Thank you for your detailed response and for clarifying the situation regarding the name in your documentation.
First of all, I sincerely apologize for addressing the public mailing list while reporting this. It was a mistake on my part, and I will ensure it does not happen again in future communications. I appreciate your understanding and the clarification that this is not a security issue.

Regarding the two options you provided, I would be happy to proceed with option 1 and transfer the name to you, but I no longer have control over that project, because someone reported it and it was removed from the PyPI registry, so now I am unable to claim it either.

As for your invitation to collaborate on the PEP, I am honored and grateful for the opportunity. Please let me know how I can get involved and what the next steps are.

On Fri, Dec 20, 2024 at 11:41 PM Jarek Potiuk <ja...@potiuk.com> wrote:

> Hello Milan,
>
> First of all NEVER mix private and public mailing lists when you are reporting a potential security vulnerability - which you did by addressing dev@airflow.apache.org in this message. Luckily this is not a security vulnerability - so your mistake has no bad consequences, so I continue keeping dev@airflow.apache.org on the cc:
>
> This is just a proposed name that appeared in our docs in main that we have not released, and it's not a security issue - because we have not released it yet (and your reservation made it impossible for now to release it). There are two options now:
>
> 1) Can you please transfer it to me (potiuk is my id in PyPI) and we will continue developing the provider. That would be best.
> 2) We will change the name.
>
> I think it's best if you do 1).
>
> And since it's not the first time you send (undoubtedly automated) similar email to secur...@apache.org which is (undoubtedly) the result of automated scanning of github repositories, I think it's a nice service for us - it's the second time a name was accidentally added to unreleased documentation in an Apache Project, you took that over, and then you transfer it to the rightful owner. This is a really nice "service" you provide. Thanks for that.
>
> But on a more serious note - as you know - we cannot follow your recommendation (not until https://peps.python.org/pep-0752/ gets implemented and approved). Other than that your recommendation is cool - but completely not practical, so it's not worth too much.
>
> But I know the author of the PEP (Ofek) is looking for people from the community to join the PEP as co-authors and explain why it is needed. And you seem one of the best people who can explain why, how you automated it and what should be done to fix it - would you like to join us? I actually offered Ofek that I will join the PEP, but having someone like you who is not the user who needs it but someone who "actively exploited the weakness of PyPI" might be a super-valuable addition to have as co-author. Can you please let me know if you would like to be added there.
>
> This way - if we manage to get the PEP through approval and get it implemented in PyPI - we will be able to solve the problem systemically.
>
> J.
>
>
> On Fri, Dec 20, 2024 at 3:32 PM Milan Katwal <milankatwal2...@gmail.com> wrote:
>
>> I have reported this vulnerability to HackerOne IBB #2871958; they said to contact the team, so I am submitting again here.
>>
>> Description
>> I discovered and claimed the PyPI package apache-airflow-providers-edge, a package associated with the Apache Airflow project. This vulnerability enables supply chain attacks by allowing malicious actors to publish unauthorized packages under a trusted namespace.
>>
>> Steps for Reproduction
>>
>> 1. visit https://github.com/apache/airflow/blob/1b67b4386c91ddcb7dc80fcce4d0fe0b701efc78/docs/apache-airflow-providers-edge/index.rst?plain=1#L49
>> 2. click on the link
>> 3. you will be redirected to my PyPI package
>>
>> Exact Report
>> https://hackerone.com/reports/925585
>>
>> References
>> https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610
>>
>> Recommendation
>> Reserve all namespaces under apache-airflow for official maintainers
>>
>> POC
>> [Image F3803461: Screenshot_2024-12-01_at_9.45.31_AM.png, 515.27 KiB]
>> [Image F3803462: Screenshot_2024-12-01_at_9.46.17_AM.png, 390.67 KiB]
>>
>> Impact
>> Perform supply chain attacks by uploading malicious packages under a trusted Apache namespace
>> Distribute malware or steal sensitive data from users
>> Remote code execution, code injection
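As an added example that is not part of this thread or of the Airflow project's own tooling: a small docs lint in Python that flags PyPI distribution names a docs page points readers at but that the project has not yet released, which is exactly the window in which such a name can be registered by someone else. Names are compared after PEP 503 normalization; the RST snippet and the released-name set below are constructed stand-ins, not the real Airflow inventory.

```python
import re

# PEP 503 normalization: PyPI treats names that differ only in case or in
# runs of '-', '_' and '.' as the same project, so compare normalized forms.
def normalize(name: str) -> str:
    return re.sub(r"[-_.]+", "-", name).lower()

# Matches pypi.org project links and "pip install <name>" lines in RST/Markdown docs.
PYPI_LINK = re.compile(r"https?://pypi\.org/project/([A-Za-z0-9][A-Za-z0-9._-]*)/?")
PIP_INSTALL = re.compile(r"pip install\s+(?:-[\w-]+\s+)*([A-Za-z0-9][A-Za-z0-9._-]*)")

def referenced_distributions(doc_text: str) -> set[str]:
    """Return the normalized distribution names a docs page points readers at."""
    names = set()
    for rx in (PYPI_LINK, PIP_INSTALL):
        for m in rx.finditer(doc_text):
            names.add(normalize(m.group(1)))
    return names

def unreleased_references(doc_text: str, released: set[str], prefix: str) -> list[str]:
    """Names under the project's prefix that the docs reference but that the project
    has not published. Until one of them is released, anyone can register it on PyPI."""
    released_norm = {normalize(r) for r in released}
    prefix_norm = normalize(prefix)
    return sorted(
        n for n in referenced_distributions(doc_text)
        if n.startswith(prefix_norm) and n not in released_norm
    )

# Constructed sample docs page and constructed set of released distributions
# (stand-ins for a provider index.rst and the project's release inventory).
SAMPLE_DOC = """\
Package ``apache-airflow-providers-edge``

Install with ``pip install apache-airflow-providers-edge``.

Release: `PyPI <https://pypi.org/project/apache-airflow-providers-edge/>`__

See also `PyPI <https://pypi.org/project/apache-airflow-providers-http/>`__
and https://pypi.org/project/requests/ for the HTTP client.
"""

RELEASED = {"apache-airflow", "apache-airflow-providers-http", "Apache_Airflow_Providers.Sqlite"}

if __name__ == "__main__":
    for name in unreleased_references(SAMPLE_DOC, RELEASED, "apache-airflow-"):
        print(f"docs reference unreleased distribution: {name}")
```

Run as a CI step over the docs tree with the set of names the project actually publishes; any hit is a name that should either be released first or removed from the docs until it is.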