Python Safety

What is Python Safety?

Python Safety is a tool that reports whether a Python application depends on packages with known Common Vulnerabilities and Exposures (CVEs).

How does Python Safety work?

Python Safety takes as input a list of Python modules and reports back any that have been reported to contain Common Vulnerabilities and Exposures (CVEs).  For more information on CVEs, see the Wikipedia page on CVE or MITRE's own explanation.

What Role should Python Safety play in CD/CI?

Python Safety is a feedback loop; the role it plays depends on the security risk of the application in question.  Some environments may adopt a rule that any CVEs found must be remediated before promotion into a production environment.  My recommendation is to use Safety as a feedback loop, trusting application teams to decide whether the application is safe to deploy to production.
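As an added illustration of the mechanism described above (pinned requirements matched against advisory version ranges) and of the advisory-versus-blocking choice, here is example code that is not part of Safety or of this page. The advisory database is a constructed excerpt whose ranges and IDs are copied from the report shown further down; the `gate` function and the `advisory`/`block` mode names are my own assumptions.

```python
import re
from operator import lt, le, gt, ge, eq
# Constructed excerpt of a vulnerability database: the affected ranges and
# advisory IDs come from the report shown later on this page (not Safety's DB).
VULN_DB = {
    "django": [("<1.8.10", 33073), ("<1.8.10", 33074), ("<1.8.15", 25718),
               (">=1.8,<1.8.16", 33075), (">=1.8,<1.8.16", 33076),
               (">=1.8,<1.8.18", 33301)],
}
OPS = {"<": lt, "<=": le, ">": gt, ">=": ge, "==": eq}

def parse_version(text):
    """'1.8.8' -> (1, 8, 8); tuples compare element-wise like dotted versions."""
    return tuple(int(p) for p in text.strip().split("."))

def version_matches(installed, spec):
    """True if the installed version satisfies every comma-separated clause of spec."""
    have = parse_version(installed)
    for clause in spec.split(","):
        op, target = re.match(r"(<=|>=|==|<|>)(.+)", clause.strip()).groups()
        want = parse_version(target)
        width = max(len(have), len(want))  # pad so '1.8' compares as '1.8.0'
        a, b = have + (0,) * (width - len(have)), want + (0,) * (width - len(want))
        if not OPS[op](a, b):
            return False
    return True

def parse_requirements(text):
    """Yield (name, version) for pinned 'name==version' lines; skip blanks and comments."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        name, _, version = line.partition("==")
        if name and version:
            yield name.lower(), version.strip()

def check(requirements_text):
    """Return [(package, installed, affected_range, advisory_id)] for each hit."""
    findings = []
    for name, version in parse_requirements(requirements_text):
        for spec, vuln_id in VULN_DB.get(name, []):
            if version_matches(version, spec):
                findings.append((name, version, spec, vuln_id))
    return findings

def gate(findings, mode):
    """CI exit status: 'advisory' only reports, 'block' fails the build on any finding."""
    return 1 if mode == "block" and findings else 0

# Constructed requirements file pinning the Django version seen in the report.
SAMPLE_REQUIREMENTS = "django==1.8.8\nrequests==2.18.1  # no advisory in the excerpt\n"
```

The tuple comparison covers only plain dotted releases; real requirement files carry PEP 440 versions (pre- and post-releases, local labels) and need a library such as `packaging`, which Safety itself pulls in as a dependency.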

How to install?

You can install Safety using pip.  I recommend doing so inside a virtual environment.

How to install a Python virtual environment on Debian/Ubuntu?

[email protected]:/# apt-get install python2.7 python-virtualenv virtualenv python-pip
Reading package lists... Done
.....
done.
[email protected]:/#

How to install a Python virtual environment on CentOS / Amazon Linux?

[[email protected] /]# yum search virtualenv
Loaded plugins: fastestmirror, ovl
....
Complete!
[[email protected] /]#

How to set up a Virtual Environment?

[email protected]:/# virtualenv /venv
Running virtualenv with interpreter /usr/bin/python2
New python executable in /venv/bin/python2
Also creating executable in /venv/bin/python
Installing setuptools, pip...done.
[email protected]:/# source /venv/bin/activate
(venv)[email protected]:/# pip install -U pip
Downloading/unpacking pip from https://pypi.python.org/packages/b6/ac/7015eb97dc749283ffdec1c3a88ddb8ae03b8fad0f0e611408f196358da3/pip-9.0.1-py2.py3-none-any.whl#md5=297dbd16ef53bcef0447d245815f5144
  Downloading pip-9.0.1-py2.py3-none-any.whl (1.3MB): 1.3MB downloaded
Installing collected packages: pip
  Found existing installation: pip 1.5.6
    Uninstalling pip:
      Successfully uninstalled pip
Successfully installed pip
Cleaning up...
(venv)[email protected]:/# pip install safety
Collecting safety
  Downloading safety-1.4.0-py2.py3-none-any.whl
....
Installing collected packages: six, pyparsing, packaging, certifi, chardet, urllib3, idna, requests, Click, safety
Successfully installed Click-6.7 certifi-2017.4.17 chardet-3.0.4 idna-2.5 packaging-16.8 pyparsing-2.2.0 requests-2.18.1 safety-1.4.0 six-1.10.0 urllib3-1.21.1
(venv)[email protected]:/# 

How to use?

To check a Python application for CVEs, I recommend pointing Safety at the application's requirements.txt, as shown below.

(venv)bash-4.2# echo 'django-extensions==1.6.1' > requirements.txt

(venv)bash-4.2# safety check -r requirements.txt --not-bare --full-report
╒══════════════════════════════════════════════════════════════════════════════╕
│                                                                              │
│                               /$$$$$$            /$$                         │
│                              /$$__  $$          | $$                         │
│           /$$$$$$$  /$$$$$$ | $$  __//$$$$$$  /$$$$$$   /$$   /$$           │
│          /$$_____/ |____  $$| $$$$   /$$__  $$|_  $$_/  | $$  | $$           │
│         |  $$$$$$   /$$$$$$$| $$_/  | $$$$$$$$  | $$    | $$  | $$           │
│          ____  $$ /$$__  $$| $$    | $$_____/  | $$ /$$| $$  | $$           │
│          /$$$$$$$/|  $$$$$$$| $$    |  $$$$$$$  |  $$$$/|  $$$$$$$           │
│         |_______/  _______/|__/     _______/   ___/   ____  $$           │
│                                                          /$$  | $$           │
│                                                         |  $$$$$$/           │
│  by pyup.io                                              ______/            │
│                                                                              │
╞══════════════════════════════════════════════════════════════════════════════╡
│ REPORT                                                                       │
╞════════════════════════════╤═══════════╤══════════════════════════╤══════════╡
│ package                    │ installed │ affected                 │ ID       │
╞════════════════════════════╧═══════════╧══════════════════════════╧══════════╡
│ django                     │ 1.8.8     │ <1.8.10                  │ 33073    │
╞══════════════════════════════════════════════════════════════════════════════╡
│ The utils.http.is_safe_url function in Django before 1.8.10 and 1.9.x before │
│  1.9.3 allows remote attackers to redirect users to arbitrary web sites and  │
│ conduct phishing attacks or possibly conduct cross-site scripting (XSS) atta │
│ cks via a URL containing basic authentication, as demonstrated by https://mys │
│ [email protected]                                               │
╞══════════════════════════════════════════════════════════════════════════════╡
│ django                     │ 1.8.8     │ <1.8.10                  │ 33074    │
╞══════════════════════════════════════════════════════════════════════════════╡
│ The password hasher in contrib/auth/hashers.py in Django before 1.8.10 and 1 │
│ .9.x before 1.9.3 allows remote attackers to enumerate users via a timing at │
│ tack involving login requests.                                               │
╞══════════════════════════════════════════════════════════════════════════════╡
│ django                     │ 1.8.8     │ <1.8.15                  │ 25718    │
╞══════════════════════════════════════════════════════════════════════════════╡
│ The cookie parsing code in Django before 1.8.15 and 1.9.x before 1.9.10, whe │
│ n used on a site with Google Analytics, allows remote attackers to bypass an │
│  intended CSRF protection mechanism by setting arbitrary cookies.            │
╞══════════════════════════════════════════════════════════════════════════════╡
│ django                     │ 1.8.8     │ >=1.8,<1.8.16            │ 33075    │
╞══════════════════════════════════════════════════════════════════════════════╡
│ Django before 1.8.x before 1.8.16, 1.9.x before 1.9.11, and 1.10.x before 1. │
│ 10.3, when settings.DEBUG is True, allow remote attackers to conduct DNS reb │
│ inding attacks by leveraging failure to validate the HTTP Host header agains │
│ t settings.ALLOWED_HOSTS.                                                    │
╞══════════════════════════════════════════════════════════════════════════════╡
│ django                     │ 1.8.8     │ >=1.8,<1.8.16            │ 33076    │
╞══════════════════════════════════════════════════════════════════════════════╡
│ Django 1.8.x before 1.8.16, 1.9.x before 1.9.11, and 1.10.x before 1.10.3 us │
│ e a hardcoded password for a temporary database user created when running te │
│ sts with an Oracle database, which makes it easier for remote attackers to o │
│ btain access to the database server by leveraging failure to manually specif │
│ y a password in the database settings TEST dictionary.                       │
╞══════════════════════════════════════════════════════════════════════════════╡
│ django                     │ 1.8.8     │ >=1.8,<1.8.18            │ 33301    │
╞══════════════════════════════════════════════════════════════════════════════╡
│ Django 1.8.18 fixes two security issues in 1.8.17.                           │
│                                                                              │
│ CVE-2017-7233: Open re                                                       │
│ direct and possible XSS attack via user-supplied numeric redirect URLs       │
│ ====                                                                         │
│ ============================================================================ │
│ ============                                                                 │
│                                                                              │
│ Django relies on user input in some cases  (e.g.                             │
│ :func:`dja                                                                   │
│ ngo.contrib.auth.views.login` and :doc:`i18n </topics/i18n/index>`)          │
│ to redi                                                                      │
│ rect the user to an "on success" URL. The security check for these           │
│ redirect                                                                     │
│ s (namely ``django.utils.http.is_safe_url()``) considered some numeric       │
│ URLs                                                                         │
│  (e.g. ``https:999999999``) "safe" when they shouldn't be.                    │
│                                                                              │
│ Also, if a deve                                                              │
│ loper relies on ``is_safe_url()`` to provide safe redirect                   │
│ targets and puts                                                             │
│  such a URL into a link, they could suffer from an XSS attack.               │
│                                                                              │
│ CVE-2017-7                                                                   │
│ 234: Open redirect vulnerability in ``django.views.static.serve()``          │
│ =======                                                                      │
│ ======================================================================       │
│                                                                              │
│ A                                                                            │
│ maliciously crafted URL to a Django site using the                           │
│ :func:`~django.views.sta                                                     │
│ tic.serve` view could redirect to any other domain. The                      │
│ view no longer does                                                          │
│  any redirects as they don't provide any known, useful                       │
│ functionality.                                                               │
│                                                                              │
│ No                                                                           │
│ te, however, that this view has always carried a warning that it is not      │
│ har                                                                          │
│ dened for production use and should be used only as a development aid.       │
╘══════════════════════════════════════════════════════════════════════════════╛
(venv)bash-4.2# 

Other Reference Sources

The safety site on pypi.python.org.

Safety GitHub page.