DissectMalware / XLMMacroDeobfuscator

Extract and Deobfuscate XLM macros (a.k.a Excel 4.0 Macros)
Apache License 2.0

Handling of dependencies #100

Closed tbeadle closed 2 years ago

tbeadle commented 2 years ago

Currently, in setup.py, the dependencies for pyxlsb2 and xlrd2 use:

        "pyxlsb2@https://github.com/DissectMalware/pyxlsb2/archive/master.zip",
        "xlrd2@https://github.com/DissectMalware/xlrd2/archive/master.zip",

This causes a problem for packages that depend on this one, such as https://github.com/kevoreilly/CAPEv2, where hashes are provided in their requirements.txt, because the hashes for pyxlsb2 and xlrd2 will change any time there is a commit to master. If that requirements.txt is changed to pin it to a specific commit (e.g. https://github.com/DissectMalware/pyxlsb2/archive/a751dc2c85f4134578232e0b1497d177775c2d2d.zip), pip install -r requirements.txt will (in addition to downloading that zip file) still try to download master.zip because of the declaration in XLMMacroDeobfuscator's setup.py, and, since there's no hash for master.zip in requirements.txt, it will fail:

ERROR: Hashes are required in --require-hashes mode, but they are missing from some requirements. Here is a list of those requirements along with the hashes their downloaded archives actually had. Add lines like these to your requirements files to prevent tampering. (If you did not enable --require-hashes manually, note that it turns on automatically when any package has a hash.)
    https://github.com/DissectMalware/pyxlsb2/archive/master.zip --hash=sha256:7b0a3301f31a432faf0312c88591891df170d03ceb4b97eb9585f82b910adf96
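The failure described above can be caught before pip reaches the network. The following is an added example, not code from XLMMacroDeobfuscator, CAPEv2 or anyone in this thread: a small requirements linter that parses requirement lines with their `--hash` options, flags direct URLs that point at a mutable branch archive such as `archive/master.zip`, flags any requirement left without a hash once hash-checking mode is on (pip enables it as soon as one requirement carries a hash), and verifies downloaded bytes against the pinned digests. The sample requirements text is constructed: the version `0.0.0` and the all-zero digests are placeholders, while the commit id and the master.zip URL are the ones quoted in the issue.

```python
"""Lint pip requirement lines for hash-checking-mode hazards (added example).

pip turns on --require-hashes as soon as any requirement carries a --hash
option; from then on every requirement, including those pulled in through
a dependency's setup.py, must resolve to an artifact whose digest is listed.
A direct URL that points at a moving target such as archive/master.zip can
never satisfy that, because its content, and so its sha256, changes with
every commit to the branch.
"""
import hashlib
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Branch-style archive paths (GitHub/GitLab) whose content is mutable.
MUTABLE_REF = re.compile(
    r"/archive/(?:refs/heads/)?(?:master|main|develop|HEAD)\.(?:zip|tar\.gz)$"
)
# pip-compile style option; the space-separated "--hash sha256:..." form is not handled here.
HASH_OPT = re.compile(r"--hash=(sha256|sha384|sha512):([0-9a-fA-F]+)")
NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*")

MUTABLE_MSG = "direct URL points at a mutable branch archive; pin a commit id"
NOHASH_MSG = "no --hash while hash-checking mode is on"


@dataclass
class Requirement:
    name: str
    url: Optional[str]
    hashes: Dict[str, str] = field(default_factory=dict)


def parse_requirements(text: str) -> List[Requirement]:
    """Parse requirements.txt text, honouring backslash line continuations."""
    reqs = []
    for line in text.replace("\\\n", " ").splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        tokens = line.split()
        spec = " ".join(t for t in tokens if not t.startswith("--"))
        hashes = {}
        for opt in (t for t in tokens if t.startswith("--")):
            m = HASH_OPT.fullmatch(opt)
            if m:
                hashes[m.group(1)] = m.group(2).lower()
        head, _, url = spec.partition("@")     # "pkg @ https://..." or "pkg==1.0"
        m = NAME.match(head.strip())
        name = m.group(0) if m else head.strip()
        reqs.append(Requirement(name, url.strip() or None, hashes))
    return reqs


def lint(reqs: List[Requirement]) -> List[Tuple[str, str]]:
    """Return (name, problem) pairs that would make `pip install` fail or be unsafe."""
    hashed_mode = any(r.hashes for r in reqs)  # same trigger pip uses for --require-hashes
    problems = []
    for r in reqs:
        if r.url and MUTABLE_REF.search(r.url):
            problems.append((r.name, MUTABLE_MSG))
        if hashed_mode and not r.hashes:
            problems.append((r.name, NOHASH_MSG))
    return problems


def digest(alg: str, data: bytes) -> str:
    """Hex digest of data under the named algorithm (sha256, sha384, sha512)."""
    return hashlib.new(alg, data).hexdigest()


def verify_archive(data: bytes, hashes: Dict[str, str]) -> bool:
    """True only if every pinned digest matches the downloaded bytes; no pins means no trust."""
    return bool(hashes) and all(digest(alg, data) == want.lower() for alg, want in hashes.items())


# Constructed sample: version 0.0.0 and the all-zero digests are placeholders;
# the commit id and the master.zip URL are the ones quoted in the issue.
SAMPLE = """\
xlmmacrodeobfuscator==0.0.0 \\
    --hash=sha256:{z}
pyxlsb2 @ https://github.com/DissectMalware/pyxlsb2/archive/a751dc2c85f4134578232e0b1497d177775c2d2d.zip \\
    --hash=sha256:{z}
xlrd2 @ https://github.com/DissectMalware/xlrd2/archive/master.zip
""".format(z="0" * 64)

if __name__ == "__main__":
    for name, problem in lint(parse_requirements(SAMPLE)):
        print(f"{name}: {problem}")
```

Running the linter over the sample reports `xlrd2` twice: once for the mutable `master.zip` reference and once for lacking a hash while the other lines have one, which is exactly the combination that produced the `ERROR: Hashes are required` message above. Pinning the archive to a commit id, as the pyxlsb2 line does, clears the first finding; regenerating the file with pip-compile so every line carries a digest clears the second.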
doomedraven commented 2 years ago

One small note to clarify a bit more. In order to protect any Python project, pip-compile is used to enforce the sha256 of each package, to avoid a project hack and replacement of the content. The problem is when master.zip is specified: then on any update it breaks the security checks, as the sha256 won't match.

pip-compile comes from this neat project https://github.com/jazzband/pip-tools

DissectMalware commented 2 years ago

Fixed the issue by removing sources from setup.py

I also uploaded pyxlsb2 v0.0.8 and xlrd2 v1.3.4 to pypi

Will make sure that the pyxlsb2 and xlrd2 packages are updated more frequently, to avoid having to add sources to setup.py...