Skip to content

fix: Add pytest-cov.pth to known-safe allowlists (false positive)#7

Merged
Desperado merged 1 commit intoQuality-Max:mainfrom
itinance:fix/allowlist-pytest-cov-pth
Mar 26, 2026
Merged

fix: Add pytest-cov.pth to known-safe allowlists (false positive)#7
Desperado merged 1 commit intoQuality-Max:mainfrom
itinance:fix/allowlist-pytest-cov-pth

Conversation

@itinance
Copy link
Copy Markdown
Contributor

@itinance itinance commented Mar 26, 2026

Summary

Add pytest-cov.pth to the known-safe allowlists in both test_no_suspicious_pth_files and test_no_credential_exfiltration_in_startup, fixing two false-positive test failures.

Problem

When pytest-cov is installed (which is very common — it's one of the most popular pytest plugins), two tests fail with false positives:

Failure 1: test_no_suspicious_pth_files

CRITICAL: Suspicious .pth files detected (potential supply chain attack):
  pytest-cov.pth: ['executable import: import os, sys;exec(...)', 
                    'suspicious pattern: exec\\s*\\(', 
                    'suspicious pattern: subprocess']

Failure 2: test_no_credential_exfiltration_in_startup

CRITICAL: Startup files attempting to access sensitive paths:
  pytest-cov.pth: references .env

Why pytest-cov uses a .pth file

pytest-cov needs to measure coverage in subprocesses spawned during test runs. Since pytest plugins don't propagate into child processes, pytest-cov installs a .pth file that hooks into Python interpreter startup:

import os, sys
exec('if "COV_CORE_SOURCE" in os.environ:\n  from pytest_cov.embed import init\n  init()')

This checks the COV_CORE_SOURCE environment variable and, if present, initializes coverage tracking. The .env false positive comes from the substring os.environ matching the .env exfiltration target pattern.

This is the same mechanism used by other already-allowlisted packages:

  • _virtualenv.pth — virtualenv startup hook
  • a1_coverage.pth / coverage.pth — coverage.py startup hook
  • distutils-precedence.pth — setuptools path configuration

Impact on users

Any user who has pytest-cov installed (directly or transitively) will see these two tests fail on every run, which:

  • Produces alert fatigue from false positives
  • May cause users to distrust or disable the scanner
  • Masks real threats behind noise

Fix

Add pytest-cov.pth to both allowlists:

test_no_suspicious_pth_files (line 326):

known_safe_pth_files = {
    "distutils-precedence.pth",
    "_virtualenv.pth",
    "a1_coverage.pth",
    "coverage.pth",
    "pytest-cov.pth",  # pytest-cov -- subprocess coverage via startup hook
}

test_no_credential_exfiltration_in_startup (line 648):

known_safe = {
    "distutils-precedence.pth",
    "_virtualenv.pth",
    "virtualenv.pth",
    "a1_coverage.pth",
    "coverage.pth",
    "pytest-cov.pth",
}

Verification

With this fix applied, all 17 tests pass (14 pass, 3 skip due to no requirements.txt):

======================== 14 passed, 3 skipped in 0.30s =========================

@itinance
fix: Add pytest-cov.pth to known-safe allowlists
1ea0fb7 
pytest-cov installs a .pth file that uses exec() and references
os.environ at interpreter startup to enable subprocess coverage
tracking. This is legitimate behavior but triggers false positives
in the .pth file injection and credential exfiltration tests.
@Desperado
Copy link
Copy Markdown
Contributor

Desperado commented Mar 26, 2026

Good catch — pytest-cov uses the same .pth startup hook pattern as coverage.py for subprocess coverage collection. Legitimate allowlist entry.

@Desperado Desperado merged commit 4243cd4 into Quality-Max:main Mar 26, 2026
1 check passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@itinance @Desperado