Major additions:
- Community Next.js app (port 18187) for browsing claims with API docs
- stemedb-chaos crate: Fault injection, chaos testing, CRDT properties
- Latent ingestion system: Reddit/FDA ingesters with ADK-Go agents
- Disputed claims handling: Manual review workflows and validation
- Aphoria security scanner: New extractors (SQL injection, command injection, weak crypto, TLS version), policy-based ignores, UAT reports
- Docker infrastructure: Dockerfile, docker-compose.yml for full stack
- VulnBank demo: Intentionally vulnerable multi-language test corpus

SDK & API enhancements:
- Source registry handlers for tracking data provenance
- Metrics endpoint
- Skeptic filtering improvements

Code quality:
- Split 14 large files (>500 lines) into focused modules
- All files now under 500-line limit per project guidelines

Documentation:
- Chaos testing guide, circuit breakers, observability docs
- Phase 7 UAT documentation updates
- Martin Kleppmann technical writer agent

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
56 lines
1.5 KiB
Rust
//! TLS Configuration - Contains intentional vulnerabilities
//!
//! Vulnerabilities:
//! - Certificate verification disabled
//! - Insecure TLS versions allowed

use reqwest::ClientBuilder;

/// VULNERABILITY: TLS certificate verification disabled
/// Allows man-in-the-middle attacks
pub async fn fetch_insecure(url: &str) -> Result<String, String> {
    let client = ClientBuilder::new()
        // BLOCK: danger_accept_invalid_certs disables certificate verification
        .danger_accept_invalid_certs(true)
        .build()
        .map_err(|e| e.to_string())?;

    client.get(url)
        .send()
        .await
        .map_err(|e| e.to_string())?
        .text()
        .await
        .map_err(|e| e.to_string())
}

/// VULNERABILITY: Invalid hostnames accepted
/// Combined with invalid certs, completely breaks TLS security
pub async fn fetch_no_hostname_check(url: &str) -> Result<String, String> {
    let client = ClientBuilder::new()
        // BLOCK: danger_accept_invalid_hostnames allows hostname mismatch
        .danger_accept_invalid_hostnames(true)
        .danger_accept_invalid_certs(true)
        .build()
        .map_err(|e| e.to_string())?;

    client.get(url)
        .send()
        .await
        .map_err(|e| e.to_string())?
        .text()
        .await
        .map_err(|e| e.to_string())
}

#[cfg(test)]
mod tests {
    use super::*;

    #[tokio::test]
    async fn test_insecure_tls_patterns() {
        // These patterns should be detected by Aphoria
        // Don't actually run - just verify code compiles
    }
}
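The test module above states that these patterns "should be detected by Aphoria". As an added example (not Aphoria's own extractor and not part of the VulnBank corpus), here is a minimal line-based detector for the two reqwest builder calls this file misuses; the `Finding` type, its messages and the `SAMPLE` input are constructed for this example, and it only flags a call when the argument is literally `true`, ignoring `false` and mentions inside `//` comments.

```rust
// Added example (not VulnBank or Aphoria code): a line-based extractor for the
// two reqwest TLS bypasses used in the file above. Messages and SAMPLE are constructed.
#[derive(Debug, Clone, PartialEq)]
pub struct Finding {
    pub line: usize,           // 1-based line in the scanned source
    pub pattern: &'static str, // builder method that was passed `true`
    pub message: &'static str,
}

/// reqwest `ClientBuilder` methods that remove a TLS guarantee when passed `true`.
const DANGEROUS_CALLS: &[(&str, &str)] = &[
    ("danger_accept_invalid_certs", "certificate verification disabled (MITM possible)"),
    ("danger_accept_invalid_hostnames", "hostname verification disabled (any valid cert accepted)"),
];

/// Drop a trailing `//` comment so the method name inside a comment is not a finding.
/// Caveat: `//` inside a string literal (e.g. a URL) also truncates the line.
fn strip_line_comment(line: &str) -> &str {
    line.find("//").map_or(line, |i| &line[..i])
}

/// True when `code` contains `call(true)`, tolerating whitespace inside the parentheses;
/// `call(false)` and a bare mention of the name do not match.
fn calls_with_true(code: &str, call: &str) -> bool {
    let compact: String = code.split_whitespace().collect();
    compact.contains(&format!("{}(true)", call))
}

/// Scan Rust source text and report every dangerous call, in line order.
pub fn scan_rust_source(src: &str) -> Vec<Finding> {
    let mut findings = Vec::new();
    for (idx, raw) in src.lines().enumerate() {
        let code = strip_line_comment(raw);
        for &(pattern, message) in DANGEROUS_CALLS {
            if calls_with_true(code, pattern) {
                findings.push(Finding { line: idx + 1, pattern, message });
            }
        }
    }
    findings
}

/// Constructed input mirroring the patterns in the file above; lines 3 and 4 are findings.
pub const SAMPLE: &str = r#"// BLOCK: danger_accept_invalid_certs disables certificate verification
let client = ClientBuilder::new()
    .danger_accept_invalid_certs(true)
    .danger_accept_invalid_hostnames( true )
    .build();
let safe = ClientBuilder::new().danger_accept_invalid_certs(false).build();
"#;

fn main() {
    for f in scan_rust_source(SAMPLE) { println!("line {}: {} -> {}", f.line, f.pattern, f.message); }
}
```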