Open data-sync-user opened 11 months ago
Thank you for reporting this!
The repo you cite, autopush-loadtester, is a very old test script for the original autopush repo, which has been replaced by this repo. It was never meant to be installed by pip (and clearly so, because the setup.py would have created a differently named repo anyway. 🤦🏻♂️ )
I've corrected the README on the autopush-loadtester repo to remove references to ap-loadtester, as well as archived the repo.
Clearly, there are a lot of old bits and pieces lying around that have not yet been cleaned up properly. Thank you for helping us find one.
HackerOne Report: https://hackerone.com/reports/2097694
Report Date: 2023-08-05 17:06:15 UTC
Reporter: anupamas01
Weakness: Code Injection
Initial Report:
Summary:
Hello team, I found a pip package through which I can run malicious commands.
Steps To Reproduce:
$ pip install ap-loadtester
You can see I have taken it over at https://pypi.org/project/ap-loadtester/ (in Maintainers). When you install it, it will install my pip package.
(Right now I am not uploading any code; if the program allows, I will upload.)
POC
https://pypi.org/project/ap-loadtester/
Impact
Code injection through the pip package.
Thanks, AnupamAs01
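The class of problem in this report is a README that tells users to `pip install` a name the project never published, leaving that index name free for anyone to register. The check below is an added example written for this page; it is not code from the autopush or autopush-loadtester repositories, nor from the report. It extracts the package names a README instructs users to install, reads the `name=` the project's setup.py actually declares (without executing it), and flags any install name the project does not own. The sample README and setup.py text are constructed for the example, and the `owned_names` list is an assumption supplied by the caller (the index names the organisation really controls).

```python
import ast
import re
from typing import List, Optional

# Constructed sample README, modelled on the situation in the report: the install
# instructions name "ap-loadtester" while setup.py declares a different name.
SAMPLE_README = """# autopush-loadtester

Install from PyPI:

    $ pip install ap-loadtester

Or from a checkout:

    $ pip install -e .
    $ pip install git+https://example.invalid/autopush-loadtester.git
"""

# Constructed setup.py text; the declared name is an assumption for this example.
SAMPLE_SETUP_PY = """
from setuptools import setup

setup(
    name="autopush-loadtester",
    version="0.0.1",
)
"""

# "pip install", optionally followed by flags, then the first non-flag argument.
PIP_INSTALL_RE = re.compile(r"\bpip3?\s+install\s+(?:-\S+\s+)*(\S+)")
# Leading part of a requirement specifier: the distribution name itself.
DIST_NAME_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9._-]*[A-Za-z0-9])?")


def normalize(name: str) -> str:
    """PEP 503 name normalization, so 'Ap_LoadTester' and 'ap-loadtester' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def install_targets(readme_text: str) -> List[str]:
    """Return the distribution names a README tells users to pip install.

    Local paths, editable installs, VCS URLs and archive files are skipped:
    they do not resolve through the package index, so a free index name
    cannot be substituted for them.
    """
    names: List[str] = []
    for match in PIP_INSTALL_RE.finditer(readme_text):
        token = match.group(1)
        if token.startswith(("-", ".", "/")) or "://" in token or "+" in token or "/" in token:
            continue
        if token.endswith((".whl", ".tar.gz", ".zip")):
            continue
        m = DIST_NAME_RE.match(token)  # strip "==1.0", "[extra]" and similar suffixes
        if m and m.group(0) not in names:
            names.append(m.group(0))
    return names


def declared_name(setup_text: str) -> Optional[str]:
    """Pull the name= argument out of a setup() call by parsing, not executing, the file."""
    for node in ast.walk(ast.parse(setup_text)):
        if isinstance(node, ast.Call) and getattr(node.func, "id", None) == "setup":
            for kw in node.keywords:
                if kw.arg == "name" and isinstance(kw.value, ast.Constant):
                    return str(kw.value.value)
    return None


def find_dangling_install_names(readme_text: str, setup_text: str, owned_names=()) -> List[str]:
    """Names the README tells users to install that the project does not own.

    owned_names: index names the organisation actually controls (caller-supplied
    assumption); the name declared in setup.py is always treated as owned.
    """
    owned = {normalize(n) for n in owned_names}
    declared = declared_name(setup_text)
    if declared:
        owned.add(normalize(declared))
    return [n for n in install_targets(readme_text) if normalize(n) not in owned]


if __name__ == "__main__":
    for name in find_dangling_install_names(SAMPLE_README, SAMPLE_SETUP_PY):
        print(f"README instructs 'pip install {name}', but the project does not publish that name")
```

Run against the constructed sample, the check reports `ap-loadtester` as dangling: the README instructs users to install it, yet setup.py declares `autopush-loadtester` and the caller has not listed `ap-loadtester` as an owned index name. Wiring this into CI for every repository with install instructions catches stale names before a README is archived with them still in place, as happened here.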