Research
Security News
Malicious npm Package Targets Solana Developers and Hijacks Funds
A malicious npm package targets Solana developers, rerouting funds in 2% of transactions to a hardcoded address.
HardMediaGroup, CC BY-SA 3.0, via Wikimedia Commons
Generic dual-paradigm hooking mechanism
This project is part of the Pyrustic Open Ecosystem.
This project is a minimalist Python library that implements an intuitive, flexible, and generic dual-paradigm hooking mechanism.
In short, methods and functions, called targets, are decorated and assigned user-defined hooks. So when a target is called, the assigned hooks will be automatically executed upstream or downstream according to the specification provided by the programmer.
The programmer may wish to have tight or loose coupling between targets and hooks, depending on the requirement. Hence, for a nice developer experience, this library provides two interfaces each representing a paradigm (tight or loose coupling) to cover the needs.
From a hook, the programmer has access to the keyword arguments passed to the decorator, the arguments passed to the target, the target itself, and other useful information through a Context
object.
Depending on whether the hook is executed upstream or downstream, the programmer can modify arguments to target, override the target itself with an arbitrary callable, break the execution of the chain of hooks, modify the return of the target, et cetera.
This library allows the programmer to wrap, augment, or override a function or method with either a tight or loose coupling. It is therefore the perfect solution to create a plugin mechanism for a project.
It can also be used for debugging, benchmarking, event-driven programming, implementing routing in a web development framework (Flask uses decorators to implement routing), et cetera.
The interface of this library is designed to be intuitive to use not only for crafting an API but also for consuming it.
Here are some examples of using this library in the tight and loose coupling paradigm.
Here we will use the tight coupling paradigm to override the target function with a hook. From inside the hook, the target will be executed and we will measure the execution time.
The following example can be copy-pasted into a file (e.g. test.py
) and run as is:
import time
from hooking import override
def timeit(context, *args, **kwargs):
# execute and measure the target run time
start_time = time.perf_counter()
context.result = context.target(*args, **kwargs)
total_time = time.perf_counter() - start_time
# print elapsed time
text = context.config.get("text") # get 'text' from config data
print(text.format(total=total_time))
# decorate 'heavy_computation' with 'override' (tight coupling)
# here, 'timeit' is the hook to execute when the target is called
# all following keyword arguments are part of the configuration data
@override(timeit, text="Done in {total:.3f} seconds !")
def heavy_computation(a, b):
time.sleep(2) # doing some heavy computation !
return a*b
if __name__ == "__main__":
# run 'heavy_computation'
result = heavy_computation(6, 9)
print("Result:", result)
$ python -m test
Done in 2.001 seconds !
Result: 54
This example is divided into two parts:
# Script for the server-side (API consumer side)
# web_script.py
from my_web_framework import Routing, start
# bind to 'home_view', three tags representing
# three paths. This view will be executed when
# the user will request the home page for example
@Routing.tag("/")
@Routing.tag("/home")
@Routing.tag("/index")
def home_view():
return "Welcome !"
@Routing.tag("/about")
def about_view():
return "About..."
if __name__ == "__main__":
start()
# Framework internals (API creator side)
# my_web_framework.py
import random
from hooking import H
# implementing custom routing mechanism by subclassing hooking.H
Routing = H.subclass("Routing")
def start():
# entry point of the web framework
# Get user request, then serve the appropriate page
path = get_user_request()
serve_page(path)
def get_user_request():
# use randomness to simulate user page request
paths = ("/", "/home", "/index", "/about")
return random.choice(paths)
def serve_page(path):
# get the list of functions and methods
# tagged with the Routing.tag decorator
cache = Routing.targets.get(path, list())
for target_info in cache:
view = target_info.target
html = view()
render_html(html)
def render_html(html):
print(html)
As mentioned in the Overview section, functions and methods are the targets to which hooks are attached with a tight or loose coupling. A hook is a function that can be attached one or more times to one or more targets.
Static methods, class methods, or decorated methods or functions should work fine with this library as long as one comes as close as possible to the native definition of the function or method. Example:
from hooking import H, on_enter, on_leave
class MyClass:
# Good !
@staticmethod
@H.tag # innermost
def do_something1(arg):
pass
# BAD !!!
@H.tag # outermost
@classmethod
def do_something2(cls, arg):
pass
def my_hook(context, *arg, **kwargs):
pass
# Good !
@ExoticDecorator
@on_enter(my_hook) # innermost
def my_func():
pass
# BAD !!!
@on_leave(my_hook) # outermost
@ExoticDecorator
def my_func():
pass
A hook is a callable that accepts an instance of hooking.Context
and arguments passed to the target.
The hooking.Context
instance exposes the following attributes:
H.wrap
, H.on_enter
, and H.on_leave
;hooking.ENTER
constant or the hooking.LEAVE
constant;The attributes listed above can be updated with the Context.update
method that accepts keyword arguments.
from hooking import H
# defining my_hook
def my_hook(context, *args, **kwargs):
if context.tag != "target":
raise Exception("Wrong tag !")
# reset arguments
context.update(args=tuple(), kwargs=dict())
@H.tag("target") # tagging my_func with "target"
def my_func(*args, **kwargs):
pass
# binding my_hook to the tag "target"
H.on_enter("target", my_hook)
From an upstream hook, we can change the arguments passed to a target:
# ...
def upstream_hook(context, *args, **kwargs):
# positional arguments are represented with a tuple
context.args = (val1, val2)
# keywords arguments are represented with a dictionary
context.kwargs = {"item1": val1, "item2": val2}
# ...
The library exposes the hooking.override
to override a target function:
from hooking import override
def myhook(context, *args, **kwargs):
context.result = new_target_function(*args, **kwargs)
@override(myhook)
def target():
pass
but one can still override the target from an arbitrary upstream hook:
from hooking import on_enter
def upstream_hook(context, *args, **kwargs):
# override target with a new target that
# that accepts same type signature
context.target = new_target_function
@on_enter(upstream_hook)
def target():
pass
Note that you can set None
to context.target
to prevent the library for automatically running the target between the execution of upstream and downstream hooks.
From a downstream hook, we can change the return of a target:
# ...
def downstream_hook(context, *args, **kwargs):
context.result = new_value
# ...
In this paradigm, hooks are directly bound to target. The library exposes the following decorators to decorate targets:
Decorator | Description | Signature |
---|---|---|
hooking.override | Bind to a target a hook that will override it | @override(hook, **config) |
hooking.wrap | Bind to a target two hooks that will be executed upstream and downstream | @wrap(hook1, hook2, **config) |
hooking.on_enter | Bind to a target a hook that will be executed upstream, i.e, before the target | @on_enter(hook, **config) |
hooking.on_leave | Bind to a target a hook that will be executed downstream, i.e, after the target | @on_leave(hook, **config) |
The library exposes the hooking.override
decorator to bind to a target a hook that will override it:
from hooking import override
def myhook(context, *args, **kwargs):
context.result = context.target(*args, **kwargs)
# or
my_new_target = lambda *args, **kwargs: print("New Target Here !")
context.result = my_new_target(*args, **kwargs)
# override target with myhook
@override(hook3, foo=42, bar="Alex") # foo and bar are config data
def target():
pass
Note that with the
hooking.override
decorator, the programmer must execute the target or its replacement inside the hook and set the result tocontext.result
.
The hooking.wrap
decorator allows the programmer to wrap the target between two hooks that will be executed upstream and downstream. Two additional decorators hooking.on_enter
and hooking.on_leave
allow the programmer to bind either a upstream or a downstream hook to a target.
from hooking import wrap, on_enter, on_leave
def hook1(context, *args, **kwargs):
pass
def hook2(context, *args, **kwargs):
pass
# bind an upstream hook and a downstream hook to my_func1
@wrap(hook1, hook2, foo=42, bar="Alex") # foo and bar are config data
def my_func1():
pass
# bind an upstream hook to my_func2
@on_enter(hook1, foo=42, bar="Alex")
def my_func2():
pass
# bind a downstream hook to my_func3
@on_leave(hook2, foo=42, bar="Alex")
def my_func3():
pass
In this paradigm, hooks aren't directly bound to target but to tags which are linked to targets. The library exposes the hooking.H
class to support the loose coupling paradigm. In short, the hooking.H.tag
decorator is used to tag targets, then class methods hooking.H.on_enter
, hooking.H.on_leave
, and hooking.H.wrap
are used to bind hooks to tags.
The hooking.H.tag
class method allows you to tag a function or a method:
from hooking import H
@H.tag
def my_func(*args, **kwargs):
pass
class MyClass:
@H.tag
def my_method(self, *args, **kwargs):
pass
The hooking.H.tag
decorator accepts a label
string as argument. By default, when this argument isn't provided, the library uses the qualified name of the method or function as the label
.
Here we provide the label
argument:
from hooking import H
@H.tag("my_func")
def my_func(*args, **kwargs):
pass
class MyClass:
@H.tag("MyClass.my_method")
def my_method(self, *args, **kwargs):
pass
These are the hooking.H
class methods to bind hooks to tags:
Class method | Description | Signature |
---|---|---|
hooking.H.on_enter | Bind to a tag a hook that will be executed downstream, i.e, before the target | on_enter(tag, hook) |
hooking.H.on_leave | Bind to a tag a hook that will be executed downstream, i.e, after the target | on_leave(tag, hook) |
hooking.H.wrap | Bind to a tag two hooks that will be executed upstream and downstream | wrap(tag, hook1, hook2) |
from hooking import H
@H.tag("target")
def my_func(*args, **kwargs):
pass
def my_hook1(context, *args, **kwargs):
pass
def my_hook2(context, *args, **kwargs):
pass
# bind my_hook1 to "target" and run it upstream
hook_id = H.on_enter("target", my_hook1)
# bind my_hook2 to "target" and run it downstream
hook_id = H.on_leave("target", my_hook2)
# bind my_hook1 and my_hook2 to "target"
hook_id1, hook_id2 = H.wrap("target", my_hook1, my_hook2)
Whenever a hook is bound to a tag, the Hook ID (HID) which could be used later to unbind the hook, is returned:
from hooking import H
def hook(context, *args, **kwargs):
pass
# bind
hid = H.on_enter("tag", hook)
# unbind
H.unbind(hid)
Multiple hooks can be unbound in a single statement:
from hooking import H
def hook1(context, *args, **kwargs):
pass
def hook2(context, *args, **kwargs):
pass
# bind
hid1 = H.on_enter("tag", hook1)
hid2 = H.on_leave("tag", hook2)
# unbind multiple hooks manually
H.unbind(hid1, hid2)
The clear
class method of hooking.H
unbinds all hooks bound to a specific tag:
from hooking import H
def hook1(context, *args, **kwargs):
pass
def hook2(context, *args, **kwargs):
pass
@H.tag
def target():
pass
# bind
hid1 = H.on_enter("target", hook1)
hid2 = H.on_enter("target", hook2)
# unbind hook1 and hook2 from "target"
H.clear("target")
You can clear multiple tags in a single statement:
from hooking import H
def hook1(context, *args, **kwargs):
pass
def hook2(context, *args, **kwargs):
pass
@H.tag
def target1():
pass
@H.tag
def target2():
pass
# bind
hid1 = H.on_enter("target1", hook1)
hid2 = H.on_enter("target2", hook2)
# unbind hook1 and hook2 from "target1" and "target2"
H.clear("target1", "target2")
This library exposes an Exception subclass to allow the programmer to break the execution of a chain of hooks:
from hooking import H, ChainBreak
@H.tag("target")
def my_func(*args, **kwargs):
pass
def hook1(context, *args, **kwargs):
pass
def hook2(context, *args, **kwargs):
raise ChainBreak
def hook3(context, *args, **kwargs):
pass
# bind hook1, hook2 and hook3 to 'target'
for hook in (hook1, hook2, hook3):
H.on_enter("target", hook)
# call the target
my_func()
# since the target was called,
# the chain of hooks (hook1, hook2, hook3)
# must be executed.
# hook2 having used ChainBreak,
# the chain of execution will be broken
# and hook3 will be ignored
We could freeze the hooking class and thus prevent the execution of all hooks:
from hooking import H
@H.tag
def my_func(*args, **kwargs):
pass
H.freeze()
# from now, no hook will be executed anymore
To unfreeze the hooking class, use the H.unfreeze
class method:
from hooking import H
H.unfreeze()
# from now, hooks will be executed when needed
The library exposes data through a class method, class variables, and data transfer objects (namedtuples).
Upstream and downstream hooks bound to a specific tag can be retrieved with the get_hooks
class method.
from hooking import H
# returns a 2-tuple of upstream hooks and
# downstream hooks
upstream_hooks, downstream_hooks = H.get_hooks("tag")
# iterate through upstream_hooks which is
# a list of instances of hooking.HookInfo
for hook_info in upstream_hooks:
print(hook_info)
The hooking.H
class exposes the following class variables:
Class variable | Description |
---|---|
targets | Ordered dictionary. Keys are tags and values are lists of instances of hooking.TargetInfo . Example: {"tag1": [TargetInfo(), TargetInfo(), ...], ...} |
hooks | Ordered dictionary. Keys are tags and values are lists of instances of hooking.HookInfo . Example: {"tag1": [HookInfo(), HookInfo(), ...], ...} |
tags | The set of registered tags |
frozen | Boolean to tell whether the hooking mechanism is frozen or not |
Note: it is not recommended to modify the contents of these class variables directly. Use the appropriate class methods for this purpose.
Both hooking.TargetInfo
and hoooking.HookInfo
are namedtuples that will be explored in the next subsection.
Here are the fields from the hooking.TargetInfo
namedtuple:
Here are the fields from the hooking.HookInfo
namedtuple:
hooking.ENTER
or hooking.LEAVE
.You may need to reset the hooking class, i.e., reinitialize the contents of the following class variables: hooking.H.hooks
, hooking.H.tags
, and hooking.H.frozen
. In this case, you just have to call the hooking.H.reset
class method.
Note: targets won't be removed.
This library is flexible enough to allow the programmer to create their own subclass of hooking.H
like this:
from hooking import H
MyCustomHookingClass = H.subclass("MyCustomHookingClass")
Subclassing hooking.H
allows the programmer to apply the separation of concerns. For example, a web framework creator might create a Routing
subclass to implement a routing mechanism, and also create an Extension
subclass to implement a plugin mechanism. Each subclass would have its own set of tags, hooks, and targets.
Note: class variables are automatically reset when subclassing
hooking.H
.
Whenever threads are introduced into a program, the state shared between threads becomes vulnerable to corruption. To avoid this situation, this library uses threading.Lock as a synchronization tool.
Hooking is cross-platform and should work on Python 3.5 or newer.
$ pip install hooking
$ pip install hooking --upgrade --upgrade-strategy eager
$ pip show hooking
FAQs
Generic dual-paradigm hooking mechanism
We found that hooking demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
A malicious npm package targets Solana developers, rerouting funds in 2% of transactions to a hardcoded address.
Security News
Research
Socket researchers have discovered malicious npm packages targeting crypto developers, stealing credentials and wallet data using spyware delivered through typosquats of popular cryptographic libraries.
Security News
Socket's package search now displays weekly downloads for npm packages, helping developers quickly assess popularity and make more informed decisions.