A Patched Vulnerability in PyUp’s “Safety” Open-Source Command-Line Tool (CVE-2020-5252)

March 20, 2020

At PyUp, we take the security of our users and their systems very seriously. That’s why we are informing you right away about a vulnerability that one of our users reported.

What is the PyUp Safety Tool?

Safety is an open-source command-line tool that was created by PyUp to help developers detect outdated or non-secure Python dependency packages.

When configured properly, Safety will search for vulnerabilities in Python project dependencies by checking the dependencies against SafetyDB, which is an open-source database of vulnerabilities in Python packages. However, Safety is not an antivirus tool and should not be considered a viable solution for detecting harmful or malicious code in the larger operating environment.

The Vulnerability in the Safety Command-Line Tool

One way to run the Safety tool is by installing it in a live Python environment and executing it from the command line; Safety will then check the installed packages in its running environment and inform the user about outdated and non-secure packages. The vulnerability described in this notice is about two Python characteristics (1, 2) that allow malicious code to “poison-pill” these command-line Safety package detection routines by disguising, or obfuscating, other malicious or non-secure packages.

This vulnerability is considered to be of low severity because the attack makes use of an existing Python condition, not the Safety tool itself.

You may have been affected if:

● You are running Safety in a Python environment that you don’t trust.

● You are running Safety from the same Python environment where you have your dependencies installed.

● Dependency packages are being installed arbitrarily or without proper verification.

At the time of writing, we have not received any notices from affected users.

What We’re Doing About It

● We are adding runtime warnings and will update our main project page to emphasize that Safety ideally should be run from a trusted, truly isolated Python environment.

● We made available binary versions of our command-line Safety tool.

● You can now also perform a static analysis by installing Docker and running our Docker image:

$ docker run --rm -it pyupio/safety check -r requirements.txt

There are other workarounds. Users can:

● Run Safety against a static dependencies list, such as the requirements.txt file, in a separate, clean Python environment.

● Run Safety from a Continuous Integration pipeline.

● Use PyUp.io, which runs Safety in a controlled environment and checks Python for dependencies without any need to install them.