Packages and PyPI¶
Check for known vulnerabilities¶
- https://github.com/pyupio/safety-db and https://pyup.io/
- safety package: Safety checks your installed dependencies for known security vulnerabilities.
GPG¶
- Verifying PyPI and Conda Packages by Stuart Mumford (2016-06-21)
- Sign a package using GPG and Twine
pip security¶
PyPI¶
- PEP 458 – Surviving a Compromise of PyPI (27-Sep-2013)
- PEP 480 – Surviving a Compromise of PyPI: The Maximum Security Model (8-Oct-2014)
- Making PyPI security independent of SSL/TLS by Nick Coghlan
Vulnerabilites in the Package Index¶
- Index Vulnerability: Unchecked File Deletion
- PyPI credential exposure on GitHub
- Authentication Flaws in 2FA and API Tokens
- Upload endpoint CSRF vulnerability
- Unintended Deployments to PyPI Servers
- Vulnerability in Legacy Document Deletion on PyPI
- Vulnerability in GitHub Actions workflow for PyPI
- Vulnerability in Role Deletion on PyPI
- Account Takeover and Malicious Replacement of ctx Project
PyPI typo squatting¶
- Typosquatting programming language package managers by Nikolai Tschacher (8 June, 2016)
- LWN: Typosquatting in package repositories (July 20, 2016)
- Building a botnet on PyPi by Steve Stagg (May 19, 2017)
- warehouse bug (pypi.org): Block package names that conflict with core libraries (reported at June 28, 2017)
- 2017-09-09: skcsirt-sa-20170909-pypi-malicious-code advisory
fate0:
- 2017-05-27 04:38 - 2017-05-31 12:24 (5 days): 10,685 downloads
- May-June, 2017
- https://mail.python.org/pipermail/distutils-sig/2017-June/030592.html
- http://blog.fatezero.org/2017/06/01/package-fishing/
- https://github.com/pypa/pypi-legacy/issues/644
- http://evilpackage.fatezero.org/
- https://github.com/fate0/cookiecutter-evilpy-package
- Packages (this list needs to be validated):
- caffe
- ffmpeg
- ftp
- git
- hbase
- memcached
- mkl
- mongodb
- opencv
- openssl
- phantomjs
- proxy
- pygpu
- python-dev
- rabbitmq
- requirement.txt
- requirements.txt
- rrequirements.txt
- samba
- shadowsock
- smb
- tkinter
- vtk
- youtube-dl
- zookeeper
- ztz
- …
Example of typos:
urllib
,urllib2
: part of the standard libraryurlib3
instead ofurllib3
Links¶
- The Update Framework (TUF): Like the S in HTTPS, a plug-and-play library for securing a software updater.