From 38af8afeb03d1e00f62f405f044d6b50efc9a991 Mon Sep 17 00:00:00 2001
From: Angelo DeLuca
Date: Wed, 12 Apr 2023 17:16:42 -0400
Subject: [PATCH 1/2] Add a mailto link generator to easily report malicious packages.

---
 inspector/main.py | 23 ++++++++++++++++++++++-
 inspector/templates/code.html | 1 +
 2 files changed, 23 insertions(+), 1 deletion(-)

diff --git a/inspector/main.py b/inspector/main.py
index 14f02dd..70ac2e6 100755
--- a/inspector/main.py
+++ b/inspector/main.py
@@ -200,12 +200,30 @@ def distribution(project_name, version, first, second, rest, distname):
 return "Distribution type not supported"
+def mailto_report_link(project_name, version, file_path, request_url):
+ """
+ Generate a mailto report link for malicious code.
+ """
+ message_body = "PyPI Malicious Package Report\n" \ "--\n" \ f"Package Name: {project_name}\n" \ f"Version: {version}\n" \ f"File Path: {file_path}\n" \ f"Inspector URL: {request_url}\n\n" \ "Additional Information:\n\n"
+
+ subject = f"Malicious Package Report: {project_name}"
+
+ return f"mailto:security@pypi.org?" \ f"subject={urllib.parse.quote(subject)}" \ f"&body={urllib.parse.quote(message_body)}"
+
+
 @app.route(
 "/project///packages/////" # noqa
 )
 def file(project_name, version, first, second, rest, distname, filepath):
 dist = _get_dist(first, second, rest, distname)
-
 if dist:
 try:
 contents = dist.contents(filepath)
@@ -213,9 +231,12 @@ def file(project_name, version, first, second, rest, distname, filepath):
 return "Binary files are not supported"
 except FileNotFoundError:
 return abort(404)
+
+ report_link = mailto_report_link(project_name, version, filepath, request.url)
 return render_template(
 "code.html",
 code=contents,
+ mailto_report_link=report_link,
 h2=f"{project_name}",
 h2_link=f"/project/{project_name}",
 h2_paren="View this project on PyPI",
diff --git a/inspector/templates/code.html b/inspector/templates/code.html
index 510677c..6efcf60 100644
--- a/inspector/templates/code.html
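Review bot: The message body built in mailto_report_link embeds request_url verbatim, and its only caller (the second hunk, in file()) passes request.url, which Flask derives from the incoming Host header; unless SERVER_NAME or a trusted-proxy setup pins the host, a crafted request can place a link to an arbitrary host in the email a reporter sends to security@pypi.org. Building the URL from the route instead, e.g. `url_for("file", ..., _external=True)` with SERVER_NAME configured, or passing only request.path and prefixing a configured base URL, removes that dependency on the request. Separately, urllib.parse.quote encodes the `\n` line breaks as `%0A`, whereas RFC 6068 expects body line breaks as `%0D%0A`, so `message_body.replace("\n", "\r\n")` before quoting keeps the layout in clients that follow the RFC. The first fragment of the return, `f"mailto:security@pypi.org?"`, has no placeholders and should be a plain literal. The docstring would also help callers if it stated that all four arguments are interpolated into the mail body and percent-encoded here, so they must not be pre-escaped.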
+++ b/inspector/templates/code.html @@ -5,6 +5,7 @@ {% endblock %} {% block body %} + Report Malicious Package
 {{- code }}
 
From 681b891440aba064c853debc6059b1e43a4d55e5 Mon Sep 17 00:00:00 2001
From: Angelo DeLuca
Date: Wed, 12 Apr 2023 17:28:27 -0400
Subject: [PATCH 2/2] Applied black reformat.

---
 inspector/main.py | 28 ++++++++++++++++------------
 1 file changed, 16 insertions(+), 12 deletions(-)

diff --git a/inspector/main.py b/inspector/main.py
index 70ac2e6..86c9220 100755
--- a/inspector/main.py
+++ b/inspector/main.py
@@ -48,7 +48,7 @@ def handle_bad_request(e):
 @app.route("/")
 def index():
 if project := request.args.get("project"):
- return redirect(f"/project/{ project }")
+ return redirect(f"/project/{project}")
 return render_template("index.html")
@@ -78,7 +78,7 @@ def versions(project_name):
 def distributions(project_name, version):
 resp = requests.get(f"https://pypi.org/pypi/{project_name}/{version}/json")
 if resp.status_code != 200:
- return redirect(f"/project/{ project_name }/")
+ return redirect(f"/project/{project_name}/")
 dist_urls = [
 "." + urllib.parse.urlparse(url["url"]).path + "/"
@@ -204,19 +204,23 @@ def mailto_report_link(project_name, version, file_path, request_url):
 """
 Generate a mailto report link for malicious code.
 """
- message_body = "PyPI Malicious Package Report\n" \
- "--\n" \
- f"Package Name: {project_name}\n" \
- f"Version: {version}\n" \
- f"File Path: {file_path}\n" \
- f"Inspector URL: {request_url}\n\n" \
- "Additional Information:\n\n"
+ message_body = (
+ "PyPI Malicious Package Report\n"
+ "--\n"
+ f"Package Name: {project_name}\n"
+ f"Version: {version}\n"
+ f"File Path: {file_path}\n"
+ f"Inspector URL: {request_url}\n\n"
+ "Additional Information:\n\n"
+ )
 subject = f"Malicious Package Report: {project_name}"
- return f"mailto:security@pypi.org?" \
- f"subject={urllib.parse.quote(subject)}" \
- f"&body={urllib.parse.quote(message_body)}"
+ return (
+ f"mailto:security@pypi.org?"
+ f"subject={urllib.parse.quote(subject)}"
+ f"&body={urllib.parse.quote(message_body)}"
+ )
 @app.route(