Jack Sullivan SafeEval

View GitHub Profile
@SafeEval
SafeEval / 000001_init_schema.down.sql
Last active April 18, 2024 04:39
Example of using SQLite with Golang. Create an in-memory DB, with load/save to disk and embedded migrations.
-- file: migrations/00001_init_schema.down.sql
DROP TABLE users;
SafeEval / CVE-2024-3094.md
Last active March 30, 2024 19:49
Cleanup backdoored `xz` 5.6.0-5.6.1 (CVE-2024-3094)

Backdoored xz and liblzma 5.6.0 - 5.6.1 (CVE-2024-3094)

CVSS 10.0 (critical) supply-chain backdoor shipped in the upstream xz/liblzma 5.6.0 and 5.6.1 release tarballs. The injected code ends up inside sshd on distributions whose OpenSSH is patched to link libsystemd (which pulls in liblzma) and hooks RSA public-key authentication, so the SSH service itself is the target.

Filed as CVE-2024-3094

$ xz --version
xz (XZ Utils) 5.6.1
liblzma 5.6.1
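As an added example (not the gist's cleanup script), a small Python check that parses the `xz --version` banner shown above and flags the two backdoored releases. The sample banners are constructed; the `check_installed_xz` helper runs the local `xz` if one is on `PATH`:

```python
#!/usr/bin/env python3
"""Flag backdoored xz/liblzma versions (CVE-2024-3094) from `xz --version` output.

Added example, not the gist's code. Only the reported version string is inspected:
a vendor build that reports 5.6.x but was rebuilt from clean sources is still
flagged, and nothing here looks at the binary itself.
"""
import re
import subprocess

# Upstream releases whose tarballs carried the backdoor.
AFFECTED = {"5.6.0", "5.6.1"}

# Banner lines look like "xz (XZ Utils) 5.6.1" and "liblzma 5.6.1".
_LINE_RE = re.compile(r"^(?P<component>xz \(XZ Utils\)|liblzma)\s+(?P<version>\d+(?:\.\d+)+)")


def parse_versions(banner: str) -> dict:
    """Return {component: version} for the xz and liblzma lines of a banner."""
    found = {}
    for line in banner.splitlines():
        m = _LINE_RE.match(line.strip())
        if m:
            name = "xz" if m.group("component").startswith("xz") else "liblzma"
            found[name] = m.group("version")
    return found


def affected_components(banner: str) -> list:
    """Sorted names of components in the banner whose version is 5.6.0 or 5.6.1."""
    return sorted(c for c, v in parse_versions(banner).items() if v in AFFECTED)


def check_installed_xz() -> list:
    """Run the local `xz --version` (if present) and return the affected components."""
    try:
        proc = subprocess.run(["xz", "--version"], capture_output=True, text=True, check=False)
    except FileNotFoundError:
        return []
    return affected_components(proc.stdout)


# Constructed sample banners for offline use.
SAMPLE_BAD = "xz (XZ Utils) 5.6.1\nliblzma 5.6.1\n"
SAMPLE_MIXED = "xz (XZ Utils) 5.4.6\nliblzma 5.6.0\n"  # library newer than the CLI
SAMPLE_OK = "xz (XZ Utils) 5.4.6\nliblzma 5.4.6\n"

if __name__ == "__main__":
    hits = check_installed_xz()
    print("AFFECTED: " + ", ".join(hits) if hits else "not a 5.6.0/5.6.1 build")
```

The liblzma line is checked separately from the xz line because the shared library is what sshd loads; a system can carry a clean `xz` binary and still link a 5.6.x `liblzma`.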
SafeEval / git-clone-org.sh
Created December 23, 2023 20:08
Clone all active (non-archived) repos from an organization.
#!/bin/bash
set -euo pipefail
export GITHUB_TOKEN=""   # fill in, or leave empty and rely on `gh auth login`
export GITHUB_ORG=""
# Default `gh repo list` output is tab-separated; column 1 is "org/repo".
gh repo list "$GITHUB_ORG" --no-archived --limit 1000 > repo-list.txt
while IFS=$'\t' read -r repo_path _; do
  org="${repo_path%%/*}"
  repo="${repo_path##*/}"
  gh repo clone "$repo_path" "$org/$repo"   # clone into ./<org>/<repo>
done < repo-list.txt
SafeEval / ecr-docker-login.sh
Created August 25, 2023 23:52
Docker login to ECR
#!/bin/bash
# Tired of looking this up.
# Assumes a properly configured AWS CLI profile/credentials and AWS_REGION is set.
set -euo pipefail
: "${AWS_REGION:?AWS_REGION must be set}"
ACCOUNT_ID="$(aws sts get-caller-identity --query 'Account' --output text)"
# The password goes over stdin so it never appears in the process list or shell history.
aws ecr get-login-password --region "$AWS_REGION" | docker login -u AWS --password-stdin "https://${ACCOUNT_ID}.dkr.ecr.${AWS_REGION}.amazonaws.com"
SafeEval / httpd-env-headers.conf
Created August 18, 2023 23:24
Using Apache (httpd), demonstrate returning string literals and environment variables in response headers.
# Using Apache (httpd), demonstrate returning string literals and environment variables in response headers.
#
# Useful for simple containerized web service PoC.
#
# docker run -it --rm -p 80:80 -v "$(pwd)/httpd.conf":"/usr/local/apache2/conf/httpd.conf" httpd
#
# https://httpd.apache.org/docs/current/mod/mod_headers.html
# https://serverfault.com/questions/901459/apache-custom-header-with-an-environment-variable
# ... snip config file contents ....
SafeEval / terraform-github-repo-creation-poc.tf
Last active June 11, 2023 00:02
PoC for Terraform Github repo creation with GHAS settings
###############################################################################
# Workaround for Terraform repository creation with Github Advanced Security
# feature configuration in dynamic blocks.
#
# This works, but you have to run Terraform twice for GHAS settings to apply.
# - Can switch between public and private visibility.
# - Can switch between archived and unarchived.
# - Fails when modifying visibility and archived setting simultaneously.
#
# GHAS API settings depend on existing repository state. Simultaneously modifying
SafeEval / export-keycloak-realm.sh
Created May 27, 2023 05:16
Export a Keycloak realm to JSON files
#!/bin/bash
# https://stackoverflow.com/questions/65200310/export-users-and-roles-from-keycloak
# define the variables: url, credentials to access REST API, and the realm to export
KEYCLOAK_URL="http://keycloak.localhost"
KEYCLOAK_REALM="master"
KEYCLOAK_ADMIN="admin"
KEYCLOAK_ADMIN_PASSWORD="password"
REALM_NAME="demo"
#!/usr/bin/env python3
"""
Pure Python3 example of using a OIDC ID token's `at_hash` claim to verify
an opaque OIDC access token.
Required for Authelia, which doesn't issue JWT access tokens.
If the OIDC implementation uses an /introspection endpoint to verify an opaque
access token, that's another HTTP call that "violates stateless purity."
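The `at_hash` check described above, as an added example that is not the gist's code. It follows OpenID Connect Core 3.1.3.6: hash the ASCII octets of the access token with the hash underlying the ID token's JWS `alg` (SHA-256 for RS256/ES256/PS256/HS256, and so on), keep the left-most half, base64url-encode without padding, and compare to the claim. The access token and ID-token claims below are constructed:

```python
#!/usr/bin/env python3
"""Verify an opaque OIDC access token against the ID token's `at_hash` claim.

Added example, not the gist's code. The tokens and claims used here are constructed.
"""
import base64
import hashlib
import hmac

# JWS alg suffix -> hashlib name. RS256/ES256/PS256/HS256 all hash with SHA-256.
_HASH_FOR_ALG = {"256": "sha256", "384": "sha384", "512": "sha512"}


def hash_for_alg(alg: str) -> str:
    """Map a JWS alg such as RS256, ES384 or PS512 to the hash used for at_hash."""
    for suffix, name in _HASH_FOR_ALG.items():
        if alg.endswith(suffix):
            return name
    raise ValueError(f"unsupported alg for at_hash: {alg}")


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as JOSE requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def compute_at_hash(access_token: str, alg: str = "RS256") -> str:
    """Left-most half of hash(access_token), base64url-encoded."""
    digest = hashlib.new(hash_for_alg(alg), access_token.encode("ascii")).digest()
    return b64url(digest[: len(digest) // 2])


def verify_at_hash(access_token: str, at_hash: str, alg: str = "RS256") -> bool:
    """Constant-time comparison against the claim value."""
    return hmac.compare_digest(compute_at_hash(access_token, alg), at_hash)


def verify_id_token_binding(id_claims: dict, id_token_alg: str, access_token: str) -> bool:
    """True iff the (already signature-verified) ID token binds this access token."""
    at_hash = id_claims.get("at_hash")
    if not isinstance(at_hash, str):
        return False  # ID token not issued together with an access token, or claim stripped
    return verify_at_hash(access_token, at_hash, id_token_alg)


# Constructed inputs: an opaque token and the claims of an ID token minted alongside it.
SAMPLE_ACCESS_TOKEN = "constructed-opaque-access-token"
SAMPLE_ID_CLAIMS = {
    "iss": "https://auth.example.test",
    "sub": "user-1",
    "at_hash": compute_at_hash(SAMPLE_ACCESS_TOKEN, "RS256"),
}

if __name__ == "__main__":
    print(verify_id_token_binding(SAMPLE_ID_CLAIMS, "RS256", SAMPLE_ACCESS_TOKEN))  # True
    print(verify_id_token_binding(SAMPLE_ID_CLAIMS, "RS256", SAMPLE_ACCESS_TOKEN + "x"))  # False
```

Two caveats a practitioner should keep in mind: the comparison is meaningful only after the ID token's own signature, issuer, audience and expiry have been verified, and a matching `at_hash` proves only that this access token was issued together with that ID token, not that it is still valid or unrevoked, which is what an introspection call would tell you. `at_hash` is mandatory for the implicit and hybrid response types but optional in the code flow, so a missing claim is treated as "not bound" rather than as an error.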
SafeEval / postman-generate-jwt.js
Created March 22, 2023 23:30
Postman pre-request script to dynamically generate a HS256 JWT (invalid signature)
/*
References:
- https://stackoverflow.com/questions/67432096/generating-jwt-tokens
- https://faun.pub/auto-generating-jwt-tokens-with-postman-2b6dd4e29897
*/
const duration = 3600 // 1 hour
const issuedAtOffest = 5
const HMACSHA256 = (stringToSign, secret) => "not_implemented"
SafeEval / pyca-aesgcm-example.py
Last active November 7, 2022 02:46
Example of PyCA's high level AESGCM interface.
#!/usr/bin/env python3
"""
pyca-aesgcm-example.py
Author: Jack Sullivan
Example of using PyCA cryptography's high level AESGCM interface
to encrypt and decrypt data. Also demonstrates how modifying ciphertext
data or the auth tag (MAC) invalidates decryption.