DEV Community

Bhavani Ravi
Bhavani Ravi

Posted on • Originally published at bhavaniravi.com on

Are your Secrets Safe In Python?

Are your Secrets Safe In Python?

On scrolling through Hackernews, I stumbled upon this article where Jesse points out how you or your organization can have secrets hidden in the form of pyc files.

While Jesse's code has scrolled through Github repos and intimated the code owners, there is a good chance that our private repo could have some hanging around.

I modified the code to scroll through Saama's private repositories. Gladly I didn't find any pyc files checked in.

You can use the same code to scroll through your private repositories.

Dependencies

pip install PyGithub
pip install uncompyle6

Enter fullscreen mode Exit fullscreen mode

Code

If you want to jump ahead to the whole code checkout the Github repo

  1. Import necessary packages
import base64
import io
import os
import tempfile
import uncompyle6
from github import Github

Enter fullscreen mode Exit fullscreen mode
  1. Authenticate with Github

Create a private access token and use it to authenticate yourself

GITHUB_KEY = <GITHUB_ACCESS_TOKEN>
g = Github(GITHUB_KEY)

Enter fullscreen mode Exit fullscreen mode
  1. Get all repos given an organization
repos = g.get_organization(<ORGANIZATION>).get_repos(type="private")

Enter fullscreen mode Exit fullscreen mode
  1. Find files with *.pyc extension
for repo in repos:
    print (repo)
    try:
        contents = repo.get_contents("")
    except:
        continue
    for file_ in contents:
        try:
            extension = file_.name.split(".")[1]
        except IndexError:
            extension = None
        if file_.name in secrets or ( extension and extension == "pyc"):
            items.append(file_)

Enter fullscreen mode Exit fullscreen mode
  1. If there are no pyc files, you are good to go
if not items:
    print ("No files found, you are good!")

Enter fullscreen mode Exit fullscreen mode
  1. If any pyc files might contain secrets decompile and print them out
for item in items:
    print(f"DECOMPILING REPO https://github.com/{item.repository.full_name}")
    print(f"OWNER TYPE: {item.repository.owner.type}")
    try:
        contents = base64.b64decode(item.content)
        with tempfile.NamedTemporaryFile(suffix=".pyc") as f:
            f.write(contents)
            f.seek(0)

            out = io.StringIO()
            uncompyle6.decompile_file(f.name, out)
            out.seek(0)
            print(out.read())
    except Exception as e:
        print(e)
        print(f"COULD NOT DECOMPILE REPO https://github.com/{item.repository.full_name}")
        continue
    print("\n\n\n")

Enter fullscreen mode Exit fullscreen mode

Top comments (0)