Introduction of a supply chain attack

[earonesty]

changing this in a program that has no deps:

subprocess.run(
["ls], cwd=build_temp, check=True
)

to a security module and a requirements.txt requirement with no ---hash

means that we have strictly made things less secure.

i think

1. if there no variables used in the subprocess call, then probably, it's better not to introduce a new dependency
2. anytime when adding to requirements.txt, include the --hash sha256:... command, to make it harder to attack

[drdavella]

Hi @earonesty thanks so much for your feedback.

First of all, correct me if I'm wrong, but I'm assuming this change was introduced by @pixeebot? If so, and if it was in a public repository, would you mind sharing a link to the PR?

To address your specific comments:

• Yes you are correct that in this case, with a hard-coded command, it looks like there's not as much value in adding this hardening layer. This change is actually implemented here: https://github.com/pixee/codemodder-python/blob/main/src/core_codemods/process_creation_sandbox.py. I will open an issue on https://github.com/pixee/codemodder-python to suggest that we should try harder to detect this case.
• Your idea about adding a specific --hash for requirements.txt is a good one. I'm not entirely sure whether this is possible for dependencies expressed in setup.py or pyproject.toml but it bears more research

[drdavella]

Closing this issue since the items raised here are really related to the behavior of https://github.com/pixee/codemodder-python. Please see the linked issues and join the discussion there.

Thanks again for your feedback.