@tvancott42 tvancott42 commented Jan 29, 2026

Summary

  • UPnP audit now checks per-network upnp_lan_enabled bindings instead of just the global upnp_enabled flag
  • Raises Critical warning when UPnP is enabled on non-Home networks (IoT, Corporate, Guest, etc.)
  • Raises Recommended warning when UPnP is enabled on multiple Home networks (suggests consolidating)
  • Reports Informational when UPnP is enabled on a single Home network (acceptable for gaming/streaming)
  • Removes flaky Decrypt_TamperedCiphertext_ReturnsEmpty test

Test plan

  • All 40 UPnP security analyzer tests pass
  • Full test suite passes (except removed flaky test)
  • Run audit on UCG-Fiber test network to verify IoT/Work networks with UPnP show Critical warnings

Previously the UPnP audit only checked the global upnp_enabled flag and
assumed UPnP was bound to Home networks if they existed. Now it checks
the upnp_lan_enabled field on each network to determine exactly which
networks have UPnP enabled.

Severity levels:
- Critical: UPnP enabled on non-Home networks (IoT, Corporate, Guest, etc.)
- Recommended: UPnP enabled on multiple Home networks (suggests consolidating)
- Informational: UPnP enabled on single Home network (acceptable for gaming)

Added Enabled and UpnpLanEnabled properties to NetworkInfo model and
updated VlanAnalyzer to extract these from the UniFi API response.
@tvancott42 tvancott42 merged commit c5d8cd7 into main Jan 29, 2026
1 check passed
@tvancott42 tvancott42 deleted the feature/upnp-network-binding branch January 29, 2026 19:51
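
The severity rules from the PR description above, as an added Python sketch that is not the project's own code. The dict keys `name`, `purpose` and `enabled`, the function name `audit_upnp`, and the handling of the global flag and of disabled networks are assumptions; only `upnp_enabled`, `upnp_lan_enabled` and the severity names come from the page.

```python
from dataclasses import dataclass

# Severity names are taken from the PR description.
CRITICAL, RECOMMENDED, INFORMATIONAL = "Critical", "Recommended", "Informational"


@dataclass
class Finding:
    severity: str
    networks: list
    message: str


def audit_upnp(networks, upnp_enabled=True):
    """Return findings for the networks that have UPnP bound to them."""
    # Assumption: per-network bindings only take effect when the global flag is on.
    if not upnp_enabled:
        return []
    # Assumption: a disabled network is skipped; a missing upnp_lan_enabled means unbound.
    bound = [n for n in networks
             if n.get("enabled", True) and n.get("upnp_lan_enabled", False)]
    # "name" and "purpose" are assumed keys; only "Home" is treated as acceptable.
    home = [n["name"] for n in bound if n["purpose"].lower() == "home"]
    other = [n["name"] for n in bound if n["purpose"].lower() != "home"]

    findings = []
    if other:
        findings.append(Finding(CRITICAL, other, "UPnP enabled on non-Home networks"))
    if len(home) > 1:
        findings.append(Finding(RECOMMENDED, home,
                                "UPnP enabled on multiple Home networks; consolidate"))
    elif len(home) == 1:
        findings.append(Finding(INFORMATIONAL, home, "UPnP enabled on a single Home network"))
    return findings


# Constructed sample input, not captured from a real controller.
SAMPLE_NETWORKS = [
    {"name": "Main", "purpose": "Home", "enabled": True, "upnp_lan_enabled": True},
    {"name": "Cameras", "purpose": "IoT", "enabled": True, "upnp_lan_enabled": True},
    {"name": "Visitors", "purpose": "Guest", "enabled": True, "upnp_lan_enabled": False},
    {"name": "Lab", "purpose": "Corporate", "enabled": False, "upnp_lan_enabled": True},
]

if __name__ == "__main__":
    for f in audit_upnp(SAMPLE_NETWORKS):
        print(f"{f.severity}: {', '.join(f.networks)} ({f.message})")
```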