
Research
PyPI Package Disguised as Instagram Growth Tool Harvests User Credentials
A deceptive PyPI package posing as an Instagram growth tool collects user credentials and sends them to third-party bot services.
pyenv
source activate_settings.sh
pipenv install --dev
activate_settings.sh
and aidbox_python_sdk/settings.py
). You can also
use environment variables to define sensitive settings, eg. DB connection variables (see example .env-ptl
)python example.py
.main.py
from aidbox_python_sdk.main import create_app as _create_app
from aidbox_python_sdk.settings import Settings
from aidbox_python_sdk.sdk import SDK
settings = Settings(**{})
sdk = SDK(settings, resources={}, seeds={})
def create_app():
app = await _create_app(SDK)
return app
async def create_gunicorn_app() -> web.Application:
return create_app()
import logging
from aiohttp import web
from aidbox_python_sdk.types import SDKOperation, SDKOperationRequest
from yourappfolder import sdk
@sdk.operation(
methods=["POST", "PATCH"],
path=["signup", "register", {"name": "date"}, {"name": "test"}],
timeout=60000 ## Optional parameter to set a custom timeout for operation in milliseconds
)
def signup_register_op(_operation: SDKOperation, request: SDKOperationRequest):
"""
POST /signup/register/21.02.19/testvalue
PATCH /signup/register/22.02.19/patchtestvalue
"""
logging.debug("`signup_register_op` operation handler")
logging.debug("Operation data: %s", operation)
logging.debug("Request: %s", request)
return web.json_response({"success": "Ok", "request": request["route-params"]})
To access Aidbox Client, SDK, settings, DB Proxy the app
(web.Application
) is extended by default with the following app keys that are defined in aidbox_python_sdk.app_keys
module:
from aidbox_python_sdk import app_keys as ak
from aidbox_python_sdk.types import SDKOperation, SDKOperationRequest
@sdk.operation(["POST"], ["example"])
async def update_organization_op(_operation: SDKOperation, request: SDKOperationRequest):
app = request.app
client = app[ak.client] # AsyncAidboxClient
sdk = app[ak.sdk] # SDK
settings = app[ak.settings] # Settings
db = app[ak.db] # DBProxy
return web.json_response()
FHIR Client is not plugged in by default, however, to use it you can extend the app by adding new AppKey
app/app_keys.py
from fhirpy import AsyncFHIRClient
fhir_client: web.AppKey[AsyncFHIRClient] = web.AppKey("fhir_client", AsyncFHIRClient)
main.py
from collections.abc import AsyncGenerator
from aidbox_python_sdk.main import create_app as _create_app
from aidbox_python_sdk.settings import Settings
from aidbox_python_sdk.sdk import SDK
from aiohttp import BasicAuth, web
from fhirpy import AsyncFHIRClient
from app import app_keys as ak
settings = Settings(**{})
sdk = SDK(settings, resources={}, seeds={)
def create_app():
app = await _create_app(SDK)
app.cleanup_ctx.append(fhir_clients_ctx)
return app
async def create_gunicorn_app() -> web.Application:
return create_app()
async def fhir_clients_ctx(app: web.Application) -> AsyncGenerator[None, None]:
app[ak.fhir_client] = await init_fhir_client(app[ak.settings], "/fhir")
yield
async def init_fhir_client(settings: Settings, prefix: str = "") -> AsyncFHIRClient:
basic_auth = BasicAuth(
login=settings.APP_INIT_CLIENT_ID,
password=settings.APP_INIT_CLIENT_SECRET,
)
return AsyncFHIRClient(
f"{settings.APP_INIT_URL}{prefix}",
authorization=basic_auth.encode(),
dump_resource=lambda x: x.model_dump(),
)
After that, you can use app[ak.fhir_client]
that has the type AsyncFHIRClient
everywhere where the app is available.
from aidbox_python_sdk.types import SDKOperation, SDKOperationRequest
schema = {
"required": ["params", "resource"],
"properties": {
"params": {
"type": "object",
"required": ["abc", "location"],
"properties": {"abc": {"type": "string"}, "location": {"type": "string"}},
"additionalProperties": False,
},
"resource": {
"type": "object",
"required": ["organizationType", "employeesCount"],
"properties": {
"organizationType": {"type": "string", "enum": ["profit", "non-profit"]},
"employeesCount": {"type": "number"},
},
"additionalProperties": False,
},
},
}
@sdk.operation(["POST"], ["Organization", {"name": "id"}, "$update"], request_schema=schema)
async def update_organization_op(_operation: SDKOperation, request: SDKOperationRequest):
location = request["params"]["location"]
return web.json_response({"location": location})
POST /Organization/org-1/$update?abc=xyz&location=us
organizationType: non-profit
employeesCount: 10
FAQs
Aidbox SDK for python
We found that aidbox-python-sdk demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 2 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
A deceptive PyPI package posing as an Instagram growth tool collects user credentials and sends them to third-party bot services.
Product
Socket now supports pylock.toml, enabling secure, reproducible Python builds with advanced scanning and full alignment with PEP 751's new standard.
Security News
Research
Socket uncovered two npm packages that register hidden HTTP endpoints to delete all files on command.