diff --git a/build-testcase-shai-hulud b/build-testcase-shai-hulud
new file mode 100755
index 00000000..0840ccd4
--- /dev/null
+++ b/build-testcase-shai-hulud
@@ -0,0 +1,68 @@
+normal=$(tput sgr0)
+highlight=$(tput setaf 2)
+
+printf "$highlight"
+
+cat << EOF
+
+ ________ ____
+ /_ __/ /_ ___ / __ \____ _ _____ _____
+ / / / __ \/ _ \ / /_/ / __ \ | /| / / _ \/ ___/
+ / / / / / / __/ / ____/ /_/ / |/ |/ / __/ /
+/_/ /_/ /_/\___/ /_/ \____/|__/|__/\___/_/
+
+EOF
+
+printf "${normal}"
+
+ printf "${highlight} - Creating repo: ${normal}"
+ ./create-repo-testrepo.sh | jq -r '.name'
+
+ printf "${highlight} - Adding team to repo (team_slug must be set in your .gh-api-examples.conf file)${normal}\n"
+ ./add-team-to-repo.sh
+
+ printf "${highlight} - Creating webhook: ${normal}"
+ ./create-webhook.sh | jq -r '.id'
+
+ printf "${highlight} - Creating docs/README.md: ${normal}"
+ ./create-commit-readme.sh | jq -r ".content.html_url"
+
+ printf "${highlight} - Creating simple workflow file: ${normal}"
+ ./create-commit-workflow-simple.sh | jq -r ".content.html_url"
+
+ printf "${highlight} - Creating CODEOWNERS: ${normal}"
+ ./create-commit-codeowners.sh| jq -r ".content.html_url"
+
+ printf "${highlight} - Creating shai-hulud vulnerable package.json: ${normal}"
+ ./create-commit-security-shai-hulud-package-json.sh | jq -r ".content.html_url"
+ sleep 2
+
+ printf "${highlight} - Creating new branch: ${normal}"
+ ./create-branch-newbranch.sh | jq -r '.url'
+
+ printf "${highlight} - Creating a commit on the new branch: ${normal}"
+ ./create-commit-on-new-branch.sh | jq -r ".content.html_url"
+
+ printf "${highlight} - Creating an update commit to docs/README.md: ${normal}"
+ ./create-commit-update-readme.sh | jq -r ".content.html_url"
+
+ printf "${highlight} - Creating an issue: ${normal}"
+ ./create-repo-issue.sh | jq -r '.html_url'
+
+ printf "${highlight} - Creating a pull request: ${normal}"
+ ./create-pull-request.sh | jq -r '.html_url'
+
+ printf "${highlight} - Setting branch protection rules on default branch: ${normal}"
+ ./set-branch-protection.sh | jq -r '.url'
+
+ printf "${highlight} - Creating a release: ${normal}"
+ ./create-release.sh | jq -r '.html_url'
+
+ printf "${highlight} - Adding a .gitattributes file to new branch: ${normal}"
+ ./create-commit-gitattributes.sh | jq -r ".content.html_url"
+ echo
+
+
+ # If you have the appropriate token set in `pr_approver_token`
+ # then you can provide an approving review:
+ # ./create-approving-review-for-a-pull-request.sh
diff --git a/create-commit-security-shai-hulud-package-json.py b/create-commit-security-shai-hulud-package-json.py
new file mode 100644
index 00000000..84daa07f
--- /dev/null
+++ b/create-commit-security-shai-hulud-package-json.py
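Review bot: The script is committed executable (mode 100755) but has no shebang and never enables error handling, so it runs under whatever shell the caller uses and keeps going when an early step such as `./create-repo-testrepo.sh` fails, leaving every later step to run against a repo that was never created; `create-commit-security-shai-hulud-package-json.sh` in this same commit has the same missing shebang. Adding `#!/usr/bin/env bash` and `set -euo pipefail` as the first two lines stops at the first failed step, and with `pipefail` the `| jq -r` pipelines also fail when a helper returns an error body instead of JSON. `printf "$highlight"` uses the tput output as the format string; `printf '%s' "$highlight"` is the safer form. The `sleep 2` after the package.json commit has no comment saying what it waits for, so a line such as `# pause before branching so the previous commit is visible to the API` (if that is the reason) would help the next reader.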
@@ -0,0 +1,45 @@
+#!/usr/bin/env python3
+"""
+Module Docstring
+"""
+
+import os
+import json
+import string
+import base64
+import argparse
+import logging
+import thepower
+from pathlib import Path
+from datetime import datetime
+
+
+def main(args):
+
+ power_config = thepower.read_dotcom_config(args.power_config)
+ args.extension = power_config.get('dummy_section','file_extension').strip('"')
+ args.default_committer = power_config.get('dummy_section','default_committer',).strip('"')
+
+ p = Path('test-data/package-shai-hulud.json_')
+ json_file = f"""tmp/package-shai-hulud.json"""
+ filename_in_repo = f"""package.json"""
+
+ with open(p, 'rb') as ct:
+ t = {}
+ chapter_content = ct.read()
+ chapter_base64 = base64.encodebytes(chapter_content)
+ t["message"] = f"""A package.json file packed with shai-hulud vulnerabilities."""
+ t["committer"] = {}
+ t["committer"]["name"] = args.default_committer
+ t["committer"]["email"] = f"noreply+{args.default_committer}@example.com"
+ t["content"] = chapter_base64.decode('UTF-8')
+ with open(json_file, 'w') as out_file:
+ out_file.write(json.dumps(t))
+
+if __name__ == "__main__":
+ parser = argparse.ArgumentParser()
+ parser.add_argument("-c", "--power-config", action="store", dest="power_config", default=".gh-api-examples.conf", help="This is the config file to use to access variables for the power.")
+ parser.add_argument("-e", "--extension", action="store", dest="extension", default="c")
+ args = parser.parse_args()
+
+ main(args)
diff --git a/create-commit-security-shai-hulud-package-json.sh b/create-commit-security-shai-hulud-package-json.sh
new file mode 100755
index 00000000..d59af50b
--- /dev/null
+++ b/create-commit-security-shai-hulud-package-json.sh
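Review bot: The `-e/--extension` option parsed in `__main__` is dead: `args.extension = power_config.get('dummy_section','file_extension').strip('"')` overwrites it unconditionally inside `main` and nothing reads the value afterwards, so either the argument and the assignment should go or the config value should only fill in when the flag was not given. The hunk also imports `os`, `string`, `logging` and `datetime` and binds `filename_in_repo` without using them, and it writes `tmp/package-shai-hulud.json` without creating `tmp/`, so a fresh checkout fails with FileNotFoundError at `open(json_file, 'w')`; `Path(json_file).parent.mkdir(parents=True, exist_ok=True)` before the write fixes that. The placeholder `"""Module Docstring"""` should state what the script produces, e.g. `"""Write the Contents API request body that commits test-data/package-shai-hulud.json_ as package.json to tmp/package-shai-hulud.json."""`.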
@@ -0,0 +1,21 @@
+. ./.gh-api-examples.conf
+
+# https://docs.github.com/en/rest/reference/repos#create-or-update-file-contents
+# PUT /repos/:owner/:repo/contents/:path
+
+# If the script is passed an argument $1 use that as the name
+if [ -z "$1" ]
+ then
+ repo=$repo
+ else
+ repo=$1
+fi
+
+python3 create-commit-security-shai-hulud-package-json.py
+
+curl ${curl_custom_flags} \
+ -X PUT \
+ -H "Accept: application/vnd.github.v3+json" \
+ -H "Authorization: Bearer ${GITHUB_TOKEN}" \
+ "${GITHUB_API_BASE_URL}/repos/${org}/${repo}/contents/package.json" --data @tmp/package-shai-hulud.json
+
diff --git a/test-data/package-shai-hulud.json_ b/test-data/package-shai-hulud.json_
new file mode 100644
index 00000000..0a1b0413
--- /dev/null
+++ b/test-data/package-shai-hulud.json_
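Review bot: The exit status of `python3 create-commit-security-shai-hulud-package-json.py` is ignored, so when it fails (missing config section, missing `tmp/`) curl still issues the PUT with whatever `tmp/package-shai-hulud.json` already holds, or with an empty body if the file is absent — a stale body would silently commit the previous run's content under the new repo. Guarding it with `python3 create-commit-security-shai-hulud-package-json.py || exit 1` keeps the request from being sent. The `if [ -z "$1" ]` block's `repo=$repo` branch is a no-op; the whole block collapses to `repo=${1:-$repo}`.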
@@ -0,0 +1,199 @@ +{ + "name": "stuff-deps", + "version": "1.0.0", + "description": "Dependencies for gm3dmo/stuff", + "private": true, + "dependencies": { + "@ahmedhfarag/ngx-perfect-scrollbar": "20.0.20", + "@ahmedhfarag/ngx-virtual-scroller": "4.0.4", + "@art-ws/common": "2.0.22", + "@art-ws/db-context": "2.0.21", + "@art-ws/di": "2.0.28", + "@art-ws/di-node": "2.0.13", + "@art-ws/fastify-http-server": "2.0.24", + "@art-ws/http-server": "2.0.21", + "@art-ws/openapi": "0.1.9", + "@art-ws/slf": "2.0.15", + "@art-ws/web-app": "1.0.4", + "@crowdstrike/commitlint": "8.1.2", + "@crowdstrike/falcon-shoelace": "0.4.1", + "@crowdstrike/foundry-js": "0.19.2", + "@crowdstrike/glide-core": "0.34.3", + "@crowdstrike/logscale-dashboard": "1.205.2", + "@crowdstrike/logscale-file-editor": "1.205.2", + "@crowdstrike/logscale-parser-edit": "1.205.2", + "@crowdstrike/logscale-search": "1.205.2", + "@crowdstrike/tailwind-toucan-base": "5.0.2", + "@ctrl/deluge": "7.2.2", + "@ctrl/golang-template": "1.4.3", + "@ctrl/magnet-link": "4.0.4", + "@ctrl/ngx-codemirror": "7.0.2", + "@ctrl/ngx-csv": "6.0.2", + "@ctrl/ngx-emoji-mart": "9.2.2", + "@ctrl/ngx-rightclick": "4.0.2", + "@ctrl/qbittorrent": "9.7.2", + "@ctrl/react-adsense": "2.0.2", + "@ctrl/shared-torrent": "6.3.2", + "@ctrl/tinycolor": "4.1.2", + "@ctrl/torrent-file": "4.1.2", + "@ctrl/transmission": "7.3.1", + "@ctrl/ts-base32": "4.0.2", + "@hestjs/core": "0.2.1", + "@hestjs/cqrs": "0.1.6", + "@hestjs/demo": "0.1.2", + "@hestjs/logger": "0.1.6", + "@hestjs/scalar": "0.1.7", + "@hestjs/validation": "0.1.6", + "@nativescript-community/arraybuffers": "1.1.8", + "@nativescript-community/gesturehandler": "2.0.35", + "@nativescript-community/perms": "3.0.8", + "@nativescript-community/sqlite": "3.5.5", + "@nativescript-community/text": "1.6.12", + "@nativescript-community/typeorm": "0.2.33", + "@nativescript-community/ui-collectionview": "6.0.6", + "@nativescript-community/ui-document-picker": "1.1.28", + 
"@nativescript-community/ui-drawer": "0.1.30", + "@nativescript-community/ui-image": "4.5.6", + "@nativescript-community/ui-label": "1.3.37", + "@nativescript-community/ui-material-bottom-navigation": "7.2.75", + "@nativescript-community/ui-material-bottomsheet": "7.2.72", + "@nativescript-community/ui-material-core": "7.2.75", + "@nativescript-community/ui-material-core-tabs": "7.2.75", + "@nativescript-community/ui-material-ripple": "7.2.75", + "@nativescript-community/ui-material-tabs": "7.2.75", + "@nativescript-community/ui-pager": "14.1.38", + "@nativescript-community/ui-pulltorefresh": "2.5.7", + "@nexe/config-manager": "0.1.1", + "@nexe/logger": "0.1.3", + "@nstudio/angular": "20.0.6", + "@nstudio/focus": "20.0.6", + "@nstudio/nativescript-checkbox": "2.0.9", + "@nstudio/nativescript-loading-indicator": "5.0.4", + "@nstudio/ui-collectionview": "5.1.14", + "@nstudio/web": "20.0.4", + "@nstudio/web-angular": "20.0.4", + "@nstudio/xplat": "20.0.7", + "@nstudio/xplat-utils": "20.0.7", + "@operato/board": "9.0.46", + "@operato/data-grist": "9.0.37", + "@operato/graphql": "9.0.46", + "@operato/headroom": "9.0.37", + "@operato/help": "9.0.46", + "@operato/i18n": "9.0.37", + "@operato/input": "9.0.46", + "@operato/layout": "9.0.37", + "@operato/popup": "9.0.46", + "@operato/pull-to-refresh": "9.0.42", + "@operato/shell": "9.0.39", + "@operato/styles": "9.0.37", + "@operato/utils": "9.0.46", + "@teselagen/bounce-loader": "0.3.17", + "@teselagen/liquibase-tools": "0.4.1", + "@teselagen/range-utils": "0.3.15", + "@teselagen/react-list": "0.8.20", + "@teselagen/react-table": "6.10.19", + "@thangved/callback-window": "1.1.4", + "@things-factory/attachment-base": "9.0.50", + "@things-factory/auth-base": "9.0.45", + "@things-factory/email-base": "9.0.54", + "@things-factory/env": "9.0.45", + "@things-factory/integration-base": "9.0.45", + "@things-factory/integration-marketplace": "9.0.45", + "@things-factory/shell": "9.0.45", + "@tnf-dev/api": "1.0.8", + "@tnf-dev/core": 
"1.0.8", + "@tnf-dev/js": "1.0.8", + "@tnf-dev/mui": "1.0.8", + "@tnf-dev/react": "1.0.8", + "@ui-ux-gang/devextreme-angular-rpk": "24.1.7", + "@yoobic/design-system": "6.5.17", + "@yoobic/jpeg-camera-es6": "1.0.13", + "@yoobic/yobi": "8.7.53", + "airchief": "0.3.1", + "airpilot": "0.8.8", + "angulartics2": "14.1.2", + "browser-webdriver-downloader": "3.0.8", + "capacitor-notificationhandler": "0.0.3", + "capacitor-plugin-healthapp": "0.0.3", + "capacitor-plugin-ihealth": "1.1.9", + "capacitor-plugin-vonage": "1.0.3", + "capacitorandroidpermissions": "0.0.5", + "config-cordova": "0.8.5", + "cordova-plugin-voxeet2": "1.0.24", + "cordova-voxeet": "1.0.32", + "create-hest-app": "0.1.9", + "db-evo": "1.1.5", + "devextreme-angular-rpk": "21.2.8", + "ember-browser-services": "5.0.3", + "ember-headless-form": "1.1.3", + "ember-headless-form-yup": "1.0.1", + "ember-headless-table": "2.1.6", + "ember-url-hash-polyfill": "1.0.13", + "ember-velcro": "2.2.2", + "encounter-playground": "0.0.5", + "eslint-config-crowdstrike": "11.0.3", + "eslint-config-crowdstrike-node": "4.0.4", + "eslint-config-teselagen": "6.1.7", + "globalize-rpk": "1.7.4", + "graphql-sequelize-teselagen": "5.3.8", + "html-to-base64-image": "1.0.2", + "json-rules-engine-simplified": "0.2.1", + "jumpgate": "0.0.2", + "koa2-swagger-ui": "5.11.2", + "mcfly-semantic-release": "1.3.1", + "mcp-knowledge-base": "0.0.2", + "mcp-knowledge-graph": "1.2.1", + "mobioffice-cli": "1.0.3", + "monorepo-next": "13.0.2", + "mstate-angular": "0.4.4", + "mstate-cli": "0.4.7", + "mstate-dev-react": "1.1.1", + "mstate-react": "1.6.5", + "ng2-file-upload": "9.0.1", + "ngx-bootstrap": "20.0.5", + "ngx-color": "10.0.2", + "ngx-toastr": "19.0.2", + "ngx-trend": "8.0.1", + "ngx-ws": "1.1.6", + "oradm-to-gql": "35.0.15", + "oradm-to-sqlz": "1.1.2", + "ove-auto-annotate": "0.0.9", + "pm2-gelf-json": "1.0.5", + "printjs-rpk": "1.6.1", + "react-complaint-image": "0.0.32", + "react-jsonschema-form-conditionals": "0.3.18", + 
"remark-preset-lint-crowdstrike": "4.0.2", + "rxnt-authentication": "0.0.6", + "rxnt-healthchecks-nestjs": "1.0.5", + "rxnt-kue": "1.0.7", + "swc-plugin-component-annotate": "1.9.2", + "tbssnch": "1.0.2", + "teselagen-interval-tree": "1.1.2", + "tg-client-query-builder": "2.14.5", + "tg-redbird": "1.3.1", + "tg-seq-gen": "1.0.10", + "thangved-react-grid": "1.0.3", + "ts-gaussian": "3.0.6", + "ts-imports": "1.0.2", + "tvi-cli": "0.1.5", + "ve-bamreader": "0.2.6", + "ve-editor": "1.0.1", + "verror-extra": "6.0.1", + "voip-callkit": "1.0.3", + "wdio-web-reporter": "0.1.3", + "yargs-help-output": "5.0.3", + "yoo-styles": "6.0.326" + }, + "devDependencies": { + "@art-ws/config-eslint": "2.0.5", + "@art-ws/config-ts": "2.0.8", + "@art-ws/eslint": "1.0.6", + "@art-ws/package-base": "1.0.6", + "@art-ws/prettier": "1.0.6", + "@art-ws/ssl-info": "1.0.10", + "@hestjs/eslint-config": "0.1.2", + "@nexe/eslint-config": "0.1.1" + } +} + +
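Review bot: Nothing inside the fixture says it is a deliberate list of package versions meant to be flagged; its `description` reads `"Dependencies for gm3dmo/stuff"` and only the `_` suffix on the filename and the commit message in the Python script hint at its purpose. Since the file is committed as a real `package.json` into the test repo, a self-describing field helps anyone who finds it through a dependency scan, e.g. `"description": "Test fixture for the shai-hulud advisory detection scenario - do not install"`. `"private": true` is already set, which is the right guard against the fixture being published by accident.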