Security News
Research
Data Theft Repackaged: A Case Study in Malicious Wrapper Packages on npm
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
This package provides two access modifiers for Python: private methods and protected methods. The goal is to be able to document methods as being private or protected and to provide basic guards against accidentally calling private and protected methods from outside the allowed scopes.
Example usage of private methods:
from access_modifiers import privatemethod
class Class:
@privatemethod
def private_method(self) -> str:
return "private method"
def public_method(self) -> str:
return "public method calls " + self.private_method()
c = Class()
print(c.public_method()) # Prints "public method calls private method"
print(c.private_method()) # Raises an exception
Example usage of protected methods:
from access_modifiers import protectedmethod
class Class:
@protectedmethod
def protected_method(self) -> str:
return "protected method"
def public_method(self) -> str:
return "public method calls " + self.protected_method()
class Subclass(Class):
@protectedmethod
def protected_method(self) -> str:
return "overridden protected method calls " + super().protected_method()
c = Subclass()
print(c.public_method()) # Prints "public method calls overridden protected method calls protected method"
print(c.protected_method()) # Raises an exception
Private methods can be combined with static methods. Note that the order matters: staticmethod should be the outermost decorator.
from access_modifiers import privatemethod
class Class:
@staticmethod
@privatemethod
def static_private_method() -> str:
return "static private method"
def public_method(self) -> str:
return "public method calls " + self.static_private_method()
c = Class()
print(c.public_method()) # Prints "public method calls static private method"
print(c.static_private_method()) # Raises an exception
Combining protected methods with static methods is not supported. Combining access modifiers with class methods is not supported (yet).
The access modifier decorators work by looking at the code that is calling the decorator to decide whether it is allowed to call the method. To do so, the decorators use implementation details of CPython, like sys._getframe() and the names of code objects such as lambdas and modules. These checks are done on each method call. Consequently, there is a considerable performance impact. Therefore it's recommended to use the access modifiers during testing and turn them off in production using the access_modifiers.disable()
method. Note that you need to call this method before any of the access modifier decorators are evaluated, i.e.:
from access_modifiers import disable, privatemethod
disable() # This will disable the access checks
class Class:
@privatemethod
def private_method(self) -> str:
return "private_method"
disable() # Calling disable here will not work, Class.private_method has already been wrapped
The package is available from the Python Package Index, install with pip install access-modifiers
.
To clone the repository: git clone git@github.com:fniessink/access-modifiers.git
.
To install the development dependencies: pip install -r requirements-dev.txt
.
To run the unittests and measure the coverage (which should always be at 100%): ci/unittest.sh
.
To run Pylint (which should score a 10) and Mypy (which shouldn't complain): ci/quality.sh
.
The implementation is driven by (unit) tests and has 100% unit test statement and branch coverage. Please look at the tests to see which usage scenario's are currently covered.
FAQs
Private and protected access modifiers for Python
We found that access-modifiers demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
Research
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
Research
Security News
Attackers used a malicious npm package typosquatting a popular ESLint plugin to steal sensitive data, execute commands, and exploit developer systems.
Security News
The Ultralytics' PyPI Package was compromised four times in one weekend through GitHub Actions cache poisoning and failure to rotate previously compromised API tokens.