Skip to content

docs(protect): end-to-end demo + seed demo rules (public CVE)#61

Merged
patchstackdave merged 2 commits into
mainfrom
feat/protect-demo
Jul 14, 2026
Merged

docs(protect): end-to-end demo + seed demo rules (public CVE)#61
patchstackdave merged 2 commits into
mainfrom
feat/protect-demo

Conversation

@patchstackdave

Copy link
Copy Markdown
Contributor

examples/protect/ — a runnable Verified Vulnerability Shielding demo against a real, unmodified vulnerable dependency (lodash@4.17.11, CVE-2019-10744), on top of @patchstack/connect/protect.

cd examples/protect && npm install && npm run demo

Six steps, all ✓:

  1. unprotected — the exploit pollutes Object.prototype via lodash.defaultsDeep
  2. dry-run — the vPatch detects + logs, still serves (safe onramp)
  3. block — request rejected (403) before the sink runs; prototype clean
  4. benign request still served (no false positive)
  5. a response that leaks an AWS key is redacted, page still served
  6. an outbound SSRF to 169.254.169.254 is blocked; external allowed

…then prints the proof line — "blocked here, right now, by rule demo-CVE-2019-10744, until you upgrade to 4.17.12. No app redeploy required."

IP / secrets

rules.demo.json is example rules for public CVEs only, clearly labeled — not the Patchstack production corpus (that's fetched per-site from the API at runtime). No token/secret in-repo; the demo uses a local bundle. Not shipped in the npm package (files unchanged; node_modules/lockfile gitignored).

🤖 Generated with Claude Code

examples/protect/ — a runnable Verified Vulnerability Shielding demo against a REAL
vulnerable dependency (lodash@4.17.11, CVE-2019-10744): exploit works unprotected →
dry-run detects → block rejects the request before the sink → benign still served →
response AWS-key redaction → egress SSRF block → proof line. No app redeploy, no token.

rules.demo.json holds EXAMPLE rules for public CVEs only (clearly labeled) — NOT the
production corpus, which is fetched per-site from the API at runtime. No secrets in-repo.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
@coderbuds

coderbuds Bot commented Jul 14, 2026

Copy link
Copy Markdown

Cohesive end-to-end demo illustrating live shielding of lodash prototype pollution (CVE-2019-10744).

🎯 Quality: 100% Elite · 📦 Size: Medium

📈 This month: Your 25th PR — above team average · Averaging Excellent

See how your team is trending →

@patchstackdave

Copy link
Copy Markdown
Contributor Author

/review

@patchstackdave patchstackdave merged commit a0c40e7 into main Jul 14, 2026
4 checks passed
@patchstackdave patchstackdave deleted the feat/protect-demo branch July 14, 2026 12:07
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants