Path Traversal in Session Handling Leads to Unsafe Deserialization and Remote Code Execution (RCE)

Severity (CVSSv4)

9.2 CRITICAL - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L

Description

pgAdmin4 uses a file-based session management approach. The session files are saved on disk as pickle objects. When a user performs a request, the value of the session cookie pga4_session is used to locate the file, then its content is deserialized, and only afterwards is its signature verified.

@dorosch
dorosch / pgadmin-brute-force.py
Created March 11, 2024 10:04
PgAdmin brute-force login with csrf-token
import re
import logging
import argparse
import aiohttp
from bs4 import BeautifulSoup
import asyncio
import string
import itertools
@dorosch
dorosch / impala-migration.py
Created June 1, 2023 07:51
Tool for managing migrations for Impala
import os
import json
from glob import glob
from pathlib import Path
from datetime import datetime
from types import ModuleType
from typing import List, Type, Optional, Dict
from typing import Protocol
import importlib.util
use std::net::{TcpListener, TcpStream};
use std::thread;
use std::sync::mpsc;
use std::io::Write;
use std::io::BufReader;
use std::io::BufRead;
use std::io::BufWriter;
use std::io::ErrorKind;
@dorosch
dorosch / validator.py
Created February 23, 2022 15:08
Base validator class
import abc
from django.core.exceptions import ValidationError
class BaseValidator(abc.ABC):
"""
Base validator class for collecting and running validations.
Every method starting with 'validate_' will be considered validation.
@dorosch
dorosch / routers.js
Created June 30, 2020 21:34
vue-router two views for one route
import VueRouter from 'vue-router'
import Index from './components/Index'
import Dashboard from './components/Dashboard'
import authentificate from './auth'
const routes = [
{ path: '/', name: 'index', component: Index, beforeEnter: check_if_auth },
{ path: '/', name: 'dashboard', component: Dashboard, beforeEnter: check_if_auth }
@dorosch
dorosch / canvas.py
Created June 4, 2020 07:37
Tkinter draw line pixel by pixel
from tkinter import Tk, Canvas, PhotoImage, mainloop
class Color:
BLACK = '#000000'
WHITE = '#ffffff'
class CustomCanvas(Canvas):
"""Class for drawing on a canvas pixel by pixel (kept as simple as possible)
@dorosch
dorosch / apps.py
Created May 17, 2020 14:38
Dynamically create an additional list of databases for settings.py
from django import apps
from django import conf
from apps.database.models import Database
class DatabaseAppConfig(apps.AppConfig):
"""
You can only supplement the list of standard database settings
when loading the application, since during the first pass through
@dorosch
dorosch / services.py
Created May 17, 2020 08:23
Provide mapping of a model to JSON and back with custom fields
import abc
from django.forms.models import model_to_dict
class Mapping(abc.ABC):
model = None
fields = {}
@classmethod
@dorosch
dorosch / timestamp_field.py
Created April 27, 2020 13:35
DRF TimestampField with support for unix timestamps
from datetime import datetime
from rest_framework import serializers
from rest_framework.settings import api_settings
class TimestampField(serializers.Field):
def to_internal_value(self, value):
return datetime.utcfromtimestamp(
int(value)