From 9ac140049caca6ccab153f90805fc3f82c362fb4 Mon Sep 17 00:00:00 2001
From: sickn33
Date: Sat, 28 Mar 2026 17:42:37 +0100
Subject: [PATCH] fix(ci): Sync canonical security artifacts

---
 README.md | 20 ++++++------
 skills/claude-monitor/scripts/api_bench.py | 13 +++++++-
 .../scripts/send_test_message.py | 32 +++++++++++--------
 .../scripts/validate_config.py | 31 ++++++++----------
 4 files changed, 55 insertions(+), 41 deletions(-)

diff --git a/README.md b/README.md
index 5bc7cf7d..cca454dd 100644
--- a/README.md
+++ b/README.md
@@ -647,8 +647,8 @@ We officially thank the following contributors for their help in making this rep
 - [@zinzied](https://github.com/zinzied)
 - [@ssumanbiswas](https://github.com/ssumanbiswas)
 - [@Dokhacgiakhoa](https://github.com/Dokhacgiakhoa)
-- [@IanJ332](https://github.com/IanJ332)
 - [@sx4im](https://github.com/sx4im)
+- [@IanJ332](https://github.com/IanJ332)
 - [@maxdml](https://github.com/maxdml)
 - [@skyruh](https://github.com/skyruh)
 - [@Champbreed](https://github.com/Champbreed)
@@ -671,18 +671,18 @@ We officially thank the following contributors for their help in making this rep
 - [@HuynhNhatKhanh](https://github.com/HuynhNhatKhanh)
 - [@taksrules](https://github.com/taksrules)
 - [@liyin2015](https://github.com/liyin2015)
+- [@krabat-l](https://github.com/krabat-l)
 - [@fullstackcrew-alpha](https://github.com/fullstackcrew-alpha)
-- [@arathiesh](https://github.com/arathiesh)
 - [@fernandezbaptiste](https://github.com/fernandezbaptiste)
 - [@Gizzant](https://github.com/Gizzant)
 - [@JayeHarrill](https://github.com/JayeHarrill)
+- [@AssassinMaeve](https://github.com/AssassinMaeve)
+- [@Musayrlsms](https://github.com/Musayrlsms)
+- [@arathiesh](https://github.com/arathiesh)
 - [@Tiger-Foxx](https://github.com/Tiger-Foxx)
 - [@RamonRiosJr](https://github.com/RamonRiosJr)
-- [@Musayrlsms](https://github.com/Musayrlsms)
-- [@AssassinMaeve](https://github.com/AssassinMaeve)
-- [@Wolfe-Jam](https://github.com/Wolfe-Jam)
+- [@vuth-dogo](https://github.com/vuth-dogo)
 - [@Wittlesus](https://github.com/Wittlesus)
-- [@PabloASMD](https://github.com/PabloASMD)
 - [@wahidzzz](https://github.com/wahidzzz)
 - [@Vonfry](https://github.com/Vonfry)
 - [@vprudnikoff](https://github.com/vprudnikoff)
@@ -695,7 +695,6 @@ We officially thank the following contributors for their help in making this rep
 - [@TomGranot](https://github.com/TomGranot)
 - [@terryspitz](https://github.com/terryspitz)
 - [@Onsraa](https://github.com/Onsraa)
-- [@ProgramadorBrasil](https://github.com/ProgramadorBrasil)
 - [@SebConejo](https://github.com/SebConejo)
 - [@SuperJMN](https://github.com/SuperJMN)
 - [@Enreign](https://github.com/Enreign)
@@ -705,7 +704,9 @@ We officially thank the following contributors for their help in making this rep
 - [@shubhamdevx](https://github.com/shubhamdevx)
 - [@ronanguilloux](https://github.com/ronanguilloux)
 - [@sraphaz](https://github.com/sraphaz)
-- [@vuth-dogo](https://github.com/vuth-dogo)
+- [@ProgramadorBrasil](https://github.com/ProgramadorBrasil)
+- [@PabloASMD](https://github.com/PabloASMD)
+- [@yubing744](https://github.com/yubing744)
 - [@yang1002378395-cmyk](https://github.com/yang1002378395-cmyk)
 - [@viliawang-pm](https://github.com/viliawang-pm)
 - [@uucz](https://github.com/uucz)
@@ -731,6 +732,7 @@ We officially thank the following contributors for their help in making this rep
 - [@amalsam](https://github.com/amalsam)
 - [@ziuus](https://github.com/ziuus)
 - [@Cerdore](https://github.com/Cerdore)
+- [@Wolfe-Jam](https://github.com/Wolfe-Jam)
 - [@qcwssss](https://github.com/qcwssss)
 - [@rcigor](https://github.com/rcigor)
 - [@hvasconcelos](https://github.com/hvasconcelos)
@@ -757,7 +759,6 @@ We officially thank the following contributors for their help in making this rep
 - [@ALEKGG1](https://github.com/ALEKGG1)
 - [@8144225309](https://github.com/8144225309)
 - [@1bcMax](https://github.com/1bcMax)
-- [@yubing744](https://github.com/yubing744)
 - [@olgasafonova](https://github.com/olgasafonova)
 - [@sharmanilay](https://github.com/sharmanilay)
 - [@KhaiTrang1995](https://github.com/KhaiTrang1995)
@@ -781,6 +782,7 @@ We officially thank the following contributors for their help in making this rep
 - [@kage-art](https://github.com/kage-art)
 - [@whatiskadudoing](https://github.com/whatiskadudoing)
 - [@jonathimer](https://github.com/jonathimer)
+- [@Jonohobs](https://github.com/Jonohobs)
 - [@JaskiratAnand](https://github.com/JaskiratAnand)
 - [@jamescha-earley](https://github.com/jamescha-earley)
diff --git a/skills/claude-monitor/scripts/api_bench.py b/skills/claude-monitor/scripts/api_bench.py
index ce01cee4..f210af2e 100644
--- a/skills/claude-monitor/scripts/api_bench.py
+++ b/skills/claude-monitor/scripts/api_bench.py
@@ -34,6 +34,17 @@ ENDPOINTS = [
 ]
+def create_tls_context():
+ """Cria contexto TLS restringindo conexoes a TLS 1.2+."""
+ context = ssl.create_default_context()
+ if hasattr(ssl, "TLSVersion"):
+ context.minimum_version = ssl.TLSVersion.TLSv1_2
+ else:
+ context.options |= getattr(ssl, "OP_NO_TLSv1", 0)
+ context.options |= getattr(ssl, "OP_NO_TLSv1_1", 0)
+ return context
+
+
 def test_tcp_latency(host, port, timeout=5):
+ """Testa latĂȘncia TCP para um host:port."""
+ try:
@@ -49,7 +60,7 @@ def test_tcp_latency(host, port, timeout=5):
 def test_tls_handshake(host, port=443, timeout=5):
 """Testa tempo do handshake TLS."""
 try:
- context = ssl.create_default_context()
+ context = create_tls_context()
 start = time.time()
 with socket.create_connection((host, port), timeout=timeout) as sock:
 with context.wrap_socket(sock, server_hostname=host) as ssock:
diff --git a/skills/whatsapp-cloud-api/scripts/send_test_message.py b/skills/whatsapp-cloud-api/scripts/send_test_message.py
index 7f121a1f..99196135 100644
--- a/skills/whatsapp-cloud-api/scripts/send_test_message.py
+++ b/skills/whatsapp-cloud-api/scripts/send_test_message.py
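Review bot: The `else` branch of `create_tls_context` can silently hand back an unrestricted context, because `getattr(ssl, "OP_NO_TLSv1", 0)` and its TLSv1_1 twin OR in 0 when the constant is missing, so the docstring's "TLS 1.2+" promise is not enforced on that path. On any interpreter this script is likely to run on the branch is dead anyway (`ssl.TLSVersion` and `minimum_version` exist since 3.7, and, as far as I recall, `create_default_context()` already defaults to a TLS 1.2 minimum from 3.10), so either drop it or make it fail loudly: replace the two `|=` lines with `raise RuntimeError("ssl module cannot enforce a TLS 1.2 minimum")`. The helper inherits `check_hostname`/`CERT_REQUIRED` from the default context, which is what a handshake benchmark should measure; worth saying so in the docstring, e.g. `"""Return a verifying client context (default certs, hostname check) restricted to TLS 1.2+."""`.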
@@ -28,11 +28,21 @@ except ImportError:
 GRAPH_API = "https://graph.facebook.com/v21.0"
-def _mask_secret(value: str) -> str:
- """Return a masked version of a secret for safe logging."""
- if not value or len(value) < 8:
- return "***masked***"
- return f"{value[:6]}...masked"
+def _redact_json(value):
+ """Recursively redact common secret-bearing keys before logging JSON."""
+ sensitive_keys = {"authorization", "token", "access_token", "app_secret", "secret"}
+
+ if isinstance(value, dict):
+ redacted = {}
+ for key, item in value.items():
+ if key.lower() in sensitive_keys:
+ redacted[key] = "***redacted***"
+ else:
+ redacted[key] = _redact_json(item)
+ return redacted
+ if isinstance(value, list):
+ return [_redact_json(item) for item in value]
+ return value
 def send_test(to: str, message: str) -> None:
@@ -84,11 +94,7 @@ def send_test(to: str, message: str) -> None:
 print()
 print("Full response:")
- # Mask token in response output to prevent credential leakage
- response_str = json.dumps(data, indent=2)
- if token and token in response_str:
- response_str = response_str.replace(token, _mask_secret(token))
- print(response_str)
+ print(json.dumps(_redact_json(data), indent=2))
 except httpx.ConnectError:
 print("Error: Connection failed. Check your internet connection.")
@@ -96,10 +102,8 @@ def send_test(to: str, message: str) -> None:
 except httpx.TimeoutException:
 print("Error: Request timed out.")
 sys.exit(1)
- except Exception as e:
- # Mask token in error output to prevent credential leakage
- safe_err = str(e).replace(token, _mask_secret(token)) if token else str(e)
- print(f"Error: {safe_err}")
+ except Exception as exc:
+ print(f"Error: unexpected {exc.__class__.__name__} while sending the test message.")
 sys.exit(1)
diff --git a/skills/whatsapp-cloud-api/scripts/validate_config.py b/skills/whatsapp-cloud-api/scripts/validate_config.py
index ab6a90e1..ff893851 100644
--- a/skills/whatsapp-cloud-api/scripts/validate_config.py
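Review bot: `_redact_json` matches only five exact key names, so a payload carrying e.g. `refresh_token`, `client_secret`, `api_key` or `password` is printed in full, and nothing else in the new code catches those. Widen the match to the usual suffixes as well as the exact set: `lowered = key.lower()` then `if lowered in sensitive_keys or lowered.endswith(("_token", "_secret", "_key", "password")):`. The helper also assumes every key is a `str` (`key.lower()`), which holds for parsed JSON but not for arbitrary dicts, and it inspects keys only, never string values; both limits belong in the docstring, e.g. `"""Recursively redact well-known secret keys in parsed JSON; values are not scanned, keys must be str."""`.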
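Review bot: `print(json.dumps(_redact_json(data), indent=2))` redacts by key only, so a token that shows up inside a string value — an error message that happens to echo the bearer token, or a URL field carrying it as a query parameter — is now printed verbatim, which the removed `response_str.replace(token, ...)` path used to cover. Keep both layers: `response_str = json.dumps(_redact_json(data), indent=2)` followed by `if token: response_str = response_str.replace(token, "***redacted***")` before the `print`. `send_test` starts before this hunk, and whether `token` is still bound at this point is not visible here; the removed lines relied on it.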
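Review bot: The catch-all now prints only the exception class, so whatever httpx or the JSON handling raised is reported as nothing more than its type name, which makes a failing test message hard to diagnose without re-running under a debugger. If hiding the message is intentional (it could echo the token), say so in a comment, `# Message text may contain the token; print only the type.`, and consider an opt-in verbose mode that writes the traceback to stderr rather than dropping the detail for everyone. `type(exc).__name__` is also the idiomatic spelling of `exc.__class__.__name__`. The enclosing `try` starts before this hunk.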
+++ b/skills/whatsapp-cloud-api/scripts/validate_config.py
@@ -47,11 +47,14 @@ def check_env_vars() -> tuple[bool, list[str]]:
 return len(missing) == 0, missing
-def _mask_secret(value: str) -> str:
- """Return a masked version of a secret for safe logging."""
- if not value or len(value) < 8:
- return "***masked***"
- return f"{value[:6]}...masked"
+def _format_api_failure(response: httpx.Response) -> str:
+ """Return a sanitized API failure message without echoing sensitive payloads."""
+ try:
+ error = response.json().get("error", {})
+ except ValueError:
+ error = {}
+ error_code = error.get("code", "?")
+ return f"API request failed (status {response.status_code}, code {error_code})."
 def test_api_connection() -> tuple[bool, str]:
@@ -76,17 +79,14 @@ def test_api_connection() -> tuple[bool, str]:
 f" Quality: {data.get('quality_rating', 'N/A')}"
 )
 else:
- error = response.json().get("error", {})
- return False, f"API Error {error.get('code', '?')}: {error.get('message', 'Unknown')}"
+ return False, _format_api_failure(response)
 except httpx.ConnectError:
 return False, "Connection failed. Check your internet connection."
 except httpx.TimeoutException:
 return False, "Request timed out after 10 seconds."
- except Exception as e:
- # Mask token in error output to prevent credential leakage
- safe_err = str(e).replace(token, _mask_secret(token)) if token else str(e)
- return False, f"Unexpected error: {safe_err}"
+ except Exception as exc:
+ return False, f"Unexpected {exc.__class__.__name__} while contacting the Graph API."
 def test_waba_access() -> tuple[bool, str]:
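Review bot: `_format_api_failure` guards only the JSON decode; if the body parses to something other than an object (`[]`, a string, `null`), `.get("error", {})` raises `AttributeError`, and the same happens at `error.get("code", "?")` when `error` is not a dict, so the helper meant to sanitize a failure becomes an unhandled exception that the callers then report as `Unexpected AttributeError`. Narrow the assumptions with `isinstance` checks and fall back to `"?"` in every non-dict case, as below. Dropping `error.message` is the safe choice but makes the output terse; a short docstring sentence saying that only the numeric error code is reported, by design, would stop the next maintainer from adding the message back.
```python
def _format_api_failure(response: httpx.Response) -> str:
    # … unchanged: docstring …
    try:
        body = response.json()
    except ValueError:
        body = None
    # Graph errors are expected as {"error": {"code": ...}}; anything else degrades to "?".
    error = body.get("error") if isinstance(body, dict) else None
    error_code = error.get("code", "?") if isinstance(error, dict) else "?"
    return f"API request failed (status {response.status_code}, code {error_code})."
```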
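Review bot: `exc.__class__.__name__` is better spelled `type(exc).__name__`, and because the message now carries no detail, any httpx transport error other than the two named ones (a reset connection, a protocol error mid-response) is reported as e.g. `Unexpected ReadError while contacting the Graph API.` with no hint that it is a network problem rather than a bug. As far as I recall both `ConnectError` and `TimeoutException` derive from `httpx.HTTPError`, so one more handler ahead of the catch-all covers the rest: `except httpx.HTTPError as exc: return False, f"HTTP transport error ({type(exc).__name__}) while contacting the Graph API."`. `test_api_connection` starts before this hunk.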
@@ -106,13 +106,10 @@ def test_waba_access() -> tuple[bool, str]:
 count = len(data.get("data", []))
 return True, f"WABA accessible. {count} phone number(s) found."
 else:
- error = response.json().get("error", {})
- return False, f"API Error {error.get('code', '?')}: {error.get('message', 'Unknown')}"
+ return False, _format_api_failure(response)
- except Exception as e:
- # Mask token in error output to prevent credential leakage
- safe_err = str(e).replace(token, _mask_secret(token)) if token else str(e)
- return False, f"Error: {safe_err}"
+ except Exception as exc:
+ return False, f"Unexpected {exc.__class__.__name__} while checking WABA access."
 def main():
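Review bot: `test_waba_access` still has only the catch-all, so a dropped connection or a timeout surfaces as `Unexpected ConnectError while checking WABA access.`, whereas `test_api_connection` gives the user the actionable `Connection failed. Check your internet connection.` and `Request timed out ...` messages for the same conditions. Add the same two handlers ahead of the catch-all so both checks report transport problems consistently, as below. The function body and its `try:` start before this hunk, so the timeout value used here is not visible; word the timeout message accordingly.
```python
        else:
            return False, _format_api_failure(response)

    except httpx.ConnectError:
        return False, "Connection failed. Check your internet connection."
    except httpx.TimeoutException:
        return False, "Request timed out."
    except Exception as exc:
        return False, f"Unexpected {type(exc).__name__} while checking WABA access."
```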