Security Issue with your package from pypi.org #28

@rakovskij-stanislav

Hello! Found a security issue in your package in pypi:
https://pypi.org/project/curlify/

Affected versions of package:

  • 2.2.0 (Jul 21, 2019)

There's an unmet dependency on the module shlex if you try to install this version of curlify:

>python -m pip install --upgrade curlify==2.2.0
Collecting curlify==2.2.0
  Downloading curlify-2.2.0.tar.gz (3.0 kB)
  Preparing metadata (setup.py) ... done
Requirement already satisfied: requests in python\python310\lib\site-packages (from curlify==2.2.0) (2.28.0)
ERROR: Could not find a version that satisfies the requirement shlex>="3" (from curlify) (from versions: none)
ERROR: No matching distribution found for shlex>="3"

It happens because there is a missing requirement in the setup.py file:

...
setup(
    name='curlify',
    version='2.2.0',
    py_modules=[
        'curlify',
    ],
    include_package_data=True,
    install_requires=[
        'requests',
        'shlex >= "3"',
        'pipes < "3"',
    ],
    license='MIT License',
...

It's dangerous because an intruder can create a malicious package shlex on PyPI and:

  • Make online guides on how to use your package and abuse this malicious supply-chain attack to compromise users
  • Infect automated CI/CD pipelines that use old versions of your package
  • Infect other users by hardcoding those versions of the package in open-source projects that use it

It's dangerous because usage of curlify, even a bit outdated (it's the second-freshest release, right before 2.2.1 on PyPI), is not something strange. Everyone likes hardcoded versions of packages, even in the era of protestware.

The best solution is to delete this exact version of the package from PyPI. Better to break dependencies in some old pipelines than compromise them. You can also make a post-release of this version.

I also suggest you set a security email address for reporting this type of vulnerability: https://github.com/ofw/curlify/security/policy

Rakovsky Stanislav (Positive Technologies)
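The check the report describes (install_requires naming standard-library modules that do not exist on PyPI and could be registered by anyone) can be automated. The script below is an added example, not code from the curlify project or the reporter; the curlify 2.2.0 dependency list is copied from the setup.py quoted above, the name-extraction regex is a simplified PEP 508 parser (an assumption: only the distribution name is needed), and the fallback module list is an assumption for interpreters without sys.stdlib_module_names.

```python
"""Flag install_requires entries whose distribution name is a Python standard-library module.

A stdlib module (shlex, pipes, ...) needs no PyPI package, so such an entry is either a
mistake or an attacker-registrable name: the first person to upload a package called
"shlex" controls what every `pip install curlify==2.2.0` pulls in.
"""
import re
import sys

# Simplified PEP 508 name extraction (assumption: extras, markers and the version
# clause, including the odd quoted '>= "3"' form from curlify's setup.py, are ignored).
_NAME_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)")

# Modules removed in Python 3.13 (PEP 594) may be missing from sys.stdlib_module_names on
# newer interpreters, so they are listed explicitly; "pipes" is the one curlify names.
_PEP594_REMOVED = frozenset({
    "aifc", "audioop", "cgi", "cgitb", "chunk", "crypt", "imghdr", "mailcap", "msilib",
    "nis", "nntplib", "ossaudiodev", "pipes", "sndhdr", "spwd", "sunau", "telnetlib",
    "uu", "xdrlib",
})

# Fallback for Python < 3.10, which lacks sys.stdlib_module_names (assumption: a small
# hand-picked set is better than nothing; extend it for older interpreters).
_FALLBACK_STDLIB = frozenset({"shlex", "os", "sys", "re", "json", "subprocess", "typing"})


def stdlib_names():
    """Return the set of top-level stdlib module names known to this interpreter."""
    known = set(getattr(sys, "stdlib_module_names", _FALLBACK_STDLIB))  # 3.10+
    return known | _PEP594_REMOVED


def requirement_name(spec):
    """Extract the distribution name from a requirement string, PEP 503-normalised."""
    match = _NAME_RE.match(spec)
    if not match:
        raise ValueError(f"cannot parse requirement: {spec!r}")
    return re.sub(r"[-_.]+", "-", match.group(1)).lower()


def find_stdlib_requirements(install_requires):
    """Return the requirement strings that name a standard-library module."""
    stdlib = {name.lower() for name in stdlib_names()}
    return [spec for spec in install_requires if requirement_name(spec) in stdlib]


def sanitize_requirements(install_requires):
    """Return install_requires with stdlib-named entries dropped (the fix for 2.2.0)."""
    flagged = set(find_stdlib_requirements(install_requires))
    return [spec for spec in install_requires if spec not in flagged]


# install_requires exactly as quoted from curlify 2.2.0's setup.py in the report.
CURLIFY_2_2_0 = ["requests", 'shlex >= "3"', 'pipes < "3"']

if __name__ == "__main__":
    for spec in find_stdlib_requirements(CURLIFY_2_2_0):
        print(f"stdlib-named requirement (registrable on PyPI): {spec}")
    print("sanitized:", sanitize_requirements(CURLIFY_2_2_0))
```

Treat a hit as a review finding rather than an automatic rejection: a few stdlib names (dataclasses, typing_extensions-style backports) do have legitimate PyPI packages, but an entry like `shlex >= "3"` that pip cannot resolve at all is exactly the case the report warns about, and the safe fix is the sanitized list.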
