Skip to content

Commit b74775d

Browse files
committed
fix(security): redact secrets in evidence and fix finding ID collisions
- Reduced secret value exposure in evidence from 30 to 8 chars - Fixed finding ID collisions across 6 agents (sqli, xss, crawler, secrets, tech, api discover) - All agents now use enumerated counter instead of list.index() - Fixes secondary information disclosure risk
1 parent cf82940 commit b74775d

6 files changed

Lines changed: 15 additions & 15 deletions

File tree

bugfinder/agents/api/discover.py

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -125,8 +125,8 @@ async def execute(self) -> AgentResult:
125125
except Exception:
126126
continue
127127

128-
for f in findings:
129-
f["id"] = f"api-disc-{findings.index(f)}"
128+
for i, f in enumerate(findings):
129+
f["id"] = f"api-disc-{i}"
130130

131131
discovered = len(assets)
132132
secured = sum(1 for a in assets if a["properties"]["status"] in (401, 403))

bugfinder/agents/recon/tech.py

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -113,8 +113,8 @@ async def execute(self) -> AgentResult:
113113
summary=f"Tech detection failed: {e}",
114114
)
115115

116-
for f in findings:
117-
f["id"] = f"tech-finding-{len(findings)}"
116+
for i, f in enumerate(findings):
117+
f["id"] = f"tech-finding-{i}"
118118

119119
tech_names = [t["name"] for t in technologies]
120120
summary = f"Detected {len(technologies)} technologies: {', '.join(tech_names[:5])}"

bugfinder/agents/secrets/scan.py

Lines changed: 5 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -58,14 +58,14 @@ async def execute(self) -> AgentResult:
5858
{
5959
"title": f"Potential Secret Found: {name}",
6060
"description": f"Found potential {name} in {url}. "
61-
"Value starts with: " + value[:20] + "...",
61+
"Value starts with: " + value[:4] + "...",
6262
"severity": severity,
6363
"confidence": "needs_review",
6464
"category": "secret_exposure",
6565
"evidence": {
6666
"url": url,
6767
"pattern": name,
68-
"value_prefix": value[:30],
68+
"value_prefix": value[:8],
6969
"position": match.start(),
7070
},
7171
}
@@ -85,7 +85,7 @@ async def execute(self) -> AgentResult:
8585
"url": url,
8686
"entropy": he["entropy"],
8787
"pattern": he["pattern"],
88-
"value_prefix": he["value"][:30],
88+
"value_prefix": he["value"][:8],
8989
},
9090
}
9191
)
@@ -104,8 +104,8 @@ async def execute(self) -> AgentResult:
104104
high = sum(1 for f in findings if f["severity"] == "high")
105105
summary = f"Found {len(findings)} potential secrets ({critical} critical, {high} high)"
106106

107-
for f in findings:
108-
f["id"] = f"secret-{findings.index(f)}"
107+
for i, f in enumerate(findings):
108+
f["id"] = f"secret-{i}"
109109

110110
return AgentResult(
111111
agent_name=self.name,

bugfinder/agents/web/crawler.py

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -140,8 +140,8 @@ async def execute(self) -> AgentResult:
140140
except Exception:
141141
continue
142142

143-
for f in findings:
144-
f["id"] = f"crawl-finding-{findings.index(f)}"
143+
for i, f in enumerate(findings):
144+
f["id"] = f"crawl-finding-{i}"
145145

146146
statuses = [a["properties"]["status"] for a in discovered_assets]
147147
accessible = sum(1 for s in statuses if s < 400)

bugfinder/agents/web/sqli.py

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -91,8 +91,8 @@ async def execute(self) -> AgentResult:
9191
except Exception:
9292
continue
9393

94-
for f in findings:
95-
f["id"] = f"sqli-{findings.index(f)}"
94+
for i, f in enumerate(findings):
95+
f["id"] = f"sqli-{i}"
9696

9797
summary = f"Tested {len(params)} parameters, {len(findings)} potential SQLi issues"
9898
return AgentResult(

bugfinder/agents/web/xss.py

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -99,8 +99,8 @@ async def execute(self) -> AgentResult:
9999
except Exception:
100100
continue
101101

102-
for f in findings:
103-
f["id"] = f"xss-{findings.index(f)}"
102+
for i, f in enumerate(findings):
103+
f["id"] = f"xss-{i}"
104104

105105
high_count = sum(1 for f in findings if f["severity"] == "high")
106106
summary = f"Tested {len(findings)} XSS vectors, {high_count} potential issues"

0 commit comments

Comments
 (0)