thuban 0.4.0 → 0.4.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (183) hide show
  1. package/dist/packages/scanner/executive-report.js +1 -1
  2. package/dist/packages/scanner/hallucination-detector.js +1 -1
  3. package/dist/packages/scanner/secret-scanner.js +1 -1
  4. package/package.json +4 -3
  5. package/dist/packages/crucible/seeds/python/seed-021 3.py +0 -37
  6. package/dist/packages/crucible/seeds/python/seed-022 3.py +0 -34
  7. package/dist/packages/crucible/seeds/python/seed-023 3.py +0 -37
  8. package/dist/packages/crucible/seeds/python/seed-024 3.py +0 -38
  9. package/dist/packages/crucible/seeds/python/seed-025 3.py +0 -40
  10. package/dist/packages/crucible/seeds/python/seed-026 3.py +0 -35
  11. package/dist/packages/crucible/seeds/python/seed-027 3.py +0 -35
  12. package/dist/packages/crucible/seeds/python/seed-028 3.py +0 -42
  13. package/dist/packages/crucible/seeds/python/seed-030 3.py +0 -37
  14. package/dist/packages/crucible/seeds/python/seed-031 3.py +0 -34
  15. package/dist/packages/crucible/seeds/python/seed-036 3.py +0 -33
  16. package/dist/packages/crucible/seeds/python/seed-037 3.py +0 -41
  17. package/dist/packages/crucible/seeds/python/seed-038 3.py +0 -33
  18. package/dist/packages/crucible/seeds/python/seed-039 3.py +0 -39
  19. package/dist/packages/crucible/seeds/python/seed-040 3.py +0 -39
  20. package/dist/packages/crucible/seeds/python/seed-041 3.py +0 -37
  21. package/dist/packages/crucible/seeds/python/seed-042 3.py +0 -38
  22. package/dist/packages/crucible/seeds/python/seed-043 3.py +0 -32
  23. package/dist/packages/crucible/seeds/python/seed-044 3.py +0 -38
  24. package/dist/packages/crucible/seeds/python/seed-045 3.py +0 -36
  25. package/dist/packages/crucible/seeds/python/seed-046 3.py +0 -33
  26. package/dist/packages/crucible/seeds/python/seed-047 3.py +0 -44
  27. package/dist/packages/crucible/seeds/python/seed-048 3.py +0 -35
  28. package/dist/packages/crucible/seeds/python/seed-049 3.py +0 -39
  29. package/dist/packages/crucible/seeds/python/seed-050 3.py +0 -39
  30. package/dist/packages/crucible/seeds/python/seed-051 3.py +0 -38
  31. package/dist/packages/crucible/seeds/python/seed-052 3.py +0 -41
  32. package/dist/packages/crucible/seeds/ruby/seed-001 3.rb +0 -15
  33. package/dist/packages/crucible/seeds/ruby/seed-002 3.rb +0 -22
  34. package/dist/packages/crucible/seeds/ruby/seed-003 3.rb +0 -25
  35. package/dist/packages/crucible/seeds/ruby/seed-004 3.rb +0 -17
  36. package/dist/packages/crucible/seeds/ruby/seed-005 3.rb +0 -21
  37. package/dist/packages/crucible/seeds/ruby/seed-006 3.rb +0 -17
  38. package/dist/packages/crucible/seeds/ruby/seed-007 3.rb +0 -16
  39. package/dist/packages/crucible/seeds/ruby/seed-008 3.rb +0 -18
  40. package/dist/packages/crucible/seeds/ruby/seed-009 3.rb +0 -20
  41. package/dist/packages/crucible/seeds/ruby/seed-010 3.rb +0 -24
  42. package/dist/packages/crucible/seeds/ruby/seed-011 3.rb +0 -21
  43. package/dist/packages/crucible/seeds/ruby/seed-012 3.rb +0 -22
  44. package/dist/packages/crucible/seeds/ruby/seed-013 3.rb +0 -21
  45. package/dist/packages/crucible/seeds/ruby/seed-014 3.rb +0 -16
  46. package/dist/packages/crucible/seeds/ruby/seed-015 3.rb +0 -18
  47. package/dist/packages/crucible/seeds/ruby/seed-016 3.rb +0 -17
  48. package/dist/packages/crucible/seeds/ruby/seed-017 3.rb +0 -25
  49. package/dist/packages/crucible/seeds/ruby/seed-018 3.rb +0 -23
  50. package/dist/packages/crucible/seeds/ruby/seed-019 3.rb +0 -20
  51. package/dist/packages/crucible/seeds/ruby/seed-020 3.rb +0 -17
  52. package/dist/packages/crucible/seeds/ruby/seed-021 3.rb +0 -20
  53. package/dist/packages/crucible/seeds/ruby/seed-022 3.rb +0 -21
  54. package/dist/packages/crucible/seeds/ruby/seed-023 3.rb +0 -19
  55. package/dist/packages/crucible/seeds/ruby/seed-024 3.rb +0 -17
  56. package/dist/packages/crucible/seeds/ruby/seed-025 3.rb +0 -17
  57. package/dist/packages/crucible/seeds/ruby/seed-026 3.rb +0 -18
  58. package/dist/packages/crucible/seeds/ruby/seed-027 3.rb +0 -21
  59. package/dist/packages/crucible/seeds/ruby/seed-028 3.rb +0 -22
  60. package/dist/packages/crucible/seeds/ruby/seed-029 3.rb +0 -19
  61. package/dist/packages/crucible/seeds/ruby/seed-030 3.rb +0 -20
  62. package/dist/packages/crucible/seeds/ruby/seed-031 3.rb +0 -17
  63. package/dist/packages/crucible/seeds/ruby/seed-032 3.rb +0 -22
  64. package/dist/packages/crucible/seeds/ruby/seed-033 3.rb +0 -18
  65. package/dist/packages/crucible/seeds/ruby/seed-034 3.rb +0 -19
  66. package/dist/packages/crucible/seeds/ruby/seed-035 3.rb +0 -19
  67. package/dist/packages/crucible/seeds/ruby/seed-036 3.rb +0 -18
  68. package/dist/packages/crucible/seeds/ruby/seed-037 3.rb +0 -21
  69. package/dist/packages/crucible/seeds/ruby/seed-038 3.rb +0 -24
  70. package/dist/packages/crucible/seeds/ruby/seed-039 3.rb +0 -24
  71. package/dist/packages/crucible/seeds/ruby/seed-040 3.rb +0 -22
  72. package/dist/packages/crucible/seeds/ruby/seed-041 3.rb +0 -23
  73. package/dist/packages/crucible/seeds/ruby/seed-042 3.rb +0 -25
  74. package/dist/packages/crucible/seeds/ruby/seed-043 3.rb +0 -23
  75. package/dist/packages/crucible/seeds/ruby/seed-044 3.rb +0 -16
  76. package/dist/packages/crucible/seeds/ruby/seed-045 3.rb +0 -22
  77. package/dist/packages/crucible/seeds/ruby/seed-046 3.rb +0 -27
  78. package/dist/packages/crucible/seeds/ruby/seed-047 3.rb +0 -26
  79. package/dist/packages/crucible/seeds/ruby/seed-048 3.rb +0 -24
  80. package/dist/packages/crucible/seeds/ruby/seed-049 3.rb +0 -20
  81. package/dist/packages/crucible/seeds/ruby/seed-050 3.rb +0 -27
  82. package/dist/packages/crucible/seeds/rust/seed-001 3.rs +0 -25
  83. package/dist/packages/crucible/seeds/rust/seed-002 3.rs +0 -20
  84. package/dist/packages/crucible/seeds/rust/seed-003 3.rs +0 -23
  85. package/dist/packages/crucible/seeds/rust/seed-004 3.rs +0 -21
  86. package/dist/packages/crucible/seeds/rust/seed-005 3.rs +0 -21
  87. package/dist/packages/crucible/seeds/rust/seed-006 3.rs +0 -24
  88. package/dist/packages/crucible/seeds/rust/seed-007 3.rs +0 -20
  89. package/dist/packages/crucible/seeds/rust/seed-008 3.rs +0 -19
  90. package/dist/packages/crucible/seeds/rust/seed-009 3.rs +0 -28
  91. package/dist/packages/crucible/seeds/rust/seed-010 3.rs +0 -28
  92. package/dist/packages/crucible/seeds/rust/seed-011 3.rs +0 -25
  93. package/dist/packages/crucible/seeds/rust/seed-012 3.rs +0 -31
  94. package/dist/packages/crucible/seeds/rust/seed-013 3.rs +0 -27
  95. package/dist/packages/crucible/seeds/rust/seed-014 3.rs +0 -30
  96. package/dist/packages/crucible/seeds/rust/seed-015 3.rs +0 -33
  97. package/dist/packages/crucible/seeds/rust/seed-016 3.rs +0 -22
  98. package/dist/packages/crucible/seeds/rust/seed-017 3.rs +0 -28
  99. package/dist/packages/crucible/seeds/rust/seed-018 3.rs +0 -21
  100. package/dist/packages/crucible/seeds/rust/seed-019 3.rs +0 -36
  101. package/dist/packages/crucible/seeds/rust/seed-020 3.rs +0 -27
  102. package/dist/packages/crucible/seeds/rust/seed-021 3.rs +0 -26
  103. package/dist/packages/crucible/seeds/rust/seed-022 3.rs +0 -23
  104. package/dist/packages/crucible/seeds/rust/seed-023 3.rs +0 -22
  105. package/dist/packages/crucible/seeds/rust/seed-024 3.rs +0 -24
  106. package/dist/packages/crucible/seeds/rust/seed-025 3.rs +0 -29
  107. package/dist/packages/crucible/seeds/rust/seed-026 3.rs +0 -23
  108. package/dist/packages/crucible/seeds/rust/seed-027 3.rs +0 -24
  109. package/dist/packages/crucible/seeds/rust/seed-028 3.rs +0 -25
  110. package/dist/packages/crucible/seeds/rust/seed-029 3.rs +0 -25
  111. package/dist/packages/crucible/seeds/rust/seed-030 3.rs +0 -30
  112. package/dist/packages/crucible/seeds/rust/seed-031 3.rs +0 -22
  113. package/dist/packages/crucible/seeds/rust/seed-032 3.rs +0 -25
  114. package/dist/packages/crucible/seeds/rust/seed-033 3.rs +0 -25
  115. package/dist/packages/crucible/seeds/rust/seed-034 3.rs +0 -20
  116. package/dist/packages/crucible/seeds/rust/seed-035 3.rs +0 -28
  117. package/dist/packages/crucible/seeds/rust/seed-036 3.rs +0 -26
  118. package/dist/packages/crucible/seeds/rust/seed-037 3.rs +0 -31
  119. package/dist/packages/crucible/seeds/rust/seed-038 3.rs +0 -25
  120. package/dist/packages/crucible/seeds/rust/seed-039 3.rs +0 -28
  121. package/dist/packages/crucible/seeds/rust/seed-040 3.rs +0 -27
  122. package/dist/packages/crucible/seeds/rust/seed-041 3.rs +0 -32
  123. package/dist/packages/crucible/seeds/rust/seed-042 3.rs +0 -27
  124. package/dist/packages/crucible/seeds/rust/seed-043 3.rs +0 -29
  125. package/dist/packages/crucible/seeds/rust/seed-044 3.rs +0 -25
  126. package/dist/packages/crucible/seeds/rust/seed-045 3.rs +0 -28
  127. package/dist/packages/crucible/seeds/rust/seed-046 3.rs +0 -25
  128. package/dist/packages/crucible/seeds/rust/seed-047 3.rs +0 -34
  129. package/dist/packages/crucible/seeds/rust/seed-048 3.rs +0 -21
  130. package/dist/packages/crucible/seeds/rust/seed-049 3.rs +0 -26
  131. package/dist/packages/crucible/seeds/rust/seed-050 3.rs +0 -23
  132. package/dist/packages/crucible/seeds/ts/seed-001 3.ts +0 -32
  133. package/dist/packages/crucible/seeds/ts/seed-002 3.ts +0 -34
  134. package/dist/packages/crucible/seeds/ts/seed-003 3.ts +0 -28
  135. package/dist/packages/crucible/seeds/ts/seed-004 3.ts +0 -34
  136. package/dist/packages/crucible/seeds/ts/seed-005 3.ts +0 -32
  137. package/dist/packages/crucible/seeds/ts/seed-006 3.ts +0 -31
  138. package/dist/packages/crucible/seeds/ts/seed-007 3.ts +0 -28
  139. package/dist/packages/crucible/seeds/ts/seed-008 3.ts +0 -40
  140. package/dist/packages/crucible/seeds/ts/seed-009 3.ts +0 -31
  141. package/dist/packages/crucible/seeds/ts/seed-010 3.ts +0 -33
  142. package/dist/packages/crucible/seeds/ts/seed-011 3.ts +0 -29
  143. package/dist/packages/crucible/seeds/ts/seed-012 3.ts +0 -34
  144. package/dist/packages/crucible/seeds/ts/seed-013 3.ts +0 -31
  145. package/dist/packages/crucible/seeds/ts/seed-014 3.ts +0 -36
  146. package/dist/packages/crucible/seeds/ts/seed-015 3.ts +0 -31
  147. package/dist/packages/crucible/seeds/ts/seed-016 3.ts +0 -37
  148. package/dist/packages/crucible/seeds/ts/seed-017 3.ts +0 -44
  149. package/dist/packages/crucible/seeds/ts/seed-018 3.ts +0 -33
  150. package/dist/packages/crucible/seeds/ts/seed-019 3.ts +0 -32
  151. package/dist/packages/crucible/seeds/ts/seed-020 3.ts +0 -33
  152. package/dist/packages/crucible/seeds/ts/seed-021 3.ts +0 -33
  153. package/dist/packages/crucible/seeds/ts/seed-022 3.ts +0 -34
  154. package/dist/packages/crucible/seeds/ts/seed-023 3.ts +0 -33
  155. package/dist/packages/crucible/seeds/ts/seed-024 3.ts +0 -35
  156. package/dist/packages/crucible/seeds/ts/seed-025 3.ts +0 -29
  157. package/dist/packages/crucible/seeds/ts/seed-026 3.ts +0 -36
  158. package/dist/packages/crucible/seeds/ts/seed-027 3.ts +0 -30
  159. package/dist/packages/crucible/seeds/ts/seed-028 3.ts +0 -32
  160. package/dist/packages/crucible/seeds/ts/seed-029 3.ts +0 -34
  161. package/dist/packages/crucible/seeds/ts/seed-030 3.ts +0 -37
  162. package/dist/packages/crucible/seeds/ts/seed-031 3.ts +0 -31
  163. package/dist/packages/crucible/seeds/ts/seed-032 3.ts +0 -32
  164. package/dist/packages/crucible/seeds/ts/seed-033 3.ts +0 -32
  165. package/dist/packages/crucible/seeds/ts/seed-034 3.ts +0 -34
  166. package/dist/packages/crucible/seeds/ts/seed-035 3.ts +0 -29
  167. package/dist/packages/crucible/seeds/ts/seed-036 3.ts +0 -34
  168. package/dist/packages/crucible/seeds/ts/seed-037 3.ts +0 -33
  169. package/dist/packages/crucible/seeds/ts/seed-038 3.ts +0 -29
  170. package/dist/packages/crucible/seeds/ts/seed-039 3.ts +0 -35
  171. package/dist/packages/crucible/seeds/ts/seed-040 3.ts +0 -31
  172. package/dist/packages/crucible/seeds/ts/seed-041 3.ts +0 -29
  173. package/dist/packages/crucible/seeds/ts/seed-042 3.ts +0 -33
  174. package/dist/packages/crucible/seeds/ts/seed-043 3.ts +0 -32
  175. package/dist/packages/crucible/seeds/ts/seed-044 3.ts +0 -36
  176. package/dist/packages/crucible/seeds/ts/seed-045 3.ts +0 -39
  177. package/dist/packages/crucible/seeds/ts/seed-046 3.ts +0 -41
  178. package/dist/packages/crucible/seeds/ts/seed-047 3.ts +0 -33
  179. package/dist/packages/crucible/seeds/ts/seed-048 3.ts +0 -33
  180. package/dist/packages/crucible/seeds/ts/seed-049 3.ts +0 -34
  181. package/dist/packages/crucible/seeds/ts/seed-050 3.ts +0 -41
  182. package/dist/packages/crucible/seeds/ts/seed-051 3.ts +0 -34
  183. package/dist/packages/crucible/seeds/ts/seed-052 3.ts +0 -36
@@ -1,33 +0,0 @@
1
- // [CRUCIBLE-SEED]
2
- // category: xss
3
- // severity: medium
4
- // language: typescript
5
- // expected: XSS via Next.js page that renders query param directly into dangerouslySetInnerHTML
6
-
7
- import { GetServerSideProps, NextPage } from 'next';
8
-
9
- interface PageProps {
10
- name: string;
11
- description: string;
12
- }
13
-
14
- const ProfilePage: NextPage<PageProps> = ({ name, description }) => {
15
- return (
16
- <div>
17
- <h1>Profile: {name}</h1>
18
- {/* description from query string — dangerouslySetInnerHTML without sanitization */}
19
- <div dangerouslySetInnerHTML={{ __html: description }} />
20
- </div>
21
- );
22
- };
23
-
24
- export const getServerSideProps: GetServerSideProps = async ({ query }) => {
25
- return {
26
- props: {
27
- name: query.name as string ?? 'Unknown',
28
- description: query.description as string ?? '',
29
- },
30
- };
31
- };
32
-
33
- export default ProfilePage;
@@ -1,33 +0,0 @@
1
- // [CRUCIBLE-SEED]
2
- // category: xss
3
- // severity: high
4
- // language: typescript
5
- // expected: XSS via Vue.js v-html directive with user-supplied content
6
-
7
- import { defineComponent, ref, onMounted } from 'vue';
8
- import axios from 'axios';
9
-
10
- export default defineComponent({
11
- name: 'ArticleViewer',
12
- props: {
13
- articleId: { type: String, required: true },
14
- },
15
- setup(props) {
16
- const article = ref<{ title: string; content: string; authorBio: string } | null>(null);
17
-
18
- onMounted(async () => {
19
- const { data } = await axios.get(`/api/articles/${props.articleId}`);
20
- article.value = data;
21
- });
22
-
23
- return { article };
24
- },
25
- // v-html renders raw HTML — XSS if content contains malicious script tags
26
- template: `
27
- <div class="article" v-if="article">
28
- <h1>{{ article.title }}</h1>
29
- <div class="content" v-html="article.content"></div>
30
- <aside class="author-bio" v-html="article.authorBio"></aside>
31
- </div>
32
- `,
33
- });
@@ -1,34 +0,0 @@
1
- // [CRUCIBLE-SEED]
2
- // category: xss
3
- // severity: high
4
- // language: typescript
5
- // expected: XSS via Marked.js rendering user markdown without sanitization
6
-
7
- import marked from 'marked';
8
- import { Request, Response, Router } from 'express';
9
-
10
- const router = Router();
11
-
12
- interface MarkdownRequest {
13
- markdown: string;
14
- title?: string;
15
- }
16
-
17
- router.post('/preview', (req: Request, res: Response) => {
18
- const { markdown, title } = req.body as MarkdownRequest;
19
-
20
- // marked() renders to HTML without XSS protection — <script> tags in markdown execute
21
- const renderedHtml = marked(markdown);
22
-
23
- res.send(`
24
- <html>
25
- <head><title>${title ?? 'Preview'}</title></head>
26
- <body>
27
- <h1>${title}</h1>
28
- <div class="content">${renderedHtml}</div>
29
- </body>
30
- </html>
31
- `);
32
- });
33
-
34
- export default router;
@@ -1,33 +0,0 @@
1
- // [CRUCIBLE-SEED]
2
- // category: command_injection
3
- // severity: critical
4
- // language: typescript
5
- // expected: command injection via child_process.exec with typed but unsanitized user input
6
-
7
- import { exec } from 'child_process';
8
- import { promisify } from 'util';
9
- import { Request, Response, Router } from 'express';
10
-
11
- const execAsync = promisify(exec);
12
- const router = Router();
13
-
14
- interface PingRequest {
15
- host: string;
16
- count?: number;
17
- }
18
-
19
- router.post('/tools/ping', async (req: Request, res: Response) => {
20
- const { host, count = 4 } = req.body as PingRequest;
21
- // TypeScript types don't prevent injection — host can be "8.8.8.8; id"
22
- const cmd = `ping -c ${count} ${host}`;
23
- const { stdout, stderr } = await execAsync(cmd);
24
- res.json({ output: stdout, errors: stderr });
25
- });
26
-
27
- router.post('/tools/traceroute', async (req: Request, res: Response) => {
28
- const target: string = req.body.target;
29
- const { stdout } = await execAsync(`traceroute ${target}`);
30
- res.json({ hops: stdout });
31
- });
32
-
33
- export default router;
@@ -1,35 +0,0 @@
1
- // [CRUCIBLE-SEED]
2
- // category: command_injection
3
- // severity: critical
4
- // language: typescript
5
- // expected: command injection via execSync in typed file processing service
6
-
7
- import { execSync } from 'child_process';
8
- import * as path from 'path';
9
-
10
- interface ConversionOptions {
11
- inputPath: string; // user-controlled filename
12
- outputFormat: 'pdf' | 'png' | 'jpg' | 'webp';
13
- quality?: number;
14
- }
15
-
16
- export class FileConverter {
17
- private readonly outputDir: string;
18
-
19
- constructor(outputDir: string) {
20
- this.outputDir = outputDir;
21
- }
22
-
23
- convert(opts: ConversionOptions): string {
24
- const outputName = path.basename(opts.inputPath, path.extname(opts.inputPath));
25
- const outputPath = path.join(this.outputDir, `${outputName}.${opts.outputFormat}`);
26
- // opts.inputPath is user-controlled — no sanitization before execSync
27
- const cmd = `convert "${opts.inputPath}" -quality ${opts.quality ?? 85} "${outputPath}"`;
28
- execSync(cmd, { timeout: 30000 });
29
- return outputPath;
30
- }
31
-
32
- extractText(pdfPath: string): string {
33
- return execSync(`pdftotext ${pdfPath} -`, { encoding: 'utf8' });
34
- }
35
- }
@@ -1,29 +0,0 @@
1
- // [CRUCIBLE-SEED]
2
- // category: command_injection
3
- // severity: critical
4
- // language: typescript
5
- // expected: command injection via spawn with shell:true and user-controlled arguments
6
-
7
- import { spawn } from 'child_process';
8
- import { Request, Response, Router } from 'express';
9
-
10
- const router = Router();
11
-
12
- function runCommand(cmd: string, args: string[]): Promise<string> {
13
- return new Promise((resolve, reject) => {
14
- // shell: true means the full command string is interpreted by /bin/sh
15
- const proc = spawn(`${cmd} ${args.join(' ')}`, { shell: true, timeout: 15000 });
16
- let output = '';
17
- proc.stdout.on('data', (d: Buffer) => (output += d.toString()));
18
- proc.stderr.on('data', (d: Buffer) => (output += d.toString()));
19
- proc.on('close', (code: number) => (code === 0 ? resolve(output) : reject(new Error(output))));
20
- });
21
- }
22
-
23
- router.post('/scripts/run', async (req: Request, res: Response) => {
24
- const { script, params }: { script: string; params: string[] } = req.body;
25
- const result = await runCommand(`node scripts/${script}`, params);
26
- res.json({ output: result });
27
- });
28
-
29
- export default router;
@@ -1,36 +0,0 @@
1
- // [CRUCIBLE-SEED]
2
- // category: command_injection
3
- // severity: high
4
- // language: typescript
5
- // expected: command injection via git operations with user-controlled branch/tag names
6
-
7
- import { execSync } from 'child_process';
8
-
9
- interface GitOptions {
10
- repoPath: string;
11
- branch: string; // user-controlled
12
- remote?: string;
13
- }
14
-
15
- export class GitService {
16
- clone(repoUrl: string, targetDir: string): void {
17
- // repoUrl from user — can include shell metacharacters
18
- execSync(`git clone ${repoUrl} ${targetDir}`, { encoding: 'utf8', stdio: 'pipe' });
19
- }
20
-
21
- checkout(opts: GitOptions): string {
22
- // opts.branch may be "main; cat /etc/shadow"
23
- return execSync(`git -C ${opts.repoPath} checkout ${opts.branch}`, { encoding: 'utf8' });
24
- }
25
-
26
- createBranch(repoPath: string, branchName: string, fromBranch: string): string {
27
- return execSync(
28
- `git -C ${repoPath} checkout -b ${branchName} origin/${fromBranch}`,
29
- { encoding: 'utf8' }
30
- );
31
- }
32
-
33
- tag(repoPath: string, tagName: string, message: string): string {
34
- return execSync(`git -C ${repoPath} tag -a ${tagName} -m "${message}"`, { encoding: 'utf8' });
35
- }
36
- }
@@ -1,30 +0,0 @@
1
- // [CRUCIBLE-SEED]
2
- // category: command_injection
3
- // severity: high
4
- // language: typescript
5
- // expected: command injection in NestJS service using exec with user-provided report parameters
6
-
7
- import { Injectable } from '@nestjs/common';
8
- import { exec } from 'child_process';
9
- import { promisify } from 'util';
10
-
11
- const execAsync = promisify(exec);
12
-
13
- interface ReportParams {
14
- format: string; // user-controlled
15
- dateRange: string; // user-controlled
16
- recipient: string; // user-controlled email
17
- }
18
-
19
- @Injectable()
20
- export class ReportingService {
21
- async generateAndSendReport(params: ReportParams): Promise<void> {
22
- const { format, dateRange, recipient } = params;
23
- // All three params go directly into shell command
24
- const generateCmd = `python3 /scripts/gen_report.py --format ${format} --range ${dateRange}`;
25
- const { stdout: reportPath } = await execAsync(generateCmd);
26
-
27
- const sendCmd = `sendmail -s "Your Report" ${recipient.trim()} < ${reportPath.trim()}`;
28
- await execAsync(sendCmd);
29
- }
30
- }
@@ -1,32 +0,0 @@
1
- // [CRUCIBLE-SEED]
2
- // category: command_injection
3
- // severity: critical
4
- // language: typescript
5
- // expected: command injection via execa with shell:true and template literal from user data
6
-
7
- import execa from 'execa';
8
- import { Request, Response, Router } from 'express';
9
-
10
- const router = Router();
11
-
12
- interface ScanRequest {
13
- target: string; // IP or hostname — user-controlled
14
- ports?: string; // port range — user-controlled
15
- flags?: string; // nmap flags — user-controlled
16
- }
17
-
18
- router.post('/security/scan', async (req: Request, res: Response) => {
19
- const { target, ports = '1-1000', flags = '' } = req.body as ScanRequest;
20
- try {
21
- // All fields from user body — injection via shell metacharacters
22
- const { stdout } = await execa.command(
23
- `nmap ${flags} -p ${ports} ${target}`,
24
- { shell: true, timeout: 60000 }
25
- );
26
- res.json({ results: stdout });
27
- } catch (err: any) {
28
- res.status(500).json({ error: err.message });
29
- }
30
- });
31
-
32
- export default router;
@@ -1,34 +0,0 @@
1
- // [CRUCIBLE-SEED]
2
- // category: path_traversal
3
- // severity: high
4
- // language: typescript
5
- // expected: path traversal via unvalidated user path in fs.readFile
6
-
7
- import * as fs from 'fs/promises';
8
- import * as path from 'path';
9
- import { Request, Response, Router } from 'express';
10
-
11
- const router = Router();
12
- const PUBLIC_DIR = path.resolve(__dirname, '..', 'public');
13
-
14
- router.get('/static/:file', async (req: Request, res: Response) => {
15
- const requestedFile: string = req.params.file;
16
- // path.join does NOT prevent traversal — "../../etc/passwd" resolves outside PUBLIC_DIR
17
- const filePath = path.join(PUBLIC_DIR, requestedFile);
18
-
19
- try {
20
- const data = await fs.readFile(filePath, 'utf-8');
21
- res.type('text/plain').send(data);
22
- } catch {
23
- res.status(404).send('Not found');
24
- }
25
- });
26
-
27
- router.get('/download', async (req: Request, res: Response) => {
28
- const file = req.query.file as string;
29
- // Completely unvalidated — reads arbitrary path on filesystem
30
- const content = await fs.readFile(file);
31
- res.send(content);
32
- });
33
-
34
- export default router;
@@ -1,37 +0,0 @@
1
- // [CRUCIBLE-SEED]
2
- // category: path_traversal
3
- // severity: high
4
- // language: typescript
5
- // expected: path traversal via typed file service with user-controlled subdirectory
6
-
7
- import * as fs from 'fs';
8
- import * as path from 'path';
9
-
10
- interface FileServiceConfig {
11
- baseDir: string;
12
- }
13
-
14
- export class FileService {
15
- private readonly baseDir: string;
16
-
17
- constructor(config: FileServiceConfig) {
18
- this.baseDir = config.baseDir;
19
- }
20
-
21
- readUserFile(userId: string, fileName: string): string {
22
- // No normalization check — fileName can be "../../../etc/passwd"
23
- const filePath = path.join(this.baseDir, userId, fileName);
24
- return fs.readFileSync(filePath, 'utf-8');
25
- }
26
-
27
- listDirectory(userId: string, subDir: string): string[] {
28
- // subDir from user — directory traversal possible
29
- const dirPath = path.join(this.baseDir, userId, subDir);
30
- return fs.readdirSync(dirPath);
31
- }
32
-
33
- deleteFile(userId: string, fileName: string): void {
34
- const filePath = path.join(this.baseDir, userId, fileName);
35
- fs.unlinkSync(filePath);
36
- }
37
- }
@@ -1,31 +0,0 @@
1
- // [CRUCIBLE-SEED]
2
- // category: path_traversal
3
- // severity: high
4
- // language: typescript
5
- // expected: path traversal in NestJS controller via user-controlled template name
6
-
7
- import { Controller, Get, Query, Res } from '@nestjs/common';
8
- import { Response } from 'express';
9
- import * as fs from 'fs';
10
- import * as path from 'path';
11
-
12
- const TEMPLATES_DIR = path.resolve(__dirname, '..', 'templates');
13
-
14
- @Controller('email')
15
- export class EmailController {
16
- @Get('preview')
17
- previewTemplate(
18
- @Query('name') templateName: string,
19
- @Query('locale') locale: string,
20
- @Res() res: Response
21
- ): void {
22
- // templateName from query — attacker sends "../../config/database"
23
- const templatePath = path.join(TEMPLATES_DIR, locale, `${templateName}.html`);
24
- try {
25
- const html = fs.readFileSync(templatePath, 'utf-8');
26
- res.type('text/html').send(html);
27
- } catch {
28
- res.status(404).send('Template not found');
29
- }
30
- }
31
- }
@@ -1,32 +0,0 @@
1
- // [CRUCIBLE-SEED]
2
- // category: path_traversal
3
- // severity: high
4
- // language: typescript
5
- // expected: zip-slip path traversal via user-uploaded archive with unvalidated entry names
6
-
7
- import AdmZip from 'adm-zip';
8
- import * as fs from 'fs';
9
- import * as path from 'path';
10
-
11
- const EXTRACT_BASE = '/var/app/uploads/extracted';
12
-
13
- export function extractArchive(zipBuffer: Buffer, userId: string): string[] {
14
- const zip = new AdmZip(zipBuffer);
15
- const entries = zip.getEntries();
16
- const extractedPaths: string[] = [];
17
-
18
- for (const entry of entries) {
19
- // entry.entryName can contain "../" — writes outside EXTRACT_BASE (zip-slip)
20
- const outputPath = path.join(EXTRACT_BASE, userId, entry.entryName);
21
-
22
- if (entry.isDirectory) {
23
- fs.mkdirSync(outputPath, { recursive: true });
24
- } else {
25
- fs.mkdirSync(path.dirname(outputPath), { recursive: true });
26
- fs.writeFileSync(outputPath, entry.getData());
27
- extractedPaths.push(outputPath);
28
- }
29
- }
30
-
31
- return extractedPaths;
32
- }
@@ -1,32 +0,0 @@
1
- // [CRUCIBLE-SEED]
2
- // category: path_traversal
3
- // severity: medium
4
- // language: typescript
5
- // expected: path traversal via multer upload with user-controlled destination folder
6
-
7
- import multer, { StorageEngine } from 'multer';
8
- import * as path from 'path';
9
- import * as fs from 'fs';
10
- import { Request } from 'express';
11
-
12
- const UPLOADS_ROOT = '/var/uploads';
13
-
14
- const storage: StorageEngine = multer.diskStorage({
15
- destination: (req: Request, file, cb) => {
16
- const folder = req.body.folder as string || 'default';
17
- // folder from request body — allows writing to arbitrary locations
18
- const destPath = path.join(UPLOADS_ROOT, req.user?.id ?? 'anon', folder);
19
- fs.mkdirSync(destPath, { recursive: true });
20
- cb(null, destPath);
21
- },
22
- filename: (req: Request, file, cb) => {
23
- const prefix = req.body.prefix as string || '';
24
- // prefix + originalname — originalname may include path separators
25
- cb(null, `${prefix}_${file.originalname}`);
26
- },
27
- });
28
-
29
- export const upload = multer({
30
- storage,
31
- limits: { fileSize: 50 * 1024 * 1024 },
32
- });
@@ -1,34 +0,0 @@
1
- // [CRUCIBLE-SEED]
2
- // category: insecure_crypto
3
- // severity: high
4
- // language: typescript
5
- // expected: MD5 used for password hashing in typed auth service
6
-
7
- import * as crypto from 'crypto';
8
- import { Pool } from 'pg';
9
-
10
- const pool = new Pool({ connectionString: process.env.DATABASE_URL });
11
-
12
- export class AuthService {
13
- private hashPassword(password: string): string {
14
- // MD5 is cryptographically broken — should use bcrypt/argon2
15
- return crypto.createHash('md5').update(password).digest('hex');
16
- }
17
-
18
- async register(email: string, password: string): Promise<void> {
19
- const hash = this.hashPassword(password);
20
- await pool.query(
21
- 'INSERT INTO users (email, password_hash) VALUES ($1, $2)',
22
- [email, hash]
23
- );
24
- }
25
-
26
- async login(email: string, password: string): Promise<boolean> {
27
- const hash = this.hashPassword(password);
28
- const { rows } = await pool.query(
29
- 'SELECT id FROM users WHERE email = $1 AND password_hash = $2',
30
- [email, hash]
31
- );
32
- return rows.length > 0;
33
- }
34
- }
@@ -1,29 +0,0 @@
1
- // [CRUCIBLE-SEED]
2
- // category: insecure_crypto
3
- // severity: high
4
- // language: typescript
5
- // expected: Math.random() used for security tokens, SHA1 for HMAC
6
-
7
- import * as crypto from 'crypto';
8
-
9
- export function generateSessionId(): string {
10
- // Math.random() is not cryptographically secure
11
- return Math.random().toString(36).slice(2) + Date.now().toString(36);
12
- }
13
-
14
- export function generateCsrfToken(): string {
15
- // Predictable timestamp-based token
16
- return Buffer.from(`csrf_${Date.now()}_${Math.random()}`).toString('base64');
17
- }
18
-
19
- export function generatePasswordResetToken(userId: string): string {
20
- // SHA1 HMAC with weak source of randomness
21
- const rand = Math.floor(Math.random() * Number.MAX_SAFE_INTEGER).toString();
22
- return crypto.createHmac('sha1', 'static-hmac-secret').update(userId + rand).digest('hex');
23
- }
24
-
25
- export function generateApiKey(): string {
26
- // Only 32 bits of entropy — trivially brute-forceable
27
- const rand = Math.floor(Math.random() * 0xffffffff).toString(16).padStart(8, '0');
28
- return `key_${rand}`;
29
- }
@@ -1,34 +0,0 @@
1
- // [CRUCIBLE-SEED]
2
- // category: insecure_crypto
3
- // severity: high
4
- // language: typescript
5
- // expected: AES-ECB mode with no IV and RC4 weak cipher usage
6
-
7
- import * as crypto from 'crypto';
8
-
9
- type CipherAlgorithm = 'aes-128-ecb' | 'aes-256-ecb' | 'rc4';
10
-
11
- export class LegacyCrypto {
12
- private key: Buffer;
13
-
14
- constructor(hexKey: string) {
15
- this.key = Buffer.from(hexKey, 'hex');
16
- }
17
-
18
- // ECB mode: identical plaintext blocks produce identical ciphertext
19
- encryptECB(data: string): string {
20
- const cipher = crypto.createCipheriv('aes-128-ecb', this.key.slice(0, 16), null);
21
- return cipher.update(data, 'utf8', 'hex') + cipher.final('hex');
22
- }
23
-
24
- decryptECB(data: string): string {
25
- const decipher = crypto.createDecipheriv('aes-128-ecb', this.key.slice(0, 16), null);
26
- return decipher.update(data, 'hex', 'utf8') + decipher.final('utf8');
27
- }
28
-
29
- // RC4 is broken — key reuse leads to plaintext recovery
30
- encryptRC4(data: string): string {
31
- const cipher = crypto.createCipheriv('rc4', this.key.slice(0, 16), null);
32
- return cipher.update(data, 'utf8', 'hex') + cipher.final('hex');
33
- }
34
- }
@@ -1,33 +0,0 @@
1
- // [CRUCIBLE-SEED]
2
- // category: insecure_crypto
3
- // severity: medium
4
- // language: typescript
5
- // expected: timing attack via string comparison of HMAC signatures
6
-
7
- import * as crypto from 'crypto';
8
-
9
- const WEBHOOK_SECRET = process.env.WEBHOOK_SECRET ?? 'fallback-secret';
10
-
11
- export function computeSignature(payload: string): string {
12
- return crypto.createHmac('sha256', WEBHOOK_SECRET).update(payload).digest('hex');
13
- }
14
-
15
- export function verifyWebhookSignature(payload: string, receivedSig: string): boolean {
16
- const expectedSig = computeSignature(payload);
17
- // Timing attack: early exit on first mismatch leaks signature length/prefix
18
- return expectedSig === receivedSig;
19
- }
20
-
21
- export function verifyApiKey(providedKey: string, storedKey: string): boolean {
22
- // Direct string comparison — vulnerable to timing oracle attack
23
- return providedKey === storedKey;
24
- }
25
-
26
- export function checkTokenMatch(a: string, b: string): boolean {
27
- if (a.length !== b.length) return false;
28
- // Character-by-character comparison — timing side-channel
29
- for (let i = 0; i < a.length; i++) {
30
- if (a[i] !== b[i]) return false;
31
- }
32
- return true;
33
- }
@@ -1,29 +0,0 @@
1
- // [CRUCIBLE-SEED]
2
- // category: insecure_crypto
3
- // severity: high
4
- // language: typescript
5
- // expected: PBKDF2 with low iteration count and SHA1, plus MD5 data integrity check
6
-
7
- import * as crypto from 'crypto';
8
-
9
- interface DerivedKey {
10
- key: Buffer;
11
- salt: string;
12
- }
13
-
14
- export function deriveEncryptionKey(password: string): DerivedKey {
15
- const salt = 'static-application-salt-2024'; // Should be random and stored per-key
16
- // Only 1000 iterations — NIST recommends 600,000+ for SHA-1
17
- const key = crypto.pbkdf2Sync(password, salt, 1000, 32, 'sha1');
18
- return { key, salt };
19
- }
20
-
21
- export function checksumFile(data: Buffer): string {
22
- // MD5 is collision-prone — not suitable for integrity checks
23
- return crypto.createHash('md5').update(data).digest('hex');
24
- }
25
-
26
- export function fingerprintUser(userId: string, email: string): string {
27
- // SHA1 fingerprint — deprecated for new security applications
28
- return crypto.createHash('sha1').update(`${userId}:${email}`).digest('hex');
29
- }
@@ -1,35 +0,0 @@
1
- // [CRUCIBLE-SEED]
2
- // category: prototype_pollution
3
- // severity: high
4
- // language: typescript
5
- // expected: prototype pollution via typed recursive merge accepting user object
6
-
7
- interface DeepObject {
8
- [key: string]: unknown;
9
- }
10
-
11
- function deepMerge<T extends DeepObject>(target: T, source: DeepObject): T {
12
- for (const key of Object.keys(source)) {
13
- const srcVal = source[key];
14
- // TypeScript types don't prevent __proto__ key at runtime
15
- if (srcVal !== null && typeof srcVal === 'object' && !Array.isArray(srcVal)) {
16
- if (!(target as DeepObject)[key]) (target as DeepObject)[key] = {};
17
- deepMerge((target as DeepObject)[key] as DeepObject, srcVal as DeepObject);
18
- } else {
19
- (target as DeepObject)[key] = srcVal;
20
- }
21
- }
22
- return target;
23
- }
24
-
25
- import { Request, Response, Router } from 'express';
26
- const router = Router();
27
-
28
- router.post('/settings', (req: Request, res: Response) => {
29
- const defaults = { theme: 'light', language: 'en', notifications: true };
30
- // req.body directly passed — attacker sends {"__proto__": {"isAdmin": true}}
31
- const merged = deepMerge(defaults, req.body as DeepObject);
32
- res.json({ settings: merged });
33
- });
34
-
35
- export default router;