Skip to content

Security hardening patches for dev#3201

Merged
liquidsec merged 7 commits into
devfrom
dev-security-patches-2
Jun 17, 2026
Merged

Security hardening patches for dev#3201
liquidsec merged 7 commits into
devfrom
dev-security-patches-2

Conversation

@liquidsec

Copy link
Copy Markdown
Collaborator

Summary

Cherry-pick of security patches from #3199 (stable) into dev:

  • Fix arbitrary file write in postman_download via path traversal
  • Defense-in-depth hardening for gitdumper and git_clone (safe git flags, path traversal check, empty index on checkout failure for CVE-2025-10283)
  • Defense-in-depth hardening for apkpure (reject unsafe app_id)
  • Restrict pickle.load in preload cache to block arbitrary class instantiation
  • Cap unarchive extracted size at 1 GB with pre-extraction declared-size check and cumulative budget through recursive calls

- gitdumper: validate downloaded file paths stay within repo dir
- gitdumper/git_clone: pass safe config flags to all git commands
  (disable fsmonitor, symlinks, sshCommand; enable fsckObjects)
- apkpure: reject app_id values containing path separators
Write a valid empty git index when checkout fails, preventing
attacker-controlled index entries from surviving.
Restrict preload cache deserialization to block arbitrary class
instantiation. Cap unarchive extracted size at 1 GB.
Pre-check declared uncompressed size from 7z/tar listing before
extracting. Thread a shared byte budget through recursive calls
so nested archives cannot bypass the cap independently.
@ausmaster ausmaster self-requested a review June 17, 2026 03:25
@ausmaster ausmaster added this to the BBOT 3.0 - blazed_elijah milestone Jun 17, 2026
@github-actions

github-actions Bot commented Jun 17, 2026

Copy link
Copy Markdown
Contributor

🚀 Performance Benchmark Report

⚠️ No current benchmark data available

This might be because:

  • Benchmarks failed to run
  • No benchmark tests found
  • Dependencies missing

Also fix tagified postman workspace path in trufflehog test assertions.
@ausmaster ausmaster self-requested a review June 17, 2026 04:24
@codecov

codecov Bot commented Jun 17, 2026

Copy link
Copy Markdown

Codecov Report

❌ Patch coverage is 81.81818% with 16 lines in your changes missing coverage. Please review.
✅ Project coverage is 90%. Comparing base (a74da8a) to head (ca89657).
⚠️ Report is 11 commits behind head on dev.

Files with missing lines Patch % Lines
bbot/modules/internal/unarchive.py 75% 8 Missing ⚠️
bbot/modules/gitdumper.py 82% 3 Missing ⚠️
bbot/modules/apkpure.py 34% 2 Missing ⚠️
bbot/modules/postman_download.py 75% 2 Missing ⚠️
bbot/core/modules.py 75% 1 Missing ⚠️
Additional details and impacted files
@@          Coverage Diff           @@
##             dev   #3201    +/-   ##
======================================
+ Coverage     90%     90%    +1%     
======================================
  Files        453     453            
  Lines      45982   46101   +119     
======================================
+ Hits       41095   41216   +121     
+ Misses      4887    4885     -2     

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

@liquidsec liquidsec merged commit 2c65087 into dev Jun 17, 2026
15 checks passed
@liquidsec liquidsec deleted the dev-security-patches-2 branch June 17, 2026 05:41
@liquidsec liquidsec mentioned this pull request Jul 7, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants