thuban 0.4.0 → 0.4.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (183) hide show
  1. package/dist/packages/scanner/executive-report.js +1 -1
  2. package/dist/packages/scanner/hallucination-detector.js +1 -1
  3. package/dist/packages/scanner/secret-scanner.js +1 -1
  4. package/package.json +4 -3
  5. package/dist/packages/crucible/seeds/python/seed-021 3.py +0 -37
  6. package/dist/packages/crucible/seeds/python/seed-022 3.py +0 -34
  7. package/dist/packages/crucible/seeds/python/seed-023 3.py +0 -37
  8. package/dist/packages/crucible/seeds/python/seed-024 3.py +0 -38
  9. package/dist/packages/crucible/seeds/python/seed-025 3.py +0 -40
  10. package/dist/packages/crucible/seeds/python/seed-026 3.py +0 -35
  11. package/dist/packages/crucible/seeds/python/seed-027 3.py +0 -35
  12. package/dist/packages/crucible/seeds/python/seed-028 3.py +0 -42
  13. package/dist/packages/crucible/seeds/python/seed-030 3.py +0 -37
  14. package/dist/packages/crucible/seeds/python/seed-031 3.py +0 -34
  15. package/dist/packages/crucible/seeds/python/seed-036 3.py +0 -33
  16. package/dist/packages/crucible/seeds/python/seed-037 3.py +0 -41
  17. package/dist/packages/crucible/seeds/python/seed-038 3.py +0 -33
  18. package/dist/packages/crucible/seeds/python/seed-039 3.py +0 -39
  19. package/dist/packages/crucible/seeds/python/seed-040 3.py +0 -39
  20. package/dist/packages/crucible/seeds/python/seed-041 3.py +0 -37
  21. package/dist/packages/crucible/seeds/python/seed-042 3.py +0 -38
  22. package/dist/packages/crucible/seeds/python/seed-043 3.py +0 -32
  23. package/dist/packages/crucible/seeds/python/seed-044 3.py +0 -38
  24. package/dist/packages/crucible/seeds/python/seed-045 3.py +0 -36
  25. package/dist/packages/crucible/seeds/python/seed-046 3.py +0 -33
  26. package/dist/packages/crucible/seeds/python/seed-047 3.py +0 -44
  27. package/dist/packages/crucible/seeds/python/seed-048 3.py +0 -35
  28. package/dist/packages/crucible/seeds/python/seed-049 3.py +0 -39
  29. package/dist/packages/crucible/seeds/python/seed-050 3.py +0 -39
  30. package/dist/packages/crucible/seeds/python/seed-051 3.py +0 -38
  31. package/dist/packages/crucible/seeds/python/seed-052 3.py +0 -41
  32. package/dist/packages/crucible/seeds/ruby/seed-001 3.rb +0 -15
  33. package/dist/packages/crucible/seeds/ruby/seed-002 3.rb +0 -22
  34. package/dist/packages/crucible/seeds/ruby/seed-003 3.rb +0 -25
  35. package/dist/packages/crucible/seeds/ruby/seed-004 3.rb +0 -17
  36. package/dist/packages/crucible/seeds/ruby/seed-005 3.rb +0 -21
  37. package/dist/packages/crucible/seeds/ruby/seed-006 3.rb +0 -17
  38. package/dist/packages/crucible/seeds/ruby/seed-007 3.rb +0 -16
  39. package/dist/packages/crucible/seeds/ruby/seed-008 3.rb +0 -18
  40. package/dist/packages/crucible/seeds/ruby/seed-009 3.rb +0 -20
  41. package/dist/packages/crucible/seeds/ruby/seed-010 3.rb +0 -24
  42. package/dist/packages/crucible/seeds/ruby/seed-011 3.rb +0 -21
  43. package/dist/packages/crucible/seeds/ruby/seed-012 3.rb +0 -22
  44. package/dist/packages/crucible/seeds/ruby/seed-013 3.rb +0 -21
  45. package/dist/packages/crucible/seeds/ruby/seed-014 3.rb +0 -16
  46. package/dist/packages/crucible/seeds/ruby/seed-015 3.rb +0 -18
  47. package/dist/packages/crucible/seeds/ruby/seed-016 3.rb +0 -17
  48. package/dist/packages/crucible/seeds/ruby/seed-017 3.rb +0 -25
  49. package/dist/packages/crucible/seeds/ruby/seed-018 3.rb +0 -23
  50. package/dist/packages/crucible/seeds/ruby/seed-019 3.rb +0 -20
  51. package/dist/packages/crucible/seeds/ruby/seed-020 3.rb +0 -17
  52. package/dist/packages/crucible/seeds/ruby/seed-021 3.rb +0 -20
  53. package/dist/packages/crucible/seeds/ruby/seed-022 3.rb +0 -21
  54. package/dist/packages/crucible/seeds/ruby/seed-023 3.rb +0 -19
  55. package/dist/packages/crucible/seeds/ruby/seed-024 3.rb +0 -17
  56. package/dist/packages/crucible/seeds/ruby/seed-025 3.rb +0 -17
  57. package/dist/packages/crucible/seeds/ruby/seed-026 3.rb +0 -18
  58. package/dist/packages/crucible/seeds/ruby/seed-027 3.rb +0 -21
  59. package/dist/packages/crucible/seeds/ruby/seed-028 3.rb +0 -22
  60. package/dist/packages/crucible/seeds/ruby/seed-029 3.rb +0 -19
  61. package/dist/packages/crucible/seeds/ruby/seed-030 3.rb +0 -20
  62. package/dist/packages/crucible/seeds/ruby/seed-031 3.rb +0 -17
  63. package/dist/packages/crucible/seeds/ruby/seed-032 3.rb +0 -22
  64. package/dist/packages/crucible/seeds/ruby/seed-033 3.rb +0 -18
  65. package/dist/packages/crucible/seeds/ruby/seed-034 3.rb +0 -19
  66. package/dist/packages/crucible/seeds/ruby/seed-035 3.rb +0 -19
  67. package/dist/packages/crucible/seeds/ruby/seed-036 3.rb +0 -18
  68. package/dist/packages/crucible/seeds/ruby/seed-037 3.rb +0 -21
  69. package/dist/packages/crucible/seeds/ruby/seed-038 3.rb +0 -24
  70. package/dist/packages/crucible/seeds/ruby/seed-039 3.rb +0 -24
  71. package/dist/packages/crucible/seeds/ruby/seed-040 3.rb +0 -22
  72. package/dist/packages/crucible/seeds/ruby/seed-041 3.rb +0 -23
  73. package/dist/packages/crucible/seeds/ruby/seed-042 3.rb +0 -25
  74. package/dist/packages/crucible/seeds/ruby/seed-043 3.rb +0 -23
  75. package/dist/packages/crucible/seeds/ruby/seed-044 3.rb +0 -16
  76. package/dist/packages/crucible/seeds/ruby/seed-045 3.rb +0 -22
  77. package/dist/packages/crucible/seeds/ruby/seed-046 3.rb +0 -27
  78. package/dist/packages/crucible/seeds/ruby/seed-047 3.rb +0 -26
  79. package/dist/packages/crucible/seeds/ruby/seed-048 3.rb +0 -24
  80. package/dist/packages/crucible/seeds/ruby/seed-049 3.rb +0 -20
  81. package/dist/packages/crucible/seeds/ruby/seed-050 3.rb +0 -27
  82. package/dist/packages/crucible/seeds/rust/seed-001 3.rs +0 -25
  83. package/dist/packages/crucible/seeds/rust/seed-002 3.rs +0 -20
  84. package/dist/packages/crucible/seeds/rust/seed-003 3.rs +0 -23
  85. package/dist/packages/crucible/seeds/rust/seed-004 3.rs +0 -21
  86. package/dist/packages/crucible/seeds/rust/seed-005 3.rs +0 -21
  87. package/dist/packages/crucible/seeds/rust/seed-006 3.rs +0 -24
  88. package/dist/packages/crucible/seeds/rust/seed-007 3.rs +0 -20
  89. package/dist/packages/crucible/seeds/rust/seed-008 3.rs +0 -19
  90. package/dist/packages/crucible/seeds/rust/seed-009 3.rs +0 -28
  91. package/dist/packages/crucible/seeds/rust/seed-010 3.rs +0 -28
  92. package/dist/packages/crucible/seeds/rust/seed-011 3.rs +0 -25
  93. package/dist/packages/crucible/seeds/rust/seed-012 3.rs +0 -31
  94. package/dist/packages/crucible/seeds/rust/seed-013 3.rs +0 -27
  95. package/dist/packages/crucible/seeds/rust/seed-014 3.rs +0 -30
  96. package/dist/packages/crucible/seeds/rust/seed-015 3.rs +0 -33
  97. package/dist/packages/crucible/seeds/rust/seed-016 3.rs +0 -22
  98. package/dist/packages/crucible/seeds/rust/seed-017 3.rs +0 -28
  99. package/dist/packages/crucible/seeds/rust/seed-018 3.rs +0 -21
  100. package/dist/packages/crucible/seeds/rust/seed-019 3.rs +0 -36
  101. package/dist/packages/crucible/seeds/rust/seed-020 3.rs +0 -27
  102. package/dist/packages/crucible/seeds/rust/seed-021 3.rs +0 -26
  103. package/dist/packages/crucible/seeds/rust/seed-022 3.rs +0 -23
  104. package/dist/packages/crucible/seeds/rust/seed-023 3.rs +0 -22
  105. package/dist/packages/crucible/seeds/rust/seed-024 3.rs +0 -24
  106. package/dist/packages/crucible/seeds/rust/seed-025 3.rs +0 -29
  107. package/dist/packages/crucible/seeds/rust/seed-026 3.rs +0 -23
  108. package/dist/packages/crucible/seeds/rust/seed-027 3.rs +0 -24
  109. package/dist/packages/crucible/seeds/rust/seed-028 3.rs +0 -25
  110. package/dist/packages/crucible/seeds/rust/seed-029 3.rs +0 -25
  111. package/dist/packages/crucible/seeds/rust/seed-030 3.rs +0 -30
  112. package/dist/packages/crucible/seeds/rust/seed-031 3.rs +0 -22
  113. package/dist/packages/crucible/seeds/rust/seed-032 3.rs +0 -25
  114. package/dist/packages/crucible/seeds/rust/seed-033 3.rs +0 -25
  115. package/dist/packages/crucible/seeds/rust/seed-034 3.rs +0 -20
  116. package/dist/packages/crucible/seeds/rust/seed-035 3.rs +0 -28
  117. package/dist/packages/crucible/seeds/rust/seed-036 3.rs +0 -26
  118. package/dist/packages/crucible/seeds/rust/seed-037 3.rs +0 -31
  119. package/dist/packages/crucible/seeds/rust/seed-038 3.rs +0 -25
  120. package/dist/packages/crucible/seeds/rust/seed-039 3.rs +0 -28
  121. package/dist/packages/crucible/seeds/rust/seed-040 3.rs +0 -27
  122. package/dist/packages/crucible/seeds/rust/seed-041 3.rs +0 -32
  123. package/dist/packages/crucible/seeds/rust/seed-042 3.rs +0 -27
  124. package/dist/packages/crucible/seeds/rust/seed-043 3.rs +0 -29
  125. package/dist/packages/crucible/seeds/rust/seed-044 3.rs +0 -25
  126. package/dist/packages/crucible/seeds/rust/seed-045 3.rs +0 -28
  127. package/dist/packages/crucible/seeds/rust/seed-046 3.rs +0 -25
  128. package/dist/packages/crucible/seeds/rust/seed-047 3.rs +0 -34
  129. package/dist/packages/crucible/seeds/rust/seed-048 3.rs +0 -21
  130. package/dist/packages/crucible/seeds/rust/seed-049 3.rs +0 -26
  131. package/dist/packages/crucible/seeds/rust/seed-050 3.rs +0 -23
  132. package/dist/packages/crucible/seeds/ts/seed-001 3.ts +0 -32
  133. package/dist/packages/crucible/seeds/ts/seed-002 3.ts +0 -34
  134. package/dist/packages/crucible/seeds/ts/seed-003 3.ts +0 -28
  135. package/dist/packages/crucible/seeds/ts/seed-004 3.ts +0 -34
  136. package/dist/packages/crucible/seeds/ts/seed-005 3.ts +0 -32
  137. package/dist/packages/crucible/seeds/ts/seed-006 3.ts +0 -31
  138. package/dist/packages/crucible/seeds/ts/seed-007 3.ts +0 -28
  139. package/dist/packages/crucible/seeds/ts/seed-008 3.ts +0 -40
  140. package/dist/packages/crucible/seeds/ts/seed-009 3.ts +0 -31
  141. package/dist/packages/crucible/seeds/ts/seed-010 3.ts +0 -33
  142. package/dist/packages/crucible/seeds/ts/seed-011 3.ts +0 -29
  143. package/dist/packages/crucible/seeds/ts/seed-012 3.ts +0 -34
  144. package/dist/packages/crucible/seeds/ts/seed-013 3.ts +0 -31
  145. package/dist/packages/crucible/seeds/ts/seed-014 3.ts +0 -36
  146. package/dist/packages/crucible/seeds/ts/seed-015 3.ts +0 -31
  147. package/dist/packages/crucible/seeds/ts/seed-016 3.ts +0 -37
  148. package/dist/packages/crucible/seeds/ts/seed-017 3.ts +0 -44
  149. package/dist/packages/crucible/seeds/ts/seed-018 3.ts +0 -33
  150. package/dist/packages/crucible/seeds/ts/seed-019 3.ts +0 -32
  151. package/dist/packages/crucible/seeds/ts/seed-020 3.ts +0 -33
  152. package/dist/packages/crucible/seeds/ts/seed-021 3.ts +0 -33
  153. package/dist/packages/crucible/seeds/ts/seed-022 3.ts +0 -34
  154. package/dist/packages/crucible/seeds/ts/seed-023 3.ts +0 -33
  155. package/dist/packages/crucible/seeds/ts/seed-024 3.ts +0 -35
  156. package/dist/packages/crucible/seeds/ts/seed-025 3.ts +0 -29
  157. package/dist/packages/crucible/seeds/ts/seed-026 3.ts +0 -36
  158. package/dist/packages/crucible/seeds/ts/seed-027 3.ts +0 -30
  159. package/dist/packages/crucible/seeds/ts/seed-028 3.ts +0 -32
  160. package/dist/packages/crucible/seeds/ts/seed-029 3.ts +0 -34
  161. package/dist/packages/crucible/seeds/ts/seed-030 3.ts +0 -37
  162. package/dist/packages/crucible/seeds/ts/seed-031 3.ts +0 -31
  163. package/dist/packages/crucible/seeds/ts/seed-032 3.ts +0 -32
  164. package/dist/packages/crucible/seeds/ts/seed-033 3.ts +0 -32
  165. package/dist/packages/crucible/seeds/ts/seed-034 3.ts +0 -34
  166. package/dist/packages/crucible/seeds/ts/seed-035 3.ts +0 -29
  167. package/dist/packages/crucible/seeds/ts/seed-036 3.ts +0 -34
  168. package/dist/packages/crucible/seeds/ts/seed-037 3.ts +0 -33
  169. package/dist/packages/crucible/seeds/ts/seed-038 3.ts +0 -29
  170. package/dist/packages/crucible/seeds/ts/seed-039 3.ts +0 -35
  171. package/dist/packages/crucible/seeds/ts/seed-040 3.ts +0 -31
  172. package/dist/packages/crucible/seeds/ts/seed-041 3.ts +0 -29
  173. package/dist/packages/crucible/seeds/ts/seed-042 3.ts +0 -33
  174. package/dist/packages/crucible/seeds/ts/seed-043 3.ts +0 -32
  175. package/dist/packages/crucible/seeds/ts/seed-044 3.ts +0 -36
  176. package/dist/packages/crucible/seeds/ts/seed-045 3.ts +0 -39
  177. package/dist/packages/crucible/seeds/ts/seed-046 3.ts +0 -41
  178. package/dist/packages/crucible/seeds/ts/seed-047 3.ts +0 -33
  179. package/dist/packages/crucible/seeds/ts/seed-048 3.ts +0 -33
  180. package/dist/packages/crucible/seeds/ts/seed-049 3.ts +0 -34
  181. package/dist/packages/crucible/seeds/ts/seed-050 3.ts +0 -41
  182. package/dist/packages/crucible/seeds/ts/seed-051 3.ts +0 -34
  183. package/dist/packages/crucible/seeds/ts/seed-052 3.ts +0 -36
@@ -1,31 +0,0 @@
1
- // [CRUCIBLE-SEED]
2
- // category: prototype_pollution
3
- // severity: high
4
- // language: typescript
5
- // expected: prototype pollution via bracket-notation assignment with user-controlled key path
6
-
7
- import { Request, Response, Router } from 'express';
8
-
9
- const router = Router();
10
-
11
- function setProperty(obj: Record<string, unknown>, keyPath: string, value: unknown): void {
12
- const parts = keyPath.split('.');
13
- let cursor: Record<string, unknown> = obj;
14
- for (let i = 0; i < parts.length - 1; i++) {
15
- const part = parts[i];
16
- // Allows "__proto__" or "constructor" as path segment
17
- if (typeof cursor[part] !== 'object') cursor[part] = {};
18
- cursor = cursor[part] as Record<string, unknown>;
19
- }
20
- cursor[parts[parts.length - 1]] = value;
21
- }
22
-
23
- router.patch('/user/preference', (req: Request, res: Response) => {
24
- const { key, value } = req.body as { key: string; value: unknown };
25
- const userPrefs: Record<string, unknown> = {};
26
- // key = "__proto__.admin" → Object.prototype.admin = value
27
- setProperty(userPrefs, key, value);
28
- res.json({ updated: true });
29
- });
30
-
31
- export default router;
@@ -1,29 +0,0 @@
1
- // [CRUCIBLE-SEED]
2
- // category: prototype_pollution
3
- // severity: high
4
- // language: typescript
5
- // expected: prototype pollution via lodash _.merge or _.set with user-controlled path
6
-
7
- import _ from 'lodash';
8
- import { Request, Response, Router } from 'express';
9
-
10
- const router = Router();
11
- const globalAppConfig: Record<string, unknown> = {};
12
-
13
- router.post('/admin/config/set', (req: Request, res: Response) => {
14
- const { path, value } = req.body as { path: string; value: unknown };
15
- // _.set with user-controlled path — vulnerable to prototype pollution
16
- // e.g. path = "__proto__.isAdmin", value = true
17
- _.set(globalAppConfig, path, value);
18
- res.json({ ok: true });
19
- });
20
-
21
- router.post('/ui/theme', (req: Request, res: Response) => {
22
- const userTheme = req.body as Record<string, unknown>;
23
- const defaultTheme = { primary: '#007bff', background: '#fff', text: '#333' };
24
- // _.merge pollutes prototype when userTheme contains __proto__
25
- const merged = _.merge({}, defaultTheme, userTheme);
26
- res.json({ theme: merged });
27
- });
28
-
29
- export default router;
@@ -1,33 +0,0 @@
1
- // [CRUCIBLE-SEED]
2
- // category: prototype_pollution
3
- // severity: medium
4
- // language: typescript
5
- // expected: prototype pollution via constructor.prototype path in Object.assign chain
6
-
7
- import { Request, Response, Router } from 'express';
8
-
9
- const router = Router();
10
-
11
- interface PluginConfig {
12
- [key: string]: unknown;
13
- }
14
-
15
- function applyPluginOptions(baseOptions: PluginConfig, userOptions: PluginConfig): PluginConfig {
16
- // Object.assign shallow-merges — __proto__ key from JSON payload pollutes Object.prototype
17
- return Object.assign({}, baseOptions, userOptions);
18
- }
19
-
20
- router.post('/plugins/:id/configure', (req: Request, res: Response) => {
21
- const base: PluginConfig = { enabled: true, maxRetries: 3, timeout: 5000 };
22
- // req.body passed directly — {"__proto__": {"polluted": true}}
23
- const config = applyPluginOptions(base, req.body as PluginConfig);
24
- res.json({ configured: true, config });
25
- });
26
-
27
- router.patch('/plugins/:id/update', (req: Request, res: Response) => {
28
- // Spread operator with user body — same pollution vector
29
- const updated = { ...{}, ...req.body };
30
- res.json({ updated });
31
- });
32
-
33
- export default router;
@@ -1,32 +0,0 @@
1
- // [CRUCIBLE-SEED]
2
- // category: prototype_pollution
3
- // severity: high
4
- // language: typescript
5
- // expected: prototype pollution via qs-parsed query params passed to deep clone utility
6
-
7
- import * as qs from 'qs';
8
- import { Request, Response, Router } from 'express';
9
-
10
- const router = Router();
11
-
12
- function cloneDeep<T extends object>(obj: T): T {
13
- return JSON.parse(JSON.stringify(obj)) as T;
14
- }
15
-
16
- function applyFilter<T extends Record<string, unknown>>(base: T, filter: Record<string, unknown>): T {
17
- // Merges filter keys directly onto base — __proto__ pollution via qs deep parsing
18
- for (const [key, val] of Object.entries(filter)) {
19
- (base as Record<string, unknown>)[key] = val;
20
- }
21
- return base;
22
- }
23
-
24
- router.get('/items', (req: Request, res: Response) => {
25
- // qs.parse supports nested objects — ?__proto__[admin]=true becomes {__proto__: {admin:true}}
26
- const filter = qs.parse(req.query as Record<string, string>, { allowDots: true, allowPrototypes: true });
27
- const baseQuery = { page: 1, limit: 20, active: true };
28
- const merged = applyFilter(baseQuery, filter as Record<string, unknown>);
29
- res.json({ query: merged });
30
- });
31
-
32
- export default router;
@@ -1,36 +0,0 @@
1
- // [CRUCIBLE-SEED]
2
- // category: eval_abuse
3
- // severity: critical
4
- // language: typescript
5
- // expected: eval() called with user-controlled expression in typed handler
6
-
7
- import { Request, Response, Router } from 'express';
8
-
9
- const router = Router();
10
-
11
- interface CalcRequest {
12
- expression: string;
13
- }
14
-
15
- router.post('/calc', (req: Request, res: Response) => {
16
- const { expression } = req.body as CalcRequest;
17
- try {
18
- // TypeScript types don't prevent runtime eval injection
19
- // Attacker: "process.mainModule.require('child_process').execSync('id').toString()"
20
- // eslint-disable-next-line no-eval
21
- const result = eval(expression);
22
- res.json({ result });
23
- } catch (err: any) {
24
- res.status(400).json({ error: err.message });
25
- }
26
- });
27
-
28
- router.get('/render-tpl', (req: Request, res: Response) => {
29
- const tpl = req.query.tpl as string;
30
- const user = req.session?.user ?? {};
31
- // eval of backtick template with user-controlled string
32
- const output = eval('`' + tpl + '`');
33
- res.send(output);
34
- });
35
-
36
- export default router;
@@ -1,39 +0,0 @@
1
- // [CRUCIBLE-SEED]
2
- // category: eval_abuse
3
- // severity: critical
4
- // language: typescript
5
- // expected: new Function() constructor with user-supplied code string in typed scripting service
6
-
7
- import { Request, Response, Router } from 'express';
8
-
9
- const router = Router();
10
-
11
- interface ScriptRequest {
12
- code: string;
13
- context?: Record<string, unknown>;
14
- }
15
-
16
- function executeUserScript(code: string, context: Record<string, unknown>): unknown {
17
- // new Function() is not sandboxed — full access to global scope
18
- const fn = new Function('ctx', 'Math', 'JSON', `
19
- with (ctx) {
20
- ${code}
21
- }
22
- `);
23
- return fn(context, Math, JSON);
24
- }
25
-
26
- router.post('/scripting/execute', (req: Request, res: Response) => {
27
- const { code, context = {} } = req.body as ScriptRequest;
28
- const result = executeUserScript(code, context);
29
- res.json({ result });
30
- });
31
-
32
- router.post('/hooks/transform', (req: Request, res: Response) => {
33
- const { transformCode } = req.body;
34
- const transform = new Function('data', 'helpers', transformCode);
35
- const output = transform(req.body.data, { JSON, Math });
36
- res.json({ output });
37
- });
38
-
39
- export default router;
@@ -1,41 +0,0 @@
1
- // [CRUCIBLE-SEED]
2
- // category: eval_abuse
3
- // severity: high
4
- // language: typescript
5
- // expected: eval() inside JSON reviver executing serialized function strings from DB
6
-
7
- interface SerializedConfig {
8
- [key: string]: unknown;
9
- }
10
-
11
- export function deserializeConfig(raw: string): SerializedConfig {
12
- return JSON.parse(raw, (key, value) => {
13
- if (typeof value === 'string' && value.startsWith('__function__:')) {
14
- const fnBody = value.slice(13);
15
- // eval executes arbitrary code stored in the config (from DB, user-uploaded file, etc.)
16
- // eslint-disable-next-line no-eval
17
- return eval(`(${fnBody})`);
18
- }
19
- return value;
20
- });
21
- }
22
-
23
- interface PipelineStep {
24
- name: string;
25
- handler: ((input: unknown) => unknown) | string;
26
- }
27
-
28
- export function loadPipeline(configJson: string): PipelineStep[] {
29
- const config = deserializeConfig(configJson);
30
- return config.steps as PipelineStep[];
31
- }
32
-
33
- export async function executePipeline(steps: PipelineStep[], input: unknown): Promise<unknown> {
34
- let result = input;
35
- for (const step of steps) {
36
- if (typeof step.handler === 'function') {
37
- result = await step.handler(result);
38
- }
39
- }
40
- return result;
41
- }
@@ -1,33 +0,0 @@
1
- // [CRUCIBLE-SEED]
2
- // category: eval_abuse
3
- // severity: critical
4
- // language: typescript
5
- // expected: lodash template compilation with user-controlled template string (code execution)
6
-
7
- import _ from 'lodash';
8
- import { Request, Response, Router } from 'express';
9
-
10
- const router = Router();
11
-
12
- interface TemplateRequest {
13
- template: string;
14
- data: Record<string, unknown>;
15
- }
16
-
17
- router.post('/email/preview', async (req: Request, res: Response) => {
18
- const { template, data } = req.body as TemplateRequest;
19
- // _.template compiles and executes JS inside <%= %> delimiters
20
- // Attacker template: "<%= process.mainModule.require('child_process').execSync('id') %>"
21
- const compiled = _.template(template);
22
- const output = compiled(data);
23
- res.type('text/html').send(output);
24
- });
25
-
26
- router.get('/report/preview', (req: Request, res: Response) => {
27
- const tpl = req.query.template as string;
28
- const vars = JSON.parse(req.query.vars as string ?? '{}');
29
- const compiled = _.template(tpl);
30
- res.send(compiled(vars));
31
- });
32
-
33
- export default router;
@@ -1,33 +0,0 @@
1
- // [CRUCIBLE-SEED]
2
- // category: ssrf
3
- // severity: high
4
- // language: typescript
5
- // expected: SSRF via fetch with unvalidated user-supplied URL
6
-
7
- import { Request, Response, Router } from 'express';
8
-
9
- const router = Router();
10
-
11
- interface ProxyRequest {
12
- url: string;
13
- method?: 'GET' | 'POST';
14
- headers?: Record<string, string>;
15
- }
16
-
17
- router.post('/proxy', async (req: Request, res: Response) => {
18
- const { url, method = 'GET', headers = {} } = req.body as ProxyRequest;
19
- // No URL validation — allows SSRF to internal services, cloud metadata, etc.
20
- const response = await fetch(url, { method, headers });
21
- const body = await response.text();
22
- res.status(response.status).send(body);
23
- });
24
-
25
- router.get('/preview', async (req: Request, res: Response) => {
26
- const targetUrl = req.query.url as string;
27
- // Attacker: ?url=http://169.254.169.254/latest/meta-data/iam/security-credentials/
28
- const resp = await fetch(targetUrl, { signal: AbortSignal.timeout(5000) });
29
- const data = await resp.text();
30
- res.json({ preview: data.slice(0, 500) });
31
- });
32
-
33
- export default router;
@@ -1,34 +0,0 @@
1
- // [CRUCIBLE-SEED]
2
- // category: ssrf
3
- // severity: high
4
- // language: typescript
5
- // expected: SSRF via axios with user-controlled webhook URL and redirect following
6
-
7
- import axios from 'axios';
8
- import { Request, Response, Router } from 'express';
9
-
10
- const router = Router();
11
-
12
- interface WebhookConfig {
13
- url: string;
14
- secret?: string;
15
- }
16
-
17
- router.post('/webhooks/test', async (req: Request, res: Response) => {
18
- const { url, secret } = req.body as WebhookConfig;
19
- // url user-controlled — attacker probes internal network
20
- const response = await axios.post(url, { test: true, timestamp: Date.now() }, {
21
- headers: { 'X-Webhook-Secret': secret ?? '' },
22
- maxRedirects: 5, // follows redirects — can pivot to internal services
23
- timeout: 10000,
24
- });
25
- res.json({ status: response.status, data: response.data });
26
- });
27
-
28
- router.get('/import', async (req: Request, res: Response) => {
29
- const dataUrl = req.query.source as string;
30
- const { data } = await axios.get(dataUrl, { responseType: 'arraybuffer' });
31
- res.set('Content-Type', 'application/octet-stream').send(data);
32
- });
33
-
34
- export default router;
@@ -1,41 +0,0 @@
1
- // [CRUCIBLE-SEED]
2
- // category: ssrf
3
- // severity: high
4
- // language: typescript
5
- // expected: SSRF via got library with user-controlled URL in oEmbed/link-preview feature
6
-
7
- import got from 'got';
8
- import { Request, Response, Router } from 'express';
9
-
10
- const router = Router();
11
-
12
- interface LinkPreviewResult {
13
- title: string;
14
- description: string;
15
- image?: string;
16
- url: string;
17
- }
18
-
19
- router.get('/link-preview', async (req: Request, res: Response) => {
20
- const url = req.query.url as string;
21
-
22
- // url is user-controlled — attacker can reach internal services
23
- const response = await got(url, {
24
- followRedirect: true,
25
- timeout: { request: 8000 },
26
- throwHttpErrors: false,
27
- });
28
-
29
- const titleMatch = response.body.match(/<title>(.*?)<\/title>/i);
30
- const descMatch = response.body.match(/<meta name="description" content="(.*?)"/i);
31
-
32
- const result: LinkPreviewResult = {
33
- title: titleMatch?.[1] ?? '',
34
- description: descMatch?.[1] ?? '',
35
- url,
36
- };
37
-
38
- res.json(result);
39
- });
40
-
41
- export default router;
@@ -1,34 +0,0 @@
1
- // [CRUCIBLE-SEED]
2
- // category: deserialization
3
- // severity: critical
4
- // language: typescript
5
- // expected: unsafe deserialization via class-transformer plainToClass with user-controlled type
6
-
7
- import { plainToClass } from 'class-transformer';
8
- import { IsString, IsNumber } from 'class-validator';
9
- import { Request, Response, Router } from 'express';
10
-
11
- class UserDto {
12
- @IsString() username!: string;
13
- @IsString() email!: string;
14
- @IsNumber() role!: number;
15
- }
16
-
17
- class AdminDto extends UserDto {
18
- @IsString() adminToken!: string;
19
- canDeleteUsers: boolean = true;
20
- }
21
-
22
- const router = Router();
23
-
24
- router.post('/users/import', (req: Request, res: Response) => {
25
- const { type, data } = req.body;
26
-
27
- // User controls which class to deserialize into — can escalate to AdminDto
28
- const DtoClass = type === 'admin' ? AdminDto : UserDto;
29
- const instance = plainToClass(DtoClass, data);
30
- // No validation step — properties set without checking constraints
31
- res.json({ created: instance });
32
- });
33
-
34
- export default router;
@@ -1,36 +0,0 @@
1
- // [CRUCIBLE-SEED]
2
- // category: deserialization
3
- // severity: high
4
- // language: typescript
5
- // expected: unsafe deserialization via JSON.parse used to dynamically dispatch method calls
6
-
7
- import { Request, Response, Router } from 'express';
8
-
9
- interface TaskDescriptor {
10
- module: string;
11
- method: string;
12
- args: unknown[];
13
- }
14
-
15
- const allowedModules: Record<string, Record<string, (...args: unknown[]) => unknown>> = {
16
- reports: require('./reports'),
17
- notifications: require('./notifications'),
18
- };
19
-
20
- router.post('/task/run', (req: Request, res: Response) => {
21
- // task is JSON-parsed from user body without schema validation
22
- const task = JSON.parse(req.body.taskJson as string) as TaskDescriptor;
23
-
24
- const mod = allowedModules[task.module];
25
- if (!mod) return res.status(400).json({ error: 'Unknown module' });
26
-
27
- const fn = mod[task.method];
28
- if (typeof fn !== 'function') return res.status(400).json({ error: 'Unknown method' });
29
-
30
- // task.args passed directly — no sanitization or type validation
31
- const result = fn(...task.args);
32
- res.json({ result });
33
- });
34
-
35
- const router2 = Router();
36
- export default router2;