directory-api-client
Great API client.
$ pip install directory-api-client
The API client expects the following settings:

Setting | Notes
---|---
DIRECTORY_API_CLIENT_BASE_URL |
DIRECTORY_API_CLIENT_API_KEY | Unique to client. Retrieved during the on-boarding process.
DIRECTORY_API_CLIENT_SENDER_ID | Unique to client. Retrieved during the on-boarding process.
DIRECTORY_API_CLIENT_DEFAULT_TIMEOUT |
The following directory client core settings also apply to directory cms client:

Setting | Notes
---|---
DIRECTORY_CLIENT_CORE_CACHE_EXPIRE_SECONDS | Duration to store the retrieved content in the cache.
DIRECTORY_CLIENT_CORE_CACHE_LOG_THROTTLING_SECONDS | Duration for which log events for a given URL are throttled.

The caching also expects the following key to be present in the CACHES setting: api_fallback
Once that is done, the API client can be used:
from directory_api_client.client import api_client
To set up a development environment:

$ git clone https://github.com/uktrade/directory-api-client
$ cd directory-api-client
$ [create virtual environment and activate]
$ make test_requirements
Use make checks to validate the codebase with black and isort, in dry-run mode.
Use make autoformat to run black and isort in file-updating mode.
Where feasible, the response is cached in the client's fallback cache. This allows it to be retrieved later if the API returns a non-successful response or times out.

When enabling the fallback cache on a handler, make sure that the request's querystring or URL path is unique per user; otherwise User B's details could be leaked to User A.

For example, api_client.company.profile_retrieve looks up the company for the authenticated user. The authentication header is not used when generating the cache key for the response. For that endpoint the querystring and URL are the same for all users, so the cache key is also the same for all users. If the API were down, every user would see the company details of the last user who successfully retrieved their company.
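As an added illustration (not code from directory-api-client), the leak described above reproduced with two key-generation strategies: one built from the URL and querystring only, and one that also folds a digest of the caller's credential into the key. The in-memory cache, endpoint path, token strings and profile data are constructed stand-ins.

```python
import hashlib
from typing import Callable, Dict, Optional

# Constructed in-memory stand-in for the Django CACHES["api_fallback"] backend.
fallback_cache: Dict[str, dict] = {}


def cache_key_url_only(url: str, querystring: str, auth_header: str) -> str:
    """Weak key: URL + querystring only. The auth header is ignored, so every
    caller of a per-user endpoint (e.g. company profile retrieval) shares one key."""
    return hashlib.sha256(f"{url}?{querystring}".encode()).hexdigest()


def cache_key_per_user(url: str, querystring: str, auth_header: str) -> str:
    """Hardened key: include a digest of the caller's credential so the fallback
    entry is scoped to one user. Hashing avoids storing the raw token in the key."""
    user_scope = hashlib.sha256(auth_header.encode()).hexdigest()
    return hashlib.sha256(f"{url}?{querystring}|{user_scope}".encode()).hexdigest()


def retrieve_with_fallback(url: str, querystring: str, auth_header: str,
                           upstream: Callable[[str], Optional[dict]],
                           key_func: Callable[[str, str, str], str]) -> Optional[dict]:
    """Call the upstream API; on success store the response under key_func's key,
    on failure (upstream returns None) serve whatever the fallback cache holds."""
    key = key_func(url, querystring, auth_header)
    response = upstream(auth_header)
    if response is not None:
        fallback_cache[key] = response
        return response
    return fallback_cache.get(key)


def simulate_outage(key_func: Callable[[str, str, str], str]) -> Optional[dict]:
    """User A retrieves their profile while the API is up; the API then goes down
    and User B requests theirs. Returns what User B is served from the fallback."""
    fallback_cache.clear()
    profiles = {"Bearer token-A": {"company": "A Ltd"},
                "Bearer token-B": {"company": "B Ltd"}}  # constructed sample data
    api_up = lambda auth: profiles[auth]
    api_down = lambda auth: None
    retrieve_with_fallback("/company/profile/", "", "Bearer token-A", api_up, key_func)
    return retrieve_with_fallback("/company/profile/", "", "Bearer token-B", api_down, key_func)


if __name__ == "__main__":
    print("url-only key, B is served:", simulate_outage(cache_key_url_only))
    print("per-user key, B is served:", simulate_outage(cache_key_per_user))
```

With the URL-only key User B receives User A's company details during the outage; with the per-user key there is no cached entry for B, so the handler must surface the upstream failure instead.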
The package should be published to PyPI on merge to master. If you need to do it locally, get the credentials from rattic and add the following environment variables to your host machine:

Setting |
---|
DIRECTORY_PYPI_USERNAME |
DIRECTORY_PYPI_PASSWORD |
Then run the following command:
$ make publish
Python client for Directory API.
We found that directory-api-client demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 2 open source maintainers collaborating on the project.