How to determine the source of an import?

Question

Forgive my ignorance here. I don't read Python well and I can't write it at all.

I'm trying to audit a python project for CVE-2013-1445. I believe found a source file that might need attention (among other opportunities for improvement). The file is util.py, and it has the line:

import base64

from Crypto.Hash import HMAC
from Crypto import Random
...

When I look at the Python crypto docs, I don't see mention of a Random class. Only hashlib and hmac:

The modules described in this chapter implement various algorithms of a
cryptographic nature. They are available at the discretion of the
installation. On Unix systems, the crypt module may also be available.
Here’s an overview:

    15.1. hashlib — Secure hashes and message digests
    15.2. hmac — Keyed-Hashing for Message Authentication

...

Where precisely is Random coming from? Is it native or third party?

Or should my question be, where is Crypto coming from? If Crypto its third party, how do I determine how/where third party libraries and classes are included (versus native libraries and classes)?

For completeness, I tried to understand Python's Scopes and Namespaces, but it makes no sense to me at the moment (as this question probably demonstrates). For example, there is no obvious Scope or Namespace for Crypto or Random (other than Random is part of Crypto).

Thanks in advance.

Answer 1

Crypto is not part of any standard Python distribution. That's why the Python docs don't mention it ;-) You can download the source here:

https://www.dlitz.net/software/pycrypto/

Answer 2

Are you asking where the file is stored? Modules have an attribute named __file__ which lists the path the module on disk.

>>> from Crypto import Random
>>> Random.__file__
'/home/ubuntu/.env/local/lib/python2.7/site-packages/Crypto/Random/__init__.pyc'

(In my case, PyCrypto is installed in a a virtualenv in my home dir)