logo

Advisories

Weaknesses

Fixes

Requirements

Compliance

Dependency Confusion - Python

Need

Secure and accurate dependency management

Context

  1. Usage of Python 3.0 for developing Python applications
  2. Usage of Django for building web applications in Python
  3. Usage of the app package for building and running a Node.js application
  4. Usage of random_package for a specific functionality or feature

Description

Insecure Code Example

# settings.py

INSTALLED_APPS = [
    'django.contrib.admin',
    'django.contrib.auth',
    'django.contrib.contenttypes',
    'django.contrib.sessions',
    'django.contrib.messages',
    'django.contrib.staticfiles',
    'app',
    'random_package', # This is a malicious package that is not directly used by your application but is installed due to dependency confusion
]

# requirements.txt

Django==3.0.7
app==0.1.0
random_package>=0.0.0

In the above code, the `requirements.txt` file has a dependency `random_package` with a version specified as `>=0.0.0`. This means that the package manager (like pip) will install the latest available version of `random_package` from the Python Package Index (PyPI). The issue here is that if an attacker publishes a package with the same name (`random_package`) on PyPI with a higher version number, pip will prefer that package over the one you intended to use. This is because pip does not differentiate between packages from different sources and just installs the one with the highest version number. This can lead to a scenario where potentially malicious code is executed when the dependencies are installed. In addition, `random_package` is also listed in the `INSTALLED_APPS` in `settings.py`. This means that Django will load this app when it starts up, and if this package contains malicious code, it can be executed. This vulnerability is known as "Dependency Confusion" and can be a serious security risk for your application. It is recommended to always specify the exact version of your dependencies in `requirements.txt` and to only use packages from trusted sources.

Steps

  1. Identify and list all the dependencies of your application.
  2. Remove 'random_package' from the INSTALLED_APPS in settings.py and requirements.txt as it is not directly used by your application.
  3. Ensure that all dependencies are explicitly defined in your requirements.txt file with specific versions to avoid any ambiguity.
  4. Use a private package index instead of a public one to prevent the installation of malicious packages.
  5. Regularly update and audit your dependencies to ensure they are secure and up-to-date.
  6. Consider using tools that can automatically check for security vulnerabilities in your dependencies.

Secure Code Example

# settings.py

INSTALLED_APPS = [
    'django.contrib.admin',
    'django.contrib.auth',
    'django.contrib.contenttypes',
    'django.contrib.sessions',
    'django.contrib.messages',
    'django.contrib.staticfiles',
    'app',
    # 'random_package', # This package has been removed as it is not directly used by your application
]

# requirements.txt

Django==3.0.7
app==0.1.0
# random_package>=0.0.0 # This package has been removed as it is not directly used by your application

The vulnerability in the code was due to the inclusion of a package 'random_package' that was not directly used by the application. This package was included in both the `INSTALLED_APPS` list in `settings.py` and the `requirements.txt` file. This could potentially lead to a dependency confusion attack, where an attacker could confuse the package manager into installing or updating a malicious version of this package. To fix this vulnerability, the 'random_package' has been removed from both the `INSTALLED_APPS` list and the `requirements.txt` file. This ensures that only the packages that are directly used by the application are included as dependencies. Furthermore, it is recommended to explicitly define all dependencies with specific versions in the `requirements.txt` file to avoid any ambiguity. Using a private package index instead of a public one can also help prevent the installation of malicious packages. Regularly updating and auditing your dependencies can ensure they are secure and up-to-date. Consider using tools that can automatically check for security vulnerabilities in your dependencies.

References

  • 410 - Dependency Confusion

    • Last updated

    2023/09/18