Conversation
|
All contributors have signed the CLA ✍️ ✅ |
|
I have read the CLA Document and I hereby sign the CLA |
🚀 Performance Benchmark Report
📊 Current Results (dev) - Click to expandResults
🐍 Python Version 3.11.15 |
|
I have read the CLA Document and I hereby sign the CLA
…-------- Original Message --------
On Monday, 05/04/26 at 20:07 github-actions[bot] ***@***.***> wrote:
github-actions[bot] left a comment [(blacklanternsecurity/bbot#3079)](#3079 (comment))
🚀 Performance Benchmark Report
> ℹ️ No baseline benchmark data available
>
> Showing current results for dev only.
📊 Current Results (dev) - Click to expand
Results
Test Name Mean Time Ops/sec Min Max
Bloom Filter Dns Mutation Tracking Performance 4.12ms 242.6 ops/sec 4.09ms 4.17ms
Bloom Filter Large Scale Dns Brute Force 17.33ms 57.7 ops/sec 17.17ms 17.63ms
Large Closest Match Lookup 356.76ms 2.8 ops/sec 348.95ms 358.71ms
Realistic Closest Match Workload 191.18ms 5.2 ops/sec 188.25ms 194.24ms
Event Memory Medium Scan 2.197s 0.5 ops/sec 2.087s 2.363s
Event Memory Large Scan 10.850s 0.1 ops/sec 10.624s 11.127s
Event Validation Full Scan Startup Small Batch 406.67ms 2.5 ops/sec 400.26ms 411.14ms
Event Validation Full Scan Startup Large Batch 574.81ms 1.7 ops/sec 567.77ms 579.13ms
Make Event Autodetection Small 31.41ms 31.8 ops/sec 31.33ms 31.50ms
Make Event Autodetection Large 321.98ms 3.1 ops/sec 320.93ms 323.65ms
Make Event Explicit Types 14.09ms 71.0 ops/sec 14.02ms 14.16ms
Excavate Single Thread Small 4.046s 0.2 ops/sec 3.982s 4.082s
Excavate Single Thread Large 9.888s 0.1 ops/sec 9.767s 9.991s
Excavate Parallel Tasks Small 4.178s 0.2 ops/sec 4.125s 4.210s
Excavate Parallel Tasks Large 7.323s 0.1 ops/sec 7.248s 7.354s
Is Ip Performance 3.23ms 310.1 ops/sec 3.18ms 5.11ms
Make Ip Type Performance 11.72ms 85.3 ops/sec 11.62ms 12.58ms
Mixed Ip Operations 4.61ms 216.8 ops/sec 4.56ms 5.01ms
Memory Use Web Crawl 481ns 2079.0K ops/sec 481ns 481ns
Memory Use Subdomain Enum 571ns 1751.3K ops/sec 571ns 571ns
Scan Throughput 100 7.355s 0.1 ops/sec 6.334s 8.383s
Scan Throughput 1000 36.391s 0.0 ops/sec 35.854s 36.995s
Typical Queue Shuffle 64.03µs 15.6K ops/sec 59.64µs 722.31µs
Priority Queue Shuffle 726.13µs 1.4K ops/sec 683.46µs 1.24ms
---------------------------------------------------------------
🐍 Python Version 3.11.15
—
Reply to this email directly, [view it on GitHub](#3079 (comment)), or [unsubscribe](https://github.com/notifications/unsubscribe-auth/AOIZCEYWQ3LFB2DNG22XZ7T4ZDS7BAVCNFSM6AAAAACYQRYROCVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHM2DGNZTG42DCMZWGY).
Triage notifications on the go with GitHub Mobile for [iOS](https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675) or [Android](https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub).
You are receiving this because you were mentioned.Message ID: ***@***.***>
|
Code reviewFound 1 issue:
bbot/bbot/modules/internal/dnsresolve.py Lines 118 to 122 in 3501f3a The check in Lines 501 to 506 in 3501f3a The fix is either to use the correct underscore-prefixed name ( 🤖 Generated with Claude Code - If this code review was useful, please react with 👍. Otherwise, react with 👎. |
Codecov Report❌ Patch coverage is Additional details and impacted files@@ Coverage Diff @@
## stable #3079 +/- ##
========================================
- Coverage 91% 90% -0%
========================================
Files 441 450 +9
Lines 37720 46100 +8380
========================================
+ Hits 34122 41362 +7240
- Misses 3598 4738 +1140 ☔ View full report in Codecov by Harness. 🚀 New features to boost your workflow:
|
|
recheck |
The SPF mechanism prefix regex moves to regexes.py (compiled with the regex package like the rest). IP/CIDR extraction now only runs on records containing v=spf1, and SPF macro tokens are skipped. DNS child events no longer hardcode DNS_NAME: an IP was coerced anyway, but a CIDR failed validation and was silently dropped, so the type is now auto-detected (DNS_NAME / IP_ADDRESS / IP_RANGE). Adds an end-to-end test from TXT record to emitted IP_ADDRESS / IP_RANGE events, plus macro and gating coverage.
CodeQL's incomplete-url-substring-sanitization query flags hostname string literals in membership asserts; these are exact set-membership checks, so switch the three flagged asserts to subset comparisons.
…secrets Upgrade baddns to 2.4, badsecrets to 1.1
forward_event() distributes events to modules via sequential awaits. Between iterations, a fast module can process the event and call _minimize(), dropping _module_consumers to 0 and stripping fields like original_value before slower modules are even queued. Add a sentinel (+1 before the loop, _minimize() after) so the counter never transiently hits 0 during distribution. Also use defensive .get() in lightfuzz metadata() as a belt-and-suspenders guard.
…in-forward-event Fix _minimize() race in forward_event stripping WEB_PARAMETER fields
Shared helper on WebHelper detects hosts that return the same response regardless of URL path (SPAs, catch-all redirects, soft-404s). Probes two distinct random paths + root via HttpCompare with auto-filtered dynamic content. Cached per (scheme, host, port), 3 requests per host. Consumers: wayback skips CDX query, webbrute skips fuzzing, excavate suppresses URL_UNVERIFIED (other extractions still run).
- Crypto: skip digit-only values in keystream-reuse detection (they're decimal IDs misread as hex, not ciphertexts) - Add nlbi_ (Incapsula load balancer) to parameter_blacklist_prefixes
Prevents speculate from expanding out-of-scope CIDRs (e.g. from SPF records) into individual IP_ADDRESS events that no downstream module can use. Children land at distance+1, so enumerating a range beyond search_distance just produces unreachable pipeline churn.
event.md linked to ../../scanning/events (outside docs root); correct to ../scanning/events.md to match other dev pages. Wire the orphaned webbrute deep-dive page into the Modules nav.
…/ruff-0.15.20 Bump ruff from 0.15.18 to 0.15.20
Comprehensive docs update
- Remove SCAN event network section (feature was never committed) - Link blasthttp repo in HTTP internals bullet (mirrors blastdns) - Fix build-system bullet that split across lines due to a leading +
- Break the Message Queues table into per-module sections (kafka, rabbitmq, nats, zeromq, websocket) with config examples - Reword the http reassignment note in the 3.0 migration guide
- filter with is_global instead of is_private so CGNAT/reserved space (no public ASN) isn't looked up - serialize asndb requests via NamedLock so concurrent callers don't stampede the rate-limited bbot.io API
asn: filter non-global IPs and serialize asndb lookups
Updates the requirements on [fastapi](https://github.com/fastapi/fastapi) to permit the latest version. - [Release notes](https://github.com/fastapi/fastapi/releases) - [Commits](fastapi/fastapi@0.115.5...0.139.0) --- updated-dependencies: - dependency-name: fastapi dependency-version: 0.139.0 dependency-type: direct:development ... Signed-off-by: dependabot[bot] <support@github.com>
…/fastapi-gte-0.115.5-and-lt-0.140.0 Update fastapi requirement from <0.139.0,>=0.115.5 to >=0.115.5,<0.140.0
- _check_output_path: resolve paths before the containment check so ".." and escaping symlinks are rejected - filter_event: match github.com by hostname instead of substring - download_run_artifacts: sanitize artifact filename to a safe basename
Defense-in-depth: the registry-supplied tag is used unsanitized in the tarball filename, so reject any path that resolves outside output_dir before writing. Matches the pattern in github_workflows, postman_download, and gitdumper.
The symlink/hardlink rejection in unarchive._check_archive_safe() was applied
only to the tar branch. The zip/7z branch parsed the p7zip `Attributes` value
and rejected only when it started with "l", but p7zip prefixes a DOS attribute
block before the unix mode (e.g. "_ lrwxrwxrwx" for a symlink), so the check
never fired and no `Link = ` line is emitted for zip/7z symlinks. A symlink
stored in a downloaded zip/7z was therefore accepted and materialized on disk
by `7z x`.
Parse the trailing unix mode field of the `Attributes` value and reject when
its type flag is "l" (symlink) or "h" (hardlink), mirroring the tar branch's
`line[0] in ("l", "h")` test. Add a symlink_zip case to
TestUnarchiveTraversalCheck alongside the existing symlink_tar.
Signed-off-by: tonghuaroot <tonghuaroot@gmail.com>
A unix-symlink zip lists as " lrwxrwxrwx" on mainline 7-Zip, which the pre-fix
guard already caught, so the zip case only exercises the fix on p7zip. A
7z-native symlink lists with a DOS-attribute prefix ("A lrwxrwxrwx") that the
pre-fix guard missed, covering the fix on mainline 7-Zip (what CI runs) too.
Final 3.0 docs update
Reject symlink entries in zip/7z archives in unarchive module
Fix path traversal in github_workflows output path
Architecture / Core
Vulnerability / Finding Rework
Blasthttp
DNS
Performance
Lightfuzz
New Modules
Module Fixes / Removals
Config / Presets / Targets
UX / Output
downloadflag to modules #2757 Introduce newdownloadflag to modules by @TrebledJBug Fixes
URL_UNVERIFIEDevent upon detecting http protocols #3068 fingerprintx: emit URL_UNVERIFIED on http protocols by @TrebledJSecurity
Documentation
Misc
Merge Conflict Resolution