confused's People

Contributors

bjhulst, flavioheleno, joohoi, mrecachinas, rlschilperoort

confused's Issues

Is it still working?

Hello Team,

I tried to install this tool and it looks like it's not working. Please check this out!

[NPM] Dependencies set as URLs are not takeoverable

Hi again!

AFAIK dependencies specified as a URL are not takeoverable, as it'll override the normal lookup mechanism and instruct NPM to download the dependency from a specific location:

https://docs.npmjs.com/cli/v7/configuring-npm/package-json#dependencies

Some examples

"dep_name": "github_org_name/repo_name#2.2.0"
"dep_name": "https://github.com/github_org_name/repo_name#2.2.0"
"dep_name": "file:/test/path"

confused still flags these as vulnerable.

Maybe the best way to fix this is by checking if the version part is valid semver, but there might be some edge cases ("tag"?)
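One way to classify dependency specifiers by their shape rather than by semver validity, as an added Go example that is not part of confused (the RegistryName helper and its prefix list are my own; the location-pinning forms are the ones the linked package.json docs describe, and the first sample entry is the one from this issue):

```go
package main

import (
	"fmt"
	"strings"
)

// locationPrefixes pin the download location (package.json "dependencies"
// docs), so npm never consults a registry for such an entry.
var locationPrefixes = []string{
	"file:", "link:", "http://", "https://", "git://", "git+ssh://",
	"git+http://", "git+https://", "git+file://", "github:", "gist:",
	"gitlab:", "bitbucket:",
}

// RegistryName (hypothetical helper, not part of confused) reports whether an
// entry is resolved through a registry lookup and which name that lookup uses.
// Judging the specifier's shape sidesteps semver edge cases ("latest", ranges, "*").
func RegistryName(name, spec string) (string, bool) {
	s := strings.TrimSpace(spec)
	for _, p := range locationPrefixes {
		if strings.HasPrefix(s, p) {
			return "", false
		}
	}
	// "alias": "npm:real-name@range" looks up real-name, not the key.
	if strings.HasPrefix(s, "npm:") {
		target := strings.TrimPrefix(s, "npm:")
		if i := strings.LastIndex(target, "@"); i > 0 {
			target = target[:i] // drop the range; "@scope/name" survives
		}
		return target, true
	}
	// GitHub shorthand "org/repo" or "org/repo#ref": a slash, no scheme.
	if strings.Contains(s, "/") {
		return "", false
	}
	return name, true // versions, ranges, dist-tags and "*" hit the registry
}

func main() {
	deps := [][2]string{ // constructed entries; the first is from the issue
		{"dep_name", "github_org_name/repo_name#2.2.0"},
		{"my-alias", "npm:@scope/real@^1.2.0"},
	}
	for _, d := range deps {
		n, ok := RegistryName(d[0], d[1])
		fmt.Printf("%-9s %-34s registry=%-5v name=%q\n", d[0], d[1], ok, n)
	}
}
```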

json: cannot unmarshal bool into Go struct field error

Hi there

Thanks for a great tool!

We have checked a large number of package.json files. Sometimes the tool fails with this message:
Encountered an error while trying to read packages from file: json: cannot unmarshal bool into Go struct field PackageJSON.bundleDependencies of type []string

For instance when running against this file npm\node_modules\decamelize\package.json

I don't know if it's a general bug or something at our end.

Thanks!
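The error comes from decoding a field that package.json allows to be either a boolean or an array straight into []string. An added Go example, not confused's code, of a custom UnmarshalJSON that accepts both shapes (the BundleList and PackageJSON types are hypothetical; the sample document is constructed):

```go
package main

import (
	"encoding/json"
	"fmt"
)

// BundleList (hypothetical type, not confused's own) accepts both shapes
// package.json allows for "bundleDependencies": an array of names, or a
// boolean (true = bundle everything in "dependencies"). Decoding the
// boolean straight into []string is what produces the error in this issue.
type BundleList struct {
	Names []string
	All   bool
}

func (b *BundleList) UnmarshalJSON(data []byte) error {
	var all bool
	if err := json.Unmarshal(data, &all); err == nil {
		b.All, b.Names = all, nil
		return nil
	}
	var names []string
	if err := json.Unmarshal(data, &names); err != nil {
		return fmt.Errorf("bundleDependencies: want bool or []string: %w", err)
	}
	b.Names = names
	return nil
}

type PackageJSON struct {
	Name                string            `json:"name"`
	Dependencies        map[string]string `json:"dependencies"`
	BundleDependencies  BundleList        `json:"bundleDependencies"`
	BundledDependencies BundleList        `json:"bundledDependencies"` // legacy spelling npm also accepts
}

// ParsePackageJSON decodes one package.json document.
func ParsePackageJSON(data []byte) (PackageJSON, error) {
	var p PackageJSON
	err := json.Unmarshal(data, &p)
	return p, err
}

func main() {
	// Constructed sample using the boolean form that broke the []string field.
	p, err := ParsePackageJSON([]byte(`{"name":"example-pkg","dependencies":{"left-pad":"1.3.0"},"bundleDependencies":true}`))
	fmt.Printf("all=%v deps=%v err=%v\n", p.BundleDependencies.All, p.Dependencies, err)
}
```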

Ruby support

In his paper, Alex BIRSAN talked about dependency confusion in Ruby (index: Rubygems, package manager: gem) with an example with shopify-cloud gem.
Would it be possible to support gems too (Gemfile, Gemfile.lock, *.gemspec)?

[Request] Check Installed Packages

Can you give the option to check all packages that are currently installed?

It is possible to do this with pip by running:
pip3 list
pip list

support continuations in pip requirements files

pip requirements files can look like this:

appdirs==1.4.4 \
    --hash=sha256:7d5d0167b2b1ba821647616af46a749d1c653740dd0d2415100fe26e27afdf41 \
    --hash=sha256:a841dacd6b99318a741b166adb07e19ee71a274450e68237b4650ca1055ab128 \
    # via black

That has the package pinned to a specific version plus hashes of the package download files. When pip is used to install packages specified like this, it downloads the file and verifies it against the hash in the requirements file. The continuations (\) are used to keep the file readable.

Given a requirements file like that, confused produces output like this:

Issues found, the following packages are not available in public package repositories:
 [!] --hash
 [!] --hash

Seems like confused doesn't support continuations (the \):

confused/pip.go, lines 24 to 35 in d0cafe9:

for _, l := range strings.Split(string(rawfile), "\n") {
	l = strings.TrimSpace(l)
	if strings.HasPrefix(l, "#") {
		continue
	}
	if len(l) > 0 {
		pkgrow := strings.FieldsFunc(l, p.pipSplit)
		if len(pkgrow) > 0 {
			p.Packages = append(p.Packages, strings.TrimSpace(pkgrow[0]))
		}
	}
}

[Composer] Filter out platform packages

Hi! Currently confused outputs "ext-*" as unsafe packages. You probably want to filter them out. You may want to check the "lib-*" prefix or "hhvm" as well: https://getcomposer.org/doc/01-basic-usage.md#platform-packages

Example output:

Issues found, the following packages are not available in public package repositories:
 [!] ext-readline
 [!] ext-zip
 [!] ext-redis
 [!] ext-mongodb
 [!] ext-zlib
 [!] ext-mysqli
 [!] ext-json
 [!] ext-curl
 [!] ext-libxml
 [!] ext-zend-opcache
 [!] ext-amqp
 [!] ext-iconv
 [!] ext-simplexml
 [!] ext-ast
 [!] ext-openssl
 [!] ext-apcu
 [!] ext-pdo
 [!] ext-calendar
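An added Go example, not confused's own code, that drops platform packages before any registry lookup. The IsPlatformPackage and CheckablePackages helpers are hypothetical, the regex is my reading of the Composer platform-package rules linked above (check it against the current Composer source), and the composer.json input is constructed:

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"sort"
)

// platformPackage matches the names Composer satisfies from the local PHP
// runtime instead of a package repository: php (and its variants), hhvm,
// ext-*, lib-* and the composer-*-api pseudo packages. Hypothetical helper,
// not confused's code; the pattern is my reading of Composer's platform
// package rules and should be checked against the current Composer source.
var platformPackage = regexp.MustCompile(`^(?i:php(?:-64bit|-ipv6|-zts|-debug)?|hhvm|` +
	`(?:ext|lib)-[a-z0-9](?:[_.-]?[a-z0-9]+)*|composer(?:-(?:plugin|runtime)-api)?)$`)

func IsPlatformPackage(name string) bool { return platformPackage.MatchString(name) }

type composerJSON struct {
	Require    map[string]string `json:"require"`
	RequireDev map[string]string `json:"require-dev"`
}

// CheckablePackages returns the require/require-dev names that a registry
// lookup makes sense for, dropping platform packages, sorted for stable output.
func CheckablePackages(data []byte) ([]string, error) {
	var c composerJSON
	if err := json.Unmarshal(data, &c); err != nil {
		return nil, err
	}
	var out []string
	for _, section := range []map[string]string{c.Require, c.RequireDev} {
		for name := range section {
			if !IsPlatformPackage(name) {
				out = append(out, name)
			}
		}
	}
	sort.Strings(out)
	return out, nil
}

func main() {
	// Constructed composer.json mixing platform requirements with real packages.
	sample := []byte(`{"require":{"php":">=7.4","ext-json":"*","ext-zend-opcache":"*",
		"monolog/monolog":"^2.0"},"require-dev":{"phpunit/phpunit":"^9.5"}}`)
	pkgs, err := CheckablePackages(sample)
	fmt.Println(pkgs, err)
}
```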

Output is actively misrepresenting the vulnerability.

Type II error: false negative.

Let's say my company has a private package, iconic-spoon-collection; this package is not supposed to be public.
This tool would say everything is probably fine if iconic-spoon-collection existed in the public repository.

If the tool knew that iconic-spoon-collection was a private-only package, it would know it should not be public, and the fact that this package is public is a sign that you have been breached.

pip false positive

Hello and thank you for a great research project. I have found that if a requirements.txt includes a package followed by a ;, it will alert on said package even if said package does exist.

Example:

affine~=2.3.0
attrs>=19.2.0
boto3>=1.2.4
click~=7.1.0
click-plugins
cligj>=0.5
enum34; python_version < "3.4"
matplotlib
numpy>=1.10
snuggs~=1.4.0
setuptools>=20.0

Result:

confused -l pip requirements.txt
Issues found, the following packages are not available in public package repositories:
 [!] enum34;
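Both pip reports above, the "\" continuations carrying --hash options and the ";" environment marker, come from treating each physical line as a package on its own. An added Go example, not confused's code, of a ParseRequirements helper (hypothetical name) that joins continuations first and then cuts the project name off before extras, specifiers and markers; the sample input is constructed from the two reports:

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

var (
	// A comment starts at "#" when it begins the line or follows whitespace.
	commentRe = regexp.MustCompile(`(^|\s)#.*$`)
	// Project name at the start of a requirement (PEP 508 name grammar).
	nameRe = regexp.MustCompile(`^[A-Za-z0-9](?:[A-Za-z0-9._-]*[A-Za-z0-9])?`)
	// PEP 503 normalisation: runs of "-", "_" and "." collapse to "-".
	normRe = regexp.MustCompile(`[-_.]+`)
)

// ParseRequirements is a hypothetical replacement for the line loop in
// confused's pip.go, not the project's code. It joins "\" continuations
// before looking for a name, so "--hash=..." option lines are never taken
// for packages, and it stops the name before extras "[...]", version
// specifiers, whitespace and ";" environment markers. Option lines (-r, -e,
// --index-url ...) and URL or path requirements name no registry package.
func ParseRequirements(raw string) []string {
	var pkgs []string
	var logical strings.Builder
	for _, line := range strings.Split(raw, "\n") {
		line = strings.TrimRight(commentRe.ReplaceAllString(line, "${1}"), " \t\r")
		if strings.HasSuffix(line, "\\") {
			logical.WriteString(strings.TrimSuffix(line, "\\") + " ")
			continue
		}
		logical.WriteString(line)
		req := strings.TrimSpace(logical.String())
		logical.Reset()
		if req == "" || strings.HasPrefix(req, "-") || strings.Contains(req, "://") ||
			strings.HasPrefix(req, ".") || strings.HasPrefix(req, "/") {
			continue
		}
		if name := nameRe.FindString(req); name != "" {
			pkgs = append(pkgs, strings.ToLower(normRe.ReplaceAllString(name, "-")))
		}
	}
	return pkgs
}

func main() {
	// Constructed requirements text reproducing both shapes reported above.
	sample := "appdirs==1.4.4 \\\n    --hash=sha256:7d5d... \\\n    # via black\nenum34; python_version < \"3.4\"\nclick-plugins\n"
	fmt.Println(ParseRequirements(sample)) // [appdirs enum34 click-plugins]
}
```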

False Positive NPM detection

Summary

Hello Team

Thank you for this awesome tool. I wanted to point out that while I was automating my process I came across a certain package.json that gave me all false positive results, and I can't figure out why this particular one is giving such results.

Located here
https://assets.vimeo.com/package.json


I tested all of these and all of them are already registered

Best regards

npm false negative.

Hi guys!
Thanks for this great tool!

If someone created an npm package that was later unpublished, the tool returns status code 200, but a takeover of this package is still possible.

I have found this testing the package console-shim


thanks!
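An added Go example, not confused's code, of deciding availability from the registry document rather than from the HTTP status alone. ClassifyRegistryResponse and the packument struct are hypothetical, and the response shape (a 200 whose "time" map carries an "unpublished" entry and no "versions") is an assumption to verify against the registry you query; the sample body is constructed:

```go
package main

import (
	"encoding/json"
	"fmt"
)

// packument holds the fields of a registry package document this check
// needs. Assumed response shape (verify against the registry you query):
// an unpublished package still answers 200, with an "unpublished" entry in
// its "time" map and no "versions". Hypothetical helper, not confused's code.
type packument struct {
	Name     string                     `json:"name"`
	Versions map[string]json.RawMessage `json:"versions"`
	Time     map[string]json.RawMessage `json:"time"`
}

// Availability is the verdict a defender needs: does the public name
// currently resolve to installable versions, or is it vacant?
type Availability int

const (
	Published   Availability = iota // live versions exist
	Unpublished                     // 200 response, but no installable versions
	Missing                         // not in the public registry (e.g. 404) or undecodable body
)

// ClassifyRegistryResponse replaces a bare "status == 200" test with one
// that also inspects the document body.
func ClassifyRegistryResponse(status int, body []byte) Availability {
	if status != 200 {
		return Missing
	}
	var p packument
	if err := json.Unmarshal(body, &p); err != nil {
		return Missing
	}
	if _, gone := p.Time["unpublished"]; gone || len(p.Versions) == 0 {
		return Unpublished
	}
	return Published
}

func main() {
	// Constructed body modelled on the assumed unpublished-package document.
	body := []byte(`{"name":"example-pkg","time":{"created":"2019-01-01T00:00:00.000Z",
		"unpublished":{"time":"2020-06-01T00:00:00.000Z","versions":["1.0.0"]}}}`)
	fmt.Println(ClassifyRegistryResponse(200, body)) // 1 (Unpublished)
}
```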
