A while back I made a tool to scratch my own itch, a debian packager. Probably nothing special, but FPM didn’t do exactly what I wanted.
For Devember I want to make this accessible via an API where you can upload a zip or a tar.gz and it will build and return to you a Debian package.
There are lots of avenues for exploitation here, so security is probably going to be the hardest part.
I may also make a cookbook or Debian package to configure a VPS for this sole purpose, which I hope will include a way to operate it over SSH port forwarding so the API never touches the public internet.
Here’s the tool I made:
Here’s the Devember project repo:
Alright this is pretty cool. I got a POC working OK.
../bin/go-ian-api 130 ↵
2020/11/13 02:01:55 found uploads path at uploads
2020/11/13 02:01:55 found extracts path at extracts
2020/11/13 02:01:55 found downloads path at downloads
[GIN-debug] [WARNING] Creating an Engine instance with the Logger and Recovery middleware already attached.
[GIN-debug] [WARNING] Running in "debug" mode. Switch to "release" mode in production.
- using env: export GIN_MODE=release
- using code: gin.SetMode(gin.ReleaseMode)
[GIN-debug] POST /upload --> main.(*server).UploadFile-fm (3 handlers)
[GIN-debug] GET /download/:id/:filename --> main.(*server).DownloadFile-fm (3 handlers)
2020/11/13 02:01:55 Server started on localhost:8080, use /upload for uploading files and /files/{fileName} for downloading files.
[GIN-debug] Listening and serving HTTP on :8080
v^[[B[GIN] 2020/11/13 - 02:02:02 | 200 | 2.157754ms | 127.0.0.1 | GET "/download/4c1717a9-1266-4ce3-b307-271a24c9cbc5/example_0.0.1_all.deb"
So I got it to take a tar.gz with a debian package filesystem inside (read, control and data archives together but unzipped) and it builds the deb file and redirects you to a place to download it.
So I took this directory:
example
├── DEBIAN
│   ├── build
│   ├── control
│   ├── postinst
│   ├── postrm
│   ├── preinst
│   └── prerm
└── etc
    └── testfile
Tarred it up and sent the tar via curl:
curl http://localhost:8080/upload -F "[email protected]" -H "Content-Type: multipart/form-data" -LJO
The LJO ensures that curl will accept the redirect and save the file with the name that was generated. Here’s the curl output:
* Trying 127.0.0.1:8080...
* TCP_NODELAY set
* Connected to localhost (127.0.0.1) port 8080 (#0)
> POST /upload HTTP/1.1
> Host: localhost:8080
> User-Agent: curl/7.68.0
> Accept: */*
> Content-Length: 751
> Content-Type: multipart/form-data; boundary=------------------------aa86d76b6571ac6d
>
* We are completely uploaded and fine
* Mark bundle as not supporting multiuse
< HTTP/1.1 303 See Other
< Location: /download/98cad0e1-4250-48f4-b230-65f62cb200ad/example_0.0.1_all.deb
< Date: Thu, 12 Nov 2020 13:02:12 GMT
< Content-Length: 0
<
* Connection #0 to host localhost left intact
* Issue another request to this URL: 'http://localhost:8080/download/98cad0e1-4250-48f4-b230-65f62cb200ad/example_0.0.1_all.deb'
* Disables POST, goes with GET
* Found bundle for host localhost: 0x5643eab64bf0 [serially]
* Can not multiplex, even if we wanted to!
* Re-using existing connection! (#0) with host localhost
* Connected to localhost (127.0.0.1) port 8080 (#0)
> GET /download/98cad0e1-4250-48f4-b230-65f62cb200ad/example_0.0.1_all.deb HTTP/1.1
> Host: localhost:8080
> User-Agent: curl/7.68.0
> Accept: */*
> Content-Type: multipart/form-data
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Accept-Ranges: bytes
< Content-Disposition: attachment; filename="example_0.0.1_all.deb"
< Content-Length: 1076
< Content-Type: application/x-debian-package
< Last-Modified: Thu, 12 Nov 2020 13:02:12 GMT
< Date: Thu, 12 Nov 2020 13:02:12 GMT
<
Pretty happy. A few things left to do though. There is no security right now for instance.
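The two places the POC above touches the filesystem with caller-controlled names are the extraction of the uploaded tar.gz and the `/download/:id/:filename` route. Here is an added Go example (the server is Go/gin) of how those two steps can be hardened; it is not code from the go-ian or go-ian-api repos. It assumes an `ErrUnsafeEntry` sentinel, constructed per-member and per-upload size caps, and that the download id is a UUID and the filename a Debian package name like the `example_0.0.1_all.deb` in the logs.

```go
package main

import (
	"archive/tar"
	"compress/gzip"
	"errors"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"regexp"
	"strings"
)

const (
	MaxEntryBytes int64 = 50 << 20  // per member; constructed value for this example
	MaxTotalBytes int64 = 200 << 20 // per upload; constructed value for this example
)

var ErrUnsafeEntry = errors.New("unsafe input") // returned for every refused member or parameter

// SafeExtractTarGz unpacks a .tar.gz into dest and returns the relative paths it wrote.
// It refuses absolute names, names resolving above dest, anything that is not a plain
// file or directory (symlinks, hard links, devices) and uploads over the size caps.
func SafeExtractTarGz(r io.Reader, dest string) ([]string, error) {
	absDest, err := filepath.Abs(dest)
	if err != nil {
		return nil, err
	}
	gz, err := gzip.NewReader(r)
	if err != nil {
		return nil, fmt.Errorf("not a gzip stream: %w", err)
	}
	tr := tar.NewReader(gz)
	written, out := int64(0), []string(nil)
	for {
		hdr, err := tr.Next()
		if errors.Is(err, io.EOF) {
			return out, nil
		}
		if err != nil {
			return nil, err
		}
		if filepath.IsAbs(hdr.Name) {
			return nil, fmt.Errorf("%w: absolute member name %q", ErrUnsafeEntry, hdr.Name)
		}
		// Join cleans ".." segments; Rel then shows whether the result left absDest.
		target := filepath.Join(absDest, hdr.Name)
		rel, err := filepath.Rel(absDest, target)
		if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
			return nil, fmt.Errorf("%w: member %q escapes destination", ErrUnsafeEntry, hdr.Name)
		}
		switch hdr.Typeflag {
		case tar.TypeDir:
			if err := os.MkdirAll(target, 0o755); err != nil {
				return nil, err
			}
		case tar.TypeReg:
			if hdr.Size > MaxEntryBytes || written+hdr.Size > MaxTotalBytes {
				return nil, fmt.Errorf("%w: member %q exceeds size cap", ErrUnsafeEntry, hdr.Name)
			}
			if err := os.MkdirAll(filepath.Dir(target), 0o755); err != nil {
				return nil, err
			}
			// Keep only rwx bits from the header: no setuid, setgid or sticky bit.
			f, err := os.OpenFile(target, os.O_CREATE|os.O_WRONLY|os.O_TRUNC, os.FileMode(hdr.Mode)&0o777)
			if err != nil {
				return nil, err
			}
			n, err := io.Copy(f, tr) // tar.Reader stops at hdr.Size, which was checked above
			f.Close()
			if err != nil {
				return nil, err
			}
			written += n
		default:
			return nil, fmt.Errorf("%w: member %q is not a regular file or directory", ErrUnsafeEntry, hdr.Name)
		}
		out = append(out, rel)
	}
}

// The :id and :filename route parameters are matched against strict patterns before
// being joined onto the downloads directory, so "..", slashes and stray characters never
// reach the filesystem.
var (
	uuidRe = regexp.MustCompile(`^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$`)
	debRe  = regexp.MustCompile(`^[a-z0-9][a-z0-9.+-]+_[A-Za-z0-9.+~-]+_[a-z0-9-]+\.deb$`)
)

// SafeDownloadPath returns downloadsDir/id/filename, or an error if either is malformed.
func SafeDownloadPath(downloadsDir, id, filename string) (string, error) {
	if !uuidRe.MatchString(id) || !debRe.MatchString(filename) {
		return "", fmt.Errorf("%w: bad download parameters %q/%q", ErrUnsafeEntry, id, filename)
	}
	return filepath.Join(downloadsDir, id, filename), nil
}

// Usage: go run . < upload.tar.gz (extracts into ./extracts, prints paths or the refusal)
func main() {
	paths, err := SafeExtractTarGz(os.Stdin, "extracts")
	fmt.Println(paths, err)
}
```

In the gin handler the reader passed to `SafeExtractTarGz` would be the opened multipart file, with `dest` a fresh per-upload directory under `extracts`; an `ErrUnsafeEntry` maps naturally to a 400 and the partial directory is removed. Refusing symlinks outright is deliberate: a package source tree has no legitimate need for them, and allowing "safe" symlinks means re-checking every later member against a filesystem that now contains attacker-chosen links.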