Description
settings.network_allowlist defaults to [] (empty list). When the allowlist is empty, _init_default_policies() automatically adds 0.0.0.0/0 and ::/0 as "Default allow all" rules. This means every network connection from any scanner (nuclei, nikto, nmap) to any public internet host is permitted unless the operator explicitly sets SECUSCAN_NETWORK_ALLOWLIST. The denylist only blocks RFC 1918 private addresses and cloud metadata IPs — it does nothing to restrict public egress. A compromised or misconfigured scan targeting an internal host would be blocked, but scanning arbitrary public hosts (including competitor infrastructure, malicious domains) is fully permitted.
Files Affected
secuscan/core/network_policy.py — _init_default_policies() (lines 402-407)
secuscan/config.py — settings.network_allowlist default value (line 65)
Expected Behavior
With an empty allowlist and safe-mode enabled, all network egress should be blocked by default. The operator should explicitly opt-in to specific network destinations.
Actual Behavior
An empty allowlist causes _init_default_policies() to add 0.0.0.0/0 and ::/0 as default allow-all rules. Every public internet host is reachable. The denylist only blocks RFC 1918 private addresses, cloud metadata IPs, and known bad hosts.
Steps to Reproduce
- Start SecuScan with the default configuration (no SECUSCAN_NETWORK_ALLOWLIST set)
- Enable safe-mode
- Run a scan targeting any public website (e.g., example.com)
- Observe that the scan completes successfully; the network policy did not block it
- Check _init_default_policies(): the empty allowlist triggered the default allow-all rules
Impact
With the default configuration, enforce_network_policy provides far less than its name implies: outbound scanning of any public host is permitted, and only RFC 1918 and cloud metadata targets are blocked. The tool is marketed as having network policy enforcement, yet an operator who never sets SECUSCAN_NETWORK_ALLOWLIST gets no egress restriction at all for public targets. For a security product, a default that silently disables its own control defeats the core purpose of the feature.
Fix Required
Change _init_default_policies() to default-deny instead of default-allow: an empty allowlist should block all egress, or at minimum the tool should log a prominent startup warning that no allowlist is configured and that all public egress is permitted. Default-deny is a behaviour change for deployments that currently rely on the implicit allow-all, so it should be called out in the release notes. The fix affects network_policy.py:402-407 and the initialization logic in config.py.
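To make the two initialisation behaviours concrete, the following is an added Python example written for this report; it is not SecuScan code and does not call the project's API. The NetworkPolicy class, the default_deny flag, DEFAULT_DENYLIST and evaluate() are this example's own assumptions, and the denylist contents mirror only what the report states (RFC 1918 ranges plus the cloud metadata address). Targets are constructed from documentation ranges so the example runs offline.

```python
"""Added example (not SecuScan code): default-allow vs default-deny egress policy.

Models the behaviour the report describes. Class and function names here are
this example's own assumptions, not SecuScan's API.
"""
import ipaddress
import logging
from dataclasses import dataclass, field
from typing import Dict, List, Union

log = logging.getLogger(__name__)

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed denylist mirroring what the report says SecuScan blocks:
# RFC 1918 ranges plus the cloud instance-metadata address.
DEFAULT_DENYLIST: List[Network] = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("169.254.169.254/32"),
]

# The rules the report says _init_default_policies() adds when the allowlist is empty.
ALLOW_ALL: List[Network] = [
    ipaddress.ip_network("0.0.0.0/0"),
    ipaddress.ip_network("::/0"),
]


@dataclass
class NetworkPolicy:
    """Egress policy: the denylist is checked first, then the allowlist must match."""

    allowlist: List[str] = field(default_factory=list)
    denylist: List[Network] = field(default_factory=lambda: list(DEFAULT_DENYLIST))
    default_deny: bool = True  # False reproduces the reported behaviour

    def __post_init__(self) -> None:
        self.allow_nets: List[Network] = [ipaddress.ip_network(n) for n in self.allowlist]
        if self.allow_nets:
            return
        if self.default_deny:
            # Hardened: an empty allowlist matches nothing, so all egress is refused,
            # and the operator is told so at startup.
            log.warning("no network allowlist configured; all egress will be denied")
        else:
            # Reported behaviour: an empty allowlist silently becomes allow-all.
            self.allow_nets = list(ALLOW_ALL)

    def is_allowed(self, host: str) -> bool:
        """Return True if a connection to the IP literal `host` may proceed."""
        addr = ipaddress.ip_address(host)
        # `addr in net` is False when the IP versions differ, so mixed lists are safe.
        if any(addr in net for net in self.denylist):
            return False
        return any(addr in net for net in self.allow_nets)


def evaluate(policy: NetworkPolicy, hosts: List[str]) -> Dict[str, bool]:
    """Apply the policy to each target and report the verdicts."""
    return {h: policy.is_allowed(h) for h in hosts}


if __name__ == "__main__":
    # Constructed targets: RFC 5737 / RFC 3849 documentation ranges stand in for public hosts.
    targets = ["203.0.113.10", "2001:db8::1", "10.0.0.5", "169.254.169.254"]
    reported = NetworkPolicy(default_deny=False)          # empty allowlist -> allow all
    hardened = NetworkPolicy()                             # empty allowlist -> deny all
    opted_in = NetworkPolicy(allowlist=["203.0.113.0/24"])  # explicit opt-in
    for name, pol in [("reported", reported), ("hardened", hardened), ("opted-in", opted_in)]:
        print(name, evaluate(pol, targets))
```

The example only accepts IP literals. A real policy check must be applied to the address actually connected to, after name resolution, rather than to a hostname such as example.com; otherwise a name that resolves to an internal address at connect time slips past both lists.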