Add security standard: No use of requests to download Python code/libraries for use in modules #50
Open: wants to merge 1 commit into base: main
12 changes: 12 additions & 0 deletions registry/standards.mdx
Expand Up @@ -71,3 +71,15 @@ Code obfuscation is prohibited in custom nodes.
Obfuscated code:
- Impossible to review and likely to be malicious

#### Use of `requests` or direct downloading to populate Python code or libraries for use in modules
The use of the `requests` library to download Python code from other repositories is not permitted.

#### Policy
Runtime package and library installation through `requests` calls, similar to `subprocess` calls to run `pip` installs and such, is not permitted.

#### Reasoning
The use of `requests` and other downloading libraries to directly download files can lead to injection of bad URLs via memory manipulation or by hijacked URLs. This leads to situations where insecure and unvetted code are downloaded and executed in your environment, including:
- Keyloggers
- Ransomware
- Data exfiltration and theft through unaudited code.
- Other malicious code execution
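Review bot: the heading "Use of `requests` or direct downloading ..." and the "Policy" paragraph below it state the same prohibition twice, and the "Reasoning" paragraph names a mechanism ("injection of bad URLs via memory manipulation") that this standard does not actually guard against; the concrete risk of fetching code at runtime and then importing or executing it is that the fetched bytes are unpinned and never pass registry review, so a hijacked domain, a compromised or renamed upstream repository, or a moved branch silently changes what runs without any change to the node itself. Suggest folding the one-line sentence under the first heading into the Policy paragraph, widening "the `requests` library" to "`requests`, `urllib`, or any other HTTP client, as well as `subprocess` calls to `pip`, `git` or `curl`" so the rule is not trivially sidestepped by switching libraries, and rewriting the Reasoning around "bypasses review and cannot be version-pinned or hash-checked" rather than memory manipulation. Also check the heading levels: `#### Policy` and `#### Reasoning` sit at the same depth as the standard's own `####` heading, so they render as sibling standards rather than as its subsections; if the earlier standards in this file nest them one level deeper, match that. Minor: the bullet list mixes a trailing period on "unaudited code." with none on the other items.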