From 634147dddca2c463342785518d3567b61c86bbaa Mon Sep 17 00:00:00 2001
From: Max Holman
Date: Wed, 6 May 2026 16:31:47 +0700
Subject: [PATCH 1/3] chore: bump standards submodule
---
 standards | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/standards b/standards
index 0c5d454..39e0764 160000
--- a/standards
+++ b/standards
@@ -1 +1 @@
-Subproject commit 0c5d45442a94aafa240ee7bd6cca746991c45761
+Subproject commit 39e0764f1327e417eb5cd8312f44482cdc767523
From ecdfd41f20866e4be05af91c66342e0f670b887d Mon Sep 17 00:00:00 2001
From: Max Holman
Date: Wed, 6 May 2026 16:31:57 +0700
Subject: [PATCH 2/3] chore(range): mark CTF credentials as fictional
The cyber range layers contain plaintext passwords and an ed25519 private key that are part of the test fixture, not real secrets. Automated secret scanners were repeatedly flagging them. Add a paths-ignore for range/ to GitHub secret scanning, a top-level CTF-NOTICE explaining the fictional nature of the directory, and inline markers next to the chpasswd lines and the leaked-key layer.
Co-Authored-By: Claude Opus 4.7 (1M context)
---
 .github/secret_scanning.yml | 2 ++
 range/CTF-NOTICE.md | 18 ++++++++++++++++++
 range/layers/backup-ssh/layer.yml | 1 +
 range/layers/ssh-bastion/layer.yml | 1 +
 range/layers/ssh-leaked-key/layer.yml | 2 ++
 5 files changed, 24 insertions(+)
 create mode 100644 .github/secret_scanning.yml
 create mode 100644 range/CTF-NOTICE.md
diff --git a/.github/secret_scanning.yml b/.github/secret_scanning.yml
new file mode 100644
index 0000000..b01bc28
--- /dev/null
+++ b/.github/secret_scanning.yml
@@ -0,0 +1,2 @@
+paths-ignore:
+ - "range/**"
diff --git a/range/CTF-NOTICE.md b/range/CTF-NOTICE.md
new file mode 100644
index 0000000..6e8807a
--- /dev/null
+++ b/range/CTF-NOTICE.md
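Review bot: The `paths-ignore: - "range/**"` rule silences secret scanning for the whole range/ tree, including anything added under it later, so a genuine credential that lands there by mistake would never raise an alert, and the file itself carries no hint of why the exclusion exists. Keep the rationale next to the rule with a comment such as `# range/ holds fictional CTF fixture credentials only; see range/CTF-NOTICE.md`. If the set of fixture paths is stable, a narrower pattern list (the `range/layers/*/layer.yml` files and the `range/layers/ftp-loot/` key path named in the notice) would leave the rest of range/ covered; the notice's "e.g." suggests the loot files are scattered, so that may not be practical yet.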
@@ -0,0 +1,18 @@
+# Cyber Range — Fictional Content Notice
+
+Everything under `range/` is content for a self-contained cyber range used to
+test wallhack. The VMs run only inside an isolated, ephemeral pontoon network.
+None of these credentials, keys, or hostnames are real and none of them grant
+access to anything outside the range.
+
+This includes, but is not limited to:
+
+- Plaintext passwords in `range/layers/*/layer.yml` and discoverable "loot"
+ files (e.g. `intranet/.../creds.txt`, `app-api/.../ssh.conf`).
+- The ed25519 private key at `range/layers/ftp-loot/ftp/backup/id_ed25519`,
+ generated specifically for the `ssh-leaked-key` challenge.
+- Internal IPs in the `10.99.0.0/16` private range.
+
+If your secret scanner pointed you here: this directory is excluded via
+`.github/secret_scanning.yml`. The credentials are part of the test fixture,
+not a leak.
diff --git a/range/layers/backup-ssh/layer.yml b/range/layers/backup-ssh/layer.yml
index 25713ef..2e917c7 100644
--- a/range/layers/backup-ssh/layer.yml
+++ b/range/layers/backup-ssh/layer.yml
@@ -2,6 +2,7 @@ packages:
 - openssh
 - rsync
 start: |
+ # Fictional CTF range credentials. Not real passwords, not a leak.
 adduser -D backup 2>/dev/null || true
 echo "root:hacker" | chpasswd 2>/dev/null || true
 echo "backup:backup123" | chpasswd 2>/dev/null || true
diff --git a/range/layers/ssh-bastion/layer.yml b/range/layers/ssh-bastion/layer.yml
index 628e26d..3c6ebd4 100644
--- a/range/layers/ssh-bastion/layer.yml
+++ b/range/layers/ssh-bastion/layer.yml
@@ -1,6 +1,7 @@
 packages:
 - openssh
 start: |
+ # Fictional CTF range credentials. Not a real password, not a leak.
 echo "pontoon:Tr0mb0n3!2024" | chpasswd
 ssh-keygen -A
 /usr/sbin/sshd -D &
diff --git a/range/layers/ssh-leaked-key/layer.yml b/range/layers/ssh-leaked-key/layer.yml
index 133ef0b..9aa402b 100644
--- a/range/layers/ssh-leaked-key/layer.yml
+++ b/range/layers/ssh-leaked-key/layer.yml
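Review bot: The marker added above `adduser` in the backup-ssh hunk is a comment line, so it explains intent to a reader but does not change what a line-oriented secret scanner reports; tools that honour an inline allowlist (gitleaks with `gitleaks:allow`, for one) look for the directive on the flagged line itself, not on the line above. If such tools were among the scanners that kept flagging, the effective form is a trailing directive on each `chpasswd` line, e.g. `echo "root:hacker" | chpasswd 2>/dev/null || true  # gitleaks:allow`; the same applies to the ssh-bastion hunk and to the ssh-leaked-key hunk that follows. In any case, pointing the comment at the notice (`# Fictional CTF range credentials; see range/CTF-NOTICE.md`) gives a reader the full explanation without a search. The `start:` script most likely continues past each hunk's last line.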
@@ -3,6 +3,8 @@ packages:
 configs:
 - home/deploy/.ssh/authorized_keys
 start: |
+ # Fictional CTF range key. The matching private key under ftp-loot/
+ # is generated for this challenge and grants no real access.
 adduser -D deploy 2>/dev/null || true
 passwd -u deploy 2>/dev/null || true
 chown -R deploy:deploy /home/deploy/.ssh
From 224aa478070caac815ea35fbb45611c64ee212e5 Mon Sep 17 00:00:00 2001
From: Max Holman
Date: Wed, 6 May 2026 17:23:14 +0700
Subject: [PATCH 3/3] fix(deps): patch security advisories in rustls-webpki, rand, h3
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Closes 8 open dependabot alerts via transitive lockfile bumps: - rustls-webpki 0.103.9 -> 0.103.13 — CRL/URI/wildcard name-constraint handling and panic-on-malformed-CRL DoS (alerts #27 #42 #43 #47) - rand 0.8.5 -> 0.8.6 and 0.9.2 -> 0.9.4 — soundness fix for callers using a custom logger with rand::rng() (#45 #46) - h3 1.15.8 -> 1.15.11 (website) — path traversal via double-decoded %252e%252e in serveStatic and SSE event injection via unsanitized carriage return (#24 #25) No direct dependency edits; all bumps are transitive.
---
 Cargo.lock | 28 ++++++++++++++--------------
 website/pnpm-lock.yaml | 24 ++++++++++++------------
 2 files changed, 26 insertions(+), 26 deletions(-)
diff --git a/Cargo.lock b/Cargo.lock
index ed25134..dc41d2c 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -1439,7 +1439,7 @@ dependencies = [ "idna", "ipnet", "once_cell", - "rand 0.9.2", + "rand 0.9.4", "ring", "thiserror 2.0.18", "tinyvec",
@@ -1460,7 +1460,7 @@ dependencies = [ "moka", "once_cell", "parking_lot", - "rand 0.9.2", + "rand 0.9.4", "smallvec", "thiserror 2.0.18", "tokio",
@@ -2453,7 +2453,7 @@ dependencies = [ "bytes", "getrandom 0.3.4", "lru-slab", - "rand 0.9.2", + "rand 0.9.4", "ring", "rustc-hash", "rustls",
@@ -2502,9 +2502,9 @@ checksum = "f8dcc9c7d52a811697d2151c701e0d08956f92b0e24136cf4cf27b57a6a0d9bf" [[package]] name = "rand" -version = "0.8.5" +version = "0.8.6" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "34af8d1a0e25924bc5b7c43c079c942339d8f0a8b57c39049bef581b46327404" +checksum = "5ca0ecfa931c29007047d1bc58e623ab12e5590e8c7cc53200d5202b69266d8a" dependencies = [ "libc", "rand_chacha 0.3.1", @@ -2513,9 +2513,9 @@ dependencies = [ [[package]] name = "rand" -version = "0.9.2" +version = "0.9.4" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "6db2770f06117d490610c7488547d543617b21bfa07796d7a12f6f1bd53850d1" +checksum = "44c5af06bb1b7d3216d91932aed5265164bf384dc89cd6ba05cf59a35f5f76ea" dependencies = [ "rand_chacha 0.9.0", "rand_core 0.9.5", @@ -2774,9 +2774,9 @@ dependencies = [ [[package]] name = "rustls-webpki" -version = "0.103.9" +version = "0.103.13" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d7df23109aa6c1567d1c575b9952556388da57401e4ace1d15f79eedad0d8f53" +checksum = "61c429a8649f110dddef65e2a5ad240f747e85f7758a6bccc7e5777bd33f756e" dependencies = [ "aws-lc-rs", "ring", @@ -3441,7 +3441,7 @@ dependencies = [ "indexmap 1.9.3", "pin-project", "pin-project-lite", - "rand 0.8.5", + "rand 0.8.6", "slab", "tokio", "tokio-util", @@ -3589,7 +3589,7 @@ dependencies = [ "http", "httparse", "log", - "rand 0.9.2", + "rand 0.9.4", "sha1", "thiserror 2.0.18", "utf-8", @@ -3792,7 +3792,7 @@ dependencies = [ "argh", "nu-ansi-term", "prost", - "rand 0.9.2", + "rand 0.9.4", "reedline", "serde", "serde_json", @@ -3821,7 +3821,7 @@ dependencies = [ "parking_lot", "prost", "quinn", - "rand 0.9.2", + "rand 0.9.4", "rcgen", "ring", "rustls", @@ -4460,7 +4460,7 @@ dependencies = [ "nohash-hasher", "parking_lot", "pin-project", - "rand 0.9.2", + "rand 0.9.4", "static_assertions", "web-time", ] diff --git a/website/pnpm-lock.yaml b/website/pnpm-lock.yaml index 3972f6b..401eaaf 100644 
--- a/website/pnpm-lock.yaml +++ b/website/pnpm-lock.yaml @@ -1645,8 +1645,8 @@ packages: confbox@0.2.4: resolution: {integrity: sha512-ysOGlgTFbN2/Y6Cg3Iye8YKulHw+R2fNXHrgSmXISQdMnomY6eNDprVdW9R5xBguEqI954+S6709UyiO7B+6OQ==} - cookie-es@1.2.2: - resolution: {integrity: sha512-+W7VmiVINB+ywl1HGXJXmrqkOhpKrIiVZV6tQuV54ZyQC7MMuBt81Vc336GMLoHBq5hV/F9eXgt5Mnx0Rha5Fg==} + cookie-es@1.2.3: + resolution: {integrity: sha512-lXVyvUvrNXblMqzIRrxHb57UUVmqsSWlxqt3XIjCkUP0wDAf6uicO6KMbEgYrMNtEvWgWHwe42CKxPu9MYAnWw==} cookie@1.1.1: resolution: {integrity: sha512-ei8Aos7ja0weRpFzJnEA9UHJ/7XQmqglbRwnf2ATjcB9Wq874VKH9kfjjirM6UhU2/E5fFYadylyhFldcqSidQ==} @@ -1707,8 +1707,8 @@ packages: decode-named-character-reference@1.3.0: resolution: {integrity: sha512-GtpQYB283KrPp6nRw50q3U9/VfOutZOe103qlN7BPP6Ad27xYnOIWv4lPzo8HCAL+mMZofJ9KEy30fq6MfaK6Q==} - defu@6.1.4: - resolution: {integrity: sha512-mEQCMmwJu317oSz8CwdIOdwf3xMif1ttiM8LTufzc3g6kR+9Pe236twL8j3IYT1F7GfRgGcW6MWxzZjLIkuHIg==} + defu@6.1.7: + resolution: {integrity: sha512-7z22QmUWiQ/2d0KkdYmANbRUVABpZ9SNYyH5vx6PZ+nE5bcC0l7uFvEfHlyld/HcGBFTL536ClDt3DEcSlEJAQ==} dequal@2.0.3: resolution: {integrity: sha512-0je+qPKHEMohvfRTCEo3CrPG6cAzAYgmzKyxRiYSSDkS6eGJdyVJm7WaYA5ECaAD9wLB2T4EEeymA5aFVcYXCA==} @@ -1862,8 +1862,8 @@ packages: graceful-fs@4.2.11: resolution: {integrity: sha512-RbJ5/jmFcNNCcDV5o9eTnBLJ/HszWV0P73bc+Ff4nS/rJj+YaS6IGyiOL0VoBYX+l1Wrl3k63h/KrH+nhJ0XvQ==} - h3@1.15.8: - resolution: {integrity: sha512-iOH6Vl8mGd9nNfu9C0IZ+GuOAfJHcyf3VriQxWaSWIB76Fg4BnFuk4cxBxjmQSSxJS664+pgjP6e7VBnUzFfcg==} + h3@1.15.11: + resolution: {integrity: sha512-L3THSe2MPeBwgIZVSH5zLdBBU90TOxarvhK9d04IDY2AmVS8j2Jz2LIWtwsGOU3lu2I5jCN7FNvVfY2+XyF+mg==} hast-util-from-html@2.0.3: resolution: {integrity: sha512-CUSRHXyKjzHov8yKsQjGOElXy/3EKpyX56ELnkHH34vDVw1N1XSQ1ZcAvTyAPtGqLTuKP/uxM+aLkSPqF/EtMw==} @@ -4037,7 +4037,7 @@ snapshots: confbox@0.2.4: {} - cookie-es@1.2.2: {} + cookie-es@1.2.3: {} cookie@1.1.1: {} 
@@ -4096,7 +4096,7 @@ snapshots: dependencies: character-entities: 2.0.2 - defu@6.1.4: {} + defu@6.1.7: {} dequal@2.0.3: {} @@ -4273,11 +4273,11 @@ snapshots: graceful-fs@4.2.11: {} - h3@1.15.8: + h3@1.15.11: dependencies: - cookie-es: 1.2.2 + cookie-es: 1.2.3 crossws: 0.3.5 - defu: 6.1.4 + defu: 6.1.7 destr: 2.0.5 iron-webcrypto: 1.2.1 node-mock-http: 1.0.4 @@ -5418,7 +5418,7 @@ snapshots: anymatch: 3.1.3 chokidar: 5.0.0 destr: 2.0.5 - h3: 1.15.8 + h3: 1.15.11 lru-cache: 11.2.7 node-fetch-native: 1.6.7 ofetch: 1.5.1