90f8141cfc
Code-review BLOCKER B1. Reaffirms D-011: a `re` stdlib fallback defeats the OPSEC-safe-regex guarantee because hostile C2 output can trigger catastrophic backtracking. The `[:1MB]` slice cap does not mitigate that — re-evaluating a malicious pattern over 1 MB of attacker-controlled text is still a worker freeze. - `mimic.templating.filters` now imports `re2` unconditionally and raises `RuntimeError` at module load if the binding is absent. No `re` import, no `_HAS_RE2` branch, no `_FALLBACK_MAX_INPUT`. - `pyproject.toml` already pinned `google-re2 >= 1.1, < 2.0`; this commit hardens the import path to actually enforce it. - New test `test_re2_is_required` asserts the binding is wired in.
Mimic — backend
Sprint 0 skeleton. Python 3.12+ / Flask / SQLAlchemy 2 / Alembic / Pydantic 2.
Layout
backend/
├── src/mimic/
│ ├── app.py # Flask app factory + SocketIO init
│ ├── config.py # Pydantic Settings
│ ├── extensions.py # db, migrate, socketio, login_manager
│ ├── db/
│ │ ├── models/ # SQLAlchemy 2 typed models
│ │ ├── repositories/ # data access per aggregate
│ │ └── migrations/ # Alembic
│ ├── schemas/ # Pydantic 2 DTOs
│ ├── api/ # Flask blueprints (REST)
│ ├── ws/ # Flask-SocketIO namespaces
│ ├── connectors/ # C2Connector ABC + payload mapping
│ ├── orchestrator/ # run state machine (stub in sprint 0)
│ ├── templating/ # Jinja2 sandbox + regex_extract
│ ├── audit/ # append-only writer + rotation
│ ├── reporting/ # WeasyPrint builder (stub in sprint 0)
│ ├── rbac/ # group-based permission matrix (F11)
│ ├── importers/ # ATR + C2 journal (stub in sprint 0)
│ └── cli/ # mimic-cli (click)
└── tests/
├── unit/ # SQLite, pure logic
└── integration/ # testcontainers Postgres
Local dev
make install # uv venv + pip install -e .[dev]
make db-up # docker compose up -d postgres
make db-migrate # alembic upgrade head
make run # flask run (debug)
make test # pytest unit
make test-int # pytest integration (testcontainers)
make lint # ruff + mypy strict
What sprint 0 ships
- Full §8 data model + Alembic initial migration (Postgres-specific constraints: audit_log write-only role, soc_session hash, c2_credential Fernet column).
C2ConnectorABC + dataclasses +payload_typeenum + factory. No real Mythic/Home implementation (blocked on PR1/PR2).- Jinja2 SandboxedEnvironment +
regex_extractfilter (re2). - Local auth (bcrypt + Flask session) + group-based RBAC matching the F11 permission matrix.
- Flat CRUD on engagements / hosts / TTPs / scenarios.
- pytest baseline + testcontainers Postgres scaffolding.
Out of sprint 0
Orchestrator, WebSocket cockpit, real connectors, report generation, audit rotation.