The Python Package Index – also known as the PyPI repository – is host to thousands of helpful libraries that enhance Python’s already powerful core. Recently, however, a set of vulnerabilities was found by a Japanese security researcher who goes by the name “Ryotak”. As readers may be aware, Ryotak is the same person responsible for uncovering the bug in Cloudflare’s cdnjs service, which left roughly 12% of the world’s websites vulnerable to third-party, malicious code.
Ryotak posted about three bugs he discovered in the PyPI web portal on his blog. According to Ryotak, he ran an analysis of PyPI’s package index, which works as a database that stores Python libraries and works alongside Python’s pip package installer. Pip, for the uninitiated, lets developers search for and install Python libraries for their software development projects and applications.
During his analysis, the security researcher discovered three exploitable bugs while reviewing the PyPI codebase on GitHub. These bugs had the potential to allow malicious programmers and hackers to delete other projects’ doc files, delete project permission roles, and run bash commands on the PyPI codebase.
The most disconcerting of the three bugs is the one that allowed attackers to run commands on PyPI’s codebase, which they could use to collect tokens and other information that would, in turn, allow them to access or edit PyPI itself. It was such a concern that it was labeled a “critical issue” and quickly addressed by the Python security team. The other two exploits were fixed as well.
Ryotak was awarded a total of $3,000 for his bug reports ($1,000 per reported bug) and public acknowledgment. You can read the acknowledgment and learn more about the vulnerabilities and their mitigation on PyPI’s official Twitter feed.