// npm 패키지
@zintrust/core
Production-grade TypeScript backend framework for JavaScript
버전
184
메인테이너
1
라이선스
MIT
최초 publish
2025-12-26
publisher
diadal
tarball
4,209,172 B
AUTO-PUBLISHED·2개 버전 인덱싱됨·최근 publish: 2026-05-21
// exfil path
what is read → where it ships
steals
- ● AWS keys
- ○ fs recursive read
sends to
(no destination string extracted — the payload may be dynamic / obfuscated, or there may be no exfiltration at all: none of the flagged excerpts below contains a network call, and the "reads-aws-creds" / "fs-recursive-read" flags are not backed by any quoted line — confirm against the full files before concluding)
evidence in excerpt (the quoted lines are the package's own homepage/repository URLs and the opening of a base64url *encoder*; treat them as context for the heuristics, not as proof of malicious behaviour)
> "homepage": "https://zintrust.com",
> "url": "https://github.com/ZinTrust/ZinTrust.git"
> "url": "https://github.com/ZinTrust/ZinTrust/issues"
> const base64UrlEncode = (value) => {
> const base64 = Buffer.isBuffer(value)
// offending code · @2.0.2 · 3 files flagged
- @2.0.2 · AUTO-PUBLISHED · publisher: diadal · heuristic 64/100 · static flags 5 · llm skipped · new-publisher:17d · mature-package · publisher-multi-name-burst:30 · publisher-version-pump:38 · public-github-push · child-process-spawn · base64-decode · reads-aws-creds · fs-recursive-read
// offending code · 3 files flagged · patterns: 5
--- package/package.json (excerpt) --- { "name": "@zintrust/core", "version": "2.0.2", "description": "Production-grade TypeScript backend framework for JavaScript", "homepage": "https://zintrust.com", "repository": { "type": "git", "url": "https://github.com/ZinTrust/ZinTrust.git" }, "bugs": { "url": "https://github.com/ZinTrust/ZinTrust/issues" }, "type": "module", "main": "src/index.js", "types": "src/index.d.ts", "exports": { ".": { "types": "./src/index.d.ts", "import": "./src/index.js" }, "./start": { "types": "./src/start.d.ts", "import": "./src/start.js" }, "./boot": { "types": "./src/boot.d.ts", "import": "./src/boot.js" }, "./cli": { "types": "./src/cli.d.ts", "import": "./src/cli.js" }, "./worker-commands": { "types": "./src/worker-commands.d.ts", "import": "./src/worker-commands.js" }, "./proxy": { "types": "./src/proxy.d.ts", "import": "./src/proxy.js" }, "./proxy/*": { "types": "./src/proxy/*.d.ts", "import": "./src/proxy/*.js" }, "./collections": { "types": "./src/collections/index.d.ts", "import": "./src/collections/index.js" }, "./helper": { "types": "./src/helper/index.d.ts", "import": "./src/helper/index.js" }, "./node": { "types": "./src/node.d.ts", "import": "./src/node.js" }, "./package.json": "./package.json" }, "dependencies": { "@cloudflare/conta
--- package/src/tools/templates/MarkdownRenderer.js (excerpt) ---
/**
 * MarkdownRenderer - Minimal, safe Markdown -> HTML renderer
 * - Plain functions only (no classes)
 * - Designed for emails and notifications
 * - Performs variable interpolation with HTML-escaping
 * - Basic markdown features: headings, bold, italic, lists, links, code blocks, inline code
 * - Safe link sanitization (only allow http(s), mailto, tel)
 */
import { ErrorFactory } from '../../exceptions/ZintrustError.js';
import { XssProtection } from '../../security/XssProtection.js';

// HTML-escape text for a text-node context. Thin wrapper: the escaping rules live in the
// project's XssProtection, which is outside this excerpt.
const escapeHtml = (str) => XssProtection.escape(str);

/**
 * Sanitize a link target for use in an href attribute.
 * Returns '#' (an inert link) for null/undefined, empty or whitespace-only input, for anything
 * XssProtection.isSafeUrl rejects, and when XssProtection.encodeHref yields ''. Otherwise the
 * encoded href is returned. The scheme allow-list claimed in the header (http(s), mailto, tel)
 * is enforced inside isSafeUrl, not here — verify it there.
 */
const sanitizeHref = (href) => {
  const trimmed = String(href ?? '').trim();
  if (trimmed === '') return '#';
  if (XssProtection.isSafeUrl(trimmed) === false) return '#';
  const encoded = XssProtection.encodeHref(trimmed);
  if (encoded === '') return '#';
  return encoded;
};

/**
 * Replace `{{ key }}` placeholders (keys matching [a-zA-Z0-9_.-]+) with values from `variables`.
 * null/undefined values become ''; anything else is String()-ed. No HTML escaping happens here.
 * NOTE(review): `variables[key]` is an unguarded property lookup, so `{{constructor}}`,
 * `{{toString}}` or `{{__proto__}}` resolve through Object.prototype and are stringified
 * instead of yielding ''. Honour own keys only, e.g. add
 * `if (!Object.hasOwn(variables, key)) return '';` before the lookup.
 * If interpolation runs before markdown parsing (the caller is outside this excerpt), a value
 * can also contribute markdown syntax such as a link; escaping of the result is renderInline's job.
 */
const interpolate = (markdown, variables = {}) => {
  return markdown.replaceAll(/{{\s*([a-zA-Z0-9_.-]+)\s*}}/g, (_m, key) => {
    const val = variables[key];
    if (val === undefined || val === null) return '';
    return String(val);
  });
};

// Render inline markdown to HTML. Only the opening of the function is present in this excerpt.
const renderInline = (text) => {
  const BACKTICK = '__ZINTRUST_MD_BACKTICK__';
  // 1) Escape *all* user-provided text for safety, but preserve backticks so we can parse inline-code.
  // Backticks are not dangerous in HTML text context; they are only meaningful to our markdown parser.
  let out = String(text).replaceAll('`', BACKTICK);
  out =
--- package/src/tools/storage/LocalSignedUrl.js (excerpt) ---
import { ErrorFactory } from '../../exceptions/ZintrustError.js';
import { createHmac } from '../../node-singletons/crypto.js';

/**
 * Encode a Buffer (or anything Buffer.from accepts, e.g. a UTF-8 string) as unpadded base64url:
 * standard base64 with '+' -> '-', '/' -> '_' and the trailing '=' padding removed.
 */
const base64UrlEncode = (value) => {
  const base64 = Buffer.isBuffer(value) ? value.toString('base64') : Buffer.from(value).toString('base64');
  // replace characters used in regular base64 and remove any trailing '=' padding
  let result = base64.replaceAll('+', '-').replaceAll('/', '_');
  // Remove trailing '=' characters without using a regex to avoid potential super-linear backtracking.
  while (result.endsWith('=')) {
    result = result.slice(0, -1);
  }
  return result;
};

/**
 * Inverse of base64UrlEncode for text payloads: re-pad, map back to the standard alphabet,
 * decode and return UTF-8. `'==='.slice((len + 3) % 4)` yields '' / '==' / '=' for lengths
 * congruent to 0 / 2 / 3 (mod 4); a length congruent to 1 is never valid base64url and gets '==='.
 * NOTE(review): the input alphabet is not validated — Buffer.from(..., 'base64') silently skips
 * characters it does not recognise, so malformed input decodes to *something* rather than
 * throwing. Verify the signature (timingSafeEquals) before trusting anything decoded here.
 */
const base64UrlDecodeToString = (value) => {
  const padded = value + '==='.slice((value.length + 3) % 4);
  const base64 = padded.replaceAll('-', '+').replaceAll('_', '/');
  return Buffer.from(base64, 'base64').toString('utf8');
};

/**
 * Compare two strings with no data-dependent early exit after the length check, so only the
 * length (not the position of the first mismatch) is observable through timing. Unit-wise
 * differences are XORed and OR-accumulated; true only if every unit matched.
 * Indexing is by UTF-16 unit (codePointAt(i)), which is fine for the ASCII base64url
 * signatures this file appears to produce (createHmac is imported above). Node's
 * crypto.timingSafeEqual on equal-length Buffers is the standard alternative if the
 * project's crypto singleton exposes it.
 */
const timingSafeEquals = (a, b) => {
  if (a.length !== b.length) return false;
  let result = 0;
  for (let i = 0; i < a.length; i++) {
    result |= (a.codePointAt(i) ?? 0) ^ (b.codePointAt(i) ?? 0);
  }
  return result === 0;
};

/**
 * Validate a storage key before it is turned into a local path. The visible portion rejects
 * blank keys and keys starting with '/' or '\\'; the function is cut off in this excerpt, so
 * whether '..' segments, drive-letter prefixes or NUL bytes are rejected cannot be confirmed here.
 */
const assertValidKey = (key) => {
  if (key.trim() === '') {
    throw ErrorFactory.createValidationError('Local signed url: key is required');
  }
  // Hard fail on obvious traversal / absolute paths.
  // Keep this strict; keys should be relative like `uploads/a.png`.
  if (key.startsWith('/') || key.startsWith('\\')) {
    throw Erro
