@oxlayer/backend
<p align="center"> <img src="docs/website/img/logo.png" alt="OxLayer Logo" width="200" /> </p>
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| semgrep | semgrep:etc-passwd-access | AI (semgrep): Fires on PATH_TRAVERSAL_PATTERNS test fixture strings, not live credential access code. | ai | |
| semgrep | semgrep:shady-links-raw-ip | AI (semgrep): Raw IP is a malicious-input test case in security-tests.template.ts, not an outbound request. | ai | |
| semgrep | semgrep:base64-decode | AI (semgrep): Decoding base64 data URIs for object storage upload is standard and benign. | ai |
Versions (showing 1 of 1)
| Version | Deps | Published |
|---|---|---|
| 0.1.0 | 0 / 1 |
v0.1.0
11 findingsAccessing /etc/passwd or /etc/shadow — credential harvesting on Linux Source: https://github.com/oxlayer/ox-toolkit/blob/079b7cf2f18371f81c367d42f4d8709cd5dea4da/capabilities/testing/src/patterns/security.ts#L123 121 | */ 122 | export const PATH_TRAVERSAL_PATTERNS: SecurityPattern[] = [ > 123 | { input: '../../../etc/passwd', description: 'traversal with ../' }, 124 | { input: '..\\..\\..\\windows\\system32\\config\\sam', description: 'Windows traversal' }, 125 | { input: '%2e%2e%2f%2e%2e%2fetc%2fpasswd', description: 'URL-encoded traversal' },
Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux Source: https://github.com/oxlayer/ox-toolkit/blob/079b7cf2f18371f81c367d42f4d8709cd5dea4da/capabilities/testing/src/patterns/security.ts#L126 124 | { input: '..\\..\\..\\windows\\system32\\config\\sam', description: 'Windows traversal' }, 125 | { input: '%2e%2e%2f%2e%2e%2fetc%2fpasswd', description: 'URL-encoded traversal' }, > 126 | { input: '....//....//....//etc/passwd', description: 'double-dot traversal' }, 127 | { input: '/var/www/../../etc/passwd', description: 'absolute path traversal' }, 128 | { input: '..%252f..%252f..%252fetc/passwd', description: 'double-encoded traversal' },
Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux Source: https://github.com/oxlayer/ox-toolkit/blob/079b7cf2f18371f81c367d42f4d8709cd5dea4da/capabilities/testing/src/patterns/security.ts#L127 125 | { input: '%2e%2e%2f%2e%2e%2fetc%2fpasswd', description: 'URL-encoded traversal' }, 126 | { input: '....//....//....//etc/passwd', description: 'double-dot traversal' }, > 127 | { input: '/var/www/../../etc/passwd', description: 'absolute path traversal' }, 128 | { input: '..%252f..%252f..%252fetc/passwd', description: 'double-encoded traversal' }, 129 | ];
Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux Source: https://github.com/oxlayer/ox-toolkit/blob/079b7cf2f18371f81c367d42f4d8709cd5dea4da/capabilities/testing/src/patterns/security.ts#L136 134 | export const COMMAND_INJECTION_PATTERNS: SecurityPattern[] = [ 135 | { input: '; ls -la', description: 'semicolon command' }, > 136 | { input: '| cat /etc/passwd', description: 'pipe command' }, 137 | { input: '`whoami`', description: 'backtick command' }, 138 | { input: '$(cat /etc/passwd)', description: 'command substitution' },
Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux Source: https://github.com/oxlayer/ox-toolkit/blob/079b7cf2f18371f81c367d42f4d8709cd5dea4da/capabilities/testing/src/patterns/security.ts#L138 136 | { input: '| cat /etc/passwd', description: 'pipe command' }, 137 | { input: '`whoami`', description: 'backtick command' }, > 138 | { input: '$(cat /etc/passwd)', description: 'command substitution' }, 139 | { input: '&& rm -rf /', description: 'AND command' }, 140 | { input: '|| reboot', description: 'OR command' },
Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux Source: https://github.com/oxlayer/ox-toolkit/blob/079b7cf2f18371f81c367d42f4d8709cd5dea4da/capabilities/testing/src/patterns/security.ts#L141 139 | { input: '&& rm -rf /', description: 'AND command' }, 140 | { input: '|| reboot', description: 'OR command' }, > 141 | { input: '; cat /etc/passwd #', description: 'comment after command' }, 142 | { input: '\nls -la', description: 'newline command' }, 143 | { input: '\rwhoami', description: 'carriage return command' },
Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux Source: https://github.com/oxlayer/ox-toolkit/blob/079b7cf2f18371f81c367d42f4d8709cd5dea4da/snippets/src/testing/security-tests.template.ts#L162 160 | setupMocks(); 161 | > 162 | const maliciousInput = '../../../etc/passwd'; 163 | const result = await ${useCase}.execute({ 164 | filePath: maliciousInput,
Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux Source: https://github.com/oxlayer/ox-toolkit/blob/079b7cf2f18371f81c367d42f4d8709cd5dea4da/snippets/src/testing/security-tests.template.ts#L186 184 | setupMocks(); 185 | > 186 | const maliciousInput = '/etc/passwd'; 187 | const result = await ${useCase}.execute({ 188 | filePath: maliciousInput,
Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux Source: https://github.com/oxlayer/ox-toolkit/blob/079b7cf2f18371f81c367d42f4d8709cd5dea4da/snippets/src/testing/security-tests.template.ts#L239 237 | setupMocks(); 238 | > 239 | const maliciousInput = 'file.txt | cat /etc/passwd'; 240 | const result = await ${useCase}.execute({ 241 | fileName: maliciousInput,
Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux Source: https://github.com/oxlayer/ox-toolkit/blob/079b7cf2f18371f81c367d42f4d8709cd5dea4da/snippets/src/testing/security-tests.template.ts#L251 249 | setupMocks(); 250 | > 251 | const maliciousInput = 'file`cat /etc/passwd`'; 252 | const result = await ${useCase}.execute({ 253 | fileName: maliciousInput,
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.