
I am trying to import libraries I have used previously to calculate metrics between texts, one being the evaluate package. When I import the package, it says the requests package has been hijacked.

I tried uninstalling python-requests, evaluate, and requests and reinstalling requests and evaluate, but nothing changed. I also tried installing python-dotenv. I have python==3.9.13 and requests==2.31.0.

This is the code, and the output it produces:

    from evaluate import load  # importing evaluate pulls in requests; the SystemExit below comes from there

    bertscore = load("bertscore")
    predictions = ["hello there", "general kenobi"]
    references = ["hello there", "general kenobi"]

    results = bertscore.compute(predictions=predictions, references=references, lang="en")

Output:

    Well . The `requests` library you installed has been been hijacked 
    An exception has occurred, use %tb to see the full traceback.

    SystemExit: 

Edit: Screenshot of terminal `pip freeze`

  • Sounds like you may have installed something else with a very similar name to `requests`. – user2357112 Jul 21 '23 at 19:02
  • Generally, this means what it says. Be more careful about `pip` commands, and/or about auditing the dependencies of the packages you install. (If you use `pip install python-requests` instead of `pip install requests`, f/e, there was something typosquatting there for a while; but `requests` is common enough to be a frequent target, so it's not like it has only one impersonator). – Charles Duffy Jul 21 '23 at 19:02
  • Can you update your question with the `pip freeze` result? – Abdul Niyas P M Jul 21 '23 at 19:02
  • (If you have a greybearded long-time sysadmin handy, ask them how they feel about modern packages -- especially in the npm world, but increasingly now in the Python data-science world as well -- with dependency chains that reach into the hundreds of packages; it's an utter mess, and congrats -- you stumbled into an example of why; everything in that chain is something you're trusting to install and run any code it wants on your computer). – Charles Duffy Jul 21 '23 at 19:06
  • @AbdulNiyasPM I added it – kraytdragon Jul 21 '23 at 21:31
  • @CharlesDuffy but it says I don't have python-requests installed, so what else could it be? – kraytdragon Jul 21 '23 at 21:31
  • pip isn't always right about everything -- it only knows what its bookkeeping tells it. `import requests`, then `print(requests.__file__)` to see where it's coming from. – Charles Duffy Jul 21 '23 at 22:43
  • If you can't get that far, there are plenty of options; you could use `importlib` to try to break down the import process into steps and stop before actual execution. You could use `strace` to run your Python interpreter to trace execution so you have a log of every file it read. You could use the PYTHONVERBOSE environment variable to tell the interpreter to log more of what it's doing... etc, etc, etc. – Charles Duffy Jul 21 '23 at 22:46
  • Try `PYTHONVERBOSE=2 python3 yourscript`, and read the log to see where the unwanted file is being read from. – Charles Duffy Jul 21 '23 at 22:48

2 Answers


You have apparently installed python-requests. Uninstall it.

wim

[TL;DR: specific solution at the bottom, OP needs to run step 2]

This happens because an installed package overwrote the original package's namespace (and files). While there may be cases where such behavior is actually desired, this isn't one of them. Packages like this attempt to exploit common typos or use confusing names similar to legitimate packages, so unsuspecting victims would install (and then run) them on their environments. Many packages using such practices are usually malicious, though sometimes this can happen in error, or as a proof-of-concept (which, while it may be annoying, is relatively innocent).

Generally speaking (not just for the specific package in question), it is hard to predict the extent of exposure; however, if this happens I'd suggest assuming that, at the very least, the Python environment is compromised, and in some cases the entire system may be as well. Generally I'd suggest searching for further information about such a package (hoping that you're not the first to encounter it), and following reputable suggestions. In some extreme cases it may be required to wipe and reinstall the entire OS.

Specific solution for python-requests==0.0.0.2

Seeing as this appears to be a proof-of-concept and does not execute malicious code (other than destroying requests), this can be fixed by first uninstalling python-requests, and since it overwrote the original package, repairing requests is also needed. Assuming you are using pip, follow these steps:

  1. First, remove the offending package with `pip uninstall -y python-requests`
     The `-y` flag prevents pip from asking for confirmation.
  2. Now, repair the original package with `pip install --force-reinstall requests`
     This will fix the installation, as it will rewrite the overtaken (and now deleted) files from the damaging package.

I would not recommend this for all such packages, only for this one, at this point in time, and for this specific version. There's nothing (at the moment) to stop the maintainer from actually injecting malicious code into newer releases of this package. Seeing as you have already uninstalled the package but are still stuck with a broken requests installation, simply fix the package (as mentioned in step 2), and you should be good to go.

micromoses