pyupio/safety

CVE-2020-5252: another mitigation suggestion

Closed this issue · 0 comments

I believe it is possible to "undo" the patching of a malicious package as described in CVE-2020-5252, only if you are running safety as a library, in the same venv/process:

import importlib
import sys

# undo the patching: iterate over a snapshot of the keys, since deleting
# from sys.modules while iterating over it raises
# "RuntimeError: dictionary changed size during iteration"
for module in list(sys.modules):
    if module.startswith("safety.") or module == "safety":
        del sys.modules[module]

# didn't dig deep enough to ensure it's never needed
importlib.invalidate_caches()

# reload original, unpatched safety
from safety import safety
from safety.formatter import report
from safety.util import read_requirements

# check using safety as a library
packages = list(read_requirements(sys.stdin))  # or any other method to retrieve the list of packages
vulns = safety.check(packages=packages, ignore_ids="", key="", db_mirror="", cached=False, proxy={})
output_report = report(vulns=vulns, full=True, checked_packages=len(packages))
if vulns:
    print(output_report)

Maybe this could be done in safety itself, for example in the check click command body? But I guess it would be playing cat and mouse with exploit writers since that would be an "official" mitigation users rely upon.
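The purge-and-reimport idea from the issue, as an added self-contained example that is not the issue author's code nor part of safety: a throwaway package (`demo_checker`, constructed here in a temp dir) stands in for `safety`, its `check()` is monkeypatched in-process to hide a finding, and `purge_package()` drops the package from `sys.modules` so the next import re-executes it from disk. The names `purge_package`, `make_demo_package` and `run_demo` are this example's own.

```python
import importlib
import sys
import tempfile
import textwrap
from pathlib import Path


def purge_package(name: str) -> list:
    """Drop `name` and every `name.*` submodule from sys.modules so the next
    import re-executes them from disk. Iterates over a snapshot of the keys,
    since deleting from sys.modules while iterating over it raises
    RuntimeError. Returns the module names that were removed."""
    removed = [m for m in list(sys.modules) if m == name or m.startswith(name + ".")]
    for m in removed:
        del sys.modules[m]
    importlib.invalidate_caches()
    return removed


def make_demo_package() -> Path:
    """Write a tiny constructed package to a temp dir and put it on sys.path.
    demo_checker.core.check() plays the role of safety.check(): it reports
    every package named 'bad-pkg'."""
    root = Path(tempfile.mkdtemp())
    pkg = root / "demo_checker"
    pkg.mkdir()
    (pkg / "__init__.py").write_text("")
    (pkg / "core.py").write_text(textwrap.dedent("""
        def check(packages):
            # constructed rule: anything called 'bad-pkg' is a finding
            return [p for p in packages if p == "bad-pkg"]
    """))
    sys.path.insert(0, str(root))
    return root


def run_demo() -> dict:
    """Import the demo package, tamper with it in memory, then undo the
    tampering by purging and re-importing. Returns the three results plus
    whether the re-import produced a new module object."""
    make_demo_package()
    from demo_checker import core

    packages = ["good-pkg", "bad-pkg"]
    before = core.check(packages)

    # Simulate in-process tampering that hides findings: the already-imported
    # module object is patched, the file on disk is untouched.
    core.check = lambda packages: []
    patched = core.check(packages)

    # The mitigation from the issue: forget the patched module objects and
    # let the import system execute the package from disk again.
    purge_package("demo_checker")
    from demo_checker import core as fresh

    after = fresh.check(packages)
    return {
        "before": before,     # ['bad-pkg']
        "patched": patched,   # []
        "after": after,       # ['bad-pkg'] again
        "same_object": fresh is core,  # False: a new module object
    }


if __name__ == "__main__":
    print(run_demo())
```

What this does and does not cover: purging `sys.modules` only undoes tampering applied to module objects already living in the process. Anything that is re-applied when the package is executed again (a modified file on disk, a hook registered on `sys.meta_path` or `sys.path_hooks`, code that runs at interpreter startup) survives the re-import, so the check is worth pairing with a comparison of the reloaded module's `__file__` against the expected site-packages location or a hash of the installed files.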