First off, thank you for considering contributing to Awesome-RCE-techniques. It's people like you that make Awesome-RCE-techniques such a great ressource.
Please take a moment to review this document in order to make the contribution process easy and effective for everyone involved. Awesome-RCE-techniques is a compilation of code exectution techniques that aims to be the most comprehansive and beginner friendly.
Documentating all the RCE techniques is a time consuming process, you can help by :
- Reporting a technique or an application that isn't covered yet. Consider adding all the informations you got to help the team (github page, version, screenshot, documentation, walkthrough ...)
- Writing a step-by-step process of how to achieve Remote Code Execution on this application.
- Providing test environnment (docker) to allow everyone to try these Remote Code Execution (RCE) techniques locally.
Please, don't use the issue tracker for support questions. If you can't figure out how to RCE an application, feel free to check this ressources:
- The Hacker Recipes (https://www.thehacker.recipes/)
- HackTricks (https://book.hacktricks.xyz/welcome/readme)
- Payloads All The Things (https://github.com/swisskyrepo/PayloadsAllTheThings)
This community and its members treat one another with respect. Everyone can make a valuable contribution to Awesome-RCE-techniques. We may not always agree, but disagreement is no excuse for poor behavior and poor manners. We might all experience some frustration now and then, but we cannot allow that frustration to turn into a personal attack. It's important to remember that a community where people feel uncomfortable or threatened isn't a productive one. We expect members of the community to be respectful when dealing with other contributors as well as with people outside the Awesome-RCE-techniques project and with users of this documentation.
Collaboration is central to the free software community. We should always be open to collaboration. Your work should be done transparently and patches should be given back to the community when they're made, not just when the distribution releases. If you wish to work on new code for existing upstream projects, at least keep those projects informed of your ideas and progress. It many not be possible to get consensus from upstream, or even from your colleagues about the correct implementation for an idea, so don't feel obliged to have that agreement before you begin, but at least keep the outside world informed of your work, and publish your work in a way that allows outsiders to test, discuss, and contribute to your efforts.
Disagreements, both political and technical, happen all the time and the Celery community is no exception. It's important that we resolve disagreements and differing views constructively and with the help of the community and community process. If you really want to go a different way, then we encourage you to make a derivative distribution or alternate set of packages that still build on the work we've done to utilize as common of a core as possible.
Nobody knows everything, and nobody is expected to be perfect. Asking questions avoids many problems down the road, and so questions are encouraged. Those who are asked questions should be responsive and helpful. However, when asking a question, care must be taken to do so in an appropriate forum.
Developers on every project come and go and here is no different. When you leave or disengage from the project, in whole or in part, we ask that you do so in a way that minimizes disruption to the project. This means you should tell people you're leaving and take the proper steps to ensure that others can pick up where you left off.
[source: Celery
Unsure where to begin contributing to Awesome-RCE-techniques? You can start by looking through these beginner and help-wanted issues: Beginner issues - issues which should only require a few lines of code, and a test or two. Help wanted issues - issues which should be a bit more involved than beginner issues. Both issue lists are sorted by total number of comments. While not perfect, number of comments is a reasonable proxy for impact a given change will have.
[source: Atom] Need more inspiration? [1] Read the Docs [2] Django (scroll down to "Guidelines" as well)
Here are a couple of friendly tutorials: http://makeapullrequest.com/ and http://www.firsttimersonly.com/
Working on your first Pull Request? You can learn how from this free series, How to Contribute to an Open Source Project on GitHub.
[source: React]
As a side note, it helps to use newcomer-friendly language throughout the rest of your document. Here are a couple of examples from Active Admin:
At this point, you're ready to make your changes! Feel free to ask for help; everyone is a beginner at first 😸
If a maintainer asks you to "rebase" your PR, they're saying that a lot of code has changed, and that you need to update your branch so it's easier to merge.
How you write this is up to you, but some things you may want to include:
For something that is bigger than a one or two line fix:
- Create your own fork of the code
- Do the changes in your fork
- If you like the change and think the project could use it: * Be sure you have followed the code style for the project. * Sign the Contributor License Agreement, CLA, with the jQuery Foundation. * Note the jQuery Foundation Code of Conduct. * Send a pull request indicating that you have a CLA on file.
[source: Requirejs] Need more inspiration? [1] Active Admin [2] Node.js [3] Ember.js
Small contributions such as fixing spelling errors, where the content is small enough to not be considered intellectual property, can be submitted by a contributor as a patch, without a CLA.
As a rule of thumb, changes are obvious fixes if they do not introduce any new functionality or creative thinking. As long as the change does not affect functionality, some likely examples include the following:
- Spelling / grammar fixes
- Typo correction, white space and formatting changes
- Comment clean up
- Bug fixes that change default return values or error codes stored in constants
- Adding logging messages or debugging output
- Changes to ‘metadata’ files like Gemfile, .gitignore, build scripts, etc.
- Moving source files from one directory or package to another
[source: Chef] Need more inspiration? [1] Puppet
At bare minimum, include this sentence:
If you find a security vulnerability, do NOT open an issue. Email XXXX instead.
If you don’t want to use your personal contact information, set up a “security@” email address. Larger projects might have more formal processes for disclosing security, including encrypted communication. (Disclosure: I am not a security expert.)
Any security issues should be submitted directly to [email protected] In order to determine whether you are dealing with a security issue, ask yourself these two questions:
- Can I access something that's not mine, or something I shouldn't have access to?
- Can I disable something for other people?
If the answer to either of those two questions are "yes", then you're probably dealing with a security issue. Note that even if you answer "no" to both questions, you may still be dealing with a security issue, so if you're unsure, just email us at [email protected].
[source: Travis CI] Need more inspiration? [1] Celery [2] Express.js
You can even include a template so people can just copy-paste (again, less work for you).
When filing an issue, make sure to answer these questions:
- What operating system and processor architecture are you using?
- What did you do?
- What did you expect to see?
- What did you see instead?
[source: Go] Need more inspiration? [1] Celery [2] Atom (includes template)
This information will give contributors context before they make suggestions that may not align with the project’s needs.
The Express philosophy is to provide small, robust tooling for HTTP servers, making it a great solution for single page applications, web sites, hybrids, or public HTTP APIs.
Express does not force you to use any specific ORM or template engine. With support for over 14 template engines via Consolidate.js, you can quickly craft your perfect framework.
[source: Express] Need more inspiration? Active Admin
If there is back-and-forth or signoff required, say so. Ask them to scope the feature, thinking through why it’s needed and how it might work.
If you find yourself wishing for a feature that doesn't exist in Elasticsearch, you are probably not alone. There are bound to be others out there with similar needs. Many of the features that Elasticsearch has today have been added because our users saw the need. Open an issue on our issues list on GitHub which describes the feature you would like to see, why you need it, and how it should work.
[source: Elasticsearch] Need more inspiration? [1] Hoodie [2] Ember.js
Who reviews it? Who needs to sign off before it’s accepted? When should a contributor expect to hear from you? How can contributors get commit access, if at all?
The core team looks at Pull Requests on a regular basis in a weekly triage meeting that we hold in a public Google Hangout. The hangout is announced in the weekly status updates that are sent to the puppet-dev list. Notes are posted to the Puppet Community community-triage repo and include a link to a YouTube recording of the hangout. After feedback has been given we expect responses within two weeks. After two weeks we may close the pull request if it isn't showing any activity.
[source: Puppet] Need more inspiration? [1] Meteor [2] Express.js