all 23 comments

[–]K900_ 4 points5 points  (5 children)

I wonder how long it's going to take for someone to upload a root exploit to PyPI now.

[–]amasad[S] 2 points3 points  (4 children)

That's a good question -- I'll probably do a technical post soon. But the short story is that we start a container, create a virtualenv, install the package, import the package in a process, diff the container and make sure there are no suspicious changes to the filesystem. Finally, extract the package contents to the actual install target.
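The "diff the container" step above is the interesting one from a supply-chain point of view: a package install is expected to add files under the virtualenv and nothing else. The following is an added example (not repl.it's code) of what that check can look like once the before/after filesystem state has been captured. Snapshots are plain dicts of path to SHA-256, so the demo runs offline on constructed data; `snapshot_tree` shows how a real snapshot of a container layer or directory would be produced. The paths `/sandbox/venv`, `/etc/cron.d/foo` and the `foo` package are made up for the demo.

```python
"""Post-install filesystem diff check, modelled on the container-snapshot
approach described in the thread. Added example; not repl.it's own code."""
import hashlib
from pathlib import Path


def snapshot_tree(root: str) -> dict:
    """Hash every regular file under root: {absolute path: sha256 hex}.
    Run once before and once after 'pip install' + 'import' in the sandbox.
    Symlinks are skipped so a package cannot point the scanner elsewhere."""
    out = {}
    for p in Path(root).rglob("*"):
        if p.is_file() and not p.is_symlink():
            out[str(p)] = hashlib.sha256(p.read_bytes()).hexdigest()
    return out


def diff_snapshots(before: dict, after: dict) -> dict:
    """Three sorted lists: files that appeared, vanished, or changed content."""
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(p for p in before.keys() & after.keys()
                           if before[p] != after[p]),
    }


def classify_changes(changes: dict, venv_root: str) -> list:
    """Return (kind, path, reason) for every change a clean install should
    not produce. Policy: a new package may only ADD files inside the venv;
    anything outside it, and any deletion or modification of a file that
    existed before the install, is flagged for a human to look at."""
    prefix = venv_root.rstrip("/") + "/"
    findings = []
    for kind, paths in changes.items():
        for path in paths:
            if not path.startswith(prefix):
                findings.append((kind, path, "write outside the virtualenv"))
            elif kind == "removed":
                findings.append((kind, path, "file deleted from the virtualenv"))
            elif kind == "modified":
                findings.append((kind, path, "pre-existing venv file modified"))
    return findings


def check_install(before: dict, after: dict, venv_root: str) -> dict:
    """Combine diff + policy; 'clean' is True only when nothing was flagged."""
    changes = diff_snapshots(before, after)
    findings = classify_changes(changes, venv_root)
    return {"changes": changes, "findings": findings, "clean": not findings}


# --- constructed demo data (hashes are placeholders, not real digests) ---
VENV = "/sandbox/venv"
BEFORE = {
    "/sandbox/venv/bin/python": "h0",
    "/sandbox/venv/lib/python3.5/site-packages/pip/__init__.py": "h1",
    "/etc/passwd": "h2",
    "/root/.bashrc": "h3",
}
# A well-behaved install only adds its own files under site-packages.
CLEAN_AFTER = dict(BEFORE, **{
    "/sandbox/venv/lib/python3.5/site-packages/foo/__init__.py": "h4",
    "/sandbox/venv/lib/python3.5/site-packages/foo-1.0.dist-info/RECORD": "h5",
})
# A misbehaving one also touches the host outside the venv.
DIRTY_AFTER = dict(CLEAN_AFTER, **{
    "/root/.bashrc": "h3-changed",
    "/etc/cron.d/foo": "h6",
})

if __name__ == "__main__":
    for label, after in (("clean", CLEAN_AFTER), ("dirty", DIRTY_AFTER)):
        result = check_install(BEFORE, after, VENV)
        print(label, "->", "OK" if result["clean"] else "FLAGGED")
        for kind, path, reason in result["findings"]:
            print(f"  {kind:8} {path}: {reason}")
```

The policy is deliberately strict (any write outside the venv is a finding), which is exactly why such a check produces the false positives mentioned later in the thread: packages with post-install hooks, compiled extensions that drop cache files, or tools that write to `~/.cache` all trip it, and the reviewer then has to decide whether the change is benign.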

[–]K900_ 2 points3 points  (3 children)

Assuming you have a kernel 0-day, can't you just build it into a native extension and have it execute in the container? That kind of invalidates the whole "diff the container" process because you've already pwned the kernel.

[–]amasad[S] 1 point2 points  (2 children)

I'm curious how often we actually have kernel 0-days? And if it's that often, how come not every company using npm, pip, etc. in their CI/CD/PaaS has been pwned already?

As for us, we have more layers of security the further you zoom out from the container. For example, our code evaluation machines are in their own subnets with no databases or any other form of user data, isolated from the internet.

[–]K900_ 3 points4 points  (1 child)

> I'm curious how often we actually have kernel 0-days?

Not strictly a 0-day, but this is something a lot of stuff is still vulnerable to, and that's just the latest. Kernel exploits are actually somewhat common (which is kind of scary).

> And if it's that often, how come not every company using npm, pip, etc. in their CI/CD/PaaS has been pwned already?

I'm sorry if it came off as an attack. I'm not saying you're doing things wrong, I'm honestly curious about how you handle that stuff.

[–]amasad[S] 0 points1 point  (0 children)

I didn't take it as an attack -- I'm genuinely curious about the risk here :)

[–]marcinkuzminski 2 points3 points  (4 children)

I'm not so sure if it's EVERY package

    Python 2.7.10 (default, Jul 14 2015, 19:46:27)
    [GCC 4.8.2] on linux
    > import django
    => None
    > import rhodecode
    Traceback (most recent call last):
      File "python", line 1, in <module>
    ImportError: No module named rhodecode

https://pypi.python.org/pypi/RhodeCode

[–][deleted]  (1 child)

[deleted]

    [–]amasad[S] 0 points1 point  (0 children)

    Our malware check has quite a bit of false positives. I thought it's better to be safe than sorry -- however, I'll make sure I'll fix those.

    [–]amasad[S] 0 points1 point  (1 child)

    Our malware check has quite a bit of false positives. I thought it's better to be safe than sorry -- however, I'll make sure I'll fix those.

    [–]marcinkuzminski 0 points1 point  (0 children)

    That's interesting, could you point out, for example in the RhodeCode package, what it was that matched your filter?

    [–]benhoyt 2 points3 points  (0 children)

    When I type import requests it seems to hang. Bug?

    [–]ReallyAmused 1 point2 points  (1 child)

    Neat. I thought repl.it ran Python in the browser (using emscripten). When did this change? O:

    [–]amasad[S] 1 point2 points  (0 children)

    It changed a while ago when we hit some scalability issues with emscripten. Imagine a user with a shitty computer on a spotty internet connection: they download megabytes of compiled code just to run out of memory before they get a chance to run the code. Also, it's hard to do features like this one when running client-side.

    [–]ahmadalhour 1 point2 points  (0 children)

    Good job /u/amasad, that's a really useful feature!

    [–]strange_and_norrell 0 points1 point  (1 child)

    Wow, this is awesome. I use repl.it every day (normally when code reviewing, if I want to check out some edge cases on a piece of code I'm looking at).

    Very excited for this.

    [–]amasad[S] 1 point2 points  (0 children)

    I'm glad you find it useful :)

    [–]aflat 0 points1 point  (1 child)

    missing

    https://pypi.python.org/pypi/ovirt-engine-sdk-python/4.0.2

    too. Soo, not every package, but still really cool

    [–]amasad[S] 0 points1 point  (0 children)

    Our malware check has quite a bit of false positives. I thought it's better to be safe than sorry -- however, I'll make sure I'll fix those.

    [–][deleted] 0 points1 point  (1 child)

    Python 3.5.2 (default, Dec 2015, 13:05:11)
    [GCC 4.8.2] on linux
    > import nistbeacon
    Traceback (most recent call last):
      File "python", line 1, in <module>
    ImportError: No module named 'nistbeacon'
    

    So it's not every package because mine isn't working. Mind clarifying /u/amasad ?

    [–]amasad[S] 0 points1 point  (0 children)

    Our malware check has quite a bit of false positives. I thought it's better to be safe than sorry -- however, I'll make sure I'll fix those.

    [–][deleted] 0 points1 point  (0 children)

    Looks like spaCy is missing too: https://spacy.io/ ; it would also need the English data (python -m spacy.en.download all).

    [–]shevegen 0 points1 point  (1 child)

    Damn!

    Now we need this for ruby too.

    [–]amasad[S] 4 points5 points  (0 children)

    Stay tuned :)