I'm making a simple project where I will have a downloadable scraper on an HTML website. The scraper is made in Python and is converted to a .exe file for downloading purposes. Inside the python code, however, I included a Google app password to an email account, because the scraper sends an email and I need the server to login with an available Google account. Whilst .exe files are hard to get source code for, I've seen that there are ways to do so, and I'm wondering, how could I make it so that anyone who has downloaded the scraper.exe file cannot see the email login details that I will be using to send them an email when the scraper needs to? If possible, maybe even block them from accessing any of the .exe source code or bytecode altogether? I'm using the Python libraries bs4 and requests.
Additionally, this is off-topic, however, as it is my first time developing a downloadable file, even whilst converting the Python file to a .exe file, my antivirus picked it up as a suspicious file. This is like a 50 line web scraper and obviously doesn't have any malicious code within it. How can I make the code be less suspicious to antivirus programs?
Sadly, even today there is no perfect solution to this problem.
The ideal use case is to provide this secret_password from a web application, but in your case that seems unlikely since you are building a rather small desktop app.
The best and easiest way is to create a function providing this secret_password in a separate file, and compile this file with Cython, which will obfuscate your script (and your secret_password) to a very good extent. Will this protect you from, let's say, Anonymous or a state security agency? No. Here comes the reasonable thinking about how secret and important your password really is and by whom you can mainly be harmed.
Finally, before compiling you can 'salt' your script or further obfuscate it with bcrypt or other libraries.
As for your second question, antiviruses and specifically Windows don't like programs running without installers and unsigned.
You can use Inno Setup to create a real-life program installer.
If you want to deal with UAC or other issues related to unsigned programs, you can sign your program (this will cost money).
Firstly, why is it even sending them an email? Since they'll be running the .exe, it can pop up a window and offer to save the file. If an email must be sent, it can be from the user's gmail rather than yours.
Secondly, using your gmail account in this way may be against the terms of service. You could get your account suspended, and it may technically be a felony in the US. Consult a lawyer if this is a concern.
To your question, there's basically no way to obfuscate the password that will be more than a mild annoyance to anyone with the least interest. At the end of the day, (a) the script runs under the control of the user, potentially in a VM or a container, potentially with network communications captured; and (b) at some point it has to decrypt and send the password. Decoding and following either the script, or the network communications that it makes will be relatively straightforward for anyone who wants to put in quite modest effort.
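The point (b) above, that the script must eventually decrypt the password and hand it to the mail library, is worth seeing concretely, because it applies equally to the Cython-compiled or "salted" variants from the earlier answer. The following is an added example, not code from either answer: a scraper that hides its password behind a fixed XOR (the blob, the 0x2A key and the account name are constructed for this demo), and the one-line hook a user needs to read the plaintext out of it. No decompiling is involved; the script is simply run inside an interpreter whose `smtplib.SMTP` has been swapped for a class that records what it is given.

```python
import smtplib

# Constructed demo: the credential the question wants to hide, stored the way
# such scripts usually do it (a fixed XOR, here with 0x2A, so it never appears
# as a string literal). The value and the key are made up for this example.
_KEY = 0x2A
_BLOB = bytes([75, 90, 90, 7, 90, 75, 89, 89, 93, 69, 88, 78, 7, 27, 24, 25])
_ACCOUNT = "scraper@example.com"   # assumed account name


def _reveal() -> str:
    """The de-obfuscation step every such scheme must contain somewhere."""
    return bytes(b ^ _KEY for b in _BLOB).decode()


def send_report(body: str) -> None:
    """What the shipped scraper does: log in with the hidden password and send."""
    # smtplib.SMTP is looked up through the module at call time, which is
    # exactly what `import smtplib` code does, so a replacement class is used.
    server = smtplib.SMTP("smtp.gmail.com", 587)
    server.starttls()
    server.login(_ACCOUNT, _reveal())
    server.sendmail(_ACCOUNT, ["owner@example.com"], body)
    server.quit()


class _CapturingSMTP:
    """Stand-in for smtplib.SMTP: records what the script hands it, sends nothing."""
    captured: dict = {}

    def __init__(self, host: str, port: int = 0, **kwargs) -> None:
        _CapturingSMTP.captured["host"] = host

    def starttls(self, **kwargs) -> None:
        pass

    def login(self, user: str, password: str, **kwargs) -> None:
        _CapturingSMTP.captured["user"] = user
        _CapturingSMTP.captured["password"] = password

    def sendmail(self, *args, **kwargs) -> dict:
        return {}

    def quit(self) -> None:
        pass


def recover_credentials() -> dict:
    """The 'attack': swap the SMTP class, run the script, read what it logged in with.

    No cryptanalysis of the XOR and no bytecode reading is needed: the script has
    to call login() with the plaintext, and the user controls the interpreter.
    """
    original = smtplib.SMTP
    smtplib.SMTP = _CapturingSMTP
    try:
        send_report("monthly scrape results")
    finally:
        smtplib.SMTP = original
    return dict(_CapturingSMTP.captured)


if __name__ == "__main__":
    creds = recover_credentials()
    print(f"account={creds['user']!r} password={creds['password']!r} via {creds['host']}")
```

The same swap works against a frozen .exe, because the bundled interpreter still imports `smtplib` from files the user can edit, and the same result falls out of a TLS-intercepting proxy on the user's machine (point (a) above). The only fix that survives is the one the answer gives: do not ship the credential at all.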
Our company has recently added an automatic filter to all incoming Emails (O365) that rewrites URLs to some redirection service that is both unreliable and buggy. Additionally I hate it if a link is replaced by some garbage service I have not opted in to. Imagine it like a man-in-the-middle attack on your inbox.
So I wrote a Python script that can replace the rewritten links with the original ones. Currently I'm saving the email contents to a file, use the script and then copy & paste the output back. Evidently, this is not a good solution.
What I am trying to achieve is a way to do this automatically from inside Outlook, but I am open to other suggestions. I would like a solution to use Python since I'm comfortable with it, but if there is a different way that can handle this problem I'm open for that also.
I have created a really cool Python program that I want all of my friends to try out. I really want to put the running code onto a website so people can try it all around the world. Is it possible to run Python code on a HTML page? If so, how?
In answer to your question: Yes, this is possible.
If you merely want to share your code with your friends, and allow them to try it out (even without them having Python installed), in browser, then there are a number of tools that you can use.
For example, with https://trinket.io/ you can embed a snippet of Python code in an HTML webpage or share it via a link.
Update:
Another alternative online Python site is http://repl.it/. Repl.it has compiled the CPython interpreter into JavaScript, using an LLVM -> JavaScript compiler. It is open source, so you could even self-host if you wanted. Caveat: some of the libraries still have bugs in them.
The simple pedestrian solution is to create a WSGI wrapper. You can configure your web server to accept input through a form (typically) and feed that to your Python program as input, then display the program's output as the response to the form submission. Thus your program runs on the server -- which needs to have the required services and resources -- but the user interaction happens simply using the client's web browser.
There are more-complex interaction models but this is how the entire web 1.0 was set up and is quick and easy to get going. (The spec back then was the similar platform-independent CGI API.)
This question is a bit far-fetched (I don't even know if the way I'm going about doing this is correct).
I have a script that gathers some information on a computer. The intent is to have that script ftp/sftp/any-transfer etc some data to a remote server. This script is intended to be distributed among many people also.
Is it possible to hide the password/user of remote server in the script (or perhaps even the implementation details?). I was thinking of encoding it in some way. Any suggestions?
Also, in compiled languages like java or C, is it safe to just distribute around a compiled version of the code?
Thanks.
The answer is no. You can't put the authentication details into the program and make it impossible for users to get those same authentication details. You can try to obfuscate them, but it is not possible to ensure that they cannot be read.
Compiling the code will not even obfuscate them very much.
One approach to the problem would be to implement a REST web interface and supply each distribution of the program with an API key of some sort. Then set up the program to connect to the interface over SSL using its key and put whatever information it needs there. Then you could track which version is connecting from where and limit each distribution of the program to updating a restricted set of resources on the server. Furthermore you could use server heuristics to guess if an api key has leaked and block an account if that occurs.
Another way would be if all of the hosts/users of the program are trusted, then you could set up user accounts on a server node and each script could authenticate with its own username and password or SSH key. Your server node would then have to restrict access based on what each user is allowed to update. Using SSH key based authentication allows you to avoid leaving the passwords around while still allowing authenticated access to your server.
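The REST-with-API-key design in the answer above (one key per distribution, a restricted set of resources per key, server-side leak heuristics) is easy to sketch as code. What follows is an added example, not code from the answer: the server-side key registry only, with keys stored as SHA-256 digests so that a database dump is not a list of working credentials, per-key resource scopes, manual revocation, and a crude "used from too many addresses" heuristic. `MAX_DISTINCT_CLIENTS`, the resource names and the labels are assumptions for the demo; transport over TLS is assumed, since the key is a bearer credential.

```python
import hashlib
import secrets
from dataclasses import dataclass, field

# Assumed policy for the constructed demo: a key seen from more than this many
# client addresses is treated as leaked and switched off.
MAX_DISTINCT_CLIENTS = 3


@dataclass
class KeyRecord:
    label: str                       # which distribution/recipient this key went to
    allowed: frozenset                # resources this key may update
    revoked: bool = False
    seen_from: set = field(default_factory=set)   # client addresses observed


class KeyRegistry:
    """Server side of the scheme: per-distribution API keys, stored only as hashes."""

    def __init__(self) -> None:
        self._records = {}            # sha256(key) -> KeyRecord

    @staticmethod
    def _digest(key: str) -> str:
        # Keys are high-entropy random tokens, so an unsalted SHA-256 is enough to
        # keep the store from being a plaintext key list; no password KDF needed.
        return hashlib.sha256(key.encode("utf-8")).hexdigest()

    def issue(self, label: str, allowed) -> str:
        """Mint a key for one distribution. The plaintext is returned once and not kept."""
        key = secrets.token_urlsafe(32)
        self._records[self._digest(key)] = KeyRecord(label, frozenset(allowed))
        return key

    def revoke(self, key: str) -> None:
        rec = self._records.get(self._digest(key))
        if rec is not None:
            rec.revoked = True

    def authorize(self, key: str, resource: str, client_addr: str) -> bool:
        """Decide whether this key may update `resource`, and watch for leaks.

        Only call this for requests that arrived over TLS: the key is a bearer
        credential and travels in the clear inside the connection.
        """
        rec = self._records.get(self._digest(key))
        if rec is None or rec.revoked:
            return False
        rec.seen_from.add(client_addr)
        if len(rec.seen_from) > MAX_DISTINCT_CLIENTS:
            rec.revoked = True          # the leak heuristic the answer suggests
            return False
        return resource in rec.allowed


if __name__ == "__main__":
    reg = KeyRegistry()
    k = reg.issue("build-42", {"reports/build-42"})
    print(reg.authorize(k, "reports/build-42", "10.0.0.5"))   # in scope
    print(reg.authorize(k, "reports/build-7", "10.0.0.5"))    # out of scope
```

A leaked key in this design costs you one distribution's write access to its own resources, nothing more, and `revoke()` ends it without touching any other client. Compare that with the question's plan, where one shared password leaking means every copy of the script has to be reissued.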
Just set the name to "username" and password to "password", and then when you give it to your friends, provision an account/credential that's only for them, and tell them to change the script and be done with it. That's the best/easiest way to do this.
To add to jmh's comments and answer another part of your question: it is possible to decompile the Java from the .class bytecode and get almost exactly what the .java file contains, so that won't help you. C is more difficult to piece back together, but again, it's certainly possible.
I sometimes compress credentials with zlib and compile to a .pyo file.
It protects from "open in editor and press Ctrl+F" and from non-programmers only.
Sometimes I used PGP cryptography.
I know that with SimpleHTTPServer I can make my directories accessible to web browsers via the Internet. So, I run just one line of code and, as a result, another person working on another computer can use his/her browser to see the contents of my directories.
But I wonder if I can do more complicated things. For example, somebody uses his/her browser to load my Python program with a set of parameters (example.py?x=2&y=2) and, as a result, he/she sees the HTML page generated by the Python program (not the Python program itself).
I also wonder if I can process an HTML form submitted to the SimpleHTTPServer.
While it is possible, you have to do pretty much everything yourself (parsing request parameters, handling routing, etc.).
If you are not looking to get experience in creating web-frameworks, but just want to create a small site you should probably use a minimalistic framework instead.
Try Bottle, a simple single-file web framework: http://bottlepy.org
Maybe the VerseMatch project and related recipes over at ActiveState is something you would be interested in examining? It implements a small application using the standard library for dynamic running.
Have you considered using CGIHTTPServer instead of SimpleHTTPServer? Then you can toss your scripts in cgi-bin and they'll execute. You have to include a Content-Type header and whatnot, but if you're looking for quick and dirty it's really convenient.
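Both the WSGI-wrapper answer to the earlier question and the answers to this one (parse the parameters yourself, or let CGIHTTPServer run a script) come down to the same few steps: read the query string or form body, run the program, and return its output as HTML. The following is an added example, not code from any of the answers, written for Python 3's `wsgiref` (the standard-library successor of the SimpleHTTPServer/CGIHTTPServer modules named above). It serves `example.py?x=2&y=2` from the question, accepts the same parameters from a POST form, escapes the client-supplied value before putting it into the page, and bounds the body read to the declared Content-Length. The `compute()` function stands in for whatever `example.py` does and is an assumption; `call()` drives the app in-process with a hand-built environ so it can be exercised without opening a socket.

```python
import html
import io
from urllib.parse import parse_qs
from wsgiref.simple_server import make_server


def compute(params: dict) -> str:
    """The 'program' behind example.py: assumed to add x and y and greet a name."""
    x = int(params.get("x", ["0"])[0])      # ValueError if not an integer
    y = int(params.get("y", ["0"])[0])
    name = params.get("name", ["world"])[0]
    return f"hello {name}, {x} + {y} = {x + y}"


FORM = (
    '<form method="post">'
    'name: <input name="name"> x: <input name="x"> y: <input name="y"> '
    '<input type="submit" value="run">'
    "</form>"
)


def application(environ, start_response):
    """WSGI entry point: one route, GET with a query string or POST with a form."""
    plain = [("Content-Type", "text/plain; charset=utf-8")]
    if environ.get("PATH_INFO") != "/example.py":
        start_response("404 Not Found", plain)
        return [b"not found"]

    if environ.get("REQUEST_METHOD") == "POST":
        # Read exactly the declared length; an absent or bogus header means "no body".
        try:
            length = int(environ.get("CONTENT_LENGTH") or 0)
        except ValueError:
            length = 0
        body = environ["wsgi.input"].read(length).decode("utf-8", "replace")
        params = parse_qs(body)
    else:
        params = parse_qs(environ.get("QUERY_STRING", ""))

    try:
        result = compute(params)
    except ValueError:
        start_response("400 Bad Request", plain)
        return [b"x and y must be integers"]

    # The result contains client-supplied text (name): escape it before it becomes HTML.
    page = f"<!doctype html><h1>{html.escape(result)}</h1>{FORM}"
    start_response("200 OK", [("Content-Type", "text/html; charset=utf-8")])
    return [page.encode("utf-8")]


def call(method: str, path: str, query: str = "", body: bytes = b"") -> tuple:
    """Drive the app in-process with a hand-built environ, no socket involved."""
    environ = {
        "REQUEST_METHOD": method,
        "PATH_INFO": path,
        "QUERY_STRING": query,
        "CONTENT_LENGTH": str(len(body)),
        "wsgi.input": io.BytesIO(body),
    }
    seen = {}

    def start_response(status, headers):
        seen["status"] = status

    out = b"".join(application(environ, start_response)).decode("utf-8")
    return seen["status"], out


if __name__ == "__main__":
    # Then open http://127.0.0.1:8000/example.py?x=2&y=2 in a browser.
    with make_server("127.0.0.1", 8000, application) as httpd:
        httpd.serve_forever()
```

The `html.escape()` call is the part a quick CGI script most often omits: anything echoed from the request into the page is otherwise a reflected cross-site scripting hole, even on a toy server on your own machine.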
I'm building a centralized desktop application using Python/wxPython. One of the requirements is User authentication, which I'm trying to implement using LDAP (although this is not mandatory).
Users of the system will be mechanical and electrical engineers making budgets, and the biggest problem would be industrial espionage. It's a common problem that leaks occur from the bottom in informal ways, and this could pose problems. The system is set up in such a way that every user has access to all and only the information they need, so that no one person but the people on top has monetary information on the whole project.
The problem is that, for every way I can think of to implement the authentication system, Python's openness makes me think of at least one way of bypassing it or getting sensitive information from the system, because "compiling" with py2exe is the closest I can get to obfuscation of the code on Windows.
I'm not really trying to hide the code, but rather make the authentication routine secure by itself, in such a way that access to the code doesn't mean the capability to access the application. One thing I wanted to add was some sort of code signing for the access routine, so the user can be sure that he is not running a modified client app.
One of the ways I've thought to avoid this is making a C module for the authentication, but I would rather not have to do that.
Of course this question is changing now and is not just "Could anyone point me in the right direction as to how to build a secure authentication system running in Python? Does something like this already exist?", but "How do you harden a scripting language (Python) against wrongful modification?"
How malicious are your users? Really.
Exactly how malicious?
If your users are evil sociopaths and can't be trusted with a desktop solution, then don't build a desktop solution. Build a web site.
If your users are ordinary users, they'll screw the environment up by installing viruses, malware and keyloggers from porn sites before they try to (a) learn Python (b) learn how your security works and (c) make a sincere effort at breaking it.
If you actually have desktop security issues (i.e., public safety, military, etc.) then rethink using the desktop.
Otherwise, relax, do the right thing, and don't worry about "scripting".
C++ programs are easier to hack because people are lazy and permit SQL injection.
Possibly:
The user enters their credentials into the desktop client.
The client says to the server: "Hi, my name is username and my password is password".
The server checks these.
The server says to the client: "Hi, username. Here is your secret token: ..."
Subsequently the client uses the secret token together with the username to "sign" communications with the server.
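The five steps above can be made concrete. What follows is an added example, not code from the answer: the server stores a salted PBKDF2 hash rather than the password, the login step (which still carries the password and so must run over TLS) returns a token id plus a token secret, and every later request is signed with an HMAC over the method, path, body hash, timestamp and a fresh nonce, so the secret itself never goes on the wire again and a captured request cannot be replayed or altered. The round counts, lifetimes, skew window, user name and paths are assumptions for the demo. Note what this does and does not buy the questioner: it authenticates the user and protects the channel, but the server still cannot tell a modified client from a genuine one, which is the point the other answer makes.

```python
import hashlib
import hmac
import secrets
import time

PBKDF2_ROUNDS = 100_000       # assumed; tune to the server's hardware
TOKEN_LIFETIME = 3600         # seconds; assumed
CLOCK_SKEW = 300              # seconds a request timestamp may be off; assumed


def sign(secret: bytes, token_id: str, timestamp: int, nonce: str,
         method: str, path: str, body: bytes) -> str:
    """HMAC over everything the server must be able to trust about a request."""
    msg = "\n".join([token_id, str(timestamp), nonce, method, path,
                     hashlib.sha256(body).hexdigest()]).encode("utf-8")
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


class AuthServer:
    def __init__(self) -> None:
        self._users = {}        # username -> (salt, pbkdf2 hash)
        self._sessions = {}     # token_id -> (username, token_secret, expiry)
        self._seen_nonces = set()

    def add_user(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
        self._users[username] = (salt, digest)

    def login(self, username: str, password: str):
        """Steps 2-4: check the password once, hand back a token id and secret."""
        rec = self._users.get(username)
        if rec is None:
            return None
        salt, stored = rec
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
        if not hmac.compare_digest(candidate, stored):
            return None
        token_id, token_secret = secrets.token_hex(8), secrets.token_bytes(32)
        self._sessions[token_id] = (username, token_secret, time.time() + TOKEN_LIFETIME)
        return token_id, token_secret

    def verify(self, req: dict):
        """Step 5: return the username if the request is validly signed, else None."""
        sess = self._sessions.get(req["token_id"])
        if sess is None:
            return None
        username, secret, expiry = sess
        now = time.time()
        if now > expiry or abs(now - req["timestamp"]) > CLOCK_SKEW:
            return None
        if req["nonce"] in self._seen_nonces:      # replay of a captured request
            return None
        expected = sign(secret, req["token_id"], req["timestamp"], req["nonce"],
                        req["method"], req["path"], req["body"])
        if not hmac.compare_digest(expected, req["signature"]):
            return None
        self._seen_nonces.add(req["nonce"])
        return username


class Client:
    """Desktop side: keeps the token secret in memory and never sends it again."""

    def __init__(self, token_id: str, token_secret: bytes) -> None:
        self._id, self._secret = token_id, token_secret

    def request(self, method: str, path: str, body: bytes = b"") -> dict:
        ts, nonce = int(time.time()), secrets.token_hex(8)
        return {
            "token_id": self._id, "timestamp": ts, "nonce": nonce,
            "method": method, "path": path, "body": body,
            "signature": sign(self._secret, self._id, ts, nonce, method, path, body),
        }


if __name__ == "__main__":
    server = AuthServer()
    server.add_user("alice", "correct horse battery staple")   # constructed account
    token_id, token_secret = server.login("alice", "correct horse battery staple")
    client = Client(token_id, token_secret)
    req = client.request("GET", "/budgets/project-7")
    print(server.verify(req))        # the username
    print(server.verify(req))        # None: same nonce, treated as a replay
```

The nonce set grows without bound here; a real server would key it by token and drop entries older than `CLOCK_SKEW`, since anything older is rejected by the timestamp check anyway. Authorisation (which budget lines a given user may see) belongs on the server, keyed by the username `verify()` returns, never in the client.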