common-tg-service @1.3.226
Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 3:29 AM UTC
OSV ID
MAL-2026-3288
Ecosystem
npm
Summary
This package wires a global NestJS AuthGuard (registered via APP_GUARD in AppModule) that grants authenticated access to any deployed consumer service under several attacker-controlled conditions: (1) any HTTP request carrying the header or query parameter apiKey=santoor (case-insensitive) is treated as authenticated — see dist/guards/auth.guard.js line 80; (2) requests originating from a hardcoded list of five public IPs (31.97.59.2, 148.230.84.50, 13.228.225.19, 18.142.128.26, 54.254.162.138) are unconditionally allowed — dist/guards/auth.guard.js lines 14–20; (3) requests with an Origin header matching author-owned web properties (paidgirl.site, zomcall.netlify.app, tgchats.netlify.app, tg-chats.netlify.app, report-upi.netlify.app) are accepted — dist/guards/auth.guard.js lines 21–27; and (4) a long IGNORE_PATHS list bypasses auth entirely on destructive routes (/exit, /sendtoall, /sendmessage, /sendtochannel, /joinchannel, /leavechannel, /executehs, /executehsl, etc.).

AppController exposes POST /execute-request (dist/app.controller.js lines 80–105), which proxies arbitrary HTTP requests server-side; combined with the master key, this turns every consumer deployment into an open SSRF/relay reachable by anyone who reads the public tarball.

CloudinaryService.downloadAndExtractZip fetches https://cms.paidgirl.site/folders/${folderName}/files/download-all and runs AdmZip.extractAllTo(process.cwd(), true) on the result with no integrity check (dist/cloudinary.js lines 69, 84), so the author can overwrite arbitrary files (including dist/index.js and package.json) in the deployed app's working directory and achieve code execution on the next start.

generateTGConfig defaults SOCKS5 proxy fetch and IP management to https://cms.paidgirl.site/ip-management with x-api-key santoor (dist/components/Telegram/utils/generateTGConfig.js line 97), routing the installer's Telegram MTProto sessions through author-selected proxies.

fetchWithTimeout silently re-POSTs any 403/495 request, including its original headers and body, to https://helper-thge.onrender.com/execute-request (dist/utils/fetchWithTimeout.js lines 80–85), exfiltrating auth tokens and request payloads to an author-operated relay.

On bootstrap, InitModule.onModuleInit posts the installer's clientId to api.telegram.org chat_id -1001801844217 (dist/utils/logbots.js line 24), with subsequent unauthorized-attempt logs sent to the same author channel by default.

The combined effect: every installer that imports AppModule grants the author persistent remote access, code-execution capability, MTProto traffic interception, and a silent-relay exfiltration channel.
Source: amazon-inspector (7cd3b6dd4751c7296aa980af903101344ab538b1a9ead17da5699ab21bcfdfdb)
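A defender's triage helper, added here as an example (not part of the OSV record or of the package itself): it flags the affected version in a package-lock.json and looks in installed JavaScript sources for the indicators quoted in the summary (the hardcoded key value, the relay and CMS hosts, the archive extraction into process.cwd()). The lockfile handling follows npm's v1 (nested dependencies) and v2/v3 (flat packages map) layouts; SAMPLE_LOCK is a constructed lockfile, not taken from any real project.

```python
"""Triage helper for MAL-2026-3288: flag the affected package in a lockfile, spot its indicators in sources."""
import json
import re
from pathlib import Path

# Affected package and version, taken from the OSV record.
AFFECTED = {"common-tg-service": {"1.3.226"}}

# Indicators quoted in the advisory: hardcoded key value, relay/CMS hosts, archive extraction into cwd.
INDICATORS = {
    "hardcoded-key": re.compile(r"santoor", re.IGNORECASE),
    "relay-host": re.compile(r"helper-thge\.onrender\.com"),
    "cms-host": re.compile(r"cms\.paidgirl\.site"),
    "zip-to-cwd": re.compile(r"extractAllTo\(\s*process\.cwd\(\)"),
}

# Constructed sample lockfile (npm v3 layout), not taken from any real project.
SAMPLE_LOCK = '{"lockfileVersion": 3, "packages": {"": {"name": "app"}, ' \
              '"node_modules/common-tg-service": {"version": "1.3.226"}}}'

def affected_in_lockfile(lock_text: str) -> list[tuple[str, str]]:
    """(name, version) pairs in a package-lock.json (v1, v2 or v3) that match AFFECTED."""
    lock = json.loads(lock_text)
    found = set()
    # v2/v3 lockfiles: flat "packages" map keyed by path; "" is the root project itself
    for path, meta in lock.get("packages", {}).items():
        name = meta.get("name") or path.rsplit("node_modules/", 1)[-1]
        if path and meta.get("version") in AFFECTED.get(name, set()):
            found.add((name, meta["version"]))
    # v1 lockfiles: nested "dependencies" tree
    def walk(deps: dict) -> None:
        for name, meta in deps.items():
            if meta.get("version") in AFFECTED.get(name, set()):
                found.add((name, meta["version"]))
            walk(meta.get("dependencies", {}))
    walk(lock.get("dependencies", {}))
    return sorted(found)

def indicators_in_source(js_text: str) -> list[str]:
    """Names of the advisory indicators present in one JavaScript source."""
    return [name for name, rx in INDICATORS.items() if rx.search(js_text)]

def scan_package_dir(pkg_dir: Path) -> dict[str, list[str]]:
    """Map each .js file under pkg_dir (e.g. node_modules/common-tg-service) to its hits."""
    report = {}
    for js in sorted(pkg_dir.rglob("*.js")):
        hits = indicators_in_source(js.read_text(errors="ignore"))
        if hits:
            report[str(js.relative_to(pkg_dir))] = hits
    return report
```

Run affected_in_lockfile over each lockfile in the repository and scan_package_dir over the installed package directory; a non-empty result from either is a reason to pin the dependency away from the affected version and rotate any credentials the deployment held.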