Enhance ZARN to Detect Dependency Confusion Vulnerabilities

[htrgouvea]

Dependency confusion vulnerabilities have been identified across various ecosystems like PyPI, RubyGems, and NPM. This type of attack leverages misconfigurations or mixing of public and private module repositories to execute malicious code. The Perl ecosystem, due to its use of CPAN (Comprehensive Perl Archive Network) alongside private repositories like DarkPAN, is not immune to these risks.

The document "CPAN Dependency Confusion" highlights the specific challenges and scenarios in which dependency confusion can occur in Perl. These include:

Public modules overriding expected private/local versions due to higher version numbers.
Misconfigured CPAN clients prioritizing public repositories.
Namespace pollution or misuse of non-reserved namespaces.

To mitigate these risks and enhance ZARN's detection capabilities, we propose adding a rule to detect dependency confusion vulnerabilities.

Proposed Implementation:

Perform Static Analysis of cpanfile

ZARN should analyze cpanfile content to detect patterns and practices that could lead to dependency confusion. This includes:

Namespace Safety:

• Flagging non-reserved namespaces (e.g., Local::* without explicit protection).
• Recommending the use of reserved namespaces like _Underscore::Trick.

Version Control:

• Checking for dependencies without explicit version constraints (e.g., requires 'ModuleName').
• Highlighting modules with ambiguous version specifications, which could default to higher versions from public CPAN repositories.

Source Specification:

• Identifying dependencies without a clearly defined source repository (e.g., public vs. private).
• Checking for proper use of mirror directives to avoid fallback to public repositories.

Dependency Overrides:

• Detecting cases where a public module might override a private module due to version differences.
• Highlighting modules with identical names in both public and private repositories.

[htrgouvea]

Cpanfile examples:

Vulnerable:

requires 'Some::Public::Module';
requires 'PrivateAndPublic::Module';
requires 'Local::PrivateModule';
requires 'DarkPAN::Module';
mirror "https://cpan.metacpan.org/";

Safe:

requires 'Some::Public::Module', '1.2.3';
requires 'PrivateAndPublic::Module', '0.3.0',
  url => 'https://darkpan.local/authors/id/U/US/USER/PrivateAndPublic-0.3.0.tar.gz';
requires '_Underscore::PrivateModule';
mirror "http://darkpan.local/";
mirror "https://cpan.metacpan.org/";
mirror_only 'http://darkpan.local/';