2

This question is directly connected to my last question, however tackles a different topic so I am opening a new one.

As mentioned there I am getting an error relating to a missing SSL cert. The error does not appear when the script is started from Terminal, using PyCharm or running from VSCode, but without the debugger. Only when the script is run with the debugger, the exception is thrown.

After debugging a while I have found that the reason for the problem is the environment variable os.environ['SSL_CERT_FILE'] which in this case leads to a non-existing C:\\Users\\MYUSER~1\\AppData\\Local\\Temp\\_MEI97082\\certifi\\cacert.pem

  1. Starting the script without the debugger or in PyCharm, this variable is not set (debugging the imported minio package showed me that the result of certifi.where() is used if the variable is empty.
  2. With the debugger on, it is set before any of my script is executed (import os and print out all environment variables in the first line)
  3. If I manually delete the variable with del os.environ['SSL_CERT_FILE'] the rest of the script works fine, but the variable is again set in the next run
  4. I am using python 3.11, MiniConda and Windows 10, Visual Studio Code is updated to the last version 1.77.0
  5. Setting the environment variable in launch.json with "env": {"SSL_CERT_FILE": "foo"} will override the varible as expected, however as soon as I remove this line the wrong value appears again.
  6. The part "..\\_MEI247522\\..." in the value will change from run to run
  7. Creating a completely new folder/project the problem still exists
  8. I also tested with another python environment (Python 3.9.7) and the problem still is the same.
  9. From user @Horsing's suggestion: I have also removed all the code from my script, except for import os. As soon as os is imported and I can inspect os.environ, the environment variable is already set.

I honestly have no idea, where and why this variable is set when the script is run in the debugger and what triggers it. Any help would be much appreciated, since manually deleting it is not really a good solution!

Addition Here is the Python Debug Console output in VS Code (with my username changed). For this I have removed the launch.json and started the debugger with Python:File

complete code:

import os
print(os.environ.get('SSL_CERT_FILE'))

console output:

(minio) PS C:\Users\myuser\Documents\source\Python\minio-project>  c:; cd 'c:\Users\myuser\Documents\source\Python\minio-project'; & 'C:\Users\myuser\Miniconda3\envs\minio\python.exe' 'c:\Users\myuser\.vscode\extensions\ms-python.python-2023.6.0\pythonFiles\lib\python\debugpy\adapter/../..\debugpy\launcher' '60007' '--' 'C:\Users\myuser\Documents\source\Python\minio-project\main.py' 
C:\Users\MYUSER~1\AppData\Local\Temp\_MEI223042\certifi\cacert.pem

Again, the printed path does not exist on my computer

Roland Deschain
  • 2,211
  • 19
  • 50
  • Is it useful if you configure `SSL_CERT_FILE` in *Launch.json*? – JialeDu Apr 05 '23 at 08:33
  • @JialeDu I think so - I have to try it you. What I am wondering is, why is this variable even set here? It shouldn't, right? I'm not sure, if this is an issue on my side, or some VSCode bug. Anyway I will test out setting it in the launch.json :) – Roland Deschain Apr 05 '23 at 08:40
  • @JialeDu setting the environment to a random value ("foo") works as well. – Roland Deschain Apr 07 '23 at 07:17
  • Glad to know you've found the solution to resolve this issue! Please consider accepting it as the answer to change its status to Answered. See [can I answer my own question..](https://stackoverflow.com/help/self-answer), Just a reminder :) – JialeDu Apr 07 '23 at 07:21
  • @JialeDu thanks for the tip, but I still would be very much interested as to why (and where) this variable is wrongly set in the first place. Setting a environment variable in `launch.json` that I don't even want to use can only be a temporary solution I think. – Roland Deschain Apr 07 '23 at 07:29
  • Check about your local `.env` configuration and your `virtual env` settings in `visual studio code` settings, such as `Venv Folders` and `Venv Path`. Or just try debugging from the first line to checkout who set the envrionment. – Horsing Apr 07 '23 at 07:49
  • @Horsing Just checked. `Python: Venv Path` and `Python: Venv Folders` are both empty. Additionally there is no `.env` file set in the workspace folder. – Roland Deschain Apr 07 '23 at 07:58
  • @RolandDeschain Then I guess you'd better debugging from the first line to check the environment to figure out which part modify it. – Horsing Apr 07 '23 at 08:15
  • @Horsing sorry overlooked that in your last comment. I have tested it and added the result as point #9 in my list above. – Roland Deschain Apr 07 '23 at 08:50
  • Is your problem related to Python at all? Is this variable set if you start a new `cmd` prompt? – tripleee Apr 07 '23 at 09:19
  • @RolandDeschain Could you please paste your original debugging command line options? As what I know, debugging in vscode will show original command line options in the beginning. Maybe here we can know something. Together with launch.json part maybe helpful. – Horsing Apr 07 '23 at 09:33
  • @tripleee sorry for the wait... the variable is not set in a new cmd prompt. – Roland Deschain Apr 07 '23 at 10:42
  • @Horsing I will add the complete debug console output to the OP – Roland Deschain Apr 07 '23 at 10:42
  • @RolandDeschain Can I know which version of the python extension you are using now? I'm going to dig into the extension to check how the `Python:File` work. – Horsing Apr 07 '23 at 13:42
  • 1
    @Horsing In the meantime I also reported the issue on vscode githb repo. There is all the information about my system, versions and extensions: https://github.com/microsoft/vscode/issues/179447 – Roland Deschain Apr 07 '23 at 13:49

2 Answers2

0

I have not found the reason this problem appeared, but after a complete clean re-intall (which neatly got me into this issue :-/ ) the problem is gone and the environment variable is not set anymore.

I will post this issue as a bug on the conda repo since it seems to be an their issue, at least as far as I can tell.

Roland Deschain
  • 2,211
  • 19
  • 50
0

The path set in the SSL_CERT_FILE variable is suspiciously similar to what you would get when running a python application packaged by PyInstaller for windows.

Since the _MEI directory name is changing with each run, part of the code between the last place you can consistently not see SSL_CERT_FILE set and your python test program must be unpacking a PyInstaller package, running some code, then continuing on with executing the python interpreter with the modified environment.

This behavior could be due to malware that has inserted itself somewhere in the code path when you execute python.exe inside the minio conda environment. This could be in a library loaded by the debugger, or for some reason only the debugging path activates that particular malware. Maybe the malware is looking for web browser behavior and the debugpy satisfies those requirements (it does open a network socket).

Why would the malware modify SSL_CERT_PATH? Probably to perform a man-in-the-middle attack against ssl/https traffic, stealing passwords, banking credentials, session keys, etc. Why is the file not actually present? Maybe the malware crashed, maybe it failed when attaching to a process that isn't actually a web browser, or the specific software it's targeting.

M Virts
  • 173
  • 5