Skip to content

Instantly share code, notes, and snippets.

View SafeEval's full-sized avatar

Jack Sullivan SafeEval

27 followers · 6 following
View GitHub Profile
@SafeEval
SafeEval / age-example.sh
Created August 7, 2024 17:14
Using the 'age' file encryption tool to securely exchange a large sensitive file between two parties over a hostile network.
#!/bin/bash
# Example of using the 'age' file encryption tool to securely exchange
# a large sensitive file between two parties over a hostile network.
# https://age-encryption.org/
# https://github.com/FiloSottile/age
# https://htmlpreview.github.io/?https://github.com/FiloSottile/age/blob/main/doc/age.1.html
###############################################################
@SafeEval
SafeEval / gh-app-auth.sh
Last active July 30, 2024 18:53
Get a Github access token as a Github App in pure bash
#!/usr/bin/env bash
# Get a Github access token as a Github App in pure bash.
# 1. Generate a JWT (CLIENT_ID and PEM)
# 2. Obtain the access token (JWT and INSTALLATION_ID)
#
# https://docs.github.com/en/apps/creating-github-apps/authenticating-with-a-github-app/generating-a-json-web-token-jwt-for-a-github-app#example-using-bash-to-generate-a-jwt
set -o pipefail
@SafeEval
SafeEval / 000001_init_schema.down.sql
Last active March 20, 2025 15:44
Example of using SQLite with Golang. Create an in-memory DB, with load/save to disk and embedded migrations.
-- file: migrations/00001_init_schema.down.sql
DROP TABLE users;
@SafeEval
SafeEval / CVE-2024-3094.md
Last active March 30, 2024 19:49
Cleanup backdoored `xz` 5.6.0-5.61 (CVE-2024-3094)

Backdoored xz and liblzma 5.6.0 - 5.6.1 (CVE-2024-3094)

CVSS 10.0 (critical) backdoor in xz and liblzma 5.6.0-5.6.1 that targets SSH service authentication.

Filed as CVE-2024-3094

$ xz --version
xz (XZ Utils) 5.6.1
liblzma 5.6.1
@SafeEval
SafeEval / git-clone-org.sh
Created December 23, 2023 20:08
Clone all active (non-archived) repos from an organization.
#!/bin/bash
export GITHUB_TOKEN=""
export GITHUB_ORG=""
gh repo list "$GITHUB_ORG" --no-archived --limit 1000 > repo-list.txt
for repo_path in $(cat repo-list.txt | cut -f1); do
org="$(echo $repo_path | cut -f1 -d'/')"
repo="$(echo $repo_path | cut -f2 -d'/')"
@SafeEval
SafeEval / ecr-docker-login.sh
Created August 25, 2023 23:52
Docker login to ECR
# #!/bin/bash
# Tired of looking this up.
# Assumes a properly configured AWS CLI profile/credentials and AWS_REGION is set.
aws ecr get-login-password | docker login -u AWS --password-stdin "https://$(aws sts get-caller-identity --query 'Account' --output text).dkr.ecr.$AWS_REGION.amazonaws.com"
@SafeEval
SafeEval / httpd-env-headers.conf
Created August 18, 2023 23:24
Using Apache (httpd), demonstrate returning string literals and environment variables in response headers.
# Using Apache (httpd), demonstrate returning string literals and environment variables in response headers.
#
# Useful for simple containerized web service PoC.
#
# docker run -it --rm -p 80:80 -v "$(pwd)/httpd.conf":"/usr/local/apache2/conf/httpd.conf" httpd
#
# https://httpd.apache.org/docs/current/mod/mod_headers.html
# https://serverfault.com/questions/901459/apache-custom-header-with-an-environment-variable
# ... snip config file contents ....
@SafeEval
SafeEval / terraform-github-repo-creation-poc.tf
Last active June 11, 2023 00:02
PoC for Terraform Github repo creation with GHAS settings
###############################################################################
# Workaround for Terraform repository creation with Github Advanced Security
# feature configuration in dynamic blocks.
#
# This works, but you have to run Terraform twice for GHAS settings to apply.
# - Can switch between public and private visibility.
# - Can switch between archived and unarchived.
# - Fails when modifying visibility and archived setting simultaneously.
#
# GHAS API settings depend on existing repository state. Simultaneously modifying
@SafeEval
SafeEval / export-keycloak-realm.sh
Created May 27, 2023 05:16
Export a Keycloak realm to JSON files
#!/bin/bash
# https://stackoverflow.com/questions/65200310/export-users-and-roles-from-keycloak
# define the variables: url, credentials to access REST API, and the realm to export
KEYCLOAK_URL="http://keycloak.localhost"
KEYCLOAK_REALM="master"
KEYCLOAK_ADMIN="admin"
KEYCLOAK_ADMIN_PASSWORD="password"
REALM_NAME="demo"
@SafeEval
SafeEval / oidc-claim-at_hash.py
Created May 27, 2023 05:13
#!/usr/bin/env python3
"""
Pure Python3 example of using a OIDC ID token's `at_hash` claim to verify
an opaque OIDC access token.
Required for Authelia, which doesn't issue JWT access tokens.
If the OIDC implementation uses an /introspection endpoint to verify an opaque
access token, that's another HTTP call that "violates stateless purity."