josubg / django_navbar_client

Django app to manage user using navbar and oauth

code execution backdoor #1

Open di1l0o opened 2 years ago

di1l0o commented 2 years ago

We found a malicious backdoor in versions 0.9.50~1.0.1 of this project; the backdoor is the request package. Even though the request package was removed from PyPI, many mirror sites did not completely delete it, so it can still be installed. When running pip install django-navbar-client==1.0.1 -i http://pypi.doubanio.com/simple --trusted-host pypi.doubanio.com, the malicious request package is installed successfully.


Repair suggestion: delete versions 0.9.50~1.0.1 from PyPI
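The comment above describes a typosquatted dependency (request instead of requests) surviving in a released version. As an added example, not code from this issue or from the django_navbar_client project, the script below audits a requirements-style dependency list for names that are within one edit of a well-known package name. The list of well-known names and the sample requirements text are constructed for the illustration; a real audit would compare against a much larger list of top-downloaded PyPI projects.

```python
"""Typosquat audit for a Python dependency list.

Added example, not part of the django_navbar_client project. POPULAR and
SAMPLE_REQUIREMENTS are constructed samples for the illustration.
"""
import re

# Constructed sample of well-known package names to compare against.
POPULAR = {"requests", "urllib3", "django", "numpy", "flask", "pyyaml"}

# Constructed sample dependency list in requirements.txt / install_requires style.
# It contains the typosquat "request" next to the real "requests".
SAMPLE_REQUIREMENTS = """
Django>=2.2
request
requests>=2.20
urllib3
# comment line
numpy==1.21.0 ; python_version < "3.10"
"""

_NAME_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)")


def normalize(name):
    """PEP 503 name normalization: lower-case, collapse runs of -, _, . to one '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_requirements(text):
    """Return normalized project names from a requirements-style text.

    Comments, blank lines and option lines (-r, --index-url, ...) are skipped;
    version specifiers and environment markers are stripped.
    """
    names = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue
        m = _NAME_RE.match(line)
        if m:
            names.append(normalize(m.group(1)))
    return names


def edit_distance(a, b):
    """Levenshtein distance via the standard two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def find_typosquat_candidates(names, popular=POPULAR, max_distance=1):
    """Flag names that are not in `popular` but within `max_distance` edits of one.

    Returns a list of (suspicious_name, closest_popular_name, distance).
    An exact match with a popular name is never flagged.
    """
    popular_norm = {normalize(p) for p in popular}
    findings = []
    for name in names:
        if name in popular_norm:
            continue
        for p in sorted(popular_norm):
            d = edit_distance(name, p)
            if d <= max_distance:
                findings.append((name, p, d))
    return findings


def audit(text):
    """Parse a requirements text and return typosquat findings."""
    return find_typosquat_candidates(parse_requirements(text))


if __name__ == "__main__":
    for name, near, d in audit(SAMPLE_REQUIREMENTS):
        print(f"suspicious dependency {name!r}: {d} edit(s) from {near!r}")
```

Run against a project's requirements.txt or the install_requires list from setup.py before publishing; a hit such as request next to requests is exactly the pattern this issue reports, and the check is cheap enough to put in CI.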

okuuva commented 2 years ago

Looking at the commit that added the request package, it really seems like it has always been the goal to distribute the backdoor. Not saying it was, just saying it really looks like it.

josubg commented 2 years ago

Thanks @duxinglin1 for the advice. As it is an abandoned project and I doubt anybody ever used it, I will delete the PyPI packages and push a blank state to the repo to avoid any unintentional install. I will keep it, not fully erase it, for sentimental reasons. Feel free to grab any code if it is of interest to you.

Dear @okuuva, I do not understand how you came to the conclusion that this project is some kind of trojan only from the fact that I added a 50k-star PyPI package, namely request. I don't even fix the package versions in the dependencies. Your assumption has left me, for lack of a better term, speechless.

okuuva commented 2 years ago

> Dear @okuuva, I do not understand how you came to the conclusion that this project is some kind of trojan only from the fact that I added a 50k-star PyPI package, namely request. I don't even fix the package versions in the dependencies. Your assumption has left me, for lack of a better term, speechless.

I didn't come to any conclusions or make any assumptions, I just said that the activity seems odd. Yes, requests is a package with 50k stars. request, without the trailing "s", is/was a malicious package with a name similar to the popular requests package, to trick people into installing it instead. The fact that the request package was added to the requirements without ever being used (requests was added later and is used) seems odd. It's also odd that this repo still hosts a version with that malicious package in install_requires even though there are newer versions on PyPI that do not include it, and the older versions with the malicious package have been removed from PyPI (thank you very much for that).

Again, I'm not accusing you of anything. I'm just saying there's a lot of odd activity around this package both in PyPI and this repo.

okuuva commented 2 years ago

@josubg I took a closer look at the commit history and it seems that it could've been an honest mistake. You had a typo in a few requests calls when you migrated from urllib3 to requests. You then added request to the dependencies in a separate commit, fixed the typos and added the right package to the dependencies after that, and probably forgot to remove the wrong package from the dependencies. I'm sorry, but the odd commit history and the version mismatch between the repo and PyPI made it seem really fishy. Thank you again for removing the infected packages from PyPI!