mirror of
https://github.com/BigBodyCobain/Shadowbroker.git
synced 2026-05-27 01:22:27 +02:00
BigBodyCobain
71a9d9e144
PR #227 hardened most Wormhole/Infonet control surfaces behind require_local_operator and made the CrowdThreat fetcher opt-in. An audit of the codebase against that PR's stated goals turned up four classes of gap that the original change missed: 1. Two operator-only endpoints were left unprotected: - POST /api/wormhole/join: calls bootstrap_wormhole_identity() and flips the node into Tor mode, exactly the surface #227 hardened on /api/wormhole/identity/bootstrap. - POST /api/sigint/transmit: relays APRS-IS packets over radio using operator-supplied credentials. Anything that reached the API could transmit on the operator's authority. Both now require_local_operator. test_control_surface_auth.py extended with regression coverage for both. 2. Five third-party fetchers were still default-on, phoning home to politically/commercially sensitive upstreams on every poll cycle: - fimi.py -> euvsdisinfo.eu -> FIMI_ENABLED - prediction_markets -> Polymarket + Kalshi -> PREDICTION_MARKETS_ENABLED - financial.py -> Finnhub / yfinance -> FINANCIAL_ENABLED or FINNHUB_API_KEY - nuforc_enrichment -> huggingface.co -> NUFORC_ENABLED - news.py -> configured RSS feeds -> NEWS_ENABLED (default on, kill switch) Same CrowdThreat-style pattern: explicit env-var opt-in, empty the data slot and mark_fresh when disabled. New regression test file test_third_party_fetchers_opt_in.py asserts each fetcher's network entry point is not called when its gate is off. 3. The outbound User-Agent leaked both the operator's personal email and a fork-specific GitHub URL on every fetcher request. Consolidated to a single DEFAULT_USER_AGENT in network_utils.py, project-generic by default (no contact info), overridable via SHADOWBROKER_USER_AGENT for operators who want to identify themselves (e.g. for Nominatim or weather.gov usage-policy compliance). Six call sites updated; the Nominatim-specific override is preserved. 4. The same generic UA now also flows through the peer prekey lookup in mesh_wormhole_prekey.py, so DM first-contact requests no longer identify the caller as a Shadowbroker fork to the peer being queried. .env.example updated to document all new opt-in env vars. Tests: backend/tests/test_control_surface_auth.py (extended), backend/tests/test_crowdthreat_opt_in.py (unchanged, still passes), backend/tests/test_third_party_fetchers_opt_in.py (new, 7 tests). All 31 tests pass. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
182 lines
7.3 KiB
Python
182 lines
7.3 KiB
Python
import logging
|
|
import json
|
|
import os
|
|
import subprocess
|
|
import shutil
|
|
import time
|
|
import threading
|
|
import requests
|
|
from urllib.parse import urlparse
|
|
from requests.adapters import HTTPAdapter
|
|
from urllib3.util.retry import Retry
|
|
|
|
logger = logging.getLogger(__name__)
|
|
|
|
# Reusable session with connection pooling and retry logic.
|
|
# Only retry once (total=1) to fail fast — the curl fallback is the real safety net.
|
|
_session = requests.Session()
|
|
_retry = Retry(total=1, backoff_factor=0.3, status_forcelist=[502, 503, 504])
|
|
_session.mount("https://", HTTPAdapter(max_retries=_retry, pool_maxsize=20))
|
|
_session.mount("http://", HTTPAdapter(max_retries=_retry, pool_maxsize=10))
|
|
|
|
|
|
# Default outbound User-Agent. Generic by design — does NOT include any
|
|
# personal contact info or a fork-specific repo URL. Operators who run a
|
|
# public-facing relay and want to identify themselves to upstreams (e.g.
|
|
# for Nominatim / weather.gov usage-policy compliance) can override this
|
|
# via the SHADOWBROKER_USER_AGENT env var.
|
|
DEFAULT_USER_AGENT = os.environ.get(
|
|
"SHADOWBROKER_USER_AGENT",
|
|
"ShadowBroker-OSINT/0.9",
|
|
)
|
|
|
|
# Find bash for curl fallback — Git bash's curl has the TLS features
|
|
# needed to pass CDN fingerprint checks (brotli, zstd, libpsl)
|
|
|
|
# Cache domains where requests fails — skip straight to curl for 5 minutes
|
|
_domain_fail_cache: dict[str, float] = {}
|
|
_DOMAIN_FAIL_TTL = 300 # 5 minutes
|
|
|
|
# Circuit breaker: track domains where BOTH requests AND curl fail
|
|
# If a domain failed completely within the last 2 minutes, skip it entirely
|
|
_circuit_breaker: dict[str, float] = {}
|
|
_CIRCUIT_BREAKER_TTL = 120 # 2 minutes
|
|
|
|
# Lock protecting _domain_fail_cache and _circuit_breaker mutations
|
|
_cb_lock = threading.Lock()
|
|
|
|
|
|
class UpstreamCircuitBreakerError(OSError):
|
|
"""Raised when a domain recently failed hard and is temporarily skipped."""
|
|
|
|
|
|
def _env_truthy(name: str) -> bool:
|
|
return str(os.getenv(name, "")).strip().lower() in {"1", "true", "yes", "on"}
|
|
|
|
|
|
def external_curl_fallback_enabled() -> bool:
|
|
"""Return whether the backend may spawn an external curl process."""
|
|
if os.name != "nt":
|
|
return True
|
|
return _env_truthy("SHADOWBROKER_ENABLE_WINDOWS_CURL_FALLBACK")
|
|
|
|
|
|
class _DummyResponse:
|
|
"""Minimal response object matching requests.Response interface."""
|
|
def __init__(self, status_code, text):
|
|
self.status_code = status_code
|
|
self.text = text
|
|
self.content = text.encode('utf-8', errors='replace')
|
|
|
|
def json(self):
|
|
return json.loads(self.text)
|
|
|
|
def raise_for_status(self):
|
|
if self.status_code >= 400:
|
|
raise Exception(f"HTTP {self.status_code}: {self.text[:100]}")
|
|
|
|
|
|
def fetch_with_curl(url, method="GET", json_data=None, timeout=15, headers=None, follow_redirects=False):
|
|
"""Wrapper to bypass aggressive local firewall that blocks Python but permits curl.
|
|
|
|
Falls back to running curl through Git bash, which has the TLS features
|
|
(brotli, zstd, libpsl) needed to pass CDN fingerprint checks that block
|
|
both Python requests and the barebones Windows system curl.
|
|
"""
|
|
default_headers = {
|
|
"User-Agent": DEFAULT_USER_AGENT,
|
|
}
|
|
if headers:
|
|
default_headers.update(headers)
|
|
|
|
domain = urlparse(url).netloc
|
|
|
|
# Circuit breaker: if domain failed completely <2min ago, fail fast
|
|
with _cb_lock:
|
|
if domain in _circuit_breaker and (time.time() - _circuit_breaker[domain]) < _CIRCUIT_BREAKER_TTL:
|
|
raise UpstreamCircuitBreakerError(
|
|
f"Circuit breaker open for {domain} (failed <{_CIRCUIT_BREAKER_TTL}s ago)"
|
|
)
|
|
|
|
# Check if this domain recently failed with requests — skip straight to curl
|
|
with _cb_lock:
|
|
_skip_requests = domain in _domain_fail_cache and (time.time() - _domain_fail_cache[domain]) < _DOMAIN_FAIL_TTL
|
|
if not _skip_requests:
|
|
try:
|
|
# Use a short connect timeout (3s) so firewall blocks fail fast,
|
|
# but allow the full timeout for reading the response body.
|
|
req_timeout = (min(3, timeout), timeout)
|
|
if method == "POST":
|
|
res = _session.post(url, json=json_data, timeout=req_timeout, headers=default_headers)
|
|
else:
|
|
res = _session.get(url, timeout=req_timeout, headers=default_headers)
|
|
if res.status_code == 429:
|
|
logger.warning(f"Upstream rate limit hit for {url}; not bypassing with curl.")
|
|
return res
|
|
res.raise_for_status()
|
|
# Clear failure caches on success
|
|
with _cb_lock:
|
|
_domain_fail_cache.pop(domain, None)
|
|
_circuit_breaker.pop(domain, None)
|
|
return res
|
|
except (requests.RequestException, ConnectionError, TimeoutError, OSError) as e:
|
|
fallback = "falling back to curl" if external_curl_fallback_enabled() else "skipping external curl"
|
|
logger.warning(f"Python requests failed for {url} ({e}), {fallback}...")
|
|
with _cb_lock:
|
|
_domain_fail_cache[domain] = time.time()
|
|
|
|
# Curl fallback — reached from both _skip_requests and requests-exception paths
|
|
if not external_curl_fallback_enabled():
|
|
logger.warning(
|
|
"External curl fallback disabled on Windows for %s; set "
|
|
"SHADOWBROKER_ENABLE_WINDOWS_CURL_FALLBACK=1 to opt in.",
|
|
domain,
|
|
)
|
|
with _cb_lock:
|
|
_circuit_breaker[domain] = time.time()
|
|
return _DummyResponse(500, "")
|
|
|
|
_CURL_PATH = shutil.which("curl") or "curl"
|
|
cmd = [_CURL_PATH, "-s", "-w", "\n%{http_code}"]
|
|
if follow_redirects:
|
|
cmd.append("-L")
|
|
for k, v in default_headers.items():
|
|
cmd += ["-H", f"{k}: {v}"]
|
|
if method == "POST" and json_data:
|
|
cmd += ["-X", "POST", "-H", "Content-Type: application/json",
|
|
"--data-binary", "@-"]
|
|
cmd.append(url)
|
|
|
|
try:
|
|
stdin_data = json.dumps(json_data) if (method == "POST" and json_data) else None
|
|
creationflags = 0
|
|
if os.name == "nt":
|
|
creationflags = (
|
|
getattr(subprocess, "CREATE_NO_WINDOW", 0)
|
|
| getattr(subprocess, "CREATE_NEW_PROCESS_GROUP", 0)
|
|
)
|
|
res = subprocess.run(
|
|
cmd, capture_output=True, text=True, timeout=timeout + 5,
|
|
input=stdin_data, encoding="utf-8", errors="replace",
|
|
creationflags=creationflags,
|
|
)
|
|
if res.returncode == 0 and (res.stdout or "").strip():
|
|
# Parse HTTP status code from -w output (last line)
|
|
lines = res.stdout.rstrip().rsplit("\n", 1)
|
|
body = lines[0] if len(lines) > 1 else res.stdout
|
|
http_code = int(lines[-1]) if len(lines) > 1 and lines[-1].strip().isdigit() else 200
|
|
if http_code < 400:
|
|
with _cb_lock:
|
|
_circuit_breaker.pop(domain, None) # Clear circuit breaker on success
|
|
return _DummyResponse(http_code, body)
|
|
else:
|
|
logger.error(f"curl fallback failed: exit={res.returncode} stderr={res.stderr[:200]}")
|
|
with _cb_lock:
|
|
_circuit_breaker[domain] = time.time()
|
|
return _DummyResponse(500, "")
|
|
except (subprocess.SubprocessError, ConnectionError, TimeoutError, OSError) as curl_e:
|
|
logger.error(f"curl fallback exception: {curl_e}")
|
|
with _cb_lock:
|
|
_circuit_breaker[domain] = time.time()
|
|
return _DummyResponse(500, "")
|