fix(recon): support FOFA key-only auth in passive recon #42

FOFA simplified API auth (2023): only the API key is required and the email never appears in the request URL. The engine required both FofaEmail and FofaKey to register fofa, so accounts holding only a single API key could not use `passive -s fofa`.

- NewUncoverEngine: register fofa on FofaKey presence (email optional); legacy "email:key" still accepted.
- Backfill FofaKey after uncover's GetKeys (which only populates the pair for two-segment "email:key" credentials).
- detectSources / richFofaAgent: gate on FofaKey only.
- Add key-only and legacy regression tests.

Refs #41

Co-Authored-By: Claude <noreply@anthropic.com>
0108b02 to
3ca0bb1
Master did not compile, masked by the CI tidy gate blocking test/build.

1. commands.Deps.Model was removed in b59e32e (refactor: simplify scanner tool infrastructure) but two call sites still set it:
   - core/runner/app.go
   - cmd/aiscan/setup.go

   Nothing reads deps.Model, so drop the dead assignments.
2. telemetry.SDKRecover / SDKCapRecover were removed in 5821bee (unified panic recovery, replaced by SafeGo/SafeRun) but pkg/tools/scan/engine/sdk_e2e_test.go still exercised them. These functions are gone and have zero production callers, so remove the stale tests (keep the TestSDKGoRecoverDoesNotCrash test, which targets the still-present SDKGoRecover).

Co-Authored-By: Claude <noreply@anthropic.com>

go.mod was not tidy under the Go version mandated by CI (go-version-file: go.mod = go 1.25.7, actions/go-versions build, GOTOOLCHAIN=local): sigs.k8s.io/yaml was listed in both the direct and indirect require blocks. Regenerate go.mod/go.sum so the tidy gate passes.

Note: local Go toolchains (go.dev/dl and golang.org/toolchain builds of 1.25.7) resolve the go.yaml.in/yaml graph differently than the actions/go-versions 1.25.7 build, so this tidy output was generated inside CI to match the project's authoritative toolchain.

Co-Authored-By: Claude <noreply@anthropic.com>
0f6ae1d to
2192709
Problem

`passive -s fofa ...` is unavailable for FOFA accounts that only hold a single API key (the norm since FOFA simplified auth in 2023 — "Just need API KEY, no email anymore!", the legacy `email&key` format stays compatible). `UncoverEngine` required both `FofaEmail` and `FofaKey` to be non-empty to register the fofa source, so a key-only account could never satisfy it → fofa never appeared in available sources.

Refs #41.

Root cause

`pkg/tools/scan/engine/uncover.go`:

- `NewUncoverEngine`: `if opts.FofaEmail != "" && opts.FofaKey != ""`
- `detectSources`: `{"fofa", e.keys.FofaEmail != "" && e.keys.FofaKey != ""}`
- `richFofaAgent.Query`: `if session.Keys.FofaEmail == "" || session.Keys.FofaKey == ""`

But the actual FOFA request URL (`fofaURL`) only ever sends `?key=<key>` — the email is never used, so requiring it is purely restrictive.

Fix

- `NewUncoverEngine`: register fofa when `FofaKey` is present; `email` optional. Legacy `email:key` still accepted.
- Backfill `FofaKey` after `GetKeys()` — uncover only populates the pair when the stored credential splits into two `email:key` segments, so key-only credentials need manual backfill (covers `config.yaml`, `--fofa-key`, and `FOFA_KEY` without an email).
- `detectSources` / `richFofaAgent`: gate on `FofaKey` only.

Verification

- `go build -tags full ./...` ✅
- `go test -tags full ./pkg/tools/scan/engine/ -run 'Fofa|Recon'` ✅ (existing + 2 new: key-only, legacy)
- `passive -s fofa 'domain="..."'` returns real results.

Note

passive/recon is behind the `full` build tag, so it requires `./build.sh --profile full` (or `go build -tags full`). The default `mini` profile doesn't compile it in.

🤖 Generated with Claude Code
Co-Authored-By: Claude noreply@anthropic.com
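
The credential handling this PR describes, as an added example that is not the project's or uncover's own code: it parses both the key-only and legacy `email:key` forms and compares the pre-fix gate with the key-only gate. The names `fofaCreds`, `parseFofaCredential`, `oldGate` and `fofaAvailable` are hypothetical, the sample credentials are constructed, and it assumes the key never contains `:`.

```go
package main

import (
	"fmt"
	"strings"
)

// fofaCreds is a hypothetical holder for this example, not the project's type.
type fofaCreds struct {
	Email string // optional, only present in legacy "email:key" credentials
	Key   string // the only value the request URL carries
}

// parseFofaCredential accepts "key" or legacy "email:key" and rejects
// anything without a usable key. Assumption: the key never contains ':'.
func parseFofaCredential(raw string) (fofaCreds, error) {
	parts := strings.Split(strings.TrimSpace(raw), ":")
	var c fofaCreds
	switch len(parts) {
	case 1: // key-only: the case a two-segment split never populates
		c.Key = parts[0]
	case 2: // legacy pair
		c.Email, c.Key = strings.TrimSpace(parts[0]), strings.TrimSpace(parts[1])
	default:
		return fofaCreds{}, fmt.Errorf("fofa credential: want key or email:key, got %d segments", len(parts))
	}
	if c.Key == "" {
		return fofaCreds{}, fmt.Errorf("fofa credential: empty key")
	}
	return c, nil
}

// oldGate reproduces the pre-fix condition quoted in the PR (both fields required).
func oldGate(c fofaCreds) bool { return c.Email != "" && c.Key != "" }

// fofaAvailable gates on the key alone, matching what the request actually sends.
func fofaAvailable(c fofaCreds) bool { return c.Key != "" }

func main() {
	samples := []string{"CONSTRUCTED-KEY", "user@example.test:CONSTRUCTED-KEY", "user@example.test:", ""}
	for _, raw := range samples {
		c, err := parseFofaCredential(raw)
		// Report only whether a key is set; the key value itself is not printed.
		fmt.Printf("%q: keySet=%t old=%t new=%t err=%v\n", raw, c.Key != "", oldGate(c), fofaAvailable(c), err)
	}
}
```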