This project focuses on vulnerability research and exploit development in the PyPI ecosystem. The goal is to identify and document command injection vulnerabilities in Python packages through systematic security auditing.
This project was completed as part of CSC199 coursework at California State University, Sacramento under Professor Daniel Hammon.
- Identify and document command injection vulnerabilities in PyPI packages
- Develop proof-of-concept exploits for discovered vulnerabilities
- Practice responsible disclosure to package maintainers
- Contribute to software supply chain security
- Find candidate packages using https://hugovk.github.io/top-pypi-packages/
- Focus on packages that wrap command-line tools
- Review documentation and analyze dependencies
- Search for dangerous patterns:
subprocess,shell=True,os.system - Check for input validation:
sanitize,whitelist,blacklist - Review the wrapped tool's documentation for dangerous options
- Craft malicious inputs
- Test exploitation in isolated environment
- Create proof-of-concept if vulnerability is confirmed
- Document reproduction steps
Go to https://hugovk.github.io/top-pypi-packages/
On GitHub, search the repo for:
subprocess
shell=True
os.system
os.popen
sanitize
whitelist
blacklist
├── README.md
├── RECON.md # Reconnaissance process guide
├── findings/
│ └── [package_name].md # Documented findings
└── poc/
└── [package_name]_poc.py # Proof of concept exploits
- Static Analysis: Manual code review, GitHub search
- Package Discovery: https://hugovk.github.io/top-pypi-packages/
| Package | Status | Type | Details |
|---|---|---|---|
| pdfkit | Investigating | Option Injection | Link |
All vulnerabilities will be reported following responsible disclosure practices:
- Contact package maintainers privately
- Provide technical details and reproduction steps
- Allow time for fix before public disclosure
- Submit CVE request if applicable
Marcos Pantoja
Computer Science, California State University, Sacramento
Professor Daniel Hammon - Project Advisor