46% of Python packages in the PyPI repository contain potentially unsafe code

A group of researchers from the University of Turku (Finland) published the results of analyzing packages in the PyPI repository for the use of potentially dangerous constructs that could lead to vulnerabilities. The analysis of 197 packages revealed 749 potential security issues; 46% of the packages have at least one such problem. The most frequently encountered problems are flaws in exception handling and the use of features that allow externally supplied code to be executed.

Of the 749 issues identified, 442 (41%) are labeled as minor, 227 (30%) as moderate, and 80 (11%) as severe. Some packages stand out and contain thousands of problems: for example, 2589 problems were found in the PyGGI package, mainly related to the "try-except-pass" construct, and 2356 in the appengine-sdk package. A large number of issues are also present in the genie.libs.ops, pbcore, and genie.libs.parser packages.

It should be noted that the results were obtained by automated static analysis, which does not take into account the context in which a given construct is used. The developer of the bandit tool that was used to scan the code expressed the opinion that, because of the rather high number of false positives, the scan results cannot be treated directly as vulnerabilities without additional manual review of each finding.

For example, the analyzer treats the use of non-cryptographic random number generators and of weak hashing algorithms such as MD5 as a security problem, while in real code such algorithms are often used for purposes that have no security impact. The analyzer likewise flags any processing of external data in unsafe functions such as pickle, yaml.load, subprocess, and eval, but such use is not necessarily a vulnerability: these functions can be used without security risk when the input is trusted or properly constrained.

Among the checks used in the study:

  • Use of potentially unsafe functions such as exec, mktemp, eval, and mark_safe.
  • Insecure file permissions.
  • Binding a network socket to all network interfaces.
  • Use of hard-coded passwords and keys.
  • Use of a predefined temporary directory.
  • Use of pass and continue in catch-all exception handlers.
  • Running web applications based on the Flask web framework with debug mode enabled.
  • Use of unsafe data deserialization methods.
  • Use of the hash functions MD2, MD4, MD5 and SHA1.
  • Use of insecure DES ciphers and encryption modes.
  • Use of an insecure implementation of HTTPSConnection in some versions of Python.
  • Specifying the file:// scheme in urlopen.
  • Use of pseudo-random number generators for cryptographic tasks.
  • Use of the Telnet protocol.
  • Use of unsafe XML parsers.
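To make concrete how a bandit-style scanner arrives at findings like those listed above, and why a reviewer has to judge each one in context, the following added example (written for this article; it is neither the researchers' code nor bandit's own) implements a small AST-based checker over a constructed sample module. It flags a subset of the checks from the list (eval/exec, unsafe deserialization, weak hashes, the random module, mktemp, shell=True, catch-all try-except-pass) and, for the malicious-package pattern described further down, eval/exec whose argument comes straight from base64.b64decode. Rule names and severity labels are assumptions for this example, not bandit's rule ids; the only thing taken from bandit is the convention that a line ending in a `# nosec` comment has been reviewed and is suppressed.

```python
import ast
from collections import Counter
from dataclasses import dataclass

# Constructed sample module (not a real PyPI package) exercising several of the
# checks; it is only parsed, never imported or executed, so pyyaml need not exist.
SAMPLE_SOURCE = '''\
import base64, hashlib, pickle, random, subprocess, yaml
from tempfile import mktemp

def load(blob):
    return pickle.loads(blob)

def parse(text):
    return yaml.load(text)

def token():
    return random.random()

def digest(data):
    return hashlib.md5(data).hexdigest()  # nosec: content checksum, not security

def run(cmd):
    subprocess.call(cmd, shell=True)

def risky():
    try:
        eval("1+1")
    except Exception:
        pass
    return mktemp()

def hidden(payload):
    exec(base64.b64decode(payload))
'''


@dataclass
class Finding:
    line: int
    severity: str
    rule: str
    message: str


# Qualified callee name -> (severity, rule, message). Severities are assumed
# labels for this example; bandit's own rule ids and ratings differ.
CALL_RULES = {
    "eval": ("MEDIUM", "eval", "eval() executes whatever string it is given"),
    "exec": ("MEDIUM", "exec", "exec() executes whatever string it is given"),
    "pickle.load": ("MEDIUM", "unsafe-deserialization", "pickle of untrusted data"),
    "pickle.loads": ("MEDIUM", "unsafe-deserialization", "pickle of untrusted data"),
    "yaml.load": ("MEDIUM", "unsafe-deserialization", "yaml.load (prefer yaml.safe_load)"),
    "hashlib.md5": ("LOW", "weak-hash", "MD5 is not collision resistant"),
    "hashlib.sha1": ("LOW", "weak-hash", "SHA1 is not collision resistant"),
    "random.random": ("LOW", "weak-prng", "random module is not cryptographically secure"),
    "random.randint": ("LOW", "weak-prng", "random module is not cryptographically secure"),
    "tempfile.mktemp": ("LOW", "insecure-tempfile", "mktemp() is racy; use mkstemp()"),
}
SHELL_CALLS = {"subprocess.call", "subprocess.run", "subprocess.Popen", "subprocess.check_output"}


class Scanner(ast.NodeVisitor):
    """Walks the module AST and records findings, in the spirit of bandit's plugins."""

    def __init__(self):
        self.findings = []
        self.aliases = {}  # local name -> qualified name, learned from import statements

    def visit_Import(self, node):
        for a in node.names:
            if a.asname:
                self.aliases[a.asname] = a.name

    def visit_ImportFrom(self, node):
        for a in node.names:
            self.aliases[a.asname or a.name] = f"{node.module}.{a.name}"

    def qualified(self, func):
        """Turn a callee expression into a dotted name such as 'hashlib.md5'."""
        parts = []
        while isinstance(func, ast.Attribute):
            parts.append(func.attr)
            func = func.value
        if not isinstance(func, ast.Name):
            return None  # e.g. a method called on the result of another call
        return ".".join([self.aliases.get(func.id, func.id)] + parts[::-1])

    def report(self, node, severity, rule, message):
        self.findings.append(Finding(node.lineno, severity, rule, message))

    def visit_Call(self, node):
        name = self.qualified(node.func)
        first = node.args[0] if node.args else None
        if name in ("eval", "exec") and isinstance(first, ast.Call) \
                and self.qualified(first.func) == "base64.b64decode":
            self.report(node, "HIGH", "encoded-exec", "eval/exec of Base64-decoded data")
        elif name in CALL_RULES:
            self.report(node, *CALL_RULES[name])
        if name in SHELL_CALLS:
            for kw in node.keywords:
                if kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True:
                    self.report(node, "HIGH", "shell-true", "subprocess invoked with shell=True")
        self.generic_visit(node)

    def visit_ExceptHandler(self, node):
        # A catch-all handler whose only statement is `pass` silently swallows every error.
        catch_all = node.type is None or (
            isinstance(node.type, ast.Name) and node.type.id in ("Exception", "BaseException"))
        if catch_all and len(node.body) == 1 and isinstance(node.body[0], ast.Pass):
            self.report(node, "LOW", "try-except-pass", "exception silently swallowed")
        self.generic_visit(node)


def scan(source: str) -> list:
    """Return findings sorted by line, dropping lines a reviewer marked with '# nosec'."""
    scanner = Scanner()
    scanner.visit(ast.parse(source))
    reviewed = {n for n, text in enumerate(source.splitlines(), 1) if "# nosec" in text}
    return sorted((f for f in scanner.findings if f.line not in reviewed), key=lambda f: f.line)


def severity_counts(findings) -> dict:
    """Tally findings by severity, the way the study's minor/moderate/severe split was produced."""
    return dict(Counter(f.severity for f in findings))


if __name__ == "__main__":
    results = scan(SAMPLE_SOURCE)
    for f in results:
        print(f"line {f.line:>3} {f.severity:<6} {f.rule}: {f.message}")
    print(severity_counts(results))
```

Run as a script it lists eight findings from the sample and their severity tally. The MD5 line produces no finding only because a human annotated it as a non-security checksum, which is exactly the manual-review step the bandit developer asks for: the scanner sees a call name, not the purpose of the call.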

Additionally, it can be noted that 8 malicious packages were detected in the PyPI catalog. The problematic packages were downloaded more than 30 times before being removed. To hide the malicious activity from simple static analyzers, the packages' code blocks were Base64-encoded and executed after decoding through an eval call.

The noblesse, genesisbot, are, suffer, noblesse2, and noblessev2 packages contained code that harvests credit card numbers and passwords stored in the Chrome and Edge browsers, extracts account tokens from the Discord application, and sends system data, including screenshots. The pytagora and pytagora2 packages included the ability to download and execute third-party executable code.

Source: opennet.ru
