diff --git a/.jules/sentinel.md b/.jules/sentinel.md index 5d0d416..f371625 100644 --- a/.jules/sentinel.md +++ b/.jules/sentinel.md @@ -85,6 +85,11 @@ **Vulnerability:** Attackers could bypass SSRF IP blocklists using SIIT (Stateless IP/ICMP Translation, RFC 2765) addresses. The format `::ffff:0:a.b.c.d` (using the `::ffff:0:0:0/96` prefix) evaluates as `is_global = True` in Python's `ipaddress` module and is NOT caught by the `ipv4_mapped` property. If an attacker passes such an address, the OS networking stack might route it directly to the embedded IPv4 target, bypassing internal security restrictions. **Learning:** Python's `ipaddress` module only natively extracts standard IPv4-mapped addresses (`::ffff:a.b.c.d`), failing to recognize or unwrap SIIT IPv4-translated addresses. **Prevention:** Always manually unwrap SIIT addresses by checking if the high 96 bits of the IPv6 integer match the SIIT prefix (`ip_int >> 32 == 0xffff0000`). If so, extract the underlying 32-bit IPv4 address using bitwise operations (`ip_int & 0xFFFFFFFF`) and validate it against the SSRF blocklist. + +## 2024-06-15 - Privilege Escalation via PATH Interception +**Vulnerability:** The application used `shutil.which('ping')` to locate the `ping` system utility. By default, `which()` searches the standard environment `PATH`. If the application is run in an environment where an attacker can write to a directory that appears early in the `PATH` (such as a local user directory or a compromised shared directory), the attacker could place a malicious executable named `ping` there. The application would then silently execute the attacker's script instead of the legitimate system binary, leading to arbitrary code execution or privilege escalation. +**Learning:** Depending on the environment's default standard `PATH` for resolving system utilities is dangerous if the application can be run with elevated privileges or in shared environments. +**Prevention:** Always enforce secure path resolution for system binaries by explicitly passing a trusted, restricted `path` to lookup functions like `shutil.which` (e.g., `shutil.which('ping', path='/bin:/usr/bin:/sbin:/usr/sbin')`). Never fall back to bare executable names in `subprocess.call` without ensuring an absolute, verified path is used. ## 2025-05-24 - Log Injection (CRLF) in Shared Exception Handlers **Vulnerability:** A Log Injection (CRLF) vulnerability existed in a shared exception handler. While Python's `ipaddress` module natively escapes control characters in its `ValueError` exceptions using `!r` formatting, catching broad exceptions (e.g., `except (ValueError, TypeError, RecursionError):`) and logging the `e` object via f-string interpolation (`f"Error: {e}"`) is dangerous. If a future, unrelated `raise ValueError("malicious\ninput")` is added to the try block, the unescaped control characters would be evaluated by the logger, allowing log spoofing. **Learning:** Shared, broad exception handlers that catch errors from multiple potential sources must assume that the exception payload is untrusted and un-sanitized. Relying on the safe formatting behavior of one specific underlying module (`ipaddress`) is insufficient defense-in-depth. diff --git a/testping1.py b/testping1.py index 5c05cd2..44d7f72 100644 --- a/testping1.py +++ b/testping1.py @@ -23,7 +23,11 @@ # Calling shutil.which() once at module load avoids the overhead of traversing # the system PATH environment variable during every subprocess.call() execution. # This yields a measurable speedup when firing thousands of concurrent pings. -PING_PATH = shutil.which("ping") +# 🛡️ Sentinel: Enforce secure path resolution for system binaries. +# Passing an explicit trusted path prevents local PATH interception attacks, +# where an attacker places a malicious executable in a user-writable directory +# included early in the system PATH. +PING_PATH = shutil.which("ping", path="/bin:/usr/bin:/sbin:/usr/sbin") if not PING_PATH: # 🛡️ Sentinel: Fail securely if the required system binary is missing, rather than # falling back to a relative path ("ping") which could execute a malicious local file.