secator 0.16.5__tar.gz → 0.17.0__tar.gz

{secator-0.16.5 → secator-0.17.0}/CHANGELOG.md

@@ -1,5 +1,17 @@
 # Changelog
 
+## [0.17.0](https://github.com/freelabz/secator/compare/v0.16.5...v0.17.0) (2025-09-06)
+
+
+### Features
+
+* enforceable memory limits ([#710](https://github.com/freelabz/secator/issues/710)) ([eaefa1f](https://github.com/freelabz/secator/commit/eaefa1f5497af4d6a6020e09d5f954ae4639f20c))
+
+
+### Bug Fixes
+
+* prod optimizations ([#708](https://github.com/freelabz/secator/issues/708)) ([efb5d3c](https://github.com/freelabz/secator/commit/efb5d3ce637a5de6e23ed157fd85d2a39bef360d))
+
 ## [0.16.5](https://github.com/freelabz/secator/compare/v0.16.4...v0.16.5) (2025-06-25)
 
 

{secator-0.16.5 → secator-0.17.0}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: secator
-Version: 0.16.5
+Version: 0.17.0
 Summary: The pentester's swiss knife.
 Project-URL: Homepage, https://github.com/freelabz/secator
 Project-URL: Issues, https://github.com/freelabz/secator/issues

{secator-0.16.5 → secator-0.17.0}/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = 'hatchling.build'
 
 [project]
 name = 'secator'
-version = "0.16.5"
+version = "0.17.0"
 authors = [{ name = 'FreeLabz', email = 'sales@freelabz.com' }]
 readme = 'README.md'
 description = "The pentester's swiss knife."

{secator-0.16.5 → secator-0.17.0}/secator/celery.py

@@ -1,3 +1,4 @@
+import gc
 import json
 import logging
 import os
@@ -5,6 +6,7 @@ import os
 from time import time
 
 from celery import Celery, chord
+from celery.canvas import signature
 from celery.app import trace
 
 from rich.logging import RichHandler
@@ -61,9 +63,10 @@ app.conf.update({
 	'result_backend': CONFIG.celery.result_backend,
 	'result_expires': CONFIG.celery.result_expires,
 	'result_backend_transport_options': json.loads(CONFIG.celery.result_backend_transport_options) if CONFIG.celery.result_backend_transport_options else {},  # noqa: E501
-	'result_extended': True,
+	'result_extended': not CONFIG.addons.mongodb.enabled,
 	'result_backend_thread_safe': True,
 	'result_serializer': 'pickle',
+	'result_accept_content': ['application/x-python-serialize'],
 
 	# Task config
 	'task_acks_late': CONFIG.celery.task_acks_late,
@@ -81,6 +84,11 @@ app.conf.update({
 	'task_store_eager_result': True,
 	'task_send_sent_event': CONFIG.celery.task_send_sent_event,
 	'task_serializer': 'pickle',
+	'task_accept_content': ['application/x-python-serialize'],
+
+	# Event config
+	'event_serializer': 'pickle',
+	'event_accept_content': ['application/x-python-serialize'],
 
 	# Worker config
 	# 'worker_direct': True,  # TODO: consider enabling this to allow routing to specific workers
@@ -168,6 +176,12 @@ def run_scan(self, args=[], kwargs={}):
 
 @app.task(bind=True)
 def run_command(self, results, name, targets, opts={}):
+	# Set Celery request id in context
+	context = opts.get('context', {})
+	context['celery_id'] = self.request.id
+	context['worker_name'] = os.environ.get('WORKER_NAME', 'unknown')
+
+	# Set routing key in context
 	if IN_CELERY_WORKER_PROCESS:
 		quiet = not CONFIG.cli.worker_command_verbose
 		opts.update({
@@ -179,15 +193,13 @@ def run_command(self, results, name, targets, opts={}):
 			'quiet': quiet
 		})
 		routing_key = self.request.delivery_info['routing_key']
+		context['routing_key'] = routing_key
 		debug(f'Task "{name}" running with routing key "{routing_key}"', sub='celery.state')
 
 	# Flatten + dedupe + filter results
 	results = forward_results(results)
 
-	# Set Celery request id in context
-	context = opts.get('context', {})
-	context['celery_id'] = self.request.id
-	context['worker_name'] = os.environ.get('WORKER_NAME', 'unknown')
+	# Set task opts
 	opts['context'] = context
 	opts['results'] = results
 	opts['sync'] = True
@@ -204,10 +216,13 @@ def run_command(self, results, name, targets, opts={}):
 	# Chunk task if needed
 	if chunk_it:
 		if IN_CELERY_WORKER_PROCESS:
-			console.print(Info(message=f'Task {name} requires chunking, breaking into {len(targets)} tasks'))
-		tasks = break_task(task, opts, results=results)
+			console.print(Info(message=f'Task {name} requires chunking'))
+		workflow = break_task(task, opts, results=results)
+		if IN_CELERY_WORKER_PROCESS:
+			console.print(Info(message=f'Task {name} successfully broken into {len(workflow)} chunks'))
 		update_state(self, task, force=True)
-		return self.replace(tasks)
+		console.print(Info(message=f'Task {name} updated state, replacing task with Celery chord workflow'))
+		return replace(self, workflow)
 
 	# Update state live
 	for _ in task:
@@ -327,6 +342,52 @@ def is_celery_worker_alive():
 	return result
 
 
+def replace(task_instance, sig):
+	"""Replace this task, with a new task inheriting the task id.
+
+	Execution of the host task ends immediately and no subsequent statements
+	will be run.
+
+	.. versionadded:: 4.0
+
+	Arguments:
+		sig (Signature): signature to replace with.
+		visitor (StampingVisitor): Visitor API object.
+
+	Raises:
+		~@Ignore: This is always raised when called in asynchronous context.
+		It is best to always use ``return self.replace(...)`` to convey
+		to the reader that the task won't continue after being replaced.
+	"""
+	console.print('Replacing task')
+	chord = task_instance.request.chord
+	sig.freeze(task_instance.request.id)
+	replaced_task_nesting = task_instance.request.get('replaced_task_nesting', 0) + 1
+	sig.set(
+		chord=chord,
+		group_id=task_instance.request.group,
+		group_index=task_instance.request.group_index,
+		root_id=task_instance.request.root_id,
+		replaced_task_nesting=replaced_task_nesting
+	)
+	import psutil
+	import os
+	process = psutil.Process(os.getpid())
+	length = len(task_instance.request.chain) if task_instance.request.chain else 0
+	console.print(f'Adding {length} chain tasks from request chain')
+	for ix, t in enumerate(reversed(task_instance.request.chain or [])):
+		console.print(f'Adding chain task {t.name} from request chain ({ix + 1}/{length})')
+		chain_task = signature(t, app=task_instance.app)
+		chain_task.set(replaced_task_nesting=replaced_task_nesting)
+		sig |= chain_task
+		del chain_task
+		del t
+		memory_bytes = process.memory_info().rss
+		console.print(f'Memory usage: {memory_bytes / 1024 / 1024:.2f} MB (chain task {ix + 1}/{length})')
+	gc.collect()
+	return task_instance.on_replace(sig)
+
+
 def break_task(task, task_opts, results=[]):
 	"""Break a task into multiple of the same type."""
 	chunks = task.inputs
@@ -370,16 +431,21 @@ def break_task(task, task_opts, results=[]):
 		task_id = sig.freeze().task_id
 		full_name = f'{task.name}_{ix + 1}'
 		task.add_subtask(task_id, task.name, full_name)
-		info = Info(message=f'Celery chunked task created: {task_id}')
+		info = Info(message=f'Celery chunked task created ({ix + 1} / {len(chunks)}): {task_id}')
 		task.add_result(info)
 		sigs.append(sig)
 
 	# Mark main task as async since it's being chunked
 	task.sync = False
+	task.results = []
+	task.uuids = set()
+	console.print(Info(message=f'Task {task.unique_name} is now async, building chord with{len(sigs)} chunks'))
+	console.print(Info(message=f'Results: {results}'))
 
 	# Build Celery workflow
 	workflow = chord(
 		tuple(sigs),
 		mark_runner_completed.s(runner=task).set(queue='results')
 	)
+	console.print(Info(message=f'Task {task.unique_name} chord built with {len(sigs)} chunks, returning workflow'))
 	return workflow

{secator-0.16.5 → secator-0.17.0}/secator/celery_signals.py

@@ -92,8 +92,9 @@ def task_postrun_handler(**kwargs):
 
 	# Get sender name from kwargs
 	sender_name = kwargs['sender'].name
+	# console.print(Info(message=f'Task postrun handler --> Sender name: {sender_name}'))
 
-	if CONFIG.celery.worker_kill_after_task and sender_name.startswith('secator.'):
+	if CONFIG.celery.worker_kill_after_task and (sender_name.startswith('secator.') or sender_name.startswith('api.')):
 		worker_name = os.environ.get('WORKER_NAME', 'unknown')
 		console.print(Info(message=f'Shutdown worker {worker_name} since config celery.worker_kill_after_task is set.'))
 		kill_worker(parent=True)

{secator-0.16.5 → secator-0.17.0}/secator/cli.py

@@ -134,7 +134,10 @@ for config in SCANS:
 @click.option('--stop', is_flag=True, help='Stop a worker in dev mode (celery multi).')
 @click.option('--show', is_flag=True, help='Show command (celery multi).')
 @click.option('--use-command-runner', is_flag=True, default=False, help='Use command runner to run the command.')
-def worker(hostname, concurrency, reload, queue, pool, quiet, loglevel, check, dev, stop, show, use_command_runner):
+@click.option('--without-gossip', is_flag=True)
+@click.option('--without-mingle', is_flag=True)
+@click.option('--without-heartbeat', is_flag=True)
+def worker(hostname, concurrency, reload, queue, pool, quiet, loglevel, check, dev, stop, show, use_command_runner, without_gossip, without_mingle, without_heartbeat):  # noqa: E501
 	"""Run a worker."""
 
 	# Check Celery addon is installed
@@ -182,6 +185,9 @@ def worker(hostname, concurrency, reload, queue, pool, quiet, loglevel, check, d
 	cmd += f' -P {pool}' if pool else ''
 	cmd += f' -c {concurrency}' if concurrency else ''
 	cmd += f' -l {loglevel}' if loglevel else ''
+	cmd += ' --without-mingle' if without_mingle else ''
+	cmd += ' --without-gossip' if without_gossip else ''
+	cmd += ' --without-heartbeat' if without_heartbeat else ''
 
 	if reload:
 		patterns = "celery.py;tasks/*.py;runners/*.py;serializers/*.py;output_types/*.py;hooks/*.py;exporters/*.py"

{secator-0.16.5 → secator-0.17.0}/secator/config.py

@@ -100,6 +100,7 @@ class Security(StrictModel):
 	allow_local_file_access: bool = True
 	auto_install_commands: bool = True
 	force_source_install: bool = False
+	memory_limit_mb: int = -1
 
 
 class HTTP(StrictModel):

{secator-0.16.5 → secator-0.17.0}/secator/hooks/gcs.py

@@ -14,6 +14,16 @@ ITEMS_TO_SEND = {
 	'url': ['screenshot_path', 'stored_response_path']
 }
 
+_gcs_client = None
+
+
+def get_gcs_client():
+	"""Get or create GCS client"""
+	global _gcs_client
+	if _gcs_client is None:
+		_gcs_client = storage.Client()
+	return _gcs_client
+
 
 def process_item(self, item):
 	if item._type not in ITEMS_TO_SEND.keys():
@@ -39,7 +49,7 @@ def process_item(self, item):
 def upload_blob(bucket_name, source_file_name, destination_blob_name):
 	"""Uploads a file to the bucket."""
 	start_time = time()
-	storage_client = storage.Client()
+	storage_client = get_gcs_client()
 	bucket = storage_client.bucket(bucket_name)
 	blob = bucket.blob(destination_blob_name)
 	with open(source_file_name, 'rb') as f:

{secator-0.16.5 → secator-0.17.0}/secator/hooks/mongodb.py

@@ -166,85 +166,90 @@ def tag_duplicates(ws_id: str = None, full_scan: bool = False):
 		full_scan (bool): If True, scan all findings, otherwise only untagged findings.
 	"""
 	debug(f'running duplicate check on workspace {ws_id}', sub='hooks.mongodb')
+	init_time = time.time()
 	client = get_mongodb_client()
 	db = client.main
-	workspace_query = list(
-		db.findings.find({'_context.workspace_id': str(ws_id), '_tagged': True}).sort('_timestamp', -1))
-	untagged_query = {'_context.workspace_id': str(ws_id)}
-	if not full_scan:
-		untagged_query['_tagged'] = {'$ne': True}
-	untagged_query = list(
-		db.findings.find(untagged_query).sort('_timestamp', -1))
-	if not untagged_query:
-		debug('no untagged findings. Skipping.', id=ws_id, sub='hooks.mongodb')
-		return
-	debug(f'found {len(untagged_query)} untagged findings', id=ws_id, sub='hooks.mongodb')
+	start_time = time.time()
+	workspace_query = {'_context.workspace_id': str(ws_id), '_context.workspace_duplicate': False, '_tagged': True}
+	untagged_query = {'_context.workspace_id': str(ws_id), '_tagged': {'$ne': True}}
+	if full_scan:
+		del untagged_query['_tagged']
+	workspace_findings = load_findings(list(db.findings.find(workspace_query).sort('_timestamp', -1)))
+	untagged_findings = load_findings(list(db.findings.find(untagged_query).sort('_timestamp', -1)))
+	debug(
+		f'Workspace non-duplicates findings: {len(workspace_findings)}, '
+		f'Untagged findings: {len(untagged_findings)}. '
+		f'Query time: {time.time() - start_time}s',
+		sub='hooks.mongodb'
+	)
+	start_time = time.time()
+	seen = []
+	db_updates = {}
 
-	untagged_findings = load_findings(untagged_query)
-	workspace_findings = load_findings(workspace_query)
-	non_duplicates = []
-	duplicates = []
 	for item in untagged_findings:
-		# If already seen in duplicates
-		seen = [f for f in duplicates if f._uuid == item._uuid]
-		if seen:
+		if item._uuid in seen:
 			continue
 
-		# Check for duplicates
-		tmp_duplicates = []
+		debug(
+			f'Processing: {repr(item)} ({item._timestamp}) [{item._uuid}]',
+			sub='hooks.mongodb',
+			verbose=True
+		)
+
+		duplicate_ids = [
+			_._uuid
+			for _ in untagged_findings
+			if _ == item and _._uuid != item._uuid
+		]
+		seen.extend(duplicate_ids)
 
-		# Check if already present in list of workspace_findings findings, list of duplicates, or untagged_findings
-		workspace_dupes = [f for f in workspace_findings if f == item and f._uuid != item._uuid]
-		untagged_dupes = [f for f in untagged_findings if f == item and f._uuid != item._uuid]
-		seen_dupes = [f for f in duplicates if f == item and f._uuid != item._uuid]
-		tmp_duplicates.extend(workspace_dupes)
-		tmp_duplicates.extend(untagged_dupes)
-		tmp_duplicates.extend(seen_dupes)
 		debug(
-			f'for item {item._uuid}',
-			obj={
-				'workspace dupes': len(workspace_dupes),
-				'untagged dupes': len(untagged_dupes),
-				'seen dupes': len(seen_dupes)
-			},
-			id=ws_id,
+			f'Found {len(duplicate_ids)} duplicates for item',
 			sub='hooks.mongodb',
-			verbose=True)
-		tmp_duplicates_ids = list(dict.fromkeys([i._uuid for i in tmp_duplicates]))
-		debug(f'duplicate ids: {tmp_duplicates_ids}', id=ws_id, sub='hooks.mongodb', verbose=True)
-
-		# Update latest object as non-duplicate
-		if tmp_duplicates:
-			duplicates.extend([f for f in tmp_duplicates])
-			db.findings.update_one({'_id': ObjectId(item._uuid)}, {'$set': {'_related': tmp_duplicates_ids}})
-			debug(f'adding {item._uuid} as non-duplicate', id=ws_id, sub='hooks.mongodb', verbose=True)
-			non_duplicates.append(item)
-		else:
-			debug(f'adding {item._uuid} as non-duplicate', id=ws_id, sub='hooks.mongodb', verbose=True)
-			non_duplicates.append(item)
+			verbose=True
+		)
 
-	# debug(f'found {len(duplicates)} total duplicates')
+		duplicate_ws = [
+			_ for _ in workspace_findings
+			if _ == item and _._uuid != item._uuid
+		]
+		debug(f' --> Found {len(duplicate_ws)} workspace duplicates for item', sub='hooks.mongodb', verbose=True)
+
+		related_ids = []
+		if duplicate_ws:
+			duplicate_ws_ids = [_._uuid for _ in duplicate_ws]
+			duplicate_ids.extend(duplicate_ws_ids)
+			for related in duplicate_ws:
+				related_ids.extend(related._related)
+
+		debug(f' --> Found {len(duplicate_ids)} total duplicates for item', sub='hooks.mongodb', verbose=True)
+
+		db_updates[item._uuid] = {
+			'_related': duplicate_ids + related_ids,
+			'_context.workspace_duplicate': False,
+			'_tagged': True
+		}
+		for uuid in duplicate_ids:
+			db_updates[uuid] = {
+				'_context.workspace_duplicate': True,
+				'_tagged': True
+			}
+	debug(f'Finished processing untagged findings in {time.time() - start_time}s', sub='hooks.mongodb')
+	start_time = time.time()
 
-	# Update objects with _tagged and _duplicate fields
-	duplicates_ids = list(dict.fromkeys([n._uuid for n in duplicates]))
-	non_duplicates_ids = list(dict.fromkeys([n._uuid for n in non_duplicates]))
+	debug(f'Executing {len(db_updates)} database updates', sub='hooks.mongodb')
 
-	search = {'_id': {'$in': [ObjectId(d) for d in duplicates_ids]}}
-	update = {'$set': {'_context.workspace_duplicate': True, '_tagged': True}}
-	db.findings.update_many(search, update)
+	from pymongo import UpdateOne
+	if not db_updates:
+		debug('no db updates to execute', sub='hooks.mongodb')
+		return
 
-	search = {'_id': {'$in': [ObjectId(d) for d in non_duplicates_ids]}}
-	update = {'$set': {'_context.workspace_duplicate': False, '_tagged': True}}
-	db.findings.update_many(search, update)
-	debug(
-		'completed duplicates check for workspace.',
-		id=ws_id,
-		obj={
-			'processed': len(untagged_findings),
-			'duplicates': len(duplicates_ids),
-			'non-duplicates': len(non_duplicates_ids)
-		},
-		sub='hooks.mongodb')
+	result = db.findings.bulk_write(
+		[UpdateOne({'_id': ObjectId(uuid)}, {'$set': update}) for uuid, update in db_updates.items()]
+	)
+	debug(result, sub='hooks.mongodb')
+	debug(f'Finished running db update in {time.time() - start_time}s', sub='hooks.mongodb')
+	debug(f'Finished running tag duplicates in {time.time() - init_time}s', sub='hooks.mongodb')
 
 
 HOOKS = {

{secator-0.16.5 → secator-0.17.0}/secator/installer.py

@@ -395,7 +395,7 @@ class GithubInstaller:
 		for root, _, files in os.walk(directory):
 			for file in files:
 				# Match the file name exactly with the repository name
-				if file == binary_name:
+				if file.startswith(binary_name):
 					return os.path.join(root, file)
 		return None
 

{secator-0.16.5 → secator-0.17.0}/secator/output_types/certificate.py

@@ -26,7 +26,7 @@ class Certificate(OutputType):
 	serial_number: str = field(default='', compare=False)
 	ciphers: list[str] = field(default_factory=list, compare=False)
 	# parent_certificate: 'Certificate' = None  # noqa: F821
-	_source: str = field(default='', repr=True)
+	_source: str = field(default='', repr=True, compare=False)
 	_type: str = field(default='certificate', repr=True)
 	_timestamp: int = field(default_factory=lambda: time.time(), compare=False)
 	_uuid: str = field(default='', repr=True, compare=False)

{secator-0.16.5 → secator-0.17.0}/secator/output_types/exploit.py

@@ -18,7 +18,7 @@ class Exploit(OutputType):
 	cves: list = field(default_factory=list, compare=False)
 	tags: list = field(default_factory=list, compare=False)
 	extra_data: dict = field(default_factory=dict, compare=False)
-	_source: str = field(default='', repr=True)
+	_source: str = field(default='', repr=True, compare=False)
 	_type: str = field(default='exploit', repr=True)
 	_timestamp: int = field(default_factory=lambda: time.time(), compare=False)
 	_uuid: str = field(default='', repr=True, compare=False)

{secator-0.16.5 → secator-0.17.0}/secator/output_types/ip.py

@@ -18,7 +18,7 @@ class Ip(OutputType):
 	host: str = field(default='', repr=True, compare=False)
 	alive: bool = False
 	protocol: str = field(default=IpProtocol.IPv4)
-	_source: str = field(default='', repr=True)
+	_source: str = field(default='', repr=True, compare=False)
 	_type: str = field(default='ip', repr=True)
 	_timestamp: int = field(default_factory=lambda: time.time(), compare=False)
 	_uuid: str = field(default='', repr=True, compare=False)

{secator-0.16.5 → secator-0.17.0}/secator/output_types/progress.py

@@ -9,7 +9,7 @@ from secator.utils import rich_to_ansi, format_object
 class Progress(OutputType):
 	percent: int = 0
 	extra_data: dict = field(default_factory=dict)
-	_source: str = field(default='', repr=True)
+	_source: str = field(default='', repr=True, compare=False)
 	_type: str = field(default='progress', repr=True)
 	_timestamp: int = field(default_factory=lambda: time.time(), compare=False)
 	_uuid: str = field(default='', repr=True, compare=False)

{secator-0.16.5 → secator-0.17.0}/secator/output_types/record.py

@@ -12,7 +12,7 @@ class Record(OutputType):
 	type: str
 	host: str = ''
 	extra_data: dict = field(default_factory=dict, compare=False)
-	_source: str = field(default='', repr=True)
+	_source: str = field(default='', repr=True, compare=False)
 	_type: str = field(default='record', repr=True)
 	_timestamp: int = field(default_factory=lambda: time.time(), compare=False)
 	_uuid: str = field(default='', repr=True, compare=False)

{secator-0.16.5 → secator-0.17.0}/secator/output_types/stat.py

@@ -13,7 +13,7 @@ class Stat(OutputType):
 	memory: int
 	net_conns: int = field(default=None, repr=True)
 	extra_data: dict = field(default_factory=dict)
-	_source: str = field(default='', repr=True)
+	_source: str = field(default='', repr=True, compare=False)
 	_type: str = field(default='stat', repr=True)
 	_timestamp: int = field(default_factory=lambda: time.time(), compare=False)
 	_uuid: str = field(default='', repr=True, compare=False)

{secator-0.16.5 → secator-0.17.0}/secator/output_types/state.py

@@ -12,7 +12,7 @@ class State(OutputType):
 	task_id: str
 	state: str
 	_type: str = field(default='state', repr=True)
-	_source: str = field(default='', repr=True)
+	_source: str = field(default='', repr=True, compare=False)
 	_timestamp: int = field(default_factory=lambda: time.time(), compare=False)
 	_uuid: str = field(default='', repr=True, compare=False)
 	_context: dict = field(default_factory=dict, repr=True, compare=False)

{secator-0.16.5 → secator-0.17.0}/secator/output_types/subdomain.py

@@ -13,7 +13,7 @@ class Subdomain(OutputType):
 	domain: str
 	sources: List[str] = field(default_factory=list, compare=False)
 	extra_data: dict = field(default_factory=dict, compare=False)
-	_source: str = field(default='', repr=True)
+	_source: str = field(default='', repr=True, compare=False)
 	_type: str = field(default='subdomain', repr=True)
 	_timestamp: int = field(default_factory=lambda: time.time(), compare=False)
 	_uuid: str = field(default='', repr=True, compare=False)

{secator-0.16.5 → secator-0.17.0}/secator/output_types/tag.py

@@ -11,7 +11,7 @@ class Tag(OutputType):
 	match: str
 	extra_data: dict = field(default_factory=dict, repr=True, compare=False)
 	stored_response_path: str = field(default='', compare=False)
-	_source: str = field(default='', repr=True)
+	_source: str = field(default='', repr=True, compare=False)
 	_type: str = field(default='tag', repr=True)
 	_timestamp: int = field(default_factory=lambda: time.time(), compare=False)
 	_uuid: str = field(default='', repr=True, compare=False)

{secator-0.16.5 → secator-0.17.0}/secator/output_types/target.py

@@ -9,7 +9,7 @@ from secator.utils import autodetect_type, rich_to_ansi, rich_escape as _s
 class Target(OutputType):
 	name: str
 	type: str = ''
-	_source: str = field(default='', repr=True)
+	_source: str = field(default='', repr=True, compare=False)
 	_type: str = field(default='target', repr=True)
 	_timestamp: int = field(default_factory=lambda: time.time(), compare=False)
 	_uuid: str = field(default='', repr=True, compare=False)

{secator-0.16.5 → secator-0.17.0}/secator/output_types/user_account.py

@@ -13,7 +13,7 @@ class UserAccount(OutputType):
 	email: str = ''
 	site_name: str = ''
 	extra_data: dict = field(default_factory=dict, compare=False)
-	_source: str = field(default='', repr=True)
+	_source: str = field(default='', repr=True, compare=False)
 	_type: str = field(default='user_account', repr=True)
 	_timestamp: int = field(default_factory=lambda: time.time(), compare=False)
 	_uuid: str = field(default='', repr=True, compare=False)

{secator-0.16.5 → secator-0.17.0}/secator/output_types/vulnerability.py

@@ -25,7 +25,7 @@ class Vulnerability(OutputType):
 	reference: str = field(default='', compare=False)
 	confidence_nb: int = 0
 	severity_nb: int = 0
-	_source: str = field(default='', repr=True)
+	_source: str = field(default='', repr=True, compare=False)
 	_type: str = field(default='vulnerability', repr=True)
 	_timestamp: int = field(default_factory=lambda: time.time(), compare=False)
 	_uuid: str = field(default='', repr=True, compare=False)

{secator-0.16.5 → secator-0.17.0}/secator/runners/command.py

@@ -18,7 +18,7 @@ from secator.config import CONFIG
 from secator.output_types import Info, Warning, Error, Stat
 from secator.runners import Runner
 from secator.template import TemplateLoader
-from secator.utils import debug, rich_escape as _s
+from secator.utils import debug, rich_escape as _s, signal_to_name
 
 
 logger = logging.getLogger(__name__)
@@ -440,6 +440,7 @@ class Command(Runner):
 			# Output and results
 			self.return_code = 0
 			self.killed = False
+			self.memory_limit_mb = CONFIG.security.memory_limit_mb
 
 			# Run the command using subprocess
 			env = os.environ
@@ -449,6 +450,7 @@ class Command(Runner):
 				stdout=subprocess.PIPE,
 				stderr=subprocess.STDOUT,
 				universal_newlines=True,
+				preexec_fn=os.setsid,
 				shell=self.shell,
 				env=env,
 				cwd=self.cwd)
@@ -473,6 +475,11 @@ class Command(Runner):
 		except FileNotFoundError as e:
 			yield from self.handle_file_not_found(e)
 
+		except MemoryError as e:
+			self.debug(f'{self.unique_name}: {type(e).__name__}.', sub='end')
+			self.stop_process(exit_ok=True, sig=signal.SIGTERM)
+			yield Warning(message=f'Memory limit {self.memory_limit_mb}MB reached for {self.unique_name}')
+
 		except BaseException as e:
 			self.debug(f'{self.unique_name}: {type(e).__name__}.', sub='end')
 			self.stop_process()
@@ -527,7 +534,7 @@ class Command(Runner):
 		if self.last_updated_stat and (time() - self.last_updated_stat) < CONFIG.runners.stat_update_frequency:
 			return
 
-		yield from self.stats()
+		yield from self.stats(self.memory_limit_mb)
 		self.last_updated_stat = time()
 
 	def print_description(self):
@@ -565,26 +572,31 @@ class Command(Runner):
 			error = Error.from_exception(exc)
 		yield error
 
-	def stop_process(self, exit_ok=False):
+	def stop_process(self, exit_ok=False, sig=signal.SIGINT):
 		"""Sends SIGINT to running process, if any."""
 		if not self.process:
 			return
-		self.debug(f'Sending SIGINT to process {self.process.pid}.', sub='error')
-		self.process.send_signal(signal.SIGINT)
+		self.debug(f'Sending signal {signal_to_name(sig)} to process {self.process.pid}.', sub='error')
+		if self.process and self.process.pid:
+			os.killpg(os.getpgid(self.process.pid), sig)
 		if exit_ok:
 			self.exit_ok = True
 
-	def stats(self):
+	def stats(self, memory_limit_mb=None):
 		"""Gather stats about the current running process, if any."""
 		if not self.process or not self.process.pid:
 			return
 		proc = psutil.Process(self.process.pid)
 		stats = Command.get_process_info(proc, children=True)
+		total_mem = 0
 		for info in stats:
 			name = info['name']
 			pid = info['pid']
 			cpu_percent = info['cpu_percent']
 			mem_percent = info['memory_percent']
+			mem_rss = round(info['memory_info']['rss'] / 1024 / 1024, 2)
+			total_mem += mem_rss
+			self.debug(f'{name} {pid} {mem_rss}MB', sub='stats')
 			net_conns = info.get('net_connections') or []
 			extra_data = {k: v for k, v in info.items() if k not in ['cpu_percent', 'memory_percent', 'net_connections']}
 			yield Stat(
@@ -595,6 +607,9 @@ class Command(Runner):
 				net_conns=len(net_conns),
 				extra_data=extra_data
 			)
+		self.debug(f'Total mem: {total_mem}MB, memory limit: {memory_limit_mb}', sub='stats')
+		if memory_limit_mb and memory_limit_mb != -1 and total_mem > memory_limit_mb:
+			raise MemoryError(f'Memory limit {memory_limit_mb}MB reached for {self.unique_name}')
 
 	@staticmethod
 	def get_process_info(process, children=False):