pipenv checks outside of pipenv-managed venv #4819

Closed
tucked opened this issue Oct 29, 2021 · 13 comments
Labels
Status: Awaiting Update ⏳ This issue requires more information before assistance can be provided. Type: Question ❔ This is a question or a request for support.

Comments

@tucked
Contributor

tucked commented Oct 29, 2021

Issue description

pipenv check can fail on packages not managed by pipenv.

python3 -m venv venv
venv/bin/python -m pip install --upgrade 'pip<21' pipenv
venv/bin/pipenv --python="$PWD/venv/bin/python" install 'pip>=21'
venv/bin/pipenv check

It doesn't seem to matter if PIPENV_IGNORE_VIRTUALENVS is set.

Expected result

Checking PEP 508 requirements...
Passed!
Checking installed package safety...
All good!

Actual result

Checking PEP 508 requirements...
Passed!
Checking installed package safety...
40291: pip <21.1 resolved (20.3.4 installed)!
Pip version 21.1 updates its dependency "urllib3" to 1.26.4 to fix CVE-2021-28363.

pipenv check --verbose
Checking PEP 508 requirements...
Running command: $ /ifs/home/dtucker/.local/share/virtualenvs/tmp.X2jD7mSKG6-hzRazx7h/bin/python /tmp/tmp.X2jD7mSKG6/venv/lib/python3.6/site-packages/pipenv/pep508checker.py
Command output: {"os_name": "posix", "sys_platform": "linux", "platform_machine": "x86_64", "platform_python_implementation": "CPython", "platform_release": "4.15.0-159-generic", "platform_system": "Linux", "platform_version": "#167-Ubuntu SMP Tue Sep 21 08:55:05 UTC 2021", "python_version": "3.6", "python_full_version": "3.6.9", "implementation_name": "cpython", "implementation_version": "3.6.9"}

Passed!
Checking installed package safety...
Running command: $ /ifs/home/dtucker/.local/share/virtualenvs/tmp.X2jD7mSKG6-hzRazx7h/bin/python /tmp/tmp.X2jD7mSKG6/venv/lib/python3.6/site-packages/pipenv/patched/safety check --json
Command output: [
[
"pip",
"<21.1",
"20.3.4",
"Pip version 21.1 updates its dependency "urllib3" to 1.26.4 to fix CVE-2021-28363.",
"40291"
]
]

40291: pip <21.1 resolved (20.3.4 installed)!
Pip version 21.1 updates its dependency "urllib3" to 1.26.4 to fix CVE-2021-28363.


$ pipenv --support

Pipenv version: '2021.5.29'

Pipenv location: '/tmp/tmp.X2jD7mSKG6/venv/lib/python3.6/site-packages/pipenv'

Python location: '/tmp/tmp.X2jD7mSKG6/venv/bin/python'

Python installations found:

  • 3.10.0: /ifs/home/dtucker/.pyenv/versions/3.10.0/bin/python3
  • 3.9.7: /ifs/home/dtucker/.pyenv/versions/3.9.7/bin/python3
  • 3.9.0: /ifs/home/dtucker/.pyenv/versions/3.9.0/bin/python3
  • 3.8.12: /ifs/home/dtucker/.pyenv/versions/3.8.12/bin/python3.8
  • 3.8.6: /ifs/home/dtucker/.pyenv/versions/3.8.6/bin/python3.8
  • 3.8.0: /ifs/home/dtucker/.pyenv/versions/3.8.0/bin/python3.8
  • 3.8.0: /usr/bin/python3.8
  • 3.7.12: /ifs/home/dtucker/.pyenv/versions/3.7.12/bin/python3.7m
  • 3.7.9: /ifs/home/dtucker/.pyenv/versions/3.7.9/bin/python3.7m
  • 3.7.5: /usr/bin/python3.7
  • 3.7.5: /usr/bin/python3.7m
  • 3.7.4: /ifs/home/dtucker/.pyenv/versions/3.7.4/bin/python3.7m
  • 3.7.1: /ifs/home/dtucker/.pyenv/versions/3.7.1/bin/python3.7m
  • 3.6.15: /ifs/home/dtucker/.pyenv/versions/3.6.15/bin/python3.6m
  • 3.6.12: /ifs/home/dtucker/.pyenv/versions/3.6.12/bin/python3.6m
  • 3.6.9: /ifs/home/dtucker/.pyenv/versions/3.6.9/bin/python3.6m
  • 3.6.9: /usr/bin/python3.6
  • 3.6.9: /usr/bin/python3.6m
  • 3.6.9: /usr/bin/python3
  • 3.5.10: /ifs/home/dtucker/.pyenv/versions/3.5.10/bin/python3.5m
  • 3.5.7: /ifs/home/dtucker/.pyenv/versions/3.5.7/bin/python3.5m
  • 3.4.10: /ifs/home/dtucker/.pyenv/versions/3.4.10/bin/python3.4m
  • 2.7.18: /ifs/home/dtucker/.pyenv/versions/2.7.18/bin/python2.7
  • 2.7.17: /usr/bin/python2
  • 2.7.17: /usr/bin/python2.7
  • 2.7.16: /ifs/home/dtucker/.pyenv/versions/2.7.16/bin/python2.7
  • 2.6.9: /ifs/home/dtucker/.pyenv/versions/2.6.9/bin/python2.6

PEP 508 Information:

{'implementation_name': 'cpython',
 'implementation_version': '3.6.9',
 'os_name': 'posix',
 'platform_machine': 'x86_64',
 'platform_python_implementation': 'CPython',
 'platform_release': '4.15.0-159-generic',
 'platform_system': 'Linux',
 'platform_version': '#167-Ubuntu SMP Tue Sep 21 08:55:05 UTC 2021',
 'python_full_version': '3.6.9',
 'python_version': '3.6',
 'sys_platform': 'linux'}

System environment variables:

  • LC_ALL
  • LS_COLORS
  • SSH_CONNECTION
  • LANG
  • HISTCONTROL
  • HOSTNAME
  • OLDPWD
  • EDITOR
  • GPG_TTY
  • PYENV_VIRTUALENV_INIT
  • JIRA_PROXY
  • S_COLORS
  • XDG_SESSION_ID
  • PIP_INDEX_URL
  • USER
  • PWD
  • HOME
  • SSH_CLIENT
  • TESTLAB_LOG_DIRECTORY
  • TMUX
  • PIP_REQUIRE_VIRTUALENV
  • SSH_TTY
  • MAIL
  • TERM
  • SHELL
  • TMUX_PANE
  • SHLVL
  • PYENV_SHELL
  • LOGNAME
  • DBUS_SESSION_BUS_ADDRESS
  • HELIX_LOGDIR
  • XDG_RUNTIME_DIR
  • PIP_TRUSTED_HOST
  • PATH
  • PS1
  • HISTSIZE
  • _
  • PIP_DISABLE_PIP_VERSION_CHECK
  • PYTHONDONTWRITEBYTECODE
  • PIP_SHIMS_BASE_MODULE
  • PIP_PYTHON_PATH
  • PYTHONFINDER_IGNORE_UNSUPPORTED

Pipenv–specific environment variables:

Debug–specific environment variables:

  • PATH: /ifs/home/dtucker/.pyenv/plugins/pyenv-virtualenv/shims:/ifs/home/dtucker/.pyenv/bin:/ifs/home/dtucker/.local/bin:/ifs/home/dtucker/bin:/ifs/home/dtucker/.pyenv/plugins/pyenv-virtualenv/shims:/ifs/home/dtucker/.pyenv/shims:/ifs/home/dtucker/.pyenv/bin:/ifs/home/dtucker/.local/bin:/ifs/home/dtucker/bin:.:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin
  • SHELL: /bin/bash
  • EDITOR: vim
  • LANG: en_US.UTF-8
  • PWD: /tmp/tmp.X2jD7mSKG6

Contents of Pipfile ('/tmp/tmp.X2jD7mSKG6/Pipfile'):

[[source]]
url = "https://pypi.org/simple"
verify_ssl = true
name = "pypi"

[packages]
pip = {version = ">=21", index = "http://artifactory.west.isilon.com/artifactory/api/pypi/pypi-repo/simple"}

[dev-packages]

[requires]
python_version = "3.6"

Contents of Pipfile.lock ('/tmp/tmp.X2jD7mSKG6/Pipfile.lock'):

{
    "_meta": {
        "hash": {
            "sha256": "fb1685a8ca4420f6d2bad5672d155b3fdc508c19848f2cef4deeee0d6c74cea0"
        },
        "pipfile-spec": 6,
        "requires": {
            "python_version": "3.6"
        },
        "sources": [
            {
                "name": "pypi",
                "url": "https://pypi.org/simple",
                "verify_ssl": true
            }
        ]
    },
    "default": {
        "pip": {
            "index": "http://artifactory.west.isilon.com/artifactory/api/pypi/pypi-repo/simple",
            "version": ">=21"
        }
    },
    "develop": {}
}
@matteius
Member

I was able to reproduce this issue based on the report. It would seem there is a discrepancy between the help text of pipenv check mentioning it checks against the Pipfile and the observation that it seems to check with what is installed in the Python environment. The virtualenv has the vulnerable version of pip because that was the second command to install an older version of pip with the vulnerability venv/bin/python -m pip install --upgrade 'pip<21' pipenv.

From the virtualenv, we find package:
/Users/mdavis/Projects/venv/lib/python3.9/site-packages/pip-20.3.4.dist-info

@matteius
Member

matteius commented Dec 21, 2021

@tucked Please see this, the checker does do some introspection of the Pipfile, but it also does a PEP 508 checker in the virtualenv

pipenv/pipenv/core.py

Lines 2566 to 2578 in cdde3f7

# Run the PEP 508 checker in the virtualenv.
cmd = _cmd + [Path(pep508checker_path).as_posix()]
c = run_command(cmd, is_verbose=project.s.is_verbose())
if c.returncode is not None:
    try:
        results = simplejson.loads(c.stdout.strip())
    except JSONDecodeError:
        click.echo("{}\n{}\n{}".format(
            crayons.white(decode_for_output("Failed parsing pep508 results: "), bold=True),
            c.stdout.strip(),
            c.stderr.strip()
        ))
        sys.exit(1)

(pipenv) bash-3.2$ python pipenv/patched/safety check --json
[
    [
        "pip",
        "<21.1",
        "20.3.4",
        "Pip version 21.1 stops splitting on unicode separators in git references, which could be maliciously used to install a different revision on the repository. \r\nhttps://github.com/pypa/pip/issues/9827",
        "42218",
        null,
        null
    ],
    [
        "pip",
        "<21.1",
        "20.3.4",
        "Pip version 21.1 updates its dependency 'urllib3' to v1.26.4 to include a security fix.",
        "40291",
        null,
        null
    ],
    [
        "pip",
        "<21.1",
        "20.3.4",
        "Pip version 21.1 includes a fix for CVE-2021-3572: A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity.\r\nhttps://bugzilla.redhat.com/show_bug.cgi?id=1962856",
        "42559",
        null,
        null
    ]
]

@matteius matteius added the Type: Question ❔ This is a question or a request for support. label Dec 24, 2021
@tucked
Contributor Author

tucked commented Jan 3, 2022

The virtualenv has the vulnerable version of pip because that was the second command

It's not the correct virtualenv (i.e. it's the environment pipenv is installed in, not the one pipenv is managing).

python pipenv/patched/safety

Side note: It's not a great idea to call into library code this way (because you lose the package context):

$ tree -I __pycache__ foo/
foo/
├── __init__.py
└── __main__.py

0 directories, 2 files
$ cat foo/__init__.py
$ cat foo/__main__.py
print("main", __package__)
$ python3 -m foo
main foo
$ python3 foo/
main

Try python -m pipenv.patched.safety check --json instead.
(Not that that should change the output you're seeing... Again, those hits are for the wrong environment.)

@asheidan

asheidan commented Jan 5, 2022

I'm seeing the same issue (or at least difference from expected behaviour).

Is the intended behavior that pipenv check would also check the python environment that pipenv is installed in/running from instead of the "current environment managed by pipenv"? Or is that a consequence of pipenv using safety internally?

@matteius
Member

New version of pipenv released today has the latest version of safety check. Please check it out.

@matteius matteius added the Status: Awaiting Update ⏳ This issue requires more information before assistance can be provided. label Nov 23, 2022
@tucked
Contributor Author

tucked commented Nov 23, 2022

I hit #5491 before the repro.

@matteius
Member

@tucked Yeah sorry about that -- if you wanted to try it now you can do the editable install of pipenv, it was broken in the wheel. Otherwise there should be a new release in the next day.

@tucked
Contributor Author

tucked commented Nov 23, 2022

Yup, still repros on 66153e2

tox --devenv venv -r
venv/bin/python -m pip install --upgrade 'pip<21'
venv/bin/pipenv --python="$PWD/venv/bin/python" install 'pip>=21'
venv/bin/pipenv check
-> Vulnerability found in pip version 20.3.4
   Vulnerability ID: 42559
   Affected spec: <21.1
   ADVISORY: A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker
   could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to...   CVE-2021-3572
   For more information, please visit https://pyup.io/v/42559/742

@yeisonvargasf
Contributor

@tucked and @matteius; I'm working on this issue right now. I'll return to this thread soon with more info/questions or a PR.

@yeisonvargasf
Contributor

@matteius and @tucked, I decided to get the target packages from the target venv and pass them as a temporary file to the internal Safety. That change will fix this issue.

Safety inside of pipenv check isn't running as a subprocess now, so getting the package list is done by a pip list.

About #4600, the difference is because pipenv graph (pipdeptree) is using iter_installed_distributions filtering by local_only=True, and this isn't the case for Safety.

The team is thinking about allowing a target venv path to be passed in a Safety argument instead of checking the current one, but for now, it doesn't have a high priority.

Let me know if I can help more or if you need me to make changes to PR #5501. Happy to help!
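The root cause discussed in this thread is that the scanner enumerated the environment pipenv itself was running in, not the venv pipenv manages. The script below is an added example (not pipenv's or Safety's code) of the approach yeisonvargasf describes: ask the *target* venv's own interpreter for its package list via `python -m pip list --format=freeze`, write that listing to a temporary requirements file for the scanner, and compare it with the host environment so a finding can be attributed to the right place. It assumes a standard venv layout (`<venv>/bin/python` or `<venv>\Scripts\python.exe`) and that pip is importable in the target venv; the freeze listings used for the self-check are constructed sample data.

```python
"""List packages of a target venv (not the running interpreter) for a scanner.

Added example; not code from pipenv or Safety. Assumes a standard venv layout
and that `pip` is importable in the target venv.
"""
import os
import subprocess
import sys
import tempfile
from typing import Dict, List, Tuple

# Constructed sample listings: the tool's own environment carries an old pip,
# the managed venv carries the upgraded one (mirrors the report in this issue).
SAMPLE_HOST_FREEZE = "pip==20.3.4\npipenv==2021.5.29\n"
SAMPLE_TARGET_FREEZE = "# constructed sample\npip==21.3.1\nsetuptools==59.6.0\n"


def venv_python(venv_dir: str) -> str:
    """Interpreter path inside venv_dir (assumption: standard venv layout)."""
    if os.name == "nt":
        return os.path.join(venv_dir, "Scripts", "python.exe")
    return os.path.join(venv_dir, "bin", "python")


def pip_freeze_command(python_path: str) -> List[str]:
    """Run pip as a module of the *target* interpreter, so the listing reflects
    that environment rather than whichever `pip` is first on PATH or the
    interpreter running this script."""
    return [python_path, "-m", "pip", "list", "--format=freeze",
            "--disable-pip-version-check"]


def parse_freeze(text: str) -> Dict[str, str]:
    """Parse 'name==version' lines into {name: version}; skips comments/blanks."""
    pkgs: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "==" not in line:
            continue
        name, version = line.split("==", 1)
        pkgs[name.strip().lower()] = version.strip()
    return pkgs


def installed_packages(venv_dir: str) -> Dict[str, str]:
    """Enumerate the packages actually installed in venv_dir."""
    out = subprocess.run(pip_freeze_command(venv_python(venv_dir)),
                         check=True, capture_output=True, text=True).stdout
    return parse_freeze(out)


def write_requirements(pkgs: Dict[str, str]) -> str:
    """Write the listing to a temporary requirements file for the scanner;
    returns its path (caller removes it when done)."""
    fd, path = tempfile.mkstemp(suffix="_requirements.txt")
    with os.fdopen(fd, "w") as fh:
        for name in sorted(pkgs):
            fh.write(f"{name}=={pkgs[name]}\n")
    return path


def environment_mismatch(target: Dict[str, str], host: Dict[str, str],
                         package: str) -> Tuple[str, str]:
    """(target_version, host_version) for one package. A scanner finding that
    matches host_version but not target_version was raised against the
    tool's own environment, which is exactly the confusion in this issue."""
    key = package.lower()
    return target.get(key, "absent"), host.get(key, "absent")


if __name__ == "__main__":
    # Usage: python scan_target_venv.py /path/to/venv
    target = installed_packages(sys.argv[1])
    host = parse_freeze(subprocess.run(pip_freeze_command(sys.executable),
                                       check=True, capture_output=True,
                                       text=True).stdout)
    req = write_requirements(target)
    print("requirements for scanner:", req)
    print("pip (target, host):", environment_mismatch(target, host, "pip"))
```

Running it against the repro from this thread would show the target venv's pip at `>=21` while the host (the venv pipenv was installed into) still reports 20.3.4, which is the listing a scanner should never be fed when the intent is to audit the managed environment.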

@matteius
Member

@tucked pipenv==2022.11.24 was just released and should solve for this.

@matteius
Member

Ah bummer, the published wheel is still missing ruamel.

@matteius matteius reopened this Nov 24, 2022
@tucked
Contributor Author

tucked commented Nov 25, 2022

I just reran the repro with 2022.11.25, and:

+================================================================+

 REPORT

  Safety v2.3.2 is scanning for
    Vulnerabilities...
  Scanning dependencies in your files:

  -> /tmp/tmp.cFYrWVX4gk-Zdbrv0k-zrqz9k_u_requirements.txt

  Found and scanned 3 packages
  Timestamp 2022-11-25 10:17:53
  0 vulnerabilities found
  0 vulnerabilities ignored
+================================================================+

 No known security vulnerabilities found.

+================================================================+

🎉 Thanks @yeisonvargasf and @matteius!

@tucked tucked closed this as completed Nov 25, 2022