mirror of
https://github.com/HackTricks-wiki/hacktricks.git
synced 2025-10-10 18:36:50 +00:00
Merge pull request #983 from ctflearner/dependency-CofusionMinorchange
Update dependency-confusion.md
This commit is contained in:
commit
c3c1f69519
@ -40,7 +40,7 @@ If your company is trying to **import a library that isn't internal**, highly pr
|
||||
|
||||
### Unspecified Version
|
||||
|
||||
It's very common for developers to **not specify any version** of the library used, or specify just a **mayor version**. Then, the interpreter will try to download the **latest version** fitting those requirements.\
|
||||
It's very common for developers to **not specify any version** of the library used, or specify just a **major version**. Then, the interpreter will try to download the **latest version** fitting those requirements.\
|
||||
If the library is a **known external library** (like python `requests`), an **attacker cannot do much**, as he won't be able to create a library called `requests` (unless he is the original author).\
|
||||
However, if the library is **internal**, like `requests-company` in this example, if the **library repo** allows to **check for new versions also externally**, it will search for a newer version publicly available.\
|
||||
So if an **attacker knows** that the company is using the `requests-company` library **version 1.0.1** (allow minor updates). He can **publish** the library `requests-company` **version 1.0.2** and the company will **use that library instead** of the internal one.
|
||||
|
Loading…
x
Reference in New Issue
Block a user