From 58001c0cca3e0dd8be995f27cfd0854974d5df4c Mon Sep 17 00:00:00 2001
From: "patched.codes[bot]" <298395+patched.codes[bot]@users.noreply.github.com>
Date: Thu, 26 Jun 2025 06:54:53 +0000
Subject: [PATCH 1/2] Patched html.js
---
 html.js | 58 +++++++++++++++++++++++++++++++++++++--------------------
 1 file changed, 38 insertions(+), 20 deletions(-)
diff --git a/html.js b/html.js
index d685bd5..c12027b 100644
--- a/html.js
+++ b/html.js
@@ -2,6 +2,7 @@ import PropTypes from 'prop-types'
 import React, { PureComponent } from 'react'
 import serialize from 'serialize-javascript'
+import DOMPurify from 'dompurify'
 // @twreporter
 import webfonts from '@twreporter/react-components/lib/text/utils/webfonts'
@@ -26,6 +27,36 @@ export default class Html extends PureComponent {
 styleElement: PropTypes.arrayOf(PropTypes.element).isRequired,
 helmet: PropTypes.object.isRequired,
 }
+
+ // Add script loading function that will be called from script tag
+ static loadTypekit() {
+ const config = {
+ kitId: 'vlk1qbe',
+ scriptTimeout: 3000,
+ async: true
+ };
+ const d = document;
+ const h = d.documentElement;
+ const t = setTimeout(() => {
+ h.className = h.className.replace(/\bwf-loading\b/g, "") + " wf-inactive";
+ }, config.scriptTimeout);
+ const tk = d.createElement("script");
+ let f = false;
+ const s = d.getElementsByTagName("script")[0];
+ h.className += " wf-loading";
+ tk.src = 'https://use.typekit.net/' + config.kitId + '.js';
+ tk.async = true;
+ tk.onload = tk.onreadystatechange = function() {
+ const a = this.readyState;
+ if (f || (a && a !== "complete" && a !== "loaded")) return;
+ f = true;
+ clearTimeout(t);
+ try {
+ Typekit.load(config);
+ } catch (e) {}
+ };
+ s.parentNode.insertBefore(tk, s);
+ }
 render() {
 const {
 contentMarkup,
@@ -110,34 +141,21 @@ export default class Html extends PureComponent {
 {styleElement}
-
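Review bot: `dompurify` is imported into what reads like the server-side document template (the class takes `contentMarkup` and `helmet` props and already uses `serialize`), and DOMPurify only functions when a DOM `window` exists; the call site is in a later hunk whose lines are not visible here, so whether this runs under a jsdom window or only in the browser cannot be confirmed. If it is executed in Node without a window, `DOMPurify.isSupported` is false and no sanitization takes place, which would leave the markup it is meant to filter unchanged. Either construct the instance with a jsdom window (`DOMPurify(new JSDOM('').window)`) or assert `DOMPurify.isSupported` before trusting the output, so a silent no-op cannot pass for a sanitized document.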
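Review bot: `Typekit.load(config)` inside `loadTypekit` references a global this module never declares, and the empty `catch (e) {}` around it swallows every failure, so a missing, blocked or altered kit script degrades silently with nothing in the console; at minimum make the failure visible with `} catch (e) { console.error('Typekit load failed', e); }`. The method also touches `document` and `setTimeout` directly, so it must only ever run in the browser — the comment says it is called from a script tag, but how a static method on this server-rendered class is exposed to that tag is not visible in this hunk. `tk.onreadystatechange` is a legacy IE hook; with `onload` already assigned it can be dropped unless IE support is a requirement. The class body continues past the end of the hunk.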
+
+ {_.map(scripts, (script, key) => ( )
From 43f4d3602d0678f6199adfe3b716593b1ee9f8b6 Mon Sep 17 00:00:00 2001
From: "patched.codes[bot]" <298395+patched.codes[bot]@users.noreply.github.com>
Date: Thu, 26 Jun 2025 06:54:53 +0000
Subject: [PATCH 2/2] Patched main.py
---
 main.py | 39 +++++++++++++++++++++++++++++++++------
 1 file changed, 33 insertions(+), 6 deletions(-)
diff --git a/main.py b/main.py
index 468f8c0..1764d29 100644
--- a/main.py
+++ b/main.py
@@ -1,5 +1,7 @@
 import requests
 import subprocess
+import re
+import logging
 def func_calls():
 formats.get_format()
@@ -7,7 +9,29 @@ def func_calls():
 cli.VerifyOperation.perform_operation()
 sessions.SessionRedirectMixin.resolve_redirects()
+def validate_hostname(hostname):
+ """Validate hostname using regex pattern."""
+ pattern = r'^[a-zA-Z0-9.-]+$'
+ return bool(re.match(pattern, hostname))
+
+def safe_ping(hostname):
+ """Execute ping command safely with input validation."""
+ if not validate_hostname(hostname):
+ logging.warning(f"Invalid hostname attempted: {hostname}")
+ raise ValueError("Invalid hostname. Only alphanumeric characters, dots, and hyphens are allowed.")
+
+ try:
+ logging.info(f"Executing ping command for hostname: {hostname}")
+ result = subprocess.call(['ping', hostname], shell=False)
+ return result
+ except Exception as e:
+ logging.error(f"Error executing ping command: {str(e)}")
+ raise
+
 if __name__ == '__main__':
+ # Set up logging
+ logging.basicConfig(level=logging.INFO)
+
 session = requests.Session()
 proxies = {
 'http': 'http://test:pass@localhost:8080',
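Review bot: `validate_hostname` uses `re.match` with `$`, which still matches when the value ends in a newline, and its character class permits a leading `-`, so a value that starts with a hyphen passes validation and reaches `ping` where it is parsed as an option rather than a host; use `re.fullmatch` and require an alphanumeric first character, e.g. `return re.fullmatch(r'[A-Za-z0-9][A-Za-z0-9.-]*', hostname) is not None`. A length cap (hostnames are at most 253 characters) would also keep the argument bounded. Separately, on Unix-like systems `ping` with no count option runs until interrupted, so `subprocess.call(['ping', hostname], shell=False)` can block the caller indefinitely; pass `-c` with a small count and a `timeout=` to `subprocess.call`.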
@@ -18,9 +42,12 @@ def func_calls():
 prep = req.prepare()
 session.rebuild_proxies(prep, proxies)
- # Introduce a command injection vulnerability
- user_input = input("Enter a command to execute: ")
- command = "ping " + user_input
- subprocess.call(command, shell=True)
-
- print("Command executed!")
\ No newline at end of file
+ # Execute ping command safely
+ try:
+ user_input = input("Enter a hostname to ping: ")
+ safe_ping(user_input)
+ print("Command executed successfully!")
+ except ValueError as e:
+ print(f"Error: {e}")
+ except Exception as e:
+ print(f"An unexpected error occurred: {e}")
\ No newline at end of file
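Review bot: `print("Command executed successfully!")` runs whenever `safe_ping` returns without raising, but `safe_ping` returns the exit status of `ping` and a nonzero status (unreachable host, failed name resolution) does not raise, so the success message is misleading; capture and check the status, e.g. `rc = safe_ping(user_input)` followed by `print("Command executed successfully!" if rc == 0 else f"ping exited with status {rc}")`. The trailing `except Exception` prints the raw exception text to the user even though `safe_ping` already logged it; a generic message here avoids echoing internal detail twice. The enclosing `if __name__ == '__main__':` block begins before this hunk.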