Skip to content

Instantly share code, notes, and snippets.

View lirantal's full-sized avatar
💟
Writing a book on Node.js Secure Coding

Liran Tal lirantal

💟
Writing a book on Node.js Secure Coding
View GitHub Profile
@lirantal
lirantal / fetch-updates-snyk-io-website.js
Created April 14, 2024 09:21
Fetch the contents of RSS feed updates on https://updates.snyk.io website into an array of objects
// This function will find all elements with the class "changelogItem published"
// and extract the desired information, including preserving only links in the content body.
function extractNewsItems() {
// Get all elements with the class "changelogItem published"
const items = document.querySelectorAll('.changelogItem.published');
// Initialize an empty array to hold the news items
const newsItems = [];
// Function to process content to keep only text and anchor tags
@lirantal
lirantal / chatgpt-generated-fastify-app-for-file-uploads.js
Created September 12, 2023 11:32
ChatGPT-generated Fastify Node.js app for file uploads
const fastify = require("fastify")();
const fs = require("fs");
const path = require("path");
// Set the directory where uploaded files will be saved
const UPLOADS_DIRECTORY = "uploads/";
// Create the uploads directory if it doesn't exist
if (!fs.existsSync(UPLOADS_DIRECTORY)) {
fs.mkdirSync(UPLOADS_DIRECTORY);
@lirantal
lirantal / node-sandbox.md
Last active August 28, 2023 11:06
node-sandbox

The following creates a container with a mounted volume so it can be used as a sandbox that doesn't expose your local development environment incase of any rogue npm packages that steal your .npmrc token, environment variables and others

Run the following:

@lirantal
lirantal / ctf101-instructions.md
Created October 3, 2022 10:42
CTF 101 - Node.js vulnerable app

Read all chat messages

curl --request GET --url "http://localhost/chat"

Send a chat message

curl --request PUT \
  --url "http://localhost/chat" \
 --header 'content-type: application/json' \
@lirantal
lirantal / git-clone-or-pull-command-injection.md
Last active August 10, 2022 09:38
Command Injection vulnerability in [email protected]
@lirantal
lirantal / snyk-frontend-vulns-convert-to-wpt-format.js
Created July 12, 2020 06:04
Transform Snyk's frontend vulns snapshot to WebPageTest DB
/* eslint-disable security/detect-non-literal-fs-filename */
/* eslint-disable security/detect-object-injection */
'use strict'
const fs = require('fs')
// const
const filePath = process.argv[2]
console.log('Input file is: ', filePath)
@lirantal
lirantal / why-absence-of-lockfiles-doesnt-help-consumers.md
Created December 30, 2019 12:53
why-absence-of-lockfiles-doesnt-help-consumers.md

Why the absence of lockfiles doesn't help consumers

  1. you build a library: thewesley
  2. it has no lockfile
  3. it has a prod dep: baby-yoda@~1.0.0
  4. you published [email protected] and tested it works well with [email protected]
  5. it’s Dec 30: you’re on your honeymoon
  6. it’s Dec 31: baby-yoda published incompatible [email protected]
  7. it’s Jan 1st: I install [email protected]
@lirantal
lirantal / README.md
Created December 23, 2019 22:51
lockfile-lint concerns with package.lock

How to reproduce

  1. Use only the package.json manifest
  2. Run npm install
  3. Check /tmp/world.txt (should be empty)
  4. Update the package-lock.json file with the one provided in this gist
  5. Run rm -rf node_modules/ && npm install (notice how it's necessary in this vector to remove the node_modules/ folder)
  6. Confirm /tmp/world.txt is now created on the filesystem

References

@lirantal
lirantal / README.md
Last active December 23, 2019 23:15
lockfile-lint concerns with yarn.lock

How to reproduce

  1. Use only the package.json manifest
  2. Run yarn install
  3. Check /tmp/world.txt (should be empty)
  4. Update the yarn.lock file with the one provided in this gist
  5. Run yarn install (or yarn install --frozen-lockfile which is also susceptible to this attack vector)
  6. Confirm /tmp/world.txt is now created on the filesystem
@lirantal
lirantal / making-the-terminal-great-again-jsheroes.md
Created April 20, 2018 15:42
making-the-terminal-great-again-jsheroes.md
What's the advantage of having a dashboard in the terminal instead of for example a webpage?

-> it’s mostly about context-switch for me. about dockly for example, it’s not just to open a webpage, you first need to run the container with the web ui, etc. I generally find it more comfortable just to say on the terminal if I can.

1. What shell do you use?
2. How did you make your terminal to look like that? :)
3.