Init

Signed-off-by: Hadi <112569860+anotherhadi@users.noreply.github.com>

.github/plugins_example/inject_header.lua

@@ -0,0 +1,26 @@
+-- Inject a custom header into every request.
+-- Config format (one per line): Header-Name: value
+
+Plugin = {
+  name       = "Inject Header",
+  on_request = { sync = true },
+}
+
+local headers = {}
+
+function on_start(config_text)
+  for line in config_text:gmatch("[^\n]+") do
+    local name, value = line:match("^([^:]+):%s*(.+)$")
+    if name and value then
+      table.insert(headers, { name = name, value = value })
+    end
+  end
+  log("loaded " .. #headers .. " header(s)")
+end
+
+function on_request(req)
+  for _, h in ipairs(headers) do
+    req:set_header(h.name, h.value)
+  end
+  return "forward"
+end

.github/plugins_example/ip_whitelist.lua

@@ -0,0 +1,48 @@
+-- Check that the proxy's outbound IP is in the whitelist before starting.
+-- Config: one allowed IP per line. Leave empty to disable the check.
+
+Plugin = {
+  name     = "IP Whitelist",
+  on_start = {},
+}
+
+function on_start(config_text)
+  local allowed = {}
+  for line in config_text:gmatch("[^\n]+") do
+    local ip = line:match("^%s*(.-)%s*$")
+    if ip ~= "" then
+      table.insert(allowed, ip)
+    end
+  end
+
+  if #allowed == 0 then
+    log("no IPs configured, skipping check")
+    return
+  end
+
+  -- Fetch the current outbound IP via a public API.
+  local ok, result = pcall(function()
+    local handle = io.popen("curl -sf https://api.ipify.org 2>/dev/null")
+    if not handle then return nil end
+    local ip = handle:read("*a")
+    handle:close()
+    return ip and ip:match("^%s*(.-)%s*$") or nil
+  end)
+
+  if not ok or not result or result == "" then
+    log("could not determine outbound IP, skipping check")
+    return
+  end
+
+  log("outbound IP: " .. result)
+
+  for _, ip in ipairs(allowed) do
+    if result == ip then
+      log("IP " .. result .. " is whitelisted")
+      return
+    end
+  end
+
+  notif("IP Whitelist", "Outbound IP " .. result .. " is NOT in the whitelist!")
+  quit("outbound IP " .. result .. " not whitelisted")
+end

.github/plugins_example/secret_finder.lua

@@ -0,0 +1,35 @@
+-- Scan response bodies for common API key / secret patterns.
+-- Runs asynchronously so it never delays traffic.
+
+Plugin = {
+  name        = "Secret Finder",
+  on_response = { sync = false },
+}
+
+local PATTERNS = {
+  { pattern = "AIza[0-9A-Za-z%-_]{35}",                label = "Google API Key" },
+  { pattern = "AKIA[0-9A-Z]{16}",                      label = "AWS Access Key" },
+  { pattern = "sk%-[a-zA-Z0-9]{20,}",                  label = "OpenAI API Key" },
+  { pattern = "ghp_[a-zA-Z0-9]{36}",                   label = "GitHub Personal Token" },
+  { pattern = "Bearer%s+[a-zA-Z0-9%-_%.]+%.[a-zA-Z0-9%-_%.]+%.[a-zA-Z0-9%-_%.]+",
+                                                         label = "JWT Bearer Token" },
+}
+
+function on_response(req, res)
+  local body = res:get_body()
+  if body == "" then return end
+
+  for _, p in ipairs(PATTERNS) do
+    if body:find(p.pattern) then
+      local key = p.label .. ":" .. req.host
+      create_finding({
+        title       = p.label .. " in response",
+        description = "**Host:** `" .. req.host .. "`\n\n" ..
+                      "**Path:** `" .. req.path .. "`\n\n" ..
+                      "Pattern `" .. p.pattern .. "` matched in the response body.",
+        key         = key,
+        severity    = "high",
+      })
+    end
+  end
+end