CalvinBackup/Shadowbroker
1
0
Fork 0
mirror of https://github.com/BigBodyCobain/Shadowbroker.git synced 2026-05-27 17:42:29 +02:00
Code Issues Packages Projects Releases Wiki Activity
Files
7f96151e562fd617d94f04c216822261cc9cc8ee
Shadowbroker/.gitignore
T
Shadowbroker 7f96151e56 Fix #231: multi-source SHA-256 verification for the self-updater (#265) 
External audit (@tg12, May 18) found that backend/services/updater.py
silently skipped all SHA-256 integrity verification whenever the
MESH_UPDATE_SHA256 env var was unset — which is the default. Nothing
in any install doc tells operators to set it, so practically every
deployment was running the auto-updater with zero integrity check.
That made GitHub release pipeline compromise a single-step path to
arbitrary code execution on every node that auto-updates.

Investigation surfaced a deeper bug too: the updater downloads
zipball_url (GitHub's auto-generated source archive) but the
maintainer's release process publishes SHA256SUMS.txt for a separate
named asset (ShadowBroker_v*.zip). So even if MESH_UPDATE_SHA256
WERE set, operators had no published digest to compare against — the
file they were downloading wasn't the file the maintainer had signed.

This PR fixes both issues with the same multi-source verification
chain we shipped for the Tor bundle in PR #261:

  backend/services/updater.py
    _download_release() now prefers a maintainer-signed release asset
    matching ShadowBroker_v*.zip over zipball_url. Captures the
    SHA256SUMS.txt asset URL when present.

    _validate_zip_hash() rewritten as a four-source chain:
      1. MESH_UPDATE_SHA256 env var (operator override, preserved)
      2. SHA256SUMS.txt asset published with the release (primary —
         the maintainer's release process already publishes this)
      3. Baked-in backend/data/release_digests.json (second line of
         defense for releases that lack the SHA256SUMS asset, or when
         the asset can't be fetched at update time)
      4. HTTPS-only fallback with a loud warning (preserves the auto-
         update flow during transient outages)

    Mismatch from any source that DID respond is fatal — the update
    is refused and the existing install keeps running. Only the
    "no source reachable at all" case falls back to HTTPS-only.

    _fetch_sha256sums() new — fetches and parses a standard
    SHA256SUMS.txt asset. Handles both "<digest>  <name>" and binary-
    marker "<digest> *<name>" formats. Tolerant to comments, blank
    lines, and malformed entries.

  backend/data/release_digests.json (new)
    Baked-in digest list keyed by release tag. Seeded with the v0.9.79
    entries copied from the published SHA256SUMS.txt:
      ShadowBroker_v0.9.79.zip      = f6877c1d6661...
      ShadowBroker_0.9.79_x64-setup.exe = f7b676ada45c...
      ShadowBroker_0.9.79_x64_en-US.msi = e0713c3cdda1...
    Whitelisted in .gitignore alongside the other static reference
    data files (kiwisdr_directory.json, tor_bundle_digests.json,
    aisstream_spki_pins.json).

  backend/tests/test_update_integrity_chain.py (new, 16 tests)
    - Each source matches → success, identifies which source verified
    - Each source mismatches → RuntimeError "mismatch"
    - No source reachable → https-only fallback with loud warning
    - Env override beats all other sources (preserved precedence)
    - SHA256SUMS.txt parser handles standard, binary-marker, comments,
      and network-failure cases

Validation:
  pytest backend/tests/test_update_integrity_chain.py → 16 passed
  pytest (all 15 security test files together) → 105 passed

UX impact: zero. Normal auto-update flow is unchanged for legitimate
releases (path 2 catches everything because the release publishes
SHA256SUMS.txt). Transient network failures during update gracefully
fall through to path 3 then path 4 — no operator intervention needed.
The only user-visible behavior change is in the compromised-release
case, where the update is now refused instead of silently applied.

Credit: @tg12 for the original bug report and the specific call-out
that MESH_UPDATE_SHA256 was unreachable by default operators.

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-21 01:31:20 -06:00

260 lines
5.4 KiB
Plaintext
Raw Blame History

# shadowbroker .gitignore
# ----------------------
# Dependencies
node_modules/
venv/
env/
.venv/
backend/.venv-dir
backend/venv-repair*/
backend/.venv-repair*/
# Environment Variables & Secrets
.env
.envrc
.env.local
.env.development.local
.env.test.local
.env.production.local
.npmrc
.pypirc
.netrc
*.pem
*.key
*.crt
*.csr
*.p12
*.pfx
id_rsa
id_rsa.*
id_ed25519
id_ed25519.*
known_hosts
authorized_keys
# Python caches & compiled files
__pycache__/
*.py[cod]
*$py.class
*.so
.Python
.ruff_cache/
.pytest_cache/
.mypy_cache/
.hypothesis/
.tox/
# Next.js build output
.next/
out/
build/
*.tsbuildinfo
# Deprecated standalone Infonet Terminal skeleton (migrated into frontend/src/components/InfonetTerminal/)
frontend/infonet-terminal/
# Rust build artifacts (privacy-core)
target/
target-test/
# ========================
# LOCAL-ONLY: extra/ folder
# ========================
# All internal docs, planning files, raw data, backups, and dev scratch
# live here. NEVER commit this folder.
extra/
# ========================
# Application caches & runtime DBs (regenerate on startup)
# ========================
backend/ais_cache.json
backend/carrier_cache.json
backend/cctv.db
cctv.db
*.db
*.sqlite
*.sqlite3
# ========================
# backend/data/ — blanket ignore, whitelist static reference files
# ========================
# Everything in data/ is runtime-generated state (encrypted keys,
# MLS bindings, relay spools, caches) and MUST NOT be committed.
# Only static reference datasets that ship with the repo are whitelisted.
backend/data/*
!backend/data/datacenters.json
!backend/data/datacenters_geocoded.json
!backend/data/military_bases.json
!backend/data/plan_ccg_vessels.json
!backend/data/plane_alert_db.json
!backend/data/power_plants.json
!backend/data/tracked_names.json
!backend/data/yacht_alert_db.json
# Issue #206: bundled KiwiSDR receiver directory used as last-resort
# fallback when rx.linkfanel.net (HTTP-only upstream) is unreachable
# or returns content that fails our integrity validation.
!backend/data/kiwisdr_directory.json
# Issue #201: pinned SHA-256 digests for known Tor Expert Bundle URLs.
# Used as a second verification source when upstream .sha256sum fails.
!backend/data/tor_bundle_digests.json
# Issue #258: SPKI pins for stream.aisstream.io so we can survive upstream
# Let's Encrypt renewal failures without disabling TLS validation entirely.
!backend/data/aisstream_spki_pins.json
# Issue #231: pinned SHA-256 digests for known release archives. Used by
# the self-updater as a second-line integrity check when the release's
# SHA256SUMS.txt asset can't be fetched.
!backend/data/release_digests.json
# OS generated files
.DS_Store
.DS_Store?
._*
.Spotlight-V100
.Trashes
ehthumbs.db
Thumbs.db
# IDEs and Editors
.vscode/
.idea/
*.suo
*.ntvs*
*.njsproj
*.sln
*.sw?
# Vercel / Deployment
.vercel
# ========================
# Temp / scratch / debug files
# ========================
tmp/
*.log
*.tmp
*.bak
*.swp
*.swo
out.txt
out_sys.txt
rss_output.txt
merged.txt
tmp_fast.json
diff.txt
local_diff.txt
map_diff.txt
TERMINAL
# Debug dumps & release artifacts
backend/dump.json
backend/debug_fast.json
backend/nyc_sample.json
backend/nyc_full.json
backend/liveua_test.html
backend/out_liveua.json
backend/out.json
backend/temp.json
backend/seattle_sample.json
backend/sgp_sample.json
backend/wsdot_sample.json
backend/xlsx_analysis.txt
frontend/server_logs*.txt
frontend/cctv.db
frontend/eslint-report.json
*.zip
*.tar.gz
*.xlsx
# Old backups & repo clones
.git_backup/
local-artifacts/
release-secrets/
shadowbroker_repo/
frontend/src/components.bak/
frontend/src/components/map/icons/backups/
# Coverage
coverage/
.coverage
.coverage.*
dist/
# Test scratch files (not in tests/ folder)
backend/test_*.py
backend/services/test_*.py
# Local analysis & dev tools
backend/analyze_xlsx.py
backend/services/ais_cache.json
graphify/
graphify-out/
# ========================
# Internal docs & brainstorming (never commit)
# ========================
docs/*
!docs/mesh/
docs/mesh/*
!docs/mesh/threat-model.md
!docs/mesh/claims-reconciliation.md
!docs/mesh/mesh-canonical-fixtures.json
!docs/mesh/mesh-merkle-fixtures.json
!docs/mesh/wormhole-dm-root-operations-runbook.md
.local-docs/
infonet-economy/
updatestuff.md
ROADMAP.md
UPDATEPROTOCOL.md
CLAUDE.md
DOCKER_SECRETS.md
# Misc dev artifacts
clean_zip.py
zip_repo.py
refactor_cesium.py
jobs.json
# Claude / AI
.claude
.mise.local.toml
.codex-tmp/
prototype/
.runtime/
# ========================
# Runtime state & operator-local data (never commit)
# ========================
# TimeMachine snapshot cache — regenerated at runtime, can be 100 MB+
backend/timemachine/
# Operator witness keys, identity material, transparency ledgers (machine-local)
ops/
# Runtime DM relay state
dm_relay.json
# Dev scratch notes
improvements.txt
# ========================
# Custody verification temp dirs (runtime test artifacts with private keys!)
# ========================
backend/sb-custody-verify-*/
# Python egg-info (build artifact, regenerated by pip install -e)
*.egg-info/
# Privacy-core debug build (Windows DLL, 3.6 MB, not shipped)
privacy-core/debug/
# Desktop-shell export stash dirs (empty temp dirs from Tauri build)
frontend/.desktop-export-stash-*/
# Wormhole logs (can be 30 MB+ each, runtime-generated)
backend/data/wormhole_stderr.log
backend/data/wormhole_stdout.log
# Runtime caches that already slip through the backend/data/* blanket
# (these are caught by the wildcard but listing for clarity)
# Compressed snapshot archives (can be 100 MB+)
*.json.gz
Reference in New Issue View Git Blame Copy Permalink