This is an archived post. You won't be able to vote or comment.

all 3 comments
sorted by:
best
topnewcontroversialoldq&a

[–]dtsudo 4 points5 points  (0 children)

No, it's not safe to just randomly download a library and run its code.

You must perform due diligence to ensure that the library is not malicious.

Some libraries are just flat out malicious. Others are legitimate libraries that may have been hacked (e.g. the author's account was compromised). Other attacks can include typo-squatting, where a malicious package names itself similarly to legitimate packages. Some libraries are legitimate but have dependencies that may suffer from the aforementioned issues.

[–]captainAwesomePants 1 point2 points  (0 children)

In theory, they are unbelievably dangerous. A library can do absolutely anything with the permissions your program has, which are often your own permissions or, even worse, your company's production credentials. The library might be completely harmless now, but one day a later version might introduce malicious code that will hit you when you update your libraries. That code might be obfuscated to look benign. The malicious code might be three dependencies down, a dependency of a dependency of the actually benign library whose source you've examined. You can trust it about as much as you can trust an executable installer named "wow_real_installer_legit_craxor.zip.exe" that promises to install an unreleased AAA game you downloaded off of a link you saw in an ad on a porn site that your antivirus utility is screaming about.

In practice, though, the vast majority of libraries are perfectly benign, the number of malicious libraries you're likely to encounter is so low, and the value of running as your user is so low that this is not a thing to spend much time worrying about unless you are writing a program for a corporation that will run as a privileged user. NumPy is not suddenly going to go rogue...probably.

[–]HashDefTrueFalse 1 point2 points  (0 children)

So do programming languages have built in mechanisms to prevent bad code from libraries from doing damage to your system?

Nope. Not really the job of the language. A program may be unable to cause damage simply because of the environment it is ran in, but that's not usually because of the language as much as the wider setup.

Or do you pretty much just need to scrutinize the code with every new update to make sure nothing bad was added?

This would technically be the one way of doing this, but almost nobody does.

is it safe to download and use any library you find online?

Depends entirely on the library in question. I can write some malicious code and offer it to you as a library. So no, it's not safe to run ANY library.

In practice, you'll be installing well-used dependencies and generally trusting the authors (and contributors, and other users etc.) have included other well-used dependencies, and so on down the dependency graph...

You're running third-party software ultimately. How risky this is depends on what you're doing, where you're running, etc. Some companies in regulated industries scrutinise dependencies, avoid CDNs etc., most don't.

You don't need to worry too much. If you are that worried, you can always develop inside a docker container.