46% of Python packages in the PyPI repository contain potentially unsafe code

A group of researchers from the University of Turku (Finland) has published the results of an analysis of packages in the PyPI repository for the use of potentially dangerous constructs that can lead to vulnerabilities. In an analysis of 197 thousand packages, 749 thousand potential security problems were identified; 46% of the packages contain at least one such problem. Among the most common problems are flaws in exception handling and the use of features that allow code substitution (injection).

Of the 749 thousand identified problems, 442 thousand (41%) are marked as minor, 227 thousand (30%) as moderate and 80 thousand (11%) as dangerous. Some packages stand out from the rest and contain thousands of problems: for example, 2589 problems were identified in the pyggi package, mostly related to the use of the "try-except-pass" construct, and 2356 problems were found in the appengine-sdk package. Large numbers of problems are also present in the genie.libs.ops, pbcore and genie.libs.parser packages.

It should be noted that the results were obtained by automated static analysis, which does not take into account the context in which particular constructs are used. The developers of the Bandit toolkit, which was used to scan the code, expressed the opinion that, because of the fairly high number of false positives, the results cannot be directly regarded as vulnerabilities without additional manual review of each reported problem.

For example, the analyzer treats the use of weak random number generators and hashing algorithms such as MD5 as a security problem, whereas in the code such algorithms may be used for purposes that do not affect security. The analyzer likewise flags any processing of external data by unsafe functions such as pickle, yaml.load, subprocess and eval, but such use is not necessarily associated with a vulnerability, and in practice these functions can be applied without creating a security threat.

Among the checks used in the study:

  • Use of potentially unsafe functions such as exec, mktemp, eval, mark_safe, etc.
  • Unsafe file access permissions.
  • Binding a network socket to all network interfaces.
  • Use of hard-coded passwords and keys in the code.
  • Use of a predefined temporary directory.
  • Use of pass and continue in catch-all exception handlers.
  • Running web applications based on the Flask framework with debug mode enabled.
  • Use of unsafe data deserialization methods.
  • Use of the hash functions MD2, MD4, MD5 and SHA1.
  • Use of the unsafe DES cipher and insecure encryption modes.
  • Use of the insecure HTTPSConnection implementation in some Python versions.
  • Specifying the file:// scheme in urlopen.
  • Use of pseudo-random numbers for cryptographic tasks.
  • Use of the Telnet protocol.
  • Use of unsafe XML parsers.
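To show what a few of these checks look like in practice, and why context matters for the false-positive rate discussed above, here is an added example (not code from the study or from Bandit) of a small AST-based checker for four of the listed patterns; the sample source it scans is constructed, and the `usedforsecurity=False` hashlib keyword is the one signal it uses to skip a non-security MD5 call.

```python
import ast

# Constructed sample input: a request handler containing some of the patterns
# the study's checks flag, plus one MD5 use that is legitimately non-security.
SAMPLE = '''\
import hashlib, subprocess
def handler(req):
    try:
        data = eval(req["expr"])
    except Exception:
        pass
    etag = hashlib.md5(data, usedforsecurity=False).hexdigest()
    token = hashlib.md5(req["secret"]).hexdigest()
    subprocess.run(req["cmd"], shell=True)
'''

def _callee(func):
    """Dotted name of a call target: 'eval', 'hashlib.md5', 'subprocess.run'."""
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
        return f"{func.value.id}.{func.attr}"
    return ""

def _kwarg(call, key):
    """Literal value of keyword argument `key`, or None if absent or non-literal."""
    for kw in call.keywords:
        if kw.arg == key and isinstance(kw.value, ast.Constant):
            return kw.value.value
    return None

def find_issues(source):
    """Return sorted (lineno, tag) pairs for the four patterns checked below."""
    issues = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.ExceptHandler):
            # catch-all handler whose body only passes/continues (the top finding)
            catch_all = node.type is None or (isinstance(node.type, ast.Name)
                and node.type.id in ("Exception", "BaseException"))
            noop = all(isinstance(s, (ast.Pass, ast.Continue)) for s in node.body)
            if catch_all and noop:
                issues.append((node.lineno, "try-except-pass"))
        elif isinstance(node, ast.Call):
            name = _callee(node.func)
            if name in ("eval", "exec"):
                issues.append((node.lineno, "eval-exec"))
            elif name in ("hashlib.md5", "hashlib.sha1") and _kwarg(node, "usedforsecurity") is not False:
                issues.append((node.lineno, "weak-hash"))   # context flag absent
            elif name.startswith("subprocess.") and _kwarg(node, "shell") is True:
                issues.append((node.lineno, "shell-true"))
    return sorted(issues)

if __name__ == "__main__":
    for lineno, tag in find_issues(SAMPLE):
        print(f"line {lineno}: {tag}")
```

Scanning SAMPLE reports lines 4, 5, 8 and 9 and stays silent on line 7, which is the kind of per-finding context a real review must supply by hand for every pattern that carries no such marker.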

Source: media reports.