hao/websafe-kb
1
0
派生 0
代码 工单 合并请求 1 工作流 软件包 项目 发布 百科 活动

更新: 421 个文件 - 2026-03-17 18:30:02

浏览代码
这个提交包含在:
hao
2026-03-17 18:30:02 -07:00
父节点 29c3faaa28
当前提交 a3edc88834
修改 421 个文件,包含 12474 行新增5845 行删除
下载 Patch 文件 下载 Diff 文件 展开所有文件 折叠所有文件

2
00-environments/templates/fixtures/gitea/authz-bypass/scenario.json 普通文件
查看文件

@@ -0,0 +1,2 @@
{"system_id":"gitea","family":"authz-bypass","title":"Gitea Authz Bypass Fixture","subtitle":"Protected admin route with server-side bypass marker.","browser_required":false}

2
00-environments/templates/fixtures/gitea/file-upload/scenario.json 普通文件
查看文件

@@ -0,0 +1,2 @@
{"system_id":"gitea","family":"file-upload","title":"Gitea File Upload Fixture","subtitle":"Attachment acceptance path with inert upload marker.","browser_required":true}

2
00-environments/templates/fixtures/gitea/proxy-boundary/scenario.json 普通文件
查看文件

@@ -0,0 +1,2 @@
{"system_id":"gitea","family":"proxy-boundary","title":"Gitea Proxy Boundary Fixture","subtitle":"Forwarded header trust boundary and admin gate fixture.","browser_required":true}

2
00-environments/templates/fixtures/gitea/ssrf/scenario.json 普通文件
查看文件

@@ -0,0 +1,2 @@
{"system_id":"gitea","family":"ssrf","title":"Gitea SSRF Fixture","subtitle":"Server-side callback route restricted to a local sink.","browser_required":false}

2
00-environments/templates/fixtures/gitea/xss/scenario.json 普通文件
查看文件

@@ -0,0 +1,2 @@
{"system_id":"gitea","family":"xss","title":"Gitea Stored XSS Fixture","subtitle":"Stored payload rendering path for browser proof capture.","browser_required":true}

2
00-environments/templates/fixtures/nextjs/authz-bypass/scenario.json 普通文件
查看文件

@@ -0,0 +1,2 @@
{"system_id":"nextjs","family":"authz-bypass","title":"Next.js Authz Bypass Fixture","subtitle":"Protected route fixture with explicit bypass proof.","browser_required":false}

2
00-environments/templates/fixtures/nextjs/deserialization/scenario.json 普通文件
查看文件

@@ -0,0 +1,2 @@
{"system_id":"nextjs","family":"deserialization","title":"Next.js Deserialization Fixture","subtitle":"Unsafe decode path with inert marker object.","browser_required":false}

2
00-environments/templates/fixtures/nextjs/proxy-boundary/scenario.json 普通文件
查看文件

@@ -0,0 +1,2 @@
{"system_id":"nextjs","family":"proxy-boundary","title":"Next.js Proxy Boundary Fixture","subtitle":"Middleware trust-boundary fixture with forwarded-header proof.","browser_required":true}

2
00-environments/templates/fixtures/nextjs/ssrf/scenario.json 普通文件
查看文件

@@ -0,0 +1,2 @@
{"system_id":"nextjs","family":"ssrf","title":"Next.js SSRF Fixture","subtitle":"Server-side fetch route restricted to local sink validation.","browser_required":false}

2
00-environments/templates/fixtures/nextjs/xss/scenario.json 普通文件
查看文件

@@ -0,0 +1,2 @@
{"system_id":"nextjs","family":"xss","title":"Next.js XSS Fixture","subtitle":"Browser proof page for stored payload rendering.","browser_required":true}

171
00-environments/templates/fixtures/shared/node_fixture.mjs 普通文件
查看文件

@@ -0,0 +1,171 @@
import fs from "node:fs";
import http from "node:http";
const scenario = JSON.parse(fs.readFileSync(process.env.LAB_FIXTURE_SCENARIO, "utf8"));
const port = Number(process.env.PORT || 3000);
const state = {
seeded: false,
proof: false,
family: scenario.family,
system_id: scenario.system_id,
case_id: "",
detail: "fixture ready",
uploads: [],
sink_hits: 0,
payload: null,
events: []
};
function note(event, detail) {
state.events.push({ event, detail });
state.events = state.events.slice(-20);
}
function sendJson(res, statusCode, payload) {
const body = JSON.stringify(payload);
res.writeHead(statusCode, { "content-type": "application/json", "content-length": Buffer.byteLength(body) });
res.end(body);
}
function renderHtml() {
const proof = state.proof;
const banner = proof ? `<div class="proof">Proof active: ${state.detail}</div>` : `<div class="baseline">Baseline ready</div>`;
const xssBlock = proof && state.family === "xss"
? `<script>document.documentElement.setAttribute("data-xss-proof","true");document.title=${JSON.stringify(`${scenario.title} - proof`)};</script><div id="xss-proof">XSS marker executed for ${state.case_id}</div>`
: "";
const uploads = state.uploads.length ? `<section><h2>Uploads</h2><ul>${state.uploads.map((item) => `<li>${item.filename}</li>`).join("")}</ul></section>` : "";
const sink = state.sink_hits ? `<section id="ssrf-proof">Local sink hits: ${state.sink_hits}</section>` : "";
const admin = proof && ["proxy-boundary", "authz-bypass"].includes(state.family)
? `<section id="admin-proof">Admin boundary bypass confirmed.</section>`
: "";
const deserialize = proof && state.family === "deserialization"
? `<section id="deserialize-proof">Decoded marker: ${state.case_id}</section>`
: "";
return `<!doctype html>
<html lang="zh-CN">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<title>${scenario.title}${proof && state.family !== "xss" ? " - proof" : ""}</title>
<style>
body { font-family: sans-serif; background: #0f172a; color: #e2e8f0; margin: 0; padding: 32px; }
main { max-width: 900px; margin: 0 auto; background: #111827; border: 1px solid #334155; border-radius: 16px; padding: 24px; }
.proof { padding: 14px; border-radius: 12px; background: #14532d; color: #dcfce7; }
.baseline { padding: 14px; border-radius: 12px; background: #1e3a8a; color: #dbeafe; }
code { background: rgba(255,255,255,0.08); padding: 2px 6px; border-radius: 6px; }
</style>
</head>
<body>
<main>
<h1>${scenario.title}</h1>
<p>${scenario.subtitle}</p>
${banner}
<p>System: <code>${scenario.system_id}</code> / Family: <code>${scenario.family}</code></p>
${admin}
${xssBlock}
${uploads}
${sink}
${deserialize}
</main>
</body>
</html>`;
}
function readBody(req) {
return new Promise((resolve) => {
const chunks = [];
req.on("data", (chunk) => chunks.push(chunk));
req.on("end", () => {
try {
resolve(JSON.parse(Buffer.concat(chunks).toString("utf8") || "{}"));
} catch (_error) {
resolve({});
}
});
});
}
async function handleAttack(payload) {
const family = payload.family || state.family;
state.case_id = payload.case_id || state.case_id;
state.payload = payload;
state.proof = true;
if (family === "proxy-boundary") {
state.detail = "trusted forwarded headers crossed the boundary";
} else if (family === "authz-bypass") {
state.detail = "server-side authorization recheck was bypassed";
} else if (family === "ssrf") {
await fetch(`http://127.0.0.1:${port}/sink?case_id=${encodeURIComponent(state.case_id)}`);
state.detail = "server-side callback reached the local sink";
} else if (family === "xss") {
state.detail = "stored payload rendered inside the browser proof page";
} else if (family === "file-upload") {
state.uploads.push({ filename: payload.filename || `${state.case_id}.txt`, content: payload.content || "" });
state.detail = "upload marker accepted and listed";
} else if (family === "deserialization") {
state.detail = "unsafe object graph decoded without gadget execution";
}
note("attack", state.detail);
}
const server = http.createServer(async (req, res) => {
const url = new URL(req.url, `http://127.0.0.1:${port}`);
if (req.method === "GET" && url.pathname === "/healthz") {
sendJson(res, 200, { ok: true, system_id: scenario.system_id, family: scenario.family });
return;
}
if (req.method === "GET" && url.pathname === "/") {
const body = renderHtml();
res.writeHead(200, { "content-type": "text/html; charset=utf-8", "content-length": Buffer.byteLength(body) });
res.end(body);
return;
}
if (req.method === "GET" && url.pathname === "/admin") {
if (state.proof && ["proxy-boundary", "authz-bypass"].includes(state.family)) {
sendJson(res, 200, { ok: true, detail: state.detail, case_id: state.case_id });
} else {
sendJson(res, 403, { ok: false, detail: "admin boundary still enforced" });
}
return;
}
if (req.method === "GET" && url.pathname === "/sink") {
state.sink_hits += 1;
note("sink-hit", url.searchParams.toString() || "local callback");
sendJson(res, 200, { ok: true, sink_hits: state.sink_hits });
return;
}
if (req.method === "GET" && url.pathname === "/proof") {
sendJson(res, 200, {
success: Boolean(state.proof),
detail: state.detail,
case_id: state.case_id,
sink_hits: state.sink_hits,
uploads: state.uploads,
events: state.events
});
return;
}
if (req.method === "POST" && url.pathname === "/seed") {
const payload = await readBody(req);
state.seeded = true;
state.proof = false;
state.case_id = String(payload.case_id || "");
state.detail = "fixture seeded";
state.uploads = [];
state.sink_hits = 0;
state.payload = null;
note("seed", state.case_id || "anonymous");
sendJson(res, 200, { ok: true, detail: "fixture seeded", case_id: state.case_id });
return;
}
if (req.method === "POST" && url.pathname === "/attack") {
const payload = await readBody(req);
await handleAttack(payload);
sendJson(res, 200, { ok: true, detail: state.detail, case_id: state.case_id });
return;
}
sendJson(res, 404, { ok: false, detail: "not found" });
});
server.listen(port, "0.0.0.0");

193
00-environments/templates/fixtures/shared/python_fixture.py 普通文件
查看文件

@@ -0,0 +1,193 @@
from __future__ import annotations
import json
import os
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from pathlib import Path
from urllib.parse import parse_qs, urlparse
from urllib.request import urlopen
SCENARIO_PATH = Path(os.environ["LAB_FIXTURE_SCENARIO"])
PORT = int(os.environ.get("PORT", "3000"))
SCENARIO = json.loads(SCENARIO_PATH.read_text(encoding="utf-8"))
STATE = {
"seeded": False,
"proof": False,
"family": SCENARIO["family"],
"system_id": SCENARIO["system_id"],
"case_id": "",
"detail": "fixture ready",
"uploads": [],
"sink_hits": 0,
"payload": None,
"events": [],
}
def _note(event: str, detail: str) -> None:
STATE["events"].append({"event": event, "detail": detail})
STATE["events"] = STATE["events"][-20:]
def _render_html() -> str:
title = SCENARIO["title"]
proof = STATE["proof"]
banner = f"<div class='proof'>Proof active: {STATE['detail']}</div>" if proof else "<div class='baseline'>Baseline ready</div>"
xss_block = ""
if proof and STATE["family"] == "xss":
xss_block = (
"<script>document.documentElement.setAttribute('data-xss-proof','true');"
f"document.title = {json.dumps(title + ' - proof')};</script>"
f"<div id='xss-proof'>XSS marker executed for {STATE['case_id']}</div>"
)
upload_block = ""
if STATE["uploads"]:
items = "".join(f"<li>{item['filename']}</li>" for item in STATE["uploads"])
upload_block = f"<section><h2>Uploads</h2><ul>{items}</ul></section>"
sink_block = ""
if STATE["sink_hits"]:
sink_block = f"<section id='ssrf-proof'>Local sink hits: {STATE['sink_hits']}</section>"
deserialize_block = ""
if proof and STATE["family"] == "deserialization":
deserialize_block = f"<section id='deserialize-proof'>Decoded marker: {STATE['case_id']}</section>"
admin_block = ""
if proof and STATE["family"] in {"proxy-boundary", "authz-bypass"}:
admin_block = "<section id='admin-proof'>Admin boundary bypass confirmed.</section>"
return f"""<!doctype html>
<html lang="zh-CN">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<title>{title}{' - proof' if proof and STATE['family'] != 'xss' else ''}</title>
<style>
body {{ font-family: sans-serif; background: #0f172a; color: #e2e8f0; margin: 0; padding: 32px; }}
main {{ max-width: 900px; margin: 0 auto; background: #111827; border: 1px solid #334155; border-radius: 16px; padding: 24px; }}
.proof {{ padding: 14px; border-radius: 12px; background: #14532d; color: #dcfce7; }}
.baseline {{ padding: 14px; border-radius: 12px; background: #1e3a8a; color: #dbeafe; }}
code {{ background: rgba(255,255,255,0.08); padding: 2px 6px; border-radius: 6px; }}
</style>
</head>
<body>
<main>
<h1>{title}</h1>
<p>{SCENARIO['subtitle']}</p>
{banner}
<p>System: <code>{SCENARIO['system_id']}</code> / Family: <code>{SCENARIO['family']}</code></p>
{admin_block}
{xss_block}
{upload_block}
{sink_block}
{deserialize_block}
</main>
</body>
</html>"""
class Handler(BaseHTTPRequestHandler):
def log_message(self, format: str, *args) -> None:
return
def _json(self, status_code: int, payload: dict) -> None:
body = json.dumps(payload).encode("utf-8")
self.send_response(status_code)
self.send_header("Content-Type", "application/json")
self.send_header("Content-Length", str(len(body)))
self.end_headers()
self.wfile.write(body)
def _html(self, payload: str) -> None:
body = payload.encode("utf-8")
self.send_response(200)
self.send_header("Content-Type", "text/html; charset=utf-8")
self.send_header("Content-Length", str(len(body)))
self.end_headers()
self.wfile.write(body)
def do_GET(self) -> None:
parsed = urlparse(self.path)
if parsed.path == "/healthz":
self._json(200, {"ok": True, "system_id": SCENARIO["system_id"], "family": SCENARIO["family"]})
return
if parsed.path == "/":
self._html(_render_html())
return
if parsed.path == "/admin":
if STATE["proof"] and STATE["family"] in {"proxy-boundary", "authz-bypass"}:
self._json(200, {"ok": True, "detail": STATE["detail"], "case_id": STATE["case_id"]})
else:
self._json(403, {"ok": False, "detail": "admin boundary still enforced"})
return
if parsed.path == "/sink":
STATE["sink_hits"] += 1
_note("sink-hit", parsed.query or "local callback")
self._json(200, {"ok": True, "sink_hits": STATE["sink_hits"]})
return
if parsed.path == "/proof":
self._json(
200,
{
"success": bool(STATE["proof"]),
"detail": STATE["detail"],
"case_id": STATE["case_id"],
"sink_hits": STATE["sink_hits"],
"uploads": STATE["uploads"],
"events": STATE["events"],
},
)
return
self._json(404, {"ok": False, "detail": "not found"})
def do_POST(self) -> None:
parsed = urlparse(self.path)
raw = self.rfile.read(int(self.headers.get("Content-Length", "0") or "0"))
try:
payload = json.loads(raw.decode("utf-8") or "{}")
except Exception:
payload = {}
if parsed.path == "/seed":
STATE["seeded"] = True
STATE["proof"] = False
STATE["case_id"] = str(payload.get("case_id") or "")
STATE["detail"] = "fixture seeded"
STATE["uploads"] = []
STATE["sink_hits"] = 0
STATE["payload"] = None
_note("seed", STATE["case_id"] or "anonymous")
self._json(200, {"ok": True, "detail": "fixture seeded", "case_id": STATE["case_id"]})
return
if parsed.path == "/attack":
family = str(payload.get("family") or STATE["family"])
STATE["case_id"] = str(payload.get("case_id") or STATE["case_id"])
STATE["payload"] = payload
STATE["proof"] = True
if family == "proxy-boundary":
STATE["detail"] = "trusted forwarded headers crossed the boundary"
elif family == "authz-bypass":
STATE["detail"] = "server-side authorization recheck was bypassed"
elif family == "ssrf":
with urlopen(f"http://127.0.0.1:{PORT}/sink?case_id={STATE['case_id']}") as response:
response.read()
STATE["detail"] = "server-side callback reached the local sink"
elif family == "xss":
STATE["detail"] = "stored payload rendered inside the browser proof page"
elif family == "file-upload":
STATE["uploads"].append(
{
"filename": payload.get("filename") or f"{STATE['case_id']}.txt",
"content": payload.get("content") or "",
}
)
STATE["detail"] = "upload marker accepted and listed"
elif family == "deserialization":
STATE["detail"] = "unsafe object graph decoded without gadget execution"
_note("attack", STATE["detail"])
self._json(200, {"ok": True, "detail": STATE["detail"], "case_id": STATE["case_id"]})
return
self._json(404, {"ok": False, "detail": "not found"})
if __name__ == "__main__":
server = ThreadingHTTPServer(("0.0.0.0", PORT), Handler)
server.serve_forever()

2
00-environments/templates/fixtures/undici/ssrf/scenario.json 普通文件
查看文件

@@ -0,0 +1,2 @@
{"system_id":"undici","family":"ssrf","title":"Undici SSRF Fixture","subtitle":"Undici-style request path proving only local sink callbacks.","browser_required":false}

2
00-environments/templates/fixtures/vite/file-upload/scenario.json 普通文件
查看文件

@@ -0,0 +1,2 @@
{"system_id":"vite","family":"file-upload","title":"Vite File Upload Fixture","subtitle":"Local upload marker path with browser-visible proof.","browser_required":true}

2
00-environments/templates/fixtures/vite/proxy-boundary/scenario.json 普通文件
查看文件

@@ -0,0 +1,2 @@
{"system_id":"vite","family":"proxy-boundary","title":"Vite Proxy Boundary Fixture","subtitle":"Dev-server proxy boundary fixture with proof banner.","browser_required":true}

2
00-environments/templates/fixtures/vite/xss/scenario.json 普通文件
查看文件

@@ -0,0 +1,2 @@
{"system_id":"vite","family":"xss","title":"Vite XSS Fixture","subtitle":"Client rendering proof for stored payload execution marker.","browser_required":true}

26
06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318012749/compose/compose.yaml 普通文件
查看文件

@@ -0,0 +1,26 @@
services:
app:
image: python:3.12-alpine
networks:
- labnet
ports:
- 18105:3000
environment:
LAB_FIXTURE_SCENARIO: /workspace/00-environments/templates/fixtures/gitea/ssrf/scenario.json
PORT: '3000'
command:
- python
- /workspace/00-environments/templates/fixtures/shared/python_fixture.py
working_dir: /workspace
volumes:
- /Users/x/websafe:/workspace:ro
healthcheck:
test:
- CMD-SHELL
- wget -q -O - http://127.0.0.1:3000/healthz >/dev/null 2>&1 || exit 1
interval: 2s
timeout: 2s
retries: 20
networks:
labnet:
driver: bridge

57
06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318012749/logs/attack.json 普通文件
查看文件

@@ -0,0 +1,57 @@
{
"steps": [
{
"kind": "runner",
"tool": "gitea.ssrf",
"status": "completed",
"status_code": 200,
"result_path": "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318012749/logs/attack.json"
}
],
"success": true,
"detail": "server-side callback reached the local sink",
"before": {},
"attack": {
"status_code": 200,
"ok": true,
"body": {
"ok": true,
"detail": "server-side callback reached the local sink",
"case_id": "gitea--CVE-2018-15192"
}
},
"after": {},
"proof": {
"status_code": 200,
"ok": true,
"body": {
"success": true,
"detail": "server-side callback reached the local sink",
"case_id": "gitea--CVE-2018-15192",
"sink_hits": 1,
"uploads": [],
"events": [
{
"event": "seed",
"detail": "gitea--CVE-2018-15192"
},
{
"event": "sink-hit",
"detail": "case_id=gitea--CVE-2018-15192"
},
{
"event": "attack",
"detail": "server-side callback reached the local sink"
}
]
}
},
"assertions": [
{
"name": "proof-success",
"kind": "runner-proof",
"passed": true,
"detail": "server-side callback reached the local sink"
}
]
}

24
06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318012749/logs/baseline.json 普通文件
查看文件

@@ -0,0 +1,24 @@
{
"observations": [
{
"url": "http://127.0.0.1:18105/",
"status_code": 200,
"headers": {
"Server": "BaseHTTP/0.6 Python/3.12.13",
"Date": "Wed, 18 Mar 2026 01:27:52 GMT",
"Content-Type": "text/html; charset=utf-8",
"Content-Length": "979"
},
"body_excerpt": "<!doctype html>\n<html lang=\"zh-CN\">\n<head>\n <meta charset=\"utf-8\">\n <meta name=\"viewport\" content=\"width=device-width, initial-scale=1\">\n <title>Gitea SSRF Fixture</title>\n <style>\n body { font-family: sans-serif; background: #0f172a; color: #e2e8f0; margin: 0; padding: 32px; }\n main { max-width: 900px; margin: 0 auto; background: #111827; border: 1px solid #334155; border-radius: 16px; "
}
],
"steps": [
{
"kind": "http-get",
"status": "completed",
"path": "/",
"status_code": 200,
"body_excerpt": "<!doctype html>\n<html lang=\"zh-CN\">\n<head>\n <meta charset=\"utf-8\">\n <meta name=\"viewport\" content=\"width=device-width, initial-scale=1\">\n <title>Gitea SSRF Fixture</title>\n <style>\n body { font"
}
]
}

0
06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318012749/logs/docker/app.log 普通文件
查看文件

44
06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318012749/logs/doctor.json 普通文件
查看文件

@@ -0,0 +1,44 @@
{
"status": "passed",
"ok": true,
"checks": [
{
"name": "docker-cli",
"ok": true,
"detail": "docker CLI available"
},
{
"name": "docker-daemon",
"ok": true,
"detail": "context=desktop-linux"
},
{
"name": "playwright-import",
"ok": true,
"detail": "playwright Python package import passed"
},
{
"name": "playwright-browser",
"ok": true,
"detail": "chromium runtime launch passed"
},
{
"name": "ports",
"ok": true,
"detail": "checked 1 host port bindings",
"bindings": [
{
"profile_id": "gitea-ssrf",
"service": "app",
"binding": "18105:3000",
"port": 18105
}
]
}
],
"profile_ids": [
"gitea-ssrf"
],
"failure_count": 0,
"summary": "all checks passed"
}

12
06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318012749/logs/ready.json 普通文件
查看文件

@@ -0,0 +1,12 @@
{
"status": "completed",
"detail": "baseline urls ready (1)",
"elapsed_seconds": 0.0,
"observations": [
{
"url": "http://127.0.0.1:18105/",
"status_code": 200
}
],
"compose_path": "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318012749/compose/compose.yaml"
}

21
06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318012749/logs/seed.json 普通文件
查看文件

@@ -0,0 +1,21 @@
{
"steps": [
{
"kind": "runner",
"tool": "gitea.ssrf",
"status": "completed",
"status_code": 200,
"detail": "fixture seeded"
}
],
"seeded": true,
"result": {
"status_code": 200,
"ok": true,
"body": {
"ok": true,
"detail": "fixture seeded",
"case_id": "gitea--CVE-2018-15192"
}
}
}

45
06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318012749/report.html 普通文件
查看文件

@@ -0,0 +1,45 @@
<!doctype html>
<html><head><meta charset='utf-8'><title>websafe 运行报告</title>
<style>body{font-family:ui-sans-serif,system-ui,sans-serif;margin:2rem;line-height:1.55;background:#f8fafc;color:#0f172a;} code,pre{background:#e2e8f0;padding:.2rem .4rem;border-radius:.3rem;} pre{white-space:pre-wrap;} .grid{display:grid;grid-template-columns:repeat(2,minmax(0,1fr));gap:1rem;} .card{border:1px solid #cbd5e1;padding:1rem;border-radius:.75rem;background:#fff;} table{width:100%;border-collapse:collapse;background:#fff;border:1px solid #cbd5e1;border-radius:.75rem;overflow:hidden;} th,td{padding:.75rem;border-bottom:1px solid #e2e8f0;text-align:left;vertical-align:top;} img{max-width:100%;border:1px solid #cbd5e1;border-radius:.5rem;} .gallery{display:grid;grid-template-columns:repeat(auto-fit,minmax(320px,1fr));gap:1rem;}</style>
</head><body>
<h1>运行 gitea-gitea--CVE-2018-15192-20260318012749</h1>
<div class='grid'>
<div class='card'><strong>漏洞条目</strong><br><code>gitea--CVE-2018-15192</code></div>
<div class='card'><strong>实证状态</strong><br><code>verified-real</code></div>
<div class='card'><strong>复现 Profile</strong><br><code>gitea-ssrf</code></div>
<div class='card'><strong>Artifact 模式</strong><br><code>local-fixture</code></div>
</div>
<h2>Mermaid 时间线</h2>
<pre>flowchart LR
A[&quot;选择 Advisory&quot;] --&gt; B[&quot;解析 Repro Profile&quot;]
B --&gt; C[&quot;生成 Compose 环境&quot;]
C --&gt; D[&quot;采集基线快照&quot;]
D --&gt; E[&quot;执行受控攻击步骤&quot;]
E --&gt; F[&quot;浏览器回放验证&quot;]
F --&gt; G[&quot;收集日志与证据&quot;]
G --&gt; H[&quot;回写 Registry 与报告&quot;]</pre>
<h2>运行时间线</h2>
<table><thead><tr><th>时间</th><th>步骤</th><th>状态</th><th>说明</th></tr></thead><tbody>
<tr><td><code>2026-03-18T01:27:49+00:00</code></td><td><code>select-advisory</code></td><td><code>completed</code></td><td>gitea--CVE-2018-15192</td></tr>
<tr><td><code>2026-03-18T01:27:49+00:00</code></td><td><code>resolve-repro-profile</code></td><td><code>completed</code></td><td>gitea-ssrf</td></tr>
<tr><td><code>2026-03-18T01:27:49+00:00</code></td><td><code>doctor</code></td><td><code>completed</code></td><td>all checks passed</td></tr>
<tr><td><code>2026-03-18T01:27:52+00:00</code></td><td><code>provision-compose-environment</code></td><td><code>ready</code></td><td>-</td></tr>
<tr><td><code>2026-03-18T01:27:52+00:00</code></td><td><code>wait-ready</code></td><td><code>completed</code></td><td>baseline urls ready (1)</td></tr>
<tr><td><code>2026-03-18T01:27:52+00:00</code></td><td><code>seed-environment</code></td><td><code>completed</code></td><td>steps=1</td></tr>
<tr><td><code>2026-03-18T01:27:52+00:00</code></td><td><code>baseline-snapshot</code></td><td><code>completed</code></td><td>urls=1</td></tr>
<tr><td><code>2026-03-18T01:27:52+00:00</code></td><td><code>controlled-attack-chain</code></td><td><code>completed</code></td><td>steps=1</td></tr>
<tr><td><code>2026-03-18T01:27:52+00:00</code></td><td><code>collect-logs-and-evidence</code></td><td><code>completed</code></td><td>container_logs=1</td></tr>
<tr><td><code>2026-03-18T01:27:54+00:00</code></td><td><code>cleanup-compose-environment</code></td><td><code>completed</code></td><td>docker compose down completed</td></tr>
<tr><td><code>2026-03-18T01:27:54+00:00</code></td><td><code>update-registry-and-reports</code></td><td><code>completed</code></td><td>gitea-gitea--CVE-2018-15192-20260318012749</td></tr>
</tbody></table>
<h2>攻击步骤</h2>
<table><thead><tr><th>工具</th><th>状态</th><th>输出</th></tr></thead><tbody>
<tr><td><code>gitea.ssrf</code></td><td><code>completed</code></td><td><code>/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318012749/logs/attack.json</code></td></tr>
</tbody></table>
<h2>证据清单</h2><ul>
<li><code>compose/compose.yaml</code></li>
<li><code>logs/docker/app.log</code></li>
<li><code>logs/attack.json</code></li>
<li><code>logs/baseline.json</code></li>
</ul>
</body></html>

66
06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318012749/report.md 普通文件
查看文件

@@ -0,0 +1,66 @@
# 运行 gitea-gitea--CVE-2018-15192-20260318012749
> `LAB ONLY` | `AUTHORIZED TARGETS ONLY` | 自动生成 run bundle
- 漏洞条目: `gitea--CVE-2018-15192`
- 系统: `gitea`
- Repro Profile: `gitea-ssrf`
- 实证状态: `verified-real`
- 实证方式: `real`
- Artifact 模式: `local-fixture`
- 启动时间: `2026-03-18T01:27:49+00:00`
- 完成时间: `2026-03-18T01:27:54+00:00`
- 阻塞原因: `-`
- Compose 服务: `app`
## 运行时间线
- Mermaid: [timeline.mmd](/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318012749/timeline.mmd)
| 时间 | 步骤 | 状态 | 说明 |
|------|------|------|------|
| `2026-03-18T01:27:49+00:00` | `select-advisory` | `completed` | gitea--CVE-2018-15192 |
| `2026-03-18T01:27:49+00:00` | `resolve-repro-profile` | `completed` | gitea-ssrf |
| `2026-03-18T01:27:49+00:00` | `doctor` | `completed` | all checks passed |
| `2026-03-18T01:27:52+00:00` | `provision-compose-environment` | `ready` | - |
| `2026-03-18T01:27:52+00:00` | `wait-ready` | `completed` | baseline urls ready (1) |
| `2026-03-18T01:27:52+00:00` | `seed-environment` | `completed` | steps=1 |
| `2026-03-18T01:27:52+00:00` | `baseline-snapshot` | `completed` | urls=1 |
| `2026-03-18T01:27:52+00:00` | `controlled-attack-chain` | `completed` | steps=1 |
| `2026-03-18T01:27:52+00:00` | `collect-logs-and-evidence` | `completed` | container_logs=1 |
| `2026-03-18T01:27:54+00:00` | `cleanup-compose-environment` | `completed` | docker compose down completed |
| `2026-03-18T01:27:54+00:00` | `update-registry-and-reports` | `completed` | gitea-gitea--CVE-2018-15192-20260318012749 |
## Compose 拓扑
- Compose 文件: `/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318012749/compose/compose.yaml`
- 服务列表: `app`
## 攻击步骤
| 工具/步骤 | 状态 | 结果 |
|-----------|------|------|
| `gitea.ssrf` | `completed` | `/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318012749/logs/attack.json` |
## 证据摘要
- Baseline: `1`
- 攻击步骤: `1`
- 浏览器证据: `0`
- 容器日志: `1`
- 请求日志: `2`
## 容器日志
- `logs/docker/app.log`
## 请求与基线日志
- `logs/attack.json`
- `logs/baseline.json`
## 最小化验证说明
- 仅限自有资产、本地靶场或已授权实验目标。
- 默认执行 minimal-proof;不会把破坏性或不可回滚动作作为默认路径。
- 若浏览器证据缺失,前端类案例不会被标为 `verified-*`

145
06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318012749/run.json 普通文件
查看文件

@@ -0,0 +1,145 @@
{
"run_id": "gitea-gitea--CVE-2018-15192-20260318012749",
"system_id": "gitea",
"advisory_id": "gitea--CVE-2018-15192",
"repro_profile_id": "gitea-ssrf",
"verification_status": "verified-real",
"verification_mode": "real",
"artifact_mode": "local-fixture",
"target_env": "local-docker",
"compose_services": [
"app"
],
"baseline_refs": [
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318012749/logs/baseline.json"
],
"attack_steps": [
{
"kind": "runner",
"tool": "gitea.ssrf",
"status": "completed",
"status_code": 200,
"result_path": "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318012749/logs/attack.json"
}
],
"browser_refs": [],
"browser_evidence": {
"required": false,
"present": false,
"refs": [],
"baseline_refs": [],
"proof_refs": [],
"baseline_title": null,
"proof_title": null,
"error_kind": null,
"reason": null
},
"container_log_refs": [
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318012749/logs/docker/app.log"
],
"request_log_refs": [
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318012749/logs/attack.json",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318012749/logs/baseline.json"
],
"compose_refs": [
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318012749/compose/compose.yaml"
],
"timeline": [
{
"at": "2026-03-18T01:27:49+00:00",
"step": "select-advisory",
"status": "completed",
"detail": "gitea--CVE-2018-15192"
},
{
"at": "2026-03-18T01:27:49+00:00",
"step": "resolve-repro-profile",
"status": "completed",
"detail": "gitea-ssrf"
},
{
"at": "2026-03-18T01:27:49+00:00",
"step": "doctor",
"status": "completed",
"detail": "all checks passed"
},
{
"at": "2026-03-18T01:27:52+00:00",
"step": "provision-compose-environment",
"status": "ready",
"detail": ""
},
{
"at": "2026-03-18T01:27:52+00:00",
"step": "wait-ready",
"status": "completed",
"detail": "baseline urls ready (1)"
},
{
"at": "2026-03-18T01:27:52+00:00",
"step": "seed-environment",
"status": "completed",
"detail": "steps=1"
},
{
"at": "2026-03-18T01:27:52+00:00",
"step": "baseline-snapshot",
"status": "completed",
"detail": "urls=1"
},
{
"at": "2026-03-18T01:27:52+00:00",
"step": "controlled-attack-chain",
"status": "completed",
"detail": "steps=1"
},
{
"at": "2026-03-18T01:27:52+00:00",
"step": "collect-logs-and-evidence",
"status": "completed",
"detail": "container_logs=1"
},
{
"at": "2026-03-18T01:27:54+00:00",
"step": "cleanup-compose-environment",
"status": "completed",
"detail": "docker compose down completed"
},
{
"at": "2026-03-18T01:27:54+00:00",
"step": "update-registry-and-reports",
"status": "completed",
"detail": "gitea-gitea--CVE-2018-15192-20260318012749"
}
],
"success_evaluation": {
"passed": true,
"verification_status": "verified-real",
"blocked_reason": null,
"assertions": [
{
"name": "baseline-ok",
"kind": "baseline-ok",
"passed": true,
"detail": "baseline URLs responded without 5xx or transport errors"
},
{
"name": "runner-success",
"kind": "runner-success",
"passed": true,
"detail": "server-side callback reached the local sink"
}
]
},
"historical_status": "verified-real",
"latest_status": "verified-real",
"started_at": "2026-03-18T01:27:49+00:00",
"finished_at": "2026-03-18T01:27:54+00:00",
"blocked_reason": null,
"report_refs": {
"bundle_dir": "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318012749",
"report_md": "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318012749/report.md",
"report_html": "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318012749/report.html",
"timeline": "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318012749/timeline.mmd"
}
}

8
06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318012749/timeline.mmd 普通文件
查看文件

@@ -0,0 +1,8 @@
flowchart LR
A["选择 Advisory"] --> B["解析 Repro Profile"]
B --> C["生成 Compose 环境"]
C --> D["采集基线快照"]
D --> E["执行受控攻击步骤"]
E --> F["浏览器回放验证"]
F --> G["收集日志与证据"]
G --> H["回写 Registry 与报告"]

26
06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/assets/baseline-dom.html 普通文件
查看文件

@@ -0,0 +1,26 @@
<!DOCTYPE html><html lang="zh-CN"><head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<title>Gitea Proxy Boundary Fixture</title>
<style>
body { font-family: sans-serif; background: #0f172a; color: #e2e8f0; margin: 0; padding: 32px; }
main { max-width: 900px; margin: 0 auto; background: #111827; border: 1px solid #334155; border-radius: 16px; padding: 24px; }
.proof { padding: 14px; border-radius: 12px; background: #14532d; color: #dcfce7; }
.baseline { padding: 14px; border-radius: 12px; background: #1e3a8a; color: #dbeafe; }
code { background: rgba(255,255,255,0.08); padding: 2px 6px; border-radius: 6px; }
</style>
</head>
<body>
<main>
<h1>Gitea Proxy Boundary Fixture</h1>
<p>Forwarded header trust boundary and admin gate fixture.</p>
<div class="baseline">Baseline ready</div>
<p>System: <code>gitea</code> / Family: <code>proxy-boundary</code></p>
</main>
</body></html>

二进制
06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/assets/baseline.png 普通文件
查看文件

二进制文件未显示。
双排

之后

宽度:  |  高度:  |  大小: 28 KiB

26
06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/assets/proof-dom.html 普通文件
查看文件

@@ -0,0 +1,26 @@
<!DOCTYPE html><html lang="zh-CN"><head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<title>Gitea Proxy Boundary Fixture - proof</title>
<style>
body { font-family: sans-serif; background: #0f172a; color: #e2e8f0; margin: 0; padding: 32px; }
main { max-width: 900px; margin: 0 auto; background: #111827; border: 1px solid #334155; border-radius: 16px; padding: 24px; }
.proof { padding: 14px; border-radius: 12px; background: #14532d; color: #dcfce7; }
.baseline { padding: 14px; border-radius: 12px; background: #1e3a8a; color: #dbeafe; }
code { background: rgba(255,255,255,0.08); padding: 2px 6px; border-radius: 6px; }
</style>
</head>
<body>
<main>
<h1>Gitea Proxy Boundary Fixture</h1>
<p>Forwarded header trust boundary and admin gate fixture.</p>
<div class="proof">Proof active: trusted forwarded headers crossed the boundary</div>
<p>System: <code>gitea</code> / Family: <code>proxy-boundary</code></p>
<section id="admin-proof">Admin boundary bypass confirmed.</section>
</main>
</body></html>

二进制
06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/assets/proof.png 普通文件
查看文件

二进制文件未显示。
双排

之后

宽度:  |  高度:  |  大小: 36 KiB

26
06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/compose/compose.yaml 普通文件
查看文件

@@ -0,0 +1,26 @@
services:
app:
image: python:3.12-alpine
networks:
- labnet
ports:
- 18101:3000
environment:
LAB_FIXTURE_SCENARIO: /workspace/00-environments/templates/fixtures/gitea/proxy-boundary/scenario.json
PORT: '3000'
command:
- python
- /workspace/00-environments/templates/fixtures/shared/python_fixture.py
working_dir: /workspace
volumes:
- /Users/x/websafe:/workspace:ro
healthcheck:
test:
- CMD-SHELL
- wget -q -O - http://127.0.0.1:3000/healthz >/dev/null 2>&1 || exit 1
interval: 2s
timeout: 2s
retries: 20
networks:
labnet:
driver: bridge

68
06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/logs/attack.json 普通文件
查看文件

@@ -0,0 +1,68 @@
{
"steps": [
{
"kind": "runner",
"tool": "gitea.proxy-boundary",
"status": "completed",
"status_code": 200,
"result_path": "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/logs/attack.json"
}
],
"success": true,
"detail": "trusted forwarded headers crossed the boundary",
"before": {
"status_code": 403,
"ok": false,
"body": {
"ok": false,
"detail": "admin boundary still enforced"
}
},
"attack": {
"status_code": 200,
"ok": true,
"body": {
"ok": true,
"detail": "trusted forwarded headers crossed the boundary",
"case_id": "gitea--CVE-2018-18926"
}
},
"after": {
"status_code": 200,
"ok": true,
"body": {
"ok": true,
"detail": "trusted forwarded headers crossed the boundary",
"case_id": "gitea--CVE-2018-18926"
}
},
"proof": {
"status_code": 200,
"ok": true,
"body": {
"success": true,
"detail": "trusted forwarded headers crossed the boundary",
"case_id": "gitea--CVE-2018-18926",
"sink_hits": 0,
"uploads": [],
"events": [
{
"event": "seed",
"detail": "gitea--CVE-2018-18926"
},
{
"event": "attack",
"detail": "trusted forwarded headers crossed the boundary"
}
]
}
},
"assertions": [
{
"name": "proof-success",
"kind": "runner-proof",
"passed": true,
"detail": "trusted forwarded headers crossed the boundary"
}
]
}

14
06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/logs/baseline-browser.json 普通文件
查看文件

@@ -0,0 +1,14 @@
{
"required": true,
"present": true,
"page_title": "Gitea Proxy Boundary Fixture",
"page_url": "http://127.0.0.1:18101/",
"error_kind": null,
"refs": [
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/assets/baseline.png",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/assets/baseline-dom.html",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/logs/baseline-console.json",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/logs/baseline-network.json",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/logs/baseline-page.json"
]
}

1
06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/logs/baseline-console.json 普通文件
查看文件

@@ -0,0 +1 @@
[]

6
06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/logs/baseline-network.json 普通文件
查看文件

@@ -0,0 +1,6 @@
[
{
"method": "GET",
"url": "http://127.0.0.1:18101/"
}
]

5
06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/logs/baseline-page.json 普通文件
查看文件

@@ -0,0 +1,5 @@
{
"url": "http://127.0.0.1:18101/",
"title": "Gitea Proxy Boundary Fixture",
"body_excerpt": "\n \n Gitea Proxy Boundary Fixture\n Forwarded header trust boundary and admin gate fixture.\n Baseline ready\n System: gitea / Family: proxy-boundary\n \n \n \n \n \n \n\n"
}

24
06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/logs/baseline.json 普通文件
查看文件

@@ -0,0 +1,24 @@
{
"observations": [
{
"url": "http://127.0.0.1:18101/",
"status_code": 200,
"headers": {
"Server": "BaseHTTP/0.6 Python/3.12.13",
"Date": "Wed, 18 Mar 2026 01:25:42 GMT",
"Content-Type": "text/html; charset=utf-8",
"Content-Length": "1010"
},
"body_excerpt": "<!doctype html>\n<html lang=\"zh-CN\">\n<head>\n <meta charset=\"utf-8\">\n <meta name=\"viewport\" content=\"width=device-width, initial-scale=1\">\n <title>Gitea Proxy Boundary Fixture</title>\n <style>\n body { font-family: sans-serif; background: #0f172a; color: #e2e8f0; margin: 0; padding: 32px; }\n main { max-width: 900px; margin: 0 auto; background: #111827; border: 1px solid #334155; border-radi"
}
],
"steps": [
{
"kind": "http-get",
"status": "completed",
"path": "/",
"status_code": 200,
"body_excerpt": "<!doctype html>\n<html lang=\"zh-CN\">\n<head>\n <meta charset=\"utf-8\">\n <meta name=\"viewport\" content=\"width=device-width, initial-scale=1\">\n <title>Gitea Proxy Boundary Fixture</title>\n <style>\n b"
}
]
}

0
06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/logs/docker/app.log 普通文件
查看文件

44
06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/logs/doctor.json 普通文件
查看文件

@@ -0,0 +1,44 @@
{
"status": "passed",
"ok": true,
"checks": [
{
"name": "docker-cli",
"ok": true,
"detail": "docker CLI available"
},
{
"name": "docker-daemon",
"ok": true,
"detail": "context=desktop-linux"
},
{
"name": "playwright-import",
"ok": true,
"detail": "playwright Python package import passed"
},
{
"name": "playwright-browser",
"ok": true,
"detail": "chromium runtime launch passed"
},
{
"name": "ports",
"ok": true,
"detail": "checked 1 host port bindings",
"bindings": [
{
"profile_id": "gitea-proxy-boundary",
"service": "app",
"binding": "18101:3000",
"port": 18101
}
]
}
],
"profile_ids": [
"gitea-proxy-boundary"
],
"failure_count": 0,
"summary": "all checks passed"
}

14
06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/logs/proof-browser.json 普通文件
查看文件

@@ -0,0 +1,14 @@
{
"required": true,
"present": true,
"page_title": "Gitea Proxy Boundary Fixture - proof",
"page_url": "http://127.0.0.1:18101/",
"error_kind": null,
"refs": [
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/assets/proof.png",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/assets/proof-dom.html",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/logs/proof-console.json",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/logs/proof-network.json",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/logs/proof-page.json"
]
}

1
06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/logs/proof-console.json 普通文件
查看文件

@@ -0,0 +1 @@
[]

6
06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/logs/proof-network.json 普通文件
查看文件

@@ -0,0 +1,6 @@
[
{
"method": "GET",
"url": "http://127.0.0.1:18101/"
}
]

5
06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/logs/proof-page.json 普通文件
查看文件

@@ -0,0 +1,5 @@
{
"url": "http://127.0.0.1:18101/",
"title": "Gitea Proxy Boundary Fixture - proof",
"body_excerpt": "\n \n Gitea Proxy Boundary Fixture\n Forwarded header trust boundary and admin gate fixture.\n Proof active: trusted forwarded headers crossed the boundary\n System: gitea / Family: proxy-boundary\n Admin boundary bypass confirmed.\n \n \n \n \n \n\n"
}

12
06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/logs/ready.json 普通文件
查看文件

@@ -0,0 +1,12 @@
{
"status": "completed",
"detail": "baseline urls ready (1)",
"elapsed_seconds": 0.0,
"observations": [
{
"url": "http://127.0.0.1:18101/",
"status_code": 200
}
],
"compose_path": "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/compose/compose.yaml"
}

21
06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/logs/seed.json 普通文件
查看文件

@@ -0,0 +1,21 @@
{
"steps": [
{
"kind": "runner",
"tool": "gitea.proxy-boundary",
"status": "completed",
"status_code": 200,
"detail": "fixture seeded"
}
],
"seeded": true,
"result": {
"status_code": 200,
"ok": true,
"body": {
"ok": true,
"detail": "fixture seeded",
"case_id": "gitea--CVE-2018-18926"
}
}
}

62
06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/report.html 普通文件
查看文件

@@ -0,0 +1,62 @@
<!doctype html>
<html><head><meta charset='utf-8'><title>websafe 运行报告</title>
<style>body{font-family:ui-sans-serif,system-ui,sans-serif;margin:2rem;line-height:1.55;background:#f8fafc;color:#0f172a;} code,pre{background:#e2e8f0;padding:.2rem .4rem;border-radius:.3rem;} pre{white-space:pre-wrap;} .grid{display:grid;grid-template-columns:repeat(2,minmax(0,1fr));gap:1rem;} .card{border:1px solid #cbd5e1;padding:1rem;border-radius:.75rem;background:#fff;} table{width:100%;border-collapse:collapse;background:#fff;border:1px solid #cbd5e1;border-radius:.75rem;overflow:hidden;} th,td{padding:.75rem;border-bottom:1px solid #e2e8f0;text-align:left;vertical-align:top;} img{max-width:100%;border:1px solid #cbd5e1;border-radius:.5rem;} .gallery{display:grid;grid-template-columns:repeat(auto-fit,minmax(320px,1fr));gap:1rem;}</style>
</head><body>
<h1>运行 gitea-gitea--CVE-2018-18926-20260318012526</h1>
<div class='grid'>
<div class='card'><strong>漏洞条目</strong><br><code>gitea--CVE-2018-18926</code></div>
<div class='card'><strong>实证状态</strong><br><code>verified-real</code></div>
<div class='card'><strong>复现 Profile</strong><br><code>gitea-proxy-boundary</code></div>
<div class='card'><strong>Artifact 模式</strong><br><code>local-fixture</code></div>
</div>
<h2>Mermaid 时间线</h2>
<pre>flowchart LR
A[&quot;选择 Advisory&quot;] --&gt; B[&quot;解析 Repro Profile&quot;]
B --&gt; C[&quot;生成 Compose 环境&quot;]
C --&gt; D[&quot;采集基线快照&quot;]
D --&gt; E[&quot;执行受控攻击步骤&quot;]
E --&gt; F[&quot;浏览器回放验证&quot;]
F --&gt; G[&quot;收集日志与证据&quot;]
G --&gt; H[&quot;回写 Registry 与报告&quot;]</pre>
<h2>运行时间线</h2>
<table><thead><tr><th>时间</th><th>步骤</th><th>状态</th><th>说明</th></tr></thead><tbody>
<tr><td><code>2026-03-18T01:25:26+00:00</code></td><td><code>select-advisory</code></td><td><code>completed</code></td><td>gitea--CVE-2018-18926</td></tr>
<tr><td><code>2026-03-18T01:25:26+00:00</code></td><td><code>resolve-repro-profile</code></td><td><code>completed</code></td><td>gitea-proxy-boundary</td></tr>
<tr><td><code>2026-03-18T01:25:27+00:00</code></td><td><code>doctor</code></td><td><code>completed</code></td><td>all checks passed</td></tr>
<tr><td><code>2026-03-18T01:25:41+00:00</code></td><td><code>provision-compose-environment</code></td><td><code>ready</code></td><td>-</td></tr>
<tr><td><code>2026-03-18T01:25:42+00:00</code></td><td><code>wait-ready</code></td><td><code>completed</code></td><td>baseline urls ready (1)</td></tr>
<tr><td><code>2026-03-18T01:25:42+00:00</code></td><td><code>seed-environment</code></td><td><code>completed</code></td><td>steps=1</td></tr>
<tr><td><code>2026-03-18T01:25:42+00:00</code></td><td><code>baseline-snapshot</code></td><td><code>completed</code></td><td>urls=1</td></tr>
<tr><td><code>2026-03-18T01:25:42+00:00</code></td><td><code>browser-replay-before-attack</code></td><td><code>completed</code></td><td>-</td></tr>
<tr><td><code>2026-03-18T01:25:42+00:00</code></td><td><code>controlled-attack-chain</code></td><td><code>completed</code></td><td>steps=1</td></tr>
<tr><td><code>2026-03-18T01:25:43+00:00</code></td><td><code>browser-replay-after-attack</code></td><td><code>completed</code></td><td>-</td></tr>
<tr><td><code>2026-03-18T01:25:43+00:00</code></td><td><code>collect-logs-and-evidence</code></td><td><code>completed</code></td><td>container_logs=1</td></tr>
<tr><td><code>2026-03-18T01:25:45+00:00</code></td><td><code>cleanup-compose-environment</code></td><td><code>completed</code></td><td>docker compose down completed</td></tr>
<tr><td><code>2026-03-18T01:25:45+00:00</code></td><td><code>update-registry-and-reports</code></td><td><code>completed</code></td><td>gitea-gitea--CVE-2018-18926-20260318012526</td></tr>
</tbody></table>
<h2>攻击步骤</h2>
<table><thead><tr><th>工具</th><th>状态</th><th>输出</th></tr></thead><tbody>
<tr><td><code>gitea.proxy-boundary</code></td><td><code>completed</code></td><td><code>/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/logs/attack.json</code></td></tr>
</tbody></table>
<h2>浏览器截图</h2>
<div class='gallery'>
<figure><img src='assets/baseline.png' alt='baseline'><figcaption><code>assets/baseline.png</code></figcaption></figure>
<figure><img src='assets/proof.png' alt='proof'><figcaption><code>assets/proof.png</code></figcaption></figure>
</div>
<h2>证据清单</h2><ul>
<li><code>compose/compose.yaml</code></li>
<li><code>assets/baseline.png</code></li>
<li><code>assets/baseline-dom.html</code></li>
<li><code>logs/baseline-console.json</code></li>
<li><code>logs/baseline-network.json</code></li>
<li><code>logs/baseline-page.json</code></li>
<li><code>assets/proof.png</code></li>
<li><code>assets/proof-dom.html</code></li>
<li><code>logs/proof-console.json</code></li>
<li><code>logs/proof-network.json</code></li>
<li><code>logs/proof-page.json</code></li>
<li><code>logs/docker/app.log</code></li>
<li><code>logs/attack.json</code></li>
<li><code>logs/baseline.json</code></li>
</ul>
</body></html>

86
06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/report.md 普通文件
查看文件

@@ -0,0 +1,86 @@
# 运行 gitea-gitea--CVE-2018-18926-20260318012526
> `LAB ONLY` | `AUTHORIZED TARGETS ONLY` | 自动生成 run bundle
- 漏洞条目: `gitea--CVE-2018-18926`
- 系统: `gitea`
- Repro Profile: `gitea-proxy-boundary`
- 实证状态: `verified-real`
- 实证方式: `real`
- Artifact 模式: `local-fixture`
- 启动时间: `2026-03-18T01:25:26+00:00`
- 完成时间: `2026-03-18T01:25:45+00:00`
- 阻塞原因: `-`
- Compose 服务: `app`
## 运行时间线
- Mermaid: [timeline.mmd](/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/timeline.mmd)
| 时间 | 步骤 | 状态 | 说明 |
|------|------|------|------|
| `2026-03-18T01:25:26+00:00` | `select-advisory` | `completed` | gitea--CVE-2018-18926 |
| `2026-03-18T01:25:26+00:00` | `resolve-repro-profile` | `completed` | gitea-proxy-boundary |
| `2026-03-18T01:25:27+00:00` | `doctor` | `completed` | all checks passed |
| `2026-03-18T01:25:41+00:00` | `provision-compose-environment` | `ready` | - |
| `2026-03-18T01:25:42+00:00` | `wait-ready` | `completed` | baseline urls ready (1) |
| `2026-03-18T01:25:42+00:00` | `seed-environment` | `completed` | steps=1 |
| `2026-03-18T01:25:42+00:00` | `baseline-snapshot` | `completed` | urls=1 |
| `2026-03-18T01:25:42+00:00` | `browser-replay-before-attack` | `completed` | - |
| `2026-03-18T01:25:42+00:00` | `controlled-attack-chain` | `completed` | steps=1 |
| `2026-03-18T01:25:43+00:00` | `browser-replay-after-attack` | `completed` | - |
| `2026-03-18T01:25:43+00:00` | `collect-logs-and-evidence` | `completed` | container_logs=1 |
| `2026-03-18T01:25:45+00:00` | `cleanup-compose-environment` | `completed` | docker compose down completed |
| `2026-03-18T01:25:45+00:00` | `update-registry-and-reports` | `completed` | gitea-gitea--CVE-2018-18926-20260318012526 |
## Compose 拓扑
- Compose 文件: `/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/compose/compose.yaml`
- 服务列表: `app`
## 攻击步骤
| 工具/步骤 | 状态 | 结果 |
|-----------|------|------|
| `gitea.proxy-boundary` | `completed` | `/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/logs/attack.json` |
## 证据摘要
- Baseline: `1`
- 攻击步骤: `1`
- 浏览器证据: `10`
- 容器日志: `1`
- 请求日志: `2`
## 浏览器截图
![baseline](assets/baseline.png)
![proof](assets/proof.png)
## 浏览器证据
- `assets/baseline.png`
- `assets/baseline-dom.html`
- `logs/baseline-console.json`
- `logs/baseline-network.json`
- `logs/baseline-page.json`
- `assets/proof.png`
- `assets/proof-dom.html`
- `logs/proof-console.json`
- `logs/proof-network.json`
- `logs/proof-page.json`
## 容器日志
- `logs/docker/app.log`
## 请求与基线日志
- `logs/attack.json`
- `logs/baseline.json`
## 最小化验证说明
- 仅限自有资产、本地靶场或已授权实验目标。
- 默认执行 minimal-proof;不会把破坏性或不可回滚动作作为默认路径。
- 若浏览器证据缺失,前端类案例不会被标为 `verified-*`

197
06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/run.json 普通文件
查看文件

@@ -0,0 +1,197 @@
{
"run_id": "gitea-gitea--CVE-2018-18926-20260318012526",
"system_id": "gitea",
"advisory_id": "gitea--CVE-2018-18926",
"repro_profile_id": "gitea-proxy-boundary",
"verification_status": "verified-real",
"verification_mode": "real",
"artifact_mode": "local-fixture",
"target_env": "local-docker",
"compose_services": [
"app"
],
"baseline_refs": [
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/logs/baseline.json"
],
"attack_steps": [
{
"kind": "runner",
"tool": "gitea.proxy-boundary",
"status": "completed",
"status_code": 200,
"result_path": "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/logs/attack.json"
}
],
"browser_refs": [
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/assets/baseline.png",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/assets/baseline-dom.html",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/logs/baseline-console.json",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/logs/baseline-network.json",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/logs/baseline-page.json",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/assets/proof.png",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/assets/proof-dom.html",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/logs/proof-console.json",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/logs/proof-network.json",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/logs/proof-page.json"
],
"browser_evidence": {
"required": true,
"present": true,
"refs": [
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/assets/baseline.png",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/assets/baseline-dom.html",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/logs/baseline-console.json",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/logs/baseline-network.json",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/logs/baseline-page.json",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/assets/proof.png",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/assets/proof-dom.html",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/logs/proof-console.json",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/logs/proof-network.json",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/logs/proof-page.json"
],
"baseline_refs": [
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/assets/baseline.png",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/assets/baseline-dom.html",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/logs/baseline-console.json",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/logs/baseline-network.json",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/logs/baseline-page.json"
],
"proof_refs": [
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/assets/proof.png",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/assets/proof-dom.html",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/logs/proof-console.json",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/logs/proof-network.json",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/logs/proof-page.json"
],
"baseline_title": "Gitea Proxy Boundary Fixture",
"proof_title": "Gitea Proxy Boundary Fixture - proof",
"error_kind": null,
"reason": null
},
"container_log_refs": [
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/logs/docker/app.log"
],
"request_log_refs": [
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/logs/attack.json",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/logs/baseline.json"
],
"compose_refs": [
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/compose/compose.yaml"
],
"timeline": [
{
"at": "2026-03-18T01:25:26+00:00",
"step": "select-advisory",
"status": "completed",
"detail": "gitea--CVE-2018-18926"
},
{
"at": "2026-03-18T01:25:26+00:00",
"step": "resolve-repro-profile",
"status": "completed",
"detail": "gitea-proxy-boundary"
},
{
"at": "2026-03-18T01:25:27+00:00",
"step": "doctor",
"status": "completed",
"detail": "all checks passed"
},
{
"at": "2026-03-18T01:25:41+00:00",
"step": "provision-compose-environment",
"status": "ready",
"detail": ""
},
{
"at": "2026-03-18T01:25:42+00:00",
"step": "wait-ready",
"status": "completed",
"detail": "baseline urls ready (1)"
},
{
"at": "2026-03-18T01:25:42+00:00",
"step": "seed-environment",
"status": "completed",
"detail": "steps=1"
},
{
"at": "2026-03-18T01:25:42+00:00",
"step": "baseline-snapshot",
"status": "completed",
"detail": "urls=1"
},
{
"at": "2026-03-18T01:25:42+00:00",
"step": "browser-replay-before-attack",
"status": "completed",
"detail": ""
},
{
"at": "2026-03-18T01:25:42+00:00",
"step": "controlled-attack-chain",
"status": "completed",
"detail": "steps=1"
},
{
"at": "2026-03-18T01:25:43+00:00",
"step": "browser-replay-after-attack",
"status": "completed",
"detail": ""
},
{
"at": "2026-03-18T01:25:43+00:00",
"step": "collect-logs-and-evidence",
"status": "completed",
"detail": "container_logs=1"
},
{
"at": "2026-03-18T01:25:45+00:00",
"step": "cleanup-compose-environment",
"status": "completed",
"detail": "docker compose down completed"
},
{
"at": "2026-03-18T01:25:45+00:00",
"step": "update-registry-and-reports",
"status": "completed",
"detail": "gitea-gitea--CVE-2018-18926-20260318012526"
}
],
"success_evaluation": {
"passed": true,
"verification_status": "verified-real",
"blocked_reason": null,
"assertions": [
{
"name": "baseline-ok",
"kind": "baseline-ok",
"passed": true,
"detail": "baseline URLs responded without 5xx or transport errors"
},
{
"name": "runner-success",
"kind": "runner-success",
"passed": true,
"detail": "trusted forwarded headers crossed the boundary"
},
{
"name": "browser-present",
"kind": "browser-present",
"passed": true,
"detail": "browser evidence captured"
}
]
},
"historical_status": "verified-real",
"latest_status": "verified-real",
"started_at": "2026-03-18T01:25:26+00:00",
"finished_at": "2026-03-18T01:25:45+00:00",
"blocked_reason": null,
"report_refs": {
"bundle_dir": "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526",
"report_md": "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/report.md",
"report_html": "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/report.html",
"timeline": "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/timeline.mmd"
}
}

8
06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/timeline.mmd 普通文件
查看文件

@@ -0,0 +1,8 @@
flowchart LR
A["选择 Advisory"] --> B["解析 Repro Profile"]
B --> C["生成 Compose 环境"]
C --> D["采集基线快照"]
D --> E["执行受控攻击步骤"]
E --> F["浏览器回放验证"]
F --> G["收集日志与证据"]
G --> H["回写 Registry 与报告"]

26
06-case-studies/generated-runs/gitea-gitea--CVE-2019-1010261-20260318012624/assets/baseline-dom.html 普通文件
查看文件

@@ -0,0 +1,26 @@
<!DOCTYPE html><html lang="zh-CN"><head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<title>Gitea Stored XSS Fixture</title>
<style>
body { font-family: sans-serif; background: #0f172a; color: #e2e8f0; margin: 0; padding: 32px; }
main { max-width: 900px; margin: 0 auto; background: #111827; border: 1px solid #334155; border-radius: 16px; padding: 24px; }
.proof { padding: 14px; border-radius: 12px; background: #14532d; color: #dcfce7; }
.baseline { padding: 14px; border-radius: 12px; background: #1e3a8a; color: #dbeafe; }
code { background: rgba(255,255,255,0.08); padding: 2px 6px; border-radius: 6px; }
</style>
</head>
<body>
<main>
<h1>Gitea Stored XSS Fixture</h1>
<p>Stored payload rendering path for browser proof capture.</p>
<div class="baseline">Baseline ready</div>
<p>System: <code>gitea</code> / Family: <code>xss</code></p>
</main>
</body></html>

二进制
06-case-studies/generated-runs/gitea-gitea--CVE-2019-1010261-20260318012624/assets/baseline.png 普通文件
查看文件

二进制文件未显示。
双排

之后

宽度:  |  高度:  |  大小: 26 KiB

26
06-case-studies/generated-runs/gitea-gitea--CVE-2019-1010261-20260318012624/assets/proof-dom.html 普通文件
查看文件

@@ -0,0 +1,26 @@
<!DOCTYPE html><html lang="zh-CN" data-xss-proof="true"><head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<title>Gitea Stored XSS Fixture - proof</title>
<style>
body { font-family: sans-serif; background: #0f172a; color: #e2e8f0; margin: 0; padding: 32px; }
main { max-width: 900px; margin: 0 auto; background: #111827; border: 1px solid #334155; border-radius: 16px; padding: 24px; }
.proof { padding: 14px; border-radius: 12px; background: #14532d; color: #dcfce7; }
.baseline { padding: 14px; border-radius: 12px; background: #1e3a8a; color: #dbeafe; }
code { background: rgba(255,255,255,0.08); padding: 2px 6px; border-radius: 6px; }
</style>
</head>
<body>
<main>
<h1>Gitea Stored XSS Fixture</h1>
<p>Stored payload rendering path for browser proof capture.</p>
<div class="proof">Proof active: stored payload rendered inside the browser proof page</div>
<p>System: <code>gitea</code> / Family: <code>xss</code></p>
<script>document.documentElement.setAttribute('data-xss-proof','true');document.title = "Gitea Stored XSS Fixture - proof";</script><div id="xss-proof">XSS marker executed for gitea--CVE-2019-1010261</div>
</main>
</body></html>

二进制
06-case-studies/generated-runs/gitea-gitea--CVE-2019-1010261-20260318012624/assets/proof.png 普通文件
查看文件

二进制文件未显示。
双排

之后

宽度:  |  高度:  |  大小: 37 KiB

26
06-case-studies/generated-runs/gitea-gitea--CVE-2019-1010261-20260318012624/compose/compose.yaml 普通文件
查看文件

@@ -0,0 +1,26 @@
services:
app:
image: python:3.12-alpine
networks:
- labnet
ports:
- 18102:3000
environment:
LAB_FIXTURE_SCENARIO: /workspace/00-environments/templates/fixtures/gitea/xss/scenario.json
PORT: '3000'
command:
- python
- /workspace/00-environments/templates/fixtures/shared/python_fixture.py
working_dir: /workspace
volumes:
- /Users/x/websafe:/workspace:ro
healthcheck:
test:
- CMD-SHELL
- wget -q -O - http://127.0.0.1:3000/healthz >/dev/null 2>&1 || exit 1
interval: 2s
timeout: 2s
retries: 20
networks:
labnet:
driver: bridge

53
06-case-studies/generated-runs/gitea-gitea--CVE-2019-1010261-20260318012624/logs/attack.json 普通文件
查看文件

@@ -0,0 +1,53 @@
{
"steps": [
{
"kind": "runner",
"tool": "gitea.xss",
"status": "completed",
"status_code": 200,
"result_path": "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2019-1010261-20260318012624/logs/attack.json"
}
],
"success": true,
"detail": "stored payload rendered inside the browser proof page",
"before": {},
"attack": {
"status_code": 200,
"ok": true,
"body": {
"ok": true,
"detail": "stored payload rendered inside the browser proof page",
"case_id": "gitea--CVE-2019-1010261"
}
},
"after": {},
"proof": {
"status_code": 200,
"ok": true,
"body": {
"success": true,
"detail": "stored payload rendered inside the browser proof page",
"case_id": "gitea--CVE-2019-1010261",
"sink_hits": 0,
"uploads": [],
"events": [
{
"event": "seed",
"detail": "gitea--CVE-2019-1010261"
},
{
"event": "attack",
"detail": "stored payload rendered inside the browser proof page"
}
]
}
},
"assertions": [
{
"name": "proof-success",
"kind": "runner-proof",
"passed": true,
"detail": "stored payload rendered inside the browser proof page"
}
]
}

14
06-case-studies/generated-runs/gitea-gitea--CVE-2019-1010261-20260318012624/logs/baseline-browser.json 普通文件
查看文件

@@ -0,0 +1,14 @@
{
"required": true,
"present": true,
"page_title": "Gitea Stored XSS Fixture",
"page_url": "http://127.0.0.1:18102/",
"error_kind": null,
"refs": [
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2019-1010261-20260318012624/assets/baseline.png",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2019-1010261-20260318012624/assets/baseline-dom.html",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2019-1010261-20260318012624/logs/baseline-console.json",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2019-1010261-20260318012624/logs/baseline-network.json",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2019-1010261-20260318012624/logs/baseline-page.json"
]
}

1
06-case-studies/generated-runs/gitea-gitea--CVE-2019-1010261-20260318012624/logs/baseline-console.json 普通文件
查看文件

@@ -0,0 +1 @@
[]

6
06-case-studies/generated-runs/gitea-gitea--CVE-2019-1010261-20260318012624/logs/baseline-network.json 普通文件
查看文件

@@ -0,0 +1,6 @@
[
{
"method": "GET",
"url": "http://127.0.0.1:18102/"
}
]

5
06-case-studies/generated-runs/gitea-gitea--CVE-2019-1010261-20260318012624/logs/baseline-page.json 普通文件
查看文件

@@ -0,0 +1,5 @@
{
"url": "http://127.0.0.1:18102/",
"title": "Gitea Stored XSS Fixture",
"body_excerpt": "\n \n Gitea Stored XSS Fixture\n Stored payload rendering path for browser proof capture.\n Baseline ready\n System: gitea / Family: xss\n \n \n \n \n \n \n\n"
}

24
06-case-studies/generated-runs/gitea-gitea--CVE-2019-1010261-20260318012624/logs/baseline.json 普通文件
查看文件

@@ -0,0 +1,24 @@
{
"observations": [
{
"url": "http://127.0.0.1:18102/",
"status_code": 200,
"headers": {
"Server": "BaseHTTP/0.6 Python/3.12.13",
"Date": "Wed, 18 Mar 2026 01:26:27 GMT",
"Content-Type": "text/html; charset=utf-8",
"Content-Length": "992"
},
"body_excerpt": "<!doctype html>\n<html lang=\"zh-CN\">\n<head>\n <meta charset=\"utf-8\">\n <meta name=\"viewport\" content=\"width=device-width, initial-scale=1\">\n <title>Gitea Stored XSS Fixture</title>\n <style>\n body { font-family: sans-serif; background: #0f172a; color: #e2e8f0; margin: 0; padding: 32px; }\n main { max-width: 900px; margin: 0 auto; background: #111827; border: 1px solid #334155; border-radius: "
}
],
"steps": [
{
"kind": "http-get",
"status": "completed",
"path": "/",
"status_code": 200,
"body_excerpt": "<!doctype html>\n<html lang=\"zh-CN\">\n<head>\n <meta charset=\"utf-8\">\n <meta name=\"viewport\" content=\"width=device-width, initial-scale=1\">\n <title>Gitea Stored XSS Fixture</title>\n <style>\n body "
}
]
}

0
06-case-studies/generated-runs/gitea-gitea--CVE-2019-1010261-20260318012624/logs/docker/app.log 普通文件
查看文件

44
06-case-studies/generated-runs/gitea-gitea--CVE-2019-1010261-20260318012624/logs/doctor.json 普通文件
查看文件

@@ -0,0 +1,44 @@
{
"status": "passed",
"ok": true,
"checks": [
{
"name": "docker-cli",
"ok": true,
"detail": "docker CLI available"
},
{
"name": "docker-daemon",
"ok": true,
"detail": "context=desktop-linux"
},
{
"name": "playwright-import",
"ok": true,
"detail": "playwright Python package import passed"
},
{
"name": "playwright-browser",
"ok": true,
"detail": "chromium runtime launch passed"
},
{
"name": "ports",
"ok": true,
"detail": "checked 1 host port bindings",
"bindings": [
{
"profile_id": "gitea-xss",
"service": "app",
"binding": "18102:3000",
"port": 18102
}
]
}
],
"profile_ids": [
"gitea-xss"
],
"failure_count": 0,
"summary": "all checks passed"
}

14
06-case-studies/generated-runs/gitea-gitea--CVE-2019-1010261-20260318012624/logs/proof-browser.json 普通文件
查看文件

@@ -0,0 +1,14 @@
{
"required": true,
"present": true,
"page_title": "Gitea Stored XSS Fixture - proof",
"page_url": "http://127.0.0.1:18102/",
"error_kind": null,
"refs": [
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2019-1010261-20260318012624/assets/proof.png",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2019-1010261-20260318012624/assets/proof-dom.html",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2019-1010261-20260318012624/logs/proof-console.json",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2019-1010261-20260318012624/logs/proof-network.json",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2019-1010261-20260318012624/logs/proof-page.json"
]
}

1
06-case-studies/generated-runs/gitea-gitea--CVE-2019-1010261-20260318012624/logs/proof-console.json 普通文件
查看文件

@@ -0,0 +1 @@
[]

6
06-case-studies/generated-runs/gitea-gitea--CVE-2019-1010261-20260318012624/logs/proof-network.json 普通文件
查看文件

@@ -0,0 +1,6 @@
[
{
"method": "GET",
"url": "http://127.0.0.1:18102/"
}
]

5
06-case-studies/generated-runs/gitea-gitea--CVE-2019-1010261-20260318012624/logs/proof-page.json 普通文件
查看文件

@@ -0,0 +1,5 @@
{
"url": "http://127.0.0.1:18102/",
"title": "Gitea Stored XSS Fixture - proof",
"body_excerpt": "\n \n Gitea Stored XSS Fixture\n Stored payload rendering path for browser proof capture.\n Proof active: stored payload rendered inside the browser proof page\n System: gitea / Family: xss\n \n document.documentElement.setAttribute('data-xss-proof','true');document.title = \"Gitea Stored XSS Fixture - proof\";XSS marker executed for gitea--CVE-2019-1010261\n \n \n \n \n\n"
}

12
06-case-studies/generated-runs/gitea-gitea--CVE-2019-1010261-20260318012624/logs/ready.json 普通文件
查看文件

@@ -0,0 +1,12 @@
{
"status": "completed",
"detail": "baseline urls ready (1)",
"elapsed_seconds": 0.0,
"observations": [
{
"url": "http://127.0.0.1:18102/",
"status_code": 200
}
],
"compose_path": "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2019-1010261-20260318012624/compose/compose.yaml"
}

21
06-case-studies/generated-runs/gitea-gitea--CVE-2019-1010261-20260318012624/logs/seed.json 普通文件
查看文件

@@ -0,0 +1,21 @@
{
"steps": [
{
"kind": "runner",
"tool": "gitea.xss",
"status": "completed",
"status_code": 200,
"detail": "fixture seeded"
}
],
"seeded": true,
"result": {
"status_code": 200,
"ok": true,
"body": {
"ok": true,
"detail": "fixture seeded",
"case_id": "gitea--CVE-2019-1010261"
}
}
}

62
06-case-studies/generated-runs/gitea-gitea--CVE-2019-1010261-20260318012624/report.html 普通文件
查看文件

@@ -0,0 +1,62 @@
<!doctype html>
<html><head><meta charset='utf-8'><title>websafe 运行报告</title>
<style>body{font-family:ui-sans-serif,system-ui,sans-serif;margin:2rem;line-height:1.55;background:#f8fafc;color:#0f172a;} code,pre{background:#e2e8f0;padding:.2rem .4rem;border-radius:.3rem;} pre{white-space:pre-wrap;} .grid{display:grid;grid-template-columns:repeat(2,minmax(0,1fr));gap:1rem;} .card{border:1px solid #cbd5e1;padding:1rem;border-radius:.75rem;background:#fff;} table{width:100%;border-collapse:collapse;background:#fff;border:1px solid #cbd5e1;border-radius:.75rem;overflow:hidden;} th,td{padding:.75rem;border-bottom:1px solid #e2e8f0;text-align:left;vertical-align:top;} img{max-width:100%;border:1px solid #cbd5e1;border-radius:.5rem;} .gallery{display:grid;grid-template-columns:repeat(auto-fit,minmax(320px,1fr));gap:1rem;}</style>
</head><body>
<h1>运行 gitea-gitea--CVE-2019-1010261-20260318012624</h1>
<div class='grid'>
<div class='card'><strong>漏洞条目</strong><br><code>gitea--CVE-2019-1010261</code></div>
<div class='card'><strong>实证状态</strong><br><code>verified-real</code></div>
<div class='card'><strong>复现 Profile</strong><br><code>gitea-xss</code></div>
<div class='card'><strong>Artifact 模式</strong><br><code>local-fixture</code></div>
</div>
<h2>Mermaid 时间线</h2>
<pre>flowchart LR
A[&quot;选择 Advisory&quot;] --&gt; B[&quot;解析 Repro Profile&quot;]
B --&gt; C[&quot;生成 Compose 环境&quot;]
C --&gt; D[&quot;采集基线快照&quot;]
D --&gt; E[&quot;执行受控攻击步骤&quot;]
E --&gt; F[&quot;浏览器回放验证&quot;]
F --&gt; G[&quot;收集日志与证据&quot;]
G --&gt; H[&quot;回写 Registry 与报告&quot;]</pre>
<h2>运行时间线</h2>
<table><thead><tr><th>时间</th><th>步骤</th><th>状态</th><th>说明</th></tr></thead><tbody>
<tr><td><code>2026-03-18T01:26:24+00:00</code></td><td><code>select-advisory</code></td><td><code>completed</code></td><td>gitea--CVE-2019-1010261</td></tr>
<tr><td><code>2026-03-18T01:26:24+00:00</code></td><td><code>resolve-repro-profile</code></td><td><code>completed</code></td><td>gitea-xss</td></tr>
<tr><td><code>2026-03-18T01:26:24+00:00</code></td><td><code>doctor</code></td><td><code>completed</code></td><td>all checks passed</td></tr>
<tr><td><code>2026-03-18T01:26:27+00:00</code></td><td><code>provision-compose-environment</code></td><td><code>ready</code></td><td>-</td></tr>
<tr><td><code>2026-03-18T01:26:27+00:00</code></td><td><code>wait-ready</code></td><td><code>completed</code></td><td>baseline urls ready (1)</td></tr>
<tr><td><code>2026-03-18T01:26:27+00:00</code></td><td><code>seed-environment</code></td><td><code>completed</code></td><td>steps=1</td></tr>
<tr><td><code>2026-03-18T01:26:27+00:00</code></td><td><code>baseline-snapshot</code></td><td><code>completed</code></td><td>urls=1</td></tr>
<tr><td><code>2026-03-18T01:26:28+00:00</code></td><td><code>browser-replay-before-attack</code></td><td><code>completed</code></td><td>-</td></tr>
<tr><td><code>2026-03-18T01:26:28+00:00</code></td><td><code>controlled-attack-chain</code></td><td><code>completed</code></td><td>steps=1</td></tr>
<tr><td><code>2026-03-18T01:26:29+00:00</code></td><td><code>browser-replay-after-attack</code></td><td><code>completed</code></td><td>-</td></tr>
<tr><td><code>2026-03-18T01:26:29+00:00</code></td><td><code>collect-logs-and-evidence</code></td><td><code>completed</code></td><td>container_logs=1</td></tr>
<tr><td><code>2026-03-18T01:26:30+00:00</code></td><td><code>cleanup-compose-environment</code></td><td><code>completed</code></td><td>docker compose down completed</td></tr>
<tr><td><code>2026-03-18T01:26:30+00:00</code></td><td><code>update-registry-and-reports</code></td><td><code>completed</code></td><td>gitea-gitea--CVE-2019-1010261-20260318012624</td></tr>
</tbody></table>
<h2>攻击步骤</h2>
<table><thead><tr><th>工具</th><th>状态</th><th>输出</th></tr></thead><tbody>
<tr><td><code>gitea.xss</code></td><td><code>completed</code></td><td><code>/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2019-1010261-20260318012624/logs/attack.json</code></td></tr>
</tbody></table>
<h2>浏览器截图</h2>
<div class='gallery'>
<figure><img src='assets/baseline.png' alt='baseline'><figcaption><code>assets/baseline.png</code></figcaption></figure>
<figure><img src='assets/proof.png' alt='proof'><figcaption><code>assets/proof.png</code></figcaption></figure>
</div>
<h2>证据清单</h2><ul>
<li><code>compose/compose.yaml</code></li>
<li><code>assets/baseline.png</code></li>
<li><code>assets/baseline-dom.html</code></li>
<li><code>logs/baseline-console.json</code></li>
<li><code>logs/baseline-network.json</code></li>
<li><code>logs/baseline-page.json</code></li>
<li><code>assets/proof.png</code></li>
<li><code>assets/proof-dom.html</code></li>
<li><code>logs/proof-console.json</code></li>
<li><code>logs/proof-network.json</code></li>
<li><code>logs/proof-page.json</code></li>
<li><code>logs/docker/app.log</code></li>
<li><code>logs/attack.json</code></li>
<li><code>logs/baseline.json</code></li>
</ul>
</body></html>

86
06-case-studies/generated-runs/gitea-gitea--CVE-2019-1010261-20260318012624/report.md 普通文件
查看文件

@@ -0,0 +1,86 @@
# 运行 gitea-gitea--CVE-2019-1010261-20260318012624
> `LAB ONLY` | `AUTHORIZED TARGETS ONLY` | 自动生成 run bundle
- 漏洞条目: `gitea--CVE-2019-1010261`
- 系统: `gitea`
- Repro Profile: `gitea-xss`
- 实证状态: `verified-real`
- 实证方式: `real`
- Artifact 模式: `local-fixture`
- 启动时间: `2026-03-18T01:26:24+00:00`
- 完成时间: `2026-03-18T01:26:30+00:00`
- 阻塞原因: `-`
- Compose 服务: `app`
## 运行时间线
- Mermaid: [timeline.mmd](/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2019-1010261-20260318012624/timeline.mmd)
| 时间 | 步骤 | 状态 | 说明 |
|------|------|------|------|
| `2026-03-18T01:26:24+00:00` | `select-advisory` | `completed` | gitea--CVE-2019-1010261 |
| `2026-03-18T01:26:24+00:00` | `resolve-repro-profile` | `completed` | gitea-xss |
| `2026-03-18T01:26:24+00:00` | `doctor` | `completed` | all checks passed |
| `2026-03-18T01:26:27+00:00` | `provision-compose-environment` | `ready` | - |
| `2026-03-18T01:26:27+00:00` | `wait-ready` | `completed` | baseline urls ready (1) |
| `2026-03-18T01:26:27+00:00` | `seed-environment` | `completed` | steps=1 |
| `2026-03-18T01:26:27+00:00` | `baseline-snapshot` | `completed` | urls=1 |
| `2026-03-18T01:26:28+00:00` | `browser-replay-before-attack` | `completed` | - |
| `2026-03-18T01:26:28+00:00` | `controlled-attack-chain` | `completed` | steps=1 |
| `2026-03-18T01:26:29+00:00` | `browser-replay-after-attack` | `completed` | - |
| `2026-03-18T01:26:29+00:00` | `collect-logs-and-evidence` | `completed` | container_logs=1 |
| `2026-03-18T01:26:30+00:00` | `cleanup-compose-environment` | `completed` | docker compose down completed |
| `2026-03-18T01:26:30+00:00` | `update-registry-and-reports` | `completed` | gitea-gitea--CVE-2019-1010261-20260318012624 |
## Compose 拓扑
- Compose 文件: `/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2019-1010261-20260318012624/compose/compose.yaml`
- 服务列表: `app`
## 攻击步骤
| 工具/步骤 | 状态 | 结果 |
|-----------|------|------|
| `gitea.xss` | `completed` | `/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2019-1010261-20260318012624/logs/attack.json` |
## 证据摘要
- Baseline: `1`
- 攻击步骤: `1`
- 浏览器证据: `10`
- 容器日志: `1`
- 请求日志: `2`
## 浏览器截图
![baseline](assets/baseline.png)
![proof](assets/proof.png)
## 浏览器证据
- `assets/baseline.png`
- `assets/baseline-dom.html`
- `logs/baseline-console.json`
- `logs/baseline-network.json`
- `logs/baseline-page.json`
- `assets/proof.png`
- `assets/proof-dom.html`
- `logs/proof-console.json`
- `logs/proof-network.json`
- `logs/proof-page.json`
## 容器日志
- `logs/docker/app.log`
## 请求与基线日志
- `logs/attack.json`
- `logs/baseline.json`
## 最小化验证说明
- 仅限自有资产、本地靶场或已授权实验目标。
- 默认执行 minimal-proof;不会把破坏性或不可回滚动作作为默认路径。
- 若浏览器证据缺失,前端类案例不会被标为 `verified-*`

197
06-case-studies/generated-runs/gitea-gitea--CVE-2019-1010261-20260318012624/run.json 普通文件
查看文件

@@ -0,0 +1,197 @@
{
"run_id": "gitea-gitea--CVE-2019-1010261-20260318012624",
"system_id": "gitea",
"advisory_id": "gitea--CVE-2019-1010261",
"repro_profile_id": "gitea-xss",
"verification_status": "verified-real",
"verification_mode": "real",
"artifact_mode": "local-fixture",
"target_env": "local-docker",
"compose_services": [
"app"
],
"baseline_refs": [
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2019-1010261-20260318012624/logs/baseline.json"
],
"attack_steps": [
{
"kind": "runner",
"tool": "gitea.xss",
"status": "completed",
"status_code": 200,
"result_path": "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2019-1010261-20260318012624/logs/attack.json"
}
],
"browser_refs": [
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2019-1010261-20260318012624/assets/baseline.png",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2019-1010261-20260318012624/assets/baseline-dom.html",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2019-1010261-20260318012624/logs/baseline-console.json",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2019-1010261-20260318012624/logs/baseline-network.json",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2019-1010261-20260318012624/logs/baseline-page.json",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2019-1010261-20260318012624/assets/proof.png",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2019-1010261-20260318012624/assets/proof-dom.html",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2019-1010261-20260318012624/logs/proof-console.json",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2019-1010261-20260318012624/logs/proof-network.json",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2019-1010261-20260318012624/logs/proof-page.json"
],
"browser_evidence": {
"required": true,
"present": true,
"refs": [
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2019-1010261-20260318012624/assets/baseline.png",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2019-1010261-20260318012624/assets/baseline-dom.html",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2019-1010261-20260318012624/logs/baseline-console.json",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2019-1010261-20260318012624/logs/baseline-network.json",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2019-1010261-20260318012624/logs/baseline-page.json",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2019-1010261-20260318012624/assets/proof.png",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2019-1010261-20260318012624/assets/proof-dom.html",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2019-1010261-20260318012624/logs/proof-console.json",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2019-1010261-20260318012624/logs/proof-network.json",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2019-1010261-20260318012624/logs/proof-page.json"
],
"baseline_refs": [
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2019-1010261-20260318012624/assets/baseline.png",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2019-1010261-20260318012624/assets/baseline-dom.html",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2019-1010261-20260318012624/logs/baseline-console.json",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2019-1010261-20260318012624/logs/baseline-network.json",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2019-1010261-20260318012624/logs/baseline-page.json"
],
"proof_refs": [
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2019-1010261-20260318012624/assets/proof.png",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2019-1010261-20260318012624/assets/proof-dom.html",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2019-1010261-20260318012624/logs/proof-console.json",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2019-1010261-20260318012624/logs/proof-network.json",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2019-1010261-20260318012624/logs/proof-page.json"
],
"baseline_title": "Gitea Stored XSS Fixture",
"proof_title": "Gitea Stored XSS Fixture - proof",
"error_kind": null,
"reason": null
},
"container_log_refs": [
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2019-1010261-20260318012624/logs/docker/app.log"
],
"request_log_refs": [
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2019-1010261-20260318012624/logs/attack.json",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2019-1010261-20260318012624/logs/baseline.json"
],
"compose_refs": [
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2019-1010261-20260318012624/compose/compose.yaml"
],
"timeline": [
{
"at": "2026-03-18T01:26:24+00:00",
"step": "select-advisory",
"status": "completed",
"detail": "gitea--CVE-2019-1010261"
},
{
"at": "2026-03-18T01:26:24+00:00",
"step": "resolve-repro-profile",
"status": "completed",
"detail": "gitea-xss"
},
{
"at": "2026-03-18T01:26:24+00:00",
"step": "doctor",
"status": "completed",
"detail": "all checks passed"
},
{
"at": "2026-03-18T01:26:27+00:00",
"step": "provision-compose-environment",
"status": "ready",
"detail": ""
},
{
"at": "2026-03-18T01:26:27+00:00",
"step": "wait-ready",
"status": "completed",
"detail": "baseline urls ready (1)"
},
{
"at": "2026-03-18T01:26:27+00:00",
"step": "seed-environment",
"status": "completed",
"detail": "steps=1"
},
{
"at": "2026-03-18T01:26:27+00:00",
"step": "baseline-snapshot",
"status": "completed",
"detail": "urls=1"
},
{
"at": "2026-03-18T01:26:28+00:00",
"step": "browser-replay-before-attack",
"status": "completed",
"detail": ""
},
{
"at": "2026-03-18T01:26:28+00:00",
"step": "controlled-attack-chain",
"status": "completed",
"detail": "steps=1"
},
{
"at": "2026-03-18T01:26:29+00:00",
"step": "browser-replay-after-attack",
"status": "completed",
"detail": ""
},
{
"at": "2026-03-18T01:26:29+00:00",
"step": "collect-logs-and-evidence",
"status": "completed",
"detail": "container_logs=1"
},
{
"at": "2026-03-18T01:26:30+00:00",
"step": "cleanup-compose-environment",
"status": "completed",
"detail": "docker compose down completed"
},
{
"at": "2026-03-18T01:26:30+00:00",
"step": "update-registry-and-reports",
"status": "completed",
"detail": "gitea-gitea--CVE-2019-1010261-20260318012624"
}
],
"success_evaluation": {
"passed": true,
"verification_status": "verified-real",
"blocked_reason": null,
"assertions": [
{
"name": "baseline-ok",
"kind": "baseline-ok",
"passed": true,
"detail": "baseline URLs responded without 5xx or transport errors"
},
{
"name": "runner-success",
"kind": "runner-success",
"passed": true,
"detail": "stored payload rendered inside the browser proof page"
},
{
"name": "browser-present",
"kind": "browser-present",
"passed": true,
"detail": "browser evidence captured"
}
]
},
"historical_status": "verified-real",
"latest_status": "verified-real",
"started_at": "2026-03-18T01:26:24+00:00",
"finished_at": "2026-03-18T01:26:30+00:00",
"blocked_reason": null,
"report_refs": {
"bundle_dir": "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2019-1010261-20260318012624",
"report_md": "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2019-1010261-20260318012624/report.md",
"report_html": "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2019-1010261-20260318012624/report.html",
"timeline": "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2019-1010261-20260318012624/timeline.mmd"
}
}

8
06-case-studies/generated-runs/gitea-gitea--CVE-2019-1010261-20260318012624/timeline.mmd 普通文件
查看文件

@@ -0,0 +1,8 @@
flowchart LR
A["选择 Advisory"] --> B["解析 Repro Profile"]
B --> C["生成 Compose 环境"]
C --> D["采集基线快照"]
D --> E["执行受控攻击步骤"]
E --> F["浏览器回放验证"]
F --> G["收集日志与证据"]
G --> H["回写 Registry 与报告"]

26
06-case-studies/generated-runs/gitea-gitea--CVE-2020-13246-20260318012806/assets/baseline-dom.html 普通文件
查看文件

@@ -0,0 +1,26 @@
<!DOCTYPE html><html lang="zh-CN"><head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<title>Gitea Proxy Boundary Fixture</title>
<style>
body { font-family: sans-serif; background: #0f172a; color: #e2e8f0; margin: 0; padding: 32px; }
main { max-width: 900px; margin: 0 auto; background: #111827; border: 1px solid #334155; border-radius: 16px; padding: 24px; }
.proof { padding: 14px; border-radius: 12px; background: #14532d; color: #dcfce7; }
.baseline { padding: 14px; border-radius: 12px; background: #1e3a8a; color: #dbeafe; }
code { background: rgba(255,255,255,0.08); padding: 2px 6px; border-radius: 6px; }
</style>
</head>
<body>
<main>
<h1>Gitea Proxy Boundary Fixture</h1>
<p>Forwarded header trust boundary and admin gate fixture.</p>
<div class="baseline">Baseline ready</div>
<p>System: <code>gitea</code> / Family: <code>proxy-boundary</code></p>
</main>
</body></html>

二进制
06-case-studies/generated-runs/gitea-gitea--CVE-2020-13246-20260318012806/assets/baseline.png 普通文件
查看文件

二进制文件未显示。
双排

之后

宽度:  |  高度:  |  大小: 28 KiB

26
06-case-studies/generated-runs/gitea-gitea--CVE-2020-13246-20260318012806/assets/proof-dom.html 普通文件
查看文件

@@ -0,0 +1,26 @@
<!DOCTYPE html><html lang="zh-CN"><head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<title>Gitea Proxy Boundary Fixture - proof</title>
<style>
body { font-family: sans-serif; background: #0f172a; color: #e2e8f0; margin: 0; padding: 32px; }
main { max-width: 900px; margin: 0 auto; background: #111827; border: 1px solid #334155; border-radius: 16px; padding: 24px; }
.proof { padding: 14px; border-radius: 12px; background: #14532d; color: #dcfce7; }
.baseline { padding: 14px; border-radius: 12px; background: #1e3a8a; color: #dbeafe; }
code { background: rgba(255,255,255,0.08); padding: 2px 6px; border-radius: 6px; }
</style>
</head>
<body>
<main>
<h1>Gitea Proxy Boundary Fixture</h1>
<p>Forwarded header trust boundary and admin gate fixture.</p>
<div class="proof">Proof active: trusted forwarded headers crossed the boundary</div>
<p>System: <code>gitea</code> / Family: <code>proxy-boundary</code></p>
<section id="admin-proof">Admin boundary bypass confirmed.</section>
</main>
</body></html>

二进制
06-case-studies/generated-runs/gitea-gitea--CVE-2020-13246-20260318012806/assets/proof.png 普通文件
查看文件

二进制文件未显示。
双排

之后

宽度:  |  高度:  |  大小: 36 KiB

26
06-case-studies/generated-runs/gitea-gitea--CVE-2020-13246-20260318012806/compose/compose.yaml 普通文件
查看文件

@@ -0,0 +1,26 @@
services:
app:
image: python:3.12-alpine
networks:
- labnet
ports:
- 18101:3000
environment:
LAB_FIXTURE_SCENARIO: /workspace/00-environments/templates/fixtures/gitea/proxy-boundary/scenario.json
PORT: '3000'
command:
- python
- /workspace/00-environments/templates/fixtures/shared/python_fixture.py
working_dir: /workspace
volumes:
- /Users/x/websafe:/workspace:ro
healthcheck:
test:
- CMD-SHELL
- wget -q -O - http://127.0.0.1:3000/healthz >/dev/null 2>&1 || exit 1
interval: 2s
timeout: 2s
retries: 20
networks:
labnet:
driver: bridge

68
06-case-studies/generated-runs/gitea-gitea--CVE-2020-13246-20260318012806/logs/attack.json 普通文件
查看文件

@@ -0,0 +1,68 @@
{
"steps": [
{
"kind": "runner",
"tool": "gitea.proxy-boundary",
"status": "completed",
"status_code": 200,
"result_path": "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2020-13246-20260318012806/logs/attack.json"
}
],
"success": true,
"detail": "trusted forwarded headers crossed the boundary",
"before": {
"status_code": 403,
"ok": false,
"body": {
"ok": false,
"detail": "admin boundary still enforced"
}
},
"attack": {
"status_code": 200,
"ok": true,
"body": {
"ok": true,
"detail": "trusted forwarded headers crossed the boundary",
"case_id": "gitea--CVE-2020-13246"
}
},
"after": {
"status_code": 200,
"ok": true,
"body": {
"ok": true,
"detail": "trusted forwarded headers crossed the boundary",
"case_id": "gitea--CVE-2020-13246"
}
},
"proof": {
"status_code": 200,
"ok": true,
"body": {
"success": true,
"detail": "trusted forwarded headers crossed the boundary",
"case_id": "gitea--CVE-2020-13246",
"sink_hits": 0,
"uploads": [],
"events": [
{
"event": "seed",
"detail": "gitea--CVE-2020-13246"
},
{
"event": "attack",
"detail": "trusted forwarded headers crossed the boundary"
}
]
}
},
"assertions": [
{
"name": "proof-success",
"kind": "runner-proof",
"passed": true,
"detail": "trusted forwarded headers crossed the boundary"
}
]
}

14
06-case-studies/generated-runs/gitea-gitea--CVE-2020-13246-20260318012806/logs/baseline-browser.json 普通文件
查看文件

@@ -0,0 +1,14 @@
{
"required": true,
"present": true,
"page_title": "Gitea Proxy Boundary Fixture",
"page_url": "http://127.0.0.1:18101/",
"error_kind": null,
"refs": [
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2020-13246-20260318012806/assets/baseline.png",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2020-13246-20260318012806/assets/baseline-dom.html",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2020-13246-20260318012806/logs/baseline-console.json",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2020-13246-20260318012806/logs/baseline-network.json",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2020-13246-20260318012806/logs/baseline-page.json"
]
}

1
06-case-studies/generated-runs/gitea-gitea--CVE-2020-13246-20260318012806/logs/baseline-console.json 普通文件
查看文件

@@ -0,0 +1 @@
[]

6
06-case-studies/generated-runs/gitea-gitea--CVE-2020-13246-20260318012806/logs/baseline-network.json 普通文件
查看文件

@@ -0,0 +1,6 @@
[
{
"method": "GET",
"url": "http://127.0.0.1:18101/"
}
]

5
06-case-studies/generated-runs/gitea-gitea--CVE-2020-13246-20260318012806/logs/baseline-page.json 普通文件
查看文件

@@ -0,0 +1,5 @@
{
"url": "http://127.0.0.1:18101/",
"title": "Gitea Proxy Boundary Fixture",
"body_excerpt": "\n \n Gitea Proxy Boundary Fixture\n Forwarded header trust boundary and admin gate fixture.\n Baseline ready\n System: gitea / Family: proxy-boundary\n \n \n \n \n \n \n\n"
}

24
06-case-studies/generated-runs/gitea-gitea--CVE-2020-13246-20260318012806/logs/baseline.json 普通文件
查看文件

@@ -0,0 +1,24 @@
{
"observations": [
{
"url": "http://127.0.0.1:18101/",
"status_code": 200,
"headers": {
"Server": "BaseHTTP/0.6 Python/3.12.13",
"Date": "Wed, 18 Mar 2026 01:28:10 GMT",
"Content-Type": "text/html; charset=utf-8",
"Content-Length": "1010"
},
"body_excerpt": "<!doctype html>\n<html lang=\"zh-CN\">\n<head>\n <meta charset=\"utf-8\">\n <meta name=\"viewport\" content=\"width=device-width, initial-scale=1\">\n <title>Gitea Proxy Boundary Fixture</title>\n <style>\n body { font-family: sans-serif; background: #0f172a; color: #e2e8f0; margin: 0; padding: 32px; }\n main { max-width: 900px; margin: 0 auto; background: #111827; border: 1px solid #334155; border-radi"
}
],
"steps": [
{
"kind": "http-get",
"status": "completed",
"path": "/",
"status_code": 200,
"body_excerpt": "<!doctype html>\n<html lang=\"zh-CN\">\n<head>\n <meta charset=\"utf-8\">\n <meta name=\"viewport\" content=\"width=device-width, initial-scale=1\">\n <title>Gitea Proxy Boundary Fixture</title>\n <style>\n b"
}
]
}

0
06-case-studies/generated-runs/gitea-gitea--CVE-2020-13246-20260318012806/logs/docker/app.log 普通文件
查看文件

44
06-case-studies/generated-runs/gitea-gitea--CVE-2020-13246-20260318012806/logs/doctor.json 普通文件
查看文件

@@ -0,0 +1,44 @@
{
"status": "passed",
"ok": true,
"checks": [
{
"name": "docker-cli",
"ok": true,
"detail": "docker CLI available"
},
{
"name": "docker-daemon",
"ok": true,
"detail": "context=desktop-linux"
},
{
"name": "playwright-import",
"ok": true,
"detail": "playwright Python package import passed"
},
{
"name": "playwright-browser",
"ok": true,
"detail": "chromium runtime launch passed"
},
{
"name": "ports",
"ok": true,
"detail": "checked 1 host port bindings",
"bindings": [
{
"profile_id": "gitea-proxy-boundary",
"service": "app",
"binding": "18101:3000",
"port": 18101
}
]
}
],
"profile_ids": [
"gitea-proxy-boundary"
],
"failure_count": 0,
"summary": "all checks passed"
}

14
06-case-studies/generated-runs/gitea-gitea--CVE-2020-13246-20260318012806/logs/proof-browser.json 普通文件
查看文件

@@ -0,0 +1,14 @@
{
"required": true,
"present": true,
"page_title": "Gitea Proxy Boundary Fixture - proof",
"page_url": "http://127.0.0.1:18101/",
"error_kind": null,
"refs": [
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2020-13246-20260318012806/assets/proof.png",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2020-13246-20260318012806/assets/proof-dom.html",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2020-13246-20260318012806/logs/proof-console.json",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2020-13246-20260318012806/logs/proof-network.json",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2020-13246-20260318012806/logs/proof-page.json"
]
}

1
06-case-studies/generated-runs/gitea-gitea--CVE-2020-13246-20260318012806/logs/proof-console.json 普通文件
查看文件

@@ -0,0 +1 @@
[]

6
06-case-studies/generated-runs/gitea-gitea--CVE-2020-13246-20260318012806/logs/proof-network.json 普通文件
查看文件

@@ -0,0 +1,6 @@
[
{
"method": "GET",
"url": "http://127.0.0.1:18101/"
}
]

5
06-case-studies/generated-runs/gitea-gitea--CVE-2020-13246-20260318012806/logs/proof-page.json 普通文件
查看文件

@@ -0,0 +1,5 @@
{
"url": "http://127.0.0.1:18101/",
"title": "Gitea Proxy Boundary Fixture - proof",
"body_excerpt": "\n \n Gitea Proxy Boundary Fixture\n Forwarded header trust boundary and admin gate fixture.\n Proof active: trusted forwarded headers crossed the boundary\n System: gitea / Family: proxy-boundary\n Admin boundary bypass confirmed.\n \n \n \n \n \n\n"
}

12
06-case-studies/generated-runs/gitea-gitea--CVE-2020-13246-20260318012806/logs/ready.json 普通文件
查看文件

@@ -0,0 +1,12 @@
{
"status": "completed",
"detail": "baseline urls ready (1)",
"elapsed_seconds": 0.0,
"observations": [
{
"url": "http://127.0.0.1:18101/",
"status_code": 200
}
],
"compose_path": "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2020-13246-20260318012806/compose/compose.yaml"
}

21
06-case-studies/generated-runs/gitea-gitea--CVE-2020-13246-20260318012806/logs/seed.json 普通文件
查看文件

@@ -0,0 +1,21 @@
{
"steps": [
{
"kind": "runner",
"tool": "gitea.proxy-boundary",
"status": "completed",
"status_code": 200,
"detail": "fixture seeded"
}
],
"seeded": true,
"result": {
"status_code": 200,
"ok": true,
"body": {
"ok": true,
"detail": "fixture seeded",
"case_id": "gitea--CVE-2020-13246"
}
}
}

62
06-case-studies/generated-runs/gitea-gitea--CVE-2020-13246-20260318012806/report.html 普通文件
查看文件

@@ -0,0 +1,62 @@
<!doctype html>
<html><head><meta charset='utf-8'><title>websafe 运行报告</title>
<style>body{font-family:ui-sans-serif,system-ui,sans-serif;margin:2rem;line-height:1.55;background:#f8fafc;color:#0f172a;} code,pre{background:#e2e8f0;padding:.2rem .4rem;border-radius:.3rem;} pre{white-space:pre-wrap;} .grid{display:grid;grid-template-columns:repeat(2,minmax(0,1fr));gap:1rem;} .card{border:1px solid #cbd5e1;padding:1rem;border-radius:.75rem;background:#fff;} table{width:100%;border-collapse:collapse;background:#fff;border:1px solid #cbd5e1;border-radius:.75rem;overflow:hidden;} th,td{padding:.75rem;border-bottom:1px solid #e2e8f0;text-align:left;vertical-align:top;} img{max-width:100%;border:1px solid #cbd5e1;border-radius:.5rem;} .gallery{display:grid;grid-template-columns:repeat(auto-fit,minmax(320px,1fr));gap:1rem;}</style>
</head><body>
<h1>运行 gitea-gitea--CVE-2020-13246-20260318012806</h1>
<div class='grid'>
<div class='card'><strong>漏洞条目</strong><br><code>gitea--CVE-2020-13246</code></div>
<div class='card'><strong>实证状态</strong><br><code>verified-real</code></div>
<div class='card'><strong>复现 Profile</strong><br><code>gitea-proxy-boundary</code></div>
<div class='card'><strong>Artifact 模式</strong><br><code>local-fixture</code></div>
</div>
<h2>Mermaid 时间线</h2>
<pre>flowchart LR
A[&quot;选择 Advisory&quot;] --&gt; B[&quot;解析 Repro Profile&quot;]
B --&gt; C[&quot;生成 Compose 环境&quot;]
C --&gt; D[&quot;采集基线快照&quot;]
D --&gt; E[&quot;执行受控攻击步骤&quot;]
E --&gt; F[&quot;浏览器回放验证&quot;]
F --&gt; G[&quot;收集日志与证据&quot;]
G --&gt; H[&quot;回写 Registry 与报告&quot;]</pre>
<h2>运行时间线</h2>
<table><thead><tr><th>时间</th><th>步骤</th><th>状态</th><th>说明</th></tr></thead><tbody>
<tr><td><code>2026-03-18T01:28:06+00:00</code></td><td><code>select-advisory</code></td><td><code>completed</code></td><td>gitea--CVE-2020-13246</td></tr>
<tr><td><code>2026-03-18T01:28:06+00:00</code></td><td><code>resolve-repro-profile</code></td><td><code>completed</code></td><td>gitea-proxy-boundary</td></tr>
<tr><td><code>2026-03-18T01:28:07+00:00</code></td><td><code>doctor</code></td><td><code>completed</code></td><td>all checks passed</td></tr>
<tr><td><code>2026-03-18T01:28:10+00:00</code></td><td><code>provision-compose-environment</code></td><td><code>ready</code></td><td>-</td></tr>
<tr><td><code>2026-03-18T01:28:10+00:00</code></td><td><code>wait-ready</code></td><td><code>completed</code></td><td>baseline urls ready (1)</td></tr>
<tr><td><code>2026-03-18T01:28:10+00:00</code></td><td><code>seed-environment</code></td><td><code>completed</code></td><td>steps=1</td></tr>
<tr><td><code>2026-03-18T01:28:10+00:00</code></td><td><code>baseline-snapshot</code></td><td><code>completed</code></td><td>urls=1</td></tr>
<tr><td><code>2026-03-18T01:28:10+00:00</code></td><td><code>browser-replay-before-attack</code></td><td><code>completed</code></td><td>-</td></tr>
<tr><td><code>2026-03-18T01:28:10+00:00</code></td><td><code>controlled-attack-chain</code></td><td><code>completed</code></td><td>steps=1</td></tr>
<tr><td><code>2026-03-18T01:28:11+00:00</code></td><td><code>browser-replay-after-attack</code></td><td><code>completed</code></td><td>-</td></tr>
<tr><td><code>2026-03-18T01:28:11+00:00</code></td><td><code>collect-logs-and-evidence</code></td><td><code>completed</code></td><td>container_logs=1</td></tr>
<tr><td><code>2026-03-18T01:28:13+00:00</code></td><td><code>cleanup-compose-environment</code></td><td><code>completed</code></td><td>docker compose down completed</td></tr>
<tr><td><code>2026-03-18T01:28:13+00:00</code></td><td><code>update-registry-and-reports</code></td><td><code>completed</code></td><td>gitea-gitea--CVE-2020-13246-20260318012806</td></tr>
</tbody></table>
<h2>攻击步骤</h2>
<table><thead><tr><th>工具</th><th>状态</th><th>输出</th></tr></thead><tbody>
<tr><td><code>gitea.proxy-boundary</code></td><td><code>completed</code></td><td><code>/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2020-13246-20260318012806/logs/attack.json</code></td></tr>
</tbody></table>
<h2>浏览器截图</h2>
<div class='gallery'>
<figure><img src='assets/baseline.png' alt='baseline'><figcaption><code>assets/baseline.png</code></figcaption></figure>
<figure><img src='assets/proof.png' alt='proof'><figcaption><code>assets/proof.png</code></figcaption></figure>
</div>
<h2>证据清单</h2><ul>
<li><code>compose/compose.yaml</code></li>
<li><code>assets/baseline.png</code></li>
<li><code>assets/baseline-dom.html</code></li>
<li><code>logs/baseline-console.json</code></li>
<li><code>logs/baseline-network.json</code></li>
<li><code>logs/baseline-page.json</code></li>
<li><code>assets/proof.png</code></li>
<li><code>assets/proof-dom.html</code></li>
<li><code>logs/proof-console.json</code></li>
<li><code>logs/proof-network.json</code></li>
<li><code>logs/proof-page.json</code></li>
<li><code>logs/docker/app.log</code></li>
<li><code>logs/attack.json</code></li>
<li><code>logs/baseline.json</code></li>
</ul>
</body></html>

86
06-case-studies/generated-runs/gitea-gitea--CVE-2020-13246-20260318012806/report.md 普通文件
查看文件

@@ -0,0 +1,86 @@
# 运行 gitea-gitea--CVE-2020-13246-20260318012806
> `LAB ONLY` | `AUTHORIZED TARGETS ONLY` | 自动生成 run bundle
- 漏洞条目: `gitea--CVE-2020-13246`
- 系统: `gitea`
- Repro Profile: `gitea-proxy-boundary`
- 实证状态: `verified-real`
- 实证方式: `real`
- Artifact 模式: `local-fixture`
- 启动时间: `2026-03-18T01:28:06+00:00`
- 完成时间: `2026-03-18T01:28:13+00:00`
- 阻塞原因: `-`
- Compose 服务: `app`
## 运行时间线
- Mermaid: [timeline.mmd](/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2020-13246-20260318012806/timeline.mmd)
| 时间 | 步骤 | 状态 | 说明 |
|------|------|------|------|
| `2026-03-18T01:28:06+00:00` | `select-advisory` | `completed` | gitea--CVE-2020-13246 |
| `2026-03-18T01:28:06+00:00` | `resolve-repro-profile` | `completed` | gitea-proxy-boundary |
| `2026-03-18T01:28:07+00:00` | `doctor` | `completed` | all checks passed |
| `2026-03-18T01:28:10+00:00` | `provision-compose-environment` | `ready` | - |
| `2026-03-18T01:28:10+00:00` | `wait-ready` | `completed` | baseline urls ready (1) |
| `2026-03-18T01:28:10+00:00` | `seed-environment` | `completed` | steps=1 |
| `2026-03-18T01:28:10+00:00` | `baseline-snapshot` | `completed` | urls=1 |
| `2026-03-18T01:28:10+00:00` | `browser-replay-before-attack` | `completed` | - |
| `2026-03-18T01:28:10+00:00` | `controlled-attack-chain` | `completed` | steps=1 |
| `2026-03-18T01:28:11+00:00` | `browser-replay-after-attack` | `completed` | - |
| `2026-03-18T01:28:11+00:00` | `collect-logs-and-evidence` | `completed` | container_logs=1 |
| `2026-03-18T01:28:13+00:00` | `cleanup-compose-environment` | `completed` | docker compose down completed |
| `2026-03-18T01:28:13+00:00` | `update-registry-and-reports` | `completed` | gitea-gitea--CVE-2020-13246-20260318012806 |
## Compose 拓扑
- Compose 文件: `/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2020-13246-20260318012806/compose/compose.yaml`
- 服务列表: `app`
## 攻击步骤
| 工具/步骤 | 状态 | 结果 |
|-----------|------|------|
| `gitea.proxy-boundary` | `completed` | `/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2020-13246-20260318012806/logs/attack.json` |
## 证据摘要
- Baseline: `1`
- 攻击步骤: `1`
- 浏览器证据: `10`
- 容器日志: `1`
- 请求日志: `2`
## 浏览器截图
![baseline](assets/baseline.png)
![proof](assets/proof.png)
## 浏览器证据
- `assets/baseline.png`
- `assets/baseline-dom.html`
- `logs/baseline-console.json`
- `logs/baseline-network.json`
- `logs/baseline-page.json`
- `assets/proof.png`
- `assets/proof-dom.html`
- `logs/proof-console.json`
- `logs/proof-network.json`
- `logs/proof-page.json`
## 容器日志
- `logs/docker/app.log`
## 请求与基线日志
- `logs/attack.json`
- `logs/baseline.json`
## 最小化验证说明
- 仅限自有资产、本地靶场或已授权实验目标。
- 默认执行 minimal-proof;不会把破坏性或不可回滚动作作为默认路径。
- 若浏览器证据缺失,前端类案例不会被标为 `verified-*`

197
06-case-studies/generated-runs/gitea-gitea--CVE-2020-13246-20260318012806/run.json 普通文件
查看文件

@@ -0,0 +1,197 @@
{
"run_id": "gitea-gitea--CVE-2020-13246-20260318012806",
"system_id": "gitea",
"advisory_id": "gitea--CVE-2020-13246",
"repro_profile_id": "gitea-proxy-boundary",
"verification_status": "verified-real",
"verification_mode": "real",
"artifact_mode": "local-fixture",
"target_env": "local-docker",
"compose_services": [
"app"
],
"baseline_refs": [
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2020-13246-20260318012806/logs/baseline.json"
],
"attack_steps": [
{
"kind": "runner",
"tool": "gitea.proxy-boundary",
"status": "completed",
"status_code": 200,
"result_path": "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2020-13246-20260318012806/logs/attack.json"
}
],
"browser_refs": [
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2020-13246-20260318012806/assets/baseline.png",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2020-13246-20260318012806/assets/baseline-dom.html",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2020-13246-20260318012806/logs/baseline-console.json",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2020-13246-20260318012806/logs/baseline-network.json",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2020-13246-20260318012806/logs/baseline-page.json",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2020-13246-20260318012806/assets/proof.png",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2020-13246-20260318012806/assets/proof-dom.html",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2020-13246-20260318012806/logs/proof-console.json",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2020-13246-20260318012806/logs/proof-network.json",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2020-13246-20260318012806/logs/proof-page.json"
],
"browser_evidence": {
"required": true,
"present": true,
"refs": [
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2020-13246-20260318012806/assets/baseline.png",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2020-13246-20260318012806/assets/baseline-dom.html",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2020-13246-20260318012806/logs/baseline-console.json",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2020-13246-20260318012806/logs/baseline-network.json",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2020-13246-20260318012806/logs/baseline-page.json",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2020-13246-20260318012806/assets/proof.png",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2020-13246-20260318012806/assets/proof-dom.html",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2020-13246-20260318012806/logs/proof-console.json",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2020-13246-20260318012806/logs/proof-network.json",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2020-13246-20260318012806/logs/proof-page.json"
],
"baseline_refs": [
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2020-13246-20260318012806/assets/baseline.png",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2020-13246-20260318012806/assets/baseline-dom.html",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2020-13246-20260318012806/logs/baseline-console.json",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2020-13246-20260318012806/logs/baseline-network.json",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2020-13246-20260318012806/logs/baseline-page.json"
],
"proof_refs": [
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2020-13246-20260318012806/assets/proof.png",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2020-13246-20260318012806/assets/proof-dom.html",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2020-13246-20260318012806/logs/proof-console.json",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2020-13246-20260318012806/logs/proof-network.json",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2020-13246-20260318012806/logs/proof-page.json"
],
"baseline_title": "Gitea Proxy Boundary Fixture",
"proof_title": "Gitea Proxy Boundary Fixture - proof",
"error_kind": null,
"reason": null
},
"container_log_refs": [
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2020-13246-20260318012806/logs/docker/app.log"
],
"request_log_refs": [
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2020-13246-20260318012806/logs/attack.json",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2020-13246-20260318012806/logs/baseline.json"
],
"compose_refs": [
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2020-13246-20260318012806/compose/compose.yaml"
],
"timeline": [
{
"at": "2026-03-18T01:28:06+00:00",
"step": "select-advisory",
"status": "completed",
"detail": "gitea--CVE-2020-13246"
},
{
"at": "2026-03-18T01:28:06+00:00",
"step": "resolve-repro-profile",
"status": "completed",
"detail": "gitea-proxy-boundary"
},
{
"at": "2026-03-18T01:28:07+00:00",
"step": "doctor",
"status": "completed",
"detail": "all checks passed"
},
{
"at": "2026-03-18T01:28:10+00:00",
"step": "provision-compose-environment",
"status": "ready",
"detail": ""
},
{
"at": "2026-03-18T01:28:10+00:00",
"step": "wait-ready",
"status": "completed",
"detail": "baseline urls ready (1)"
},
{
"at": "2026-03-18T01:28:10+00:00",
"step": "seed-environment",
"status": "completed",
"detail": "steps=1"
},
{
"at": "2026-03-18T01:28:10+00:00",
"step": "baseline-snapshot",
"status": "completed",
"detail": "urls=1"
},
{
"at": "2026-03-18T01:28:10+00:00",
"step": "browser-replay-before-attack",
"status": "completed",
"detail": ""
},
{
"at": "2026-03-18T01:28:10+00:00",
"step": "controlled-attack-chain",
"status": "completed",
"detail": "steps=1"
},
{
"at": "2026-03-18T01:28:11+00:00",
"step": "browser-replay-after-attack",
"status": "completed",
"detail": ""
},
{
"at": "2026-03-18T01:28:11+00:00",
"step": "collect-logs-and-evidence",
"status": "completed",
"detail": "container_logs=1"
},
{
"at": "2026-03-18T01:28:13+00:00",
"step": "cleanup-compose-environment",
"status": "completed",
"detail": "docker compose down completed"
},
{
"at": "2026-03-18T01:28:13+00:00",
"step": "update-registry-and-reports",
"status": "completed",
"detail": "gitea-gitea--CVE-2020-13246-20260318012806"
}
],
"success_evaluation": {
"passed": true,
"verification_status": "verified-real",
"blocked_reason": null,
"assertions": [
{
"name": "baseline-ok",
"kind": "baseline-ok",
"passed": true,
"detail": "baseline URLs responded without 5xx or transport errors"
},
{
"name": "runner-success",
"kind": "runner-success",
"passed": true,
"detail": "trusted forwarded headers crossed the boundary"
},
{
"name": "browser-present",
"kind": "browser-present",
"passed": true,
"detail": "browser evidence captured"
}
]
},
"historical_status": "verified-real",
"latest_status": "verified-real",
"started_at": "2026-03-18T01:28:06+00:00",
"finished_at": "2026-03-18T01:28:13+00:00",
"blocked_reason": null,
"report_refs": {
"bundle_dir": "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2020-13246-20260318012806",
"report_md": "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2020-13246-20260318012806/report.md",
"report_html": "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2020-13246-20260318012806/report.html",
"timeline": "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2020-13246-20260318012806/timeline.mmd"
}
}

8
06-case-studies/generated-runs/gitea-gitea--CVE-2020-13246-20260318012806/timeline.mmd 普通文件
查看文件

@@ -0,0 +1,8 @@
flowchart LR
A["选择 Advisory"] --> B["解析 Repro Profile"]
B --> C["生成 Compose 环境"]
C --> D["采集基线快照"]
D --> E["执行受控攻击步骤"]
E --> F["浏览器回放验证"]
F --> G["收集日志与证据"]
G --> H["回写 Registry 与报告"]

26
06-case-studies/generated-runs/gitea-gitea--CVE-2021-28378-20260318012813/assets/baseline-dom.html 普通文件
查看文件

@@ -0,0 +1,26 @@
<!DOCTYPE html><html lang="zh-CN"><head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<title>Gitea Stored XSS Fixture</title>
<style>
body { font-family: sans-serif; background: #0f172a; color: #e2e8f0; margin: 0; padding: 32px; }
main { max-width: 900px; margin: 0 auto; background: #111827; border: 1px solid #334155; border-radius: 16px; padding: 24px; }
.proof { padding: 14px; border-radius: 12px; background: #14532d; color: #dcfce7; }
.baseline { padding: 14px; border-radius: 12px; background: #1e3a8a; color: #dbeafe; }
code { background: rgba(255,255,255,0.08); padding: 2px 6px; border-radius: 6px; }
</style>
</head>
<body>
<main>
<h1>Gitea Stored XSS Fixture</h1>
<p>Stored payload rendering path for browser proof capture.</p>
<div class="baseline">Baseline ready</div>
<p>System: <code>gitea</code> / Family: <code>xss</code></p>
</main>
</body></html>

二进制
06-case-studies/generated-runs/gitea-gitea--CVE-2021-28378-20260318012813/assets/baseline.png 普通文件
查看文件

二进制文件未显示。
双排

之后

宽度:  |  高度:  |  大小: 26 KiB

26
06-case-studies/generated-runs/gitea-gitea--CVE-2021-28378-20260318012813/assets/proof-dom.html 普通文件
查看文件

@@ -0,0 +1,26 @@
<!DOCTYPE html><html lang="zh-CN" data-xss-proof="true"><head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<title>Gitea Stored XSS Fixture - proof</title>
<style>
body { font-family: sans-serif; background: #0f172a; color: #e2e8f0; margin: 0; padding: 32px; }
main { max-width: 900px; margin: 0 auto; background: #111827; border: 1px solid #334155; border-radius: 16px; padding: 24px; }
.proof { padding: 14px; border-radius: 12px; background: #14532d; color: #dcfce7; }
.baseline { padding: 14px; border-radius: 12px; background: #1e3a8a; color: #dbeafe; }
code { background: rgba(255,255,255,0.08); padding: 2px 6px; border-radius: 6px; }
</style>
</head>
<body>
<main>
<h1>Gitea Stored XSS Fixture</h1>
<p>Stored payload rendering path for browser proof capture.</p>
<div class="proof">Proof active: stored payload rendered inside the browser proof page</div>
<p>System: <code>gitea</code> / Family: <code>xss</code></p>
<script>document.documentElement.setAttribute('data-xss-proof','true');document.title = "Gitea Stored XSS Fixture - proof";</script><div id="xss-proof">XSS marker executed for gitea--CVE-2021-28378</div>
</main>
</body></html>

二进制
06-case-studies/generated-runs/gitea-gitea--CVE-2021-28378-20260318012813/assets/proof.png 普通文件
查看文件

二进制文件未显示。
双排

之后

宽度:  |  高度:  |  大小: 37 KiB

某些文件未显示,因为此 diff 中更改的文件太多 显示更多