first public commit

.gitignore

@@ -0,0 +1,127 @@
+# Byte-compiled / optimized / DLL files
+__pycache__/
+*.py[cod]
+*$py.class
+
+# C extensions
+*.so
+
+# Distribution / packaging
+.Python
+build/
+develop-eggs/
+dist/
+downloads/
+eggs/
+.eggs/
+lib/
+lib64/
+parts/
+sdist/
+var/
+wheels/
+pip-wheel-metadata/
+share/python-wheels/
+*.egg-info/
+.installed.cfg
+*.egg
+MANIFEST
+
+# PyInstaller
+#  Usually these files are written by a python script from a template
+#  before PyInstaller builds the exe, so as to inject date/other infos into it.
+*.manifest
+*.spec
+
+# Installer logs
+pip-log.txt
+pip-delete-this-directory.txt
+
+# Unit test / coverage reports
+htmlcov/
+.tox/
+.nox/
+.coverage
+.coverage.*
+.cache
+nosetests.xml
+coverage.xml
+*.cover
+.hypothesis/
+.pytest_cache/
+
+# Translations
+*.mo
+*.pot
+
+# Django stuff:
+*.log
+local_settings.py
+db.sqlite3
+db.sqlite3-journal
+
+# Flask stuff:
+instance/
+.webassets-cache
+
+# Scrapy stuff:
+.scrapy
+
+# Sphinx documentation
+docs/_build/
+
+# PyBuilder
+target/
+
+# Jupyter Notebook
+.ipynb_checkpoints
+
+# IPython
+profile_default/
+ipython_config.py
+
+# pyenv
+.python-version
+
+# pipenv
+#   According to pypa/pipenv#598, it is recommended to include Pipfile.lock in version control.
+#   However, in case of collaboration, if having platform-specific dependencies or dependencies
+#   having no cross-platform support, pipenv may install dependencies that don't work, or not
+#   install all needed dependencies.
+#Pipfile.lock
+
+# celery beat schedule file
+celerybeat-schedule
+
+# SageMath parsed files
+*.sage.py
+
+# Environments
+.env
+.venv
+env/
+venv/
+ENV/
+env.bak/
+venv.bak/
+
+# Spyder project settings
+.spyderproject
+.spyproject
+
+# Rope project settings
+.ropeproject
+
+# mkdocs documentation
+/site
+
+# mypy
+.mypy_cache/
+.dmypy.json
+dmypy.json
+
+# Pyre type checker
+.pyre/
+
+.vscode/
+output/

LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2019 rarecoil.
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

README.md

@@ -0,0 +1,59 @@
+# unwebpack-sourcemap
+
+### Recover uncompiled TypeScript sources, JSX, and more from Webpack sourcemaps.
+
+As single-page applications take over the world, more and more is being asked of the browser as a client. It is common for SPAs to use [Webpack](https://webpack.js.org/) to handle browser script build processes. Usually, Webpack will transpile React/Vue/TypeScript/etc. to JavaScript, minify/compress it, and then serve it as a single bundle to the application.
+
+However, Webpack also produces [JavaScript source maps](https://www.html5rocks.com/en/tutorials/developertools/sourcemaps/) to assist in the debugging and development process; when things go wrong, the browser's debugger can use the SourceMap to point to a line in the code that contains the issue at hand. Most developers do not adequately protect the source maps and ship them to production environments.
+
+When the browser was simply handling an array of JavaScript files concatenated and (maybe) packed, this wasn't so much of an issue. However, developers of SPAs assume the use of JavaScript as an **intermediate representation**. Developers often expect production to contain obfuscated and/or otherwise-processed scripts, and do not understand just what the sourcemaps contain in many cases. This model aligns closely with shipping binaries: source is compiled and you ship the interpretable version. If this is the case, the sourcemap is akin to leaking your source alongside the "binary" (bundle) you have made. The bundle can be reverse engineered just as a binary can, but sourcemaps make this far easier.
+
+
+## Usage 
+
+The script requires Python3, `BeautifulSoup4` and `requests`. Install dependencies with `pip3 install -r requirements.txt`. The script can handle downloaded sourcemaps, or attempt to parse them from remote sources for you. In all of these cases, we will assume that you have a directory you have created called `output` alongside the script:
+
+```
+\$ mkdir output
+```
+
+In order of increasing noisiness, to unpack a local sourcemap:
+
+```
+\$ ./unwebpack_sourcemap.py --local /path/to/source.map output
+```
+
+To unpack a remote sourcemap:
+
+```
+\$ ./unwebpack_sourcemap.py https://pathto.example.com/source.map output
+```
+
+To attempt to read all `<script src>` on an HTML page, fetch JS assets, look for `sourceMappingURI`, and pull sourcemaps from remote sources:
+
+```
+\$ ./unwebpack_sourcemap.py --detect https://pathto.example.com/spa_root/ output
+```
+
+## I'm a developer and this scares me. What do?
+
+You have a few options:
+
+1. Turn off sourcemaps in production entirely.
+1. Push sourcemaps to a private server, and ACL sourcemap URIs to developers only.
+1. Load sourcemaps from local sources only and do not push them to production.
+
+
+## Example Vulnerable Application
+
+An example TypeScript+React application is included in `example-react-ts-app`. You can run this locally and run the script against it.
+
+
+## Contributions
+
+This is an alpha-level script built for a series of engagements I was working on in which sourcemaps are disclosed in production environments. It currently is only meant to work with TypeScript+React and TypeScript+Vue templates. Pull requests to harden the script, make it read more sourcemaps, et cetera are greatly appreciated.
+
+
+## License
+
+MIT.

example-react-ts-app/.babelrc

@@ -0,0 +1,17 @@
+{
+  "presets": [
+    ["@babel/preset-env", {"modules": false}],
+    "@babel/preset-react"
+  ],
+  "plugins": [
+    "react-hot-loader/babel"
+  ],
+  "env": {
+    "production": {
+      "presets": ["minify"]
+    },
+    "test": {
+      "presets": ["@babel/preset-env", "@babel/preset-react"]
+    }
+  }
+}

example-react-ts-app/.gitignore

@@ -0,0 +1,6 @@
+.idea/
+dist/
+node_modules/
+src/**/*.jsx
+tests/__coverage__/
+tests/**/*.jsx

example-react-ts-app/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2017 Viktor Persson
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

example-react-ts-app/README.md

@@ -0,0 +1,52 @@
+# React Webpack Typescript Starter
+> Minimal starter with hot module replacement (HMR) for rapid development.
+
+* **[React](https://facebook.github.io/react/)** (16.x)
+* **[Webpack](https://webpack.js.org/)** (4.x)
+* **[Typescript](https://www.typescriptlang.org/)** (3.x)
+* **[Hot Module Replacement (HMR)](https://webpack.js.org/concepts/hot-module-replacement/)** using [React Hot Loader](https://github.com/gaearon/react-hot-loader) (4.x)
+* [Babel](http://babeljs.io/) (7.x)
+* [SASS](http://sass-lang.com/)
+* [Jest](https://facebook.github.io/jest/) - Testing framework for React applications
+* Production build script
+* Image loading/minification using [Image Webpack Loader](https://github.com/tcoopman/image-webpack-loader)
+* Typescript compiling using [Awesome Typescript Loader](https://github.com/s-panferov/awesome-typescript-loader) (5.x)
+* Code quality (linting) for Typescript.
+
+## Installation
+1. Clone/download repo
+2. `yarn install` (or `npm install` for npm)
+
+## Usage
+**Development**
+
+`yarn run start-dev`
+
+* Build app continuously (HMR enabled)
+* App served @ `http://localhost:8080`
+
+**Production**
+
+`yarn run start-prod`
+
+* Build app once (HMR disabled) to `/dist/`
+* App served @ `http://localhost:3000`
+
+---
+
+**All commands**
+
+Command | Description
+--- | ---
+`yarn run start-dev` | Build app continuously (HMR enabled) and serve @ `http://localhost:8080`
+`yarn run start-prod` | Build app once (HMR disabled) to `/dist/` and serve @ `http://localhost:3000`
+`yarn run build` | Build app to `/dist/`
+`yarn run test` | Run tests
+`yarn run lint` | Run Typescript linter
+`yarn run start` | (alias of `yarn run start-dev`)
+
+**Note**: replace `yarn` with `npm` if you use npm.
+
+## See also
+* [React Webpack Babel Starter](https://github.com/vikpe/react-webpack-babel-starter)
+* [Isomorphic Webapp Starter](https://github.com/vikpe/isomorphic-webapp-starter)

example-react-ts-app/configs/jest.json

@@ -0,0 +1,30 @@
+{
+  "rootDir": "..",
+  "coverageDirectory": "<rootDir>/tests/__coverage__/",
+  "setupFiles": [
+    "<rootDir>/tests/__mocks__/shim.js"
+  ],
+  "roots": [
+    "<rootDir>/src/",
+    "<rootDir>/tests/"
+  ],
+  "moduleNameMapper": {
+    "\\.(jpg|jpeg|png|gif|eot|otf|webp|svg|ttf|woff|woff2|mp4|webm|wav|mp3|m4a|aac|oga)$": "<rootDir>/tests/__mocks__/fileMock.js",
+    "\\.(css|scss|less)$": "<rootDir>/tests/__mocks__/styleMock.js"
+  },
+  "moduleFileExtensions": ["ts", "tsx", "js", "jsx"],
+  "transform": {
+    "^.+\\.(ts|tsx)$": "<rootDir>/configs/jest.preprocessor.js"
+  },
+  "transformIgnorePatterns": [
+    "/node_modules/"
+  ],
+  "testRegex": "/tests/.*\\.(ts|tsx)$",
+  "moduleDirectories": [
+    "node_modules"
+  ],
+  "globals": {
+    "DEVELOPMENT": false,
+    "FAKE_SERVER": false
+  }
+}

example-react-ts-app/configs/jest.preprocessor.js

@@ -0,0 +1,22 @@
+const tsc       = require('typescript');
+const tsConfig  = require('./../tsconfig.json');
+
+module.exports = {
+    process(src, path) {
+        const isTs             = path.endsWith('.ts');
+        const isTsx            = path.endsWith('.tsx');
+        const isTypescriptFile = (isTs || isTsx);
+
+        if ( isTypescriptFile ) {
+            return tsc.transpileModule(
+                src,
+                {
+                    compilerOptions: tsConfig.compilerOptions,
+                    fileName:        path
+                }
+            ).outputText;
+        }
+
+        return src;
+    },
+};