Skip to content

pan-net-security/artifactory-pypi-scanner

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

26 Commits
.github
.github
 
 
.gitignore
.gitignore
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
go.mod
go.mod
 
 
go.sum
go.sum
 
 
main.go
main.go
 
 

Repository files navigation

Artifactory PyPI Scanner

Go Report Card Build Status

artifactory-pypi-scanner lists all Python packages in a jfrog artifactory instance. Checks whether they're present on PyPI and creates new ones with the same name if they do not exist on PyPI.

But why?

When pip searches for packages, it searches PyPI first and other repositories next. This creates a security issue which was described here. Let's say we have a package in an internal repository. Someone can upload a package containing malicious code with the same name to PyPI. When downloading the package users will download the malicious package. To prevent this package injection we create a placeholder on PyPI.

OK, but haven't I just performed a package injection on myself?

Well yes, actually but no. If the package version is not specified, pip tries to get the latest version possible. By creating a package with a low enough version (0.0.47) on PyPI, we make sure that pip downloads the package from internal repositories.

Be nice and prefix your package name with, e.g. name of your organization, not to clutter PyPI

Installation

You can build it from source or download pre-build binaries from releases.

go get github.com/pan-net-security/artifactory-pypi-scanner

Configuration

artifactory-pypi-scanner is configured by environmental variables. All variables are mandatory.

  • ARTIFACTORY_URL
  • PYPI_UPLOAD_URL - used for uploading packages via legacy endpoint
  • PYPI_URL - used for checking presence of package via json endpoint
  • PYPI_EMAIL - used for checking authors of conflicting packages
  • PYPI_TOKEN - API token, not a password

Example

artifactory-pypi-scanner outputs JSON since it is easily consumable by other services.

$ artifactory-pypi-scanner | jq
{
  "error": "",
  "artifactoryPackages": 3,
  "pypiPlaceholders": 2,
  "repositoryResults": [
    {
      "error": "",
      "url": "https://af.example.com/artifactory//repository1-pypi-local",
      "packageResults": [
        {
          "error": "",
          "name": "package1",
          "isOurs": false,
          "created": false
        }
      ]
    },
    {
      "error": "",
      "url": "https://af.example.com/artifactory//repository2-pypi-local",
      "packageResults": [
        {
          "error": "",
          "name": "package2",
          "isOurs": true,
          "created": false
        },
        {
          "error": "",
          "name": "package3",
          "isOurs": true,
          "created": true
        }
      ]
    }
  ]
}

About

Saves you from Python supply chain attack!

Topics

scanner pypi artifactory pypi-package

Resources

Readme

License

GPL-3.0 license
Activity
Custom properties

Stars

12 stars

Watchers

5 watching

Forks

2 forks
Report repository

Releases 1

0.1.0 Latest
Oct 5, 2020

Languages