Impact
There are two Python characteristics (1, 2) that allow malicious code to “poison-pill” command-line Safety package detection routines by disguising, or obfuscating, other malicious or non-secure packages.
This vulnerability is considered to be of low severity because the attack makes use of an existing Python condition, not the Safety tool itself.
This can happen if:
- You are running Safety in a Python environment that you don’t trust.
- You are running Safety from the same Python environment where you have your dependencies installed.
- Dependency packages are being installed arbitrarily or without proper verification.
Mitigation options
- Perform a static analysis by installing Docker and running the Safety Docker image:
$ docker run --rm -it pyupio/safety check -r requirements.txt
- Run Safety against a static dependencies list, such as the requirements.txt file, in a separate, clean Python environment.
- Run Safety from a Continuous Integration pipeline.
- Use PyUp.io, which runs Safety in a controlled environment and checks Python dependencies without any need to install them.
- Use PyUp's Online Requirements Checker.
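The second mitigation above relies on the static requirements list being the source of truth rather than the live interpreter. The following added example (constructed here, not code from Safety or PyUp) parses a pinned requirements.txt and compares it with what the running environment reports, so a dependency that hides or disguises itself from environment introspection shows up as a mismatch; the use of importlib.metadata for the runtime view and the sample inputs are assumptions.

```python
"""Cross-check a pinned requirements.txt against what the live interpreter
reports as installed: a package that hides or disguises itself from
environment introspection (the condition behind CVE-2020-5252) then shows up
as a mismatch. Constructed example; not code from Safety or PyUp."""
import re
from importlib import metadata

# Accepts 'name==version', optional extras, trailing comment or env marker.
_PIN = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?\s*==\s*([^\s;#]+)")

def normalize(name: str) -> str:
    """PEP 503 name normalisation: lower-case, runs of - _ . become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()

def parse_pinned(text: str) -> dict:
    """Return {normalised name: version}; reject anything not '==' pinned."""
    pins = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue  # blank, comment-only, or an option such as -r/--index-url
        m = _PIN.match(line)
        if m is None:
            raise ValueError(f"unpinned or unparsable requirement: {raw!r}")
        pins[normalize(m.group(1))] = m.group(2)
    return pins

def reported_versions() -> dict:
    """The live interpreter's claim of what is installed (the untrusted view)."""
    return {normalize(d.metadata["Name"]): d.version for d in metadata.distributions()}

def discrepancies(pinned: dict, reported: dict) -> dict:
    """Pinned packages the environment does not report, or reports differently."""
    out = {"missing": [], "version_mismatch": []}
    for name, version in pinned.items():
        if name not in reported:
            out["missing"].append(name)
        elif reported[name] != version:
            out["version_mismatch"].append((name, version, reported[name]))
    return out

# Constructed sample: one pinned file and one hypothetical runtime report.
SAMPLE_REQUIREMENTS = "requests==2.25.1\nPyYAML==5.3.1  # pinned\n-r base.txt\n"
SAMPLE_REPORTED = {"requests": "2.25.1"}  # pyyaml absent: hidden from introspection

if __name__ == "__main__":
    print(discrepancies(parse_pinned(SAMPLE_REQUIREMENTS), SAMPLE_REPORTED))
    print(discrepancies(parse_pinned(SAMPLE_REQUIREMENTS), reported_versions()))
```

A non-empty "missing" or "version_mismatch" list is the signal to stop trusting that environment and re-run the check from a clean one, as the mitigations above recommend.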
References
https://mulch.dev/blog/CVE-2020-5252-python-safety-vuln/
https://github.com/akoumjian/python-safety-vuln
https://pyup.io/posts/patched-vulnerability/
Researchers
Alec Koumjian