python: PyPi public modules: How to determine if secure and safe?

I have completed my Python 3 application, and it is using multiple public modules from PyPI.

However, before I deploy it to run within my company's enterprise which will be handling credentials of our customers and accessing 3rd party APIs, I need to do due diligence that they are both secure and safe.

What steps must I perform:

  1. Validate the security of PyPI modules and that they are safe to use, and it is important to note that the target Python 3 app will be handling credentials?
  2. What is the most recommended way to validate a PyPI module's signature?
  3. Can a PyPI module signature be trusted?

By the way, the Python 3 application will be running within a Docker container.

Thank you

jeff00seattle asked Jun 21 '16 23:06



1 Answer

These are 3 separate questions, so:

  1. You'll have to audit the package (or get someone else to do that) to know if it's secure. No easy way around it.

  2. All PyPI packages have an MD5 signature attached (link in parentheses after the file). Some of them also attach the PGP signature, which shows up in the same place, but it's up to the author whether they're published or not (https://pypi.python.org/pypi/rpc4django, for example, includes both MD5 and PGP). MD5 verifies integrity. PGP verifies integrity and origin, so it's a better choice when available.

  3. Just as much as any other signature.

If you're worried about dependencies to that level, I think you should look at maintaining your internal PyPI repository. It gives you better verification (just sign the packages yourself after initial download and only accept your signature). It gives you better reliability and speed (you can still build the software if PyPI goes down). And it avoids issues with replaced / updated packages which you haven't audited/approved yet.

viraptor answered Sep 22 '22 04:09
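
An added example, not part of the answer above and not code from PyPI or pip: a sketch of the "only accept what you audited" gate that the answer recommends for an internal repository. SHA-256 digests of audited files go into a manifest, and HMAC-SHA256 with a locally held key stands in for the PGP signature the answer mentions; the file names, file contents and key are constructed for the demonstration.

```python
import hashlib
import hmac
import json

# Constructed sample artifacts: stand-ins for the bytes of audited sdists.
AUDITED = {
    "examplepkg-1.0.tar.gz": b"audited release contents",
    "otherpkg-2.3.tar.gz": b"another audited release",
}
SIGNING_KEY = b"constructed-demo-key"  # assumption: stored away from the repo host


def build_manifest(artifacts):
    """Record the SHA-256 of every artifact that passed the audit."""
    return {name: hashlib.sha256(data).hexdigest()
            for name, data in artifacts.items()}


def sign_manifest(manifest, key):
    """Tag the manifest; HMAC-SHA256 stands in for a PGP signature here."""
    payload = json.dumps(manifest, sort_keys=True).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def check_artifact(name, data, manifest, tag, key):
    """Return 'ok' only for an approved file listed in an untampered manifest."""
    if not hmac.compare_digest(sign_manifest(manifest, key), tag):
        return "manifest-tampered"   # manifest edited after it was signed
    expected = manifest.get(name)
    if expected is None:
        return "not-approved"        # new or updated release, never audited
    actual = hashlib.sha256(data).hexdigest()
    if not hmac.compare_digest(actual, expected):
        return "hash-mismatch"       # same file name, different bytes
    return "ok"


MANIFEST = build_manifest(AUDITED)
TAG = sign_manifest(MANIFEST, SIGNING_KEY)

if __name__ == "__main__":
    name = "examplepkg-1.0.tar.gz"
    print(check_artifact(name, AUDITED[name], MANIFEST, TAG, SIGNING_KEY))
    print(check_artifact(name, b"replaced upstream", MANIFEST, TAG, SIGNING_KEY))
```

For installs, pip's hash-checking mode (`pip install --require-hashes -r requirements.txt`) enforces pinned digests in the same spirit.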