Once upon a time, you managed your GitHub repositories, the pull requests and the commits... didn't yoooou?

botdylan: Automate your GitHub processes with js scripts.

botdylan runs as a daemon. It's configured by writing a config.json file that describes cron and hooks scripts. cron scripts execute periodically and hook scripts execute on GitHub hook events.
$ ls /etc/botdylan
scripts/hooks
scripts/crons
config.json
$ botdylan --dir /etc/botdylan
botdylan was initially built and used internally at Teambox.

We use GitHub heavily. There are some repetitive tasks that were taking away our time to hack on a better product. Since we are in the productivity space we decided to stop doing things manually and start to have a more productive environment to work with.

The project is heavily inspired by hubot.

You can automate any process in GitHub. Some of the things we are currently doing:

botdylan has just one CLI option:

--dir [current_path]: Location of your scripts folder and config.json.

Configuring botdylan is damn simple! Just populate your config.json file in your configuration directory with the following options:
username: Bot username
password: Bot password or oauth token
auth [basic]: Auth type to use when connecting to GitHub. Can be basic (username/password) or oauth (username/token)
repositories: Hash of repositories (owner/repository) with the cron and hooks set up
port [80]: Port to listen for GitHub webhooks
silent [false]: Flag to disable output
secret: (Optional) String with high entropy to secure your webhook
github_api: (Optional) Object with options passed directly to the GitHubApi constructor, see npm's github docs

Example config.json (the "host" entry under github_api is only needed if you're using GitHub Enterprise):

{
  "username": "botdylan",
  "password": "blood-on-the-tracks",
  "secret": "myhashsecret",
  "url": "http://example.com:5000",
  "port": 5000,
  "repositories": {
    "botdylan/test": {
      "crons": {
        "0 0 0 * * *": ["ping"]
      },
      "hooks": {
        "issue_comment": ["pong"],
        "push": ["cowboys"]
      }
    }
  },
  "github_api": {
    "host": "my-enterprise-github-instance.mycompany.com",
    "timeout": 2000
  }
}
Scripts under scripts/hooks will run on any given hook event; botdylan will create the hooks automatically if they don't exist. Scripts under scripts/crons use the cron syntax.

Sometimes you might not want to store your GitHub credentials inside the repository. To prevent this you can use three environment variables: GITHUB_USERNAME, GITHUB_PASSWORD and GITHUB_WEBHOOK_SECRET. When set they override the username, password and secret config options.

Example:

GITHUB_USERNAME=johndoe GITHUB_PASSWORD=qwerty GITHUB_WEBHOOK_SECRET=bazinga botdylan --dir /etc/botdylan
botdylan scripts?

The scripts have to export a single function that will be executed by botdylan.

Cron scripts receive:
- bot
- repo_info

Hook scripts receive:
- bot
- repo_info
- payload

You will find plenty of examples under the scripts folder.
bot helper object

This object represents our beloved bot. It has some methods to help you write your scripts:

trace: Write a message to the console unless the silent option is set
options: Options from your config.json file
handleError: Function applicator that handles showing errors if any
github: Authenticated GitHubApi instance of node-github
http: A request instance
events: Contains an on and an emit method. Ideal to communicate between scripts
store: A getter/setter memory storage.

There are plenty of things that we would like to have done soon:

scripts/events to be able to create scripts that are invoked from custom events

(The MIT License)
Copyright (c) 2013 Pau Ramon masylum@gmail.com
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the 'Software'), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED 'AS IS', WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
FAQs
github bot
The npm package botdylan receives a total of 0 weekly downloads. As such, botdylan popularity was classified as not popular.
We found that botdylan demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 2 open source maintainers collaborating on the project.