prabhu /
Created July 18, 2020 13:52
Protect github branches, mandate status checks with Terraform
# Protect the master branch. Enforce that ci/tests and shiftleft should pass to allow merges
# Allow PR to be dismissed by sem-user and managers team
# (github provider 2.x schema: the repository is referenced by name; the
#  repository name is assumed to arrive as a Terraform input variable)
resource "github_branch_protection" "protect_master" {
  repository             = var.github_repository_name
  branch                 = "master"
  enforce_admins         = true
  require_signed_commits = false
  required_status_checks {
    strict   = false
    contexts = ["ci/tests", "shiftleft"]
  }
  required_pull_request_reviews {
    dismissal_users = ["sem-user"]
    dismissal_teams = ["managers"]
  }
}
"reachables" : [
"flows" : [
"id" : 44,
"name" : "this",
"fullName" : "",
"signature" : "",
prabhu / bitbucket-reusable-pipelines.yml
Created July 26, 2020 13:56
Reusable Bitbucket pipelines configuration with YAML anchors
definitions:
  steps:
    - step: &build
        name: Build microservices jar
        script:
          - mvn package
        artifacts:
          - target/**
    - step: &build-react
        name: Build React app
prabhu / bom.xslt
Created June 4, 2020 02:04
XSLT to transform CycloneDX SBoM xml to Markdown
<!-- The bom namespace must match the schema version of the input SBOM; 1.2 is assumed here -->
<xsl:stylesheet version="1.0"
                xmlns:bom="http://cyclonedx.org/schema/bom/1.2"
                xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:output method="text" />
  <xsl:template match="/">
    <xsl:text>## Project dependencies&#xA;&#xA;</xsl:text>
    <xsl:text>| Vendor | Name | Version | License Id |&#xA;</xsl:text>
    <xsl:text>| -------|------|---------|------------|&#xA;</xsl:text>
  </xsl:template>
</xsl:stylesheet>
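The same CycloneDX-to-Markdown transformation written in Python, as an added example that is not the gist's own code. It goes a little beyond the XSLT preview: the bom namespace is read from the root element rather than hard-coded (the stylesheet must otherwise be edited for every schema version), the license is taken from `<license><id>`, then `<license><name>`, then `<expression>`, and pipes in component names are escaped so a crafted name cannot break the table. The SBOM below is constructed for the demonstration; the component names and versions in it are illustrative only.

```python
"""Render a CycloneDX SBOM as a Markdown dependency table.

Added example, not the gist's own code. SAMPLE_BOM is constructed for the
demonstration; the namespace is read from the document so the same code
works for CycloneDX 1.1, 1.2 and later XML schemas.
"""
import xml.etree.ElementTree as ET

SAMPLE_BOM = """<bom xmlns="http://cyclonedx.org/schema/bom/1.2" version="1">
  <components>
    <component type="library">
      <publisher>com.thoughtworks.xstream</publisher>
      <name>xstream</name>
      <version>1.4.15</version>
      <licenses><license><id>BSD-3-Clause</id></license></licenses>
    </component>
    <component type="library">
      <name>lodash</name>
      <version>4.17.20</version>
      <licenses><license><name>MIT License</name></license></licenses>
    </component>
    <component type="library">
      <group>org.example</group>
      <name>no-license|pipe</name>
      <version>0.1</version>
    </component>
  </components>
</bom>
"""


def _ns_of(root):
    """Namespace URI of the root element, or '' for an un-namespaced document."""
    return root.tag[1:].split("}", 1)[0] if root.tag.startswith("{") else ""


def components(xml_text):
    """Return one dict per <component>: vendor, name, version, license."""
    root = ET.fromstring(xml_text)
    ns = _ns_of(root)
    tag = (lambda name: "{%s}%s" % (ns, name)) if ns else (lambda name: name)

    def text_of(parent, name):
        el = parent.find(tag(name))
        return (el.text or "").strip() if el is not None else ""

    rows = []
    for comp in root.iter(tag("component")):
        lic = comp.find(tag("licenses") + "/" + tag("license"))
        expr = comp.find(tag("licenses") + "/" + tag("expression"))
        if lic is not None:
            # SPDX id preferred; fall back to the free-text license name
            license_id = text_of(lic, "id") or text_of(lic, "name")
        elif expr is not None:
            license_id = (expr.text or "").strip()
        else:
            license_id = ""
        rows.append({
            # CycloneDX has both publisher and group; use whichever is present
            "vendor": text_of(comp, "publisher") or text_of(comp, "group"),
            "name": text_of(comp, "name"),
            "version": text_of(comp, "version"),
            "license": license_id,
        })
    return rows


def _cell(value):
    """Escape pipes so a component name cannot break the table; '-' for empty."""
    return value.replace("|", "\\|") if value else "-"


def to_markdown(rows):
    """Same header as the XSLT: a '## Project dependencies' heading and a 4-column table."""
    lines = [
        "## Project dependencies",
        "",
        "| Vendor | Name | Version | License Id |",
        "| -------|------|---------|------------|",
    ]
    for r in rows:
        cells = tuple(_cell(r[k]) for k in ("vendor", "name", "version", "license"))
        lines.append("| %s | %s | %s | %s |" % cells)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    import sys
    # With a path argument, convert that bom.xml; otherwise render the sample.
    source = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_BOM
    sys.stdout.write(to_markdown(components(source)))
```

Run it as `python3 bom2md.py bom.xml > deps.md` (script name assumed). Reading the namespace from the root is the practical fix for the `xmlns:bom` version coupling visible in the stylesheet above.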
prabhu /
Created December 23, 2022 21:18
Analyze NodeGoat using joern
// git clone
// Install joern
// importCode("NodeGoat")
val requestPattern =
val taintSourcePattern = "(?s)(?i).*" + requestPattern + ".*"
val responsePattern =
prabhu /
Created June 26, 2020 09:31
Script to perform security scan of top repos on GitHub using ShiftLeft Scan. Use it to produce your own state of the opensource security reports.
#!/usr/bin/env bash
# Script to clone top repos on github based on language and invoke ShiftLeft Scan against the repos to find vulnerabilities
# Use case 1: Scan the top repos on GitHub and write a state of opensource report to criticize opensource!
# Use case 2: Scan the top repos on GitHub and sell your magical security product to guard organizations against opensource vulnerabilities!
mkdir -p reports_dir
mkdir -p work_dir && cd work_dir
# Get the latest scan image
docker pull shiftleft/scan
prabhu /
Last active November 2, 2021 15:54
Python: Look for Bi-directional unicode characters in a file or directory. CVE-2021-42574 /
#!/usr/bin/env python3
# python3 <file or directory>
# This script looks for bi-directional unicode characters. Useful to look for CVE-2021-42574 /
import argparse
import codecs
import os
import sys
import unicodedata
bidi_dict = {}
prabhu / Bidi_Control.txt
Created November 2, 2021 14:01
Bidi Control characters
# grep -w Bidi_Control /usr/share/unicode/PropList.txt
061C ; Bidi_Control # Cf ARABIC LETTER MARK
200E..200F ; Bidi_Control # Cf [2] LEFT-TO-RIGHT MARK..RIGHT-TO-LEFT MARK
# Check your files for U+061C, U+200E, U+200F, U+202A, U+202B, U+202C, U+202D, U+202E, U+2066, U+2067, U+2068, U+2069
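A complete scanner for the twelve Bidi_Control code points listed above, as an added example that is not the gist's own code (the gist preview stops after its imports). Beyond reporting each control character with its line and column, it flags lines in which an embedding, override or isolate is opened and never closed with PDF (U+202C) or PDI (U+2069) before the end of the line, which is the shape the CVE-2021-42574 ("Trojan Source") payloads take. The sample source text is constructed for the demonstration; the depth counter deliberately treats PDF and PDI as interchangeable closers, a simplification of the full bidi algorithm.

```python
"""Detect Unicode Bidi_Control characters (CVE-2021-42574, "Trojan Source").

Added example, not the gist's own code. The code points are the twelve
Bidi_Control entries from Unicode PropList.txt; SAMPLE is constructed.
"""
import sys
import unicodedata
from pathlib import Path

# Bidi_Control per PropList.txt: ALM, LRM/RLM, LRE/RLE/PDF/LRO/RLO, LRI/RLI/FSI/PDI
BIDI_CONTROL = {
    0x061C,
    0x200E, 0x200F,
    0x202A, 0x202B, 0x202C, 0x202D, 0x202E,
    0x2066, 0x2067, 0x2068, 0x2069,
}
# Embeddings/overrides are closed by PDF (U+202C), isolates by PDI (U+2069).
OPENERS = {0x202A, 0x202B, 0x202D, 0x202E, 0x2066, 0x2067, 0x2068}
CLOSERS = {0x202C, 0x2069}

# Constructed sample: line 2 hides a brace and a fake comment behind RLO + LRI.
SAMPLE = (
    "def check(user):\n"
    "    if user.is_admin(): # \u202e }\u2066 // legit comment\u2069\n"
    "    return False\n"
)


def find_bidi(text):
    """Return [(line, col, codepoint, name), ...] for every Bidi_Control char."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            cp = ord(ch)
            if cp in BIDI_CONTROL:
                hits.append((lineno, col, cp, unicodedata.name(ch, "UNKNOWN")))
    return hits


def unterminated_lines(text):
    """Line numbers where an opener is never closed before end of line.

    The bidi algorithm terminates embeddings and isolates at the paragraph
    end anyway, which is what Trojan Source payloads rely on: the reordering
    swallows the rest of the line without a matching PDF/PDI. A simplified
    single depth counter is used; PDF and PDI are treated as interchangeable.
    """
    bad = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        depth = 0
        for ch in line:
            cp = ord(ch)
            if cp in OPENERS:
                depth += 1
            elif cp in CLOSERS and depth > 0:
                depth -= 1
        if depth:
            bad.append(lineno)
    return bad


def scan_path(path):
    """Scan a file or, recursively, a directory. Returns {path: hits}.

    Undecodable bytes are replaced rather than aborting the whole scan, so a
    binary blob in the tree does not hide a hit in the next source file.
    """
    results = {}
    root = Path(path)
    files = [root] if root.is_file() else (p for p in root.rglob("*") if p.is_file())
    for p in files:
        try:
            text = p.read_text(encoding="utf-8", errors="replace")
        except OSError:
            continue
        hits = find_bidi(text)
        if hits:
            results[str(p)] = hits
    return results


if __name__ == "__main__":
    if len(sys.argv) < 2:
        # No argument: demonstrate on the constructed sample.
        for h in find_bidi(SAMPLE):
            print("sample:%d:%d U+%04X %s" % h)
        print("unterminated on lines:", unterminated_lines(SAMPLE))
        sys.exit(0)
    found = scan_path(sys.argv[1])
    for fname, hits in found.items():
        for lineno, col, cp, name in hits:
            print("%s:%d:%d U+%04X %s" % (fname, lineno, col, cp, name))
    # Non-zero exit so the check can gate a CI job or a pre-commit hook.
    sys.exit(1 if found else 0)
```

Any Bidi_Control character in source code deserves a look, but the unterminated-line check is the higher-signal one: legitimate right-to-left text in a string literal normally opens and closes its run on the same line.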
prabhu / BidiBrackets.txt
Last active November 2, 2021 13:57
Unicode Bi-directional Bracket pairs
# apt install unicode-data
# Copied from /usr/share/unicode/BidiBrackets.txt
# BidiBrackets-13.0.0.txt
# Date: 2019-09-09, 19:31:00 GMT [AG, LI, KW]
# © 2019 Unicode®, Inc.
# Unicode and the Unicode Logo are registered trademarks of Unicode, Inc. in the U.S. and other countries.
# For terms of use, see
# Unicode Character Database
# For documentation, see
prabhu /
Created July 12, 2021 09:52
Known vulnerabilities in Xstream library
| CVE | Description | CVSS 3 Base score |
| --- | --- | --- |
| CVE-2021-29505 | XStream is vulnerable to a Remote Command Execution attack. | 8.8 |
| CVE-2021-21341 | XStream can cause a Denial of Service. | 7.5 |
| CVE-2021-21342 | A Server-Side Forgery Request can be activated unmarshalling with XStream to access data streams from an arbitrary URL referencing a resource in an intranet or the local host. | 9.1 |
| CVE-2021-21343 | XStream is vulnerable to an Arbitrary File Deletion on the local host when unmarshalling as long as the executing process has sufficient rights. | 7.5 |
| CVE-2021-21344 | XStream is vulnerable to an Arbitrary Code Execution attack. | 9.8 |
| CVE-2021-21345 | XStream is vulnerable to a Remote Command Execution attack. | 9.9 |
| CVE-2021-21346 | XStream is vulnerable to an Arbitrary Code Execution attack. | 9.8 |
| CVE-2021-21347 | XStream is vulnerable to an Arbitrary Code Execution attack. | 9.8 |