pyupio / safety

Safety checks Python dependencies for known security vulnerabilities and suggests the proper remediations for vulnerabilities detected.
https://safetycli.com/product/safety-cli
MIT License

CVE-2020-5252: another mitigation suggestion #348

Closed pawamoy closed 9 months ago

pawamoy commented 2 years ago

I believe it is possible to "undo" the patching of a malicious package as described in CVE-2020-5252, only if you are running safety as a library, in the same venv/process:

```python
import importlib
import sys

# undo the patching
# iterate over a copy: deleting from sys.modules while iterating it raises RuntimeError
for module in list(sys.modules):
    if module.startswith("safety.") or module == "safety":
        del sys.modules[module]

# didn't dig deep enough to ensure it's never needed
importlib.invalidate_caches()

# reload original, unpatched safety
from safety import safety
from safety.formatter import report
from safety.util import read_requirements

# check using safety as a library
packages = list(read_requirements(sys.stdin))  # or any other method to retrieve the list of packages
vulns = safety.check(packages=packages, ignore_ids="", key="", db_mirror="", cached=False, proxy={})
output_report = report(vulns=vulns, full=True, checked_packages=len(packages))
if vulns:
    print(output_report)
```

Maybe this could be done in safety itself, for example in the check click command body? But I guess it would be playing cat and mouse with exploit writers since that would be an "official" mitigation users rely upon.
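An added example (not the issue author's code and not part of safety) that reproduces the purge-and-re-import mitigation against a constructed stand-in package written to a temporary directory (the package name `demo_scanner` and its `check()` function are assumptions), and shows the caveat that comes with it: a reference bound before the purge still points at the patched module object, so only names re-imported afterwards see the unpatched code.

```python
import importlib
import os
import sys
import tempfile
import textwrap

# Constructed stand-in for the scanner: check() flags one known-bad name.
_PKG_SOURCE = textwrap.dedent('''
    def check(packages):
        return [p for p in packages if p == "vulnerable-pkg"]
''')


def make_package(name: str) -> str:
    """Write the constructed package to a temp dir and put it on sys.path."""
    root = tempfile.mkdtemp()
    pkg_dir = os.path.join(root, name)
    os.mkdir(pkg_dir)
    with open(os.path.join(pkg_dir, "__init__.py"), "w") as fh:
        fh.write(_PKG_SOURCE)
    sys.path.insert(0, root)
    return root


def purge_and_reimport(name: str):
    """The mitigation from the issue: drop every cached module of the package
    and import it again from disk. Iterating over a copy is required, since
    deleting from sys.modules while iterating it raises RuntimeError."""
    for mod in list(sys.modules):
        if mod == name or mod.startswith(name + "."):
            del sys.modules[mod]
    importlib.invalidate_caches()
    return importlib.import_module(name)


def demo(name: str = "demo_scanner"):
    make_package(name)
    scanner = importlib.import_module(name)
    before = scanner.check(["vulnerable-pkg", "safe-pkg"])
    # Simulate the effect CVE-2020-5252 describes: a patch that silences check().
    scanner.check = lambda packages: []
    silenced = scanner.check(["vulnerable-pkg"])
    fresh = purge_and_reimport(name)
    # The old module object still carries the patch; only names re-bound
    # after the purge see the unpatched code.
    stale = scanner.check(["vulnerable-pkg"])
    return before, silenced, stale, fresh.check(["vulnerable-pkg"])
```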