Reject locked malware installations

[woodruffw]

If the user's uv.lock contains a version that is known to be malicious, then we should reject its installation.

This is slightly different from what uv audit does -- uv audit principally checks from known vulnerabilities, not malware or compromised packages. The latter is reported via a distinct "stream" on OSV (MAL- reports).

I need to think a bit more about the design here/implications.

• Support filtering by malware (MAL-) in the OSV client: Enable filtering OSV results for malware #18934
• Fetch MAL- entries during lockfile installation and reject the install if we have any: Reject locked malware installations #18936
• Cache MAL- lookups: Cache positive OSV hits #19038

[woodruffw]

For context: when PyPI quarantines/removes malware, it removes references from the index but not the backing file storage, so any malicious distributions referenced in the lockfile (via their file URLs) will still be retrievable.

[konstin]

For context: when PyPI quarantines/removes malware, it removes references from the index but not the backing file storage, so any malicious distributions referenced in the lockfile (via their file URLs) will still be retrievable.

Do you know why it doesn't remove those? Both uv.lock and pylock.toml store resolved URLs, so they'd both be affected here.

[woodruffw]

Do you know why it doesn't remove those? Both uv.lock and pylock.toml store resolved URLs, so they'd both be affected here.

@miketheman or @ewdurbin would have the definitive answer here, but I think it's a combination of (1) competing requirements (PyPI itself doesn't consider the file URLs stable IIRC, it's just that everyone else does 😅) and (2) complexity.

[ewdurbin]

Some of the motivators:

0. Indeed, the PEPs around the concept of a Python Package Index do not bind us to supporting dependance on static urls for resolution or installation outside of the /simple urls, allowing us to migrate to a new domain or file structure for file hosting (in theory).

1. Security barrier: Currently the PyPI application has write-only access to the ground truth object storage bucket and the optimistic cache that saves us on egress costs. No online system has access to delete files from object storage, preventing a compromise of our systems from destroying artifacts. Currently deleting an artifact from either the archival storage or optimistic cache would leave it online as our CDN tries both locations. Deleting from both object stores means that the artifact would be gone gone forever, even to PyPI for future review/research. We have discussed a third disaster recovery/private tier of object storage that is not used for servicing requests which would allow us to ease the barrier a little and give PyPI's services the ability to delete files.

2. Complexity. Yep! We currently only have two-tiers of object storage and the complexity is a lot for a small team. Coordinating across 2 or more buckets to ensure consistency when deletion is an option is... non-trivial and the limited resources haven't been pointed in that direction (yet).

[kam193]

It may be a total coincidence, but I was analyzing this behavior in a blog post three weeks ago. I'd argue that installing removed packages generally brings a few additional risks (I don't think now about delayed removal caused by caches etc.), even just because you don't get quick feedback about packages that are no longer available and keep shipping projects that actually should break. I think that it could be better to fail by default, eventually leaving it as an optional, explicit behavior to skip consulting the index - if you know what you are doing.

[zanieb]

It's consider it important that we don't need to query the index to install from a lockfile and would be quite hesitant to change our behavior for deleted releases that are not malicious. I'm curious to hear more from people though.

[woodruffw]

Yeah, I think hitting the index would be a really significant performance ding in locked flows. I think the equivalent malware checks from OSV should be much cheaper, and will achieve the same outcome 🙂

[kam193]

It seems to be a fair compromise, given bulk queries available in OSV :)

However, to be sure you have the full picture of the data, there is no guarantee OSV will ever have this information. In cases like the recent two, where we were speaking about two popular packages, the MAL entries were actually earlier than PyPI (so it would actually be even better!), but there is no guarantee:

• MAL advisories are issued by https://github.com/ossf/malicious-packages independent of PyPI,
• PyPI publishes its own PYSEC advisories, which to my knowledge is not strictly limited to malware,
• There is currently no process of obligatory publishing of either of them: PYSEC advisories are published mainly for compromised malicious releases (this is an observation; I don't know if Mike has other criteria right now), and the MAL advisories are published either manually or when one of the integrated sources publishes them. In the last two cases, they were manually created.

I personly think we have the majority visible in OSV, so this may be a suitable solution in most cases.

[zanieb]

We're certainly open to collaborating with the PyPI security team to add whatever is needed to best serve the ecosystem here.

[woodruffw]

Yeah, a dedicated efficient way to query this on PyPI is arguably the best of all worlds 🙂

(As a point of information: PYSEC advisories typically get populated from OSV, not vice versa. So generally speaking OSV will have the "first" copy of a vulnerability report unless it either came in via CVE or was manually created on the PYSEC side. MAL reports are a different beast as you note, but in this case we kind of need to depend on them versus normal OSV or PYSEC reports since the latter don't have metadata distinguishers for malware vs. known vulnerability. Maybe they could in the future though!)

[kam193]

(Yes, of course, I meant only reports about malicious data, the vulnerabilities are out-of-scope here. 😅 But another fun fact: PYSEC seems to consume only NVD database, so it's just a part of vulnerabilities)