Merge pull request #2995 from blacklanternsecurity/asndb-no-verify

Use asndb verify=False, respect global ssl_verify config

Author: liquidsec

bbot/core/event/helpers.py

@@ -112,7 +112,7 @@ def _sanitize_and_extract_host(self, data):
         """
         return data, None, None
 
-    async def _generate_children(self):
+    async def _generate_children(self, ssl_verify=False):
         return []
 
     def _override_input(self, input):
@@ -294,10 +294,10 @@ def _override_input(self, input):
     # ASNs are essentially just a superset of IP_RANGES.
     # This method resolves the ASN to a list of IP_RANGES using the ASN API, and then adds the cidr string as a child event seed.
     # These will later be automatically resolved to an IP_RANGE event seed and added to the target.
-    async def _generate_children(self):
+    async def _generate_children(self, ssl_verify=False):
         from asndb import ASNDB
 
-        client = ASNDB()
+        client = ASNDB(verify=ssl_verify)
         asn_data = await client.lookup_asn(str(self.data), include_subnets=True)
         children = []
         if asn_data:

bbot/core/helpers/asn.py

@@ -28,7 +28,8 @@ def client(self):
         if self._client is None:
             from asndb import ASNDB
 
-            self._client = ASNDB()
+            ssl_verify = self.parent_helper.web_config.get("ssl_verify", False)
+            self._client = ASNDB(verify=ssl_verify)
         return self._client
 
     def _normalize(self, response):

bbot/scanner/scanner.py

@@ -293,7 +293,8 @@ async def _prep(self):
         creates the scan's output folder, loads its modules, and calls their .setup() methods.
         """
         # expand async seed types (e.g. ASN → IP ranges)
-        await self.preset.target.generate_children()
+        ssl_verify = self.preset.web_config.get("ssl_verify", False)
+        await self.preset.target.generate_children(ssl_verify=ssl_verify)
 
         # evaluate preset conditions (may abort the scan)
         if self.preset.conditions:

bbot/scanner/target.py

@@ -415,7 +415,7 @@ def in_target(self, host):
     def __eq__(self, other):
         return self.hash == other.hash
 
-    async def generate_children(self):
+    async def generate_children(self, ssl_verify=False):
         """
         Generate children for the target, for seed types that expand into other seed types.
         E.g. ASN targets are expanded into their constituent IP ranges.
@@ -426,13 +426,13 @@ async def generate_children(self):
 
         # Expand seeds first
         for event_seed in list(self.seeds.event_seeds):
-            children = await event_seed._generate_children()
+            children = await event_seed._generate_children(ssl_verify=ssl_verify)
             for child in children:
                 self.seeds.add(child)
 
         # Also expand blacklist event seeds (like ASN targets)
         for event_seed in list(self.blacklist.event_seeds):
-            children = await event_seed._generate_children()
+            children = await event_seed._generate_children(ssl_verify=ssl_verify)
             for child in children:
                 self.blacklist.add(child)
 

pyproject.toml

@@ -43,7 +43,7 @@ dependencies = [
     "puremagic>=1.28,<2",
     "pydantic>=2.12.2,<3",
     "radixtarget>=4.0.1,<5",
-    "asndb>=1.0.0",
+    "asndb>=1.0.4",
     "orjson>=3.10.12,<4",
     "ansible-core>=2.17,<3",
     "tldextract>=5.3.0,<6",