google / tsunami-security-scanner-plugins

This project aims to provide a central repository for many useful Tsunami Security Scanner plugins.
Apache License 2.0

CVE-2022-29165 Argo CD Auth Bypass, publicly exposed UI with admin access #452

Open JamesFoxxx opened 3 months ago

JamesFoxxx commented 3 months ago

Hi, it is related to my PRP https://github.com/google/tsunami-security-scanner-plugins/issues/431.

JamesFoxxx commented 2 months ago

@maoning I found a way to execute RCE; it needs the payload deployed on an arbitrary path on any Git server, like GitHub! I tried a simple HTTP and HTTPS server to serve the git repo, but it doesn't work. What should I do? If I can put payloads in this repo, we can validate the vulnerability with RCE.

maoning commented 2 months ago

@JamesFoxxx I'm testing out github payload hosting with this other plugin: https://github.com/google/tsunami-security-scanner-plugins/pull/449

You can also add your payload in the same /payloads directory, and open a separate PR for it, so that I can merge it in first.

maoning commented 2 months ago

https://github.com/google/tsunami-security-scanner-plugins/pull/467 for the payload (for tracking purpose)

JamesFoxxx commented 2 months ago

@maoning I'll improve this PR this week to check with an RCE callback instead of simple response checking.

JamesFoxxx commented 1 month ago

@maoning please merge these PRs first: https://github.com/google/security-testbeds/pull/43 https://github.com/google/security-testbeds/pull/42 This PR https://github.com/google/tsunami-security-scanner-plugins/pull/472 is important because, after it is merged, I should update the payload location in the source code based on this repository URL.

PR is ready for review :) The test cases are not comprehensive yet; I'll add more. Please review the plugin first, and in the meantime I will find time to add more test cases.

JamesFoxxx commented 1 month ago

Apologies for the delay; it was a hard journey for me. I had to analyze a CVE with no public PoC, plus I had to find a way to disable authentication. After that, I upgraded the plugin to get an OOB confirmation. (I'll be happy if you can consider a bonus for this submission, because I'm comparing this to most of the other bounty submissions.) Best regards, James.

@maoning @tooryx

JamesFoxxx commented 1 month ago

@lokiuox I wanted to apply one more update: I changed the phrase "argo cd instances" to "argo cd API server" in the names and descriptions, because the documentation explicitly says "Access The Argo CD API Server" here. Also, "instances" in Argo CD refers to application instances, so the naming I used before was somewhat wrong.

JamesFoxxx commented 1 month ago

@lokiuox please note that the Guice injection for the sleep duration is copied verbatim from this recently merged PR: https://github.com/google/tsunami-security-scanner-plugins/pull/456

JamesFoxxx commented 1 month ago

@lokiuox I'm sorry about this logging issue; I should've tested your last review before pushing it here.

JamesFoxxx commented 1 week ago

I'm curious to know whether there is any particular priority system or logical method applied when sorting the pull requests for review and merging. This pull request was reviewed one month ago by the Doyensec team, and before that I waited nearly two months for the review to start. I'm curious because some contributors merged more than 2 PRs during this time; is there any priority between the products? It has been 4 months :)) that I've been waiting to merge this PR. CC: @tooryx and @maoning