PiP Dependency Confusion

ID

dep_confusion_pip

Severity

high

Family

Dependency Confusion

Description

Dependency confusion in pip occurs when the project declares dependencies that either do not exist in the PyPI repository, or that do exist but were created after they were added to the setup.py file.

Security

If the dependency does not exist in the PyPI repository, an attacker can create a public package with the same name and introduce malicious code into your project.

If the dependency exists in the PyPI repository but was created after it was added to setup.py, the attack may already have taken place, or you may have no control over the package of the same name published by a third party.

Examples

setup.py

 from setuptools import setup

 setup(
   # ... other project metadata ...
   install_requires=[
      # ... other dependencies ...
      'myprivatepackage',  # not on PyPI, or published there only after this line was added
      # ...
   ],
   # ...
 )
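As an added example (not part of the original rule page), the following offline checker applies the two conditions described above to an install_requires list: a name with no PyPI release at all, or one whose first PyPI release postdates the day it entered setup.py. The PyPI metadata dict, the package names and the "added on" dates are all constructed for the demonstration; a real check would fetch /pypi/<name>/json and take the dates from version control.

```python
import re
from datetime import date, datetime
from typing import Callable, Dict, Iterable, Optional

# Constructed stand-in for PyPI /pypi/<name>/json responses (None = no such package).
FAKE_PYPI: Dict[str, Optional[dict]] = {
    "requests": {"releases": {
        "0.2.0": [{"upload_time": "2011-02-14T18:40:04"}],
        "2.31.0": [{"upload_time": "2023-05-22T15:12:42"}]}},
    "internal-utils": {"releases": {
        "0.0.1": [{"upload_time": "2024-03-01T09:00:00"}]}},
    "myprivatepackage": None,
}
# Constructed setup.py contents and the dates each line was introduced (e.g. from git blame).
EXAMPLE_DEPS = ["requests>=2.0", "myprivatepackage", "internal-utils[cli]==0.0.1"]
ADDED_ON = {"requests": date(2020, 1, 1), "internal-utils": date(2023, 1, 1)}

def dep_name(requirement: str) -> str:
    """'Foo_Bar[cli]>=1; python_version>"3"' -> 'foo-bar' (PEP 503 normalised name)."""
    raw = re.split(r"[\[<>=!~;\s]", requirement.strip(), maxsplit=1)[0]
    return re.sub(r"[-_.]+", "-", raw).lower()

def first_release(meta: dict) -> Optional[date]:
    """Earliest upload date over every file of every release, or None if nothing was published."""
    times = [f["upload_time"] for files in meta["releases"].values() for f in files]
    return min(datetime.fromisoformat(t) for t in times).date() if times else None

def check_dependencies(install_requires: Iterable[str], added_on: Dict[str, date],
                       lookup: Callable[[str], Optional[dict]]) -> Dict[str, str]:
    """Classify each dependency. `added_on` maps normalised name -> date it entered setup.py;
    `lookup(name)` returns PyPI-style metadata or None (injected so the check runs offline)."""
    findings = {}
    for req in install_requires:
        name = dep_name(req)
        meta = lookup(name)
        published = first_release(meta) if meta else None
        added = added_on.get(name)
        if published is None:
            findings[name] = "MISSING: no PyPI release, the name can be claimed publicly"
        elif added is not None and published > added:
            findings[name] = f"SUSPECT: first PyPI release {published} is after it was added on {added}"
        else:
            findings[name] = "OK"
    return findings

if __name__ == "__main__":
    for name, finding in check_dependencies(EXAMPLE_DEPS, ADDED_ON, FAKE_PYPI.get).items():
        print(f"{name}: {finding}")
```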

Mitigation / Fix

Always use an internal 'proxy' (private, inner) PyPI repository and avoid public registries altogether. Ensure that all pip configurations use this repository and never a public one (there is an avoid-public-repostories-pip rule to enforce this).