pip.conf proxy credential
ID | pip_proxy
Severity | low
Vendor | -
Family | Password
Description
Pip is the package installer for the Python ecosystem. The tool installs packages from the Python Package Index and other indexes.
The tool is configured with a pip.conf file. This file is typically private and should not be committed to source repositories, because it often contains credentials for remote package repositories or for network proxies.
Security
For authenticated access to certain repositories, internal or public, the credentials (often a username / password pair) are encoded directly in URLs.
If an attacker obtains your proxy credentials, the proxy can be used to exfiltrate data or for other unintended purposes.
Please note that leaking credentials in the index / index-url / extra-index-url / find-links properties of the pip.conf file is much worse, as it may allow an attacker to publish malicious packages on your behalf.
Examples
The following pip.conf file contains secrets both in the index URL and in the local proxy setting.
[global]
index = https://username:hardcoded1@pypi.example.com/pypi
proxy = username:pass@myproxy.example.com:8080
Mitigation / Fix
- Follow your policy for handling leaked secrets, which typically requires revoking the secret in the target system(s). You need to renew the password in the target proxy server.
- Remove the pip.conf file from the source code or committed configuration, if that happened.
- Replace the hard-coded password with the new one using an alternate way of storing the credentials, without hard-coding them in pip.conf. One way is netrc support: use a .netrc file (which should not be under version control, otherwise the problem is the same). The other is keyring support: use the keyring library, which can be enabled by passing the --keyring-provider option to pip.
- Check the proxy access logs to ensure that the secret was not used by unintended actors during the compromised period.
You should consider any sensitive data in commits with secrets as compromised. Remember that secrets may be removed from history in your projects, but not in other users' cloned or forked repositories.
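As an added example (not part of this rule page or of pip's own code), a small Python check that parses a pip.conf, reports which of the URL-carrying properties named above embed credentials with the password masked, and produces a copy with the userinfo stripped so the secret can move to .netrc or a keyring provider as the mitigation steps describe. The sample configuration is constructed to mirror the example above; the function names are my own.

```python
import configparser
from urllib.parse import urlsplit

# pip.conf properties that hold URLs and can therefore embed user:password.
URL_KEYS = ("index", "index-url", "extra-index-url", "find-links", "proxy")

def _split_userinfo(raw):
    """(netloc, hostport, user, password) for one URL-like value, or None if no userinfo.
    A bare proxy value like user:pass@host:8080 has no scheme, so add one for parsing."""
    parts = urlsplit(raw if "://" in raw else "http://" + raw)
    if parts.username is None:
        return None
    return parts.netloc, parts.netloc.rpartition("@")[2], parts.username, parts.password

def find_embedded_credentials(pip_conf_text):
    """List (section, key, redacted_value) for each URL carrying userinfo; the password
    is masked, the username kept so the account to rotate can be identified."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(pip_conf_text)
    findings = []
    for section in parser.sections():
        for key, value in parser.items(section):
            if key in URL_KEYS:
                for raw in value.split():  # extra-index-url / find-links may list several URLs
                    hit = _split_userinfo(raw)
                    if hit:
                        netloc, hostport, user, password = hit
                        masked = user + (":***" if password is not None else "") + "@" + hostport
                        findings.append((section, key, raw.replace(netloc, masked, 1)))
    return findings

def strip_credentials(pip_conf_text):
    """Return the config with userinfo removed from URL properties, so the secret can
    move to ~/.netrc or a keyring provider instead of living in pip.conf."""
    result = pip_conf_text
    for line in pip_conf_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip().lower() in URL_KEYS:
            for raw in value.split():
                hit = _split_userinfo(raw)
                if hit is not None:
                    result = result.replace(raw, raw.replace(hit[0], hit[1], 1), 1)
    return result

# Constructed sample, modelled on the page's example; not taken from a real system.
SAMPLE_CONF = """[global]
index = https://username:hardcoded1@pypi.example.com/pypi
proxy = username:pass@myproxy.example.com:8080
extra-index-url = https://pypi.org/simple
"""
```

Run find_embedded_credentials(SAMPLE_CONF) to get the redacted findings for the index and proxy entries; strip_credentials(SAMPLE_CONF) returns the same file with both credentials removed and the unauthenticated extra-index-url untouched.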