Demo Python Remediated

A demonstration Python application showcasing remediated dependencies for solutions engineers. This project demonstrates the difference between vulnerable and patched versions of dependencies, specifically focusing on CVE-2024-23334 in aiohttp.

Prerequisites (steps below):

• Access to internal-libraries-testing, chainguard-edu or chainguard-private in the console for libraries access
• Access to Chainguard's Artifactory instance
• Access to demo-python-remediated, go to ynad download the code and cd into python-remediated-demo
• Access to ecosystem-packages as IT if unable now

Configure Docker to

Make sure you authenticate to you Chainguard registry and update your local Docker config (docs here). Please specify and group name with images.

(Odds are you've already done this.)

Configuring pip for Artifactory

First, go to Chainguard's Virtual Repositories. Then hover on "PyPi-Group", click the [...] on the right and select "Set Me Up".

Enter your password, and set the client at the top-right as pip. Then you should see a URL like:

https://<email>:<token>@chainguard.jfrog.io/artifactory/api/pypi/PyPI-Group/simple

For this project to pickup Chainguard's patches, you will need a uv.toml file at the root of your project with the following structure:

index-strategy = "unsafe-best-match"

[[index]]
name = "chainguard-remediated"
url = "https://<email>:<token>@chainguard.jfrog.io/artifactory/api/pypi/PyPI-Group/simple"

I recommend storing the config above in a file called temp.uv.toml. I added this file to the gitignore. This way you can change your uv.toml file to temp.uv.toml for vulnerable builds, then back for patched builds.

Building with Vulnerable Version (PyPi)

From pypi (vulnerable version)

# remove any existing uv.toml
[ -f uv.toml ] && rm uv.toml

# build without a uv.toml (using default pypi.org index)
docker build --no-cache . -t python-remediated:vulnerable

Run & Test Expoit

Run vulnerable container (change name to run patched)

docker run --rm -it -p 8080:8080 python-remediated:vulnerable

In a separate shell test valid/non-malicious request

curl localhost:8080/static/index.html

In a separate shell, test malicious request. This should print out the usename and password of the static secret file, and represents a traversal exploit:

curl --path-as-is localhost:8080/static/../secret.cfg

Building with With Chainguard Libraries

# create uv.toml. note that we need 'unsafe-best-match' to use dependencies
# from the main repo when installing packages from the remediated repo
cat > uv.toml <<EOF
index-strategy = "unsafe-best-match"

[[index]]
name = "chainguard-remediated"
url = "https://<email>:<token>@chainguard.jfrog.io/artifactory/api/pypi/PyPI-Group/simple"
EOF

##########################################
# MANUAL STEP - fill out username/password
##########################################

# build with uv.toml (using chainguard repos)
# make sure to use --no-cache or this will reuse the dependency layer from the
# vulnerable version instead of rebuilding properly
docker build --no-cache --secret id=uv_toml,src=./uv.toml . -t python-remediated:patched

Show Exploit Prevention

Run the chainguard image that is now using Chainguard Libraries

docker run --rm -it -p 8080:8080 python-remediated:patched

In a separate shell test valid/non-malicious request

curl localhost:8080/static/index.html

In a separate shell, test malicious request. This should not succeed and will display a 404 Error. illustrating CVE back-porting resolution:

curl --path-as-is localhost:8080/static/../secret.cfg

Useful links

These links will help you show our process:

1. How we find a patch
2. How we apply the upstream patch to prior versions
3. How we run baseline tests
4. How we run regression tests
5. Which versions we build for (when a patch is built/passes tests)
6. Our VEX feed updates

Here are the useline links for proof (number w.r.t points above):

1. Upstream patch metadata https://github.com/chainguard-dev/ecosystems-packages/blob/main/python/vulnerabilities/triaged/aiohttp-CVE-2024-23334.yaml
2. Our patch/code-change https://github.com/chainguard-dev/ecosystems-packages/blob/main/python/patches/aiohttp-3.9.1%2Bcgr.1/0002-CVE-2024-23334-primary-fix.patch
3. Baseline tests https://github.com/chainguard-dev/ecosystems-packages/blob/main/python/package-metadata/upstream-tests/aiohttp/3.9.1.yaml
4. Regression tests https://github.com/chainguard-dev/ecosystems-packages/blob/main/python/vulnerabilities/remediated/aiohttp-CVE-2024-23334/3.9.1.yaml#L78-L93
5. List of hardened packages https://libraries.cgr.dev/python-remediated/simple/ access docs here chainctl auth pull-token --library-ecosystem=python --parent=internal-libraries-testing --ttl=8670h
6. VEX feed https://libraries.cgr.dev/openvex/v1/all.json