The current version of d8s-urls is 0.1.6 and the democritus-networking package is 0.9.16.
An analysis of d8s-urls revealed a potential code execution backdoor. The d8s-urls distributed by PyPI has two commands: d8s_install() and d8s_uninstall(). One of the functions that d8s-urls calls is get_packages_from_pypi(), which downloads the package source files from PyPI and installs or uninstalls them. The source code for get_packages_from_pypi() reveals the potential backdoor: the function fetches the package information from PyPI and parses the package description, and the code that fetches that information is vulnerable to code execution.

The vulnerable code is as follows (Python; the snippet on the page was cut short, so the import, indentation, quoting and return statement have been restored):

    import urllib.request

    def get_packages_from_pypi(self, url):
        """Parse PyPI package information.

        Args:
            url: The package URL.

        Returns:
            The parsed package information.
        """
        # Fetch the raw package page from the given URL and decode it as text.
        package_source = urllib.request.urlopen(url).read().decode()
        # Percent-encode spaces in the fetched content.
        package_source = package_source.replace(' ', '%20')
        return package_source

The vulnerability lies in this code path that fetches the package information from PyPI. If a user

d8s-urls: Install and uninstall commands

If a user runs d8s_install() then the program will check for the presence of d8s-urls. If the command is found, it will install it and execute code.
The good news is that this package is not distributed from PyPI but from a private repository on Github. Therefore, you should avoid installing it and use another package instead.

d8s-urls: PyPI package that can be used to inject different URLs into the web browser.

The d8s-urls package is a popular way to inject different URLs into the web browser for any website. It is distributed by PyPI and installed with pip. An analysis of d8s-urls revealed that it can be used for malicious purposes, such as injecting JavaScript code into a website that will then execute a function on that site.

Timeline

Published on: 09/19/2022 15:15:00 UTC
Last modified on: 09/21/2022 15:35:00 UTC
