Dangers of the Python Standard Library
🤓 Andrew Scott
📧 andrew@ochrona.dev
🐦 @drownedcoast - ✍️ @aclaytonscott
Dangers of the Python Standard Library - Andrew Scott
What is the Standard Library?
“Batteries included” modules that ship with Python to help developers accomplish common tasks, e.g. os (interacting with the operating system) and csv (working with CSV files).
Assert
“assert” statements should not be used in production code because they only run while the __debug__ constant is True.*
* __debug__ is set to False (and every assert is stripped out) by passing the -O flag to python (capital o, not zero)
Assert
Please don’t do this!
Assert
Solution?
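Added example, not from the talk: the same privilege check written with assert and with an explicit raise, compiled at optimization level 1, which is what python -O does (compile()'s optimize argument strips asserts exactly like the flag). The names delete_account and the admin/target arguments are made up for the demonstration.

```python
# Demonstrates why a security check must not live in an assert: compiling at
# optimize=1 (what "python -O" does) removes the assert and the check with it.

GUARDED_BY_ASSERT = '''
def delete_account(actor_is_admin, target):
    assert actor_is_admin, "admin privileges required"
    return f"deleted {target}"
'''

GUARDED_BY_RAISE = '''
def delete_account(actor_is_admin, target):
    if not actor_is_admin:
        raise PermissionError("admin privileges required")
    return f"deleted {target}"
'''


def load_with_optimization(source, optimize):
    """Compile `source` at the given level (0 = plain python, 1 = python -O)
    and return the delete_account function it defines."""
    namespace = {}
    exec(compile(source, "<demo>", "exec", optimize=optimize), namespace)
    return namespace["delete_account"]


def check_blocked(source, optimize):
    """True if a non-admin call is refused, False if the deletion goes through."""
    delete_account = load_with_optimization(source, optimize)
    try:
        delete_account(False, "bob")
    except (AssertionError, PermissionError):
        return True
    return False


if __name__ == "__main__":
    print("assert, no -O :", check_blocked(GUARDED_BY_ASSERT, 0))  # True
    print("assert, with -O:", check_blocked(GUARDED_BY_ASSERT, 1))  # False: check vanished
    print("raise,  with -O:", check_blocked(GUARDED_BY_RAISE, 1))   # True
```

The explicit raise survives every optimization level; the assert version is a working check in development and an open door once someone deploys with -O (or sets PYTHONOPTIMIZE).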
String Formatting
The legacy format() string formatter is susceptible to data leakage IF an attacker has the ability to modify the “format_string”.
String Formatting
An “illustrative” Example
String Formatting
“An illustrative Example”
A “Real World” Example
String Formatting
Solution?
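Added example, not from the talk: a plain str.format call that leaks an attribute of an object in the formatting context, next to a string.Formatter subclass that refuses attribute and index traversal in field names, so an attacker-controlled template can only reach the names it was explicitly given. Settings and its api_key value are constructed stand-ins.

```python
import string


class Settings:
    """Constructed stand-in for an object in the format context that holds a secret."""
    api_key = "sk-constructed-not-real"


def render_unsafe(template: str, **context) -> str:
    """Plain str.format: "{settings.api_key}" walks attributes of anything in context."""
    return template.format(**context)


class SafeFormatter(string.Formatter):
    """Allow only plain field names; reject attribute (.) and index ([) traversal.

    get_field is where str.format resolves "a.b" and "a[b]", so gating it here
    closes the traversal path while keeping ordinary "{name}" substitution."""

    def get_field(self, field_name, args, kwargs):
        if "." in field_name or "[" in field_name:
            raise ValueError(f"field {field_name!r}: attribute/index access is not allowed")
        return super().get_field(field_name, args, kwargs)


def render_safe(template: str, **context) -> str:
    return SafeFormatter().vformat(template, (), context)


def is_rejected(template: str, **context) -> bool:
    """True if the safe formatter refuses the template."""
    try:
        render_safe(template, **context)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    ctx = {"user": "ann", "settings": Settings()}
    print(render_unsafe("Hi {user}: {settings.api_key}", **ctx))  # leaks the key
    print(render_safe("Hi {user}", **ctx))                        # Hi ann
    print(is_rejected("{settings.api_key}", **ctx))               # True
```

The safer fix is to never let user input become the format string at all (pass it as an argument instead); the allow-list formatter is for the case where templates genuinely must come from outside.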
Arbitrary File Write (tarfile)
Arbitrary file write occurs when extracting an archive writes files to unexpected locations, for example through member names containing “..” or absolute paths. Python tarfile is susceptible to this vulnerability; zipfile, notably, is not.
Arbitrary File Write (tarfile)
Creating a malicious archive
Usage: <payload file> <archive name> <# of levels up> <final directory name> Ex. python maker.py evil.sh archive.tar.gz 3 ../
Arbitrary File Write (tarfile)
Solution?
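Added example, not from the talk: a pre-extraction check that resolves every member name against the destination directory and refuses anything that escapes it, is a link, or is not a regular file or directory. The two archives are built in memory as test fixtures (one benign, one with a traversal name); the destination path is a made-up value. Python 3.12+ (and backports) also ship tarfile's filter="data" argument for extractall, which does a similar job natively.

```python
import io
import os
import tarfile


def build_tar(members):
    """Build a gzip'd tar in memory from (name, bytes) pairs; test fixture only."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for name, data in members:
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed archives: one benign, one whose member name climbs out of the target.
BENIGN_TAR = build_tar([("docs/readme.txt", b"hello\n")])
TRAVERSAL_TAR = build_tar([("../../evil.sh", b"# constructed placeholder content\n")])


def find_unsafe_members(archive_bytes, dest):
    """Return the member names that must not be extracted into `dest`."""
    dest = os.path.realpath(dest)
    unsafe = []
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:*") as tf:
        for m in tf.getmembers():
            # join() discards dest for absolute names and realpath() collapses "..",
            # so commonpath() tells us whether the target still lies under dest.
            target = os.path.realpath(os.path.join(dest, m.name))
            escapes = os.path.commonpath([dest, target]) != dest
            # Links can point outside dest; devices and FIFOs are never wanted.
            if escapes or m.issym() or m.islnk() or not (m.isfile() or m.isdir()):
                unsafe.append(m.name)
    return unsafe


def safe_extract(archive_bytes, dest):
    """Extract only after every member passed the check; return the names written."""
    bad = find_unsafe_members(archive_bytes, dest)
    if bad:
        raise ValueError(f"refusing to extract: unsafe members {bad}")
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:*") as tf:
        tf.extractall(dest)
        return [m.name for m in tf.getmembers()]


if __name__ == "__main__":
    print(find_unsafe_members(TRAVERSAL_TAR, "/tmp/extract-demo"))  # ['../../evil.sh']
    print(find_unsafe_members(BENIGN_TAR, "/tmp/extract-demo"))     # []
```

Checking the whole member list before writing anything matters: rejecting members one by one during extraction would still leave the earlier, already-written files behind.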
XML Parsing (xml)
XML parsing with the Python standard library leaves you susceptible to a couple of attack vectors, including the DoS-style “billion laughs attack” as well as “external entity expansion”.
XML Parsing (xml)
The infamous “billion laughs”
Demo!
XML Parsing (xml)
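Added example, not from the talk: a standard-library-only guard that runs expat over untrusted input with a DOCTYPE handler that raises as soon as a DTD begins (before any entity declared in it can be expanded), and only then hands the document to ElementTree. Both attack classes above need a DTD, so refusing DOCTYPE outright covers the billion laughs shape and external entities alike. The sample documents are constructed: the laughs sample is a two-level cut-down (it expands to only 100 “lol”s), and the external-entity sample points at a placeholder path.

```python
import xml.etree.ElementTree as ET
import xml.parsers.expat


class UnsafeXML(ValueError):
    """Raised when untrusted input carries a DTD (the vehicle for entity attacks)."""


# Constructed: same shape as billion laughs, cut to two levels (100 expansions).
LAUGHS_SAMPLE = b"""<?xml version="1.0"?>
<!DOCTYPE lolz [
  <!ENTITY lol "lol">
  <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
  <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
]>
<lolz>&lol2;</lolz>
"""

# Constructed external-entity shape; the SYSTEM path is a placeholder.
XXE_SAMPLE = b"""<?xml version="1.0"?>
<!DOCTYPE data [ <!ENTITY ext SYSTEM "file:///placeholder/secret.txt"> ]>
<data>&ext;</data>
"""

BENIGN_SAMPLE = b"<order><item sku='A1'>2</item></order>"


def parse_untrusted_xml(data: bytes) -> ET.Element:
    """Reject any DOCTYPE before the body is parsed, then parse with ElementTree."""
    scanner = xml.parsers.expat.ParserCreate()

    def deny_doctype(doctype_name, system_id, public_id, has_internal_subset):
        raise UnsafeXML(f"DOCTYPE {doctype_name!r} is not allowed in untrusted input")

    # Fires at "<!DOCTYPE", i.e. before any entity it declares can be referenced.
    scanner.StartDoctypeDeclHandler = deny_doctype
    scanner.Parse(data, True)
    return ET.fromstring(data)


def xml_is_accepted(data: bytes) -> bool:
    try:
        parse_untrusted_xml(data)
    except UnsafeXML:
        return False
    return True


if __name__ == "__main__":
    print(xml_is_accepted(LAUGHS_SAMPLE))  # False
    print(xml_is_accepted(XXE_SAMPLE))     # False
    print(parse_untrusted_xml(BENIGN_SAMPLE).find("item").get("sku"))  # A1
```

The first pass is cheap because it stops at the DOCTYPE; a document without one is scanned and parsed twice, which is the price of doing this without a third-party parser such as defusedxml.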
Deserialization (pickle)
Python pickle is vulnerable to arbitrary code execution when loading untrusted data. This means if you load a malicious pickle it can literally take any action available to the current user!
Deserialization (pickle)
A gross pickle
Deserialization (pickle)
Solution?
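Added example, not from the talk: the Unpickler.find_class allow-list pattern (the one the pickle docs describe) that is the only realistic mitigation if untrusted pickles must be loaded at all. Every global a pickle references, and therefore every callable it could invoke, passes through find_class, so refusing everything outside a short builtins list stops the loader from resolving arbitrary functions. The two inputs are constructed: plain data that needs no global lookup, and a reference to os.getcwd that does.

```python
import builtins
import io
import os
import pickle

# Builtins the restricted loader may resolve; anything else is refused.
SAFE_BUILTINS = {"set", "frozenset", "range", "slice", "complex", "bytearray"}


class RestrictedUnpickler(pickle.Unpickler):
    """find_class is the single path by which a pickle reaches module attributes
    (and so the callables that REDUCE would invoke); gate it with an allow-list."""

    def find_class(self, module, name):
        if module == "builtins" and name in SAFE_BUILTINS:
            return getattr(builtins, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def restricted_loads(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def load_is_blocked(data: bytes) -> bool:
    """True if the restricted loader refuses the pickle."""
    try:
        restricted_loads(data)
    except pickle.UnpicklingError:
        return True
    return False


# Constructed inputs: containers of str/int need no globals at all, while a bare
# function reference is stored as a global lookup (module "posix" or "nt", name "getcwd").
PLAIN_DATA = pickle.dumps({"user": "alice", "roles": [1, 2], "tags": {"a", "b"}})
GLOBAL_REF = pickle.dumps(os.getcwd)


if __name__ == "__main__":
    print(restricted_loads(PLAIN_DATA))  # {'user': 'alice', 'roles': [1, 2], 'tags': {...}}
    print(load_is_blocked(GLOBAL_REF))   # True
```

The better answer is still to not unpickle untrusted data at all and to use a data-only format such as json for anything that crosses a trust boundary; the allow-list is a backstop, not a reason to keep pickle in the protocol.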
Thanks!
Check out ochrona.dev for more on python security and dependency management!