From 05c110ad08ba70a8c84aaf4d56bfcb446e1140c9 Mon Sep 17 00:00:00 2001
From: AliaksandrNazaruk <noreply@github.com>
Date: Tue, 24 Mar 2026 16:42:49 +0100
Subject: [PATCH 1/2] feat: BCOS Badge Generator web tool (#2292)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Static HTML/JS badge generator at web/bcos/badge-generator.html

- Enter repo URL or BCOS cert ID to generate badge
- Preview badge inline
- Copy markdown, HTML, or raw URL embed code
- Three badge styles: flat, flat-square, for-the-badge
- Vintage terminal aesthetic matching rustchain.org
- No backend needed — calls /bcos/verify API
- MIT licensed
---
 web/bcos/badge-generator.html | 240 ++++++++++++++++++++++++++++++++++
 1 file changed, 240 insertions(+)
 create mode 100644 web/bcos/badge-generator.html

diff --git a/web/bcos/badge-generator.html b/web/bcos/badge-generator.html
new file mode 100644
index 000000000..263a929c2
--- /dev/null
+++ b/web/bcos/badge-generator.html
@@ -0,0 +1,240 @@
+<!doctype html>
+<html>
+<head>
+  <meta charset="utf-8" />
+  <meta name="viewport" content="width=device-width,initial-scale=1" />
+  <title>BCOS Badge Generator — RustChain</title>
+  <style>
+    :root {
+      --green: #33ff33;
+      --dim: #1a9f1a;
+      --bg: #0a0a0a;
+      --card-bg: #111;
+      --border: #2a2a2a;
+    }
+    * { box-sizing: border-box; margin: 0; padding: 0; }
+    body {
+      font-family: 'Courier New', monospace;
+      background: var(--bg);
+      color: var(--green);
+      max-width: 720px;
+      margin: 0 auto;
+      padding: 2rem 1rem;
+      line-height: 1.6;
+    }
+    h1 { font-size: 1.4rem; margin-bottom: 0.25rem; }
+    .subtitle { color: var(--dim); font-size: 0.85rem; margin-bottom: 2rem; }
+    .card {
+      border: 1px solid var(--border);
+      background: var(--card-bg);
+      padding: 1.25rem;
+      margin-bottom: 1.5rem;
+      border-radius: 4px;
+    }
+    label { display: block; color: var(--dim); font-size: 0.8rem; margin-bottom: 0.25rem; }
+    input, select, textarea {
+      width: 100%;
+      background: var(--bg);
+      border: 1px solid var(--border);
+      color: var(--green);
+      font-family: 'Courier New', monospace;
+      padding: 0.5rem;
+      margin-bottom: 1rem;
+      font-size: 0.9rem;
+      border-radius: 2px;
+    }
+    input:focus, select:focus, textarea:focus {
+      outline: none;
+      border-color: var(--green);
+    }
+    textarea { resize: vertical; min-height: 60px; }
+    button {
+      background: var(--green);
+      color: var(--bg);
+      border: none;
+      padding: 0.6rem 1.5rem;
+      font-family: 'Courier New', monospace;
+      font-weight: bold;
+      font-size: 0.9rem;
+      cursor: pointer;
+      border-radius: 2px;
+    }
+    button:hover { background: #66ff66; }
+    .preview-area {
+      text-align: center;
+      padding: 1.5rem;
+      border: 1px dashed var(--border);
+      margin-bottom: 1rem;
+      min-height: 60px;
+    }
+    .preview-area img { max-width: 100%; }
+    .copy-btn {
+      background: transparent;
+      color: var(--dim);
+      border: 1px solid var(--border);
+      padding: 0.3rem 0.8rem;
+      font-size: 0.75rem;
+      margin-left: 0.5rem;
+    }
+    .copy-btn:hover { color: var(--green); border-color: var(--green); }
+    .copied { color: var(--green) !important; }
+    .code-block {
+      background: var(--bg);
+      border: 1px solid var(--border);
+      padding: 0.75rem;
+      margin-bottom: 0.75rem;
+      overflow-x: auto;
+      font-size: 0.8rem;
+      position: relative;
+      word-break: break-all;
+    }
+    .code-block .copy-btn { position: absolute; top: 0.25rem; right: 0.25rem; }
+    .error { color: #ff4444; font-size: 0.85rem; }
+    .muted { color: var(--dim); font-size: 0.8rem; }
+    a { color: var(--green); }
+    .tabs { display: flex; gap: 0; margin-bottom: 0; }
+    .tab {
+      background: transparent;
+      color: var(--dim);
+      border: 1px solid var(--border);
+      border-bottom: none;
+      padding: 0.4rem 1rem;
+      font-size: 0.8rem;
+      border-radius: 2px 2px 0 0;
+      cursor: pointer;
+    }
+    .tab.active { color: var(--green); background: var(--card-bg); border-color: var(--green); }
+  </style>
+</head>
+<body>
+  <h1>▸ BCOS Badge Generator</h1>
+  <p class="subtitle">Beacon Certified Open Source — embed your trust badge</p>
+
+  <div class="card">
+    <label>REPO URL or CERT ID</label>
+    <input type="text" id="input" placeholder="e.g. github.com/user/repo or BCOS-abc123" />
+
+    <label>BADGE STYLE</label>
+    <select id="style">
+      <option value="flat">flat</option>
+      <option value="flat-square">flat-square</option>
+      <option value="for-the-badge">for-the-badge</option>
+    </select>
+
+    <button onclick="generate()">GENERATE</button>
+    <p id="error" class="error" style="margin-top:0.5rem"></p>
+  </div>
+
+  <div class="card" id="result" style="display:none">
+    <label>PREVIEW</label>
+    <div class="preview-area" id="preview"></div>
+
+    <div class="tabs">
+      <span class="tab active" data-tab="md" onclick="switchTab(this)">Markdown</span>
+      <span class="tab" data-tab="html" onclick="switchTab(this)">HTML</span>
+      <span class="tab" data-tab="url" onclick="switchTab(this)">URL</span>
+    </div>
+
+    <div class="code-block" id="code-md"></div>
+    <div class="code-block" id="code-html" style="display:none"></div>
+    <div class="code-block" id="code-url" style="display:none"></div>
+  </div>
+
+  <p class="muted" style="margin-top:2rem">
+    Powered by <a href="https://rustchain.org/bcos/">RustChain BCOS</a> •
+    Verify at <a href="https://rustchain.org/bcos/">rustchain.org/bcos</a>
+  </p>
+
+  <script>
+    const API = 'https://50.28.86.131/bcos';
+    const VERIFY = 'https://rustchain.org/bcos/verify';
+
+    function extractCertId(input) {
+      input = input.trim();
+      // Direct cert ID
+      if (/^BCOS-/i.test(input)) return input;
+      // URL with cert id
+      const m = input.match(/BCOS-[a-zA-Z0-9]+/i);
+      if (m) return m[0];
+      return null;
+    }
+
+    async function lookupRepo(repoUrl) {
+      // Normalize to owner/repo
+      let repo = repoUrl.replace(/^https?:\/\/(www\.)?github\.com\/?/, '').replace(/\/$/, '');
+      if (!repo.includes('/')) return null;
+      try {
+        const res = await fetch(`${API}/verify?repo=${encodeURIComponent(repo)}`);
+        if (!res.ok) return null;
+        const data = await res.json();
+        return data.cert_id || null;
+      } catch { return null; }
+    }
+
+    async function generate() {
+      const input = document.getElementById('input').value.trim();
+      const style = document.getElementById('style').value;
+      const errEl = document.getElementById('error');
+      const resultEl = document.getElementById('result');
+      errEl.textContent = '';
+      resultEl.style.display = 'none';
+
+      if (!input) { errEl.textContent = 'Enter a repo URL or cert ID'; return; }
+
+      let certId = extractCertId(input);
+
+      if (!certId) {
+        // Try repo lookup
+        errEl.textContent = 'Looking up repo...';
+        certId = await lookupRepo(input);
+        errEl.textContent = '';
+        if (!certId) {
+          errEl.textContent = 'No BCOS certification found. Verify your repo is certified at rustchain.org/bcos/';
+          return;
+        }
+      }
+
+      const badgeUrl = `${API}/badge/${certId}.svg?style=${style}`;
+      const verifyUrl = `${VERIFY}/${certId}`;
+
+      // Markdown
+      const md = `[![BCOS Certified](${badgeUrl})](${verifyUrl})`;
+      // HTML
+      const html = `<a href="${verifyUrl}"><img src="${badgeUrl}" alt="BCOS Certified" /></a>`;
+
+      document.getElementById('preview').innerHTML =
+        `<a href="${verifyUrl}" target="_blank"><img src="${badgeUrl}" alt="BCOS Badge" onerror="this.alt='[badge loading — verify API may be offline]'" /></a>`;
+
+      setCode('code-md', md);
+      setCode('code-html', html);
+      setCode('code-url', badgeUrl);
+
+      resultEl.style.display = 'block';
+    }
+
+    function setCode(id, text) {
+      const el = document.getElementById(id);
+      el.textContent = text;
+      const btn = document.createElement('button');
+      btn.className = 'copy-btn';
+      btn.textContent = 'copy';
+      btn.onclick = () => {
+        navigator.clipboard.writeText(text).then(() => {
+          btn.textContent = 'copied!';
+          btn.classList.add('copied');
+          setTimeout(() => { btn.textContent = 'copy'; btn.classList.remove('copied'); }, 1500);
+        });
+      };
+      el.appendChild(btn);
+    }
+
+    function switchTab(el) {
+      document.querySelectorAll('.tab').forEach(t => t.classList.remove('active'));
+      el.classList.add('active');
+      ['md', 'html', 'url'].forEach(t => {
+        document.getElementById('code-' + t).style.display = (t === el.dataset.tab) ? 'block' : 'none';
+      });
+    }
+  </script>
+</body>
+</html>

From d1ee8150f6d2b70340d750dddcd387a1e2689ed9 Mon Sep 17 00:00:00 2001
From: AliaksandrNazaruk <noreply@github.com>
Date: Tue, 24 Mar 2026 18:52:42 +0100
Subject: [PATCH 2/2] fix: replace bare except clauses and shell=True injection
 risk

- Replace 'except:' with 'except Exception:' in fingerprint_checks.py,
  get_hardware_serial.py, rip_proof_of_antiquity_hardware.py, rip_node_sync.py
- Replace shell=True with shlex.split() in get_hardware_serial.py
- Fixes #1822 (bug bounty #305)
---
 node/fingerprint_checks.py              | 16 ++++++++--------
 node/get_hardware_serial.py             | 11 ++++++-----
 node/rip_node_sync.py                   |  2 +-
 node/rip_proof_of_antiquity_hardware.py |  2 +-
 4 files changed, 16 insertions(+), 15 deletions(-)

diff --git a/node/fingerprint_checks.py b/node/fingerprint_checks.py
index 74d251ce4..e01084726 100644
--- a/node/fingerprint_checks.py
+++ b/node/fingerprint_checks.py
@@ -136,7 +136,7 @@ def check_simd_identity() -> Tuple[bool, Dict]:
                     if len(parts) > 1:
                         flags = parts[1].strip().split()
                         break
-    except:
+    except Exception:
         pass
 
     if not flags:
@@ -148,7 +148,7 @@ def check_simd_identity() -> Tuple[bool, Dict]:
             for line in result.stdout.split("\n"):
                 if "feature" in line.lower() or "altivec" in line.lower():
                     flags.append(line.split(":")[-1].strip())
-        except:
+        except Exception:
             pass
 
     has_sse = any("sse" in f.lower() for f in flags)
@@ -553,7 +553,7 @@ def check_anti_emulation() -> Tuple[bool, Dict]:
                 for vm in vm_strings:
                     if vm in content:
                         vm_indicators.append("{}:{}".format(path, vm))
-        except:
+        except Exception:
             pass
 
     # --- Environment variable checks ---
@@ -569,7 +569,7 @@ def check_anti_emulation() -> Tuple[bool, Dict]:
         with open("/proc/cpuinfo", "r") as f:
             if "hypervisor" in f.read().lower():
                 vm_indicators.append("cpuinfo:hypervisor")
-    except:
+    except Exception:
         pass
 
     # --- /sys/hypervisor check (Xen-based cloud VMs expose this) ---
@@ -579,7 +579,7 @@ def check_anti_emulation() -> Tuple[bool, Dict]:
                 hv_type = f.read().strip().lower()
                 if hv_type:
                     vm_indicators.append("sys_hypervisor:{}".format(hv_type))
-    except:
+    except Exception:
         pass
 
     # --- Cloud metadata endpoint check ---
@@ -598,7 +598,7 @@ def check_anti_emulation() -> Tuple[bool, Dict]:
         if "azure" in cloud_body or "microsoft" in cloud_body:
             cloud_provider = "azure"
         vm_indicators.append("cloud_metadata:{}".format(cloud_provider))
-    except:
+    except Exception:
         pass
 
     # --- AWS IMDSv2 check (token-based, t3/t4 Nitro instances) ---
@@ -612,7 +612,7 @@ def check_anti_emulation() -> Tuple[bool, Dict]:
         token_resp = urllib.request.urlopen(token_req, timeout=1)
         if token_resp.status == 200:
             vm_indicators.append("cloud_metadata:aws_imdsv2")
-    except:
+    except Exception:
         pass
 
     # --- systemd-detect-virt (if available) ---
@@ -623,7 +623,7 @@ def check_anti_emulation() -> Tuple[bool, Dict]:
         virt_type = result.stdout.strip().lower()
         if virt_type and virt_type != "none":
             vm_indicators.append("systemd_detect_virt:{}".format(virt_type))
-    except:
+    except Exception:
         pass
 
     data = {
diff --git a/node/get_hardware_serial.py b/node/get_hardware_serial.py
index 7f2d43ecb..472719e2c 100644
--- a/node/get_hardware_serial.py
+++ b/node/get_hardware_serial.py
@@ -1,4 +1,5 @@
 #!/usr/bin/env python3
+import shlex
 """
 Universal Hardware Serial Detection
 Works on: Mac (PPC/Intel/ARM), Linux, Windows
@@ -11,11 +12,11 @@
 def run_cmd(cmd):
     try:
         if isinstance(cmd, str):
-            result = subprocess.run(cmd, shell=True, capture_output=True, text=True, timeout=5)
+            result = subprocess.run(shlex.split(cmd) if isinstance(cmd, str) else cmd, capture_output=True, text=True, timeout=5)
         else:
             result = subprocess.run(cmd, capture_output=True, text=True, timeout=5)
         return result.stdout.strip()
-    except:
+    except Exception:
         return ''
 
 def get_mac_serial():
@@ -53,7 +54,7 @@ def get_linux_serial():
                     serial = f.read().strip()
                     if serial and serial not in ['', 'None', 'To Be Filled']:
                         return serial
-            except:
+            except Exception:
                 pass
     
     # Method 2: dmidecode (requires root)
@@ -68,7 +69,7 @@ def get_linux_serial():
                 serial = f.read().decode('utf-8', errors='ignore').strip('\x00')
                 if serial:
                     return serial
-        except:
+        except Exception:
             pass
     
     return None
@@ -131,7 +132,7 @@ def get_serial_with_fallback():
                         mac = parts[i+1]
                         if mac != '00:00:00:00:00:00':
                             macs.append(mac)
-    except:
+    except Exception:
         pass
     
     if macs:
diff --git a/node/rip_node_sync.py b/node/rip_node_sync.py
index 78355dcdb..9092a03bf 100644
--- a/node/rip_node_sync.py
+++ b/node/rip_node_sync.py
@@ -118,7 +118,7 @@ def get_local_hostname() -> str:
         ip = s.getsockname()[0]
         s.close()
         return ip
-    except:
+    except Exception:
         return "127.0.0.1"
 
 def sync_with_peers():
diff --git a/node/rip_proof_of_antiquity_hardware.py b/node/rip_proof_of_antiquity_hardware.py
index 4a1ff72c5..77a076c54 100644
--- a/node/rip_proof_of_antiquity_hardware.py
+++ b/node/rip_proof_of_antiquity_hardware.py
@@ -158,7 +158,7 @@ def calculate_entropy_score(signals: Dict) -> float:
                 entropy_data = bytes.fromhex(entropy_data.replace(":", ""))
             shannon = calculate_shannon_entropy(entropy_data)
             score += (shannon / 8.0) * 0.4
-        except:
+        except Exception:
             pass
 
     # 2. CPU timing profile match (30%)