Skip to content

fix(evaders): bound PoW many-small count + annotate lab cert-skips (CodeQL)#33

Merged
datascry merged 1 commit into
mainfrom
fix/codeql-evader-hardening
Jun 22, 2026
Merged

fix(evaders): bound PoW many-small count + annotate lab cert-skips (CodeQL)#33
datascry merged 1 commit into
mainfrom
fix/codeql-evader-hardening

Conversation

@datascry

Copy link
Copy Markdown
Owner

Clears the open CodeQL high alerts on evader code. All three are in red-team tools that, per the repo's ethics rules, run only against Kitsune's own detector + the harness/allowlist.py endpoints — so none are exploitable in the lab's threat model.

Changes

  • go/uncontrolled-allocation-size (evaders/pow/pow.go) — Challenge.Count arrives over JSON and flowed unbounded into make([]string, Count). Added MaxManySmallCount (1024, far above any real friendlycaptcha-style set) and clamp at both Mint and the puzzles() allocation site. Covered by a new test (Mint clamps; puzzles() bounds a hand-built hostile count).
  • go/disabled-certificate-check (evaders/azuretls/main.go) — annotated both InsecureSkipVerify sites with //nolint:gosec + rationale (lab edge/detector self-signed certs, allow-listed), matching the existing go-tls annotation. The cert-skip is required for the evader to reach the lab's self-signed endpoints — not a fixable bug — so the two go/disabled-certificate-check alerts are dismissed by-design on GitHub.

Verification

pow gofmt/vet clean, tests green at 94.3% (was 92%) via Docker golang:1.26.

Out of scope (documented accepted risk, unchanged): the 3 playwright Dependabot alerts (deliberate 1.52.0 pin) and the Scorecard PinnedDependenciesID posture nits on evader Dockerfiles.

…odeQL)

Clears the open CodeQL highs on evader code (all by-design for tools that run
only against Kitsune's own detector + the allow-list):

- go/uncontrolled-allocation-size (pow/pow.go): Challenge.Count arrives over JSON
  and flowed unbounded into make([]string, Count). Add MaxManySmallCount (1024,
  far above any real friendlycaptcha-style set) and clamp at both Mint and the
  puzzles() allocation site, so a malformed/hostile count cannot drive an
  unbounded allocation. Tested (Mint clamps; puzzles() bounds a hand-built count).
- go/disabled-certificate-check (azuretls/main.go): annotate both InsecureSkipVerify
  sites with //nolint:gosec + rationale (lab edge/detector self-signed certs,
  allow-listed), matching the existing go-tls annotation. The cert-skip is required
  for the evader to reach the lab's self-signed endpoints — it is not a fixable bug,
  so the two go/disabled-certificate-check alerts are dismissed by-design on GitHub.

pow gofmt/vet clean, tests green at 94.3% (was 92%) via Docker golang:1.26.
Comment thread evaders/azuretls/main.go Dismissed
Comment thread evaders/pow/pow.go Dismissed
@datascry datascry merged commit b6adb1b into main Jun 22, 2026
18 of 19 checks passed
datascry added a commit that referenced this pull request Jul 8, 2026
…ounded)

Dependabot #32/#33: golang.org/x/crypto <0.45.0 in os-spoof (indirect, v0.36.0) — the ssh/agent
panic and ssh unbounded-memory advisories. Bumped to v0.53.0 (matching the other Go modules); go mod
tidy, build green. os-spoof does not use x/crypto/ssh, but the bump clears the transitive alert.
datascry added a commit that referenced this pull request Jul 8, 2026
…ounded)

Dependabot #32/#33: golang.org/x/crypto <0.45.0 in os-spoof (indirect, v0.36.0) — the ssh/agent
panic and ssh unbounded-memory advisories. Bumped to v0.53.0 (matching the other Go modules); go mod
tidy, build green. os-spoof does not use x/crypto/ssh, but the bump clears the transitive alert.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants