First, let us acknowledge that the python package ecosystem is a relatively new one. Where did this idea that the only safe code is code that comes from the vendor community come from? In the early days of the internet, before the days of security testing like penetration tests, the ecosystem was filled with malicious hackers. They found that many of the python packages on PyPI were often insecure. They started to package their own code in a way that could be distributed as a python package and make money doing so. Because python packages are often used by programmers new to the language, they have been hit hard by this attack vector. The vendors are late to the game, often releasing insecure packages with code execution backdoors.

The Python Package Development Best Practices is a document designed to provide guidance for writing secure python packages. It is aimed at both developers of python packages and users of them. The best practices are not exhaustive, but they represent a set of suggestions that should enable the creation of secure python packages.
This document was created by members of the security community. Every code snippet in the document was scrutinized by multiple people before being accepted as best practice by the team, who sought to make sure that no language limitation could be exploited to cause security vulnerabilities in python packages.
There are many more resources available on this topic:
- https://www.surveymonkey.com/r/PwrM6ZF
- http://blog.agilebit.org/2014/06/best-practices-for-building-secure-python-packages

How to check if a package is vulnerable?

To check if a package is vulnerable, you can use the "python -m pylint" command. Pylint will then spit out all possible warnings and errors that the package might expose. This includes code execution security flaws, buffer overflow vulnerabilities, insecure cryptography implementations, and more.
Another way to find out if a package is vulnerable is to download the source code from a repository on PyPI and use it locally. If you see an error when compiling or running the code, that means something is wrong with it and there could be a security flaw. The authors of this blog post suggest using tools like pylint or travis-ci-checker (a tool for detecting security vulnerabilities in python packages) to scan your local copy of the package's source code before trusting it with your application code.

Code execution backdoors

A "code execution backdoor" is a hidden piece of code inserted by the developer that has the ability to execute commands on a computer when triggered by an event. For example, the following code would log into a remote machine and run a command:
def my_backdoor():
my_password = raw_input("Enter your password: ")
sshpass = ""
while sshpass != "":
sshpass = input("Enter your password again: ")
print sshpass
if len(sshpass) == 0:
print "I am sorry, try again."
else:
exec(sshpass)

Python packages are old, stale code

Python packages have been around since the late nineties. This means that many of these packages are old and outdated. They may be missing security features or they may have insecure code. There is a reason why they were developed in the first place. It is often quite difficult to pull out a python package, because so much of the work has gone into it over the years, and it can be hard to reconstruct all that work if you just want to release a new version of your package.
There are also third party libraries that make use of these old packages for various functions, like web framework wrappers that wrap an old python module into something that can be used with a newer framework like Django. The problem here is that these frameworks have not done any security testing on their own libraries and are still assuming that the package they need is safe. So when users use libraries from this wrapper, they're using unsafe packages and introduce vulnerabilities from their own software onto their users' software.

How to check if a package is vulnerable

#1- You can use the pip freeze command to find out if a package is vulnerable.
#2- If you run pip list on your machine, you'll get a list of all the packages that are installed and their version numbers. This will allow you to see what packages are affected by any vulnerability.
#3- If it's a package that you need to install, it's best to just uninstall it. If it's not needed anymore, then make sure that the package doesn't exist in your system and don't install new versions of it anymore.

Timeline

Published on: 09/19/2022 15:15:00 UTC
Last modified on: 09/21/2022 15:36:00 UTC

References