@oxlayer/capabilities
Core capabilities staples for backend
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| semgrep | semgrep:etc-passwd-access | AI (semgrep): Findings are in a security test patterns file containing intentional path traversal test vectors, not production credential access. | ai | |
| semgrep | semgrep:base64-decode | AI (semgrep): Base64 decode is used for data URI parsing in an object storage uploader, a standard, benign pattern. | ai | |
Versions (showing 1 of 1)
| Version | Deps | Published |
|---|---|---|
| 0.1.0 | 0 / 3 | |
v0.1.0
7 findings

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
Source: https://github.com/oxlayer/ox-toolkit/blob/079b7cf2f18371f81c367d42f4d8709cd5dea4da/testing/src/patterns/security.ts#L123

```typescript
121 | */
122 | export const PATH_TRAVERSAL_PATTERNS: SecurityPattern[] = [
> 123 | { input: '../../../etc/passwd', description: 'traversal with ../' },
124 | { input: '..\\..\\..\\windows\\system32\\config\\sam', description: 'Windows traversal' },
125 | { input: '%2e%2e%2f%2e%2e%2fetc%2fpasswd', description: 'URL-encoded traversal' },
```

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
Source: https://github.com/oxlayer/ox-toolkit/blob/079b7cf2f18371f81c367d42f4d8709cd5dea4da/testing/src/patterns/security.ts#L126

```typescript
124 | { input: '..\\..\\..\\windows\\system32\\config\\sam', description: 'Windows traversal' },
125 | { input: '%2e%2e%2f%2e%2e%2fetc%2fpasswd', description: 'URL-encoded traversal' },
> 126 | { input: '....//....//....//etc/passwd', description: 'double-dot traversal' },
127 | { input: '/var/www/../../etc/passwd', description: 'absolute path traversal' },
128 | { input: '..%252f..%252f..%252fetc/passwd', description: 'double-encoded traversal' },
```

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
Source: https://github.com/oxlayer/ox-toolkit/blob/079b7cf2f18371f81c367d42f4d8709cd5dea4da/testing/src/patterns/security.ts#L127

```typescript
125 | { input: '%2e%2e%2f%2e%2e%2fetc%2fpasswd', description: 'URL-encoded traversal' },
126 | { input: '....//....//....//etc/passwd', description: 'double-dot traversal' },
> 127 | { input: '/var/www/../../etc/passwd', description: 'absolute path traversal' },
128 | { input: '..%252f..%252f..%252fetc/passwd', description: 'double-encoded traversal' },
129 | ];
```

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
Source: https://github.com/oxlayer/ox-toolkit/blob/079b7cf2f18371f81c367d42f4d8709cd5dea4da/testing/src/patterns/security.ts#L136

```typescript
134 | export const COMMAND_INJECTION_PATTERNS: SecurityPattern[] = [
135 | { input: '; ls -la', description: 'semicolon command' },
> 136 | { input: '| cat /etc/passwd', description: 'pipe command' },
137 | { input: '`whoami`', description: 'backtick command' },
138 | { input: '$(cat /etc/passwd)', description: 'command substitution' },
```

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
Source: https://github.com/oxlayer/ox-toolkit/blob/079b7cf2f18371f81c367d42f4d8709cd5dea4da/testing/src/patterns/security.ts#L138

```typescript
136 | { input: '| cat /etc/passwd', description: 'pipe command' },
137 | { input: '`whoami`', description: 'backtick command' },
> 138 | { input: '$(cat /etc/passwd)', description: 'command substitution' },
139 | { input: '&& rm -rf /', description: 'AND command' },
140 | { input: '|| reboot', description: 'OR command' },
```

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
Source: https://github.com/oxlayer/ox-toolkit/blob/079b7cf2f18371f81c367d42f4d8709cd5dea4da/testing/src/patterns/security.ts#L141

```typescript
139 | { input: '&& rm -rf /', description: 'AND command' },
140 | { input: '|| reboot', description: 'OR command' },
> 141 | { input: '; cat /etc/passwd #', description: 'comment after command' },
142 | { input: '\nls -la', description: 'newline command' },
143 | { input: '\rwhoami', description: 'carriage return command' },
```
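The semgrep rule fires on string literals, so it cannot tell a hard-coded `/etc/passwd` read from a fixture that feeds `/etc/passwd` to a sanitizer under test. The block below is an added illustration, not code from ox-toolkit or this report, of what the six `PATH_TRAVERSAL_PATTERNS` vectors flagged above are for: a resolve-and-contain check rejects every vector that would leave the upload root, while a naive filter that deletes `../` once is exactly what the `....//` vector turns back into `../`. The root `/srv/uploads`, the function names and the weak sanitizer are all assumptions for the example; the vector strings are copied from the findings. The command-injection vectors in the same file are fixtures of the same kind and are not exercised here.

```typescript
// Added example, not ox-toolkit code. Shows why the flagged strings are
// test vectors: each one targets a specific weakness in path handling.
import * as path from "node:path";

// The six inputs from security.ts, copied from the findings above.
export const TRAVERSAL_VECTORS: string[] = [
  "../../../etc/passwd",
  "..\\..\\..\\windows\\system32\\config\\sam",
  "%2e%2e%2f%2e%2e%2fetc%2fpasswd",
  "....//....//....//etc/passwd",
  "/var/www/../../etc/passwd",
  "..%252f..%252f..%252fetc/passwd",
];

// Weak sanitiser (assumed for the example): deletes every literal "../" in a
// single pass. "....//" survives as "../" because the deletion exposes a new
// "../", which is what the "double-dot traversal" vector is built to trigger.
export function stripDotDotOnce(input: string): string {
  return input.replace(/\.\.\//g, "");
}

function tryDecode(s: string): string | null {
  try {
    return decodeURIComponent(s);
  } catch {
    return null; // malformed escape: treat as undecodable
  }
}

// Bounded repeated percent-decoding so single- and double-encoded vectors
// collapse to what the filesystem would actually see.
export function fullyDecode(input: string, maxRounds = 3): string {
  let current = input;
  for (let i = 0; i < maxRounds; i++) {
    const next = tryDecode(current);
    if (next === null || next === current) break;
    current = next;
  }
  return current;
}

// Hardened resolver: decode, fold backslashes to "/", resolve against the
// root, then require containment. An absolute user path is resolved as-is
// (path.resolve discards the root), which is what the "/var/www/../../"
// vector relies on; the containment check still catches it.
export function safeResolve(root: string, userPath: string): string | null {
  const decoded = fullyDecode(userPath).replace(/\\/g, "/");
  const rootAbs = path.posix.resolve(root);
  const target = path.posix.resolve(rootAbs, decoded);
  const contained = target === rootAbs || target.startsWith(rootAbs + "/");
  return contained ? target : null;
}

export interface VectorResult {
  input: string;
  hardened: string | null; // null = rejected by safeResolve
  weakThenJoin: string;    // where strip-once plus a plain join ends up
}

// Run every vector through both approaches against one root.
export function evaluateVectors(root: string): VectorResult[] {
  return TRAVERSAL_VECTORS.map((input) => ({
    input,
    hardened: safeResolve(root, input),
    weakThenJoin: path.posix.resolve(root, stripDotDotOnce(input)),
  }));
}

console.table(evaluateVectors("/srv/uploads"));
```

Two results are worth reading off the table. `....//....//....//etc/passwd` never escapes `/srv/uploads` under `safeResolve` (it normalises to a harmless `..../..../....` subtree), but after `stripDotDotOnce` it becomes `../../../etc/passwd` and a plain join lands on `/etc/passwd`; the vector exists to catch that class of filter, not to be dangerous on its own. The double-encoded `..%252f` form only collapses to `../` after two decode rounds, so a resolver that decodes once and then joins would see an innocuous file name while a later component that decodes again would not.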
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
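The provenance status at the top of this page and the Sigstore note here are the same check: does the registry hold a SLSA provenance attestation for this version, or only the registry's own signature over the tarball? The block below is an added example, not part of this report or of the @oxlayer project, that classifies a version from the metadata the npm registry returns for `npm view <pkg>@<version> dist --json`. The field layout (`dist.signatures`, `dist.attestations.url`, `dist.attestations.provenance.predicateType`) is what the registry currently publishes; the `example-pkg` packument, its versions and the function names are constructed for the example.

```typescript
// Added example, not part of this report. Classifies npm registry metadata
// into "has SLSA provenance", "registry signature only", or "none".

export interface Dist {
  tarball: string;
  integrity: string;
  // Registry-wide signature: proves npm served this tarball, not how it was built.
  signatures?: { keyid: string; sig: string }[];
  // Present only when the publisher used `npm publish --provenance` (or a
  // trusted-publisher workflow); the attestation bundle lives at `url`.
  attestations?: { url: string; provenance?: { predicateType?: string } };
}

export interface Packument {
  name: string;
  "dist-tags": Record<string, string>;
  versions: Record<string, { version: string; dist: Dist }>;
}

export type ProvenanceLevel = "slsa-provenance" | "registry-signature-only" | "none";

export interface ProvenanceReport {
  name: string;
  version: string;
  level: ProvenanceLevel;
  predicateType: string | null;
  attestationUrl: string | null;
}

// SLSA predicate types npm has emitted so far (assumed list for the example).
const SLSA_PREDICATES = new Set([
  "https://slsa.dev/provenance/v0.2",
  "https://slsa.dev/provenance/v1",
]);

// Classify one version; defaults to the `latest` dist-tag, as the page does.
export function provenanceReport(p: Packument, version?: string): ProvenanceReport {
  const v = version ?? p["dist-tags"].latest;
  const entry = p.versions[v];
  if (!entry) throw new Error(`${p.name}@${v} is not in the packument`);
  const { signatures, attestations } = entry.dist;
  const predicateType = attestations?.provenance?.predicateType ?? null;

  let level: ProvenanceLevel = "none";
  if (predicateType !== null && SLSA_PREDICATES.has(predicateType)) {
    level = "slsa-provenance";
  } else if (signatures && signatures.length > 0) {
    level = "registry-signature-only";
  }
  return { name: p.name, version: v, level, predicateType, attestationUrl: attestations?.url ?? null };
}

// Constructed packument: 1.0.0 published from a developer machine (registry
// signature only), 1.1.0 published from CI with provenance. Key ids, digests
// and signatures are placeholders, not real values.
export const SAMPLE_PACKUMENT: Packument = {
  name: "example-pkg",
  "dist-tags": { latest: "1.1.0" },
  versions: {
    "1.0.0": {
      version: "1.0.0",
      dist: {
        tarball: "https://registry.npmjs.org/example-pkg/-/example-pkg-1.0.0.tgz",
        integrity: "sha512-PLACEHOLDER1",
        signatures: [{ keyid: "SHA256:placeholder-registry-key", sig: "MEUCIQD-placeholder" }],
      },
    },
    "1.1.0": {
      version: "1.1.0",
      dist: {
        tarball: "https://registry.npmjs.org/example-pkg/-/example-pkg-1.1.0.tgz",
        integrity: "sha512-PLACEHOLDER2",
        signatures: [{ keyid: "SHA256:placeholder-registry-key", sig: "MEQCIB-placeholder" }],
        attestations: {
          url: "https://registry.npmjs.org/-/npm/v1/attestations/example-pkg@1.1.0",
          provenance: { predicateType: "https://slsa.dev/provenance/v1" },
        },
      },
    },
  },
};

console.log(provenanceReport(SAMPLE_PACKUMENT, "1.0.0"));
console.log(provenanceReport(SAMPLE_PACKUMENT));
```

The distinction the classifier draws is the one that matters for the risk stated above: nearly every package carries a registry signature, which only shows npm served this exact tarball. Only the attestation ties the tarball to a source repository, commit and build workflow, and only after the bundle at `attestationUrl` is verified (for an installed tree, `npm audit signatures` does that verification against the registry's keys). Reading the metadata alone, as this example does, tells you whether there is anything to verify, not that it verified.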