overhaul and significant bug fixes for passive detection accuracy.

Breaking Changes

  • blacklist3r CLI tool removed — the standalone blacklist3r example script has been deprecated and deleted. Use the main badsecrets CLI instead.
  • httpx → blasthttp — all HTTP client code migrated from httpx to blasthttp. If you import badsecrets and were relying on httpx transports or response objects, update accordingly.
  • poetry → uv — build system migrated from poetry/poetry-dynamic-versioning to hatchling + uv. Use uv sync / uv run instead of poetry install / poetry run.
  • check_all_modules() now returns a list (the same shape as carve_all_modules()), including IdentifyOnly hits alongside SecretFound results. Callers that expected a single result object must iterate over the list.
  • cookie_identify_only renamed to report_uncracked_cookies on module classes.

New Features

  • Docker support — added Dockerfile and .dockerignore (thanks @vortexau)
  • badsecrets.__version__ — version string now exposed at package level
  • IdentifyOnly results from cookies and manual product mode — cookies and the badsecrets <product> CLI path now fall back to identify() when check_secret() misses, surfacing recognizable crypto products with unknown keys (e.g. Laravel cookies)

Bug Fixes

  • Fix Python 3.13+ test failures: URL-unquote before slicing in PBKDF1/PBKDF2 crypt tests
  • Handle PyJWT 2.13.0 InvalidKeyError during JWT secret detection
  • Fix `A-z` character class typo in rack2, rails, and django identify regexes. The range `[A-z]` spans ASCII 0x41–0x7A, so besides letters it also accepted `[`, `\`, `]`, `^`, `_` and `` ` ``; the classes now use `[A-Za-z]`.
  • Fix Telerik_HashKey.get_hashcat_commands: swapped variables and wrong encoding (was base64-decoding the HMAC message instead of hex-encoding raw bytes)
  • Guard Rack2.get_hashcat_commands against binascii.Error on malformed base64
  • Guard all IdentifyOnly get_hashcat_commands calls with _safe_hashcat wrapper to prevent malformed cookie values from crashing scans
  • Suppress cookie false positives from Shiro, PeopleSoft, LTPA, Flask, and Rails modules (broad base64 regexes were matching ordinary cookies like AWSALB)
  • Tighten identify_regex on loose-base64 modules; deduplicate IdentifyOnly results per module
  • Fix blasthttp body encoding: pass str not bytes
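The regex fixes above (the `[A-z]` range typo and the loose base64 identify patterns that flagged load-balancer cookies such as AWSALB) share one root cause: an identify regex that accepts far more than the product's real cookie shape. The following is an added example, not badsecrets' own code or its actual regexes; the cookie values are constructed, and the Rails signed-cookie shape it checks (`<base64 payload>--<40 hex digits>`) is an assumption made for the illustration.

```python
import re
from urllib.parse import unquote

# Constructed sample cookie values (not captured from a real site, not from the
# badsecrets test suite). The first mimics an opaque load-balancer cookie, the
# second a Rails-style signed cookie whose base64 padding arrived URL-encoded.
AWSALB_LIKE = "oP7k1mQ9zXc2Vb4Nn6Mm8Ll0Kk3Jj5Hh7Gg9Ff1Dd3Ss5Aa7Qq9Ww1Ee3Rr5Tt7Yy9Uu1Ii3Oo5Pp7"
RAILS_LIKE = "BAhJIgp0ZXN0BjoGRUY%3D--" + "0123456789abcdef" * 2 + "01234567"

# A loose "looks like base64" identify regex: it accepts nearly any opaque token,
# which is how ordinary cookies end up reported as crypto products.
LOOSE_BASE64 = re.compile(r"^[A-Za-z0-9+/%=\-]{20,}$")

# The [A-z] range is a classic typo: it covers ASCII 0x41..0x7A, so it also
# accepts [ \ ] ^ _ and ` in addition to letters.
TYPO_CLASS = re.compile(r"^[A-z0-9+/=]+$")
FIXED_CLASS = re.compile(r"^[A-Za-z0-9+/=]+$")

# Tighter, product-specific shape (assumption for this example): a Rails signed
# cookie is "<base64 payload>--<hex HMAC>", with 40 hex digits for HMAC-SHA1.
RAILS_SIGNED = re.compile(r"^[A-Za-z0-9+/]+={0,2}--[0-9a-f]{40}$")


def stray_chars_accepted_by_A_to_z():
    """Characters that [A-z] accepts but [A-Za-z] rejects, in ASCII order."""
    candidates = [chr(c) for c in range(0x41, 0x7B)]
    return [c for c in candidates
            if TYPO_CLASS.fullmatch(c) and not FIXED_CLASS.fullmatch(c)]


def loose_identify(value):
    """The over-broad check: flags any long base64-ish token."""
    return bool(LOOSE_BASE64.match(value))


def identify_rails_like(value):
    """The tightened check. URL-decode first: '=' padding is usually sent as %3D,
    so matching (or slicing) the raw cookie value would miss it."""
    return bool(RAILS_SIGNED.match(unquote(value)))


def triage(cookies):
    """Map cookie name -> (flagged by loose regex, flagged by tightened regex)."""
    return {name: (loose_identify(v), identify_rails_like(v))
            for name, v in cookies.items()}


if __name__ == "__main__":
    print("stray chars in [A-z]:", stray_chars_accepted_by_A_to_z())
    print(triage({"AWSALB": AWSALB_LIKE, "_app_session": RAILS_LIKE}))
```

Running this shows the loose pattern flagging both cookies while the shape-specific pattern flags only the Rails-style one, and that the same Rails-style value is missed entirely if it is not URL-decoded first, which is the same class of bug as the PBKDF test fix above.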

Dependency Updates

  • blasthttp (new) ≥ 0.8.0
  • pycryptodome ≥ 3.23.0
  • PyJWT ≥ 2.13.0
  • yara-python ≥ 4.5.4
  • idna 3.11 → 3.15
  • django ≥ 5.2.15
  • Various dev dependency bumps (pytest-cov, pytest-asyncio, pytest-mock, respx, dulwich)

Full Changelog: 1.1.0...1.2.0