[HN Gopher] A Large-Scale Security-Oriented Static Analysis of P...
___________________________________________________________________
A Large-Scale Security-Oriented Static Analysis of Python Packages
in PyPI
Author : afrcnc
Score : 21 points
Date : 2021-07-29 12:48 UTC (10 hours ago)
(HTM) web link (arxiv.org)
(TXT) w3m dump (arxiv.org)
| jonathrg wrote:
| Their conclusion, "security issues are common in PyPI packages",
| doesn't really follow from the results. Their methods will
| classify _any_ use of a function that is not cryptographically
| secure (MD5, random), even if it is not used in a cryptographic
| setting. Similarly _any_ use of a function that is not safe to
| use on untrusted input (pickle, yaml.load, subprocess, eval) will
| be flagged, even if the usage is completely safe.
| nonameiguess wrote:
| Yes this, but also you shouldn't do an analysis like this on
| all of PyPI. Anyone can upload to it. It's full of abandoned
| experiments, name-squatting, and college students uploading
| hello world libraries just to learn how to do it. Analyzing
| those is pointless because nobody is using them and nobody is
| going to use them.
|
| Also listing the subprocess module as a standout because of
| code injection seems silly. That's the entire point of it
| existing. You may as well say a shell is insecure because it
| allows injecting shell commands. Obviously, don't put strings
| from untrusted sources in there, but Python is largely intended
| for system administration automation, the first thing to turn
| to when the shell isn't enough if you don't like Perl. It would
| be pretty useless if you couldn't actually use it to
| orchestrate arbitrary shell commands.
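Both comments above object that this kind of scanner reports any call to a listed function regardless of how it is used. The following added example, not from the paper or from either commenter, is a minimal AST-based checker of that style run over a constructed sample module, plus a context-aware variant that uses the call's own arguments (`usedforsecurity=False`, `Loader=yaml.SafeLoader`, an argv list without `shell=True`) to drop such false positives; `SAMPLE`, `SINKS` and all function names are assumptions.

```python
import ast

# Constructed sample module (not from the paper or any PyPI package): every
# call is a textbook "sink", but only the last one runs untrusted input.
SAMPLE = '''
import hashlib, subprocess, yaml
def cache_key(data):
    return hashlib.md5(data, usedforsecurity=False).hexdigest()
def load_config(text):
    return yaml.load(text, Loader=yaml.SafeLoader)
def list_dir():
    return subprocess.run(["ls", "-l"], capture_output=True)
def run_user(cmd):
    return subprocess.run(cmd, shell=True)
'''

# Call targets that a pattern-matching rule set reports regardless of usage.
SINKS = {"hashlib.md5", "yaml.load", "subprocess.run", "pickle.loads", "eval"}

def dotted(node):
    """Render a call target such as `yaml.load` as a dotted string."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        return f"{dotted(node.value)}.{node.attr}"
    return ""

def is_const(node, value):
    return isinstance(node, ast.Constant) and node.value is value

def looks_benign(name, call):
    """Argument-level evidence that this call is not the risky pattern."""
    kw = {k.arg: k.value for k in call.keywords}
    if name == "hashlib.md5":      # non-cryptographic checksum use
        return is_const(kw.get("usedforsecurity"), False)
    if name == "yaml.load":        # safe loader explicitly selected
        return dotted(kw.get("Loader")) == "yaml.SafeLoader"
    if name == "subprocess.run":   # argv list, no shell parsing of input
        return not is_const(kw.get("shell"), True)
    return False

def scan(source, context_aware=False):
    """Return sorted (line, sink) findings for the given module source."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call):
            name = dotted(node.func)
            if name in SINKS and not (context_aware and looks_benign(name, node)):
                findings.append((node.lineno, name))
    return sorted(findings)
```

Against `SAMPLE`, the naive mode reports all four calls, while the context-aware mode reports only the `shell=True` call on line 10 of the sample.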
___________________________________________________________________
(page generated 2021-07-29 23:00 UTC)