
Avoiding dependency confusion in python

In the python project I work on at my workplace, we install some packages from PyPI, and some private company packages from Gemfury, using a standard requirements file.

After reading this article: https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610 .

Our requirement file looks something like:

--index-url <OUR_GEMFURY_URL>
--extra-index-url https://pypi.python.org/simple

aiohttp==3.7.1
simplejson==3.17.1

<our-package>==1.0.0
<our-other-package>==1.2.0

I tried reading some of pip's documentation but I wasn't able to fully understand how it chooses from where to download the package. For example, what happens if someone uploads a malicious version 1.0.0 to pypi-prod - how does pip know which one of the packages to take? Is there maybe a way to specify to pip for a specific package to only search for it in --index-url?

How do you protect against dependency confusion in your code? Thanks for the help!

The article mentions the algorithm pip uses:

  • Checks whether the library exists on the specified (internal) package index
  • Checks whether the library exists on the public package index (PyPI)
  • Installs whichever version is found. If the package exists on both, it defaults to installing from the source with the higher version number.

So if your script requires <our-other-package>>=1.2.0 , you can get some malicious package from the public pypi server if it has a higher version than the one you intended to install.

The straightforward solution mentioned in the article is removing --extra-index-url .

If package 1.0 is an internal or an external package and is present in the private pypi server, it will be downloaded from there.

External packages will be downloaded from the public pypi server through the internal pypi server, which will cache them for future usage.

I'd also suggest having explicit versions in requirements.txt; this way you are aware of the versions you get and do conscious upgrades by increasing the versions.

To sum up the guidelines (which are by no means exhaustive and do not protect against every possible security hole):

  • remove --extra-index-url https://pypi.python.org/simple from pip.conf , requirements.txt and automation scripts.
  • specify explicit versions of internal and external packages in requirements.txt
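The two guidelines above are easy to check mechanically before a requirements file reaches CI or a developer machine. The following is an added example (not code from the question, the answer, or pip itself) of a small requirements-file linter: it flags any --extra-index-url line, any requirement that is not pinned with an exact == specifier, and, more severely, any package from a caller-supplied list of internal package names that is left unpinned, since an unpinned internal name is exactly the case where a higher version on public PyPI would win. The sample requirements files, the private index URL and the internal package names are constructed placeholders; pip's comment syntax (a # at line start or after whitespace) and PEP 503 name normalization are real behaviour the code relies on.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the shape of the requirements file from the question,
# with a placeholder private index instead of the real Gemfury URL.
UNSAFE_REQUIREMENTS = """\
--index-url https://private-index.example.invalid/simple
--extra-index-url https://pypi.python.org/simple

aiohttp==3.7.1
simplejson>=3.17.1

our-package==1.0.0
our-other-package>=1.2.0
"""

# Constructed sample: the same file after applying the answer's two guidelines.
SAFE_REQUIREMENTS = """\
--index-url https://private-index.example.invalid/simple

aiohttp==3.7.1
simplejson==3.17.1

our-package==1.0.0
our-other-package==1.2.0
"""

# name, optional [extras], then whatever specifier follows
REQ_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(\[[^\]]*\])?\s*(.*)$")
COMMENT_RE = re.compile(r"(^|\s)#.*$")


def normalize(name):
    """PEP 503 normalization: case-insensitive, runs of -_. collapse to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


@dataclass
class Finding:
    line: int
    code: str
    message: str


@dataclass
class LintResult:
    findings: list = field(default_factory=list)

    def ok(self):
        return not self.findings


def is_exact_pin(spec):
    """True only for a single '==x.y.z' (or '===') pin without wildcards."""
    spec = spec.strip()
    return spec.startswith("==") and "*" not in spec and "," not in spec


def lint_requirements(text, internal_packages=()):
    """Return a LintResult describing dependency-confusion risks in a requirements file."""
    result = LintResult()
    internal = {normalize(n) for n in internal_packages}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = COMMENT_RE.sub("", raw).strip()
        if not line:
            continue
        if line.startswith("--extra-index-url"):
            result.findings.append(Finding(
                lineno, "extra-index-url",
                "pip will merge this index with --index-url and take the highest "
                "version from either; drop it so only the private index is consulted"))
            continue
        if line.startswith("-"):
            continue  # other options such as --index-url, -r, -e, --find-links
        m = REQ_RE.match(line)
        if not m:
            continue  # not a name-based requirement; out of scope for this check
        name, spec = m.group(1), m.group(3)
        if spec.strip().startswith("@"):
            continue  # direct URL/path reference: source is explicit, not index-resolved
        if is_exact_pin(spec):
            continue
        if normalize(name) in internal:
            result.findings.append(Finding(
                lineno, "internal-unpinned",
                f"internal package {name!r} is not pinned with ==; a higher version "
                "published on a public index would be preferred"))
        else:
            result.findings.append(Finding(
                lineno, "unpinned",
                f"{name!r} is not pinned with ==; upgrades are implicit"))
    return result


if __name__ == "__main__":
    internal = ["our-package", "our-other-package"]
    for label, text in (("unsafe", UNSAFE_REQUIREMENTS), ("safe", SAFE_REQUIREMENTS)):
        res = lint_requirements(text, internal)
        print(f"{label}: {'OK' if res.ok() else 'FINDINGS'}")
        for f in res.findings:
            print(f"  line {f.line}: [{f.code}] {f.message}")
```

Running the file prints one finding each for the --extra-index-url line, the unpinned simplejson and the unpinned internal package in the unsafe sample, and reports the corrected sample as clean. The internal package list is the only piece of site-specific knowledge the check needs; wiring it into CI as a pre-merge gate is a cheap way to keep the two guidelines from silently regressing.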

