Skip to content

Instantly share code, notes, and snippets.

View not-an-aardvark's full-sized avatar

Teddy Katz not-an-aardvark

349 followers · 0 following
View GitHub Profile
@not-an-aardvark
not-an-aardvark / vandalism.yml
Last active June 23, 2023 21:48
Proof-of-concept GitHub Actions workflow exploit (CVE-2021-22862)
# This is a proof-of-concept for a security bug in GitHub Actions which has since been fixed.
# See https://blog.teddykatz.com/2021/03/17/github-actions-write-access.html for more information.
# The proof-of-concept was only ever used in a test environment to validate the existence of the
# vulnerability, and is shown here for educational purposes.
#
# The proof-of-concept would have the effect of creating a `vandalism.md` file, containing vandalism,
# on the default branch of a victim repository.
#
# To use the proof-of-concept, the steps would have been:
# 1. Fork the victim repository
@not-an-aardvark
not-an-aardvark / exploit.js
Last active October 29, 2021 04:22
See https://blog.teddykatz.com/2019/11/23/json-padding-oracles.html for more details.
"use strict";
const crypto = require("crypto");
const fetch = require("node-fetch");
const BLOCK_SIZE = 16;
const PADDING_ORACLE_PAYLOAD = '","user":"admin"}';
const padToBlockSize = text => {
const unpadded = Buffer.from(text, "binary");
@not-an-aardvark
not-an-aardvark / shareable-config-conflict-overview.md
Last active February 19, 2019 20:53

Overview of options and tradeoffs for throwing an error on duplicate plugin names

The main blocker for eslint/eslint#3458 (allowing shareable configs to manage their own plugin dependencies) has been a concern that two shareable configs could depend on two different versions of a plugin. Currently, ESLint's mechanism for referring to a rule from a config (with pluginName/ruleName) implicitly assumes plugin names are globally unique. This has led to proposals like eslint/rfcs#5 that attempt to remove the assumption that plugin names are globally unique, by giving config authors a way to disambiguate plugins with the same name.

The case where two plugins have the same name seems like it would be somewhat rare. As an alternative to a disambiguation mechanism, a few people have suggested simply raising an error when a name conflict happens (i.e. declaring that we don't support that case), which would avoid the complexi

@not-an-aardvark
not-an-aardvark / proof.md
Last active July 25, 2018 05:39

Keybase proof

I hereby claim:

  • I am not-an-aardvark on github.
  • I am not_an_aardvark (https://keybase.io/not_an_aardvark) on keybase.
  • I have a public key ASAIfVUSAjh_DpFTn6ysz8qjWkCSkJyC5E_2a3Tz2bK-HAo

To claim this, I am signing this object:

@not-an-aardvark
not-an-aardvark / eslint-fuzzer.js
Last active April 2, 2017 01:04
Fuzzer to detect ESLint crashes and autofixing errors
"use strict";
//------------------------------------------------------------------------------
// Requirements
//------------------------------------------------------------------------------
const assert = require("assert");
const lodash = require("lodash");
const eslump = require("eslump");
const SourceCodeFixer = require("eslint/lib/util/source-code-fixer");
@not-an-aardvark
not-an-aardvark / .eslintrc.js
Last active September 30, 2017 00:38
How to dogfood your own rules when writing an ESLint plugin. DEPRECATED in favor of https://github.com/not-an-aardvark/eslint-plugin-self
'use strict';
const fs = require('fs');
const path = require('path');
const PACKAGE_NAME = require('./package').name;
const SYMLINK_LOCATION = path.join(__dirname, 'node_modules', PACKAGE_NAME);
// Symlink node_modules/{package name} to this directory so that ESLint resolves this plugin name correctly.
if (!fs.existsSync(SYMLINK_LOCATION)) {
fs.symlinkSync(__dirname, SYMLINK_LOCATION);
@not-an-aardvark
not-an-aardvark / javascript-crash-course.md
Last active March 20, 2023 09:30

This is a crash course in JavaScript. It is intended for people who already have a bit of programming experience in other languages.

This will hopefully give a basic idea of the most-commonly-used language features, but it is not indended to be a comprehensive guide.

This guide was last updated in August 2016.

Basic syntax

To declare a variable called foo:

@not-an-aardvark
not-an-aardvark / throttle.js
Created May 15, 2016 06:13
/* Returns a wrapped version of `func` which calls `func` at most once every `delay` milliseconds.
** The wrapped function returns a Promise which resolves with the result of calling `func` after the delay has finished.
*/
module.exports = (func, delay) => {
var lastTimestamp = -Infinity;
return function (...args) {
var now = Date.now();
lastTimestamp = Math.max(now, lastTimestamp + delay);
return new Promise(resolve => setTimeout(resolve, lastTimestamp - now)).then(() => func.apply(this, args));
@not-an-aardvark
not-an-aardvark / async-without-babel.js
Last active March 24, 2017 18:43
async functions without a transpiler
var Promise = require('bluebird');
var examplePromise1 = Promise.delay(5000);
var examplePromise2 = Promise.delay(2000).return('myValue');
// the following two are equivalent:
// 1. Async function (ES7, only available with a transpiler)
var func = async function (arg1, arg2, arg3) {
await examplePromise1;
@not-an-aardvark
not-an-aardvark / losslessThrottle.js
Last active March 14, 2016 06:39
var _ = require('lodash');
function losslessThrottle(func, wait) {
var scheduledCalls = [];
return function() {
// Add a timestamp to `scheduledCalls` signifying when the current invocation will take place.
// The last element of `scheduledCalls` will be the timestamp of the latest scheduled invocation, so the current
// invocation should occur `wait` milliseconds after that.
var scheduledTimestamp = _.max([_.last(scheduledCalls) + wait, _.now()]);
scheduledCalls.push(scheduledTimestamp);