
[new check] executable files

Open jameslamb opened this issue 3 years ago • 2 comments

What should be checked?

By default, pydistcheck should warn on the presence of executable files found in Python distributions.

I expect most Python distributions to be code that is loaded at runtime in a Python process, and to therefore not need to contain executable files.

This check would probably be most useful as a part of a security-scanning process (to detect downloads of executable files from package repositories).

NOTE: this should use the mode of the files in the distribution (e.g. https://docs.python.org/3/library/tarfile.html#tarfile.TarInfo.mode), not heuristics based on file extensions like .exe (that type of heuristic is captured in a separate check, #55 ).

What should the name of this check be?

found-executable-files

Will this check introduce any additional configuration?

no

Details on additional configuration required.

No response

Distribution type

  • [X] source (e.g. .tar.gz)
  • [X] built (e.g. .whl)

Notes

No response

jameslamb avatar Oct 24 '22 03:10 jameslamb
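The mode-based check described in the issue, as an added example that is not pydistcheck's own code: it reads the Unix mode stored in the archive for each member (`TarInfo.mode` for an sdist, the upper 16 bits of `ZipInfo.external_attr` for a wheel) and reports regular files with any execute bit set. Directories are skipped, since their execute bit means "searchable" rather than "runnable" and would otherwise be constant false positives. The two sample archives are constructed in memory for the demonstration; the function and helper names are my own.

```python
"""Flag executable files in a Python distribution by inspecting mode bits.

Added example (not pydistcheck's own code). The check uses the mode stored
in the archive, not file-extension heuristics. Sample archives are
constructed in memory below.
"""
import io
import stat
import tarfile
import zipfile

# Any of user/group/other execute bits (0o111).
EXEC_BITS = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH


def _is_executable_mode(mode: int) -> bool:
    """True if any execute bit is set in a regular file's mode."""
    return bool(mode & EXEC_BITS)


def find_executable_files(archive: bytes) -> list:
    """Return member names that are regular files with an execute bit set.

    Accepts the raw bytes of either a .tar.gz (sdist) or a .whl/.zip
    (built distribution). Directories and symlinks are skipped.
    """
    found = []
    buf = io.BytesIO(archive)
    if zipfile.is_zipfile(buf):
        buf.seek(0)
        with zipfile.ZipFile(buf) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                # The upper 16 bits of external_attr hold the Unix st_mode.
                mode = info.external_attr >> 16
                if _is_executable_mode(mode):
                    found.append(info.filename)
    else:
        buf.seek(0)
        with tarfile.open(fileobj=buf, mode="r:*") as tf:
            for member in tf.getmembers():
                if not member.isfile():
                    continue
                if _is_executable_mode(member.mode):
                    found.append(member.name)
    return sorted(found)


def build_sample_sdist() -> bytes:
    """Constructed .tar.gz: one plain module, one 0o755 script, one directory."""
    out = io.BytesIO()
    with tarfile.open(fileobj=out, mode="w:gz") as tf:
        d = tarfile.TarInfo("pkg-0.1/pkg")
        d.type = tarfile.DIRTYPE
        d.mode = 0o755  # directories normally carry x; must not be flagged
        tf.addfile(d)
        for name, data, mode in [
            ("pkg-0.1/pkg/__init__.py", b"VERSION = '0.1'\n", 0o644),
            ("pkg-0.1/pkg/helper.sh", b"#!/bin/sh\necho hi\n", 0o755),
        ]:
            ti = tarfile.TarInfo(name)
            ti.size = len(data)
            ti.mode = mode
            tf.addfile(ti, io.BytesIO(data))
    return out.getvalue()


def build_sample_wheel() -> bytes:
    """Constructed .whl-style zip: one plain module, one 0o755 binary stub."""
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w") as zf:
        for name, data, mode in [
            ("pkg/__init__.py", b"VERSION = '0.1'\n", 0o644),
            ("pkg/tool", b"\x7fELF-placeholder-bytes", 0o755),
        ]:
            zi = zipfile.ZipInfo(name)
            zi.external_attr = (stat.S_IFREG | mode) << 16
            zf.writestr(zi, data)
    return out.getvalue()


if __name__ == "__main__":
    print("sdist:", find_executable_files(build_sample_sdist()))
    print("wheel:", find_executable_files(build_sample_wheel()))
```

Run against a real distribution by passing `open("dist/pkg-0.1.tar.gz", "rb").read()` to `find_executable_files`; a non-empty result is what the proposed `found-executable-files` check would report.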

some references:

  • https://develop.secure.software/overpowered-plugins-pypi-can-burn-it-all-down
  • https://www.gnu.org/software/libc/manual/html_node/Permission-Bits.html
  • https://unix.stackexchange.com/a/14727/550004
  • https://stackoverflow.com/a/67613246/3986677
  • https://www.multacom.com/faq/password_protection/file_permissions.htm
  • https://securitylabs.datadoghq.com/articles/guarddog-identify-malicious-pypi-packages/

Related project (one of many that scans Python packages for known vulnerabilities): https://pypi.org/project/safety/

jameslamb avatar Dec 22 '22 06:12 jameslamb

Somewhat related: https://stackoverflow.com/questions/43886777/is-there-a-tool-to-check-python-distribution-sdist-files

... we released a Python source distribution (sdist) file on PyPI, and there was an issue that was only noticed after making the release. Namely for some files, the permissions were set to not allow read by all, and then in some cases those files couldn't be read on user machines after they installed the package with sudo.

We're considering starting our own script to check an sdist for this issue and to run it before uploading to PyPI.

jameslamb avatar Jan 15 '23 06:01 jameslamb