9/5/2023

Typo crates

In my last blog post about typosquatting package managers I discussed my findings about attacking the programming language package managers, PyPi among them. That post generated quite some interest, and people subsequently asked whether other package managers might also be vulnerable to this hybrid attack (typosquatting combines a technical attack vector, code execution through a package, with a psychological one, the user's typing mistake).

During the time I wrote my thesis I encountered several other package managers. A very good overview of some of the most recent ones is the GitHub showcase page about package managers, which is summarized in the table below:

Package Manager Name

The obvious question now is: how many of those package managers are vulnerable to typosquatting attacks? I stated three mandatory requirements that need to be fulfilled in order for a package repository to be vulnerable to typosquatting attacks:

1. The possibility of registering any package name and uploading code without any hard costs such as providing a real identity or registering a domain name.
2. The feasibility of achieving code execution upon package installation on the host system. This requirement is not absolutely necessary, since code may also be executed when the typo package is finally imported.
3. Accessibility and presence of good documentation for uploading and distributing packages. Plus: a flat learning curve, so that a demo program in the target programming language can be developed quickly.

A good approach seems to be studying package managers that were found not to be vulnerable to typosquatting attacks and identifying the critical differences that make one package manager attackable and the other not. In my thesis, I initially wanted to also attack the repositories and found good reasons and obstacles not to include them in my attack.

There is a long discussion on GitHub about whether to allow pre- and post-install hooks similar to the ones used in npm. Sheerun commented in a GitHub issues discussion:

"Allowing postinstall raises serious security issues. With them anyone is able to run arbitrary code on your computer and on your production machines. That's why it's impossible in tools like git to commit any hooks to the repository. This is especially dangerous in the case of bower as it doesn't use any checksums or packaging. As pointed out, postinstall is also useless to post-process files as the user environment is unknown and unpredictable. A lot of people are depending on branches which can change at any moment (as well as tags, btw). Bower is going to have a publish command so a pre-publish hook will be OK. If hooks are implemented, they should be immediately reverted and deprecated."
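The first requirement above, free registration of arbitrary names, is what makes the psychological half of the attack work: an attacker registers names one keystroke away from popular packages and waits for typing mistakes. The following script is an added example that is not part of the original post or thesis. It generates the common typo families for a package name (character omission, adjacent-character transposition, adjacent-key substitution on a QWERTY layout, doubled characters, and separator confusion between `-` and `_`) and uses them defensively: before installing, a name is checked against a list of well-known packages and flagged if it is a near-miss of one of them. The popular-package list and the keyboard layout are constructed assumptions for the demo, not data from any registry.

```python
"""Typo-candidate generation and a pre-install lookalike check.

Added example (not from the original post). The typo families implemented
here are the usual ones exploited in typosquatting; the POPULAR list is a
constructed sample, not a registry snapshot.
"""
from __future__ import annotations

from typing import Iterable

# Constructed QWERTY rows for the adjacent-key ("fat finger") rule.
_KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm")

# Constructed sample of "popular" names a typosquatter would target.
POPULAR = ["requests", "urllib3", "numpy", "django", "flask", "six",
           "python-dateutil"]


def _neighbours(ch: str) -> set[str]:
    """Keys immediately left/right of ``ch`` on the same keyboard row."""
    for row in _KEYBOARD_ROWS:
        i = row.find(ch)
        if i != -1:
            out = set()
            if i > 0:
                out.add(row[i - 1])
            if i < len(row) - 1:
                out.add(row[i + 1])
            return out
    return set()


def typo_candidates(name: str) -> set[str]:
    """All single-mistake variants of ``name`` that a user might type."""
    name = name.lower()
    cands: set[str] = set()
    # Omission: one character dropped.
    for i in range(len(name)):
        cands.add(name[:i] + name[i + 1:])
    # Transposition: two adjacent characters swapped.
    for i in range(len(name) - 1):
        cands.add(name[:i] + name[i + 1] + name[i] + name[i + 2:])
    # Adjacent-key substitution: one character replaced by a keyboard neighbour.
    for i, ch in enumerate(name):
        for n in _neighbours(ch):
            cands.add(name[:i] + n + name[i + 1:])
    # Doubled character: one character typed twice.
    for i, ch in enumerate(name):
        cands.add(name[:i] + ch + name[i:])
    # Separator confusion: '-' vs '_' vs nothing.
    for sep, other in (("-", "_"), ("_", "-")):
        if sep in name:
            cands.add(name.replace(sep, other))
            cands.add(name.replace(sep, ""))
    cands.discard(name)
    cands.discard("")
    return cands


def squat_targets(candidate: str, popular: Iterable[str]) -> list[str]:
    """Popular names that ``candidate`` is one typo away from (sorted)."""
    c = candidate.lower()
    return sorted(p for p in popular if c in typo_candidates(p))


def vet_install(name: str, popular: Iterable[str]) -> tuple[str, list[str]]:
    """Classify a name before installing it.

    Returns ("known", []) for an exact popular name, ("suspect", targets)
    when the name is a near-miss of one or more popular names, and
    ("unknown", []) otherwise.  A real policy would refuse or prompt on
    "suspect"; this demo only reports.
    """
    popular = list(popular)
    if name.lower() in {p.lower() for p in popular}:
        return "known", []
    targets = squat_targets(name, popular)
    if targets:
        return "suspect", targets
    return "unknown", []


if __name__ == "__main__":
    for n in ("requests", "reqeusts", "urlib3", "python_dateutil", "totally-different"):
        print(n, "->", vet_install(n, POPULAR))
```

The check is deliberately one-sided: it only flags names within one mistake of a known-good list, so it needs a curated list (the packages your project actually depends on is a good start) and says nothing about a typo package that is two mistakes away. Running it inside a pre-install wrapper is cheap, since each lookup costs a handful of string operations per popular name.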