[pull] master from kevoreilly:master#461

Merged
pull[bot] merged 2 commits intothreatcode:masterfrom
kevoreilly:master
May 1, 2026
Merged

Conversation


@pull pull Bot commented May 1, 2026

See Commits and Changes for more details.


Created by pull[bot] (v2.0.0-alpha.4)

Can you help keep this open source service alive? 💖 Please sponsor : )

wmetcalf and others added 2 commits April 24, 2026 14:22

CAPE supports several TLS-interception pipelines that each produce
different on-disk artifacts — PolarProxy writes polarproxy/tls.pcap and
its processor mergecaps it into dump.pcap; SSLproxy writes a synthetic
sslproxy/sslproxy.pcap plus an NSS keylog; the tlsdump / sslkeylogfile
hooks produce in-guest keylogs that decryptpcap feeds through GoGoRoboCap
to yield dump_decrypted.pcap and dump_mixed.pcap. The web UI
file-download view already surfaces all of these, but the REST API only
served dump.pcap plus a legacy tasks_tlspcap endpoint hard-coded to
polarproxy/tls.pcap — fine for PolarProxy operators, 404s for everyone
else. The new ETW / AMSI telemetry and the three in-guest keylogs have
no download path at all.

This brings apiv2 to parity with the web UI and wires up the newer
artifacts. Endpoints are parameterised rather than split per-artifact so
operators see four route shapes instead of sixteen:

  tasks/get/pcap/<id>/                  dump.pcap (existing, unchanged)
  tasks/get/pcap/<id>/<variant>/        variant ∈ {decrypted, mixed,
                                        sslproxy, zip, pcapng}
  tasks/get/keys/<id>/<kind>/           kind ∈ {tls, ssl, master} —
                                        NSS-format keylogs from the three
                                        hook sources (tls: MockSSL;
                                        ssl: bcrypt+ncrypt; master:
                                        SSLproxy)
  tasks/get/etw/<id>/<kind>/            kind ∈ {dns, network, wmi} NDJSON
                                        streams; kind == amsi zips the
                                        AMSI script buffers
  tasks/get/bulkzip/<id>/<folder>/      folder ∈ {logs, network, memory,
                                        selfextracted} — AES-zipped with
                                        ZIP_PWD for parity with
                                        tasks_dropped / tasks_payloadfiles
                                        / tasks_procdumpfiles
  tasks/get/tlspcap/<id>/               existing endpoint; now prefers
                                        dump_decrypted.pcap and falls
                                        back to polarproxy/tls.pcap, so
                                        both TLS pipelines serve from the
                                        same URL

Three new apiconf sections gate the sensitive / bulk categories
separately:

  [tasktlskeys]  TLS key material (decrypts captured flows)
  [tasketw]      ETW JSON logs
  [taskbulkzip]  whole-directory archives

PCAP variants reuse [taskpcap] since operators who opted into pcap access
already implicitly trust the caller with packet-capture data.

create_zip gains a recursive os.walk (replacing os.listdir) with
relative-path preservation, so bulk archives of nested directories —
notably logs/filestore/<bucket>/* — now include their contents instead
of silently dropping everything below the top level. A new temp_file=True
option routes the archive through a disk-backed NamedTemporaryFile so
large folders stream without loading the full archive into RAM; the
bulkzip handler uses this mode.

The pcapng variant generates into a per-request NamedTemporaryFile and
unlinks it as soon as the fd is handed to FileWrapper. Writing the
pcapng to a shared path inside the analysis dir raced: two concurrent
callers could stream each other truncated or partially-overwritten
output.

Variant / kind / folder inputs are matched against a static whitelist
before any path is built, so the URL parameter can't be used to probe
paths outside the analysis dir.

Implementation uses shared helpers — _resolve_task_id,
_serve_analysis_file, _zip_paths, _serve_folder_zip, _pcapng_response,
_pcapzip_response — so each of the four new handlers reduces to a small
dispatch table.
apiv2: add download endpoints for pcap variants, TLS keys, ETW logs, bulk archives
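The two defensive points the commit message makes, whitelisting the URL parameter before any path is built and a recursive create_zip that preserves relative paths and can spill to a disk-backed NamedTemporaryFile, are illustrated below in an added example. This is not CAPE's own code: the function names (resolve_pcap_variant, serve_folder_zip, create_zip), the variant and folder tables, and the sample analysis directory are constructed here from the route table in the message, and the real project's helpers may differ. Encryption of the bulk archive is omitted because the standard-library zipfile module cannot write encrypted archives.

```python
import io
import os
import tempfile
import zipfile

# Static whitelists constructed for this example from the commit message's
# route table. The URL parameter only ever selects a key here; the mapped
# relative path is the only thing that gets joined to the analysis dir.
PCAP_VARIANTS = {
    "decrypted": "dump_decrypted.pcap",
    "mixed": "dump_mixed.pcap",
    "sslproxy": os.path.join("sslproxy", "sslproxy.pcap"),
}
BULKZIP_FOLDERS = frozenset({"logs", "network", "memory", "selfextracted"})


def _inside(root, path):
    """True if the resolved path stays under root (belt-and-braces check)."""
    root = os.path.realpath(root)
    return os.path.commonpath([root, os.path.realpath(path)]) == root


def resolve_pcap_variant(analysis_dir, variant):
    """Map a URL <variant> to an existing artifact path, or None.

    The dict lookup happens before any path is built, so an unknown or
    traversal-style variant never reaches os.path.join at all.
    """
    rel = PCAP_VARIANTS.get(variant)
    if rel is None:
        return None
    path = os.path.join(analysis_dir, rel)
    if not _inside(analysis_dir, path) or not os.path.isfile(path):
        return None
    return path


def create_zip(folder_path, temp_file=False):
    """Recursively archive folder_path, preserving paths relative to it.

    With temp_file=True the archive goes to a disk-backed NamedTemporaryFile
    (unlinked when the handle is closed), so large folders are streamed
    rather than held in RAM; otherwise an in-memory BytesIO is returned.
    Either handle is rewound to offset 0 before being returned.
    """
    out = tempfile.NamedTemporaryFile(suffix=".zip") if temp_file else io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as zf:
        for dirpath, _dirnames, filenames in os.walk(folder_path):
            for name in filenames:
                full = os.path.join(dirpath, name)
                # arcname keeps the tree shape, e.g. filestore/<bucket>/file,
                # which os.listdir-based zipping would have dropped entirely.
                zf.write(full, arcname=os.path.relpath(full, folder_path))
    out.seek(0)
    return out


def serve_folder_zip(analysis_dir, folder):
    """Dispatch for a bulkzip-style route: whitelist first, then archive."""
    if folder not in BULKZIP_FOLDERS:
        return None
    target = os.path.join(analysis_dir, folder)
    if not _inside(analysis_dir, target) or not os.path.isdir(target):
        return None
    return create_zip(target, temp_file=True)


def zip_names(fileobj):
    """Sorted member names of an archive handle (inspection helper)."""
    with zipfile.ZipFile(fileobj) as zf:
        return sorted(zf.namelist())


def build_sample_analysis_dir():
    """Create a constructed analysis-directory layout under a temp dir."""
    root = tempfile.mkdtemp(prefix="analysis_")
    sample_files = {  # constructed contents, not real captures
        "dump_decrypted.pcap": b"constructed pcap bytes",
        os.path.join("sslproxy", "sslproxy.pcap"): b"constructed pcap bytes",
        os.path.join("logs", "top.txt"): b"top-level log line",
        os.path.join("logs", "filestore", "bucket", "a.txt"): b"nested file",
    }
    for rel, data in sample_files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    d = build_sample_analysis_dir()
    print(resolve_pcap_variant(d, "decrypted"))
    print(resolve_pcap_variant(d, "../../etc/passwd"))  # None: not whitelisted
    print(zip_names(serve_folder_zip(d, "logs")))
```

Running the module creates the sample tree, shows that only whitelisted variants resolve, and lists the nested logs/filestore/bucket/a.txt member that a non-recursive listing would have silently omitted.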
@pull pull Bot locked and limited conversation to collaborators May 1, 2026
@pull pull Bot added the ⤵️ pull label May 1, 2026
@pull pull Bot merged commit 781161f into threatcode:master May 1, 2026