anti/DECNET
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
28e2a9335554c2a339e5677eba2795f4a4ff81d9
DECNET/decnet
History
anti 28e2a93355 sec(updater): harden tarball extraction and verify sha256 before extract 
Reject symlinks, hardlinks, device nodes and FIFOs in update tarballs;
validate each member's resolved path stays under dest after symlink
resolution; cap uncompressed size at 256 MiB to bound gzip-bomb damage;
strip setuid/setgid bits from extracted modes.

Add an optional sha256 form field to /update and /update-self; the
master client computes and sends it on every push, the executor
refuses to extract on mismatch. mTLS already authenticates the
master, so this is defence-in-depth against in-transit corruption
and gives operators a way to pin "exactly these bytes" for vetted
releases.
2026-04-27 21:14:48 -04:00
..
agent
feat(fleet): systemd unit + bus signal for fleet reconciler
2026-04-26 21:21:36 -04:00
asn
feat(asn): IP→ASN enrichment via iptoasn.com bulk dump
2026-04-25 03:58:58 -04:00
bus
feat(bus): canary token bus topics (placed/triggered/revoked)
2026-04-27 12:43:23 -04:00
canary
feat(canary): kind reflects trip surface per generator
2026-04-27 17:40:37 -04:00
cli
feat(realism): LLM enrichment for user-class file bodies
2026-04-27 16:42:58 -04:00
clustering
test(clustering): full-bound passes through production campaign clusterer
2026-04-26 09:13:59 -04:00
collector
fix(collector): label-based fleet container discovery
2026-04-25 08:11:21 -04:00
correlation
feat(correlation): credential-reuse engine + reuse-correlate worker
2026-04-26 03:37:49 -04:00
engine
feat(deploy): seed canary baseline at deploy time + tests
2026-04-27 13:19:08 -04:00
fleet
feat(fleet): systemd unit + bus signal for fleet reconciler
2026-04-26 21:21:36 -04:00
geoip
feat(attackers): PTR record (reverse DNS) enrichment
2026-04-24 17:26:40 -04:00
intel
refactor(intel): re-key attacker_intel on attacker_uuid (closes DEBT-041)
2026-04-26 05:35:29 -04:00
logging
refactor: strip DECNET tokens from container-visible surface
2026-04-17 22:57:53 -04:00
mutator
fix(topology/allocator): widen default subnet base to /12 for mass-scale
2026-04-24 18:57:55 -04:00
net
feat(net): stealth-egress httpx client factory
2026-04-26 04:59:34 -04:00
orchestrator
feat(realism): operator-tunable planner weights via realism_config
2026-04-27 18:00:08 -04:00
prober
feat(sniffer): ISN sequence classifier (reuses seq_class helper)
2026-04-26 20:30:24 -04:00
profiler
feat(sniffer): ISN sequence classifier (reuses seq_class helper)
2026-04-26 20:30:24 -04:00
realism
feat(realism): operator-tunable planner weights via realism_config
2026-04-27 18:00:08 -04:00
services
feat(creds): DEBT-040 Phase 3 — RDP NLA / CredSSP NTLMv2 capture
2026-04-25 07:42:52 -04:00
sniffer
feat(sniffer): ISN sequence classifier (reuses seq_class helper)
2026-04-26 20:30:24 -04:00
swarm
sec(updater): harden tarball extraction and verify sha256 before extract
2026-04-27 21:14:48 -04:00
templates
feat(templates): standalone NTLMSSP Type 3 parser + decnet-init wrapper
2026-04-27 10:12:30 -04:00
topology
Revert "feat(mazenet): host resolution + cross-host bridge guard"
2026-04-25 03:26:19 -04:00
updater
sec(updater): harden tarball extraction and verify sha256 before extract
2026-04-27 21:14:48 -04:00
vectorstore
feat(creds): cred-reuse foundation + vectorstore scaffold
2026-04-26 03:18:34 -04:00
web
feat(realism): operator-tunable planner weights via realism_config
2026-04-27 18:00:08 -04:00
webhook
fix(webhook/worker): self-heal when bus starts late or restarts
2026-04-24 16:39:38 -04:00
__init__.py
feat(env): run decnet.ini loader at package import; expose DECNET_MODE
2026-04-19 03:17:25 -04:00
archetypes.py
refactor(ssh): consolidate real_ssh into ssh, remove duplication
2026-04-11 19:51:41 -04:00
composer.py
fix(collector): label-based fleet container discovery
2026-04-25 08:11:21 -04:00
config_ini.py
feat(config): promote /etc/decnet/decnet.ini to real config with domain sections
2026-04-23 18:21:00 -04:00
config.py
fix(logging): don't crash the process if the system log can't be opened
2026-04-24 01:00:42 -04:00
custom_service.py
Add per-service customization, stealth hardening, and BYOS support
2026-04-04 04:08:27 -03:00
distros.py
fix: stabilize tests with synchronous DB init and handle Bandit security findings
2026-04-09 01:33:15 -04:00
env.py
fix(api): gate embedded Docker-log collector on DECNET_EMBED_COLLECTOR
2026-04-24 00:47:37 -04:00
ini_loader.py
fix: align tests with model validation and API error reporting
2026-04-13 01:43:52 -04:00
models.py
feat(swarm): DeckyConfig.host_uuid + fix agent log/status field refs
2026-04-18 19:10:25 -04:00
network.py
fix(network): sweep orphan Docker bridges that squat on our subnet
2026-04-20 23:19:42 -04:00
os_fingerprint.py
feat(os_fingerprint): Phase 2 — add icmp_ratelimit + icmp_ratemask sysctls
2026-04-10 16:41:23 -04:00
privdrop.py
fix: chown log files to sudo-invoking user so non-root API can append
2026-04-17 13:39:09 -04:00
telemetry.py
fix: resolve all ruff and bandit lint/security issues
2026-04-16 01:04:57 -04:00