Prabhu Subramanian prabhu

prabhu / bidi-check.py
Last active Nov 2, 2021
Python: Look for bi-directional Unicode control characters in a file or directory. CVE-2021-42574 / https://trojansource.codes/
#!/usr/bin/env python3
# python3 bidi-check.py <file or directory>
# This script looks for bi-directional Unicode control characters. Useful to look for CVE-2021-42574 / https://trojansource.codes/
import argparse
import codecs
import os
import sys
import unicodedata
# Bidi_Control code points the scanner reports, keyed by code point
bidi_dict = {}
prabhu / Bidi_Control.txt
Created Nov 2, 2021
Bidi Control characters
# grep -w Bidi_Control /usr/share/unicode/PropList.txt
061C ; Bidi_Control # Cf ARABIC LETTER MARK
200E..200F ; Bidi_Control # Cf [2] LEFT-TO-RIGHT MARK..RIGHT-TO-LEFT MARK
202A..202E ; Bidi_Control # Cf [5] LEFT-TO-RIGHT EMBEDDING..RIGHT-TO-LEFT OVERRIDE
2066..2069 ; Bidi_Control # Cf [4] LEFT-TO-RIGHT ISOLATE..POP DIRECTIONAL ISOLATE
# Check your files for U+061C, U+200E, U+200F, U+202A, U+202B, U+202C, U+202D, U+202E, U+2066, U+2067, U+2068, U+2069
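A complete scanner built on the twelve Bidi_Control code points listed above, as an added example for both the bidi-check.py and Bidi_Control.txt gists (it is not the gist's own code, only its preview is shown above). The code-point set is the Bidi_Control property from PropList.txt; the file-extension list, the grep-style output format, the exit-code convention and the SAMPLE input are assumptions made for this example, and SAMPLE is a constructed line modelled on the comment-based trick described at trojansource.codes, not a real finding.

```python
#!/usr/bin/env python3
"""Find Unicode Bidi_Control characters in a file or directory tree.

Added example for the bidi-check.py and Bidi_Control.txt gists; not the gist's
own code. BIDI_CONTROL is the Bidi_Control property from PropList.txt (the
twelve code points in Bidi_Control.txt). The extension list, output format and
exit codes are assumptions about how a CI check for CVE-2021-42574 should behave.
"""
import os
import sys
import unicodedata

# Bidi_Control: ALM, LRM, RLM, LRE..RLO (202A-202E) and LRI..PDI (2066-2069)
BIDI_CONTROL = frozenset(
    [0x061C, 0x200E, 0x200F]
    + list(range(0x202A, 0x202E + 1))
    + list(range(0x2066, 0x2069 + 1))
)

# Source-like extensions scanned when given a directory (assumed list)
SOURCE_EXTS = (".py", ".js", ".ts", ".go", ".java", ".c", ".h", ".cpp",
               ".rs", ".rb", ".php", ".cs", ".md", ".txt", ".yml", ".yaml")


def find_bidi(text):
    """Return [(line, col, codepoint, name)] for every Bidi_Control char in text.

    Line and column are 1-based so they can be pasted into an editor; columns
    count code points, not bytes.
    """
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            cp = ord(ch)
            if cp in BIDI_CONTROL:
                hits.append((line_no, col, cp, unicodedata.name(ch, "UNKNOWN")))
    return hits


def format_hit(path, hit):
    """Render one hit as path:line:col: U+XXXX NAME (grep-style)."""
    line_no, col, cp, name = hit
    return "%s:%d:%d: U+%04X %s" % (path, line_no, col, cp, name)


def scan_file(path):
    """Scan one file. Invalid UTF-8 is replaced rather than raised so a binary
    or Latin-1 file cannot abort the run; the replacement char is not Bidi_Control."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        return find_bidi(fh.read())


def scan_tree(root):
    """Scan a file, or every SOURCE_EXTS file below a directory.

    Returns {path: hits} containing only files with at least one hit.
    """
    if os.path.isfile(root):
        paths = [root]
    else:
        paths = [
            os.path.join(d, f)
            for d, _dirs, files in os.walk(root)
            for f in files
            if f.lower().endswith(SOURCE_EXTS)
        ]
    results = {}
    for p in sorted(paths):
        hits = scan_file(p)
        if hits:
            results[p] = hits
    return results


# Constructed sample modelled on the "commenting-out" shape from trojansource.codes:
# RLO, LRI and PDI controls sit inside a comment, so an editor that applies the
# bidi algorithm can display a different token order than the compiler sees.
SAMPLE = (
    "int main(void) {\n"
    "    /*\u202e } \u2066if (is_admin)\u2069 \u2066 begin admins only */\n"
    "    return 0;\n"
    "}\n"
)


def main(argv):
    if len(argv) != 2:
        print("usage: bidi-scan.py <file or directory>", file=sys.stderr)
        return 2
    findings = scan_tree(argv[1])
    for path, hits in findings.items():
        for hit in hits:
            print(format_hit(path, hit))
    # Non-zero exit fails the CI job as soon as any control character is found
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 bidi-scan.py .` from a repository root; an exit status of 1 with grep-style lines means at least one Bidi_Control character was found. Ordinary right-to-left text (Hebrew or Arabic letters) does not trigger it, only the explicit control characters do, which keeps the check usable on internationalised code bases.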
prabhu / BidiBrackets.txt
Last active Nov 2, 2021
Unicode Bi-directional Bracket pairs
# apt install unicode-data
# Copied from /usr/share/unicode/BidiBrackets.txt
# BidiBrackets-13.0.0.txt
# Date: 2019-09-09, 19:31:00 GMT [AG, LI, KW]
# © 2019 Unicode®, Inc.
# Unicode and the Unicode Logo are registered trademarks of Unicode, Inc. in the U.S. and other countries.
# For terms of use, see http://www.unicode.org/terms_of_use.html
#
# Unicode Character Database
# For documentation, see http://www.unicode.org/reports/tr44/
prabhu / recent-xstream.md
Created Jul 12, 2021
Known vulnerabilities in the XStream library
| CVE | Description | CVSS 3 base score |
| --- | --- | --- |
| CVE-2021-29505 | XStream is vulnerable to a Remote Command Execution attack. | 8.8 |
| CVE-2021-21341 | XStream can cause a Denial of Service. | 7.5 |
| CVE-2021-21342 | A Server-Side Request Forgery (SSRF) can be triggered when unmarshalling with XStream, to access data streams from an arbitrary URL referencing a resource in an intranet or on the local host. | 9.1 |
| CVE-2021-21343 | XStream is vulnerable to Arbitrary File Deletion on the local host when unmarshalling, as long as the executing process has sufficient rights. | 7.5 |
| CVE-2021-21344 | XStream is vulnerable to an Arbitrary Code Execution attack. | 9.8 |
| CVE-2021-21345 | XStream is vulnerable to a Remote Command Execution attack. | 9.9 |
| CVE-2021-21346 | XStream is vulnerable to an Arbitrary Code Execution attack. | 9.8 |
| CVE-2021-21347 | XStream is vulnerable to an Arbitrary Code Execution attack. | 9.8 |
prabhu / shiftleft-branch.rego
Created Apr 3, 2021
OPA Rego policy for a branch-specific ShiftLeft policy
package shiftleft
# Fail-open default: allow stays true unless an `allow = false { ... }` rule below matches
default allow = true
runtime := opa.runtime()
# App name and API token are read from the OPA process environment
sl_app_name := runtime.env.SHIFTLEFT_APP
sl_access_token := runtime.env.SHIFTLEFT_ACCESS_TOKEN
# io.jwt.decode returns [header, claims, signature]; the org id is a claim.
# Decoding does not verify the signature, which is acceptable here because the
# token is our own bearer credential for the API, not an input being authenticated.
payload := io.jwt.decode(sl_access_token)
sl_org_id := payload[1].orgID
headers := {"Content-Type": "application/json", "Authorization": sprintf("Bearer %s", [sl_access_token])}
prabhu / shiftleft.rego
Created Apr 3, 2021
OPA Rego policy with ShiftLeft API integration
package shiftleft
# Fail-open default: allow stays true unless an `allow = false { ... }` rule below matches
default allow = true
runtime := opa.runtime()
# App name and API token are read from the OPA process environment
sl_app_name := runtime.env.SHIFTLEFT_APP
sl_access_token := runtime.env.SHIFTLEFT_ACCESS_TOKEN
# io.jwt.decode returns [header, claims, signature]; the org id is a claim.
# Decoding does not verify the signature, which is acceptable here because the
# token is our own bearer credential for the API, not an input being authenticated.
payload := io.jwt.decode(sl_access_token)
sl_org_id := payload[1].orgID
headers := {"Content-Type": "application/json", "Authorization": sprintf("Bearer %s", [sl_access_token])}
prabhu / bitbucket-pipelines.yml
Last active Jul 26, 2020
Bitbucket Pipelines steps that run ShiftLeft analysis and the ShiftLeft Insights script
- step:
    name: ShiftLeft NextGen Analysis
    script:
      # -f makes curl fail on an HTTP error instead of saving the error page as the binary
      - curl -fsSL https://cdn.shiftleft.io/download/sl > $HOME/sl && chmod a+rx $HOME/sl
      - $HOME/sl analyze --no-diagnostic --force --app ${BITBUCKET_REPO_SLUG} --tag branch=${BITBUCKET_BRANCH} --go --cpg $(pwd)
- step:
    image: python:3.7-slim
    name: ShiftLeft NG SAST Code Insights
    script:
      - pip install requests
prabhu / shiftleft-bitbucket-insights.py
Created Jul 26, 2020
Python script to present ShiftLeft NG SAST findings as Bitbucket code insights
#!/usr/bin/python
# pip install requests
import os
import sys
import requests
# Collect the required variables
APP_ID = os.getenv("BITBUCKET_REPO_SLUG")
SHIFTLEFT_ORG_ID = os.getenv("SHIFTLEFT_ORG_ID")
prabhu / bitbucket-proxy-api.py
Created Jul 26, 2020
Example of making Bitbucket API calls from Pipelines using the local proxy
import requests
# Use the local Bitbucket Pipelines proxy to avoid the need for an app password:
# the proxy adds the authentication for api.bitbucket.org itself.
proxies = {
    "http": "http://localhost:29418",
    # The https entry also points at the plain-http proxy address on purpose
    "https": "http://localhost:29418",
}
# Pass proxies=proxies to requests calls to make
# authenticated calls without app passwords
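The two gists above (the Code Insights script and the proxy snippet) fit together as one pipeline step: turn SAST findings into a Code Insights report plus per-line annotations and push them through the local proxy. The following is an added example of that flow; it is not ShiftLeft's code nor the gist author's. The proxy address comes from the snippet above and the BITBUCKET_WORKSPACE, BITBUCKET_REPO_SLUG and BITBUCKET_COMMIT variables from Bitbucket Pipelines; API_BASE, REPORT_ID, the 100-per-request annotation batch, the FAIL_ON threshold and the report/annotation payload fields are this example's assumptions about the Bitbucket Code Insights REST API, and FINDINGS is a constructed, generic finding list rather than ShiftLeft's result format. It uses only the standard library so it runs where `requests` is not installed.

```python
#!/usr/bin/env python3
"""Publish SAST findings to Bitbucket Code Insights through the Pipelines proxy.

Added example, not ShiftLeft's or the gist author's code. PROXIES matches the
bitbucket-proxy-api.py snippet; API_BASE, REPORT_ID, ANNOTATION_BATCH, FAIL_ON
and the payload field names are assumptions about the Code Insights API.
FINDINGS is constructed sample data in a generic shape.
"""
import json
import os
import urllib.request

# The in-pipeline proxy injects authentication for api.bitbucket.org, so no app
# password is stored as a repository variable. Both schemes use the plain-http
# proxy address on purpose.
PROXIES = {
    "http": "http://localhost:29418",
    "https": "http://localhost:29418",
}
API_BASE = "https://api.bitbucket.org/2.0"   # assumption: REST base URL
REPORT_ID = "sast-findings"                   # assumption: any stable report id
ANNOTATION_BATCH = 100                        # assumption: bulk limit per request

# Constructed sample findings (generic shape, not ShiftLeft's JSON)
FINDINGS = [
    {"id": "f-1", "title": "SQL injection", "severity": "critical",
     "path": "app/db.py", "line": 42, "detail": "Untrusted input reaches execute()"},
    {"id": "f-2", "title": "Hardcoded credential", "severity": "high",
     "path": "app/config.py", "line": 7, "detail": "Password literal in source"},
    {"id": "f-3", "title": "Weak hash", "severity": "low",
     "path": "app/util.py", "line": 88, "detail": "MD5 used for integrity"},
]

SEVERITY_MAP = {"critical": "CRITICAL", "high": "HIGH", "medium": "MEDIUM", "low": "LOW"}
FAIL_ON = {"CRITICAL", "HIGH"}   # assumption: severities that mark the report FAILED


def build_report(findings, title="SAST scan"):
    """Report document; result is FAILED when any finding reaches FAIL_ON."""
    sev = [SEVERITY_MAP.get(f["severity"].lower(), "LOW") for f in findings]
    failed = any(s in FAIL_ON for s in sev)
    return {
        "title": title,
        "details": "%d finding(s)" % len(findings),
        "report_type": "SECURITY",
        "reporter": "sast-pipeline-step",
        "result": "FAILED" if failed else "PASSED",
        "data": [
            {"title": "Critical/High", "type": "NUMBER",
             "value": sum(1 for s in sev if s in FAIL_ON)},
            {"title": "Total", "type": "NUMBER", "value": len(findings)},
        ],
    }


def build_annotations(findings):
    """One VULNERABILITY annotation per finding, anchored to path:line."""
    out = []
    for f in findings:
        sev = SEVERITY_MAP.get(f["severity"].lower(), "LOW")
        out.append({
            "external_id": f["id"],
            "title": f["title"],
            "annotation_type": "VULNERABILITY",
            "severity": sev,
            "path": f["path"],
            "line": int(f["line"]),
            "summary": f["detail"][:450],   # assumption: summary is length-limited
            "result": "FAILED" if sev in FAIL_ON else "PASSED",
        })
    return out


def chunks(items, size):
    """Split items into lists of at most `size` entries."""
    return [items[i:i + size] for i in range(0, len(items), size)]


def make_opener():
    """urllib opener that routes every call through the Pipelines proxy."""
    return urllib.request.build_opener(urllib.request.ProxyHandler(PROXIES))


def send(opener, method, url, payload):
    body = json.dumps(payload).encode("utf-8")
    req = urllib.request.Request(url, data=body, method=method,
                                 headers={"Content-Type": "application/json"})
    with opener.open(req, timeout=30) as resp:
        return resp.status


def publish(findings, opener=None):
    """PUT the report, then POST annotations in batches (network side effects)."""
    opener = opener or make_opener()
    base = "%s/repositories/%s/%s/commit/%s/reports/%s" % (
        API_BASE, os.environ["BITBUCKET_WORKSPACE"], os.environ["BITBUCKET_REPO_SLUG"],
        os.environ["BITBUCKET_COMMIT"], REPORT_ID)
    send(opener, "PUT", base, build_report(findings))
    for batch in chunks(build_annotations(findings), ANNOTATION_BATCH):
        send(opener, "POST", base + "/annotations", batch)


if __name__ == "__main__":
    publish(FINDINGS)
```

Keeping the payload builders separate from the network calls is what makes the step testable without a Bitbucket token: the report and annotation documents can be asserted on locally, and only `publish` touches the proxy.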
prabhu / bitbucket-reusable-pipelines.yml
Created Jul 26, 2020
Reusable Bitbucket pipelines configuration with YAML anchors
definitions:
  steps:
    - step: &build
        name: Build microservices jar
        script:
          - mvn package
        artifacts:
          - target/**
    - step: &build-react
        name: Build React app