visma-prodsec / confused
Tool to check for dependency confusion vulnerabilities in multiple package management systems
License: MIT License
Hello Team,
I tried to install this tool and it looks like it's not working. Please check this out!
Hi again!
AFAIK dependencies specified as a URL are not takeoverable, as it'll override the normal lookup mechanism and instruct NPM to download the dependency from a specific location:
https://docs.npmjs.com/cli/v7/configuring-npm/package-json#dependencies
Some examples
"dep_name": "github_org_name/repo_name#2.2.0"
"dep_name": "https://github.com/github_org_name/repo_name#2.2.0"
"dep_name": "file:/test/path"
confused still flags these as vulnerable.
Maybe the best way to fix this is by checking if the version part is valid semver, but there might be some edge cases ("tag"?).
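Added example, not code from the confused project: a Go classifier for package.json dependency values that separates registry lookups from git, URL, file and workspace specifiers, so only the names npm would actually resolve against a registry get checked. It classifies by the shape of the specifier rather than by validating semver, which also covers the owner/repo#2.2.0 shorthand mentioned above, where the part after # is a git ref that merely looks like a version. The dependency map in main is constructed; internal-utils, old-lodash and shared-ui are placeholder names.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// SpecKind is how npm resolves the value of a "dependencies" entry.
type SpecKind int

const (
	KindRegistry SpecKind = iota // version range or dist-tag: resolved by a registry lookup
	KindAlias                    // "npm:<name>@<range>": registry lookup, but for <name>, not the key
	KindGit                      // git URL or git host shorthand ("github:...", "owner/repo#ref")
	KindURL                      // plain http(s) tarball URL
	KindLocal                    // "file:", "link:" or "workspace:" paths
)

func (k SpecKind) String() string {
	return [...]string{"registry", "alias", "git", "url", "local"}[k]
}

// owner/repo or owner/repo#ref: the GitHub shorthand npm accepts without a scheme.
var githubShorthand = regexp.MustCompile(`^[\w.-]+/[\w.-]+(#.*)?$`)

// ClassifySpec returns the resolution kind of one dependency value and, for
// aliases, the registry name that is actually fetched.
func ClassifySpec(spec string) (SpecKind, string) {
	s := strings.TrimSpace(spec)
	switch {
	case strings.HasPrefix(s, "npm:"):
		body := strings.TrimPrefix(s, "npm:")
		// the alias target may be scoped (@scope/name@range): cut at the last '@' past position 0
		if i := strings.LastIndex(body, "@"); i > 0 {
			body = body[:i]
		}
		return KindAlias, body
	case strings.HasPrefix(s, "file:"), strings.HasPrefix(s, "link:"), strings.HasPrefix(s, "workspace:"):
		return KindLocal, ""
	case strings.HasPrefix(s, "http://"), strings.HasPrefix(s, "https://"):
		// npm clones github.com and *.git URLs with git and downloads any other URL
		// as a tarball; neither path consults the registry
		if strings.Contains(s, "github.com/") || strings.HasSuffix(strings.SplitN(s, "#", 2)[0], ".git") {
			return KindGit, ""
		}
		return KindURL, ""
	case strings.Contains(s, ":"):
		// git:, git+ssh:, git+https:, github:, gitlab:, bitbucket:, gist: and scp-style git@host:path
		return KindGit, ""
	case githubShorthand.MatchString(s):
		return KindGit, ""
	}
	return KindRegistry, ""
}

// RegistryLookups returns the sorted set of names npm would look up on a registry
// for the given dependencies map; only these can be confused.
func RegistryLookups(deps map[string]string) []string {
	seen := map[string]bool{}
	for name, spec := range deps {
		switch kind, target := ClassifySpec(spec); kind {
		case KindRegistry:
			seen[name] = true
		case KindAlias:
			seen[target] = true
		}
	}
	out := make([]string, 0, len(seen))
	for n := range seen {
		out = append(out, n)
	}
	sort.Strings(out)
	return out
}

func main() {
	// constructed sample; the names are placeholders, not real packages
	deps := map[string]string{
		"internal-utils": "^1.4.0",
		"dep_name":       "github_org_name/repo_name#2.2.0",
		"dep_url":        "https://github.com/github_org_name/repo_name#2.2.0",
		"dep_file":       "file:/test/path",
		"old-lodash":     "npm:lodash@^3.0.0",
		"shared-ui":      "workspace:*",
	}
	for name, spec := range deps {
		kind, _ := ClassifySpec(spec)
		fmt.Printf("%-16s %-52s %s\n", name, spec, kind)
	}
	fmt.Println("registry lookups:", RegistryLookups(deps))
}
```

The npm: alias protocol is the one form that does not look like a registry range yet still hits the registry, under the aliased name, so the alias target is what gets checked rather than the key.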
Hi there
Thanks for a great tool!
We have checked a large number of package.json files. Sometimes the tool fails with this message:
Encountered an error while trying to read packages from file: json: cannot unmarshal bool into Go struct field PackageJSON.bundleDependencies of type []string
For instance when running against this file npm\node_modules\decamelize\package.json
I don't know if it's a general bug or something at our end.
Thanks!
In his paper, Alex Birsan talked about dependency confusion in Ruby (index: RubyGems, package manager: gem) with an example using the shopify-cloud gem.
Would it be possible to support gems too (Gemfile, Gemfile.lock, *.gemspec)?
Could you add an option to check all packages that are currently installed?
It is possible to do this with pip by running:
pip3 list
pip list
A requirements.txt entry with tilde-equals (~=) is not parsed correctly.
boto3~=2.3.4
It is parsed as the package name boto3~, but it should be boto3.
~= is valid syntax:
https://www.python.org/dev/peps/pep-0440/#compatible-release
Now there is a package.json file with the following content:
Let's go search:
https://www.npmjs.com/search?q=prepack-fuzzer
Now we run the tool to test: confused -l npm package.json
It said that there is no testcheck, so let's search again.
Hey bro, please tell me, is this normal or a bug?
I tried all ways of installation. I installed and reinstalled Go, etc. Please, help :( :(
pip requirements files can look like this:
appdirs==1.4.4 \
--hash=sha256:7d5d0167b2b1ba821647616af46a749d1c653740dd0d2415100fe26e27afdf41 \
--hash=sha256:a841dacd6b99318a741b166adb07e19ee71a274450e68237b4650ca1055ab128 \
# via black
That has the package pinned to a specific version plus hashes of the package download files. When pip is used to install packages specified like this, it downloads the file and verifies it against the hash in the requirements file. The continuations (\) are used to keep the file readable.
Given a requirements file like that, confused produces output like this:
Issues found, the following packages are not available in public package repositories:
[!] --hash
[!] --hash
Seems like confused doesn't support continuations (the \):
Lines 24 to 35 in d0cafe9
[W] Non-fatal issue encountered while reading package-lock.json : json: cannot unmarshal object into Go struct field PackageJSON.dependencies of type string
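Added example, not code from the confused repository, covering both this package-lock.json report and the earlier bundleDependencies one: a tolerant Go decoder in which bundleDependencies accepts either a boolean or a list (npm lets true mean "bundle every dependency"), and dependencies accepts either the package.json shape (name to range string) or the lockfile v1 shape (name to object, with non-hoisted dependencies nested inside), while lockfile v2/v3 names are read from the packages keys. The two JSON documents are constructed samples with placeholder package names.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// StringsOrBool decodes bundleDependencies, which npm allows as a list or as a boolean
// ("true" means: bundle every dependency).
type StringsOrBool struct {
	All   bool
	Names []string
}

func (s *StringsOrBool) UnmarshalJSON(b []byte) error {
	if json.Unmarshal(b, &s.All) == nil || json.Unmarshal(b, &s.Names) == nil {
		return nil
	}
	return fmt.Errorf("bundleDependencies: want bool or []string, got %s", strings.TrimSpace(string(b)))
}

// DepMap collects names from either shape of "dependencies": package.json maps name -> range
// string, a lockfile v1 maps name -> object with non-hoisted dependencies nested inside.
type DepMap map[string]bool

func (d *DepMap) UnmarshalJSON(b []byte) error {
	out := DepMap{}
	var ranges map[string]string
	if json.Unmarshal(b, &ranges) == nil {
		for name := range ranges {
			out[name] = true
		}
	} else {
		var nested map[string]struct {
			Dependencies DepMap `json:"dependencies"` // DepMap again, so deeper nesting recurses
		}
		if err := json.Unmarshal(b, &nested); err != nil {
			return err
		}
		for name, dep := range nested {
			out[name] = true
			for sub := range dep.Dependencies {
				out[sub] = true
			}
		}
	}
	*d = out
	return nil
}

// Manifest decodes a package.json or a package-lock.json; devDependencies would be a second DepMap.
type Manifest struct {
	Dependencies       DepMap                     `json:"dependencies"`
	BundleDependencies StringsOrBool              `json:"bundleDependencies"`
	Packages           map[string]json.RawMessage `json:"packages"` // lockfile v2/v3: "node_modules/<name>" -> entry
}

func ParseManifest(data []byte) (Manifest, error) {
	var m Manifest
	err := json.Unmarshal(data, &m)
	return m, err
}

// DependencyNames returns the sorted set of names from whichever sections the file has.
func (m Manifest) DependencyNames() []string {
	set := map[string]bool{}
	for name := range m.Dependencies {
		set[name] = true
	}
	for path := range m.Packages {
		i := strings.LastIndex(path, "node_modules/")
		if i < 0 { // "" is the root project; workspace paths have no node_modules/ either
			continue
		}
		set[path[i+len("node_modules/"):]] = true // keeps "@scope/name" intact
	}
	names := make([]string, 0, len(set))
	for n := range set {
		names = append(names, n)
	}
	sort.Strings(names)
	return names
}

// constructed samples with placeholder package names
const samplePackageJSON = `{"name": "sample-app", "bundleDependencies": true,
  "dependencies": {"internal-utils": "^1.0.0", "left-pad": "1.3.0"}}`

const sampleLock = `{"name": "sample-app", "lockfileVersion": 2,
  "packages": {"": {"name": "sample-app"}, "node_modules/internal-utils": {"version": "1.2.0"},
    "node_modules/@scope/thing": {"version": "0.1.0"},
    "node_modules/@scope/thing/node_modules/minimist": {"version": "1.2.8"}, "packages/ws-lib": {"link": true}},
  "dependencies": {"internal-utils": {"version": "1.2.0", "dependencies": {"minimist": {"version": "1.2.8"}}}}}`

func main() {
	for _, doc := range []string{samplePackageJSON, sampleLock} {
		m, err := ParseManifest([]byte(doc))
		fmt.Println(m.DependencyNames(), err)
	}
}
```

A lockfile v2 carries both sections, so the same name can arrive twice; the set takes care of that, and the older bundledDependencies spelling can be mapped to the same StringsOrBool type if a repository still uses it.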
Hi! Currently confused outputs "ext-*" as unsafe packages. You probably want to filter them out. You may want to check the "lib-*" prefix or "hhvm" as well: https://getcomposer.org/doc/01-basic-usage.md#platform-packages
Example output:
Issues found, the following packages are not available in public package repositories:
[!] ext-readline
[!] ext-zip
[!] ext-redis
[!] ext-mongodb
[!] ext-zlib
[!] ext-mysqli
[!] ext-json
[!] ext-curl
[!] ext-libxml
[!] ext-zend-opcache
[!] ext-amqp
[!] ext-iconv
[!] ext-simplexml
[!] ext-ast
[!] ext-openssl
[!] ext-apcu
[!] ext-pdo
[!] ext-calendar
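Added example (not part of confused): a Go filter that drops Composer platform packages before any Packagist lookup. The platform list follows the Composer documentation linked above (php and its php-* variants, hhvm, ext-*, lib-*, composer-plugin-api, composer-runtime-api); as a second rule, any require key without a vendor/ part is skipped, because Packagist only hosts vendor/package names. The composer.json is a constructed sample with placeholder vendors.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// IsPlatformPackage reports whether a composer.json "require" key names a platform
// package (PHP itself, an extension, a system library or the Composer APIs), which
// Composer satisfies from the local environment rather than from Packagist.
func IsPlatformPackage(name string) bool {
	n := strings.ToLower(name)
	switch n {
	case "php", "php-64bit", "php-ipv6", "php-zts", "php-debug", "hhvm",
		"composer-plugin-api", "composer-runtime-api":
		return true
	}
	return strings.HasPrefix(n, "ext-") || strings.HasPrefix(n, "lib-")
}

type composerJSON struct {
	Require    map[string]string `json:"require"`
	RequireDev map[string]string `json:"require-dev"`
}

// SplitRequires separates the names Composer would resolve through Packagist from
// platform packages. Any key without a "vendor/" part is treated as platform too:
// Packagist only hosts vendor/package names, so such a key can never be registered there.
func SplitRequires(data []byte) (lookups, platform []string, err error) {
	var c composerJSON
	if err = json.Unmarshal(data, &c); err != nil {
		return nil, nil, err
	}
	for _, m := range []map[string]string{c.Require, c.RequireDev} {
		for name := range m {
			if IsPlatformPackage(name) || !strings.Contains(name, "/") {
				platform = append(platform, name)
			} else {
				lookups = append(lookups, strings.ToLower(name)) // Composer normalises names to lower case
			}
		}
	}
	sort.Strings(lookups)
	sort.Strings(platform)
	return lookups, platform, nil
}

// constructed sample; the vendor names are placeholders
const sampleComposerJSON = `{
  "require": {
    "php": ">=8.1",
    "ext-json": "*",
    "ext-redis": "*",
    "lib-openssl": "*",
    "composer-plugin-api": "^2.0",
    "acme/internal-billing": "^3.2",
    "Monolog/Monolog": "^3.0"
  },
  "require-dev": {"phpunit/phpunit": "^10", "ext-xdebug": "*"}
}`

func main() {
	lookups, platform, err := SplitRequires([]byte(sampleComposerJSON))
	if err != nil {
		panic(err)
	}
	fmt.Println("check on Packagist:", lookups)
	fmt.Println("platform, skipped: ", platform)
}
```

composer.json repositories entries of type path or vcs also bypass Packagist for the packages they serve; this example does not model them, so a name served from such a repository would still be reported as a Packagist lookup.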
Type II error: false negative.
Let's say my company has a private package, iconic-spoon-collection. This package is not supposed to be public.
This tool would say everything is probably fine if iconic-spoon-collection existed in the public repository.
If the tool knew that iconic-spoon-collection was a private-only package, it would know it should not be public, and the fact that this package is public is a sign that you have been breached.
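Added example, not code from the confused project, of the check this report asks for: a Go classifier that takes a manifest's dependency names, the organisation's own inventory of private-only names, and a "does this name exist on the public registry" oracle, and flags a private name that is found publicly as a hijack suspect instead of reporting it as fine. The dependency list, private inventory and registry snapshot in SampleVerdicts are all constructed; the oracle is an injected function so the example runs offline, where the real tool would issue a registry request.

```go
package main

import (
	"fmt"
	"sort"
)

// Verdict is the outcome of checking one dependency name against the public registry.
type Verdict string

const (
	Claimable Verdict = "claimable"      // absent from the public registry: anyone can register it
	Hijacked  Verdict = "hijack-suspect" // declared private, yet present on the public registry
	Public    Verdict = "public"         // expected to be public and present: fine
)

// ClassifyDeps checks each dependency name. private is the set of names that must
// never exist publicly; existsPublicly answers whether the registry knows the name.
func ClassifyDeps(deps []string, private map[string]bool, existsPublicly func(string) bool) map[string]Verdict {
	out := make(map[string]Verdict, len(deps))
	for _, name := range deps {
		public := existsPublicly(name)
		switch {
		case private[name] && public:
			out[name] = Hijacked // the name was private, somebody else now owns it publicly
		case !public:
			out[name] = Claimable // classic dependency confusion window: register or reserve it
		default:
			out[name] = Public
		}
	}
	return out
}

// Names returns the sorted names that received the given verdict.
func Names(verdicts map[string]Verdict, v Verdict) []string {
	var out []string
	for name, got := range verdicts {
		if got == v {
			out = append(out, name)
		}
	}
	sort.Strings(out)
	return out
}

// SampleVerdicts runs the check over constructed data: a manifest's dependencies,
// the private-name inventory and a fake snapshot of the public registry.
func SampleVerdicts() map[string]Verdict {
	deps := []string{"lodash", "iconic-spoon-collection", "acme-build-helpers", "acme-auth-client"}
	private := map[string]bool{"iconic-spoon-collection": true, "acme-build-helpers": true, "acme-auth-client": true}
	registry := map[string]bool{"lodash": true, "iconic-spoon-collection": true} // constructed, not a live lookup
	return ClassifyDeps(deps, private, func(n string) bool { return registry[n] })
}

func main() {
	verdicts := SampleVerdicts()
	for _, v := range []Verdict{Hijacked, Claimable, Public} {
		fmt.Printf("%-15s %v\n", v, Names(verdicts, v))
	}
}
```

The private inventory is the extra input the tool does not have today; without it, a public iconic-spoon-collection and a public lodash are indistinguishable.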
Hello and thank you for a great research project. I have found that if a requirements.txt includes a package followed by a ;, it will alert on said package even if said package does exist.
Example:
affine~=2.3.0
attrs>=19.2.0
boto3>=1.2.4
click~=7.1.0
click-plugins
cligj>=0.5
enum34; python_version < "3.4"
matplotlib
numpy>=1.10
snuggs~=1.4.0
setuptools>=20.0
Result:
confused -l pip requirements.txt
Issues found, the following packages are not available in public package repositories:
[!] enum34;
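Added example, not the project's own parser, serving the three requirements.txt reports on this page (the ~= entry, backslash continuations with --hash options, and the ; environment marker): a small Go requirements.txt reader that joins continuations, strips comments, drops option lines and per-requirement options, splits off markers, and extracts the PEP 508 project name before normalising it per PEP 503. The sample file is constructed; the two hashes are copied from the report above, and the remaining package names and hosts are placeholders.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

var (
	commentRe = regexp.MustCompile(`(^|\s)#.*$`) // '#' at line start or after whitespace opens a comment
	nameRe    = regexp.MustCompile(`^[A-Za-z0-9](?:[A-Za-z0-9._-]*[A-Za-z0-9])?`)
	normRe    = regexp.MustCompile(`[-_.]+`)
)

// Requirement is one logical requirements.txt line with options, markers and comments removed.
type Requirement struct {
	Name   string // normalised per PEP 503: lower-case, runs of "-_." collapsed to "-"
	Marker string // environment marker after ';', if any
}

// logicalLines joins backslash continuations, then strips comments and blank lines.
func logicalLines(content string) []string {
	var out []string
	joined := ""
	for _, raw := range strings.Split(content+"\n", "\n") { // the extra "\n" flushes a trailing continuation
		line := strings.TrimRight(raw, " \t\r")
		if strings.HasSuffix(line, `\`) {
			joined += strings.TrimSuffix(line, `\`)
			continue
		}
		if joined = strings.TrimSpace(commentRe.ReplaceAllString(joined+line, "")); joined != "" {
			out = append(out, joined)
		}
		joined = ""
	}
	return out
}

// ParseRequirements returns the named requirements in file order. Option lines
// (-r, -c, -e, --index-url, --find-links, ...) and URL or path requirements are
// skipped: none of them is resolved by name against an index.
func ParseRequirements(content string) []Requirement {
	var reqs []Requirement
	for _, line := range logicalLines(content) {
		if strings.HasPrefix(line, "-") {
			continue
		}
		if i := strings.Index(line, " --"); i >= 0 { // per-requirement options such as --hash=sha256:...
			line = strings.TrimSpace(line[:i])
		}
		r := Requirement{}
		if i := strings.Index(line, ";"); i >= 0 {
			r.Marker = strings.TrimSpace(line[i+1:])
			line = strings.TrimSpace(line[:i])
		}
		if strings.Contains(line, "://") || strings.HasPrefix(line, ".") || strings.HasPrefix(line, "/") {
			continue // "name @ url" direct references, bare URLs and local paths bypass the index
		}
		m := nameRe.FindString(line) // stops at '[', '~', '=', '<', '>', '!', '(' or whitespace
		if m == "" {
			continue
		}
		r.Name = strings.ToLower(normRe.ReplaceAllString(m, "-"))
		reqs = append(reqs, r)
	}
	return reqs
}

// IndexNames returns the sorted, de-duplicated names pip would ask an index for.
func IndexNames(reqs []Requirement) []string {
	seen := map[string]bool{}
	var out []string
	for _, r := range reqs {
		if !seen[r.Name] {
			seen[r.Name] = true
			out = append(out, r.Name)
		}
	}
	sort.Strings(out)
	return out
}

const sampleRequirements = `# constructed sample, not a real project file
appdirs==1.4.4 \
    --hash=sha256:7d5d0167b2b1ba821647616af46a749d1c653740dd0d2415100fe26e27afdf41 \
    --hash=sha256:a841dacd6b99318a741b166adb07e19ee71a274450e68237b4650ca1055ab128 \
    # via black
boto3~=2.3.4
enum34; python_version < "3.4"
Internal_Utils[s3,crypto] (>= 1.2)  # trailing comment
--index-url https://pypi.example.internal/simple
-e git+https://github.com/example-org/tool.git#egg=tool
direct-ref @ https://files.example.internal/direct_ref-1.0-py3-none-any.whl
`

func main() {
	reqs := ParseRequirements(sampleRequirements)
	fmt.Printf("%+v\nindex lookups: %v\n", reqs, IndexNames(reqs))
}
```

The name regex is what fixes all three reports at once: it ends the name at the first character that cannot be part of a PEP 508 project name, so boto3~=2.3.4 yields boto3, enum34; yields enum34, and a continuation-joined line keeps its --hash options out of the name entirely.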
Hello Team
Thank you for this awesome tool. I wanted to point out that while I was automating my process I came across a certain package.json that gave me all false positive results, and I can't figure out why this particular one is giving such results.
Located here
https://assets.vimeo.com/package.json
I tested all of these and all of them are already registered.
Best regards