Impact
There are two Python characteristics (1, 2) that allow malicious code to “poison-pill” command-line Safety package detection routines by disguising, or obfuscating, other malicious or non-secure packages.
This vulnerability is considered to be of low severity because the attack makes use of an existing Python condition, not the Safety tool itself.
This can happen if:
- You are running Safety in a Python environment that you don’t trust.
- You are running Safety from the same Python environment where you have your dependencies installed.
- Dependency packages are being installed arbitrarily or without proper verification.
Mitigation options
- Perform a static analysis by installing Docker and running the Safety Docker image:
  $ docker run --rm -it pyupio/safety check -r requirements.txt
- Run Safety against a static dependencies list, such as the requirements.txt file, in a separate, clean Python environment.
- Run Safety from a Continuous Integration pipeline.
- Use PyUp.io, which runs Safety in a controlled environment and checks Python dependencies without any need to install them.
- Use PyUp's Online Requirements Checker.
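The following script is an added example, not code from the advisory or from the Safety project, combining the second and third conditions above with the "clean environment" mitigation: it detects when the interpreter it runs in already has the project's dependencies installed (the situation the advisory warns about) and scans the static requirements.txt from a fresh virtual environment that contains only Safety. The requirements.txt parsing, the `.safety-venv` directory name and the reliance on the `safety` console script being installed by pip are assumptions of this example.

```python
"""Preflight for Safety runs (added example; not part of the advisory or of Safety).
Detects project dependencies installed in the current interpreter and scans the
static requirements.txt from a fresh venv that holds only Safety.
"""
import re
import subprocess
import sys
import venv
from importlib.metadata import distributions
from pathlib import Path

_NAME_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)")

def normalize(name):
    """PEP 503 normalisation so "Flask_Login" and "flask-login" compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()

def requirement_names(requirements_text):
    """Package names from a requirements.txt body; comments and -r/-e options skipped."""
    names = set()
    for line in requirements_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line and not line.startswith("-"):
            match = _NAME_RE.match(line)
            if match:
                names.add(normalize(match.group(1)))
    return names

def shared_packages(requirements_text, installed_names):
    """Project dependencies that are also installed in the interpreter running Safety."""
    return requirement_names(requirements_text) & {normalize(n) for n in installed_names}

def run_safety_in_clean_env(req_path, env_dir):
    """Create a venv containing only Safety and run the advisory's static check there."""
    venv.create(env_dir, with_pip=True, clear=True)  # clear=True: never reuse a tainted venv
    bin_dir = env_dir / ("Scripts" if sys.platform == "win32" else "bin")
    subprocess.run([str(bin_dir / "pip"), "install", "-q", "safety"], check=True)
    return subprocess.run([str(bin_dir / "safety"), "check", "-r", str(req_path)]).returncode

if __name__ == "__main__":
    req = Path(sys.argv[1] if len(sys.argv) > 1 else "requirements.txt")
    here = {d.metadata["Name"] for d in distributions() if d.metadata["Name"]}
    overlap = shared_packages(req.read_text(), here)
    if overlap:
        # The advisory's risky setup: Safety sharing an environment with the dependencies.
        print(f"{sorted(overlap)} installed in this interpreter; scanning from a clean venv")
    sys.exit(run_safety_in_clean_env(req, Path(".safety-venv")))
```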
References
https://mulch.dev/blog/CVE-2020-5252-python-safety-vuln/
https://github.com/akoumjian/python-safety-vuln
https://pyup.io/posts/patched-vulnerability/
Researchers
Alec Koumjian