Verify packages with Datadog's guarddog #1060

Open

edgarrmondragon opened this issue Dec 2, 2022 · 0 comments
Labels
kind/Feature New feature or request valuestream/Hub

@edgarrmondragon
Collaborator

Some of these checks may be useful:

| Heuristic | Description |
| --- | --- |
| Command overwrite | The install command is overwritten in the setup.py file, indicating that a system command is automatically run when installing the package through pip install. |
| Dynamic execution of base64-encoded data | A base64-encoded string ends up being executed by a function like exec or eval |
| Download of an executable to disk | Data coming from an HTTP response ends up being written to disk and made executable |
| Exfiltration of sensitive data to a remote server | Sensitive data from the environment ends up being sent through an HTTP request |
| Code execution in setup.py | Code in setup.py executes code dynamically or starts a new process |
| Unusual domain extension | Usage of a domain name with an extension frequently used by malware (e.g. .xyz or .top) |
| Dynamic execution of hidden data from an image | The package uses steganography to extract a payload from an image and execute it |
| Use of a common obfuscation method | The package uses an obfuscation method commonly used by malware, such as running eval on hexadecimal strings |

In particular, exec-base64 detected a backdoor in a FastAPI extension: https://securitylabs.datadoghq.com/articles/malicious-pypi-package-fastapi-toolkit/


Example execution for tap-getpocket using pipx and pip freeze:

```shell
pipx install git+https://github.com/edgarrmondragon/tap-getpocket.git
pipx runpip tap-getpocket freeze > requirements.txt
guarddog verify requirements.txt --json > results.json
```
Results JSON
[
    {
        "dependency": "appdirs",
        "version": "1.4.4",
        "result": {
            "issues": 0,
            "errors": {},
            "results": {
                "exfiltrate-sensitive-data": {},
                "obfuscation": {},
                "steganography": {},
                "exec-base64": {},
                "cmd-overwrite": {},
                "shady-links": {},
                "code-execution": {},
                "download-executable": {}
            },
            "path": "/var/folders/8b/z9sdckf92_g3hgnh6nv0yhbh0000gn/T/tmptr8m2ln1/appdirs"
        }
    },
    {
        "dependency": "attrs",
        "version": "22.1.0",
        "result": {
            "issues": 0,
            "errors": {},
            "results": {
                "exfiltrate-sensitive-data": {},
                "obfuscation": {},
                "steganography": {},
                "exec-base64": {},
                "cmd-overwrite": {},
                "shady-links": {},
                "code-execution": {},
                "download-executable": {}
            },
            "path": "/var/folders/8b/z9sdckf92_g3hgnh6nv0yhbh0000gn/T/tmpvou1f8j6/attrs"
        }
    },
    {
        "dependency": "backoff",
        "version": "2.2.1",
        "result": {
            "issues": 0,
            "errors": {},
            "results": {
                "exfiltrate-sensitive-data": {},
                "obfuscation": {},
                "steganography": {},
                "exec-base64": {},
                "cmd-overwrite": {},
                "shady-links": {},
                "code-execution": {},
                "download-executable": {}
            },
            "path": "/var/folders/8b/z9sdckf92_g3hgnh6nv0yhbh0000gn/T/tmpvbn21yvr/backoff"
        }
    },
    {
        "dependency": "certifi",
        "version": "2022.9.24",
        "result": {
            "issues": 0,
            "errors": {},
            "results": {
                "exfiltrate-sensitive-data": {},
                "obfuscation": {},
                "steganography": {},
                "exec-base64": {},
                "cmd-overwrite": {},
                "shady-links": {},
                "code-execution": {},
                "download-executable": {}
            },
            "path": "/var/folders/8b/z9sdckf92_g3hgnh6nv0yhbh0000gn/T/tmpqkdmplzl/certifi"
        }
    },
    {
        "dependency": "cffi",
        "version": "1.15.1",
        "result": {
            "issues": 0,
            "errors": {},
            "results": {
                "exfiltrate-sensitive-data": {},
                "obfuscation": {},
                "steganography": {},
                "exec-base64": {},
                "cmd-overwrite": {},
                "shady-links": {},
                "code-execution": {},
                "download-executable": {}
            },
            "path": "/var/folders/8b/z9sdckf92_g3hgnh6nv0yhbh0000gn/T/tmpoq43ygar/cffi"
        }
    },
    {
        "dependency": "charset-normalizer",
        "version": "2.1.1",
        "result": {
            "issues": 0,
            "errors": {},
            "results": {
                "exfiltrate-sensitive-data": {},
                "obfuscation": {},
                "steganography": {},
                "exec-base64": {},
                "cmd-overwrite": {},
                "shady-links": {},
                "code-execution": {},
                "download-executable": {}
            },
            "path": "/var/folders/8b/z9sdckf92_g3hgnh6nv0yhbh0000gn/T/tmpybjfohg7/charset-normalizer"
        }
    },
    {
        "dependency": "click",
        "version": "8.1.3",
        "result": {
            "issues": 0,
            "errors": {},
            "results": {
                "exfiltrate-sensitive-data": {},
                "obfuscation": {},
                "steganography": {},
                "exec-base64": {},
                "cmd-overwrite": {},
                "shady-links": {},
                "code-execution": {},
                "download-executable": {}
            },
            "path": "/var/folders/8b/z9sdckf92_g3hgnh6nv0yhbh0000gn/T/tmpckftknlk/click"
        }
    },
    {
        "dependency": "cryptography",
        "version": "38.0.4",
        "result": {
            "issues": 1,
            "errors": {},
            "results": {
                "exfiltrate-sensitive-data": {},
                "obfuscation": {},
                "steganography": {},
                "exec-base64": {},
                "cmd-overwrite": {},
                "shady-links": {},
                "code-execution": [
                    {
                        "location": "cryptography-38.0.4/setup.py:99",
                        "code": "            rustc_output = subprocess.run(\n                [\"rustc\", \"--version\"],\n                capture_output=True,\n                timeout=0.5,\n                encoding=\"utf8\",\n                check=True,\n            ).stdout",
                        "message": "setup.py file executing code"
                    }
                ],
                "download-executable": {}
            },
            "path": "/var/folders/8b/z9sdckf92_g3hgnh6nv0yhbh0000gn/T/tmpg6_21bam/cryptography"
        }
    },
    {
        "dependency": "decorator",
        "version": "5.1.1",
        "result": {
            "issues": 0,
            "errors": {},
            "results": {
                "exfiltrate-sensitive-data": {},
                "obfuscation": {},
                "steganography": {},
                "exec-base64": {},
                "cmd-overwrite": {},
                "shady-links": {},
                "code-execution": {},
                "download-executable": {}
            },
            "path": "/var/folders/8b/z9sdckf92_g3hgnh6nv0yhbh0000gn/T/tmpyrfvyf3l/decorator"
        }
    },
    {
        "dependency": "fs",
        "version": "2.4.16",
        "result": {
            "issues": 0,
            "errors": {},
            "results": {
                "exfiltrate-sensitive-data": {},
                "obfuscation": {},
                "steganography": {},
                "exec-base64": {},
                "cmd-overwrite": {},
                "shady-links": {},
                "code-execution": {},
                "download-executable": {}
            },
            "path": "/var/folders/8b/z9sdckf92_g3hgnh6nv0yhbh0000gn/T/tmp4pa90msu/fs"
        }
    },
    {
        "dependency": "greenlet",
        "version": "2.0.1",
        "result": {
            "issues": 0,
            "errors": {},
            "results": {
                "exfiltrate-sensitive-data": {},
                "obfuscation": {},
                "steganography": {},
                "exec-base64": {},
                "cmd-overwrite": {},
                "shady-links": {},
                "code-execution": {},
                "download-executable": {}
            },
            "path": "/var/folders/8b/z9sdckf92_g3hgnh6nv0yhbh0000gn/T/tmp_i6ua1tw/greenlet"
        }
    },
    {
        "dependency": "idna",
        "version": "3.4",
        "result": {
            "issues": 0,
            "errors": {},
            "results": {
                "exfiltrate-sensitive-data": {},
                "obfuscation": {},
                "steganography": {},
                "exec-base64": {},
                "cmd-overwrite": {},
                "shady-links": {},
                "code-execution": {},
                "download-executable": {}
            },
            "path": "/var/folders/8b/z9sdckf92_g3hgnh6nv0yhbh0000gn/T/tmpcslqlvtm/idna"
        }
    },
    {
        "dependency": "inflection",
        "version": "0.5.1",
        "result": {
            "issues": 0,
            "errors": {},
            "results": {
                "exfiltrate-sensitive-data": {},
                "obfuscation": {},
                "steganography": {},
                "exec-base64": {},
                "cmd-overwrite": {},
                "shady-links": {},
                "code-execution": {},
                "download-executable": {}
            },
            "path": "/var/folders/8b/z9sdckf92_g3hgnh6nv0yhbh0000gn/T/tmpemcrd7_9/inflection"
        }
    },
    {
        "dependency": "joblib",
        "version": "1.2.0",
        "result": {
            "issues": 0,
            "errors": {},
            "results": {
                "exfiltrate-sensitive-data": {},
                "obfuscation": {},
                "steganography": {},
                "exec-base64": {},
                "cmd-overwrite": {},
                "shady-links": {},
                "code-execution": {},
                "download-executable": {}
            },
            "path": "/var/folders/8b/z9sdckf92_g3hgnh6nv0yhbh0000gn/T/tmpu2ly475t/joblib"
        }
    },
    {
        "dependency": "jsonpath-ng",
        "version": "1.5.3",
        "result": {
            "issues": 0,
            "errors": {},
            "results": {
                "exfiltrate-sensitive-data": {},
                "obfuscation": {},
                "steganography": {},
                "exec-base64": {},
                "cmd-overwrite": {},
                "shady-links": {},
                "code-execution": {},
                "download-executable": {}
            },
            "path": "/var/folders/8b/z9sdckf92_g3hgnh6nv0yhbh0000gn/T/tmpuqlm8_1m/jsonpath-ng"
        }
    },
    {
        "dependency": "jsonschema",
        "version": "4.17.3",
        "result": {
            "issues": 0,
            "errors": {},
            "results": {
                "exfiltrate-sensitive-data": {},
                "obfuscation": {},
                "steganography": {},
                "exec-base64": {},
                "cmd-overwrite": {},
                "shady-links": {},
                "code-execution": {},
                "download-executable": {}
            },
            "path": "/var/folders/8b/z9sdckf92_g3hgnh6nv0yhbh0000gn/T/tmpsb4o0s7l/jsonschema"
        }
    },
    {
        "dependency": "memoization",
        "version": "0.4.0",
        "result": {
            "issues": 0,
            "errors": {},
            "results": {
                "exfiltrate-sensitive-data": {},
                "obfuscation": {},
                "steganography": {},
                "exec-base64": {},
                "cmd-overwrite": {},
                "shady-links": {},
                "code-execution": {},
                "download-executable": {}
            },
            "path": "/var/folders/8b/z9sdckf92_g3hgnh6nv0yhbh0000gn/T/tmpu2mcl3j0/memoization"
        }
    },
    {
        "dependency": "pendulum",
        "version": "2.1.2",
        "result": {
            "issues": 0,
            "errors": {},
            "results": {
                "exfiltrate-sensitive-data": {},
                "obfuscation": {},
                "steganography": {},
                "exec-base64": {},
                "cmd-overwrite": {},
                "shady-links": {},
                "code-execution": {},
                "download-executable": {}
            },
            "path": "/var/folders/8b/z9sdckf92_g3hgnh6nv0yhbh0000gn/T/tmpzcobv_9v/pendulum"
        }
    },
    {
        "dependency": "ply",
        "version": "3.11",
        "result": {
            "issues": 0,
            "errors": {},
            "results": {
                "exfiltrate-sensitive-data": {},
                "obfuscation": {},
                "steganography": {},
                "exec-base64": {},
                "cmd-overwrite": {},
                "shady-links": {},
                "code-execution": {},
                "download-executable": {}
            },
            "path": "/var/folders/8b/z9sdckf92_g3hgnh6nv0yhbh0000gn/T/tmpv9ic2esl/ply"
        }
    },
    {
        "dependency": "pycparser",
        "version": "2.21",
        "result": {
            "issues": 1,
            "errors": {},
            "results": {
                "exfiltrate-sensitive-data": {},
                "obfuscation": {},
                "steganography": {},
                "exec-base64": {},
                "cmd-overwrite": [
                    {
                        "location": "pycparser-2.21/setup.py:35",
                        "code": "setup(\n    # metadata\n    name='pycparser',\n    description='C parser in Python',\n    long_description=\"\"\"\n        pycparser is a complete parser of the C language, written in\n        pure Python using the PLY parsing library.\n        It pa... sdist},\n)",
                        "message": "Standard pip command overwritten in setup.py"
                    }
                ],
                "shady-links": {},
                "code-execution": {},
                "download-executable": {}
            },
            "path": "/var/folders/8b/z9sdckf92_g3hgnh6nv0yhbh0000gn/T/tmp2sd_ekor/pycparser"
        }
    },
    {
        "dependency": "PyJWT",
        "version": "2.6.0",
        "result": {
            "issues": 0,
            "errors": {},
            "results": {
                "exfiltrate-sensitive-data": {},
                "obfuscation": {},
                "steganography": {},
                "exec-base64": {},
                "cmd-overwrite": {},
                "shady-links": {},
                "code-execution": {},
                "download-executable": {}
            },
            "path": "/var/folders/8b/z9sdckf92_g3hgnh6nv0yhbh0000gn/T/tmp8hg4etm_/PyJWT"
        }
    },
    {
        "dependency": "pyrsistent",
        "version": "0.19.2",
        "result": {
            "issues": 0,
            "errors": {},
            "results": {
                "exfiltrate-sensitive-data": {},
                "obfuscation": {},
                "steganography": {},
                "exec-base64": {},
                "cmd-overwrite": {},
                "shady-links": {},
                "code-execution": {},
                "download-executable": {}
            },
            "path": "/var/folders/8b/z9sdckf92_g3hgnh6nv0yhbh0000gn/T/tmpom7bg167/pyrsistent"
        }
    },
    {
        "dependency": "python-dateutil",
        "version": "2.8.2",
        "result": {
            "issues": 0,
            "errors": {},
            "results": {
                "exfiltrate-sensitive-data": {},
                "obfuscation": {},
                "steganography": {},
                "exec-base64": {},
                "cmd-overwrite": {},
                "shady-links": {},
                "code-execution": {},
                "download-executable": {}
            },
            "path": "/var/folders/8b/z9sdckf92_g3hgnh6nv0yhbh0000gn/T/tmp5e5mu4ti/python-dateutil"
        }
    },
    {
        "dependency": "python-dotenv",
        "version": "0.21.0",
        "result": {
            "issues": 0,
            "errors": {},
            "results": {
                "exfiltrate-sensitive-data": {},
                "obfuscation": {},
                "steganography": {},
                "exec-base64": {},
                "cmd-overwrite": {},
                "shady-links": {},
                "code-execution": {},
                "download-executable": {}
            },
            "path": "/var/folders/8b/z9sdckf92_g3hgnh6nv0yhbh0000gn/T/tmpec3td2ce/python-dotenv"
        }
    },
    {
        "dependency": "pytz",
        "version": "2022.6",
        "result": {
            "issues": 0,
            "errors": {},
            "results": {
                "exfiltrate-sensitive-data": {},
                "obfuscation": {},
                "steganography": {},
                "exec-base64": {},
                "cmd-overwrite": {},
                "shady-links": {},
                "code-execution": {},
                "download-executable": {}
            },
            "path": "/var/folders/8b/z9sdckf92_g3hgnh6nv0yhbh0000gn/T/tmpa2kh8_18/pytz"
        }
    },
    {
        "dependency": "pytzdata",
        "version": "2020.1",
        "result": {
            "issues": 0,
            "errors": {},
            "results": {
                "exfiltrate-sensitive-data": {},
                "obfuscation": {},
                "steganography": {},
                "exec-base64": {},
                "cmd-overwrite": {},
                "shady-links": {},
                "code-execution": {},
                "download-executable": {}
            },
            "path": "/var/folders/8b/z9sdckf92_g3hgnh6nv0yhbh0000gn/T/tmpaou479s7/pytzdata"
        }
    },
    {
        "dependency": "PyYAML",
        "version": "6.0",
        "result": {
            "issues": 0,
            "errors": {},
            "results": {
                "exfiltrate-sensitive-data": {},
                "obfuscation": {},
                "steganography": {},
                "exec-base64": {},
                "cmd-overwrite": {},
                "shady-links": {},
                "code-execution": {},
                "download-executable": {}
            },
            "path": "/var/folders/8b/z9sdckf92_g3hgnh6nv0yhbh0000gn/T/tmpphll_zt8/PyYAML"
        }
    },
    {
        "dependency": "PyYAML",
        "version": "6.0b1",
        "result": {
            "issues": 0,
            "errors": {},
            "results": {
                "exfiltrate-sensitive-data": {},
                "obfuscation": {},
                "steganography": {},
                "exec-base64": {},
                "cmd-overwrite": {},
                "shady-links": {},
                "code-execution": {},
                "download-executable": {}
            },
            "path": "/var/folders/8b/z9sdckf92_g3hgnh6nv0yhbh0000gn/T/tmp734uzumh/PyYAML"
        }
    },
    {
        "dependency": "requests",
        "version": "2.28.1",
        "result": {
            "issues": 0,
            "errors": {},
            "results": {
                "exfiltrate-sensitive-data": {},
                "obfuscation": {},
                "steganography": {},
                "exec-base64": {},
                "cmd-overwrite": {},
                "shady-links": {},
                "code-execution": {},
                "download-executable": {}
            },
            "path": "/var/folders/8b/z9sdckf92_g3hgnh6nv0yhbh0000gn/T/tmpd1wr40zq/requests"
        }
    },
    {
        "dependency": "simplejson",
        "version": "3.18.0",
        "result": {
            "issues": 1,
            "errors": {},
            "results": {
                "exfiltrate-sensitive-data": {},
                "obfuscation": {},
                "steganography": {},
                "exec-base64": {},
                "cmd-overwrite": {},
                "shady-links": {},
                "code-execution": [
                    {
                        "location": "simplejson-3.18.0/setup.py:87",
                        "code": "            subprocess.call([sys.executable,\n                             # Turn on deprecation warnings\n                             '-Wd',\n                             'simplejson/tests/__init__.py']))",
                        "message": "setup.py file executing code"
                    }
                ],
                "download-executable": {}
            },
            "path": "/var/folders/8b/z9sdckf92_g3hgnh6nv0yhbh0000gn/T/tmpsx98ixfk/simplejson"
        }
    },
    {
        "dependency": "singer-sdk",
        "version": "0.14.0",
        "result": {
            "issues": 0,
            "errors": {},
            "results": {
                "exfiltrate-sensitive-data": {},
                "obfuscation": {},
                "steganography": {},
                "exec-base64": {},
                "cmd-overwrite": {},
                "shady-links": {},
                "code-execution": {},
                "download-executable": {}
            },
            "path": "/var/folders/8b/z9sdckf92_g3hgnh6nv0yhbh0000gn/T/tmpm_hberzg/singer-sdk"
        }
    },
    {
        "dependency": "six",
        "version": "1.16.0",
        "result": {
            "issues": 0,
            "errors": {},
            "results": {
                "exfiltrate-sensitive-data": {},
                "obfuscation": {},
                "steganography": {},
                "exec-base64": {},
                "cmd-overwrite": {},
                "shady-links": {},
                "code-execution": {},
                "download-executable": {}
            },
            "path": "/var/folders/8b/z9sdckf92_g3hgnh6nv0yhbh0000gn/T/tmpnysji8bl/six"
        }
    },
    {
        "dependency": "SQLAlchemy",
        "version": "1.4.44",
        "result": {
            "issues": 0,
            "errors": {},
            "results": {
                "exfiltrate-sensitive-data": {},
                "obfuscation": {},
                "steganography": {},
                "exec-base64": {},
                "cmd-overwrite": {},
                "shady-links": {},
                "code-execution": {},
                "download-executable": {}
            },
            "path": "/var/folders/8b/z9sdckf92_g3hgnh6nv0yhbh0000gn/T/tmp3xb06muv/SQLAlchemy"
        }
    },
    {
        "dependency": "tap-getpocket",
        "version": null,
        "result": {
            "issues": 1,
            "errors": {},
            "results": {
                "empty_information": "This package has an empty description on PyPi",
                "exfiltrate-sensitive-data": {},
                "obfuscation": {},
                "steganography": {},
                "exec-base64": {},
                "cmd-overwrite": {},
                "shady-links": {},
                "code-execution": {},
                "download-executable": {}
            },
            "path": "/var/folders/8b/z9sdckf92_g3hgnh6nv0yhbh0000gn/T/tmpvzo51ll5/tap-getpocket"
        }
    },
    {
        "dependency": "typing-extensions",
        "version": "4.4.0",
        "result": {
            "issues": 0,
            "errors": {},
            "results": {
                "exfiltrate-sensitive-data": {},
                "obfuscation": {},
                "steganography": {},
                "exec-base64": {},
                "cmd-overwrite": {},
                "shady-links": {},
                "code-execution": {},
                "download-executable": {}
            },
            "path": "/var/folders/8b/z9sdckf92_g3hgnh6nv0yhbh0000gn/T/tmpixj7zk6e/typing-extensions"
        }
    },
    {
        "dependency": "urllib3",
        "version": "1.26.13",
        "result": {
            "issues": 0,
            "errors": {},
            "results": {
                "exfiltrate-sensitive-data": {},
                "obfuscation": {},
                "steganography": {},
                "exec-base64": {},
                "cmd-overwrite": {},
                "shady-links": {},
                "code-execution": {},
                "download-executable": {}
            },
            "path": "/var/folders/8b/z9sdckf92_g3hgnh6nv0yhbh0000gn/T/tmp2lp6c9mu/urllib3"
        }
    }
]
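A small consumer of the output above, added here as an example and not code from guarddog or from this issue: it parses the `verify --json` array (a rule maps to `{}` when nothing matched, to a list of hits when something did, and `empty_information` maps to a bare string), flattens the hits into one record each, and turns them into a CI verdict. Which rules block the build and which only need a reviewer's look, and the `(dependency, rule)` allowlist for findings already triaged (such as the `code-execution` hit on cryptography's `rustc --version` check), are this example's own design choices. The sample input is constructed to mirror the format shown; pass a real `results.json` path as the first argument to run it on actual output.

```python
"""Triage guarddog's `verify --json` output for a CI gate.

Added example, not code from guarddog or from the issue above. It consumes the
per-dependency result objects shown in the issue and decides whether the
pipeline should fail. Rule severities and the allowlist are this example's own.
"""
from __future__ import annotations

import json
import sys
from dataclasses import dataclass
from typing import Any, Iterable, Optional

# Constructed sample mirroring the shape of the issue's results.json: a rule
# maps to {} when nothing matched, to a list of hits when something did, and
# "empty_information" maps to a plain string.
SAMPLE_RESULTS_JSON = """
[
  {"dependency": "appdirs", "version": "1.4.4",
   "result": {"issues": 0, "errors": {},
              "results": {"exec-base64": {}, "code-execution": {}, "cmd-overwrite": {}},
              "path": "/tmp/constructed/appdirs"}},
  {"dependency": "cryptography", "version": "38.0.4",
   "result": {"issues": 1, "errors": {},
              "results": {"exec-base64": {},
                          "code-execution": [{"location": "cryptography-38.0.4/setup.py:99",
                                              "code": "rustc_output = subprocess.run(['rustc', '--version'], ...)",
                                              "message": "setup.py file executing code"}],
                          "cmd-overwrite": {}},
              "path": "/tmp/constructed/cryptography"}},
  {"dependency": "constructed-example", "version": null,
   "result": {"issues": 2, "errors": {},
              "results": {"empty_information": "This package has an empty description on PyPi",
                          "exec-base64": [{"location": "constructed-example/setup.py:3",
                                           "code": "exec(base64.b64decode(blob))",
                                           "message": "base64-encoded data executed"}],
                          "code-execution": {}, "cmd-overwrite": {}},
              "path": "/tmp/constructed/constructed-example"}}
]
"""

# Assumption of this example: heuristics describing malicious behaviour fail the
# build; the two that the issue shows firing on legitimate build steps
# (cryptography, pycparser, simplejson) and the metadata check only need review.
BLOCKING_RULES = frozenset({
    "exec-base64", "download-executable", "exfiltrate-sensitive-data",
    "steganography", "obfuscation", "shady-links",
})


@dataclass(frozen=True)
class Finding:
    dependency: str
    version: Optional[str]
    rule: str
    location: Optional[str]   # "file:line" inside the unpacked sdist, when given
    message: str


def load_report(text: str) -> list[dict[str, Any]]:
    """Parse the JSON array guarddog writes with --json."""
    report = json.loads(text)
    if not isinstance(report, list):
        raise ValueError("expected a JSON array of per-dependency results")
    return report


def extract_findings(report: Iterable[dict[str, Any]]) -> list[Finding]:
    """Flatten every matched rule into one Finding per hit."""
    findings: list[Finding] = []
    for entry in report:
        dep, version = entry["dependency"], entry.get("version")
        result = entry.get("result", {})
        for rule, value in result.get("results", {}).items():
            if isinstance(value, list):             # code heuristics: list of hits
                for hit in value:
                    findings.append(Finding(dep, version, rule,
                                            hit.get("location"), hit.get("message", "")))
            elif isinstance(value, str) and value:  # metadata heuristics: bare string
                findings.append(Finding(dep, version, rule, None, value))
            # an empty dict means the rule ran and matched nothing
        for rule, err in result.get("errors", {}).items():
            # A rule that crashed gave no verdict; surface it instead of treating it as clean.
            findings.append(Finding(dep, version, f"error:{rule}", None, str(err)))
    return findings


def evaluate(report: Iterable[dict[str, Any]], allowlist=frozenset()) -> dict[str, Any]:
    """Split findings into blocking and review-only; allowlist holds (dependency, rule) pairs."""
    blocking, review = [], []
    for f in extract_findings(report):
        if (f.dependency, f.rule) in allowlist:
            continue
        (blocking if f.rule in BLOCKING_RULES else review).append(f)
    return {"fail": bool(blocking), "blocking": blocking, "review": review}


def main(argv: list[str]) -> int:
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_RESULTS_JSON
    verdict = evaluate(load_report(text))
    for label in ("blocking", "review"):
        for f in verdict[label]:
            print(f"[{label}] {f.dependency} {f.version or '?'} {f.rule}"
                  f" @ {f.location or '-'}: {f.message}")
    return 1 if verdict["fail"] else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Keeping `code-execution` and `cmd-overwrite` on the review side rather than blocking is what lets the three legitimate hits in the run above pass without silencing the rules; the allowlist then records each reviewed `(dependency, rule)` pair so the same finding does not come back on every run while a new hit on a different package still does.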