Closed tian000 closed 1 year ago
Base: 97.74% // Head: 97.75% // Increases project coverage by +0.01%
Coverage data is based on head (5a54fa6) compared to base (579bef2). Patch coverage: 100.00% of modified lines in pull request are covered.
Thanks for bringing this up @tian000
A concern I have is that if we merge this pull request then it essentially allows attackers to bypass it, because to satisfy the logic that matches https://github.com/Bundlr-Network/avsc#a730cc8018b79e114b6a3381bbb57760a24c6cef I can just create my own user/org name instead of Bundlr-Network and spoof the source. Correct?
Yes that is correct. However, if you are able to compromise the host you can spoof a package regardless. Do you recommend that I just disable the --validatePackageNames check?
Not exactly, though, because the package name is checked to match between the one actually used in the dependency and the one used in the sourced URL. The only occurrence of the --validPackageNames check not being helpful is if you also don't enforce a registry source.
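The two checks the maintainer describes above (the dependency's package name must match the name in its resolved URL, and the URL's host must be an allow-listed registry) sketched as an added example; this is not the project's own code and does not reproduce its flags or internals. The allowed-host set, the tuple entry format, the `other-org` URL and the `left-pad` entry are constructed for illustration; `Bundlr-Network/avsc` and its commit hash come from the thread. Running it shows the point made in the thread: once `github.com` is allow-listed, the name match alone does not bind which organisation the repository lives under.

```python
"""Two lockfile checks: package-name match and registry-host allow-list.

Added example for the discussion above, not the project's own implementation.
Sample entries and the allowed host set are constructed for illustration.
"""
from typing import List, Optional, Set, Tuple
from urllib.parse import urlparse

# Assumption for this example: the only registry host that is trusted by default.
ALLOWED_HOSTS: Set[str] = {"registry.npmjs.org"}

# Constructed sample lockfile entries as (dependency name, resolved URL) pairs.
# The GitHub URL and commit hash are the ones quoted in the thread.
SAMPLE_ENTRIES: List[Tuple[str, str]] = [
    ("avsc", "https://registry.npmjs.org/avsc/-/avsc-5.7.4.tgz"),
    ("avsc", "https://github.com/Bundlr-Network/avsc#a730cc8018b79e114b6a3381bbb57760a24c6cef"),
    ("left-pad", "https://registry.npmjs.org/avsc/-/avsc-5.7.4.tgz"),
]


def package_name_from_url(resolved: str) -> Optional[str]:
    """Return the package name a resolved URL claims to deliver, or None.

    Registry tarballs look like https://host/<name>/-/<name>-<ver>.tgz or
    https://host/@scope/<name>/-/<name>-<ver>.tgz; the name is everything
    before '/-/'. GitHub sources look like https://github.com/<org>/<repo>#<ref>;
    only the repository name is comparable to a package name, so the
    organisation is deliberately NOT part of what this function returns.
    """
    parts = urlparse(resolved)
    path = parts.path.strip("/")
    if parts.hostname == "github.com":
        segments = path.split("/")
        if len(segments) < 2:
            return None
        repo = segments[1]
        return repo[:-4] if repo.endswith(".git") else repo
    if "/-/" in path:
        return path.split("/-/", 1)[0]
    return None


def validate_entry(name: str, resolved: str,
                   allowed_hosts: Set[str] = ALLOWED_HOSTS) -> List[str]:
    """Return the findings for one entry; an empty list means it passed both checks."""
    findings: List[str] = []
    host = urlparse(resolved).hostname
    if host not in allowed_hosts:
        findings.append(f"host {host!r} is not an allowed registry")
    claimed = package_name_from_url(resolved)
    if claimed != name:
        findings.append(f"package name {name!r} does not match URL name {claimed!r}")
    return findings


def lint_lockfile(entries: List[Tuple[str, str]],
                  allowed_hosts: Set[str] = ALLOWED_HOSTS) -> List[Tuple[str, str, List[str]]]:
    """Run both checks over every entry and return only the ones with findings."""
    failures = []
    for name, resolved in entries:
        findings = validate_entry(name, resolved, allowed_hosts)
        if findings:
            failures.append((name, resolved, findings))
    return failures


if __name__ == "__main__":
    for name, resolved, findings in lint_lockfile(SAMPLE_ENTRIES):
        print(f"{name} <- {resolved}")
        for finding in findings:
            print(f"  - {finding}")
    # Allow-listing github.com makes the name check the only remaining control,
    # and it cannot tell Bundlr-Network/avsc from other-org/avsc.
    print(validate_entry("avsc", "https://github.com/other-org/avsc#deadbeef", {"github.com"}))
```

The GitHub entry fails only on the host check, which is the "enforce a registry source" half of the argument; drop that check by allow-listing `github.com` and an identically named repository under any organisation passes, which is the bypass the maintainer describes.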
I'm re-reading this and not confident there's a clear decision to make here. I'll close for now but if you still want to raise this as a significant requirement and can add more context and reference use-cases I'm happy to re-consider.
Description
Some packages come directly from GitHub; these packages fail the validate package name check.
How Has This Been Tested?
Unit tested