@oxlayer/capabilities-testing
Shared testing infrastructure for OxLayer apps
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| semgrep | semgrep:etc-passwd-access | AI (semgrep): Package is a security testing library; /etc/passwd references are test fixture strings, not credential harvesting code. | ai | |
Versions (showing 1 of 1)
| Version | Deps | Published |
|---|---|---|
| 0.1.0 | 0 / 2 | |
v0.1.0
7 findings

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux (6 matches, all in src/patterns/security.ts at commit 079b7cf2f18371f81c367d42f4d8709cd5dea4da)

Sources:
- https://github.com/oxlayer/ox-toolkit/blob/079b7cf2f18371f81c367d42f4d8709cd5dea4da/src/patterns/security.ts#L123
- https://github.com/oxlayer/ox-toolkit/blob/079b7cf2f18371f81c367d42f4d8709cd5dea4da/src/patterns/security.ts#L126
- https://github.com/oxlayer/ox-toolkit/blob/079b7cf2f18371f81c367d42f4d8709cd5dea4da/src/patterns/security.ts#L127
- https://github.com/oxlayer/ox-toolkit/blob/079b7cf2f18371f81c367d42f4d8709cd5dea4da/src/patterns/security.ts#L136
- https://github.com/oxlayer/ox-toolkit/blob/079b7cf2f18371f81c367d42f4d8709cd5dea4da/src/patterns/security.ts#L138
- https://github.com/oxlayer/ox-toolkit/blob/079b7cf2f18371f81c367d42f4d8709cd5dea4da/src/patterns/security.ts#L141

Flagged lines (marked with `>`) in PATH_TRAVERSAL_PATTERNS, lines 121-129:

```text
  121 |  */
  122 | export const PATH_TRAVERSAL_PATTERNS: SecurityPattern[] = [
> 123 |   { input: '../../../etc/passwd', description: 'traversal with ../' },
  124 |   { input: '..\\..\\..\\windows\\system32\\config\\sam', description: 'Windows traversal' },
  125 |   { input: '%2e%2e%2f%2e%2e%2fetc%2fpasswd', description: 'URL-encoded traversal' },
> 126 |   { input: '....//....//....//etc/passwd', description: 'double-dot traversal' },
> 127 |   { input: '/var/www/../../etc/passwd', description: 'absolute path traversal' },
  128 |   { input: '..%252f..%252f..%252fetc/passwd', description: 'double-encoded traversal' },
  129 | ];
```

Flagged lines (marked with `>`) in COMMAND_INJECTION_PATTERNS, lines 134-143:

```text
  134 | export const COMMAND_INJECTION_PATTERNS: SecurityPattern[] = [
  135 |   { input: '; ls -la', description: 'semicolon command' },
> 136 |   { input: '| cat /etc/passwd', description: 'pipe command' },
  137 |   { input: '`whoami`', description: 'backtick command' },
> 138 |   { input: '$(cat /etc/passwd)', description: 'command substitution' },
  139 |   { input: '&& rm -rf /', description: 'AND command' },
  140 |   { input: '|| reboot', description: 'OR command' },
> 141 |   { input: '; cat /etc/passwd #', description: 'comment after command' },
  142 |   { input: '\nls -la', description: 'newline command' },
  143 |   { input: '\rwhoami', description: 'carriage return command' },
```
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
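The flagged strings are fixtures meant to be fed to an application's input handling, not code that reads `/etc/passwd`. As an added example (not OxLayer code and not part of this report), the TypeScript below runs fixture strings constructed here to mirror the flagged patterns through a resolve-and-contain path check, the "strip `../` once" anti-pattern the double-dot fixture is built to defeat, and a shell-metacharacter check covering the newline and carriage-return fixtures. The root `/srv/app`, the fixture arrays and every function name are assumptions made for this illustration.

```typescript
import * as path from "node:path";

// Added example, not OxLayer code. The fixture strings below are constructed
// for this illustration and mirror the patterns flagged in the report above.
export const TRAVERSAL_FIXTURES: string[] = [
  "../../../etc/passwd",                        // traversal with ../
  "..\\..\\..\\windows\\system32\\config\\sam", // Windows-style traversal
  "%2e%2e%2f%2e%2e%2fetc%2fpasswd",             // URL-encoded traversal
  "....//....//....//etc/passwd",               // double-dot traversal
  "/var/www/../../etc/passwd",                  // absolute path traversal
  "..%252f..%252f..%252fetc/passwd",            // double-encoded traversal
];

export const COMMAND_INJECTION_FIXTURES: string[] = [
  "; ls -la", "| cat /etc/passwd", "`whoami`", "$(cat /etc/passwd)",
  "&& rm -rf /", "|| reboot", "; cat /etc/passwd #", "\nls -la", "\rwhoami",
];

// One percent-decoding pass; malformed escapes (e.g. "%zz") yield null.
function decodeOnce(s: string): string | null {
  try {
    return decodeURIComponent(s);
  } catch {
    return null;
  }
}

// Decode until a fixed point so that %252f -> %2f -> / is actually seen.
// Input that is still changing after maxRounds is treated as hostile.
export function fullyDecode(input: string, maxRounds = 5): string | null {
  let current = input;
  for (let i = 0; i < maxRounds; i++) {
    const next = decodeOnce(current);
    if (next === null) return null;
    if (next === current) return current;
    current = next;
  }
  return null;
}

// Correct approach: decode, resolve against the root, then verify containment.
// Backslashes are treated as separators regardless of host OS. Returns the
// resolved path, or null if it escapes `root` or cannot be decoded.
export function resolveWithinRoot(root: string, userPath: string): string | null {
  const decoded = fullyDecode(userPath);
  if (decoded === null || decoded.includes("\0")) return null;
  const absRoot = path.posix.resolve(root);
  const candidate = path.posix.resolve(absRoot, decoded.replace(/\\/g, "/"));
  return candidate === absRoot || candidate.startsWith(absRoot + "/") ? candidate : null;
}

// Anti-pattern the double-dot fixture exists to defeat: delete "../" once and
// trust the result. "....//" collapses to "../" after a single pass.
export function naiveSanitize(root: string, userPath: string): string {
  return path.posix.resolve(root, userPath.replace(/\.\.\//g, ""));
}

// Shell metacharacters, including the newline and carriage return the last two
// command-injection fixtures rely on. The real fix is to bypass the shell
// (child_process.execFile with an argv array); this check only shows what the
// fixtures probe for.
export const SHELL_METACHARACTERS = /[;&|`$(){}<>\n\r]/;
export function containsShellMetacharacters(arg: string): boolean {
  return SHELL_METACHARACTERS.test(arg);
}

// Runs every fixture through the checks and reports which ones were caught.
export function evaluateFixtures(root = "/srv/app") {
  return {
    traversalRejected: TRAVERSAL_FIXTURES.filter((f) => resolveWithinRoot(root, f) === null),
    traversalAccepted: TRAVERSAL_FIXTURES.filter((f) => resolveWithinRoot(root, f) !== null),
    naiveEscapes: TRAVERSAL_FIXTURES.filter((f) => !naiveSanitize(root, f).startsWith(root + "/")),
    injectionFlagged: COMMAND_INJECTION_FIXTURES.filter((f) => containsShellMetacharacters(f)),
  };
}
```

Five of the six traversal fixtures resolve outside `/srv/app` and are rejected by `resolveWithinRoot`. The double-dot fixture is accepted, and that is correct: `....` is an ordinary directory name, so the resolved path stays inside the root. That fixture only has teeth against `naiveSanitize`, where a single strip of `../` turns it into `../../../etc/passwd` and the result resolves to `/etc/passwd`; the absolute-path fixture also escapes the naive version. All nine command-injection fixtures trip the metacharacter check because it includes `\n` and `\r`, which regexes built only around `;`, `|` and `&` miss.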