Bandit rules (Rule / Description / Example / KPI)

B101 assert_used
  Description: Use of assert detected. The enclosed code will be removed when compiling to optimised byte code.
  Example:
    assert logged_in
    display_assets()
  KPI: Maintainability

B102 exec_used
  Description: Use of exec detected.
  Example:
    exec("do evil")
    exec "do evil"
  KPI: Maintainability

B103 set_bad_file_permissions
  Description: Chmod setting a permissive mask (for example 0o777) on a file.
  Example:
    os.chmod('/etc/hosts', 0o777)
    os.chmod('/tmp/oh_hai', 0x1ff)
    os.chmod('/etc/passwd', stat.S_IRWXU
  KPI: Maintainability

B104 hardcoded_bind_all_interfaces
  Description: Possible binding to all interfaces.
  Example:
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(('0.0.0.0', 31137))
    s.bind(('192.168.0.1', 8080))
  KPI: Maintainability

B105 hardcoded_password_string
  Description: Possible hardcoded password: 'root'
  Example:
    def someFunction2(password):
        if password == "root":
            print("OK, logged in")
  KPI: Maintainability

B106 hardcoded_password_funcarg
  Description: Possible hardcoded password: 'blerg'
  Example:
    doLogin(password="blerg")
  KPI: Maintainability

B107 hardcoded_password_default
  Description: Possible hardcoded password: 'Admin'
  Example:
    def someFunction(user, password="Admin"):
        print("Hi " + user)
  KPI: Maintainability
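The three hardcoded-password rules (B105, B106, B107) all point at the same fix: the secret must not be a literal in the source. The following is an added example, not code from this page or from Bandit, showing the flagged comparison next to a hardened one that stores a salted PBKDF2-HMAC-SHA256 digest (instead of the md5/sha1 that B303 reports), compares in constant time, and takes the deployment secret from the environment with no built-in default. The variable name ADMIN_PASSWORD and the iteration count are assumptions for the example.

```python
import hashlib
import hmac
import os
import secrets
from typing import Mapping, Optional, Tuple

# Assumed work factor for the example; tune to your hardware budget.
PBKDF2_ITERATIONS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted, slow hash of a password. The (salt, digest) pair is what gets stored,
    never the plaintext, and never an md5/sha1 of it (B303)."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def check_password_flagged(password: str) -> bool:
    """The B105 pattern: the secret itself is a string literal in the code."""
    return password == "root"


def check_password(password: str, salt: bytes, stored_digest: bytes) -> bool:
    """Hardened check: recompute under the stored salt and compare in constant time,
    so a wrong guess takes the same time whether it differs in byte 1 or byte 32."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, stored_digest)


def admin_password(env: Mapping[str, str] = os.environ, var: str = "ADMIN_PASSWORD") -> str:
    """Replaces a default such as password="Admin" (B107): the value is injected at
    deploy time (ADMIN_PASSWORD is an assumed name) and the function fails closed
    rather than silently using a shipped default."""
    value = env.get(var)
    if not value:
        raise RuntimeError(f"{var} is not set; refusing to fall back to a built-in default")
    return value


if __name__ == "__main__":
    salt, digest = hash_password("correct horse battery staple")
    print(check_password("correct horse battery staple", salt, digest))  # True
    print(check_password("Tr0ub4dor&3", salt, digest))                   # False
```

The stored digest is only as good as the salt being unique per user; `secrets.token_bytes` gives that, `random` (B311) does not.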
B108 hardcoded_tmp_directory
  Description: Probable insecure usage of temp file/directory.
  Example:
    tmp_dirs: ['/tmp', '/var/tmp', '/dev/shm']
  KPI: Maintainability
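B103 (permissive chmod) and B108 (hardcoded temp directory), together with the later B306 (tempfile.mktemp) and B325 (os.tempnam), share one underlying problem: a file in a world-writable directory with a guessable name and loose permissions can be pre-created or symlinked by another local user. This added example (not from the page or from Bandit) shows the flagged patterns beside the `tempfile.mkstemp` replacement and an owner-only permission mask; the file prefix and contents are constructed for the example.

```python
import os
import stat
import tempfile


def hardcoded_tmp_path(name: str) -> str:
    """The B108 pattern being replaced: a fixed, world-writable directory and a
    name the attacker can predict and plant ahead of time."""
    return os.path.join("/tmp", name)


def create_private_file(content: bytes, suffix: str = ".txt") -> str:
    """B108/B306 replacement: mkstemp chooses an unpredictable name inside tempfile's
    directory (honouring TMPDIR) and opens it with O_CREAT|O_EXCL and mode 0o600, so a
    pre-planted file or symlink at that name makes the call fail instead of being followed."""
    fd, path = tempfile.mkstemp(prefix="report-", suffix=suffix)  # prefix is an example value
    try:
        os.write(fd, content)
    finally:
        os.close(fd)
    return path


def file_mode(path: str) -> int:
    """Permission bits only (S_IMODE strips the file-type bits from st_mode)."""
    return stat.S_IMODE(os.stat(path).st_mode)


def make_world_writable(path: str) -> int:
    """The B103 pattern: os.chmod with 0o777 (same mask as 0x1ff in the rule's example)."""
    os.chmod(path, 0o777)
    return file_mode(path)


def restrict_to_owner(path: str) -> int:
    """B103 fix: grant the owner read/write only. Returns the resulting mode for checking."""
    os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)  # 0o600
    return file_mode(path)


def read_back(path: str) -> bytes:
    with open(path, "rb") as fh:
        return fh.read()


if __name__ == "__main__":
    p = create_private_file(b"secret")
    print(oct(file_mode(p)))  # 0o600 straight from mkstemp
    os.remove(p)
```

`mkstemp` returns an already-open descriptor precisely so that the create-then-open window in which a symlink could be swapped in never exists; write through that descriptor rather than reopening the path.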
B110 try_except_pass
  Description: A pass in the except block (the exception is silently swallowed).
  Example:
    try:
        do_some_stuff()
    except Exception:
        pass
  KPI: Maintainability

B112 try_except_continue
  Description: A continue in the except block (the exception is silently swallowed).
  Example:
    while keep_going:
        try:
            do_some_stuff()
        except Exception:
            continue
  KPI: Maintainability

B201 flask_debug_true
  Description: A Flask app appears to be run with debug=True, which exposes the Werkzeug debugger and allows the execution of arbitrary code.
  Example:
    app.run(debug=True)
  KPI: Maintainability

B501 request_with_no_cert_validation
  Description: Requests call with verify=False disabling SSL certificate checks, security issue. Only the verify=False call is reported; the verify=True calls are shown for contrast.
  Example:
    requests.get('https://gmail.com', verify=True)
    requests.get('https://gmail.com', verify=False)
    requests.post('https://gmail.com', verify=True)
  KPI: Maintainability

B502 ssl_with_bad_version
  Description: ssl.wrap_socket call with insecure SSL/TLS protocol version identified, security issue.
  Example:
    ssl.wrap_socket(ssl_version=ssl.PROTOCOL_SSLv3)
    ssl.wrap_socket(ssl_version=ssl.PROTOCOL_TLSv1)
  KPI: Maintainability

B503 ssl_with_bad_defaults
  Description: Function definition identified with insecure SSL/TLS protocol version by default, possible security issue.
  Example:
    def open_ssl_socket(version=SSL.SSLv2_METHOD): pass
  KPI: Maintainability

B504 ssl_with_no_version
  Description: ssl.wrap_socket call with no SSL/TLS protocol version specified; the default SSLv23 could be insecure, possible security issue.
  Example:
    ssl.wrap_socket(
  KPI: Maintainability
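B501 through B504 (and B323 below) are all about a client that either accepts any certificate or negotiates a protocol version that is no longer safe. The added example below is not code from the page or from Bandit: it builds the client context a reviewer should expect in place of `ssl.wrap_socket(...)` or `verify=False`, shows what the flagged unverified context actually looks like, and gives a check that can be run against any `SSLContext` a program hands to a client. The host, port and timeout in `open_tls` are assumed values and that function needs the network, so it is not exercised by the checks.

```python
import socket
import ssl


def make_client_context() -> ssl.SSLContext:
    """Replacement for ssl.wrap_socket(...) with PROTOCOL_SSLv3/TLSv1 or no version at all
    (B502/B504): create_default_context() turns on certificate verification against the
    system trust store and hostname checking; the minimum version is pinned explicitly
    instead of being left to whatever the interpreter build defaults to."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def flagged_context() -> ssl.SSLContext:
    """What requests' verify=False and ssl._create_unverified_context() (B501/B323)
    amount to: verify_mode is CERT_NONE, so a forged certificate is accepted."""
    return ssl._create_unverified_context()


def context_is_hardened(ctx: ssl.SSLContext) -> bool:
    """The three properties to assert on any context used for an outbound client."""
    return (
        ctx.verify_mode == ssl.CERT_REQUIRED
        and ctx.check_hostname is True
        and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2
    )


def open_tls(host: str, port: int = 443, timeout: float = 5.0) -> ssl.SSLSocket:
    """Connect with the hardened context. server_hostname is what drives SNI and the
    hostname check; omitting it silently weakens the connection. Needs the network."""
    ctx = make_client_context()
    raw = socket.create_connection((host, port), timeout=timeout)
    return ctx.wrap_socket(raw, server_hostname=host)


if __name__ == "__main__":
    print(context_is_hardened(make_client_context()))  # True
    print(context_is_hardened(flagged_context()))      # False
```

For the `requests` calls in B501 the equivalent is simply to leave `verify` at its default (or point it at a CA bundle path); there is no supported way to pass an `SSLContext` to `requests.get` directly.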
B505 weak_cryptographic_key
  Description: DSA key sizes below 1024 bits are considered breakable (the check also reports RSA keys below 1024 bits and EC keys below 224 bits).
  Example:
    dsa.generate_private_key(512, backends.default_backend())
    rsa.generate_private_key(3,
  KPI: Maintainability

B506 yaml_load
  Description: Use of unsafe yaml.load, which allows instantiation of arbitrary Python objects from the document. Consider yaml.safe_load().
  Example:
    ystr = yaml.dump({'a': 1, 'b': 2, 'c': 3})
    y = yaml.load(ystr)
    yaml.dump(y)
  KPI: Maintainability

B507 ssh_no_host_key_verification
  Description: Paramiko call with policy set to automatically trust the unknown host key.
  Example:
    ssh_client = client.SSHClient()
    ssh_client.set_missing_host_key_policy(client.AutoAddPolicy)
    ssh_client.set_missing_host_key_policy(client.WarningPolicy)
  KPI: Maintainability

B601 paramiko_calls
  Description: Possible shell injection via Paramiko call, check inputs are properly sanitized.
  Example:
    paramiko.exec_command('something; really; unsafe')
  KPI: Maintainability

B602 subprocess_popen_with_shell_equals_true
  Description: subprocess call with shell=True seems safe, but may be changed in the future; consider rewriting without shell. Only the shell=True call is reported.
  Example:
    subprocess.check_call(['/bin/ls', '-l'], shell=False)
    subprocess.check_call('/bin/ls -l', shell=True)
  KPI: Maintainability

B603 subprocess_without_shell_equals_true
  Description: subprocess call - check for execution of untrusted input.
  Example:
    subprocess.check_output(['/bin/ls', '-l'])
  KPI: Maintainability

B604 any_other_function_with_shell_equals_true
  Description: Function call with shell=True parameter identified, possible security issue.
  Example:
    pop('/bin/gcc --version', shell=True)
    Popen('/bin/gcc --version', shell=True)
  KPI: Maintainability

B605 start_process_with_a_shell
  Description: Starting a process with a shell: check for injection.
  Example:
    os.system('/bin/echo hi')
  KPI: Maintainability

B606 start_process_with_no_shell
  Description: Starting a process without a shell.
  Example:
    os.spawnv(mode, path, args)
    os.spawnve(mode, path, args, env)
    os.spawnvp(mode, file, args)
  KPI: Maintainability

B607 start_process_with_partial_path
  Description: Starting a process with a partial executable path.
  Example:
    from subprocess import Popen as pop
    pop('gcc --version', shell=False)
  KPI: Maintainability

B608 hardcoded_sql_expressions
  Description: Possible SQL injection vector through string-based query construction.
  Example:
    query = "DELETE FROM foo WHERE id = '%s'" % identifier
    query = "UPDATE foo SET value = 'b' WHERE id = '%s'" % identifier
  KPI: Maintainability
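The B608 example only shows the query being built, not what the `%`-formatted identifier does once it reaches a database. The following added example (not from the page or from Bandit) runs the rule's own DELETE against a constructed in-memory SQLite table, first with the flagged string formatting and then with a bound parameter, so the difference in rows removed can be observed directly. Table name and rows are constructed for the example.

```python
import sqlite3


def seeded_connection() -> sqlite3.Connection:
    """Constructed fixture: the 'foo' table from the B608 example with three rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE foo (id TEXT PRIMARY KEY, value TEXT)")
    conn.executemany("INSERT INTO foo VALUES (?, ?)", [("1", "a"), ("2", "a"), ("3", "a")])
    conn.commit()
    return conn


def delete_flagged(conn: sqlite3.Connection, identifier: str) -> int:
    """The B608 pattern: the identifier is spliced into the SQL text, so a value such as
    ' OR '1'='1 rewrites the WHERE clause. Returns the number of rows deleted."""
    query = "DELETE FROM foo WHERE id = '%s'" % identifier
    cur = conn.execute(query)
    conn.commit()
    return cur.rowcount


def delete_parameterized(conn: sqlite3.Connection, identifier: str) -> int:
    """Hardened: the value travels to the engine as a bound parameter, never as SQL,
    so the same string is simply an id that matches nothing."""
    cur = conn.execute("DELETE FROM foo WHERE id = ?", (identifier,))
    conn.commit()
    return cur.rowcount


def remaining(conn: sqlite3.Connection) -> int:
    return conn.execute("SELECT COUNT(*) FROM foo").fetchone()[0]


if __name__ == "__main__":
    c = seeded_connection()
    print(delete_parameterized(c, "' OR '1'='1"), remaining(c))  # 0 3
    print(delete_flagged(c, "' OR '1'='1"), remaining(c))        # 3 0
```

Bandit cannot tell whether `identifier` is trusted, which is why B608 is a review prompt rather than a confirmed finding; the parameterized form makes the question moot.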
B609 linux_commands_wildcard_injection
  Description: Possible wildcard injection in call: subprocess.Popen
  Example:
    o.popen2('/bin/chmod *')
    subp.Popen('/bin/chown *', shell=True)
  KPI: Maintainability
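B602 to B607 and B609 describe one family of mistakes: handing a command string to a shell, letting PATH pick the binary, or letting a shell-expanded `*` turn file names into options. This added example (not from the page or from Bandit) shows the shape that avoids all of them: an argument vector with `shell=False`, the executable resolved once to an absolute path, relative file operands anchored with `./`, and `shlex.quote` for the rare case where a shell is unavoidable. The `echo` invocation in the demo is a constructed input chosen because the injected `; echo injected` would be visible if it ran.

```python
import shlex
import shutil
import subprocess
from typing import Sequence


def resolve_tool(name: str) -> str:
    """B607: resolve the executable to an absolute path via shutil.which at call time,
    so a PATH entry the caller controls cannot substitute a different binary."""
    path = shutil.which(name)
    if path is None:
        raise FileNotFoundError(f"required tool not found: {name}")
    return path


def as_file_operand(name: str) -> str:
    """B609: a file named '-rf' or '--reference=/etc/shadow' must not be parsed as an
    option. Anchoring relative names with './' keeps them operands even if a shell had
    expanded a '*' into them."""
    return name if name.startswith(("/", "./", "../")) else "./" + name


def run_tool(name: str, args: Sequence[str]) -> str:
    """B602/B605 replacement: an argument vector with shell=False, so ';', '|', '$(...)'
    inside args reach the program as literal characters rather than being interpreted."""
    argv = [resolve_tool(name), *args]
    completed = subprocess.run(argv, capture_output=True, text=True, check=True)
    return completed.stdout


def quote_for_shell(argv: Sequence[str]) -> str:
    """Only when a shell is genuinely required (B604): quote every argument so the shell
    sees each one as a single word."""
    return " ".join(shlex.quote(a) for a in argv)


if __name__ == "__main__":
    # The ';' is passed through as data; a shell would have run a second command.
    print(run_tool("echo", ["hello; echo injected"]), end="")   # hello; echo injected
    print(quote_for_shell(["ls", "-l", "a; rm -rf /"]))         # ls -l 'a; rm -rf /'
```

B603 still fires on `subprocess.run([...])` because Bandit cannot see whether the list elements are trusted; that finding is answered by showing where each argument comes from, not by changing the call.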
B610 django_extra_used
  Description: Potential SQL injection on extra function.
  KPI: Maintainability

B611 django_rawsql_used
  Description: Potential SQL injection on RawSQL function.
  KPI: Maintainability

B701 jinja2_autoescape_false
  Description: Using jinja2 templates with autoescape=False is dangerous and can lead to XSS. Use autoescape=True to mitigate XSS vulnerabilities.
  Example:
    templateEnv = jinja2.Environment(autoescape=False,
                                     loader=templateLoader)
    Environment(loader=templateLoader,
                load=templateLoader,
                autoescape=False)
  KPI: Maintainability

B702 use_of_mako_templates
  Description: Mako templates allow HTML/JS rendering by default and are inherently open to XSS attacks. Ensure variables in all templates are properly sanitized via the 'n', 'h' or 'x' flags (depending on context).
  Example:
    mako.template.Template("hern")
    template.Template("hern")
  KPI: Maintainability

B703 django_mark_safe
  Description: Potential XSS on mark_safe function.
  KPI: Maintainability

B301 blacklist_calls: pickle
  Description: Pickle and modules that wrap it can be unsafe when used to deserialize untrusted data; loading a stream lets it name arbitrary callables to invoke.
  Flagged calls:
    pickle.loads
    pickle.load
    pickle.Unpickler
    cPickle.loads
    cPickle.load
    cPickle.Unpickler
    dill.loads
    dill.load
    dill.Unpickler
    shelve.open
    shelve.DbfilenameShelf
  KPI: Maintainability
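The reason B301 (and the matching import rule B403) lists plain `pickle.loads` is that a pickle stream is a small program: it can reference any importable callable and have it invoked with attacker-chosen arguments during load. This added example (not from the page or from Bandit) makes that concrete with a harmless stand-in callable instead of `os.system`, then shows the standard mitigation when the format cannot be replaced: an `Unpickler` subclass whose `find_class` refuses every global outside a short allow-list. The payload class, the recorded marker and the allow-list contents are constructed for the example.

```python
import io
import pickle
from typing import Any, List, Tuple

TRIGGERED: List[str] = []  # records that unpickling executed code


def side_effect(marker: str) -> str:
    """Stand-in for the os.system / subprocess.Popen a real gadget would name."""
    TRIGGERED.append(marker)
    return marker


class Payload:
    """Its pickle says 'call side_effect(...) when loaded'. No bug in pickle is involved;
    __reduce__ is the protocol working as designed."""

    def __reduce__(self):
        return (side_effect, ("code ran during unpickle",))


def make_payload() -> bytes:
    return pickle.dumps(Payload())


def plain_data_blob() -> bytes:
    """Constructed benign input: the kind of data a restricted loader must still accept."""
    return pickle.dumps({"ids": [1, 2, 3], "tags": {"a", "b"}})


def unrestricted_load(data: bytes) -> Any:
    """The B301 pattern: pickle.loads on bytes the program did not produce itself."""
    return pickle.loads(data)


class RestrictedUnpickler(pickle.Unpickler):
    """find_class is consulted for every global the stream references. Refusing anything
    outside the allow-list blocks gadget chains that name os.system, subprocess.Popen, etc.
    The allow-list below is an example; keep it to the types your data actually needs."""

    ALLOWED = {("builtins", "set"), ("builtins", "frozenset"), ("collections", "OrderedDict")}

    def find_class(self, module: str, name: str):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global '{module}.{name}' is forbidden")


def restricted_load(data: bytes) -> Tuple[bool, Any]:
    """Returns (accepted, value). accepted is False when the stream named a forbidden global,
    and in that case nothing from the stream has been called."""
    try:
        return True, RestrictedUnpickler(io.BytesIO(data)).load()
    except pickle.UnpicklingError as exc:
        return False, str(exc)


if __name__ == "__main__":
    print(restricted_load(make_payload()))    # (False, "global '...side_effect' is forbidden")
    print(unrestricted_load(make_payload()))  # code ran during unpickle
    print(TRIGGERED)                          # ['code ran during unpickle']
```

The allow-list approach is a containment, not a cure: anything listed becomes reachable to the stream, so prefer a data-only format (JSON, or `yaml.safe_load` for the B506 case) when the producer is not trusted.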
B302 blacklist_calls: marshal
  Description: Deserialization with the marshal module is possibly dangerous; it is not meant for untrusted input.
  Flagged calls:
    marshal.load
    marshal.loads
  KPI: Maintainability

B303 blacklist_calls: md5
  Description: Use of insecure MD2, MD4, MD5 or SHA1 hash function.
  Flagged calls:
    hashlib.md5
    hashlib.sha1
    Crypto.Hash.MD2.new
    Crypto.Hash.MD4.new
    Crypto.Hash.MD5.new
    Crypto.Hash.SHA.new
    Cryptodome.Hash.MD2.new
    Cryptodome.Hash.MD4.new
    Cryptodome.Hash.MD5.new
    Cryptodome.Hash.SHA.new
    cryptography.hazmat.primitives.hashes.MD5
    cryptography.hazmat.primitives.hashes.SHA1
  KPI: Maintainability

B304 blacklist_calls: ciphers
  Description: Use of an insecure cipher; replace with a known secure cipher such as AES.
  Flagged calls:
    Crypto.Cipher.ARC2.new
    Crypto.Cipher.ARC4.new
    Crypto.Cipher.Blowfish.new
    Crypto.Cipher.DES.new
    Crypto.Cipher.XOR.new
    Cryptodome.Cipher.ARC2.new
    Cryptodome.Cipher.ARC4.new
    Cryptodome.Cipher.Blowfish.new
    Cryptodome.Cipher.DES.new
    Cryptodome.Cipher.XOR.new
    cryptography.hazmat.primitives.ciphers.algorithms.ARC4
    cryptography.hazmat.primitives.ciphers.algorithms.Blowfish
    cryptography.hazmat.primitives.ciphers.algorithms.IDEA
  KPI: Maintainability

B305 blacklist_calls: cipher_modes
  Description: Use of an insecure cipher mode (ECB leaks plaintext structure across blocks).
  Flagged calls:
    cryptography.hazmat.primitives.ciphers.modes.ECB
  KPI: Maintainability

B306 blacklist_calls: mktemp_q
  Description: Use of the insecure and deprecated mktemp function; it returns a name without creating the file, leaving a race another process can win.
  Flagged calls:
    tempfile.mktemp
  KPI: Maintainability

B307 blacklist_calls: eval
  Description: Use of possibly insecure function; consider the safer ast.literal_eval.
  Flagged calls:
    eval
  KPI: Maintainability

B308 blacklist_calls: mark_safe
  Description: Use of mark_safe() may expose cross-site scripting vulnerabilities and should be reviewed.
  Flagged calls:
    django.utils.safestring.mark_safe
  KPI: Maintainability

B309 blacklist_calls: httpsconnection
  Description: HTTPSConnection on Python versions before 2.7.9 / 3.4.3 does not validate the server certificate.
  Flagged calls:
    httplib.HTTPSConnection
    http.client.HTTPSConnection
    six.moves.http_client.HTTPSConnection
  KPI: Maintainability

B310 blacklist_calls: urllib_urlopen
  Description: Audit URL open for permitted schemes; allowing file:// or custom schemes is often unexpected.
  Flagged calls:
    urllib.urlopen
    urllib.request.urlopen
    urllib.urlretrieve
    urllib.request.urlretrieve
    urllib.URLopener
    urllib.request.URLopener
    urllib.FancyURLopener
    urllib.request.FancyURLopener
    urllib2.urlopen
    urllib2.Request
    six.moves.urllib.request.urlopen
    six.moves.urllib.request.urlretrieve
    six.moves.urllib.request.URLopener
    six.moves.urllib.request.FancyURLopener
  KPI: Maintainability

B311 blacklist_calls: random
  Description: Standard pseudo-random generators are not suitable for security or cryptographic purposes; use the secrets module.
  Flagged calls:
    random.random
    random.randrange
    random.randint
    random.choice
    random.uniform
    random.triangular
  KPI: Maintainability

B312 blacklist_calls: telnetlib
  Description: Telnet-related functions are being called. Telnet is considered insecure (cleartext); use SSH or another encrypted protocol.
  Flagged calls:
    telnetlib.*
  KPI: Maintainability

B313 blacklist_calls: xml_bad_cElementTree
  Description: Parsing untrusted XML with these functions is known to be vulnerable to XML attacks (entity expansion, external entities); replace with the defusedxml equivalent.
  Flagged calls:
    xml.etree.cElementTree.parse
    xml.etree.cElementTree.iterparse
    xml.etree.cElementTree.fromstring
    xml.etree.cElementTree.XMLParser
  KPI: Maintainability

B314 blacklist_calls: xml_bad_ElementTree
  Description: Parsing untrusted XML with these functions is known to be vulnerable to XML attacks; replace with the defusedxml equivalent.
  Flagged calls:
    xml.etree.ElementTree.parse
    xml.etree.ElementTree.iterparse
    xml.etree.ElementTree.fromstring
    xml.etree.ElementTree.XMLParser
  KPI: Maintainability

B315 blacklist_calls: xml_bad_expatreader
  Description: Parsing untrusted XML with this function is known to be vulnerable to XML attacks; replace with the defusedxml equivalent.
  Flagged calls:
    xml.sax.expatreader.create_parser
  KPI: Maintainability

B316 blacklist_calls: xml_bad_expatbuilder
  Description: Parsing untrusted XML with these functions is known to be vulnerable to XML attacks; replace with the defusedxml equivalent.
  Flagged calls:
    xml.dom.expatbuilder.parse
    xml.dom.expatbuilder.parseString
  KPI: Maintainability

B317 blacklist_calls: xml_bad_sax
  Description: Parsing untrusted XML with these functions is known to be vulnerable to XML attacks; replace with the defusedxml equivalent.
  Flagged calls:
    xml.sax.parse
    xml.sax.parseString
    xml.sax.make_parser
  KPI: Maintainability

B318 blacklist_calls: xml_bad_minidom
  Description: Parsing untrusted XML with these functions is known to be vulnerable to XML attacks; replace with the defusedxml equivalent.
  Flagged calls:
    xml.dom.minidom.parse
    xml.dom.minidom.parseString
  KPI: Maintainability

B319 blacklist_calls: xml_bad_pulldom
  Description: Parsing untrusted XML with these functions is known to be vulnerable to XML attacks; replace with the defusedxml equivalent.
  Flagged calls:
    xml.dom.pulldom.parse
    xml.dom.pulldom.parseString
  KPI: Maintainability

B320 blacklist_calls: xml_bad_etree
  Description: Parsing untrusted XML with lxml is known to be vulnerable to XML attacks; replace with the defusedxml equivalent.
  Flagged calls:
    lxml.etree.parse
    lxml.etree.fromstring
    lxml.etree.RestrictedElement
    lxml.etree.GlobalParserTLS
    lxml.etree.getDefaultParser
    lxml.etree.check_docinfo
  KPI: Maintainability

B321 blacklist_calls: ftplib
  Description: FTP-related functions are being called. FTP is considered insecure (cleartext); use SSH/SFTP/SCP or another encrypted protocol.
  Flagged calls:
    ftplib.*
  KPI: Maintainability

B322 blacklist_calls: input
  Description: In Python 2, input() reads from standard input and evaluates the result as Python source, which is similar to, and in many ways worse than, eval.
  Flagged calls:
    input
  KPI: Maintainability

B323 blacklist_calls: unverified_context
  Description: ssl._create_unverified_context bypasses certificate validation, so the client will accept any certificate.
  Flagged calls:
    ssl._create_unverified_context
  KPI: Maintainability

B325 blacklist_calls: tempnam
  Description: os.tempnam() and os.tmpnam() are vulnerable to symlink attacks; consider tempfile.mkstemp or tempfile.TemporaryFile instead.
  Flagged calls:
    os.tempnam
    os.tmpnam
  KPI: Maintainability

B403 blacklist_imports: pickle
  Description: Consider possible security implications associated with the pickle module and its wrappers.
  Flagged imports:
    pickle
    cPickle
    dill
    shelve
  KPI: Maintainability

B404 blacklist_imports: subprocess
  Description: Consider possible security implications associated with the subprocess module.
  Flagged imports:
    subprocess
  KPI: Maintainability

B405 blacklist_imports: xml.etree
  Description: Using these modules to parse untrusted XML is known to be vulnerable to XML attacks; replace with the equivalent defusedxml package, or make sure defusedxml.defuse_stdlib() is called.
  Flagged imports:
    xml.etree.cElementTree
    xml.etree.ElementTree
  KPI: Maintainability

B406 blacklist_imports: xml.sax
  Description: Using this module to parse untrusted XML is known to be vulnerable to XML attacks; replace with the equivalent defusedxml package, or make sure defusedxml.defuse_stdlib() is called.
  Flagged imports:
    xml.sax
  KPI: Maintainability

B407 blacklist_imports: xml.dom.expatbuilder
  Description: Using this module to parse untrusted XML is known to be vulnerable to XML attacks; replace with the equivalent defusedxml package, or make sure defusedxml.defuse_stdlib() is called.
  Flagged imports:
    xml.dom.expatbuilder
  KPI: Maintainability

B408 blacklist_imports: xml.dom.minidom
  Description: Using this module to parse untrusted XML is known to be vulnerable to XML attacks; replace with the equivalent defusedxml package, or make sure defusedxml.defuse_stdlib() is called.
  Flagged imports:
    xml.dom.minidom
  KPI: Maintainability

B409 blacklist_imports: xml.dom.pulldom
  Description: Using this module to parse untrusted XML is known to be vulnerable to XML attacks; replace with the equivalent defusedxml package, or make sure defusedxml.defuse_stdlib() is called.
  Flagged imports:
    xml.dom.pulldom
  KPI: Maintainability

B410 blacklist_imports: lxml
  Description: Using lxml to parse untrusted XML is known to be vulnerable to XML attacks; replace with the equivalent defusedxml package.
  Flagged imports:
    lxml
  KPI: Maintainability