
My question may seem a bit strange, but that's just because I'm new to programming. I am currently reading Automate the Boring Stuff with Python, and they require you to download openpyxl to work with spreadsheets in Excel. I want to use what I'm learning to generate reports where I work, but it requires me to work with sensitive customer information. I'm fairly certain that they are, but I just wanted more experienced advice.

So the question is: are third-party modules like openpyxl safe to use in a workplace environment?

  • Well, if you trust the authors, yes. If you don't trust them, probably no. Not different from any other software I guess.
    – cel
    Commented Oct 15, 2016 at 18:29
  • Everybody can upload packages to PyPI, so there is no guarantee that they do what they are supposed to do. But in contrast to Excel itself, you can read their code, so you can check what they do.
    – timakro
    Commented Oct 15, 2016 at 18:29
  • This question is off-topic because it should be asked of your management at your company. For the general case: the question is not within the scope of questions appropriate for this site, as defined in What topics can I ask about here? Please also see: What types of questions should I avoid asking? You may be able to get help on another Stack Exchange site.
    – Makyen
    Commented Sep 16, 2017 at 23:57
  • Does this answer your question? Are PIP packages curated? Is it safe to install them?
    – Andrew
    Commented May 12, 2023 at 19:03

1 Answer


This is an excellent and very relevant question. Security of 3rd party modules is indeed an increasingly important question for enterprise software development as well.

One thing is the security of the package manager itself. It should download packages over a secure channel (mostly HTTPS) and validate downloaded packages to make sure there was no tampering, either on the host or on the client after downloading but before installing. You must also be careful to enter the right package name if you install a package manually, because install scripts for the package are run as the user you are installing with (often root on Linux); see this research on why that is a threat (the original website is down at the time of writing this response; articles are here or here).

The other thing is the code you are adding from the installed package. When you add a 3rd-party module to your application, you inherently trust the person or organization that made the package. You either want to do that or not; the risk is that you might be adding vulnerabilities to your software through the packages you install. Of course, well-known packages probably pose less of a risk, but being well-known and used by many people is by far not a guarantee of the security of a package.

What you can (and should) do as due diligence when adding a new package is check online whether there are known vulnerabilities. In general, you can use online databases like the NVD for these types of queries; I don't know of such a database specific to Python.

In the case of languages like Python or Ruby, you can of course also look at the source code of the package and check it for vulnerabilities. Note, though, that security code review is a tricky business; sometimes it's not easy to spot security flaws.

So the short answer is that most packages for Python are probably OK, but using packages from unknown authors can indeed introduce serious vulnerabilities. Also, over time new vulnerabilities may be discovered in old packages, so besides checking a package when adding it to your project, you should also regularly update your 3rd-party packages, especially if there are known vulnerabilities (but also if there are none).

  • So another answer to basically the same question gave a link to an article detailing 8 malicious pip packages. I'm not finding them when I search NVD for them.
    – Andrew
    Commented May 12, 2023 at 19:02
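Added example, not code from the question, the answer, pip or openpyxl: a small Python script illustrating two of the checks the answer above describes, verifying a downloaded artifact against a pinned SHA-256 (the same idea as pip's `--require-hashes` mode) and flagging requested package names that look like a typo of a package the team has already reviewed. The allowlist, requirement lines, version numbers and the sample artifact bytes are constructed for the demonstration.

```python
import difflib
import hashlib
import re

# Constructed allowlist: packages the team has already reviewed and approved.
APPROVED = {"openpyxl", "requests", "numpy"}

# Constructed requirements text in pip's hash-pinning style. The digest on the
# openpyxl line is SHA-256 of an empty byte string, chosen so the check can be
# demonstrated offline; real pins carry the digest of the real wheel/sdist.
REQUIREMENTS = """
openpyxl==0.0.0 --hash=sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
openxlpy==0.0.0
"""

def lookalike(name, approved=APPROVED, cutoff=0.7):
    """If `name` is not approved but closely resembles an approved package,
    return that package (the likely intended one); otherwise return None."""
    name = name.lower()
    if name in approved:
        return None
    hits = difflib.get_close_matches(name, sorted(approved), n=1, cutoff=cutoff)
    return hits[0] if hits else None

def parse_requirements(text):
    """Map each requirement name to the set of sha256 digests pinned for it.
    A name with no --hash entries maps to an empty set."""
    pins = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name = re.split(r"[=<>! ]", line, maxsplit=1)[0].lower()
        pins[name] = set(re.findall(r"--hash=sha256:([0-9a-f]{64})", line))
    return pins

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

def artifact_ok(name, data, pins):
    """True only if the downloaded bytes match a digest pinned for `name`.
    An unpinned package is rejected rather than silently trusted."""
    return sha256_hex(data) in pins.get(name, set())

def audit(pins):
    """Report requirement names that look like a typo of an approved package."""
    return {n: lookalike(n) for n in pins if lookalike(n)}
```

Running `audit(parse_requirements(REQUIREMENTS))` reports `openxlpy` as a near miss for `openpyxl`, and `artifact_ok` rejects both a tampered artifact and a package with no pinned digest.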
