[PyCon APAC 2022] Writing secure code in Python

Transcript

1. Writing secure code in Python @yyyyyyyan_ Yan Orestes Software engineer

   PyCon APAC

2. “Programming in Python is easy”

3. Is programming in Python easy?

4. 01. eval() is really dangerous

5. eval(expression[, globals[, locals]]) Evaluates a Python expression and return the

   result. Optional parameters: globals: dict locals: Any mapping object

6. The danger begins when… ⚠

7. What if we clean the global variables?

8. Python automatically inserts builtins… ⚠

9. What if we specifically clean the builtins?

10. Creating a payload

11. Creating a payload ⚠

12. eval() is really dangerous ❤ @SamuelAntilla / netsec.expert ⚠

13. Alternatives - ast.literal_eval(node_or_string) - String parsing

14. So when should we use eval()? When there is no

    other viable way to accomplish a task

15. So when should we use eval()? When there is no

    other viable way to accomplish a task (never)

16. 02. arbitrary code execution with pickle

17. Serializes a Python object to a sequence of bytes. Optional

    parameters: protocol: int denoting the protocol used for the serialization. Currently goes from 0 (oldest) to 5 (Python 3.8) pickle.dump(obj, file, protocol=None, *) pickle.dumps(obj, protocol=None, *)

18. The magic method __reduce__() Used to customize how class instances

    are serialized. Should return a str or a tuple containing a callable and its parameters.

19. The magic method __reduce__() Used to customize how class instances

    are serialized. Should return a str or a tuple containing a callable and its parameters. ⚠

20. Opening the pickle jar with pickletools

21. But what about arbitrary code execution?

22. Serializing arbitrary code with marshal

23. And to run it? ⚠

24. Assembling the malicious pickle

25. Demo

26. Prevention pickle signing with HMAC Alternative Using a safer serialization

    format (JSON)

27. 03. the power of pip install

28. What happens when we run pip install? 1. Identification of

    base requirements and given parameters 2. Resolution of dependencies and determination of what will be installed 3. Determination of installation method 4. Installation of packages

29. Determination of installation method If wheel is available: Download wheel

    and install from it; Else: Download package source code; If it's possible to build wheel from source code: Build wheel and install from it; Else: Install from setup.py;

30. setup.py - dynamic metadata

31. Arbitrary code execution in package installation

32. Demo

33. Real life risk Typosquatting

34. Real life risk --extra-index-url https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610

35. Prevention - --only-binary - --require-hashes - NEVER download a package

    as sudo/admin

36. Prevention - --only-binary - --require-hashes - NEVER download a package

    as sudo/admin

37. 04. outdated dependencies

38. Vulnerabilities are found all the time!

39. Prevention - Keep up with the releases of packages we

    use - Keep up with the CVE vulnerabilities list (cve.mitre.org)

40. 05. outdated python

41. Vulnerabilities are found all the time!

42. Understanding Python's versions status

43. Be cautious with deprecated functions!

44. 06. the problem with pseudorandomness

45. How not to generate secure passwords

46. The random module and the infamous seed

47. Alternatives - The secrets module - os.urandom() - random.SystemRandom

48. 07. watch out for bomb files

49. Billion laughs attack

50. Prevention

51. Tarbombs and path traversal

52. Prevention Don't use extractall() without prior inspection of the files!

53. 08. assert is for debug!

54. What is the purpose of assert?

55. Saving a line with assert?

56. Are not equivalent Are equivalent

57. The __debug__ constant and the -O flag

58. Auditing our code

59. Lots of options! • Codacy (free for open source projects)

    • Horusec (open source) • Pyre/Pysa (open source) • Coverity Scan (exclusive for open source projects) • Bandit (open source)

60. Using bandit

61. key points to never forget

62. 01. never trust user input

63. 02. avoid running Python code as sudo/admin

64. 03. keep your system up-to-date

65. 04. read the docs

66. 04. read the docs

67. 05. use static code analysis tools

68. Thank you! Twitter: @yyyyyyyan_ GitHub: @yyyyyyyan LinkedIn: /in/yyyyyyyan [email protected] |

    [email protected] PyCon APAC