Joshua Tauberer JoshData

@JoshData
JoshData / commonmark-tests.md
Last active February 9, 2017 15:59
Is your CommonMark renderer safe?

Potential CommonMark Exploits

This CommonMark file demonstrates some potential exploits if untrusted input is rendered with a compliant renderer. The point of this file isn't to say that CommonMark is unsafe --- the features below are very useful in many situations and are worth having in the CommonMark spec --- but that it is not safe to give untrusted input to CommonMark renderers without taking precautions.

GitHub doesn't render gists using CommonMark, so they won't appear as exploits below. Look at the source of this gist for the actual CommonMark.

Exploits

This link will execute a script.

@JoshData
JoshData / usps-state-abbrevs.txt
Created September 28, 2016 19:07
USPS state abbreviations for all addressable mail
# All state abbreviations for U.S. mail, from the USPS
# Postal Addressing Standards "Publication 28," May 2015,
# page 55.
#
# This list includes the 50 States, the District of Columbia,
# Puerto Rico, island territories, and overseas military addresses.
#
# source:
#
# http://pe.usps.gov/text/pub28/28apb.htm
@JoshData
JoshData / gist:7651336
Created November 26, 2013 00:21
DC Health Link stack trace during payment
Server Error in '/ConsumerPortal' Application.
Child actions are not allowed to perform redirect actions.
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.
Exception Details: System.InvalidOperationException: Child actions are not allowed to perform redirect actions.
Source Error:
@JoshData
JoshData / gist:7651123
Last active December 29, 2015 09:29
DC Health Link error stack trace
message: undefined
exceptionName: NullPointerException
exceptionClass: java.lang.NullPointerException
exceptionStack: java.lang.NullPointerException
at com.connecture.stateadvantage.process.ConfigurationProcess.findIndividualSaveAndExitURLsForPermission(ConfigurationProcess.java:129)
at com.connecture.stateadvantage.ui.SaveAndLoadAction.setCustomPropertiesBasedOnFlow(SaveAndLoadAction.java:760)
at com.connecture.stateadvantage.ui.SaveAndLoadAction.loadApplicationData(SaveAndLoadAction.java:188)
@JoshData
JoshData / gist:5212696
Created March 21, 2013 12:34
Deploy CKAN 2 beta from source on Ubuntu 12.04 64bit w/ Solr
# Spin up an Ubuntu 12.04 LTS (64bit) server.
# The following are based on the source install of CKAN....
# http://ckan.readthedocs.org/en/latest/install-from-source.html
# install dependencies
sudo apt-get update
sudo apt-get install python-dev postgresql libpq-dev python-pip python-virtualenv git-core
# We'll install in the ubuntu user's home directory, i.e.
@JoshData
JoshData / gist:48db3364802deac4348f
Created April 27, 2015 22:48
miab video script draft
Hello and welcome to the Mail-in-a-Box setup guide. Mail-in-a-Box
helps you take control of your email with an easy to deploy mail
server in a box. This video tutorial will walk you through the same
instructions that are found in the setup guide on the Mail-in-a-Box
website. This will take you about two hours.
Let’s say I want a new email address for myself, say, me@joshmail.xyz.
I’m going to need a domain name --- that’s joshmail.xyz. And a server.
Mail-in-a-Box configures that server so that it provides mail server
functionality, including support for mobile devices, webmail, spam
### Keybase proof
I hereby claim:
* I am JoshData on github.
* I am joshdata (https://keybase.io/joshdata) on keybase.
* I have a public key whose fingerprint is 5F4C 0E73 13CC D744 693B 2AEA B920 41F4 C10B DD81
To claim this, I am signing this object:
@JoshData
JoshData / Hagström.py
Created July 27, 2014 02:26
Hagström
import subprocess, binascii
chars = ("Ö", "ö")
print(" ", chars[0], chars[1], sep="\t")
charsets = subprocess.check_output("iconv -l", shell=True).decode("ascii").split("\n")
for charset in charsets:
    try:
        encoded = []
        for c in chars:
@JoshData
JoshData / wtp.py
Created July 5, 2014 17:32
We the People API => JSON fetcher
#!/usr/bin/python3
# Gets a dump of all of the data in the We The People (read) API.
# See https://petitions.whitehouse.gov/developers.
#################################################################
import json, urllib.request, datetime, sys
def fetch(uri):
    print(uri, file=sys.stderr)
@JoshData
JoshData / DChenge.py
Last active August 29, 2015 14:02
DCHenge (like Manhattanhenge but for every day of the year in DC)
#!/usr/bin/python3
#Get the Census's TIGER/Line roads database for the District of Columbia and convert it into GeoJSON:
#
# wget ftp://ftp2.census.gov/geo/tiger/TIGER2013/ROADS/tl_2013_11001_roads.zip
# unzip tl_2013_11001_roads.zip
# ogr2ogr -f geojson dcroads2.geojson tl_2013_11001_roads.shp
import sys, json, datetime, math