feat: include inspector package urls as part of the malicious metadata facts for pypi packages #935

art1f1c3R · 2024-12-03T05:22:35Z

To allow for retention of packages when they are taken off PyPI, this new feature includes the inspector.pypi.io URL for the distribution files as part of the MaliciousMetadataFacts detail_information field. This has been done by modifying the wheel_absence.py heuristic to instead of returning filenames, return the python hosted URL and corresponding pypi inspector URL. The unit test for this, test_wheel_absence.py has been updated to reflect these changes accordingly.

…information

…g and inspector links

art1f1c3R · 2024-12-03T05:27:58Z

One change I have made that I am unsure about is, in wheel_absence.py:91 if _valid_url returns False, then currently I add an empty string. I am not sure what action should be taken if the constructed inspector link is not accessible.

The reason the check for a 200 OK response exists is due to the way I have constructed the pypi inspector link. I observe that the format of the pypi inspector link was the same as files.pythonhosted.org except replacing this prefix with the inspector URL, followed by the package name and then version. Everything else after was the same (using blake2b_256 and the filename), only this was only an observation and I haven't managed to find this documented anywhere, so I added in that check.

src/macaron/malware_analyzer/pypi_heuristics/metadata/wheel_absence.py

behnazh-w · 2024-12-04T04:29:10Z

One change I have made that I am unsure about is, in wheel_absence.py:91 if _valid_url returns False, then currently I add an empty string. I am not sure what action should be taken if the constructed inspector link is not accessible.

The reason the check for a 200 OK response exists is due to the way I have constructed the pypi inspector link. I observe that the format of the pypi inspector link was the same as files.pythonhosted.org except replacing this prefix with the inspector URL, followed by the package name and then version. Everything else after was the same (using blake2b_256 and the filename), only this was only an observation and I haven't managed to find this documented anywhere, so I added in that check.

I have added a suggestion in this comment to improve the return value. If the inspector HEAD request fails, the value corresponding to the inspector could be None.

src/macaron/malware_analyzer/pypi_heuristics/metadata/wheel_absence.py

art1f1c3R · 2024-12-05T07:31:49Z

Took a look at the source code for inspector, and I have confirmed the way it organises its URLs is what is used in this new feature. At https://github.com/pypi/inspector/blob/main/inspector/main.py line 125:

@app.route(
    "/project/<project_name>/<version>/packages/<first>/<second>/<rest>/<distname>/"
)

…or source code

src/macaron/malware_analyzer/pypi_heuristics/metadata/wheel_absence.py

tromai

LGTM. Thanks.

art1f1c3R added 5 commits November 29, 2024 16:50

chore: adding in todo for the new branch

f9bf81d

chore: adding in todo for the new branch

c7e2f0b

feat: include pypi inspector links of packages in malicious metadata …

d2862e8

…information

chore: fixed branch divergence

bbb273f

test: updated unit tests for wheel absence to account for url checkin…

2ebd8e3

…g and inspector links

art1f1c3R requested review from behnazh-w and tromai as code owners December 3, 2024 05:22

oracle-contributor-agreement bot added the OCA Verified All contributors have signed the Oracle Contributor Agreement. label Dec 3, 2024

art1f1c3R self-assigned this Dec 3, 2024

fix: changed to using a macaron.util function for head request

f9626a7

behnazh-w reviewed Dec 4, 2024

View reviewed changes