deps: bump the chainreactors group across 1 directory with 2 updates #155

Closed
dependabot[bot] wants to merge 424 commits into master from dependabot/go_modules/chainreactors-90a910988b

dependabot Bot commented on behalf of github Jun 14, 2026

Bumps the chainreactors group with 2 updates in the / directory: github.com/chainreactors/fingers and github.com/chainreactors/proton.

Updates github.com/chainreactors/fingers from 1.2.1-0.20260608084741-385e7d586d6f to 1.2.1

Release notes

Sourced from github.com/chainreactors/fingers's releases.

v1.2.1

Features

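  • xray: add an xray fingerprint engine that performs fingerprinting based on converted xray POCs
  • xray: load templates via templates.Load, with opt-in automatic adaptation of the xray POC format
  • fingerprinthub: unified AC matcher prediction + shared utility function refactor
  • fingers: AC keyword pre-filtering + RE2 as the default regex engine
  • fingers: AC parsing fast path for simple fingerprints
  • fingers: 1MB benchmarks covering the all-fingerprints and regex-only scenarios
  • TinyGo template cleaner and sender compatibility support
  • Add the fingerverify command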

Bug Fixes

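  • active-match: fix shared template mutation; clients are now allocated per execution thread
  • active-match: HTTPActiveMatch callback returned the wrong framework and template compile options were lost (PR #26
  • Fix passing of extractor results across the request chain in multi-request templates
  • Template variables are evaluated before ExecuteWithResults to avoid unresolved variables
  • Prevent nil-map panic (pass a non-nil map to ExecuteWithResults)
  • AC fast path preserves match details
  • fingerprinthub: DSL/regex matchers preserve original case in body and headers
  • Use per-template ExecuterOptions to prevent variable overwrites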

Refactor

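  • Engine-level CaseInsensitive switch unifies the case-matching strategy
  • xray engine switched to Template.Execute; fingerprinthub keeps the fast path
  • Remove hasUnresolvedVars from the xray engine
  • No longer embed fingerprinthub_xray_web (internal data is now loaded by the Provider)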

CI

  • Add test workflow + Go 1.17/1.11 compatibility builds
  • Enable Dependabot automatic dependency updates

Dependencies

  • neutron → c816917 (converter registry + variable system refactor)
  • utils → 6465cb8
Commits

Updates github.com/chainreactors/proton from 0.2.1-0.20260608085216-03df34ba928d to 0.3.0

Release notes

Sourced from github.com/chainreactors/proton's releases.

v0.3.0

proton v0.3.0

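proton has been refactored from a file scanning tool into a pure matching-engine SDK. All data collection, CLI, Runner and other high-level functionality has been migrated to found.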

Breaking Changes

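  • Removed Scanner.Scan(): directory traversal is no longer built in
  • Removed ProcessFile(): replaced by ReadFile() + ScanData()
  • Removed the CLI entry point and pkg/runner/sysinfo/ (migrated to found)
  • FFI: removed built-in templates; ProtonNewScanner is now path-based
  • template.Execute switched to the Scanner backend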

SDK API

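| API | Mode | Purpose |
| --- | --- | --- |
| ScanData([]byte, label, group) | One-shot, line by line | Text matching |
| ScanBlock([]byte, label, group) | One-shot, sliding window | Binary matching |
| NewLineWriter(label, cb) | Streaming io.WriteCloser | Continuous text stream |
| NewBlockWriter(label, cb) | Streaming io.WriteCloser | Continuous binary stream |
| ReadFile(path, group) | File read | Returns []FileContent |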

Three-layer matching pipeline

prefilter (bytes.Contains) → Aho-Corasick DFA → RE2 regex

FFI (C ABI)

int    ProtonNewScanner(const char* templatePath);
char*  ProtonScanData(int handle, const void* data, int len, const char* label);
char*  ProtonScanBlock(int handle, const void* data, int len, const char* label);
void   ProtonFreeScanner(int handle);
void   ProtonFreeString(char* s);

Can be integrated from Python/Rust/C/C++ or any other language with a C FFI.

Template API

tmpl.Compile(opts)
tmpl.Execute(path)          // file scan
tmpl.ScanData(data, label)  // text matching
tmpl.ScanBlock(data, label) // binary matching
Commits

M09Ic added 30 commits January 28, 2023 15:43
checkonly supports upgrade and redirect
Add --match for checkonly to specify a filter
Fix bug where wg was miscounted for redirect
M09Ic and others added 21 commits May 8, 2026 10:12
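- FingerEngine nil check to prevent panic when uninitialized (baseline.go, fingers.go)
- Add state checks to log/color/fingerprint engine/Extractor registration to prevent repeated setup when the SDK is called multiple times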

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
… faster startup

- go:generate now uses -embed flag to produce //go:embed binary data
- templates.go reduced from 125KB base64 source to 0.9KB + 93KB .bin files
- binary saves ~28KB (removes base64 decode overhead at runtime)
- templates submodule updated with embed-aware generator

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Bug fixes:
- Defer scopeLocker.Unlock in doScopeCrawl (deadlock on panic)
- Defer statsMu.Unlock in recordStat (deadlock on panic)
- Defer RUnlock in resource_provider.LoadConfig via inline func
- Fix data race in invoke(): move bl field writes before doRedirect
- Close response body on ReadAll error (connection leak)
- Add defer raw.Close() for raw file parsing (fd leak)
- Safe type assertion in load.go keyword parsing (panic on bad YAML)
- Check ants pool creation errors in NewBrutePool/NewCheckPool

New tests (15 test functions):
- pool_test.go: scopeLocker panic recovery, cancel mid-processing,
  single-threaded map access, valid pool creation
- runner_test.go: concurrent recordStat safety, nil stat handling
- load_test.go: malformed YAML tolerance, valid YAML loading
- e2e_test.go: normal brute scan, context cancellation, server errors,
  WAF behavior, multi-target check mode, mixed status codes

CI hardening:
- Add -race detector (Linux, -short mode)
- Add -timeout 300s to prevent deadlock hangs

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Root cause: the atomic.Bool + polling monitor goroutine pattern had a
race between wg.Wait() in the monitor and wg.Add(1) in the main loop.
When the monitor observed done=true and started Wait, the main loop
could still dispatch new work, causing Close().wg.Wait() to hang.

Fix: replace with nil-channel + sync.Once pattern. When the word stream
exhausts or limit is hit, worderCh is set to nil (disabling that select
branch permanently), then a single goroutine waits for wg to reach zero.
Since wg.Add(1) only occurs in the worderCh branch, nil-ing it before
Wait guarantees no new Add after Wait starts — no race possible.

Other fixes:
- Task feeder goroutine now ctx-aware (prevents leak on cancel)
- AddPool checks Invoke error (prevents poolwg counter mismatch)
- Revert resource_provider IIFE (reading a struct field cannot panic)
- Remove E2E -short skip (race is fixed, full coverage in CI)
- Fix Go 1.24+ vet: non-constant format strings in Init()

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
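
The shutdown ordering this commit message describes, as an added Go example (not code from spray or from this pull request): `runPool`, `src`, `stop`, `done` and the sample words are hypothetical, while `worderCh` and `wg` follow the names in the message. Setting `worderCh` to nil before the waiter starts means no `wg.Add` can run after `wg.Wait` begins, and the feeder exits on context cancellation instead of leaking.

```go
package main

import (
	"context"
	"fmt"
	"sync"
	"sync/atomic"
)

// runPool is a hypothetical dispatcher (not spray's code); returns words processed.
func runPool(parent context.Context, words []string, limit int) int {
	ctx, cancel := context.WithCancel(parent)
	defer cancel() // releases the feeder if we stop before it has sent everything
	src := make(chan string)
	go func() { // ctx-aware feeder: never blocks forever on a send nobody reads
		defer close(src) // cancellation also ends the stream for the loop below
		for _, w := range words {
			select {
			case src <- w:
			case <-ctx.Done():
				return
			}
		}
	}()
	var wg sync.WaitGroup
	var once sync.Once
	var processed int64
	worderCh, done := (<-chan string)(src), make(chan struct{})
	stop := func() {
		worderCh = nil // receiving from a nil channel blocks forever: no wg.Add after this
		once.Do(func() { go func() { wg.Wait(); close(done) }() }) // exactly one waiter
	}
	for sent := 0; ; sent++ {
		select {
		case w, ok := <-worderCh:
			if !ok || sent >= limit { // stream exhausted, cancelled, or limit hit
				stop()
				continue
			}
			wg.Add(1) // the only Add site, and it lives in the branch stop() disables
			go func(string) { defer wg.Done(); atomic.AddInt64(&processed, 1) }(w)
		case <-done: // closed only after every dispatched worker has called Done
			return int(atomic.LoadInt64(&processed))
		}
	}
}

func main() {
	fmt.Println(runPool(context.Background(), []string{"admin", "api", "backup"}, 2)) // constructed words
}
```
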
Root cause: doCheck() called reqPool.Invoke() from the Handler goroutine.
When all reqPool workers blocked on sendProcess waiting for Handler to
drain processCh, and Handler blocked on Invoke waiting for a free worker,
a circular wait formed.

Fix: doCheck now uses addAddition() to submit check requests via
additionCh consumed by the Run loop, breaking the circular dependency.

Before: 16 targets x 500 words = HANG (>130s)
After:  16 targets x 500 words = 1.8s

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…fter fingerprint detection

Supports check mode (exploit verification via finger field) and brute mode
(default credential testing via zombie/tags field). POC templates are only
executed against targets whose fingerprints match, avoiding blind scanning.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…ncel

When ctx is cancelled (e.g. IsFailed threshold), the Run loop breaks
and stops reading additionCh. But doCheck (now via addAddition) may
have queued items with wg.Add(1) that no one consumes. Close().wg.Wait()
hangs forever.

Fix: spawn a drain goroutine in Close() before wg.Wait() that consumes
and Done()s remaining additionCh items, then close the channel after
Wait returns.

Verified: 16 IPs x 2 ports x 1000 words completes with EXIT 0.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Fingers now defaults to RE2 regex engine with AC pre-filtering.
No build tag changes needed — RE2 is the new default.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The file was referenced by //go:embed but never committed,
causing build failures when consumed as a remote Go module.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
go generate with the updated templates submodule (7d5675c) produces
different embedded data and code. Key changes:
- cmd/cmd.go: logs.Info/Important → logs.InfoLevel/ImportantLevel
- pkg/templates.go: remove proton_rules.bin/neutron.bin embeds (no longer needed)
- core/baseline: use ProtonExtract instead of Extractors.Extract
- core/format: list proton extractor names
- Update embedded binary data files

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The replace pinned a pre-v1.0.3 pseudo-version up to the v1.0.3 release.
proxyclient v1.1.0 is now published, so require it directly and remove
the replace. Core schemes (SOCKS/SOCKS5/HTTP/HTTPS) cover spray's proxy
use; the extra protocols (trojan/vmess/ssh/...) are split into separate
modules in v1.1.0 but spray doesn't use them. go build ./... passes.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
gomod (grouped golang.org/x/* and chainreactors/*) plus github-actions where present. No ignore on chainreactors/* so inter-repo deps are auto-updated.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…, and new rules

- parsers.Extracted: add Severity and Items (ExtractItem with ctx/line/offset)
- ProtonExtract: preserve severity from templates, capture N-char context around matches
- Add --extract-context CLI flag (default 0, e.g. --extract-context 50)
- Add word matchers pre-filtering to 14 existing templates for performance
- Add 9 new HaE-inspired rules: lfi-indicator, upload-form, url-as-value,
  location-redirect, mac-address, sensitive-field, linkfinder, url-schemes,
  authorization-header
- Total proton templates: 45 (was 35)
- Update ColorString/TreeString to render severity and context
- Comprehensive tests for severity, context, new templates, tag mappings

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Fix proton import path change: protocols/file -> proton/file
Remove local replace directive for parsers

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

dependabot Bot commented on behalf of github Jun 14, 2026

Labels

The following labels could not be found: dependencies, go. Please create them before Dependabot can add them to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

M09Ic and others added 2 commits June 16, 2026 03:17
Mirrors gogo's ResourceLoader pattern. SDK spray engine sets it to
no-op after init, preventing RunWithArgs from reloading ports/fingers/templates.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Bumps the chainreactors group with 2 updates in the / directory: [github.com/chainreactors/fingers](https://github.com/chainreactors/fingers) and [github.com/chainreactors/proton](https://github.com/chainreactors/proton).


Updates `github.com/chainreactors/fingers` from 1.2.1-0.20260608084741-385e7d586d6f to 1.2.1
- [Release notes](https://github.com/chainreactors/fingers/releases)
- [Commits](https://github.com/chainreactors/fingers/commits/v1.2.1)

Updates `github.com/chainreactors/proton` from 0.2.1-0.20260608085216-03df34ba928d to 0.3.0
- [Release notes](https://github.com/chainreactors/proton/releases)
- [Commits](https://github.com/chainreactors/proton/commits/v0.3.0)

---
updated-dependencies:
- dependency-name: github.com/chainreactors/fingers
  dependency-version: 1.2.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: chainreactors
- dependency-name: github.com/chainreactors/proton
  dependency-version: 0.3.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: chainreactors
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot Bot changed the title from "deps: bump the chainreactors group with 2 updates" to "deps: bump the chainreactors group across 1 directory with 2 updates" Jun 21, 2026
dependabot Bot force-pushed the dependabot/go_modules/chainreactors-90a910988b branch from d49d0e2 to 8db6762 June 21, 2026 20:03
M09Ic closed this Jun 23, 2026

dependabot Bot commented on behalf of github Jun 23, 2026

This pull request was built based on a group rule. Closing it will not ignore any of these versions in future pull requests.

To ignore these dependencies, configure ignore rules in dependabot.yml

dependabot Bot deleted the dependabot/go_modules/chainreactors-90a910988b branch June 23, 2026 15:39