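---
# Lab profile: forwarded-header (proxy) trust-boundary fixture for Gitea.
# Everything here targets a local, disposable fixture container only
# (see allowed_target_types and cleanup_policy at the bottom).
#
# NOTE(review): indentation was lost in the listing this file was recovered
# from. The nesting of vuln_family (under match_rules) and of
# runner_id / fixture_path (under artifact_source) is inferred -- confirm
# against the consumer's schema before relying on it.
profile_id: gitea-proxy-boundary
system_id: gitea

# Selects this profile for findings that mention proxy / header-trust issues.
match_rules:
  keywords:
    - proxy
    - header trust
  vuln_family: proxy-boundary

provisioning_mode: real
verification_mode: real
artifact_mode: local-fixture

artifact_source:
  strategy: local-minimal-fixture
  runner_id: gitea.proxy-boundary
  # NOTE(review): absolute path into one developer's home directory; the
  # profile only resolves on a host with this exact checkout location.
  fixture_path: /Users/x/websafe/00-environments/templates/fixtures/gitea/proxy-boundary

required_services:
  - app

seed_actions:
  - kind: note
    message: Seed forwarded-header boundary fixture with clean state.

# Plain GET of the landing page; paired with the baseline-ok assertion below.
baseline_actions:
  - kind: http-get
    path: /

attack_actions:
  - kind: note
    message: Runner performs local forwarded-header trust proof only inside the fixture.

browser_assertions:
  required: true

success_criteria:
  - Local fixture proves trusted proxy headers cross the admin boundary.

success_assertions:
  - name: baseline-ok
    type: baseline-ok
  - name: runner-success
    type: runner-success
  - name: browser-present
    type: browser-present

services:
  app:
    # Tag only, not pinned by digest: the image content can change between
    # pulls. Consider python:3.12-alpine@sha256:<digest-placeholder>.
    image: python:3.12-alpine
    working_dir: /workspace
    command:
      - python
      - /workspace/00-environments/templates/fixtures/shared/python_fixture.py
    environment:
      LAB_FIXTURE_SCENARIO: /workspace/00-environments/templates/fixtures/gitea/proxy-boundary/scenario.json
      # Quoted so the value stays a string for the container environment.
      PORT: "3000"
    ports:
      # Publish on loopback only. The original "18101:3000" form publishes on
      # every host interface, which would expose a deliberately weak
      # header-trust fixture to the local network. baseline_urls already uses
      # 127.0.0.1, so nothing in this profile needs wider reachability.
      # Assumes this block is handed to Docker Compose (short port syntax) --
      # confirm the runner passes it through unchanged.
      - "127.0.0.1:18101:3000"
    volumes:
      # Read-only bind mount: the fixture cannot modify the host checkout.
      # NOTE(review): this mounts the whole repository; the command and
      # scenario path only reference 00-environments/templates/fixtures.
      - /Users/x/websafe:/workspace:ro
    healthcheck:
      test:
        - CMD-SHELL
        - 'wget -q -O - http://127.0.0.1:3000/healthz >/dev/null 2>&1 || exit 1'
      # 20 retries at 2s intervals is about 40s, inside ready_timeout_seconds.
      interval: 2s
      timeout: 2s
      retries: 20

baseline_urls:
  - http://127.0.0.1:18101/

ready_timeout_seconds: 45

# Tear the fixture down after the run so no weak service is left listening.
cleanup_policy: destroy
destructive_risk: low

# Guardrail: this profile may only be run against the local lab fixture.
allowed_target_types:
  - lab-local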