Hello Milan,

First of all, NEVER mix private and public mailing lists when you are reporting a potential security vulnerability - which you did by addressing dev@airflow.apache.org in this message. Luckily this is not a security vulnerability, so your mistake has no bad consequences, and I continue keeping dev@airflow.apache.org on the cc:.

This is just a proposed name that appeared in our docs in main that we have not released, and it's not a security issue - because we have not released it yet (and your reservation made it impossible for now to release it). There are two options now:

1) Can you please transfer it to me (potiuk is my id in PyPI) and we will continue developing the provider. That would be best.
2) We will change the name.

I think it's best if you do 1). And since it's not the first time you send (undoubtedly automated) similar email to secur...@apache.org, which is (undoubtedly) the result of automated scanning of GitHub repositories, I think it's a nice service for us - it's the second time a name was accidentally added to unreleased documentation in an Apache project, you took that over, and then you transferred it to the rightful owner. This is a really nice "service" you provide. Thanks for that.

But on a more serious note - as you know - we cannot follow your recommendation (not until https://peps.python.org/pep-0752/ gets implemented and approved). Other than that your recommendation is cool - but completely not practical, so it's not worth too much. But I know the author of the PEP (Ofek) is looking for people from the community to join the PEP as co-authors and explain why it is needed. And you seem one of the best people who can explain why, how you automated it and what should be done to fix it - would you like to join us? I actually offered Ofek that I will join the PEP, but having someone like you who is not the user who needs it but someone who "actively exploited the weakness of PyPI" might be a super-valuable addition to have you as co-author. Can you please let me know if you would like to be added there? This way - if we manage to get the PEP through approval and get implemented in PyPI - we will be able to solve the problem systemically.

J.
On Fri, Dec 20, 2024 at 3:32 PM Milan Katwal <milankatwal2...@gmail.com> wrote:

> I have reported this vulnerability to HackerOne IBB #2871958; they said to contact the team, so I am submitting again here.
>
> Description
>
> I discovered and claimed the PyPI package apache-airflow-providers-edge, a package associated with the Apache Airflow project. This vulnerability enables supply chain attacks by allowing malicious actors to publish unauthorized packages under a trusted namespace.
>
> Steps for Reproduction
>
> 1. Visit https://github.com/apache/airflow/blob/1b67b4386c91ddcb7dc80fcce4d0fe0b701efc78/docs/apache-airflow-providers-edge/index.rst?plain=1#L49
> 2. Click on the link
> 3. You will be redirected to my PyPI package
>
> Exact Report
>
> https://hackerone.com/reports/925585
>
> References
>
> https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610
>
> Recommendation
>
> Reserve all namespaces under apache-airflow for official maintainers
>
> POC
>
> [Image F3803461: Screenshot_2024-12-01_at_9.45.31_AM.png, 515.27 KiB]
> [Image F3803462: Screenshot_2024-12-01_at_9.46.17_AM.png, 390.67 KiB]
>
> Impact
>
> Perform supply chain attacks by uploading malicious packages under a trusted Apache namespace. Distribute malware or steal sensitive data from users. Remote code execution, code injection.
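The root cause in this thread is a provider distribution name that reached the docs on main before the project had published it on PyPI. The following is an added example, not code from the email or from the Airflow project: a pre-merge lint that extracts provider distribution names referenced in documentation and flags any the project has not released, so the name can be registered or the reference removed first. The sample docs and the set of released names are constructed; PEP 503 name normalization is applied so spelling variants compare as PyPI would compare them.

```python
import re

# Constructed sample of provider docs; one referenced distribution is not released.
SAMPLE_DOCS = """
Install with ``pip install apache-airflow-providers-http``.
See the `apache-airflow-providers-edge <https://pypi.org/project/apache-airflow-providers-edge/>`_ docs.
Requires apache-airflow-providers-common-sql>=1.0 and Apache_Airflow_Providers_Edge.
"""

# Constructed sample of released distribution names; in practice this would be
# read from the project's release inventory rather than hard-coded.
RELEASED = {
    "apache-airflow-providers-http",
    "apache-airflow-providers-common-sql",
}

# Provider distribution names as written in prose, links or pip requirement specs.
NAME_RE = re.compile(r"apache[-_]airflow[-_]providers(?:[-_][A-Za-z0-9]+)+", re.IGNORECASE)


def normalize(name: str) -> str:
    """PEP 503 normalization: PyPI treats all these spellings as the same project."""
    return re.sub(r"[-_.]+", "-", name).lower()


def referenced_names(text: str) -> set[str]:
    """Every provider distribution name the text refers to, normalized."""
    return {normalize(m) for m in NAME_RE.findall(text)}


def unreleased_references(text: str, released: set[str]) -> list[str]:
    """Names the docs point at that the project has not published.

    Until the project registers such a name, anyone else can; flagging it before
    the docs merge lets the release (or the reference) be fixed first.
    """
    released_norm = {normalize(n) for n in released}
    return sorted(referenced_names(text) - released_norm)


if __name__ == "__main__":
    for name in unreleased_references(SAMPLE_DOCS, RELEASED):
        print(f"unreleased distribution referenced in docs: {name}")
```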