Merge pull request #983 from ctflearner/dependency-CofusionMinorchange

Update dependency-confusion.md
This commit is contained in:
SirBroccoli 2024-12-26 19:47:52 +01:00 committed by GitHub
commit c3c1f69519

View File

@ -40,7 +40,7 @@ If your company is trying to **import a library that isn't internal**, highly pr
### Unspecified Version
It's very common for developers to **not specify any version** of the library used, or specify just a **mayor version**. Then, the interpreter will try to download the **latest version** fitting those requirements.\
It's very common for developers to **not specify any version** of the library used, or specify just a **major version**. Then, the interpreter will try to download the **latest version** fitting those requirements.\
If the library is a **known external library** (like python `requests`), an **attacker cannot do much**, as he won't be able to create a library called `requests` (unless he is the original author).\
However, if the library is **internal**, like `requests-company` in this example, if the **library repo** allows to **check for new versions also externally**, it will search for a newer version publicly available.\
So if an **attacker knows** that the company is using the `requests-company` library **version 1.0.1** (allow minor updates). He can **publish** the library `requests-company` **version 1.0.2** and the company will **use that library instead** of the internal one.