
fix: Emit warnings when files cannot be read instead of failing silently#3

Merged
Desperado merged 1 commit into Quality-Max:main from itinance:fix/log-skipped-files on Mar 26, 2026

fix: Emit warnings when files cannot be read instead of failing silently#3
Desperado merged 1 commit intoQuality-Max:mainfrom
itinance:fix/log-skipped-files

Conversation

@itinance
Contributor

Summary

Replace all silent except (OSError, PermissionError): continue blocks with warnings.warn() calls so that unreadable files are surfaced in test output.

Problem

The scanner silently skips files it cannot read — in 8 separate locations:

try:
    content = pth_file.read_text(errors="replace")
except (OSError, PermissionError):
    continue  # ← silently skipped, no record

Why this is a security concern

An attacker who understands this scanner's behavior could restrict file permissions on malicious files to evade detection:

# Attacker's malicious post-install script
chmod 000 /path/to/site-packages/evil_package/__init__.py
chmod 000 /path/to/site-packages/malicious.pth

With the current code, the scanner would:

  1. Attempt to read the malicious file
  2. Get a PermissionError
  3. Silently skip it
  4. Report "all tests passed" — a false negative

The operator would have no indication that files were skipped, creating a false sense of security.

Affected scan areas

This silent-skip pattern exists in every major scanning function:

| Test | What gets silently skipped |
| --- | --- |
| test_no_suspicious_pth_files | .pth files with suspicious patterns |
| test_pth_files_are_path_only | .pth files with executable imports |
| test_no_encoded_exfiltration_payloads | Package __init__.py files |
| test_no_string_concat_obfuscation | Package __init__.py files |
| test_no_suspicious_egg_info_scripts | Post-install scripts |
| test_no_setup_py_with_network_calls | setup.py files |
| test_no_unexpected_pth_files | Unexpected .pth files |
| test_no_credential_exfiltration_in_startup | Startup .pth files |

Fix

Every except (OSError, PermissionError) block now emits a warning via warnings.warn():

except (OSError, PermissionError) as exc:
    warnings.warn(f"Could not read {pth_file}: {exc}", stacklevel=1)
    continue

Why warnings.warn() instead of print() or logging

  • warnings.warn() integrates natively with pytest — warnings are collected and displayed in the test summary, making them impossible to miss.
  • It avoids adding a logging dependency or configuration burden.
  • Users can control warning behavior with standard -W pytest flags (e.g., -W error to treat skipped files as failures).

OWASP Reference

  • A09:2021 – Security Logging and Monitoring Failures: The scanner's inability to report files it could not analyze constitutes a monitoring gap that can be exploited.

Replace all silent `except (OSError, PermissionError): continue` blocks
with `warnings.warn()` calls so that skipped files are visible in test
output. Silent failures allow attackers to evade the scanner by
restricting file permissions on malicious code.
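The scanner shape the description sketches, as an added example that is not code from this PR or from the Quality-Max project: a minimal .pth scanner that records every unreadable file in its result and raises a warning for it, plus a fail-closed variant equivalent to running pytest with -W error. The fixture directory, the file names (benign.pth, sneaky.pth, evil.pth), the regex and the ScanResult type are all assumptions made for the example. The unreadable file is simulated as a directory named evil.pth rather than with chmod 000, because chmod 000 does not stop a root process from reading the file, so a test relying on it would pass or fail depending on who runs it.

```python
import re
import tempfile
import warnings
from dataclasses import dataclass, field
from pathlib import Path

# A .pth line starting with "import " is exec()'d by site.py at interpreter
# startup; everything else is treated as a path entry. (Assumed detection rule.)
_EXEC_PTH_LINE = re.compile(r"^\s*import\s+")


@dataclass
class ScanResult:
    findings: list = field(default_factory=list)  # (path, line_no, stripped line)
    skipped: list = field(default_factory=list)   # (path, reason) for unreadable files


def scan_pth_files(site_packages: Path, *, warn: bool = True) -> ScanResult:
    """Scan every .pth file directly under site_packages for executable lines.

    Unreadable files are never dropped silently: each one is recorded in
    result.skipped and, by default, surfaced with warnings.warn(), which pytest
    collects into its warnings summary.
    """
    result = ScanResult()
    for pth_file in sorted(site_packages.glob("*.pth")):
        try:
            content = pth_file.read_text(errors="replace")
        except (OSError, PermissionError) as exc:
            result.skipped.append((pth_file, f"{type(exc).__name__}: {exc}"))
            if warn:
                warnings.warn(f"Could not read {pth_file}: {exc}", stacklevel=2)
            continue
        for line_no, line in enumerate(content.splitlines(), 1):
            if _EXEC_PTH_LINE.match(line):
                result.findings.append((pth_file, line_no, line.strip()))
    return result


def scan_fail_closed(site_packages: Path) -> ScanResult:
    """Same scan, but any skipped file aborts it (what -W error does under pytest)."""
    with warnings.catch_warnings():
        warnings.simplefilter("error")  # UserWarning becomes an exception
        return scan_pth_files(site_packages)


def build_demo_site_packages(root: Path) -> Path:
    """Constructed fixture, not real packages: one benign .pth, one .pth with an
    executable import, and evil.pth as a directory so read_text() raises
    IsADirectoryError (an OSError) regardless of the caller's privileges."""
    sp = root / "site-packages"
    sp.mkdir()
    (sp / "benign.pth").write_text("/opt/vendor/lib\n")
    (sp / "sneaky.pth").write_text("/opt/vendor/lib\nimport os; os.system('id')\n")
    (sp / "evil.pth").mkdir()
    return sp


def run_demo(warn: bool = True):
    """Run the scan over the fixture; return the result and the warning messages
    that a test runner would have collected."""
    with tempfile.TemporaryDirectory() as tmp:
        sp = build_demo_site_packages(Path(tmp))
        with warnings.catch_warnings(record=True) as caught:
            warnings.simplefilter("always")
            result = scan_pth_files(sp, warn=warn)
    return result, [str(w.message) for w in caught]


def demo_fail_closed() -> bool:
    """True if the fail-closed scan aborted on the unreadable file."""
    with tempfile.TemporaryDirectory() as tmp:
        sp = build_demo_site_packages(Path(tmp))
        try:
            scan_fail_closed(sp)
        except UserWarning:
            return True
    return False


if __name__ == "__main__":
    res, msgs = run_demo()
    for path, line_no, line in res.findings:
        print(f"FINDING {path.name}:{line_no}: {line}")
    for path, reason in res.skipped:
        print(f"SKIPPED {path.name}: {reason}")
    print("fail-closed scan aborted:", demo_fail_closed())
```

Keeping the skipped list on the result, not only in the warning stream, is the check a practitioner wants: a CI wrapper can assert `not result.skipped` independently of how warnings are filtered, and the warning text still reaches the pytest summary for anyone reading the run.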
@Desperado
Contributor

Good catch — permission-based evasion is a real attack pattern. Visibility > silence.

@Desperado Desperado merged commit e35b843 into Quality-Max:main Mar 26, 2026
1 check passed