PyPI URL Dependency
ID | url_dependency_pip
Severity | low
Family | URL dependency
Tags | reachable
Description
This detector reports direct dependencies that are declared as a URL (for example a PEP 508 direct reference of the form name @ url in requirements.txt) instead of as a package version published on PyPI.
Because such dependencies are not resolved from the PyPI index, the content behind the URL is not immutable: anyone who can write to the target location can change what is served and inject malicious code, and the resource can also be removed, breaking the build.
In general, URL-based dependencies make a reproducible build harder to achieve.
Security
Versioning can be expressed with a tag encoded in the URL, but a tag is only a name: it can be re-pointed to a different snapshot of the target component, so the build is not guaranteed to be reproducible.
An attacker with write permission to the target repository or host can therefore add malicious dependencies or inject unintended code, and every build that follows the URL will pick it up.
Git tags are expected to point to one commit and never move, but git does allow a tag to be moved to another commit (git tag --force my-tag <commit SHA>, followed by git push --force --tags), and a tag archive such as a GitHub .zip URL is regenerated from whatever the tag currently references. Branches, of course, are moving pointers by design: they advance on every commit. Only a reference to a full commit SHA identifies an immutable snapshot, and even that is still not a published PyPI release.
Examples
The following dependency on the urllib3 library is a direct reference to the zip archive of a specific tag in the GitHub repository. Note that the URL names the tag, not a commit, so it is only as stable as the tag itself:

requirements.txt
    ...
    urllib3@https://github.com/urllib3/urllib3/archive/refs/tags/1.26.8.zip
    ...
Mitigation / Fix
Third-party packages should be consumed as versions published on the public PyPI index (optionally fronted by an internal proxy repository, which gives better control over which dependencies are allowed). Where one exists, replace the reported URL with the matching package version from the index, for example urllib3==1.26.8 for the URL above, after confirming that the published release corresponds to the referenced tag. If the code is only available from a repository, pin the URL to a full commit SHA rather than a tag or branch, so that the fetched content cannot change silently.
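The following script is an added example, not the detector's own implementation, that shows how the check described under Examples and the replacement suggested under Mitigation / Fix can be carried out over a requirements.txt. It scans for PEP 508 direct references (name @ url) and VCS URLs (git+...), classifies what each URL points at (a movable tag or branch, a GitHub tag archive, or an immutable full commit SHA), and proposes a PyPI pin where the tag looks like a version. The sample requirements content and the commit SHA in it are constructed for illustration; the GitHub archive path layout and the "version-like tag" heuristic are assumptions that must be verified against the index before the suggested pin is used.

```python
import re
from urllib.parse import urlparse

# Constructed sample requirements.txt (not from the original page).
# The commit SHA below is illustrative only.
SAMPLE_REQUIREMENTS = """\
# pinned PyPI release: not reported
requests==2.31.0
# PEP 508 direct reference to a GitHub tag archive: the tag can be moved
urllib3 @ https://github.com/urllib3/urllib3/archive/refs/tags/1.26.8.zip
# VCS reference to a branch: moves on every push
git+https://github.com/psf/requests.git@main#egg=requests
# VCS reference pinned to a full commit SHA: immutable, but still not a PyPI release
git+https://github.com/psf/requests.git@0e322af87745eff34caffe4df68456ebc20d9068#egg=requests
"""

FULL_SHA = re.compile(r"^[0-9a-f]{40}$")
# Assumed GitHub layout for tag archives: /owner/repo/archive/refs/tags/<tag>.zip|.tar.gz
GITHUB_TAG_ARCHIVE = re.compile(
    r"^/(?P<owner>[^/]+)/(?P<repo>[^/]+)/archive/refs/tags/(?P<tag>[^/]+)\.(zip|tar\.gz)$"
)
# PEP 508 direct reference: "name[extras] @ url"
DIRECT_REF = re.compile(
    r"^(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)(\[[^\]]*\])?\s*@\s*(?P<url>\S+)$"
)


def pin_status(url):
    """Classify what the URL points at and whether that target is immutable."""
    if re.match(r"^(git|hg|svn|bzr)\+", url):
        parsed = urlparse(url.split("+", 1)[1])
        _path, _, ref = parsed.path.partition("@")   # "repo.git@<ref>"
        if not ref:
            return {"kind": "vcs-default-branch", "pinned": False, "ref": None}
        if FULL_SHA.match(ref):
            return {"kind": "vcs-commit", "pinned": True, "ref": ref}
        return {"kind": "vcs-ref", "pinned": False, "ref": ref}   # tag or branch: movable
    parsed = urlparse(url)
    m = GITHUB_TAG_ARCHIVE.match(parsed.path) if parsed.netloc == "github.com" else None
    if m:
        # Archive is regenerated from wherever the tag currently points.
        return {"kind": "github-tag-archive", "pinned": False, "ref": m.group("tag")}
    return {"kind": "url-archive", "pinned": False, "ref": None}


def classify_line(line):
    """Return None for ordinary PyPI requirements, comments and options; else a finding dict."""
    raw = re.sub(r"\s+#.*$", "", line).strip()   # pip requires whitespace before an inline '#'
    if not raw or raw.startswith("#") or raw.startswith("-"):
        return None
    m = DIRECT_REF.match(raw)
    if m:
        name, url = m.group("name"), m.group("url")
    elif "://" in raw or raw.startswith("git+"):
        url = raw
        egg = re.search(r"(?:^|&)egg=([^&]+)", urlparse(url).fragment)
        name = egg.group(1) if egg else None
    else:
        return None
    return {"name": name, "url": url, **pin_status(url)}


def scan(text):
    """Run the check over the whole file; returns one finding per URL dependency."""
    return [f for f in (classify_line(l) for l in text.splitlines()) if f]


def suggest_fix(finding):
    """Propose the PyPI pin when the ref looks like a version (assumption: verify on the index)."""
    if finding["kind"] == "vcs-commit" or not finding["name"] or not finding["ref"]:
        return None
    version = finding["ref"][1:] if finding["ref"].startswith("v") else finding["ref"]
    if re.fullmatch(r"\d+(\.\d+)*([a-z]+\d*)?", version):
        return f"{finding['name']}=={version}"
    return None


if __name__ == "__main__":
    for f in scan(SAMPLE_REQUIREMENTS):
        fix = suggest_fix(f)
        print(f"{f['name'] or '?'}: {f['kind']} ref={f['ref']} pinned={f['pinned']}"
              + (f"  -> consider {fix}" if fix else ""))
```

Only the urllib3 line gets a suggested pin; the branch reference is reported without one because "main" is not a version, and the commit-pinned reference is reported as immutable but still flagged, since it is not a published PyPI release.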