[HN Gopher] A Large-Scale Security-Oriented Static Analysis of P...
___________________________________________________________________
A Large-Scale Security-Oriented Static Analysis of Python Packages in PyPI

Author : afrcnc
Score  : 21 points
Date   : 2021-07-29 12:48 UTC (10 hours ago)

web link (arxiv.org)

| jonathrg wrote:
| Their conclusion, "security issues are common in PyPI packages",
| doesn't really follow from the results. Their methods will
| classify _any_ use of a function that is not cryptographically
| secure (MD5, random), even if it is not used in a cryptographic
| setting. Similarly _any_ use of a function that is not safe to
| use on untrusted input (pickle, yaml.load, subprocess, eval) will
| be flagged, even if the usage is completely safe.
|
|   | nonameiguess wrote:
|   | Yes this, but also you shouldn't do an analysis like this on
|   | all of PyPI. Anyone can upload to it. It's full of abandoned
|   | experiments, name-squatting, and college students uploading
|   | hello world libraries just to learn how to do it. Analyzing
|   | those is pointless because nobody is using them and nobody is
|   | going to use them.
|   |
|   | Also listing the subprocess module as a standout because of
|   | code injection seems silly. That's the entire point of it
|   | existing. You may as well say a shell is insecure because it
|   | allows injecting shell commands. Obviously, don't put strings
|   | from untrusted sources in there, but Python is largely intended
|   | for system administration automation, the first thing to turn
|   | to when the shell isn't enough if you don't like Perl. It would
|   | be pretty useless if you couldn't actually use it to
|   | orchestrate arbitrary shell commands.
___________________________________________________________________
(page generated 2021-07-29 23:00 UTC)
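An added example, not part of the thread and not the paper's tooling, to make jonathrg's point concrete: a name-matching checker that flags every call to `hashlib.md5`, `subprocess.run` or `yaml.load` cannot tell a cache-key digest from a password hash, or a constant argv list from `shell=True` with string concatenation. The rule table, the `contextual_findings` heuristics and the two snippets it scans are all constructed for this illustration; the only real APIs relied on are the standard-library `ast` module, `hashlib.md5(..., usedforsecurity=False)` (Python 3.9+) and PyYAML's `SafeLoader`/`Loader` names.

```python
"""Toy call-name checker vs. a context-aware variant (added example, not the paper's tool)."""
import ast

# Assumed rule table: fully qualified call names the naive rule treats as findings.
NAIVE_RULES = {
    "hashlib.md5": "weak hash",
    "pickle.loads": "deserialization of untrusted data",
    "yaml.load": "unsafe YAML loader",
    "subprocess.run": "command execution",
    "eval": "code execution",
}


def _call_name(node: ast.Call) -> str:
    """Return 'module.func' or 'func' for a call expression, '' if not that shape."""
    f = node.func
    if isinstance(f, ast.Name):
        return f.id
    if isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name):
        return f"{f.value.id}.{f.attr}"
    return ""


def _kw(node: ast.Call, key: str):
    """Return the AST node of keyword argument `key`, or None if absent."""
    for k in node.keywords:
        if k.arg == key:
            return k.value
    return None


def naive_findings(src: str) -> list[tuple[int, str]]:
    """Flag every call whose name is in NAIVE_RULES, regardless of how it is used."""
    out = []
    for node in ast.walk(ast.parse(src)):
        if isinstance(node, ast.Call) and _call_name(node) in NAIVE_RULES:
            out.append((node.lineno, NAIVE_RULES[_call_name(node)]))
    return sorted(out)


def contextual_findings(src: str) -> list[tuple[int, str]]:
    """Same rules, but drop a finding when the call's own arguments show a safe use.

    These suppressions are illustrative heuristics, not a complete analysis.
    """
    out = []
    for node in ast.walk(ast.parse(src)):
        if not isinstance(node, ast.Call):
            continue
        name = _call_name(node)
        if name not in NAIVE_RULES:
            continue
        if name == "hashlib.md5":
            # usedforsecurity=False declares a non-cryptographic use (checksums, cache keys).
            v = _kw(node, "usedforsecurity")
            if isinstance(v, ast.Constant) and v.value is False:
                continue
        if name == "subprocess.run":
            # A literal argv list without shell=True offers no string-injection point.
            shell = _kw(node, "shell")
            no_shell = shell is None or (isinstance(shell, ast.Constant) and shell.value is False)
            args = node.args
            if (no_shell and args and isinstance(args[0], (ast.List, ast.Tuple))
                    and all(isinstance(e, ast.Constant) for e in args[0].elts)):
                continue
        if name == "yaml.load":
            # Loader=yaml.SafeLoader disables arbitrary object construction.
            loader = _kw(node, "Loader")
            if isinstance(loader, ast.Attribute) and loader.attr == "SafeLoader":
                continue
        out.append((node.lineno, NAIVE_RULES[name]))
    return sorted(out)


# Constructed sample inputs: the same three calls, once in a safe form and once in a risky form.
SAFE_SNIPPET = (
    "import hashlib, subprocess, yaml\n"
    "digest = hashlib.md5(data, usedforsecurity=False).hexdigest()\n"
    "subprocess.run(['ls', '-l'], check=True)\n"
    "cfg = yaml.load(text, Loader=yaml.SafeLoader)\n"
)
UNSAFE_SNIPPET = (
    "import hashlib, subprocess, yaml\n"
    "pw_hash = hashlib.md5(password.encode()).hexdigest()\n"
    "subprocess.run('ls ' + user_dir, shell=True)\n"
    "cfg = yaml.load(text, Loader=yaml.Loader)\n"
)

if __name__ == "__main__":
    for label, snippet in (("safe", SAFE_SNIPPET), ("unsafe", UNSAFE_SNIPPET)):
        print(label, "naive:", naive_findings(snippet))
        print(label, "contextual:", contextual_findings(snippet))
```

Run as a script, the naive checker reports three findings for both snippets, which is exactly the over-counting the comment describes; the contextual variant reports none for the safe snippet and all three for the risky one. Even the contextual rules only look at literal arguments, so a variable holding a constant list or a loader chosen at runtime would still land on whichever side the heuristic defaults to, which is why such counts need manual triage before they support a prevalence claim.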