Security News
Research
Data Theft Repackaged: A Case Study in Malicious Wrapper Packages on npm
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
ocflib is a Python library for working with Open Computing Facility services (in particular, accounts and server management).
The library targets Python 3.5.3 and 3.7 (the versions available in Debian stretch and buster).
The goal of the library is to make it easier to re-use OCF python code. In the past, code was split between approve, atool, create, chpass, sorry, signat, etc., which made it difficult to do things like share common password requirements.
In general, code which can be re-used should be here, but standalone applications or binaries shouldn't. For example, ocfweb uses ocflib code to change passwords and create accounts, but the Django web app doesn't belong here.
ocflib is installed by Puppet on the OCF, so you can simply do things
like import ocflib.lab.stats
from the system python3 installation. We don't
install it to python2 site-packages.
We build a Debian package which is installed by Puppet. We also publish new versions to PyPI, which is useful because it allows easy installation into virtualenvs.
This repository includes a poetry.lock
file. Lockfiles are usually used to
ensure that the exact same versions of dependencies are installed across
different machines. However, as this is a library, we don't want to force
downstream users to use the exact same versions of dependencies as us, and
indeed, the lockfile is ignored when distributing. We still include it in the
repository to make it easier to develop, test, and debug ocflib.
Development of ocflib uses Poetry. The easiest way to test changes to ocflib is to let Poetry manage the virtual environment for you:
poetry install
poetry shell
Now, if you import something from ocflib, you'll be using the version from your working copy.
We use pytest to test our code, and pre-commit to lint it. You should run
make test
before pushing to run both.
The tests
directory contains automated tests which you're encouraged to add to
(and not break). The tests-manual
directory contains scripts intended for
testing.
We use pre-commit to lint our code before commiting. While some of the rules might seem a little arbitrary, it helps keep the style consistent, and ensure annoying things like trailing whitespace don't creep in.
You can simply run make install-hooks
to install the necessary git hooks; once
installed, pre-commit will run every time you commit.
Alternatively, if you'd rather not install any hooks, you can simply use
make test
as usual, which will also run the hooks.
If you're trying to run make install-hooks on ocfweb (or related repos) and get this error:
./_cracklib.c:40:10: fatal error: 'crack.h' file not found
#include <crack.h>
^~~~~~~~~
1 error generated.
The issue relates to the cracklib package not finding the necessary header files
to install. Make sure cracklib is installed on your machine
(https://github.com/cracklib/cracklib, if you're on Mac,
brew install cracklib
).
Deploying changes involves:
Jenkins will automatically perform all of these steps for you on
every push, including automatically generating a new version number. As long as
make test
passes, your code will be automatically deployed. You can monitor
the progress of your deploy here.
FAQs
libraries for account and server management
We found that ocflib demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 3 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
Research
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
Research
Security News
Attackers used a malicious npm package typosquatting a popular ESLint plugin to steal sensitive data, execute commands, and exploit developer systems.
Security News
The Ultralytics' PyPI Package was compromised four times in one weekend through GitHub Actions cache poisoning and failure to rotate previously compromised API tokens.