kw-json 0.0.1__tar.gz
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- kw_json-0.0.1/PKG-INFO +28 -0
- kw_json-0.0.1/README.md +15 -0
- kw_json-0.0.1/pyproject.toml +25 -0
- kw_json-0.0.1/setup.cfg +4 -0
- kw_json-0.0.1/src/kw_json/__init__.py +22 -0
- kw_json-0.0.1/src/kw_json.egg-info/PKG-INFO +28 -0
- kw_json-0.0.1/src/kw_json.egg-info/SOURCES.txt +7 -0
- kw_json-0.0.1/src/kw_json.egg-info/dependency_links.txt +1 -0
- kw_json-0.0.1/src/kw_json.egg-info/top_level.txt +1 -0
kw_json-0.0.1/PKG-INFO
ADDED
|
@@ -0,0 +1,28 @@
|
|
|
1
|
+
Metadata-Version: 2.4
|
|
2
|
+
Name: kw-json
|
|
3
|
+
Version: 0.0.1
|
|
4
|
+
Summary: Security research PoC - dependency confusion demonstration for HackerOne bug bounty (ferox0101)
|
|
5
|
+
Author-email: ferox0101 <ferox0101@wearehackerone.com>
|
|
6
|
+
License: MIT
|
|
7
|
+
Project-URL: Homepage, https://hackerone.com/ferox0101
|
|
8
|
+
Classifier: Development Status :: 1 - Planning
|
|
9
|
+
Classifier: License :: OSI Approved :: MIT License
|
|
10
|
+
Classifier: Programming Language :: Python :: 3
|
|
11
|
+
Requires-Python: >=3.7
|
|
12
|
+
Description-Content-Type: text/markdown
|
|
13
|
+
|
|
14
|
+
# kw-json — Security Research PoC
|
|
15
|
+
|
|
16
|
+
**This package is a proof-of-concept for a HackerOne bug bounty report.**
|
|
17
|
+
|
|
18
|
+
**Researcher:** [ferox0101](https://hackerone.com/ferox0101)
|
|
19
|
+
|
|
20
|
+
This package demonstrates a dependency confusion / typosquatting vulnerability
|
|
21
|
+
affecting Kiwi.com's `kiwi-json` library (which imports as `kw.json`).
|
|
22
|
+
|
|
23
|
+
A developer typing `pip install kw-json` instead of `pip install kiwi-json`
|
|
24
|
+
would install this package instead of the intended Kiwi.com library.
|
|
25
|
+
|
|
26
|
+
**This package is intentionally empty and harmless.**
|
|
27
|
+
|
|
28
|
+
It will be transferred to Kiwi.com or removed upon resolution of the security report.
|
kw_json-0.0.1/README.md
ADDED
|
@@ -0,0 +1,15 @@
|
|
|
1
|
+
# kw-json — Security Research PoC
|
|
2
|
+
|
|
3
|
+
**This package is a proof-of-concept for a HackerOne bug bounty report.**
|
|
4
|
+
|
|
5
|
+
**Researcher:** [ferox0101](https://hackerone.com/ferox0101)
|
|
6
|
+
|
|
7
|
+
This package demonstrates a dependency confusion / typosquatting vulnerability
|
|
8
|
+
affecting Kiwi.com's `kiwi-json` library (which imports as `kw.json`).
|
|
9
|
+
|
|
10
|
+
A developer typing `pip install kw-json` instead of `pip install kiwi-json`
|
|
11
|
+
would install this package instead of the intended Kiwi.com library.
|
|
12
|
+
|
|
13
|
+
**This package is intentionally empty and harmless.**
|
|
14
|
+
|
|
15
|
+
It will be transferred to Kiwi.com or removed upon resolution of the security report.
|
|
@@ -0,0 +1,25 @@
|
|
|
1
|
+
[build-system]
|
|
2
|
+
requires = ["setuptools>=68.0", "wheel"]
|
|
3
|
+
build-backend = "setuptools.build_meta"
|
|
4
|
+
|
|
5
|
+
[project]
|
|
6
|
+
name = "kw-json"
|
|
7
|
+
version = "0.0.1"
|
|
8
|
+
description = "Security research PoC - dependency confusion demonstration for HackerOne bug bounty (ferox0101)"
|
|
9
|
+
readme = "README.md"
|
|
10
|
+
license = {text = "MIT"}
|
|
11
|
+
authors = [
|
|
12
|
+
{name = "ferox0101", email = "ferox0101@wearehackerone.com"}
|
|
13
|
+
]
|
|
14
|
+
requires-python = ">=3.7"
|
|
15
|
+
classifiers = [
|
|
16
|
+
"Development Status :: 1 - Planning",
|
|
17
|
+
"License :: OSI Approved :: MIT License",
|
|
18
|
+
"Programming Language :: Python :: 3",
|
|
19
|
+
]
|
|
20
|
+
|
|
21
|
+
[project.urls]
|
|
22
|
+
Homepage = "https://hackerone.com/ferox0101"
|
|
23
|
+
|
|
24
|
+
[tool.setuptools.packages.find]
|
|
25
|
+
where = ["src"]
|
kw_json-0.0.1/setup.cfg
ADDED
|
@@ -0,0 +1,22 @@
|
|
|
1
|
+
"""
|
|
2
|
+
kw-json — Security Research PoC (ferox0101)
|
|
3
|
+
|
|
4
|
+
This package is a proof-of-concept demonstrating a dependency confusion
|
|
5
|
+
vulnerability affecting Kiwi.com's kiwi-json library.
|
|
6
|
+
|
|
7
|
+
This is NOT the official Kiwi.com package. The real package is 'kiwi-json'.
|
|
8
|
+
Report: HackerOne bug bounty program 'kiwicom'
|
|
9
|
+
Researcher: ferox0101 (https://hackerone.com/ferox0101)
|
|
10
|
+
"""
|
|
11
|
+
|
|
12
|
+
__version__ = "0.0.1"
|
|
13
|
+
__author__ = "ferox0101"
|
|
14
|
+
__poc__ = "HackerOne dependency confusion PoC - kiwicom program"
|
|
15
|
+
|
|
16
|
+
|
|
17
|
+
def poc():
|
|
18
|
+
print("[SECURITY PoC] This package (kw-json) was registered by ferox0101")
|
|
19
|
+
print("[SECURITY PoC] as proof of a dependency confusion vulnerability.")
|
|
20
|
+
print("[SECURITY PoC] The real Kiwi.com package is 'kiwi-json'.")
|
|
21
|
+
print("[SECURITY PoC] Report: HackerOne kiwicom program")
|
|
22
|
+
return True
|
|
@@ -0,0 +1,28 @@
|
|
|
1
|
+
Metadata-Version: 2.4
|
|
2
|
+
Name: kw-json
|
|
3
|
+
Version: 0.0.1
|
|
4
|
+
Summary: Security research PoC - dependency confusion demonstration for HackerOne bug bounty (ferox0101)
|
|
5
|
+
Author-email: ferox0101 <ferox0101@wearehackerone.com>
|
|
6
|
+
License: MIT
|
|
7
|
+
Project-URL: Homepage, https://hackerone.com/ferox0101
|
|
8
|
+
Classifier: Development Status :: 1 - Planning
|
|
9
|
+
Classifier: License :: OSI Approved :: MIT License
|
|
10
|
+
Classifier: Programming Language :: Python :: 3
|
|
11
|
+
Requires-Python: >=3.7
|
|
12
|
+
Description-Content-Type: text/markdown
|
|
13
|
+
|
|
14
|
+
# kw-json — Security Research PoC
|
|
15
|
+
|
|
16
|
+
**This package is a proof-of-concept for a HackerOne bug bounty report.**
|
|
17
|
+
|
|
18
|
+
**Researcher:** [ferox0101](https://hackerone.com/ferox0101)
|
|
19
|
+
|
|
20
|
+
This package demonstrates a dependency confusion / typosquatting vulnerability
|
|
21
|
+
affecting Kiwi.com's `kiwi-json` library (which imports as `kw.json`).
|
|
22
|
+
|
|
23
|
+
A developer typing `pip install kw-json` instead of `pip install kiwi-json`
|
|
24
|
+
would install this package instead of the intended Kiwi.com library.
|
|
25
|
+
|
|
26
|
+
**This package is intentionally empty and harmless.**
|
|
27
|
+
|
|
28
|
+
It will be transferred to Kiwi.com or removed upon resolution of the security report.
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
kw_json
|