False positive: Typosquatting
Hi there, first of all: awesome tools you guys made! 🎉
Second, I encountered the following output when scanning a requirements.txt file:
Found 2 potentially malicious indicators in ruamel-yaml version 0.17.21
typosquatting: This package closely ressembles the following package names, and might be a typosquatting attempt: ruamel-yaml, ruamel-yaml
code-execution: found 1 source code matches
* setup.py file executing code at ruamel.yaml-0.17.21/setup.py:955
subprocess.check_output(cmd)
I do get why the second indicator is found, but the first one confuses me: the package name (also installed on my machine) is ruamel.yaml. There is no package named ruamel-yaml in either my requirements or on PyPI. Did something go wrong with the dots in the package name? Or is it because this package is listed in your typosquatting list as ruamel-yaml?
Thanks!
Issue Analytics
- State:
- Created 10 months ago
- Comments: 9 (5 by maintainers)
Top GitHub Comments
Hi! I don't think that should be an issue since PEP 503 states:

Additionally:

You'll notice PyPI does redirect all of these to the same site:

But more importantly, pip does not rely on this redirection and gets the normalized URL thanks to pip._internal.utils.packaging. These utilities can be reused by importing packaging and normalizing the name before running the typosquat algorithm.

Great job @QuinceyJames, thanks for the detailed information!
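The false positive in the issue report above and the fix the maintainer proposes (normalize per PEP 503 before comparing names) can be shown side by side. The following is an added example, not the scanner's own code: it implements the PEP 503 rule inline (the same rule as packaging.utils.canonicalize_name, without requiring the packaging library), uses plain Levenshtein distance with an assumed threshold of 1 as the "closely resembles" test, and runs both the naive and the normalized check against a constructed list of top package names that stores the project under its hyphenated form, as the issue suggests the scanner's list does.

```python
import re
from typing import Iterable, List

# Constructed sample of a "top packages" list. A real scanner would load its own list;
# the hyphenated spelling of ruamel.yaml mirrors what the issue report describes.
TOP_PACKAGES = ["ruamel-yaml", "requests", "numpy", "urllib3"]


def normalize(name: str) -> str:
    """PEP 503 normalization: runs of '-', '_' and '.' collapse to one '-', then lowercase.
    packaging.utils.canonicalize_name applies exactly this rule."""
    return re.sub(r"[-_.]+", "-", name).lower()


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert / delete / substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def typosquat_candidates_naive(name: str, known: Iterable[str],
                               max_distance: int = 1) -> List[str]:
    """Pre-fix behaviour: raw string comparison, so 'ruamel.yaml' looks like a
    one-character typo of 'ruamel-yaml' and is reported as a squat of itself."""
    return [c for c in known if c != name and levenshtein(name, c) <= max_distance]


def typosquat_candidates(name: str, known: Iterable[str],
                         max_distance: int = 1) -> List[str]:
    """Fixed behaviour: normalize both sides first. Names that are the same
    distribution under PEP 503 are skipped; only genuinely different names that
    sit within max_distance edits of a known package are reported."""
    target = normalize(name)
    hits = []
    for candidate in known:
        canon = normalize(candidate)
        if canon == target:
            continue  # same project spelled differently, not a typosquat
        if levenshtein(target, canon) <= max_distance:
            hits.append(candidate)
    return hits


if __name__ == "__main__":
    for pkg in ["ruamel.yaml", "ruamel-yml", "requsts", "numpy"]:
        print(f"{pkg:12s} naive={typosquat_candidates_naive(pkg, TOP_PACKAGES)} "
              f"normalized={typosquat_candidates(pkg, TOP_PACKAGES)}")
```

Running it shows ruamel.yaml flagged only by the naive check, while ruamel-yml and requsts (one edit away from real names) are still reported after normalization, which is the behaviour the maintainer's suggestion is after.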