Liran Tal (lirantal)

💟 Writing a book on Node.js Secure Coding
lirantal / fetch-updates-snyk-io-website.js
Created April 14, 2024 09:21
Fetch the contents of RSS feed updates on https://updates.snyk.io website into an array of objects
```js
// This function will find all elements with the class "changelogItem published"
// and extract the desired information, including preserving only links in the content body.
function extractNewsItems() {
  // Get all elements with the class "changelogItem published"
  const items = document.querySelectorAll('.changelogItem.published');
  // Initialize an empty array to hold the news items
  const newsItems = [];
  // Function to process content to keep only text and anchor tags
```
lirantal / chatgpt-generated-fastify-app-for-file-uploads.js
Created September 12, 2023 11:32
ChatGPT-generated Fastify Node.js app for file uploads
```js
const fastify = require("fastify")();
const fs = require("fs");
const path = require("path");

// Set the directory where uploaded files will be saved
const UPLOADS_DIRECTORY = "uploads/";

// Create the uploads directory if it doesn't exist
if (!fs.existsSync(UPLOADS_DIRECTORY)) {
  fs.mkdirSync(UPLOADS_DIRECTORY);
}
```
lirantal / node-sandbox.md
Last active August 28, 2023 11:06
node-sandbox

The following creates a container with a mounted volume so it can be used as a sandbox that does not expose your local development environment in case a rogue npm package tries to steal your .npmrc token, environment variables, or other secrets on the host.

Run the following:
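The gist's own command is cut off in this preview. As an added example, not the gist's commands, the POSIX shell functions below start such a sandbox with docker(1). Assumptions: docker is on PATH, the image is the official node:20-slim (any image with a non-root `node` user works), and the project directory is passed as the first argument. Two things make it a sandbox rather than just a container: `docker run` does not forward the host environment unless you pass variables with -e/--env-file, so NPM_TOKEN, GITHUB_TOKEN, AWS_* and friends never reach a rogue postinstall script, and the mount check refuses to bind "/", your home directory, or a parent of it, which would hand over ~/.npmrc, ~/.ssh and ~/.aws and defeat the point.

```shell
#!/bin/sh
# Added example, not the gist's own commands. Assumes docker(1) on PATH and an
# image with a non-root `node` user (the official node images ship one).

# Refuse a mount that would expose your whole profile: "/", $HOME itself, or a
# parent of $HOME (mounting /home or /Users hands over ~/.npmrc, ~/.ssh, ~/.aws
# and shell history). Returns 0 when the directory is acceptable, 1 otherwise.
sandbox_mount_is_safe() {
  dir=$(cd "$1" 2>/dev/null && pwd -P) || return 1
  home=$(cd "${HOME:-/nonexistent}" 2>/dev/null && pwd -P) || home=/nonexistent
  case "$dir" in
    /|"$home") return 1 ;;
  esac
  case "$home" in
    "$dir"/*) return 1 ;;
  esac
  return 0
}

# Open an interactive shell in a throwaway container with only the project
# directory mounted at /work, then run `npm install` inside it. Nothing from the
# host environment is forwarded: `docker run` passes only variables given
# explicitly with -e/--env-file, so NPM_TOKEN, GITHUB_TOKEN, AWS_* and friends
# stay on the host. The container is deleted on exit (--rm).
run_sandbox() {
  project_dir=$1
  image=${2:-node:20-slim}
  sandbox_mount_is_safe "$project_dir" || {
    echo "refusing to mount '$project_dir': it would expose your whole profile" >&2
    return 2
  }
  docker run --rm -it --name npm-sandbox \
    --user node \
    --cap-drop ALL \
    --security-opt no-new-privileges \
    --volume "$(cd "$project_dir" && pwd -P)":/work \
    --workdir /work \
    "$image" sh
}
```

Invoke it as `run_sandbox ./my-project`. Everything inside the project directory is still visible to the package, so keep auth tokens out of a project-level .npmrc. If you want to run the installed code, not just install it, add `--network none` so a malicious dependency cannot phone home with whatever it finds in /work.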

lirantal / terminal-with-powerline.sh
Last active December 2, 2022 09:19
Hyper terminal + Powerline 9k terminal theme for oh-my-zsh
```sh
# Use hyper.is or iTerm2 as terminal emulators
# Install ohmyzsh
# https://github.com/robbyrussell/oh-my-zsh
# Copy over configs from ~/.bash_profile
# For example, it may have the nvm setup or any aliases like exa=ls and cat=bat
# ~/.hyper.js configuration:
copyOnSelect: true
```
lirantal / ctf101-instructions.md
Created October 3, 2022 10:42
CTF 101 - Node.js vulnerable app

Read all chat messages

```sh
curl --request GET --url "http://localhost/chat"
```

Send a chat message

```sh
curl --request PUT \
  --url "http://localhost/chat" \
  --header 'content-type: application/json' \
```
lirantal / git-clone-or-pull-command-injection.md
Last active August 10, 2022 09:38
Command Injection vulnerability in git-clone-or-pull@2.0.1
lirantal / snyk-frontend-vulns-convert-to-wpt-format.js
Created July 12, 2020 06:04
Transform Snyk's frontend vulns snapshot to WebPageTest DB
```js
/* eslint-disable security/detect-non-literal-fs-filename */
/* eslint-disable security/detect-object-injection */
'use strict'
const fs = require('fs')
// const
const filePath = process.argv[2]
console.log('Input file is: ', filePath)
```
lirantal / why-absence-of-lockfiles-doesnt-help-consumers.md
Created December 30, 2019 12:53
Why the absence of lockfiles doesn't help consumers

  1. you build a library: thewesley
  2. it has no lockfile
  3. it has a prod dep: baby-yoda@~1.0.0
  4. you publish thewesley@1.0.0 and test that it works well with baby-yoda@1.0.0
  5. it's Dec 30: you're on your honeymoon
  6. it's Dec 31: baby-yoda publishes an incompatible 1.0.1 (still within ~1.0.0)
  7. it's Jan 1st: I install thewesley@1.0.0
lirantal / README.md
Last active December 23, 2019 23:15
lockfile-lint concerns with yarn.lock

How to reproduce

  1. Start with only the package.json manifest
  2. Run yarn install
  3. Check /tmp/world.txt (it should not exist yet)
  4. Update the yarn.lock file with the one provided in this gist
  5. Run yarn install (or yarn install --frozen-lockfile, which is also susceptible to this attack vector)
  6. Confirm /tmp/world.txt is now created on the filesystem
lirantal / README.md
Created December 23, 2019 22:51
lockfile-lint concerns with package.lock

How to reproduce

  1. Start with only the package.json manifest
  2. Run npm install
  3. Check /tmp/world.txt (it should not exist yet)
  4. Update the package-lock.json file with the one provided in this gist
  5. Run rm -rf node_modules/ && npm install (notice that this vector requires removing the node_modules/ folder first: npm does not re-fetch a package that is already installed at the locked version)
  6. Confirm /tmp/world.txt is now created on the filesystem
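Both lockfile gists above reproduce the same tamper: a lockfile entry whose `resolved` URL points at a tarball the attacker controls, which `npm install`, `yarn install` and `yarn install --frozen-lockfile` all fetch as instructed, and whose install script then runs (here, writing /tmp/world.txt). As an added example, not the gists' own code, the POSIX shell functions below are the pre-install guard a CI job would run: they pull every `resolved` URL out of a package-lock.json or a yarn.lock v1 and flag any that is not https or whose host is not on an exact-match allowlist. The sample lockfiles are constructed for the demo (package names left-pad and ms, attacker hosts under .example, dummy integrity values).

```shell
#!/bin/sh
# Added example, not the gists' own code: a pre-install lockfile guard.

# Print every "resolved" URL found in a package-lock.json (`"resolved": "..."`)
# or a yarn.lock v1 (`resolved "...#sha1"`), one per line, fragment stripped.
lockfile_resolved_urls() {
  grep -o 'resolved"\{0,1\}:\{0,1\} *"[^"]*"' "$1" \
    | sed 's/.*"\([^"]*\)"$/\1/' \
    | sed 's/#.*$//'
}

# Flag entries that are not https or whose host is not in the allowlist. The
# host comparison is an exact string match, so look-alikes such as
# registry.npmjs.org.attacker.example or registry.npmjs.org@attacker.example
# fail closed. Prints one finding per line; returns 1 if anything was flagged.
lockfile_check() {
  lockfile=$1
  allowed=${2:-"registry.npmjs.org registry.yarnpkg.com"}
  bad=0
  for url in $(lockfile_resolved_urls "$lockfile"); do
    case $url in
      https://*) ;;
      *) echo "not https: $url"; bad=1; continue ;;
    esac
    host=${url#https://}
    host=${host%%/*}
    ok=0
    for h in $allowed; do
      if [ "$host" = "$h" ]; then ok=1; fi
    done
    if [ "$ok" -ne 1 ]; then
      echo "untrusted host $host: $url"
      bad=1
    fi
  done
  return $bad
}

# Constructed samples (not the gists' files): one clean entry per file and one
# whose "resolved" was rewritten to an attacker-controlled tarball.
write_sample_lockfiles() {
  cat > "$1/package-lock.json" <<'EOF'
{
  "name": "victim", "lockfileVersion": 1,
  "dependencies": {
    "left-pad": {
      "version": "1.3.0",
      "resolved": "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz",
      "integrity": "sha512-dummy"
    },
    "ms": {
      "version": "2.1.2",
      "resolved": "https://registry.npmjs.org.attacker.example/ms/-/ms-2.1.2.tgz",
      "integrity": "sha512-dummy"
    }
  }
}
EOF
  cat > "$1/yarn.lock" <<'EOF'
# yarn lockfile v1

left-pad@^1.3.0:
  version "1.3.0"
  resolved "https://registry.yarnpkg.com/left-pad/-/left-pad-1.3.0.tgz#5b8a3a8b"
  integrity sha512-dummy

ms@^2.1.2:
  version "2.1.2"
  resolved "http://attacker.example/ms-2.1.2.tgz#deadbeef"
EOF
}

# Demo: write the constructed samples to a temp dir and check both files.
demo_dir=$(mktemp -d)
write_sample_lockfiles "$demo_dir"
for f in package-lock.json yarn.lock; do
  if lockfile_check "$demo_dir/$f"; then echo "$f: clean"; else echo "$f: TAMPERED"; fi
done
rm -rf "$demo_dir"
```

Run it before `npm ci` or `yarn install --frozen-lockfile`: those modes only verify that the lockfile agrees with package.json, not where its entries point, which is exactly what the two reproductions above exploit. This guard checks URLs only; it does not verify that every entry carries an integrity hash or that the package name in the URL matches the entry, so treat it as a floor rather than a replacement for a full lockfile linter.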

References