.pypirc credentials

ID: pypirc

Severity: critical

Vendor: -

Family: Password

Description

Some tools for publishing Python packages to registries, such as easy_install or twine, are configured with a .pypirc file. This file is typically private and should not be committed to source repositories, because it often contains credentials for remote package repositories.

Security

For authenticated access to certain repositories, internal or public, the credentials (often a username / password pair) are frequently stored in the .pypirc configuration file.

When a bad actor knows your index credentials, they are in a position to publish malicious packages on your behalf.

Examples

The following .pypirc file contains a secret (password or token) that allows publishing packages to the public PyPI repository:

[distutils]
index-servers =
    pypi

[pypi]
repository: http://www.python.org/pypi
username: my-user
password: S3kret_th1ng

Mitigation / Fix

  1. Follow your policy for handling leaked secrets, which typically requires revoking the secret in the target system(s).

  2. Remove the .pypirc file from the source code or from any committed configuration files.

  3. Consider a safer way to authenticate using the keyring service, or at least pass the password to the tool through environment variables, instead of hard-coding the password / token in a configuration file. For example, using the keyring tool:

    $ keyring set https://upload.pypi.org/legacy/ __token__
    Password for '__token__' in 'https://upload.pypi.org/legacy/':

  4. Check access logs to ensure that the secret was not used by unintended actors during the compromised period.

    For the public PyPI registry, go to your PyPI account and open the Security history section, which lists security-related events. There you can look for logins at odd times or from unexpected locations. If you see suspicious activity, follow the steps listed in PyPI's help entry "What should I do if I notice suspicious activity on my account?".
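As an added example (not part of the original rule page), the following Python check parses a .pypirc file with the standard configparser module and reports every index-server section that carries a literal password, so the weak file from the Examples section is flagged while the fixed file (credential moved to keyring, so no password key remains) passes. The two sample files and the Finding type are constructed for this example.

```python
import configparser
from dataclasses import dataclass
from typing import List

# Constructed sample: the weak .pypirc from the page, with a hard-coded password.
WEAK_PYPIRC = """\
[distutils]
index-servers =
    pypi

[pypi]
repository: http://www.python.org/pypi
username: my-user
password: S3kret_th1ng
"""

# Constructed sample: the same file after the fix. The credential lives in
# keyring (see step 3), so the section keeps only repository and username.
FIXED_PYPIRC = """\
[distutils]
index-servers =
    pypi

[pypi]
repository: https://upload.pypi.org/legacy/
username: __token__
"""

@dataclass(frozen=True)
class Finding:
    section: str   # .pypirc section holding the secret
    username: str  # account (or '__token__') the secret belongs to
    redacted: str  # first 4 chars + length, so the report never echoes the secret

def find_hardcoded_passwords(text: str) -> List[Finding]:
    """Return one Finding per index-server section with a literal password."""
    # .pypirc is INI syntax; configparser accepts both 'key: value' and 'key = value'.
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    # index-servers names the sections to inspect; if it is missing, inspect every
    # non-distutils section so a server that is defined but unlisted is still checked.
    listed = cfg.get("distutils", "index-servers", fallback="").split()
    sections = listed or [s for s in cfg.sections() if s != "distutils"]
    findings = []
    for name in sections:
        pw = cfg.get(name, "password", fallback="").strip() if cfg.has_section(name) else ""
        if not pw:
            continue  # no literal secret: keyring or an environment variable supplies it
        user = cfg.get(name, "username", fallback="<unknown>")
        findings.append(Finding(name, user, f"{pw[:4]}...({len(pw)} chars)"))
    return findings
```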

Consider any secret that has appeared in a commit as compromised.

Remember that secrets may be removed from history in your projects, but not in other users' cloned or forked repositories.