Seth Michael Larson sethmlarson
🛡️
sethmlarson
/ mitigation.py
Last active
June 3, 2025 13:38
Mitigation for CVE-2025-4517, CVE-2025-4330, CVE-2025-4138, and CVE-2024-12718
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import pathlib | |
| # Avoid insecure segments in link names. | |
| # 'tar' is a tarfile open for reading. | |
| for member in tar.getmembers(): | |
| if member.linkname and '..' in pathlib.Path(member.linkname).parts: | |
| raise OSError("Tarfile with insecure segment ('..') in linkname") | |
| # Now safe to extract members with the data filter. | |
| tar.extractall(filter="data") |
sethmlarson
/ source-and-docs-dependencies.csv
Created
May 1, 2024 20:54
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Package | Version | Ecosystem | |
|---|---|---|---|
| python | 3.10.12 | binary | |
| adduser | 3.118ubuntu5 | deb | |
| apt | 2.4.11 | deb | |
| asymptote | 2.78+ds-2 | deb | |
| base-files | 12ubuntu4.4 | deb | |
| base-passwd | 3.5.52build1 | deb | |
| bash | 5.1-6ubuntu1 | deb | |
| biber | 2.17-2 | deb | |
| bsdutils | 1:2.37.2-4ubuntu3 | deb |
sethmlarson
/ elasticsearch-orjson-serializer.py
Last active
March 11, 2024 10:08
JSON serializer for Elasticsearch Python client that uses the 'orjson' library for performance
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| """JSON serializer for Elasticsearch Python client that | |
| uses the 'orjson' library for performance. | |
| https://github.com/ijl/orjson | |
| """ | |
| # Implement the Serializer.loads() and .dumps() APIs w/ orjson: | |
| import orjson | |
| from elasticsearch import SerializationError, JSONSerializer |
sethmlarson
/ xar-generator.py
Created
January 29, 2024 17:09
Simple script for constructing small XAR files (License: CC0-1.0)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| """ | |
| Simple script for constructing small XAR files. | |
| License: CC0-1.0 | |
| """ | |
| import datetime | |
| import gzip | |
| import hashlib | |
| import io | |
| import struct |
sethmlarson
/ pycodeorg.py
Created
November 13, 2023 18:08
Simple module for querying data from py-code.org
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # MIT License | |
| # | |
| # Copyright (c) 2023 Seth Michael Larson | |
| # | |
| # Permission is hereby granted, free of charge, to any person obtaining a copy | |
| # of this software and associated documentation files (the "Software"), to deal | |
| # in the Software without restriction, including without limitation the rights | |
| # to use, copy, modify, merge, publish, distribute, sublicense, and/or sell | |
| # copies of the Software, and to permit persons to whom the Software is | |
| # furnished to do so, subject to the following conditions: |
Watch all the informational videos from the CNA onboarding documentation. Approximately an hour of content about the program, becoming a CNA, assigning CVE IDs, and creating CVE records. Slides are available on the website.
- CVE Program Overview (5 minutes)
- Becoming a CNA (15 minutes)
- Assigning CVE IDs (26 minutes)
sethmlarson
/ slsa-notes.md
Last active
January 28, 2023 23:20
Created example project: https://github.com/sethmlarson/python-slsa-release-test
Python doesn't have a specific builder yet. Only have source attestation using the generic builder. Used: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml
Attestation "subject.name" is taken as input from sha256sum, so check the output of that to ensure it's what you want (ie package.tar.gz vs dist/package.tar.gz) For this I had to include a cd dist/ && before the sha256sum * call. Not sure where this matters though?
Success:
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| { | |
| "$id": "https://spec.openapis.org/oas/3.1/schema/2022-10-07", | |
| "$schema": "https://json-schema.org/draft/2020-12/schema", | |
| "description": "The description of OpenAPI v3.1.x documents without schema validation, as defined by https://spec.openapis.org/oas/v3.1.0", | |
| "type": "object", | |
| "properties": { | |
| "$schema": { | |
| "type": "string" | |
| }, | |
| "openapi": { |
sethmlarson
/ truststore-requests.py
Created
May 5, 2022 01:08
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import ssl | |
| import requests | |
| from requests.adapters import HTTPAdapter | |
| import truststore | |
| class TruststoreAdapter(HTTPAdapter): | |
| def init_poolmanager( | |
| self, *args, **kwargs | |
| ): | |
| ctx = truststore.SSLContext(ssl.PROTOCOL_TLS_CLIENT) |
NewerOlder