Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Security concerns from mypy --install-types and malicious third-party stubs #10538

Closed
Zac-HD opened this issue May 27, 2021 · 4 comments · Fixed by #10555
Closed

Security concerns from mypy --install-types and malicious third-party stubs #10538

Zac-HD opened this issue May 27, 2021 · 4 comments · Fixed by #10555
Labels
documentation priority-0-high

Comments

@Zac-HD
Copy link
Contributor

Zac-HD commented May 27, 2021

Reading the recent blog post announcing --install-types, I was concerned that malicious third parties might create a types-$popular_package package and have it recommended or even installed by mypy.

The docs for this feature don't outline any security considerations. Has the risk of malicious packages been considered? If so, what mitigations are in place? It would be great to document this.
@srittau
Copy link
Contributor

srittau commented May 27, 2021

See also pypi/warehouse#4967. This is a serious concern.

@JukkaL
Copy link
Collaborator

JukkaL commented May 27, 2021

Mypy ships with information about a various known stub packages and these are the only ones that it will suggest installing, or install using --install-types. All of these originate from typeshed. The typeshed uploader script for packages lives in another repository with restricted write access, and we make sure to only include stub files (not executable code) in the packages that are uploaded.

It makes sense to mention this in the documentation as otherwise users may be hesitant to install these packages without first manually validating them.

Having a dedicated namespace for stub packages would be nice, but it's unclear when this might be supported.

I have plans to claim types-foo for a large number of projects on PyPI for typeshed, by auto-generating stubs and uploading them (assuming typeshed maintainers are okay with this). I think that this would make things less risky.

@JukkaL JukkaL mentioned this issue May 27, 2021
Closed
@srittau
Copy link
Contributor

srittau commented May 27, 2021

@JukkaL Sounds like a good plan! Both restricting --install-types to known stub packages as well as auto-generating stubs. I hope we will get namespaces on PyPI at some point, though.

@JukkaL
Copy link
Collaborator

JukkaL commented May 27, 2021

Note that --install-types is already restricted to known stub packages, but auto-generating additional stubs won't happen before the 0.900 release (I don't have a concrete timeline yet for it).

TheCleric added a commit to TheCleric/mypy that referenced this issue May 29, 2021
@TheCleric
Resolves python#10538; add security documentation for --install-types
2a5b6ec
@TheCleric TheCleric mentioned this issue May 29, 2021
Merged
hauntsaninja pushed a commit to hauntsaninja/mypy that referenced this issue May 30, 2021
rename STUBS_NOT_INSTALLED to APPROVED_STUBS_NOT_INSTALLED
4236f04 
Since this code path involves mypy recommending installation of a stub
package, I thought I'd rename the enum to make it slightly clearer
that this should only be triggered for packages we know to be good.

Linking python#10538
@hauntsaninja hauntsaninja mentioned this issue May 30, 2021
Merged
hauntsaninja pushed a commit that referenced this issue May 30, 2021
@TheCleric
Add security documentation for --install-types (#10555)
d57d5d1 
Resolves #10538
JelleZijlstra pushed a commit that referenced this issue May 30, 2021
@hauntsaninja
rename STUBS_NOT_INSTALLED to APPROVED_STUBS_NOT_INSTALLED (#10558)
0635422 
Since this code path involves mypy recommending installation of a stub
package, I thought I'd rename the enum to make it slightly clearer
that this should only be triggered for packages we know to be good.

Linking #10538

Co-authored-by: hauntsaninja <>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
documentation priority-0-high
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Resolves #10538; add security documentation for --install-types TheCleric/mypy
3 participants
@srittau @JukkaL @Zac-HD