Simple Stupid Insecure Practices and GitHub's Code Search: A Looming Threat?

Abstract

Insecure coding practices are a known, long-standing problem in open-source development, and they take on a new dimension with the current capabilities for mining open-source software repositories through version control systems. Although most insecure practices require a sequence of interlinked behaviours, prior work also determined that simpler, one-liner coding practices can introduce vulnerabilities in the code. Such simple stupid insecure practices (SSIPs) can have severe security implications for package-based software systems, as they are easily spread over version-control systems. Moreover, GitHub is piloting regular-expression-based code searches across public repositories through its Code Search Technology, potentially simplifying the unearthing of SSIPs. As an exploratory case study, we focused on popular PyPI packages and analysed their source code using regular expressions (as done by GitHub's incoming search engine). The goal was to explore how detectable these simple vulnerabilities are and how exploitable Code Search Technology is. Results show that packages on lower versions are more vulnerable, that code injection is the most scattered issue, and that about 20% of the scouted packages have at least one vulnerability. Concerningly, malicious use of this engine was straightforward, raising severe concerns about the implications of a publicly available Code Search Technology.

Publication
Journal of Systems and Software, vol. 202, article 111698 (2023)


Preliminary Results

Our findings reveal that packages on lower versions (such as major version zero) are more prone to include SSIPs, and that "code injection" is the most scattered SSIP. About 20% of the scouted packages had at least one vulnerability, with some representing concerning outliers with high numbers of vulnerabilities. More concerningly, through a basic combination of regexes and a public list of insecure practices, we show that the malicious use of this incoming "Code Search" engine was straightforward.
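To make the measurement concrete, the following is an added example of the regex-based approach described above, written for this page and not taken from the paper: it applies a small set of line-level patterns to package sources and aggregates the results into the three quantities the case study reports (share of packages with at least one finding, the most common SSIP category, and the affected share split by major version). The pattern list, category names, package names and source snippets are all constructed for illustration; they are not the authors' pattern list or data set, and the patterns are deliberately narrow so that a real scan would need a curated, reviewed list.

```python
"""Regex-based scan for simple stupid insecure practices (SSIPs).

Constructed example: patterns, package names and sources are illustrative
and are not the paper's pattern list or data set.
"""
import re
from collections import Counter
from dataclasses import dataclass

# One regex per SSIP category (constructed). Narrow on purpose: a real list
# must be reviewed for false positives such as hits inside string literals.
SSIP_PATTERNS = {
    "code-injection": re.compile(r"\b(?:eval|exec)\s*\("),
    "command-injection": re.compile(r"\bsubprocess\.\w+\([^)]*\bshell\s*=\s*True\b"),
    "unsafe-deserialization": re.compile(r"\bpickle\.loads?\s*\("),
    "tls-verification-disabled": re.compile(r"\bverify\s*=\s*False\b"),
}


@dataclass(frozen=True)
class Finding:
    package: str
    line_no: int
    category: str
    snippet: str


def scan_source(package: str, source: str) -> list[Finding]:
    """Return one Finding per (line, category) hit; comment-only lines are skipped."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        for category, pattern in SSIP_PATTERNS.items():
            if pattern.search(line):
                findings.append(Finding(package, line_no, category, stripped))
    return findings


def major_version(package: str) -> int:
    """Major version from a 'name-X.Y.Z' identifier (constructed naming scheme)."""
    return int(package.rsplit("-", 1)[1].split(".")[0])


def summarise(packages: dict[str, str]) -> dict:
    """Aggregate findings: share of affected packages, most common category,
    and the affected share for major version 0 versus 1 and above."""
    per_package = {name: scan_source(name, src) for name, src in packages.items()}
    affected = {name for name, found in per_package.items() if found}
    by_category = Counter(f.category for found in per_package.values() for f in found)
    by_major: dict[str, list[int]] = {}
    for name in packages:
        bucket = "major-0" if major_version(name) == 0 else "major-1-plus"
        hit, total = by_major.setdefault(bucket, [0, 0])
        by_major[bucket] = [hit + int(name in affected), total + 1]
    return {
        "packages": len(packages),
        "affected": len(affected),
        "share_affected": len(affected) / len(packages),
        "by_category": dict(by_category),
        "most_common": by_category.most_common(1)[0][0] if by_category else None,
        "share_affected_by_major": {k: a / n for k, (a, n) in by_major.items()},
        "findings": per_package,
    }


# Constructed package sources; nothing here is executed, only scanned.
SAMPLE_PACKAGES = {
    "alpha-0.3.1": (
        "import subprocess\n\n"
        "def run(user_cmd):\n"
        "    # shell=True with caller-controlled input (constructed)\n"
        "    return subprocess.run(user_cmd, shell=True)\n\n"
        "def calc(expr):\n"
        "    return eval(expr)\n"
    ),
    "beta-2.4.0": (
        "import ast\nimport hashlib\n\n"
        "def parse(expr):\n"
        "    return ast.literal_eval(expr)\n\n"
        "def digest(data):\n"
        "    return hashlib.sha256(data).hexdigest()\n"
    ),
    "gamma-0.9.0": (
        "import pickle\nimport requests\n\n"
        "def load(blob):\n"
        "    return pickle.loads(blob)\n\n"
        "def fetch(url):\n"
        "    return requests.get(url, verify=False)\n\n"
        "def run_plugin(code):\n"
        "    exec(code)\n"
    ),
    "delta-1.2.0": "def add(a, b):\n    return a + b\n",
}

if __name__ == "__main__":
    report = summarise(SAMPLE_PACKAGES)
    for key in ("packages", "affected", "share_affected", "most_common",
                "by_category", "share_affected_by_major"):
        print(f"{key}: {report[key]}")
    for name, found in report["findings"].items():
        for f in found:
            print(f"  {name}:{f.line_no} [{f.category}] {f.snippet}")
```

The `\b` anchors are what keep `ast.literal_eval(` from counting as a `code-injection` hit, and the comment-line skip keeps a comment that mentions `shell=True` out of the tally; both are the kind of precision adjustment a pattern list needs before its per-package counts mean anything.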


Citation

@article{Go2023,
  title    = {Simple stupid insecure practices and GitHub's code search: A looming threat?},
  journal  = {Journal of Systems and Software},
  volume   = {202},
  pages    = {111698},
  year     = {2023},
  issn     = {0164-1212},
  doi      = {10.1016/j.jss.2023.111698},
  url      = {https://www.sciencedirect.com/science/article/pii/S0164121223000936},
  author   = {Ken Russel Go and Sruthi Soundarapandian and Aparupa Mitra and Melina Vidoni and Nicolás E. Díaz Ferreyra},
  keywords = {Python, GitHub code search, Simple stupid insecure practices},
}


Venue Impact

Venue impact according to the SCImago Journal & Country Rank (SJR) for the Journal of Systems and Software; the embedded ranking widget is not reproduced here.