RyotaK's Blog 技術的な話とか
タグ PyPI を持つ記事:

Potential remote code execution in PyPI

Preface (日本語版も公開されています。) While PyPI has a security page, they don’t have a clear policy for vulnerability assessments.1 This article describes the vulnerabilities that were reported as potential vulnerabilities, using publicly available information. This was done without actually exploiting / demonstrating the vulnerabilities. This article is not intended to encourage you to perform an unauthorized vulnerability assessment. If you find any vulnerabilities in PyPI, please report them to [email protected] TL;DR There was a vulnerability in GitHub Actions of PyPI’s repository, which allowed a malicious pull request


はじめに (English version is also available.) PyPIは、セキュリティページ自体は公開しているものの、脆弱性診断行為に対する明確なポリシーを設けていません。1 本記事は、公開されている情報を元に脆弱性の存在を推測し、実際に検証する