Tool to check for dependency confusion vulnerabilities in multiple package management systems

Related tags

Build Tools confused
Overview

Confused

A tool for checking for lingering free namespaces for private package names referenced in dependency configuration for Python (pypi) requirements.txt, JavaScript (npm) package.json or PHP (composer) composer.json.

What is this all about?

On 9th of February 2021, a security researcher Alex Birsan published an article that touched different resolve order flaws in dependency management tools present in multiple programming language ecosystems.

Microsoft released a whitepaper describing ways to mitigate the impact, while the root cause still remains.

Interpreting the tool output

confused simply reads through a dependency definition file of an application and checks the public package repositories for each dependency entry in that file. It will proceed to report all the package names that are not found in the public repositories - a state that implies that a package might be vulnerable to this kind of attack, while this vector has not yet been exploited.

This however doesn't mean that an application isn't already being actively exploited. If you know your software is using private package repositories, you should ensure that the namespaces for your private packages have been claimed by a trusted party (typically yourself or your company).

Known false positives

Some packaging ecosystems like npm have a concept called "scopes" that can be either private or public. In short it means a namespace that has an upper level - the scope. The scopes are not inherently visible publicly, which means that confused cannot reliably detect if it has been claimed. If your application uses scoped package names, you should ensure that a trusted party has claimed the scope name in the public repositories.

Installation

Usage

Usage:
 ./confused [-l LANGUAGENAME] depfilename.ext

Usage of ./confused:
  -l string
        Package repository system. Possible values: "pip", "npm", "composer" (default "npm")
  -s string
        Comma-separated list of known-secure namespaces. Supports wildcards
  -v    Verbose output

Example

Python (PyPI)

./confused -l pip requirements.txt

Issues found, the following packages are not available in public package repositories:
 [!] internal_package1

JavaScript (npm)

./confused -l npm package.json

Issues found, the following packages are not available in public package repositories:
 [!] internal_package1
 [!] @mycompany/internal_package1
 [!] @mycompany/internal_package2

# Example when @mycompany private scope has been registered in npm, using -s
./confused -l npm -s '@mycompany/*' package.json

Issues found, the following packages are not available in public package repositories:
 [!] internal_package1
Comments
  • Output is actively misrepresenting the vulnerability.

    Output is actively misrepresenting the vulnerability.

    Type II error, False negative.

    Lets say my company has a private package, iconic-spoon-collection this package is not supposed to be public. This tool would say everything is probably fine if iconic-spoon-collection existed in the public repository.

    If the tool knew that iconic-spoon-collection was a private only package it would know it should not public, and the fact that this package is public is a sign that you have been breached.

    enhancement 
    opened by ghost 13
  •  json: cannot unmarshal bool into Go struct field error

    json: cannot unmarshal bool into Go struct field error

    Hi there

    Thanks for a great tool!

    We have checked a large number of package.json files. Sometimes the tool fails with this message: Encountered an error while trying to read packages from file: json: cannot unmarshal bool into Go struct field PackageJSON.bundleDependencies of type []string

    For instance when running against this file npm\node_modules\decamelize\package.json

    I don't know if it's a general bug or something at our end.

    Thanks!

    opened by visma-henriklarsen 8
  • Fixes #1 npm unmarshalling

    Fixes #1 npm unmarshalling

    Fixes #1 by adding omitempty tags to the PackageJSON struct as not all package.json files contain every field in this struct.

    Also satisfies golint by adding godoc comments to exported types, methods, and interfaces, as well as adding package level documentation.

    Finally, simplifies the range statements in npm.go by removing the unnessary _ empty variable

    opened by n0ncetonic 5
  • False Positive NPM detection

    False Positive NPM detection

    Summary

    Hello Team

    Thank you for this awesome tool, I wanted to point out that while I was automating my process I came across a certain package.json that gave me all false positive results and I can't figure out why this certain one is giving such a results

    Located here https://assets.vimeo.com/package.json

    Screenshot

    Image

    I tested all of these and all of them are already registered

    Best regards

    bug 
    opened by Sicks3c 2
  • npm false negative.

    npm false negative.

    Hi guys! thanks for this great tool!.

    If someone has created an npm package but later was Unpublished, the tool returns a status code 200 but the takeover for this package is still possible.

    I have found this testing the package console-shim

    imagen

    imagen

    imagen

    imagen

    thanks!

    bug 
    opened by bp0lr 2
  • support continuations in pip requirements files

    support continuations in pip requirements files

    pip requirements files can look like this:

    appdirs==1.4.4 \
        --hash=sha256:7d5d0167b2b1ba821647616af46a749d1c653740dd0d2415100fe26e27afdf41 \
        --hash=sha256:a841dacd6b99318a741b166adb07e19ee71a274450e68237b4650ca1055ab128 \
        # via black
    

    That has the package pinned to a specific version plus hashes of the package download files. When pip is used to install packages specified like this, it downloads the file and verifies it against the hash in the requirements file. The continuations (\) are used to keep the file readable.

    Given a requirements file like that, confused produces output like this:

    Issues found, the following packages are not available in public package repositories:
     [!] --hash
     [!] --hash
    

    Seems like confused doesn't support continuations (the \):

    https://github.com/visma-prodsec/confused/blob/d0cafe92dca8bcacf76b3d8f36f37da679a9ca77/pip.go#L24-L35

    bug 
    opened by willkg 2
  • pip filter with tilde = gives incorrect false-positive package name.

    pip filter with tilde = gives incorrect false-positive package name.

    A requirements.txt entry with tilde = is not parsed correctly.

    boto3~=2.3.4

    it is parsed as package name boto3~ but it should be boto3.

    Tilde = is a valid syntax. https://www.python.org/dev/peps/pep-0440/#compatible-release

    bug 
    opened by bjhulst 1
  • [NPM] Dependencies set as URLs are not takeovereable

    [NPM] Dependencies set as URLs are not takeovereable

    Hi again!

    AFAIK dependencies specified as a URL are not takeovereable, as it'll override the normal lookup mechanism and it will instruct NPM to download the dependency from a specific location:

    https://docs.npmjs.com/cli/v7/configuring-npm/package-json#dependencies

    Some examples

    "dep_name": "github_org_name/repo_name#2.2.0"
    "dep_name": "https://github.com/github_org_name/repo_name#2.2.0"
    "dep_name": "file:/test/path"
    

    confused still flag these as vulnerable

    Maybe the best way to fix this is by checking if the version part is valid semver, but there might be some edge cases ("tag"?)

    opened by lean0x2F 1
  • Update README.md

    Update README.md

    installing executables with 'go get' in module mode is deprecated. Use 'go install [email protected]' instead. For more information, see https://golang.org/doc/go-get-install-deprecation

    opened by Sm4rty-1 0
  • Fix npm module parsing issues caused by broken spec

    Fix npm module parsing issues caused by broken spec

    Some packages are breaking the npm package.json spec. An example was provided with published package that presented this issue.

    This PR makes confused to continue processing while ignoring the broken values.

    It is based on #5

    Fixes: #1

    opened by joohoi 0
  • Add PHP (composer) support

    Add PHP (composer) support

    This PR adds support for PHP checking based on Composer dependency manager.

    The dependencies are checked against Composer's official package repository Packagist.

    Please note that the way composer handles dependencies is quite different from pip and npm, the developer can define[1]:

    1. Different source repositories for a package
    2. Different package repository without disabling Packagist
    3. Different package repository disabling Packagist

    The current implementation does not check for those configuration changes.

    There is also a very thorough blog post[2] that explains why PHP/Composer is not susceptive to this attack.

    [1] https://getcomposer.org/doc/05-repositories.md [2] https://blog.packagist.com/preventing-dependency-hijacking/

    opened by flavioheleno 0
  • Added Dockerfile

    Added Dockerfile

    Hi folks,

    Awesome work on this tool. I noticed some people could not get it to work and decided to include a simple Dockerfile and instructions to build and run the container easily. Feel free to do with it as you like.

    Cheers, 0xbad53c

    opened by 0xbad53c 0
  • Update README.md fix install method

    Update README.md fix install method

    Update install method as go get -u is outdated and not working anymore.

    go get -u repuURL will no longer work. See error message below.

    go install [email protected] works..

    Old error:

    % go get -u github.com/visma-prodsec/confused
    go: go.mod file not found in current directory or any parent directory.
    	'go get' is no longer supported outside a module.
    	To build and install a command, use 'go install' with a version,
    	like 'go install example.com/[email protected]'
    	For more information, see https://golang.org/doc/go-get-install-deprecation
    	or run 'go help get' or 'go help install'.
    
    opened by zrthstr 0
  • Getting json unmarshall erro go cant handle it

    Getting json unmarshall erro go cant handle it

    [W] Non-fatal issue encountered while reading package-lock.json : json: cannot unmarshal object into Go struct field PackageJSON.dependencies of type string

    opened by balook 2
  • Inaccurate results

    Inaccurate results

    Now there is a package.json file content as follows image Let's go search: https://www.npmjs.com/search?q=prepack-fuzzer image Now, we start to run the tool to test: confused -l npm package.json image He said that there is no testcheck, so let's search again image Hey bro, please tell me is this normal or a bug

    opened by Oldman19 0
Releases(v0.5)
Owner
Visma Product Security
Visma Product Security works towards a safer world, by helping development teams in Visma and beyond to develop more secure applications.
Visma Product Security
Build systems with Go examples

What is this? This is a repository containing all the examples from the book BUILD SYSTEMS with GO (and save the world). This book is written to help

Juan M. Tirado 99 Nov 20, 2022
A zero dependency asset embedder for Go

Mewn A zero dependency asset embedder for Go. About Mewn is perhaps the easiest way to embed assets in a Go program. Here is an example: package main

Lea Anthony 86 Oct 23, 2022
Example-go-install - A package aims to demonstrate how libraries / commands should be organized in a go package

Example-go-install - A package aims to demonstrate how libraries / commands should be organized in a go package

Nathan Fiscaletti 0 Jan 27, 2022
Various tools for usage with Golang like installer, github tool and cloud features.

Gopei2 (Go Programming Environment Installer) Gopei shell install Go compiler, LiteIDE and configure for you the entire environment, variables, paths,

George Calianu 100 Nov 9, 2022
a build tool for Go, with a focus on cross-compiling, packaging and deployment

goxc NOTE: goxc has long been in maintenance mode. Ever since Go1.5 supported simple cross-compilation, this tool lost much of its value. There are st

Am Laher 1.7k Nov 11, 2022
An extremely opinionated TypeScript monorepo tool.

Unirepo is an extremely opinionated TypeScript build tool. Typical monorepo management tools in the Node.js ecosystem provide automation aroun

Brandon Bloom 221 Oct 27, 2022
a Make/rake-like dev tool using Go

About Mage is a make-like build tool using Go. You write plain-old go functions, and Mage automatically uses them as Makefile-like runnable targets. I

Mage 3.3k Nov 21, 2022
πŸš€ gowatch is a command line tool that builds and (re)starts your go project everytime you save a Go or template file.

gowatch δΈ­ζ–‡ζ–‡ζ‘£ gowatch is a command line tool that builds and (re)starts your go project everytime you save a Go or template file. Installation To insta

silenceper 732 Nov 28, 2022
🌍 Earthly is a build automation tool for the container era

?? Earthly is a build automation tool for the container era. It allows you to execute all your builds in containers. This makes them self-contained, repeatable, portable and parallel. You can use Earthly to create Docker images and artifacts (eg binaries, packages, arbitrary files).

Earthly 8.4k Nov 27, 2022
A simple tool to help WoW repack administrators manipulate the repack database(s)

WoW Repack Manipulator This tool makes it easier for an administrator of a WoW Repack (private WoW server, basically) to manipulate the database that

Michael Crilly 2 Feb 7, 2022
two scripts written in golang that will help you recognize dependency confusion.

two scripts written in golang that will help you recognize dependency confusion.

gv1_ 6 Mar 3, 2022
A tool to check for vulnerabilities in your Golang dependencies, powered by Sonatype OSS Index

Nancy nancy is a tool to check for vulnerabilities in your Golang dependencies, powered by Sonatype OSS Index, and as well, works with Nexus IQ Server

Sonatype Community 467 Nov 24, 2022
Scan systems and docker images for potential spring4shell vulnerabilities.

Scan systems and docker images for potential spring4shell vulnerabilities. Will detect in-depth (layered archives jar/zip/tar/war and scans for vulnerable Spring4shell versions. Binaries for Windows, Linux and OsX, but can be build on each platform supported by supported Golang.

null 10 Nov 9, 2022
Get any cryptocurrencies ticker and trade data in real time from multiple exchanges and then save it in multiple storage systems.

Cryptogalaxy is an app which will get any cryptocurrencies ticker and trade data in real time from multiple exchanges and then saves it in multiple storage systems.

Pavan Shetty 108 Nov 21, 2022
PolarDB Cluster Manager is the cluster management component of PolarDB for PostgreSQL, responsible for topology management, high availability, configuration management, and plugin extensions.

What is PolarDB Cluster Manager PolarDB Cluster Manager is the cluster management component of PolarDB for PostgreSQL, responsible for topology manage

null 7 Nov 9, 2022
Go dependency management tool experiment (deprecated)

Dep dep is a dependency management tool for Go. It requires Go 1.9 or newer to compile. NOTE: Dep was an official experiment to implement a package ma

Go 13k Nov 20, 2022
check-cert: Go-based tooling to check/verify certs

check-cert: Go-based tooling to check/verify certs

Adam Chalkley 14 Sep 23, 2022
Check-location - A golang service to check user location using their IP address

this is a golang service to check user location using their IP address. The purp

Abdessamad Bensaad 1 Aug 29, 2022
Check-load - Simple cross-platform load average check

Sensu load average check Table of Contents Overview Usage examples Configuration

KOHMURA Jin 0 Jun 16, 2022
SSRFuzz is a tool to find Server Side Request Forgery vulnerabilities, with CRLF chaining capabilities

SSRFuzz is a tool to find Server Side Request Forgery vulnerabilities, with CRLF chaining capabilities Why?

Ryan D'Amour 141 Nov 20, 2022