acsone / odoo-autodiscover

GNU Lesser General Public License v3.0

Name squatting #4

Open hparfr opened 6 years ago

hparfr commented 6 years ago

Hi,

Let's say odoo11-addon_mis_builder is not currently in OCA/account-financial-reporting. So it's not on PyPI. An attacker registers odoo11-addon_mis_builder on PyPI (the name is free, she can do it) and uploads a working but compromised version of the module.

A random developer starts a project on v11. He tries to install the odoo11-addon_mis_builder module from pip. The module is found on PyPI, so he gets the attacker's payload. He may not even notice and upload it to his server.

What can we do in order to protect ourselves from this kind of attack?

sbidoul commented 6 years ago

Thanks for opening this topic.

Well, this is a general issue with pypi: users must manually verify they trust the "package index owner" for each package they install. It is true that the problem is made slightly worse by the naming structure we are obliged to use for odoo addons, in the scenario you describe.

Unless pip grows some features to whitelist package index owners or something similar, the only approach I could imagine is to pre-register names for different Odoo series. This sounds cumbersome.

I think for now we'll put in place monitoring of distributions named odoo*-addon* on PyPI and warn the community if anything suspicious happens.
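As an added illustration of the monitoring approach described in the comment above (example code, not part of this issue or of odoo-autodiscover): it normalizes distribution names the way pip does, picks out those following the odoo&lt;series&gt;-addon-&lt;name&gt; scheme, and reports any not published by an allow-listed maintainer account. The index records, the "oca" account name and the addon list are constructed placeholders, not PyPI's API shape or real account names.

```python
import re

# Naming scheme the thread discusses: odoo<series>-addon-<name>. Names are
# normalized as pip/PyPI do (PEP 503), so "odoo11-addon_mis_builder" and
# "odoo11-addon-mis-builder" are the same project.
ADDON_RE = re.compile(r"^odoo(\d+)-addon-(.+)$")

def normalize(name: str) -> str:
    return re.sub(r"[-_.]+", "-", name).lower()

def parse_addon_name(name: str):
    """Return (series, addon) for an odoo*-addon* name, else None."""
    match = ADDON_RE.match(normalize(name))
    return (int(match.group(1)), match.group(2)) if match else None

def find_suspicious(index_records, trusted_maintainers, known_addons):
    """Flag odoo*-addon* distributions not uploaded by a trusted account.

    index_records: iterable of {"name": str, "maintainers": [str, ...]};
    this record shape is constructed for the example, not PyPI's JSON API.
    A name nobody has published before is reported as well, because the
    squatting scenario is exactly a not-yet-existing name being taken first.
    """
    findings = []
    for rec in index_records:
        parsed = parse_addon_name(rec["name"])
        if parsed is None:
            continue  # not an Odoo addon distribution, out of scope
        series, addon = parsed
        if set(rec.get("maintainers", [])) & set(trusted_maintainers):
            continue  # published by an account on the allow-list
        reason = ("known addon name, untrusted uploader" if addon in known_addons
                  else "new addon name, untrusted uploader")
        findings.append({"name": normalize(rec["name"]), "series": series,
                         "addon": addon, "reason": reason})
    return findings

# Constructed sample index; "oca" and the other account names are placeholders.
SAMPLE_INDEX = [
    {"name": "odoo11-addon-account-financial-report", "maintainers": ["oca"]},
    {"name": "odoo11-addon_mis_builder", "maintainers": ["unknown-user"]},
    {"name": "odoo11-addon-brand-new-module", "maintainers": ["other-user"]},
    {"name": "requests", "maintainers": ["psf"]},
]
TRUSTED = {"oca"}
KNOWN_ADDONS = {"mis-builder", "account-financial-report"}

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_INDEX, TRUSTED, KNOWN_ADDONS):
        print(f"{hit['name']} (series {hit['series']}): {hit['reason']}")
```

In practice the records would be fed from a periodic listing of the index, and a hit on a known addon name is the case worth raising with the community first.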