pip.conf credential

ID | pip
Severity | critical
Vendor | -
Family | Password

Description
Pip is the package installer for the Python ecosystem. The tool installs packages from the Python Package Index and other indexes.
The tool is configured with a pip.conf file; this file is typically private and should not be committed to source repositories, because it often contains credentials for remote package repositories or for network proxies.
Security
For authenticated access to certain repositories, internal or public, the credentials (often a username / password pair) are encoded in URLs.
If the credentials permit package publishing, the risk is much higher: when a bad actor knows your index credentials, they are in a position to publish malicious packages on your behalf.
Even with read-only credentials, an attacker can download internal packages, gaining access to private source code and tools that could be abused for ransom, used to identify exploitable vulnerabilities, mined for hard-coded secrets, and more.
Examples
The following pip.conf file contains secrets both in the index URL (an internal PyPI clone) and in the local proxy.

[global]
index = https://username:hardcoded1@pypi.example.com/pypi
proxy = username:pass@myproxy.example.com:8080
Mitigation / Fix
- Follow your policy for handling leaked secrets, which typically requires revoking the secret in the target system(s). You need to renew the password in the target registry.
- Remove the pip.conf from the source code or committed configuration file, if that happened.
- Replace the hard-coded password with the new one using an alternate way of storing the credentials, without hard-coding them in pip.conf. One way is netrc support: use .netrc (which should not be under version control, otherwise the problem is the same). The other one is keyring support: use the keyring library, which can be enabled by passing the --keyring-provider option to pip.
- Check access logs to ensure that the secret was not used by unintended actors during the compromised period. For public registries like PyPI, the Security history section at the end of the PyPI Account page shows the latest security-related events, like changes in configuration or logins.
- If you notice something suspicious, reset your password, enable multi-factor authentication if not done yet,

You should consider any sensitive data in commits with secrets as compromised. Remember that secrets may be removed from history in your projects, but not in other users' cloned or forked repositories.
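The following Python script is an added example, not code from the original page or from pip itself. It ties the example pip.conf above to the third mitigation step: it parses a pip.conf with the standard library, reports every URL-type value that carries a username:password component, rewrites the file with the credentials stripped (the form pip.conf should have once the secret lives in .netrc or a keyring), and prints the .netrc stanza for each index host with a placeholder instead of the leaked password, since a leaked secret must be rotated rather than copied. The two embedded configs are constructed samples (the first reproduces the page's example); the URL_KEYS list and all function names are this example's own assumptions, not pip's API.

```python
"""Find credentials embedded in pip.conf URLs and produce a credential-free
rewrite plus the matching .netrc stanza (added example, not pip's own code)."""
import configparser
import io
from urllib.parse import urlsplit, urlunsplit

# pip.conf keys whose values are URLs (or host:port strings) that may carry a
# username:password "userinfo" component. Assumed list of the common keys;
# extend it for your own configuration.
URL_KEYS = ("index", "index-url", "extra-index-url", "find-links", "proxy")
# pip consults ~/.netrc for index hosts, not for the proxy, so only these keys
# get a .netrc stanza.
NETRC_KEYS = ("index", "index-url", "extra-index-url", "find-links")

# Constructed sample: the weak configuration from the page, secrets inline.
LEAKY_CONF = """\
[global]
index = https://username:hardcoded1@pypi.example.com/pypi
proxy = username:pass@myproxy.example.com:8080
"""

# Constructed sample: the same configuration after the secrets were moved out.
CLEAN_CONF = """\
[global]
index = https://pypi.example.com/pypi
proxy = http://myproxy.example.com:8080
"""


def _parse(conf_text):
    # interpolation=None so a literal '%' in a URL cannot break parsing.
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)
    return parser


def _split_url(value):
    # Proxy values are often written without a scheme; urlsplit needs one to
    # recognise the host part, so assume http:// for scheme-less values.
    if "://" not in value:
        value = "http://" + value
    return urlsplit(value)


def _strip_userinfo(parts):
    # Drop everything before the last '@' in the netloc, keeping host:port.
    netloc = parts.netloc.rsplit("@", 1)[-1]
    return urlunsplit(parts._replace(netloc=netloc))


def find_credentials(conf_text):
    """Return findings as (section, key, username, host, redacted_url)."""
    findings = []
    parser = _parse(conf_text)
    for section in parser.sections():
        for key in URL_KEYS:
            if not parser.has_option(section, key):
                continue
            # Keys such as extra-index-url may list several URLs.
            for raw in parser.get(section, key).split():
                parts = _split_url(raw)
                if parts.username is None and parts.password is None:
                    continue
                findings.append((section, key, parts.username or "",
                                 parts.hostname or "", _strip_userinfo(parts)))
    return findings


def redact_config(conf_text):
    """Return the config text with userinfo removed from every URL value."""
    parser = _parse(conf_text)
    for section in parser.sections():
        for key in URL_KEYS:
            if parser.has_option(section, key):
                cleaned = [_strip_userinfo(_split_url(u))
                           for u in parser.get(section, key).split()]
                parser.set(section, key, " ".join(cleaned))
    out = io.StringIO()
    parser.write(out)
    return out.getvalue()


def netrc_stanzas(findings):
    """Build one .netrc line per index host; the password stays a placeholder
    because the leaked value must be rotated, not carried over."""
    lines = [f"machine {host} login {user} password <NEW-PASSWORD>"
             for _section, key, user, host, _clean in findings
             if key in NETRC_KEYS]
    return "\n".join(lines)


if __name__ == "__main__":
    found = find_credentials(LEAKY_CONF)
    for section, key, user, host, clean in found:
        print(f"[{section}] {key}: user '{user}' on {host} -> {clean}")
    print("\nCredential-free pip.conf:\n" + redact_config(LEAKY_CONF))
    print(".netrc stanza (chmod 600, keep out of version control):")
    print(netrc_stanzas(found))
```

Run against the page's example, the scanner flags both the index and the proxy entry, the rewritten pip.conf contains no userinfo, and the .netrc line is produced only for the index host, since pip's netrc lookup does not cover the proxy.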