Impact

There are two Python characteristics (1, 2) that allow malicious code to “poison-pill” command-line Safety package detection routines by disguising, or obfuscating, other malicious or non-secure packages.

This vulnerability is considered to be of low severity because the attack makes use of an existing Python condition, not the Safety tool itself.

This can happen if:

• You are running Safety in a Python environment that you don’t trust.
• You are running Safety from the same Python environment where you have your dependencies installed.
• Dependency packages are being installed arbitrarily or without proper verification.

Mitigation options

• Perform a static analysis by installing Docker and running the Safety Docker image:
  $ docker run --rm -it pyupio/safety check -r requirements.txt
• Run Safety against a static dependencies list, such as the requirements.txt file, in a separate, clean Python environment.
• Run Safety from a Continuous Integration pipeline.
• Use PyUp.io, which runs Safety in a controlled environment and checks Python for dependencies without any need to install them.
• Use PyUp's Online Requirements Checker.

References

https://mulch.dev/blog/CVE-2020-5252-python-safety-vuln/
https://github.com/akoumjian/python-safety-vuln
https://pyup.io/posts/patched-vulnerability/

Researchers

Alec Koumjian