fix(evaders): bound PoW many-small count + annotate lab cert-skips (CodeQL)#33
Merged
Conversation
…odeQL) Clears the open CodeQL highs on evader code (all by-design for tools that run only against Kitsune's own detector + the allow-list): - go/uncontrolled-allocation-size (pow/pow.go): Challenge.Count arrives over JSON and flowed unbounded into make([]string, Count). Add MaxManySmallCount (1024, far above any real friendlycaptcha-style set) and clamp at both Mint and the puzzles() allocation site, so a malformed/hostile count cannot drive an unbounded allocation. Tested (Mint clamps; puzzles() bounds a hand-built count). - go/disabled-certificate-check (azuretls/main.go): annotate both InsecureSkipVerify sites with //nolint:gosec + rationale (lab edge/detector self-signed certs, allow-listed), matching the existing go-tls annotation. The cert-skip is required for the evader to reach the lab's self-signed endpoints — it is not a fixable bug, so the two go/disabled-certificate-check alerts are dismissed by-design on GitHub. pow gofmt/vet clean, tests green at 94.3% (was 92%) via Docker golang:1.26.
datascry
added a commit
that referenced
this pull request
Jul 8, 2026
…ounded) Dependabot #32/#33: golang.org/x/crypto <0.45.0 in os-spoof (indirect, v0.36.0) — the ssh/agent panic and ssh unbounded-memory advisories. Bumped to v0.53.0 (matching the other Go modules); go mod tidy, build green. os-spoof does not use x/crypto/ssh, but the bump clears the transitive alert.
datascry
added a commit
that referenced
this pull request
Jul 8, 2026
…ounded) Dependabot #32/#33: golang.org/x/crypto <0.45.0 in os-spoof (indirect, v0.36.0) — the ssh/agent panic and ssh unbounded-memory advisories. Bumped to v0.53.0 (matching the other Go modules); go mod tidy, build green. os-spoof does not use x/crypto/ssh, but the bump clears the transitive alert.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Clears the open CodeQL high alerts on evader code. All three are in red-team tools that, per the repo's ethics rules, run only against Kitsune's own detector + the
harness/allowlist.pyendpoints — so none are exploitable in the lab's threat model.Changes
go/uncontrolled-allocation-size(evaders/pow/pow.go) —Challenge.Countarrives over JSON and flowed unbounded intomake([]string, Count). AddedMaxManySmallCount(1024, far above any real friendlycaptcha-style set) and clamp at bothMintand thepuzzles()allocation site. Covered by a new test (Mint clamps;puzzles()bounds a hand-built hostile count).go/disabled-certificate-check(evaders/azuretls/main.go) — annotated bothInsecureSkipVerifysites with//nolint:gosec+ rationale (lab edge/detector self-signed certs, allow-listed), matching the existing go-tls annotation. The cert-skip is required for the evader to reach the lab's self-signed endpoints — not a fixable bug — so the twogo/disabled-certificate-checkalerts are dismissed by-design on GitHub.Verification
pow gofmt/vet clean, tests green at 94.3% (was 92%) via Docker golang:1.26.
Out of scope (documented accepted risk, unchanged): the 3
playwrightDependabot alerts (deliberate1.52.0pin) and the ScorecardPinnedDependenciesIDposture nits on evader Dockerfiles.