@tannerli
Last active November 12, 2021 12:38
Check for compromised versions of npm packages 'rc' and 'coa'
#!/bin/bash
# Walk the whole filesystem for installed copies of each package and grep its
# package.json for one of the known-compromised version strings.
# Note: $matches is word-split on whitespace, so a directory whose path
# contains a space is broken into several tokens and is not checked.
# The closing quote in each pattern keeps e.g. "1.2.90" from matching "1.2.9".
echo "Searching for rc packages..."
matches=$(find / -type d -path "*/node_modules/rc" 2>/dev/null)
echo -e "Checking for compromised versions...\\n"
for match in $matches
do
grep -E 'version":\s*"(1\.2\.9|1\.3\.9|2\.3\.9)"' "$match/package.json" && echo -e "$match\\n"
done
echo "Searching for coa packages..."
matches=$(find / -type d -path "*/node_modules/coa" 2>/dev/null)
echo -e "Checking for compromised versions...\\n"
for match in $matches
do
grep -E 'version":\s*"(2\.0\.3|2\.0\.4|2\.1\.1|2\.1\.3|3\.0\.1|3\.1\.3)"' "$match/package.json" && echo -e "$match\\n"
done
echo "Searching for ua-parser-js packages..."
matches=$(find / -type d -path "*/node_modules/ua-parser-js" 2>/dev/null)
echo -e "Checking for compromised versions...\\n"
for match in $matches
do
grep -E 'version":\s*"(0\.7\.29|0\.8\.0|1\.0\.0)"' "$match/package.json" && echo -e "$match\\n"
done
@kagahd
kagahd commented Nov 12, 2021

It seems that the above script check_compromised.sh is not able to search paths containing spaces. To fix it, I used the following script:

#!/bin/bash

pkg=("rc" "coa" "ua-parser-js")
vrs=("(1\.2\.9|1\.3\.9|2\.3\.9)" "(2\.0\.3|2\.0\.4|2\.1\.1|2\.1\.3|3\.0\.1|3\.1\.3)" "(0\.7\.29|0\.8\.0|1\.0\.0)")

# Loop over the actual array indices: a fixed {0..3} overran the three-element
# arrays, and the empty fourth entry ran egrep with no file arguments.
for i in "${!pkg[@]}"
do
 # -print0 / xargs -0 carries paths with spaces through unchanged; -r skips the
 # grep when nothing was found and -H always prefixes the matching file name.
 find / -path "*/node_modules/${pkg[$i]}/*" -name "package.json" -print0 2>/dev/null | xargs -0 -r grep -E -H "version\":\s*\"${vrs[$i]}\""
done

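Both scripts above grep a whole package.json with a regex, which is where the space-handling problem and the loose dot/prefix matching come from. The following is an added example, not code from the gist author or the commenter: it reads find output line by line so paths with spaces survive, extracts the top-level "version" value with sed, and compares it exactly against the version lists taken from the gist's regexes. The sample tree built under mktemp -d is constructed for the demonstration and contains no real packages; the function names are this example's own.

```shell
#!/bin/bash
# Added example: exact-version check for the packages and versions listed in
# the gist. Paths containing spaces are handled by reading find output line
# by line (paths containing newlines would additionally need -print0 / read -d '').

# Compromised versions, copied from the gist's regexes.
bad_versions() {
  case "$1" in
    rc)           echo "1.2.9 1.3.9 2.3.9" ;;
    coa)          echo "2.0.3 2.0.4 2.1.1 2.1.3 3.0.1 3.1.3" ;;
    ua-parser-js) echo "0.7.29 0.8.0 1.0.0" ;;
  esac
}

# Print the value of the first "version" key in a package.json.
pkg_version() {
  sed -n 's/^[[:space:]]*"version"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# scan_tree ROOT: print "dir<TAB>package<TAB>version" for every installed
# copy whose version is exactly one of the compromised ones.
scan_tree() {
  local root="$1" pkg dir ver v
  for pkg in rc coa ua-parser-js; do
    find "$root" -type d -path "*/node_modules/$pkg" -print 2>/dev/null |
    while IFS= read -r dir; do
      [ -f "$dir/package.json" ] || continue
      ver=$(pkg_version "$dir/package.json")
      for v in $(bad_versions "$pkg"); do
        if [ "$ver" = "$v" ]; then
          printf '%s\t%s\t%s\n' "$dir" "$pkg" "$ver"
        fi
      done
    done
  done
  return 0
}

# Constructed sample tree (not real packages): two apps with spaces in their
# names, one clean coa, one compromised rc, one compromised ua-parser-js, and
# an rc whose version string merely starts with "1.2.9".
make_sample_tree() {
  local root
  root=$(mktemp -d)
  mkdir -p "$root/app one/node_modules/rc" "$root/app one/node_modules/coa" \
           "$root/app two/node_modules/ua-parser-js" "$root/app two/node_modules/rc"
  printf '{\n  "name": "rc",\n  "version": "1.2.9"\n}\n' > "$root/app one/node_modules/rc/package.json"
  printf '{\n  "name": "coa",\n  "version": "2.0.2"\n}\n' > "$root/app one/node_modules/coa/package.json"
  printf '{\n  "name": "ua-parser-js",\n  "version": "0.7.29"\n}\n' > "$root/app two/node_modules/ua-parser-js/package.json"
  printf '{\n  "name": "rc",\n  "version": "1.2.90"\n}\n' > "$root/app two/node_modules/rc/package.json"
  echo "$root"
}

# Stand-alone demo against the constructed tree; on a real host call `scan_tree /`.
sample=$(make_sample_tree)
scan_tree "$sample"
rm -rf "$sample"
```

Only the "app one" rc at 1.2.9 and the "app two" ua-parser-js at 0.7.29 are reported; the clean coa and the 1.2.90 rc are not, which the gist's unanchored regex would have flagged.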