Pierre-Olivier Mercier
086d3e151d
All checks were successful
continuous-integration/drone/push Build is passing
Probes 20 known-bad paths (/.env, /.git/config, /actuator/env, etc.) that CT-log scanners hit immediately after a new certificate is issued. Critical credential/source-leak paths raise StatusCrit; other exposed paths raise StatusWarn; 401/403 responses raise StatusInfo. Fixes: #1
92 lines
3.1 KiB
Go
92 lines
3.1 KiB
Go
// This file is part of the happyDomain (R) project.
|
|
// Copyright (c) 2020-2026 happyDomain
|
|
// Authors: Pierre-Olivier Mercier, et al.
|
|
|
|
package checker
|
|
|
|
import (
|
|
"context"
|
|
"crypto/tls"
|
|
"io"
|
|
"net"
|
|
"net/http"
|
|
"net/url"
|
|
"time"
|
|
)
|
|
|
|
// Target captures everything a Collector needs to probe one logical host.
|
|
// It is built once by the orchestrator from CheckerOptions and passed to
|
|
// every Collector, so individual collectors don't have to re-parse options
|
|
// or re-resolve IPs.
|
|
type Target struct {
|
|
Host string
|
|
IPs []string
|
|
Timeout time.Duration
|
|
MaxRedirects int
|
|
UserAgent string
|
|
}
|
|
|
|
// Collector contributes a typed observation about a Target. Each collector
|
|
// owns one slice of the work (root probe, well-known endpoints, CORS
|
|
// preflight, etc.) and writes its result under Key() in the final
|
|
// payload's Extensions map.
|
|
//
|
|
// The current orchestrator wires only the root collector and writes its
|
|
// result directly under ObservationKeyHTTP for backward compatibility.
|
|
// Additional collectors are introduced in step 4; they will populate
|
|
// HTTPData.Extensions[Key()] without disturbing existing rules.
|
|
type Collector interface {
|
|
Key() string
|
|
Collect(ctx context.Context, t Target) (any, error)
|
|
}
|
|
|
|
// PathProbe is the common result of a single HTTPS path probe. It is
|
|
// embedded by collector-specific probe types that may add extra fields
|
|
// (e.g. HoneypotProbe adds Critical).
|
|
type PathProbe struct {
|
|
URL string `json:"url"`
|
|
StatusCode int `json:"status_code,omitempty"`
|
|
Bytes int `json:"bytes,omitempty"`
|
|
Error string `json:"error,omitempty"`
|
|
}
|
|
|
|
// fetchHTTPSPath issues a single GET against the given path using client,
|
|
// reads up to limit bytes (just to measure size), and returns a PathProbe.
|
|
func fetchHTTPSPath(ctx context.Context, client *http.Client, host, path, ua string, limit int64) PathProbe {
|
|
u := (&url.URL{Scheme: "https", Host: host, Path: path}).String()
|
|
probe := PathProbe{URL: u}
|
|
req, err := http.NewRequestWithContext(ctx, http.MethodGet, u, nil)
|
|
if err != nil {
|
|
probe.Error = err.Error()
|
|
return probe
|
|
}
|
|
req.Header.Set("User-Agent", ua)
|
|
resp, err := client.Do(req)
|
|
if err != nil {
|
|
probe.Error = err.Error()
|
|
return probe
|
|
}
|
|
defer resp.Body.Close()
|
|
probe.StatusCode = resp.StatusCode
|
|
n, _ := io.Copy(io.Discard, io.LimitReader(resp.Body, limit))
|
|
probe.Bytes = int(n)
|
|
return probe
|
|
}
|
|
|
|
// newPinnedHTTPSTransport returns an http.Transport that dials every request
|
|
// to ip:443 and presents host as the TLS ServerName. The caller must defer
|
|
// the returned cleanup func to drain idle connections.
|
|
func newPinnedHTTPSTransport(ip, host string, timeout time.Duration) (*http.Transport, func()) {
|
|
addr := net.JoinHostPort(ip, "443")
|
|
dialer := &net.Dialer{Timeout: timeout}
|
|
t := &http.Transport{
|
|
DialContext: func(ctx context.Context, network, _ string) (net.Conn, error) {
|
|
return dialer.DialContext(ctx, network, addr)
|
|
},
|
|
TLSClientConfig: &tls.Config{ServerName: host},
|
|
TLSHandshakeTimeout: timeout,
|
|
ResponseHeaderTimeout: timeout,
|
|
DisableKeepAlives: true,
|
|
}
|
|
return t, t.CloseIdleConnections
|
|
}
|