I've searched Google and Stack Overflow for this, so if it exists anywhere, my sincerest apologies. I'm (obviously) a newbie to Python, and one of my main concerns with finding a new module that does whatever new programming project comes my way is this:

What's preventing a module (once imported) from doing nefarious things, such as logging all keystrokes while the script is executing, then emailing that out?

Am I being paranoid? Is this not possible in Python? Is there a website where modules have been code reviewed, and people can download / install them without needing to worry? Do I have to read the code of every module / sub-module every time I download it to ensure this exact thing isn't happening?

I'm currently using Python 3.5.1 64-bit on Windows 8, but I doubt that's too relevant.

  • You shouldn't import arbitrary modules to begin with. It's not Python's fault. – Ryan Jun 03 '16 at 16:18
  • If you're downloading and running arbitrary shady software, you're hosed whether or not that software is a Python module. – user2357112 Jun 03 '16 at 16:19
  • If I wrote a module called "virus" which did useful things for your application, I'm not sure I would see a problem. It's like @self says - don't import arbitrary modules that you don't understand. – Makoto Jun 03 '16 at 16:19
  • I'm voting to close this question because it's more on-topic at [security.se], assuming it is not a duplicate, and once edited to fit their guidelines. – nanofarad Nov 23 '20 at 20:43

1 Answer

Nothing prevents it. That's one of the benefits of open-source software (in the strictest sense of "source code that I can view"): you can, in theory, examine it to see exactly what it does before actually running it.

In practice, you usually just extend some level of trust to the source:

  1. Is the module in wide use, such that others would have discovered or mentioned a problem in the first place?
  2. Did I get the module from a reputable source?
  3. Does the checksum of my copy match the checksum provided by my source?

If the answer to all three is yes, you can assume that the module isn't doing anything shady without explicitly verifying it yourself.

chepner
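Check 3 in the answer above (does the checksum of my copy match the one my source published?) is the one step a reader can mechanise. The script below is an added example, not code from the answer: it assumes the publisher ships a sha256sum-style SHA256SUMS file next to the archive; the archive name and its contents are constructed stand-ins.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path


def sha256_of_file(path, chunk_size=64 * 1024):
    """Hash a file in chunks so a large archive need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def parse_checksum_file(text):
    """Parse sha256sum-style lines ('HEX  name' or 'HEX *name') into {name: hex}."""
    expected = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.lstrip(" *")  # sha256sum writes two spaces, or ' *' in binary mode
        if len(digest) != 64 or not name:
            raise ValueError(f"malformed checksum line: {raw!r}")
        expected[name] = digest.lower()
    return expected


def verify_download(path, expected_hex):
    """True only if the file's SHA-256 equals the published value (constant-time compare)."""
    return hmac.compare_digest(sha256_of_file(path), expected_hex.lower())


def demo():
    """Constructed scenario: a good copy and a tampered copy of a hypothetical module archive."""
    with tempfile.TemporaryDirectory() as tmp:
        good = Path(tmp) / "somemodule-1.0.tar.gz"
        good.write_bytes(b"hello")  # stand-in for the real archive contents
        tampered = Path(tmp) / "somemodule-1.0-mirror.tar.gz"
        tampered.write_bytes(b"hello\x00")  # same name on a mirror, one byte changed
        # Constructed SHA256SUMS as the module's author would publish it.
        sums = parse_checksum_file(
            "# SHA256SUMS for somemodule 1.0\n"
            "2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824  somemodule-1.0.tar.gz\n"
        )
        published = sums["somemodule-1.0.tar.gz"]
        return verify_download(good, published), verify_download(tampered, published)


if __name__ == "__main__":
    print(demo())  # (True, False)
```

A matching checksum only tells you the copy is the one the publisher meant to ship (checks 1 and 2 still decide whether to trust that publisher), and it is only meaningful when the checksum comes from a different channel than the download itself.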