ELI5: Pysa – A Safety-Targeted Static Evaluation Device for Python Code
In this post we explain Pysa, a static analysis tool for detecting and preventing security issues in Python code in a way that is very easy to understand (or as it is commonly known online, ELI5. If you are interested, by looking To Learn If you are listening, watch a video about this open source project on our Facebook Open Source Youtube channel.
Think about how large code bases are built. Many new changes could be proposed in a single day, and each change could have many touchpoints. It is important to test to see if there are any bugs in your code, especially bugs that can cause security problems.
Pysa, which stands for Python Static Analyzer, was designed to solve these problems. It tracks data as it flows through a program to quickly identify if there is a bug and highlights all of the affected code. When a problem is found, Pysa notifies the software or safety engineers so that they can fix the problem before the code change is ever reflected in the code base.
Here’s how it works. First of all, Pysa is a static analyzer that can analyze code without having to run it. To use it, the user must define sources (places where the data we are interested in comes from) as well as sinks (dangerous places where data from sources might end up). Let’s look at an example. Suppose we want to detect remote code execution (RCE), a known vulnerability in web applications. One source would be when user-controlled data is entered into the code, e.g. B. when accessing request.GET. A possible sink could be during code execution, e.g. B. executing subprocess.run (). Pysa would track the flow of user controlled data to see if it got into subprocess.run. This tracking is done through iterative rounds of analysis. Each round, summaries are made that keep track of which functions return data from the source and which functions ultimately pass data to the sink. If Pysa detects that the source is connecting to the sink, it will report a problem.
Where is it used?
Pysa was first offered as an open source solution in early 2018 as part of the Pyre project. At Facebook, we use Pysa extensively, based on the Instagram code. In the first half of 2020, 44% of the Instagram server issues identified by the security team were identified with Pysa. Outside of Facebook, Pysa has been integrated into open source projects such as Zulip. Pysa has identified security issues such as CVE-2019-19775 as well as Remote Code Execution (RCE) attacks, Server Side Request Forgeries (SSRF), Cross-Site Scripting (XSS) attacks and Open Redirect vulnerabilities.
Where can i learn more?
To learn more about Pysa, visit their website. It contains documentation for those who are just starting out or want to use more advanced features. If you’d like to see Pysa in action, the project’s Github repo has several Pysa tutorials and a related video to walk you through them.
If you have any questions, feel free to submit an issue on the Github repo.
If you have any further questions about Pysa, please let us know on our Youtube channel or by tweeting. We always want to hear from you, and we hope you find this open source project and the new ELI5 series useful.
About the ELI5 series
In a series of short videos (around 1 minute long) one of our developer attorneys on the Facebook Open Source team explains a Facebook Open Source project in a way that is easy to understand and use.
For each of these videos we are writing an accompanying blog post (like the one you are reading right now) that you can find on our YouTube channel.
To learn more about Facebook Open Source, visit our Open Source website, subscribe to our YouTube channel, or follow us on Twitter and Facebook.
Would you like to work with open source on Facebook? Check out our open source related job postings on our careers page by taking this short survey.