Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Prevent typo squatting #533

Open
danielcompton opened this issue Jun 9, 2016 · 1 comment
Open

Prevent typo squatting #533

danielcompton opened this issue Jun 9, 2016 · 1 comment
Labels
security

Comments

@danielcompton
Copy link
Member

danielcompton commented Jun 9, 2016
edited
Loading

http://incolumitas.com/2016/06/08/typosquatting-package-managers/
http://incolumitas.com/data/thesis.pdf

There is a thesis written about achieving RCE through typo squatting on popular package managers. The situation isn't quite so bad in Clojars as people can't copy someone else's group name, and Leiningen doesn't execute arbitrary code when JARs are downloaded (we do it at runtime 😄). Nonetheless, we should look at the paper, identify what our risks are, and mitigate them.

c.f. http://www.nbu.gov.sk/skcsirt-sa-20170909-pypi/, https://www.pytosquatting.org
@glts glts mentioned this issue May 25, 2019
Closed
@danielcompton
Copy link
Member Author

I haven't looked to see how they do it, but RubyGems has yanked gems where the names were invalid according to Levenshtein distance.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
security
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@danielcompton