Policy Framework: POLICY-1509

Investigate Apex org.python.jython-standalone.2.7.1

    Details

    • Type: Task
    • Status: Delivered
    • Priority: Medium
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: None
    • Labels:

      Description

      Per the security subcommittee, JIRAs are requested for false positives.

      This dependency brings in the Jython interpreter, which Apex uses to execute scripts written in Python under its control.

      Two vulnerabilities are reported against it. Both concern adding extra modules to the Python library on a host that runs Python scripts under Jython:

      • The setup.py and build_py.py files allow extra Python packages to be installed on the host when Jython starts up. Installation goes through setuptools, which does not enforce path traversal restrictions, so a malicious package can read or write files outside its intended installation directory and reach protected areas on the host.
      • Jython also uses packages installed with the Python pip utility. pip is vulnerable to path traversal attacks, so a malicious package installed with pip can likewise reach protected areas on the host.

      In both cases the attack requires a malicious extra package to be installed on the host first; neither the Jython interpreter nor Apex itself triggers it. The resolution is therefore to warn developers not to install extra Python packages that do not come from a trusted source.
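      To make the class of defect named in both bullets concrete, the following is an added example, not code from Jython, pip, setuptools or the Apex project. It builds constructed sdist-style tarballs in memory and implements the pre-install gate a deployer can run on any extra package before handing it to the installer: it flags members whose path, after normalisation, would land outside the intended installation directory. It goes slightly beyond the two bullets by covering all three escape routes a package archive can use ('..' segments, absolute member names, and symlink or hardlink members that point out of the tree). The install directory /opt/apex/site-packages and the "demo" package contents are assumptions made for the illustration.

```python
import io
import os
import tarfile


def build_constructed_package(files, symlinks=None):
    """Build an in-memory .tar.gz sdist-style archive.

    files:    {member_name: bytes}
    symlinks: {member_name: link_target}
    Constructed sample input for this example only; it is not a real package
    and nothing is written to disk.
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
        for name, linkname in (symlinks or {}).items():
            info = tarfile.TarInfo(name)
            info.type = tarfile.SYMTYPE
            info.linkname = linkname
            tar.addfile(info)
    return buf.getvalue()


def _escapes(root, candidate):
    """True if the normalised absolute path candidate lies outside root.

    commonpath, not startswith: a prefix test would wrongly accept
    /opt/apex/site-packages-evil/... as being inside /opt/apex/site-packages.
    """
    return os.path.commonpath([root, candidate]) != root


def find_traversal_members(archive_bytes, install_dir):
    """Return the archive members that would land outside install_dir.

    install_dir does not need to exist: realpath() still normalises it.
    """
    root = os.path.realpath(install_dir)
    offenders = []
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:gz") as tar:
        for member in tar.getmembers():
            # os.path.join discards root when member.name is absolute, and
            # realpath collapses '..' segments, so both escape routes end up
            # as a path that commonpath can compare against root.
            target = os.path.realpath(os.path.join(root, member.name))
            if _escapes(root, target):
                offenders.append(member.name)
                continue
            # Link members: a symlink target is relative to the member's own
            # directory, a hardlink target is relative to the archive root.
            if member.issym():
                link_target = os.path.join(os.path.dirname(target), member.linkname)
            elif member.islnk():
                link_target = os.path.join(root, member.linkname)
            else:
                continue
            if _escapes(root, os.path.realpath(link_target)):
                offenders.append(member.name)
    return offenders


def is_safe_to_install(archive_bytes, install_dir):
    """Gate to run before handing an archive to setuptools or pip."""
    return not find_traversal_members(archive_bytes, install_dir)


def safe_extract(archive_bytes, install_dir):
    """Extract only after the traversal check passes; raise otherwise."""
    offenders = find_traversal_members(archive_bytes, install_dir)
    if offenders:
        raise ValueError(
            "refusing to extract, path traversal in members: {}".format(offenders))
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:gz") as tar:
        tar.extractall(install_dir)  # safe only because of the check above


# Constructed samples: a benign sdist layout plus one archive per escape route.
BENIGN = build_constructed_package({
    "demo-1.0/setup.py": b"from setuptools import setup\nsetup(name='demo')\n",
    "demo-1.0/demo/__init__.py": b"",
})
DOTDOT = build_constructed_package({
    "demo-1.0/setup.py": b"",
    "demo-1.0/../../../.ssh/authorized_keys": b"ssh-ed25519 AAAA... attacker\n",
})
ABSOLUTE = build_constructed_package({
    "demo-1.0/setup.py": b"",
    "/etc/cron.d/demo": b"* * * * * root /tmp/payload\n",
})
SYMLINK = build_constructed_package(
    {"demo-1.0/setup.py": b""},
    symlinks={"demo-1.0/demo/config.py": "../../../../etc/passwd"},
)

if __name__ == "__main__":
    site = "/opt/apex/site-packages"  # assumed install location, need not exist
    for label, pkg in (("benign", BENIGN), ("dotdot", DOTDOT),
                       ("absolute", ABSOLUTE), ("symlink", SYMLINK)):
        verdict = "safe" if is_safe_to_install(pkg, site) else \
            "REJECT {}".format(find_traversal_members(pkg, site))
        print(label, verdict)
```

      The check targets CPython 3.5 or later (os.path.commonpath). Wheels are zip files and get the same gate by iterating ZipFile.infolist() instead of tar members. Python 3.12 added extraction filters to tarfile (filter="data") that refuse the same escapes at extraction time, but running the check up front lets a deployer reject the package before anything reaches the installer.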

              People

              • Assignee: Unassigned
              • Reporter: pdragosh Pamela Dragosh
              • Votes: 0
              • Watchers: 2

                Dates

                • Created:
                  Updated: