archisgore

cargo license --json | jq -r '.[] | "Zerotect,\"" +  .name + "\",\"" + .version + "\",\"https://crates.io/crates/" + .name + "\",\"" + .license + "\",\"" + .repository + "/blob/master/LICENSE\",\"" + .description + "\",Production (Distributed),Static link,No,No,No"' > dependencies.csv

archisgore

#!/bin/bash


# This command clones all repos in a GitHub org and counts lines of code in each
# It can be re-run to collect new repos and pull the latest changes

set -euo pipefail

USAGE="Usage: $0 <user|org> [depth]"

archisgore

#!/bin/bash

install_version() {
	# This would be: NetworkManager.x86_64         1:1.14.0-14.el8            rhel-8-baseos-rhui-rpms
	local -r version_entry="$1"
	# What yum operation do you want?
	local -r operation="$2" 

	echo "    Attempting to install version entry: $version_entry"

archisgore

#!/bin/bash

install_version() {
	# This would be: NetworkManager.x86_64         1:1.14.0-14.el8            rhel-8-baseos-rhui-rpms
	version_entry="$1"
	echo "    Attempting to install version entry: $version_entry"

	# This would be: NetworkManager.x86_64
	package_arch="$(echo $version_entry | awk -F" " '{print $1}')"
	# This would be: NetworkManager (we remove the .x86_64 or any architecture)

archisgore

How to SSH into server:

ssh administrator@ec2-34-213-41-89.us-west-2.compute.amazonaws.com 
#Password: admin

archisgore

NPM/Node.js recently had a clever, yet simple, code injection attack using "dependency confusion" as the vulnerability. I describe the attack as conducted (simulated, really), and a systemic solution Polyverse has been building for the past two years designed to solve specifically this problem.

A recap of the attack, for baseline:

Node dependencies are specified by name and version but not address/location, i.e., {“sorter”: “1.0”, “binary-search”: “2.0”, “polyverse-billing”: 1.0}.

Notice the last one? It’s intended to be Polyverse internal and contains our proprietary (and sensitive) billing code. Obviously it does not exist on npmjs.com, the public upstream node package repository. It instead comes from a private repository hosted by Polyverse.

In a Sequence Diagram, this is how the flow worked before the attack. Pretty straight-forward.

archisgore

SOURCE:
https://polyverse-downloads.s3.amazonaws.com/firefox/mozilla-unified.tar.bz2


BUILDS:
https://polyverse-downloads.s3.amazonaws.com/firefox/plain-firefox-85.0a1.en-US.linux-x86_64.tar.bz2

https://polyverse-downloads.s3.amazonaws.com/firefox/gcc-firefox-85.0a1.en-US.linux-x86_64.tar.bz2

https://polyverse-downloads.s3.amazonaws.com/firefox/debug-new-static-firefox-85.0a1.en-US.linux-x86_64.tar.bz2

archisgore

ssh 107.180.100.242

archisgore

import request from 'sync-request';
import * as glue from '@aws-cdk/aws-glue';

export function polytectJsonSchemaToGlue(): glue.Type {
    console.log("Getting Polytect reference schema...")
    const res = request('GET', 'https://raw.githubusercontent.com/polyverse/polytect/master/reference/schema.json');
    const body = res.getBody();
    const schema = JSON.parse(body.toString());
    return recursiveGlueColumns(schema, schema.definitions);
}

archisgore

import * as cr from '@aws-cdk/custom-resources';
import * as logs from '@aws-cdk/aws-logs';
import * as s3 from '@aws-cdk/aws-s3';
import * as sqs from '@aws-cdk/aws-sqs';
import * as iam from '@aws-cdk/aws-iam';
import {Construct} from '@aws-cdk/core';

// You can drop this construct anywhere, and in your stack, invoke it like this:
// const s3ToSQSNotification = new S3NotificationToSQSCustomResource(this, 's3ToSQSNotification', existingBucket, queue);