In this post, we explain Pysa, a static analysis tool that detects and prevents security issues in Python code, in a way that is super simple to understand (or, as it's commonly known online, ELI5). If you're interested in learning by watching or listening, check out the video about this open source project on our Facebook Open Source YouTube channel.
Consider how large code bases are built: in a single day, many new changes can be proposed, and each change can touch many parts of the system. It is important to test whether a change introduces bugs, especially bugs that could cause security issues.
Pysa, which stands for Python Static Analyzer, was developed to help catch these issues. It tracks how data flows through a program, finds flows that constitute security bugs (for example, untrusted input reaching a dangerous operation) and highlights all the affected code. When an issue is found, Pysa alerts the software engineers or security engineers so they can fix the bug before the code change is ever merged into the codebase.
Here's how it works. Pysa is a static analyzer, which means it reasons about code without running it. To use it, you tell Pysa what counts as a source (a place where the data you care about, such as user input, enters the program) and what counts as a sink (a dangerous operation that such data should never reach unchecked). Pysa ships with models for common frameworks, and additional sources and sinks are declared in a taint.config file and .pysa model stubs.
Let's look at an example. Say we want to detect remote code execution (RCE), a well-known class of web application vulnerability. A source would be the point where user-controlled data enters the code, such as a read from request.GET. A sink would be a point where code or commands get executed, such as a call to subprocess.run(). Pysa tracks the flow of user-controlled data to see whether it can reach subprocess.run(). It does this with iterative rounds of analysis: each round builds summaries that record which functions return data originating from a source and which functions eventually pass their arguments on to a sink, and the next round uses those summaries when it analyzes the callers. When the summaries show a path from a source to a sink, Pysa reports an issue. Because the analysis is conservative, it also reports flows that pass through validation it does not recognize, so input-checking functions need to be modeled as sanitizers for those reports to go away.
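To make the source-to-sink tracking concrete, here is an added toy illustration written for this post. It is not Pysa's code and is far simpler than Pysa's real analysis; it only reproduces the mechanism described above: each function gets two summaries (does it return source data, and which of its parameters reach a sink), the summaries are rebuilt in rounds until they stop changing, and callers are then checked against them. The source (request.GET) and sink (subprocess.run) match the example in the text; the scanned program, including its function names, is constructed for the illustration.

```python
# Added toy illustration of Pysa-style source/sink taint tracking, not Pysa's own code.
# It shows only the mechanism the text describes: per-function summaries built in rounds.
import ast

SOURCE_OBJ, SOURCE_ATTR = "request", "GET"   # source: user-controlled query data
SINK_MOD, SINK_FUNC = "subprocess", "run"    # sink: command execution

# Constructed sample program for the analyzer to scan (not real application code).
SAMPLE = '''
import subprocess
ALLOWED = {"list": ["ls", "-l"], "date": ["date"]}
def get_cmd(request):
    return request.GET["cmd"]            # returns data from the source
def run(cmd):
    subprocess.run(cmd, shell=True)      # forwards its argument to the sink

def view(request):
    c = get_cmd(request)
    run(f"echo {c}")                     # source reaches sink through two summaries

def hardened_view(request):
    choice = request.GET["cmd"]
    if choice not in ALLOWED:
        return "unknown command"
    subprocess.run(ALLOWED[choice])      # argv comes from a fixed table, no shell
'''


def _is_source(node):
    """Match request.GET[...], request.GET.get(...) or bare request.GET."""
    if isinstance(node, ast.Subscript):
        node = node.value
    elif isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute) and node.func.attr == "get":
        node = node.func.value
    return (isinstance(node, ast.Attribute) and node.attr == SOURCE_ATTR
            and isinstance(node.value, ast.Name) and node.value.id == SOURCE_OBJ)


def _flow(fn, seeds, include_sources, returns_source, sink_params):
    """Propagate taint through one function; seeds are parameter names tainted on
    entry. Returns (return_value_tainted, sink_reached)."""
    tainted, nodes = set(seeds), list(ast.walk(fn))

    def is_tainted(e):
        if include_sources and _is_source(e):
            return True
        if isinstance(e, ast.Name):
            return e.id in tainted
        if isinstance(e, ast.Call):
            if isinstance(e.func, ast.Name) and e.func.id in returns_source:
                return True              # summary: callee returns source data
            # conservative: any other call propagates taint from its arguments
            return any(is_tainted(a) for a in e.args) or any(is_tainted(k.value) for k in e.keywords)
        if isinstance(e, ast.JoinedStr):
            return any(is_tainted(v) for v in e.values)
        if isinstance(e, ast.FormattedValue):
            return is_tainted(e.value)
        if isinstance(e, ast.BinOp):
            return is_tainted(e.left) or is_tainted(e.right)
        if isinstance(e, (ast.Attribute, ast.Subscript)):
            return is_tainted(e.value)   # taint follows the container, not the index
        return False

    def hits_sink(call):
        f = call.func
        if (isinstance(f, ast.Attribute) and f.attr == SINK_FUNC
                and isinstance(f.value, ast.Name) and f.value.id == SINK_MOD):
            return any(is_tainted(a) for a in call.args) or any(is_tainted(k.value) for k in call.keywords)
        if isinstance(f, ast.Name) and f.id in sink_params:
            # summary: callee forwards these argument positions to a sink
            return any(i < len(call.args) and is_tainted(call.args[i]) for i in sink_params[f.id])
        return False

    while True:                          # fixpoint over assignments (loops, branches)
        before = len(tainted)
        for n in nodes:
            if isinstance(n, ast.Assign) and is_tainted(n.value):
                tainted.update(t.id for t in n.targets if isinstance(t, ast.Name))
        if len(tainted) == before:
            break
    returns = any(isinstance(n, ast.Return) and n.value is not None and is_tainted(n.value) for n in nodes)
    sink = any(isinstance(n, ast.Call) and hits_sink(n) for n in nodes)
    return returns, sink


def analyze(code):
    """Build summaries in rounds until nothing changes, then report functions
    in which source data reaches a sink."""
    funcs = {n.name: n for n in ast.parse(code).body if isinstance(n, ast.FunctionDef)}
    returns_source, sink_params, rounds, changed = set(), {name: set() for name in funcs}, 0, True
    while changed:
        changed, rounds = False, rounds + 1
        for name, fn in funcs.items():
            if name not in returns_source and _flow(fn, (), True, returns_source, sink_params)[0]:
                returns_source.add(name)
                changed = True
            for i, p in enumerate(fn.args.args):
                if i not in sink_params[name] and _flow(fn, {p.arg}, False, returns_source, sink_params)[1]:
                    sink_params[name].add(i)
                    changed = True
    issues = sorted(n for n, fn in funcs.items() if _flow(fn, (), True, returns_source, sink_params)[1])
    return {"returns_source": sorted(returns_source),
            "sink_params": {k: sorted(v) for k, v in sink_params.items() if v},
            "issues": issues, "rounds": rounds}
```

Running analyze(SAMPLE) reports only view: get_cmd is summarized as returning source data, run as forwarding its first parameter to the sink, and view connects the two through an f-string. hardened_view is not reported because the argument handed to subprocess.run comes from the fixed ALLOWED table rather than from the request, and no shell is involved. The summaries stabilize after the second round, which is the "iterative rounds of analysis" the text refers to.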
Where is it used?
Pysa was first open sourced in early 2018 as part of the Pyre project. At Facebook, we use Pysa extensively on Instagram's code base. In the first half of 2020, 44% of Instagram server issues found by the security team were found using Pysa. Outside of Facebook, Pysa has been incorporated into open source projects such as Zulip. Pysa has detected security issues such as CVE-2019-19775, as well as remote code execution (RCE), server-side request forgery (SSRF), cross-site scripting (XSS) and open redirect vulnerabilities.
Where can I learn more?
To learn more about Pysa, visit the Pysa website. It contains documentation both for those who are just starting out and for those who want to use more advanced features. If you would like to see Pysa in action, the project's GitHub repo has several Pysa tutorials and an accompanying video to walk you through them.
If you have any questions, you can file an issue on the GitHub repo.
If you have any further questions about Pysa, let us know on our YouTube channel or by tweeting at us. We always want to hear from you and hope you will find this open source project and the new ELI5 series useful.
About the ELI5 series
In a series of short videos (~1 min in length), one of our Developer Advocates on the Facebook Open Source team explains a Facebook open source project in a way that is easy to understand and use.
We will write an accompanying blog post (like the one you’re reading right now) for each of these videos, which you can find on our YouTube channel.
Interested in working with open source at Facebook? Check out our open source-related job postings on our career page by taking this quick survey.
Facebook-Meta Earns the ‘Worst Company of 2021’ Title in This Survey
Facebook parent Meta has been named the Worst Company of the Year (2021) by Yahoo Finance respondents. According to the publication, an "open-ended" survey was published on Yahoo Finance on December 4 and 5, in which 1,541 respondents participated. Facebook received 8 percent of the write-in vote, but respondents were seemingly mad about the Robinhood trading app as well. Electric truck startup Nikola, which was named last year's worst company by the same publication, also faced respondents' ire.
Yahoo Finance even highlights, "At the same time, some critics, including conservatives, say Facebook over-policed the platform's speech and stifled their voices." Critics also blame Facebook and other social media platforms for not curbing the hate speech that led to the Capitol riot.
However, around 30 percent of Yahoo Finance readers said that Facebook or Meta could redeem itself. One respondent suggested that the company could issue a formal apology for negligence and donate a sizable amount of its profits to a foundation to help reverse its harm.
On the other hand, respondents chose Microsoft as the Company of the Year (2021). The Satya Nadella-led company passed the $2 trillion market value mark this year and introduced notable upgrades, most notably Windows 11, the OS update that succeeds Windows 10.
Facebook pays 1.7 Cr fine to Russia after failing to delete content Moscow deems illegal
In the latest legal tussle with Russia over its controversial social media regulation laws, Facebook paid 17 million roubles (Rs 1.7 crore) for failing to remove content deemed illegal by Moscow. With the threat of potentially larger fines looming, Facebook parent company Meta, controlled by Mark Zuckerberg, is scheduled to face court next week over repeated violations of Russian content legislation, Interfax News Agency reported. As per the latest updates, the social media giant could be fined a percentage of its annual revenue.
In October, Moscow sent state bailiffs to enforce the collection of the 17 million roubles. Meanwhile, according to an Interfax report citing a federal bailiffs' database, further enforcement proceedings were opened against the company on Sunday. Apart from the popular social media app, Telegram has also paid 15 million roubles in fines for failing to comply with the Russian social media legislation that came into force in 2016.
Facebook pays $53k to Russia for refusing controversial social media laws
It is pertinent to mention that Facebook had locked horns with Moscow earlier, in November, paying 4 million roubles ($53,000) over its refusal to adhere to Russian data localisation laws, the Moscow Times reported. The Moscow court said on November 25 that Facebook had paid the fine levied in February, following which all proceedings against the US-based social media giant were closed. The payment stems from litigation filed against the company in 2018, alongside Twitter. The tech companies were also forced to pay an additional 3,000 roubles ($40) for failing to comply with user data sharing rules under the law. The Russian authorities have also previously blocked LinkedIn, owned by Microsoft, for failing to abide by the laws.
Russian social media laws
As per the Moscow Times, under the Russian social media regulation laws, all foreign technology companies are required to store data on Russian customers and users on servers located in Russia. Additionally, technology companies operating in Russia must share encryption keys with the federal authorities and record users' calls, messages and civil society group conversations. The apparatus is described as a severe breach of privacy rights and as unfettered back-door access to personal data that could be used to harass Kremlin critics.
Facebook Messenger Is Launching a Split Payments Feature for Users to Quickly Share Expenses
Meta has announced the arrival of a new Split Payments feature in Facebook Messenger. This feature, as the name suggests, lets you calculate and split expenses with others right from Facebook Messenger, giving you an easier way to share the cost of bills and expenses, for example splitting a dinner bill with friends. Using Split Payments, Facebook Messenger users will be able to split bills evenly or modify the contribution for each individual, including their own.
The company announced the new Split Payments feature in a blog post. 9to5Mac reports that the bill-splitting feature is still in beta and will be exclusive to US users at first, with the rollout beginning early next week. As mentioned, it will help users share the cost of bills, expenses and payments. This is especially useful for those who share an apartment and need to split the monthly rent and other expenses with their flatmates, and it could also come in handy at a group dinner with many people.
With Split Payments, users enter the number of people the expense needs to be divided among and, by default, the amount entered is divided into equal parts. A user can also modify each person's contribution, including their own. To use Split Payments, tap the Get Started button in a group chat or the Payments Hub in Messenger. Users can adjust the contributions in the Split Payments option and send a notification to everyone who needs to pay. After entering a personalised message and confirming your Facebook Pay details, the request is sent and is viewable in the group chat thread.
Once someone has made their payment, you can mark their transaction as 'completed'. The Split Payments feature automatically takes your own share into account as well and calculates the amount owed accordingly.
Tasneem Akolawala is a Senior Reporter for Gadgets 360. Her reporting expertise encompasses smartphones, wearables, apps, social media, and the overall tech industry. She reports out of Mumbai, and also writes about the ups and downs in the Indian telecom sector. Tasneem can be reached on Twitter at @MuteRiot, and leads, tips, and releases can be sent to firstname.lastname@example.org.