dropbox / dropboxbusinessscripts
Scripting resources to serve as a base for common Dropbox Business tasks
License: Apache License 2.0
Hey,
I wasn't able to report this security vulnerability via the only given channel on BugCrowd. The BugCrowd triage team said that Dropbox OSS isn't in scope and those projects are too old, so such vulnerabilities cannot be reported via that platform. The only place where I can report is here.
This project and dropbox/mypy-pycharm-plugin are vulnerable to the MavenGate supply chain attack. There are the following vulnerable dependencies:

- Group ID: `com.opencsv`, domain available for registration: opencsv.com
- Group ID: `org.ini4j`, domain available for registration: ini4j.org

(however, this project uses only the Maven Central repository, so see comments below)
The attack looks as follows:

1. `groupId` values on public repositories because they all require DNS TXT verification (this is verified for MavenCentral, JitPack, and Gradle). This verification is possible when an attacker can purchase the domain.
2. `groupId` value is registered in their system, they require manual verification, as they say: "Any future attempts to leverage current and future expired domains will undergo a thorough assessment by our team, ensuring evidence of ownership of not just the domain but also the underlying project".
3. `groupId`.

I'm providing an attack example for this project that includes the vulnerable `com.opencsv:opencsv:3.4`. The `opencsv.com` domain can be purchased:
To avoid purchasing the domain and breaking the CI/CDs of other developers, I created a local repository to demonstrate the attack. So to reproduce the attack using a local repository, do the following:

1. `~/.m2/settings.xml`, in my case it looks as follows:

   ```xml
   <?xml version="1.0" encoding="UTF-8"?>
   <settings xsi:schemaLocation="http://maven.apache.org/SETTINGS/1.2.0 http://maven.apache.org/xsd/settings-1.2.0.xsd" xmlns="http://maven.apache.org/SETTINGS/1.2.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
     <servers>
     </servers>
     <localRepository>${user.home}/.m2/repository</localRepository>
     <profiles>
       <profile>
         <id>mainProfile</id>
         <repositories>
           <repository>
             <id>EVIL_REPO</id>
             <name>EVIL_REPO</name>
             <url>file:///Users/me/Downloads/EVIL_REPO/</url>
           </repository>
           <repository>
             <id>central</id>
             <name>central</name>
             <url>https://repo.maven.apache.org/maven2/</url>
           </repository>
         </repositories>
       </profile>
     </profiles>
     <activeProfiles>
       <activeProfile>mainProfile</activeProfile>
     </activeProfiles>
   </settings>
   ```

2. `git clone https://github.com/dropbox/DropboxBusinessScripts`
3. `cd DropboxBusinessScripts/Sharing`
4. `mvn clean compile assembly:single --file ListSharedFolders-pom.xml`. The build will generate the `DropboxBusinessScripts/Sharing/target/ListSharedFolders-0.0.1-jar-with-dependencies.jar` runnable jar, which will be poisoned. To verify that, decompile the file or unzip it:

So the conclusions:

- The `evil.Evil` class is an example; an attacker can modify the sources of this library in any way too.
- `~/.m2/settings.xml` in the case of Maven), it will lead to artifact poisoning when attacking dependencies.
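As a defender-side check for the issue described above, here is an added example (not code from this report or from the Dropbox project) that parses a POM's dependency groupIds, maps each to the domain that Maven Central's DNS verification ties it to, and flags those that no longer resolve. The sample POM, its placeholder versions and the stub resolver used in testing are constructed for this example; the two-label domain rule and the forge-prefix list are simplifying assumptions.

```python
import socket
import xml.etree.ElementTree as ET
from typing import Callable, Dict, List, Optional

# Forge-hosted prefixes: github.io etc. belong to the forge, so the domain heuristic does not apply.
FORGE_PREFIXES = ("io.github", "com.github", "io.gitlab", "org.bitbucket")

# Constructed sample POM: the two reported dependencies plus two controls; versions are placeholders except opencsv 3.4.
SAMPLE_POM = """<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency><groupId>com.opencsv</groupId><artifactId>opencsv</artifactId><version>3.4</version></dependency>
    <dependency><groupId>org.ini4j</groupId><artifactId>ini4j</artifactId><version>0.0-example</version></dependency>
    <dependency><groupId>com.dropbox.core</groupId><artifactId>dropbox-core-sdk</artifactId><version>0.0-example</version></dependency>
    <dependency><groupId>io.github.someone</groupId><artifactId>lib</artifactId><version>0.0-example</version></dependency>
  </dependencies>
</project>"""

_local = lambda tag: tag.rsplit("}", 1)[-1]  # strip the XML namespace so namespaced and bare POMs work alike

def group_ids(pom_xml: str) -> List[str]:
    """Distinct groupIds declared under <dependency> elements, in document order."""
    seen: List[str] = []
    for dep in ET.fromstring(pom_xml).iter():
        for child in (dep if _local(dep.tag) == "dependency" else []):
            gid = (child.text or "").strip()
            if _local(child.tag) == "groupId" and gid and gid not in seen:
                seen.append(gid)
    return seen

def registrable_domain(group_id: str) -> Optional[str]:
    """Reverse-DNS groupId -> the domain Maven Central verifies (com.opencsv -> opencsv.com).
    Simplification: two-label domains only (ccTLD forms like uk.co.x need a public-suffix
    list); forge-hosted groupIds return None."""
    parts = group_id.split(".")
    if len(parts) < 2 or any(group_id == p or group_id.startswith(p + ".") for p in FORGE_PREFIXES):
        return None
    return ".".join(reversed(parts[:2]))

def resolves(domain: str) -> bool:
    """Default resolver (needs network): True when the domain has an address record."""
    try:
        return bool(socket.gethostbyname(domain))
    except OSError:
        return False

def audit(pom_xml: str, resolver: Callable[[str], bool] = resolves) -> Dict[str, str]:
    """{groupId: domain} for dependencies whose domain does not resolve. A hit is a
    review candidate only (the domain may just lack an A record); confirm via WHOIS/RDAP."""
    found = {gid: registrable_domain(gid) for gid in group_ids(pom_xml)}
    return {gid: dom for gid, dom in found.items() if dom and not resolver(dom)}
```

Run `audit(open("pom.xml").read())` against a real project to get the review list; pass a custom `resolver` to test offline or to route lookups through an internal DNS.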