871 Commits

Author SHA1 Message Date
dextmorgn
0d092c44f0 Merge pull request #191 from Ghraven/fix/fraudscore-aware-utc
fix: use aware timestamp for fraud score updates
v1.2.11
2026-07-01 10:50:59 +02:00
dextmorgn
e02d548578 Merge pull request #193 from Ghraven/fix/core-aware-utc-cutoffs
fix(core): use aware UTC timestamps
2026-06-24 09:29:32 +02:00
Ghraven
d049cb1e3e fix(core): use aware UTC timestamps 2026-06-24 15:03:31 +08:00
dextmorgn
db4ab1b5ca Merge pull request #178 from aaronjmars/security/host-header-allowlist-dns-rebinding
fix(security): Host-header allowlist + restore dropped security headers
2026-06-22 17:10:22 +02:00
dextmorgn
0c5a6bfabc fix(tools): align test fixtures with current GraphNode shape
Also fix root .gitignore accidentally shadowing flowsint-app/src/lib/
via Python venv lib/ rule — add negation to unblock tracking.
2026-06-21 16:58:21 +02:00
dextmorgn
c84b96cced chore(husky): remove deprecated shell shim from commit-msg hook 2026-06-21 16:40:57 +02:00
dextmorgn
1f57cb0904 fix(security): bump dompurify and cryptography to patched versions
- dompurify 3.3.0 → 3.4.11 (XSS bypass CVEs via tiptap)
- cryptography 46.0.7 → 48.0.1 (vulnerable OpenSSL in wheels)
2026-06-21 16:39:21 +02:00
dextmorgn
65c7ba2c01 style(vault): simplify empty state and keys table UI
Replace over-designed empty state (gradient card, badge row, clip-text)
with plain centered layout matching app empty-state pattern.
Strip table of gradient hovers, animated icon boxes, and decorative
clock pills — plain rows, plain header.
2026-06-21 16:27:13 +02:00
dextmorgn
f06989447e fix(graph): wrap clip in save/restore to prevent canvas state leak
ctx.clip() without save/restore was permanently mutating the clipping
region across all subsequent canvas draw calls, causing uncontrollable
scaling on nodes and background when a node had an imageUrl.
2026-06-21 16:13:23 +02:00
dextmorgn
2a378954ae fix(types): make username not required for SocialAccount 2026-06-21 16:02:21 +02:00
Ghraven
0485fc1746 fix: use aware timestamp for fraud score updates 2026-06-21 19:38:07 +08:00
dextmorgn
ee66f8e0fc Merge pull request #182 from rachit367/feat/domain-to-dns-enricher
feat(enrichers): add domain_to_dns enricher using dnsx
2026-06-20 18:03:09 +02:00
dextmorgn
7ea36bb9af Merge pull request #183 from rachit367/feat/technology-type-and-tech-detect
feat(types,enrichers): add Technology type and tech_detect transformer
2026-06-20 17:57:53 +02:00
dextmorgn
9218948b35 Merge pull request #181 from zurtix/main
feat(custom types): added category to custom types for organization
2026-06-20 17:54:26 +02:00
dextmorgn
48d1df13d6 Merge pull request #185 from rachit367/feat/detect-file-hashes
feat(types): detect MD5/SHA1/SHA256 file hashes on import
2026-06-20 17:50:13 +02:00
dextmorgn
fe8a4a3210 fix: make nginx resolver Podman-compatible
Remove Docker-specific resolver (127.0.0.11) in favor of direct
proxy_pass, which falls back to the system resolver (/etc/resolv.conf).
Mount local nginx.conf into the prod image to override the baked-in config.
2026-06-20 17:44:57 +02:00
dextmorgn
ddc943790b Merge pull request #187 from localzet/main
fix: "exec /docker-entrypoint.sh: exec format error" in flowsint-app
2026-06-18 08:49:08 +02:00
dextmorgn
80969367e6 Merge pull request #189 from Ghraven/feat/export-selected-json
feat: export selected graph nodes as JSON
2026-06-18 08:45:40 +02:00
dextmorgn
67c7c4a833 Merge pull request #190 from Ghraven/fix/yaml-loader-utf8
fix: read YAML templates as UTF-8
2026-06-18 08:44:27 +02:00
Ghraven
38c7a72cb1 fix: read YAML templates as UTF-8 2026-06-13 22:47:15 +08:00
Ghraven
cf2bc1ec07 feat: export selected graph nodes as JSON 2026-06-12 04:24:00 +08:00
dextmorgn
3885f8b4d1 Merge pull request #188 from Ghraven/fix/remove-frontend-debug-logs
fix(ui): remove frontend debug console logs
2026-06-11 12:37:11 +02:00
Ghraven
8de27796b0 fix(ui): remove frontend debug console logs 2026-06-11 13:55:17 +08:00
Ivan Zorin
eedbeb4013 chore: update nginx base image to version 1.29-alpine 2026-06-09 14:05:54 +03:00
rachit367
2e12e42bba feat(types): detect MD5/SHA1/SHA256 file hashes on import
TXT imports of file hashes were detected as Username, because File.detect
always returned False and Username.detect matches any 3-80 char
alphanumeric string. Hashes therefore couldn't be used as File entities
to pivot from (VirusTotal, MalwareBazaar, sandboxes), per #45.

- File.detect now recognizes 32/40/64-char hex strings (MD5/SHA1/SHA256),
  and File.from_string stores the value in the matching hash_* field
  (normalized to lowercase) while keeping it as the filename/label.
- Username.detect now explicitly rejects hash-shaped strings, so hash
  detection is correct regardless of type-registration order (File is
  already registered before Username, but this removes the implicit
  dependency).

Tests cover detection of each hash type (case/whitespace), rejection of
non-hashes, from_string field population, the Username regression, and
end-to-end detect_type() resolution to File.

Closes #45
2026-06-09 11:30:37 +05:30
rachit367
63a97a76f7 feat(types,enrichers): add Technology type and tech_detect transformer
Adds application-level technology fingerprinting, extending coverage
beyond ip/port/website/ssl_certificate as requested in #59.

- New `Technology` type (name, version, category, source) registered in
  the type registry, the package exports, and TYPE_TO_MODEL. Its
  from_string accepts both bare names ("nginx") and wappalyzer-style
  "name:version" pairs ("PHP:8.1").
- New `tech_detect` enricher: Website -> Technology, using the existing
  httpx tool with -td (wappalyzer dataset). Each detected technology
  becomes a Technology node linked to the website with a
  USES_TECHNOLOGY relationship; results are de-duplicated per probe.

Tests cover the Technology type (label, from_string, registry), the
tech entry parser, enricher registration/metadata, and scan() with the
httpx Docker tool mocked, so no Docker daemon is required.

Closes #59
2026-06-09 10:45:43 +05:30
rachit367
b4e5102592 feat(enrichers): add domain_to_dns enricher using dnsx
Adds a `domain_to_dns` enricher that resolves a domain's A (IPv4) and
AAAA (IPv6) records through ProjectDiscovery's dnsx, emitting each
resolved IP as an `Ip` node linked to the domain with a `RESOLVES_TO`
relationship.

This complements the existing `domain_to_ip` enricher (which uses
Python's socket.gethostbyname and is limited to a single IPv4 result)
by leveraging the dnsx toolkit for full A/AAAA resolution.

Implementation:
- Extend DnsxTool with `resolve_domain()` that runs
  `dnsx -d <domain> -a [-aaaa] -json -silent` and parses the JSONL
  output (a/aaaa fields per retryabledns.DNSData) into a de-duplicated
  IP list. The existing CIDR `launch()` path is left untouched.
- New DomainToDnsEnricher (auto-registered via @flowsint_enricher) with
  an optional `ipv6` toggle and optional PDCP_API_KEY vault secret.
- Unit tests covering registry wiring, JSONL parsing (A/AAAA, dedup,
  blank/malformed lines, empty output) and scan() with the Docker tool
  mocked, so no Docker daemon is required to run them.

Closes #79
2026-06-09 10:28:32 +05:30
Eric
25b735b2a2 Merge branch 'main' of github.com:zurtix/flowsint 2026-06-07 08:57:04 -04:00
Eric
a7d5861d5b Fixed type for custom type in type_registry_service to revert back to using name as to not break graph 2026-06-07 08:54:20 -04:00
Eric Howard
86b254bbf9 Custom types replaced with proper custom_types_category value 2026-06-06 18:48:05 -04:00
Eric
fc9208865d Custom types replaced with proper custom_types_category value 2026-06-06 18:44:21 -04:00
Eric
f0b0b9bf82 Added category to custom types to reorginize into desired categories 2026-06-06 18:38:35 -04:00
aeonframework
0a3567af96 fix(security): Host-header allowlist + restore dropped security headers
Detected by Aeon + semgrep.
Severity: medium
CWE-350 (reverse-DNS trust) / CWE-352 (CSRF via DNS rebinding) / CWE-1021 (UI layering / dropped X-Frame-Options).

- Add `map $http_host $is_flowsint_host` allowlist + default-deny `if` at
  the top of the server block. Default permits localhost / 127.0.0.1 /
  ::1 (any port, case-insensitive); two commented-out template lines show
  LAN operators how to add their server hostname/IP.
- Re-declare the four `add_header` security headers in the static-assets
  and `/index.html` location blocks, which previously dropped them due to
  nginx`s replace-all add_header inheritance.
- README: one paragraph under "Deploy on a network" naming the new
  operator step alongside the existing `.env` rotation.
2026-06-05 20:45:38 +00:00
dextmorgn
12bf2937c1 Merge pull request #176 from reconurge/ci/python-tests
ci: run python tests on pull requests and main
v1.2.10
2026-06-05 15:47:32 +02:00
dextmorgn
612d39eadf test: provide dummy Neo4j credentials in conftest
Any code path reaching the Neo4jConnection singleton requires NEO4J_*
env vars at construction — tests only passed thanks to developers'
local .env files. Driver creation is lazy, nothing connects.

Verified by running all four suites with every .env removed:
458 passed.
2026-06-05 15:34:58 +02:00
dextmorgn
dc36ef633e test(core): factor out env-independent no-connection repo setup
Previous fix covered one occurrence; 17 other tests built
Neo4jGraphRepository(neo4j_connection=None), hitting the singleton
fallback that requires NEO4J_* env vars. Single helper, no env
dependency left.
2026-06-05 15:26:08 +02:00
dextmorgn
22c6908a0e test(core): stop relying on env credentials in no-connection test
Neo4jGraphRepository(neo4j_connection=None) falls back to the
Neo4jConnection singleton, which requires NEO4J_* env vars — the test
only passed locally thanks to .env. Pass a mock instead; the test
nulls _connection right after anyway.
2026-06-05 15:17:37 +02:00
dextmorgn
71e3a68830 fix(core): declare pyyaml dependency
flowsint_core imports yaml (template_generator_service, yaml_loader)
but never declared it — present locally only as a leftover in the
shared venv. CI's clean resolve exposed the missing declaration.
2026-06-05 15:10:18 +02:00
dextmorgn
a24551ed55 ci: provide REDIS_URL, also import-time required by flowsint_core 2026-06-05 14:43:37 +02:00
dextmorgn
17e36c9162 ci: provide AUTH_SECRET required at flowsint_core import 2026-06-05 14:32:12 +02:00
dextmorgn
07584ebc4a ci: run python tests on pull requests and main
Single entrypoint: CI calls `make test`, same as local development,
so the two can't drift. uv handles Python (.python-version) and
dependency sync; cache keyed on uv.lock.

Also add flowsint-api to `make test` — its suite existed but was
never wired in.
2026-06-05 14:24:34 +02:00
dextmorgn
db9f50d914 Merge pull request #175 from reconurge/fix/prebuilt-images-compose
fix(deploy): serve prod from pre-built images
2026-06-05 14:11:29 +02:00
dextmorgn
82925bec38 fix(deploy): serve prod from pre-built images
Frontend baked VITE_API_URL into the bundle at build time, so
published images pointed at whatever URL CI had — "fail to fetch"
for every other deployment. Bundle now defaults to same-origin
relative URLs and the frontend nginx proxies /api/ to the api
service over the Docker network; CORS becomes irrelevant.

- docker-compose.prod.yml: use ghcr images (FLOWSINT_VERSION,
  default latest), drop build sections; bind postgres/redis/neo4j/
  api ports to 127.0.0.1 — only 5173 faces the network
- nginx: /api/ reverse proxy, request-time DNS resolution, SSE
  support (proxy_buffering off)
- Makefile: prod pulls instead of building; remove dead deploy
  targets referencing nonexistent docker-compose.deploy.yml
- README: network/server deployment section (secrets checklist,
  version pinning, TLS via reverse proxy)
2026-06-05 14:04:16 +02:00
dextmorgn
f38d5d500d Merge pull request #174 from reconurge/chore/security-dependency-upgrades
fix(deps): upgrade Python dependencies to patch 27 known vulnerabilities
2026-06-05 13:21:03 +02:00
dextmorgn
9fcc60ca63 fix(deps): upgrade Python dependencies to patch 27 known vulnerabilities
pip-audit reported 27 vulnerabilities across 12 packages, including
cryptography PYSEC-2026-36 (CVSS 9.8) used by the vault, a starlette
Host-header path bypass, and python-multipart arbitrary file write.

- cryptography 45.0.7 -> 46.0.7 (pin was capped at <46)
- fastapi 0.115 -> 0.136, pulling starlette 0.46 -> 1.2
- python-multipart 0.0.20 -> 0.0.32
- pyjwt, urllib3, aiohttp, lxml, idna, mako and transitive bumps
- dev tools: pytest 8 -> 9 (requires pytest-httpx >=0.36), black 25 -> 26

All four module test suites pass (458 tests). pip-audit now reports
no known vulnerabilities.
2026-06-05 08:57:19 +02:00
dextmorgn
5cdfe727b4 Merge pull request #172 from melihdaskiran/fix/zip-and-vault-bugs
Fix zip alignment mismatch, phone validation return value, and vault …
2026-06-05 08:24:39 +02:00
Melih Daskiran
25eb3a0400 Fix zip alignment mismatch, phone validation return value, and vault owner_id type matching 2026-06-04 21:46:44 +03:00
dextmorgn
259019f23c fix(build): force LF on container files via .gitattributes
Windows checkouts with core.autocrlf=true convert entrypoint.sh to
CRLF, which Docker copies into the image. The shebang then reads
#!/bin/sh\r and exec fails with 'no such file or directory'.
Also covers .env.example (trailing \r in env values) and Makefile.
2026-06-04 18:23:53 +02:00
dextmorgn
7c082d733e docs(readme): make Windows install commands cmd-compatible
PowerShell foreach/Test-Path loop fails when pasted into cmd.exe.
Plain copy commands work in both shells.
2026-06-04 18:05:19 +02:00
dextmorgn
de93ae3059 docs(readme): add Windows install path without Make
Windows users hit failures with make-based install. Replicate
check-env + build + up targets as plain PowerShell/docker compose
commands for prod and dev.
2026-06-04 18:00:35 +02:00