At PyUp, we take the security of our users and their systems very seriously. That’s why we are informing you right away about a vulnerability that one of our users reported.
Safety is an open-source command-line tool that was created by PyUp to help developers detect outdated or non-secure Python dependency packages.
When configured properly, Safety will search for vulnerabilities in Python project dependencies by checking the dependencies against SafetyDB, which is an open-source database of vulnerabilities in Python packages. However, Safety is not an antivirus tool and should not be considered a viable solution for detecting harmful or malicious code in the larger operating environment.
One way to run the Safety tool is by installing it in a live Python environment and executing it from the command line; Safety will then check the installed packages in its running environment and inform the user about outdated and non-secure packages. The vulnerability described in this notice is about two Python characteristics (1, 2) that allow malicious code to “poison-pill” these command-line Safety package detection routines by disguising, or obfuscating, other malicious or non-secure packages.
This vulnerability is considered to be of low severity because the attack makes use of an existing Python condition, not the Safety tool itself.
● You are running Safety in a Python environment that you don’t trust.
● You are running Safety from the same Python environment where you have your dependencies installed.
● Dependency packages are being installed arbitrarily or without proper verification.
At the time of writing, we have not received any notices from affected users.
● We are adding runtime warnings and will update our main project page to emphasize that Safety ideally should be run from a trusted, truly isolated Python environment.
● We made available binary versions of our command-line Safety tool.
● You can now also perform a static analysis by installing Docker and running our Docker image:
$ docker run --rm -it pyupio/safety check -r requirements.txt
There are other workarounds. Users can:
● Run Safety against a static dependencies list, such as the requirements.txt
file, in a separate, clean Python environment.
● Run Safety from a Continuous Integration pipeline.
● Use PyUp.io, which runs Safety in a controlled environment and checks Python for dependencies without any need to install them.