Opened 5 years ago

Closed 4 years ago

#12642 closed defect (fixed)

Can Network Attacker Downgrade Dependency Install Security?

Reported by: earthrise
Owned by: hellais
Priority: Medium
Milestone:
Component: Archived/Ooni
Version:
Severity: Normal
Keywords:
Cc:
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

From the ooni-backend readme:

pip install -r requirements.txt --use-mirrors
# Note: it is important that you install the requirements before you run
# the setup.py script. If you fail to do so they will be downloaded over
# plaintext.
python setup.py install


What happens if an attacker is MITMing the network connection, and they make one package inaccessible during the pip install, but allow setup.py to download it? Will it fall back to an insecure connection, allowing the attacker to modify the code?

Child Tickets

Change History (4)

comment:1 Changed 5 years ago by hellais

The user must make sure that the pip command does not return any errors. Failing to do so can lead to a compromise.

If you are using that procedure in a script you should check for the return code of pip. If the return code is != 0 then it should hard fail and not continue to the python setup.py step.

Is there something that should be done to address this issue? Should the documentation for the README.md of ooni-backend be more clear?

comment:2 Changed 5 years ago by hellais

Another approach could be to upload ooni-backend to pypi and update the docs to instruct to download ooni-backend via pip only.

comment:3 Changed 5 years ago by nathan-at-least

Note, this kind of problem is widespread in the python community, and several different projects are attempting a similar solution as found here.

One example I've recently been introduced to is the petmail safe_develop setup.py command: https://github.com/warner/petmail/blob/master/setup.py#L131

In this Ooni case, the README is correct, but I believe it's likely that users will fail to follow the instructions in various ways. For example, if they pasted the quoted lines above into a bash script with the default set +e behavior, then they may not notice if pip fails and then setup.py proceeds to re-download (potentially malicious) dependencies.

For another example, Least Authority (or someone else on mlab1) appears to have run python ./setup.py install without ever running the pip command, perhaps just from muscle memory. After all, that's "how you install python packages", right?

I don't know of a good solution at the moment. I know that pip install . will delegate to setup.py, but would it be possible to convince pip install . to *also* do the equivalent of pip install -r requirements.txt --use-mirrors prior to delegating to setup.py? In other words, is there a way to replace the quoted instructions above with "just run pip install ."?
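A guarded install wrapper that implements the return-code check hellais describes and closes the set +e failure mode above, as an added example that is not part of the ticket or the ooni-backend README. The PIP_INSTALL and SETUP_INSTALL variables are assumed names that default to the README's two commands and can be overridden to exercise the guard without network access.

```shell
#!/bin/sh
# Added example, not code from the ticket or the ooni-backend README.
# Runs the README's two-step install but refuses to reach setup.py unless
# the pip step returned 0, so a pip failure (for instance a package that
# became unreachable during the install) cannot silently hand the
# download over to setup.py, which would fetch it over plaintext.
#
# PIP_INSTALL and SETUP_INSTALL are assumed names; they default to the
# README commands and can be overridden to test the guard offline.
PIP_INSTALL=${PIP_INSTALL:-"pip install -r requirements.txt --use-mirrors"}
SETUP_INSTALL=${SETUP_INSTALL:-"python setup.py install"}

# install_guarded: run pip, then setup.py only if pip succeeded.
# Returns pip's non-zero status (without running setup.py) on failure,
# otherwise returns the status of the setup.py step.
install_guarded() {
    # Check the status explicitly instead of relying on the shell's
    # default "keep going after errors" (set +e) behaviour. A script
    # that simply pastes the README lines gets the same protection
    # only if it starts with "set -e".
    sh -c "$PIP_INSTALL" || {
        pip_status=$?
        echo "pip exited with status $pip_status; not running setup.py" >&2
        return "$pip_status"
    }
    # Reached only when pip installed every requirement, so setup.py has
    # nothing left to fetch on its own.
    sh -c "$SETUP_INSTALL"
}

# Stand-alone use: sh install.sh run
if [ "${1:-}" = "run" ]; then
    install_guarded
fi
```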

comment:4 Changed 4 years ago by hellais

Resolution: fixed
Severity: Normal
Status: new → closed

This has been fixed in later versions of pip so it's no longer an issue.
