| name | construct | severity | info |
|---|---|---|---|
| Check on assert | assert | Low | Assertions are for debugging and development. Misuse can lead to security vulnerabilities. |
| Encodings | base64 | Low | Base encoding visually hides otherwise easily recognized information such as passwords, but does not provide any computational confidentiality. |
| Built-in Functions: Check on compile usage. | compile | High | It is possible to crash the Python interpreter when using this function. |
| Multiprocessing | connection.recv | High | Connection.recv() uses pickle |
| Exception Handling- Continue statement | continue | Low | Too broad exception handling risk when not used correctly. |
| Check on eval usage | eval | High | This function can execute arbitrary code. |
| Built-in Functions: Check for exec usage. | exec | High | This built-in function can execute code you do not want and/or are not aware of. Check and validate that it is used correctly. |
| Hash Check - md5 | hashlib.md5 | High | Use of insecure hashing algorithms detected. |
| Hash Check -sha1 | hashlib.sha1 | High | Use of insecure hashing algorithms detected. |
| HTTP servers: Check on usage. | http.server BaseHTTPRequestHandler | High | Insecure for production use. |
| HTTP servers: Check on usage. | http.server HTTPServer | High | Insecure for production use. |
| Check on input statement | input | Low | Use of input requires strict sanitizing and validation. |
| Logging - configuration | logging.config | Low | Potential security issues can arise with parsing objects and incorrect sanitizing. |
| Marshal | marshal.load | High | The marshal module is not intended to be secure against erroneous or maliciously constructed data. |
| Marshal | marshal.loads | High | The marshal module is not intended to be secure against erroneous or maliciously constructed data. |
| Multiprocessing | multiprocessing.connection Connection | High | Connection.recv() uses pickle |
| OS Access | os.access | High | Operating System calls can have a security impact and should be inspected in detail. |
| Check for chmod | os.chmod | High | Operating System calls can have a security impact and should be inspected in detail. |
| OS - execl | os.execl | High | Operating System calls can have a security impact and should be inspected in detail. |
| OS - execle | os.execle | High | Operating System calls can have a security impact and should be inspected in detail. |
| OS - execlp | os.execlp | High | Operating System calls can have a security impact and should be inspected in detail. |
| OS - execlpe | os.execlpe | High | Operating System calls can have a security impact and should be inspected in detail. |
| OS - execv | os.execv | High | Operating System calls can have a security impact and should be inspected in detail. |
| OS - execve | os.execve | High | Operating System calls can have a security impact and should be inspected in detail. |
| OS - execvp | os.execvp | High | Operating System calls can have a security impact and should be inspected in detail. |
| OS - execvpe | os.execvpe | High | Operating System calls can have a security impact and should be inspected in detail. |
| OS System call - Fork a child process | os.fork | Low | On macOS use of this function is unsafe when mixed with using higher-level system APIs, and that includes using urllib.request. |
| OS Interfaces | os.forkpty | Low | Use of forkpty can be unsafe when used on MacOS. |
| Directory Creation | os.makedev | Low | Operating System calls can have a security impact and should be inspected in detail. |
| Directory Creation | os.makedirs | Low | Operating System calls can have a security impact and should be inspected in detail. |
| Directory Creation | os.mkdir | Low | Operating System calls can have a security impact and should be inspected in detail. |
| Directory Creation | os.mkfifo | Low | Operating System calls can have a security impact and should be inspected in detail. |
| Directory Creation | os.mknod | Low | Operating System calls can have a security impact and should be inspected in detail. |
| OS - popen | os.popen | High | Operating System calls can have a security impact and should be inspected in detail. |
| OS Interface | os.read | Low | When files can be read from, they can be transferred to some place you do not want. |
| OS - direct calls | os.system | High | Operating System calls can have a security impact and should be inspected in detail. |
| OS Interfaces | os.write | Low | os.write can cause availability issues if not done correctly. |
| OS Interfaces | os.writev | Low | os.writev can cause availability issues if not done correctly. |
| Exception Handling | pass | Low | Too broad exception handling risk when not used correctly. |
| Pickle use | pickle.load | High | unpickling will import any class or function that it finds in the pickle data |
| Pickle use | pickle.loads | High | unpickling will import any class or function that it finds in the pickle data |
| Random numbers generation module | random.random | Low | The pseudo-random generators of this module should not be used for security purposes. |
| Random numbers generation module | random.seed | Low | The pseudo-random generators of this module should not be used for security purposes. |
| Binding All Interfaces | s.bind | Medium | Network sockets require additional measurements. |
| Shelve module | shelve.open | High | Only loading a shelve from a trusted source is secure. So check if this is the case. |
| shutil | shutil.chown | Medium | Programs should not change access rights on files they do not own. |
| shutil | shutil.copy | Medium | Information can be transferred without permission. |
| shutil | shutil.copy2 | Medium | Information can be transferred without permission. |
| shutil | shutil.copytree | Medium | Information can be transferred without permission. |
| shutil | shutil.unpack_archive | Medium | Extracting files within a program should not be trusted by default. |
| Subprocesses - Popen | subprocess.Popen | Medium | Use of the subprocess module calls should be analyzed in-depth. |
| Subprocesses - call | subprocess.call | High | Use of the subprocess module calls should be analyzed in-depth. |
| Subprocesses - check_call | subprocess.check_call | High | Use of the subprocess module calls should be analyzed in-depth. |
| Subprocesses - run | subprocess.run | Medium | Use of the subprocess module calls should be analyzed in-depth. |
| Sys calls | sys.call_tracing | Medium | Sys functions that can give low-level access to the interpreter's execution flow. |
| Sys calls | sys.setprofile | Medium | Sys functions that can give low-level access to the interpreter's execution flow. |
| Sys calls | sys.settrace | Medium | Sys functions that can give low-level access to the interpreter's execution flow. |
| Tarfile | tarfile.TarFile | High | Extracting files within a program should never be trusted by default. This issue is detected when the zipfile and/or tarfile module with an extraction method is used. |
| tempfile | tempfile.mktemp | Low | This function may introduce race conditions which could negatively impact security. |
| XML - client | xmlrpc.client | High | xmlrpc is vulnerable to the “decompression bomb” attack. |
| XML - server | xmlrpc.server SimpleXMLRPCServer | High | xmlrpc.server is vulnerable to the “decompression bomb” attack. |
| Zipfile | zipfile.ZipFile | High | Extracting files within a program should never be trusted by default. This issue is detected when the zipfile and/or tarfile module with an extraction method is used. |
Number of implemented security validations: 62
Version of codeaudit: 0.8.0
Because Python and cybersecurity are constantly changing, issue reports SHOULD specify the codeaudit version used.
Disclaimer: This SAST tool 'codeaudit' provides a powerful automatic security analysis for Python source code. However, it is not a substitute for human review in combination with business knowledge. Undetected vulnerabilities may still exist. There is and will never be a single security tool that gives 100% automatic guarantees. By reporting any issues you find, you contribute to a better tool for everyone.