
Pin exotel dependency to 0.1.5 due to security issue in 0.1.6 #931

Merged
merged 2 commits into from
Aug 24, 2022

Conversation

anroots-tw (Contributor) commented Aug 24, 2022

Description

Version 0.1.6 of the exotel package was released 2 hours ago (the previous release, 0.1.5, happened in 2017).

Version 0.1.6 has malicious code in setup.py. Lock the package version to the last known good, 0.1.5, as a hotfix.

Ref https://pypi.org/project/exotel/0.1.6/#history

Checklist

  • I have reviewed the contributing guidelines.
  • I have included unit tests for my changes or additions.
  • I have successfully run make test-docker with my changes.
  • I have manually tested all relevant modes of the change in this PR.
  • I have updated the documentation.
  • I have updated the changelog.

Questions or Comments
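The hotfix above relies on an exact pin (exotel==0.1.5) so that a newly published release cannot be picked up by an unconstrained install. The following script is an added example, not part of this PR or of ElastAlert2, showing a small CI-style audit of a requirements file: it flags any requirement that is not pinned with `==` and any pin that matches a known-bad (name, version) pair. The sample requirements text and the `KNOWN_BAD` set are constructed for the example; only the exotel 0.1.6 entry comes from this thread.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample requirements file (not ElastAlert2's real requirements.txt)
SAMPLE_REQUIREMENTS = """\
# pinned, known good
elasticsearch==7.0.0
exotel==0.1.5
jira>=2.0.0
requests
twilio[extra]==6.0.0 ; python_version >= "3.7"
"""

# Constructed block list of (normalised name, version) pairs. The only real
# entry is the release this PR pins away from; extend it as advisories appear.
KNOWN_BAD = {("exotel", "0.1.6")}

_REQ_RE = re.compile(
    r"^([A-Za-z0-9][A-Za-z0-9._-]*)"   # distribution name
    r"(?:\[[^\]]*\])?\s*"              # optional extras, e.g. [security]
    r"(==|>=|<=|~=|!=|>|<)?\s*"        # optional comparison operator
    r"([^\s;#]*)"                      # version string, if any
)


def normalise(name: str) -> str:
    """PEP 503 name normalisation: case-insensitive, '-', '_' and '.' equivalent."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_requirements(text: str) -> List[Tuple[str, Optional[str], Optional[str]]]:
    """Return (name, operator, version) for every requirement line.

    Blank lines and comments are skipped. Environment markers after ';' are
    ignored, since they do not affect which version would be installed.
    """
    rows = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _REQ_RE.match(line)
        if not m:
            raise ValueError(f"unparseable requirement line: {raw!r}")
        name, op, ver = m.group(1), m.group(2), m.group(3) or None
        rows.append((name, op, ver))
    return rows


def audit(text: str, known_bad=KNOWN_BAD) -> List[Tuple[str, str]]:
    """Flag requirements that are not exactly pinned or that pin a bad release."""
    findings = []
    for name, op, ver in parse_requirements(text):
        if op != "==" or ver is None:
            # Anything but '==' lets a future upload (like 0.1.6 here) be installed
            findings.append((name, "not pinned with =="))
        elif (normalise(name), ver) in known_bad:
            findings.append((name, f"pinned to known-bad release {ver}"))
    return findings


if __name__ == "__main__":
    for name, why in audit(SAMPLE_REQUIREMENTS):
        print(f"{name}: {why}")
```

Run against the sample input it reports `jira` and `requests` as unpinned; fed a line such as `exotel==0.1.6` it reports the known-bad pin. Pinning alone does not stop an attacker who can upload a new version of the pinned name under a compromised account from also republishing, so in practice this check is paired with hash pinning (`pip install --require-hashes`) for the pinned release.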

jertel (Owner) commented Aug 24, 2022

Thanks for submitting this. I reviewed 0.1.6 and I do see the requests to two Russian-owned domains, with Windows hosts being the infection target. Are you aware of any known CVE for this?

anroots-tw (Contributor, Author) commented Aug 24, 2022

Not as of now.

Cross-linking the report to the maintainer's repo: sarathsp06/exotel-py#10

@jertel jertel merged commit f8fdc1d into jertel:master Aug 24, 2022
@anroots-tw anroots-tw deleted the exotel-version branch August 24, 2022 11:46
jertel (Owner) commented Aug 24, 2022

I've sent a request to PyPI to have the Exotel 0.1.6 removed. Thanks again for raising this so quickly.

andres-tw commented

We've also notified PyPI about the issue.

andres-tw commented

@jertel Since the dependency is unmaintained and only contains about 5 POST request functions, maybe it's worth dropping the dependency entirely and implementing support directly inside ElastAlert itself?
Additionally, the package is only used inside the exotel alerter, so a suitable spot for the code would be inside that alerter.
A side discussion here is maybe making alerter dependencies optional? Then, unless an alerter type is specifically used, its dependencies wouldn't even get pulled in, thereby reducing the chances of these kinds of incidents affecting all users.

jertel (Owner) commented Aug 24, 2022

Implementing the Exotel integration directly in the ElastAlert2 exotel.py file is fine with me, if you are up to submitting the PR. Optional dependencies would reduce risk but will still cause code scanners to trigger, simply by having the Python code exist, even if the main codebase didn't include that module. So to avoid the code scanners triggering you'd have to dynamically pull down the alerters from the Internet. I'm not opposed to the idea but it would be a significant change.

pawelaugustyn commented

Version 0.1.6 got deleted just now.

anroots commented Aug 24, 2022

Today we received reports of a phishing campaign targeting PyPI users. This is the first known phishing attack against PyPI.
[...]
At this time, the malicious releases that we are aware of are: exotel==0.1.6
https://twitter.com/pypi/status/1562442188285308929

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Feb 18, 2024