| name | construct | severity | info |
|---|---|---|---|
| Dynamic Imports | __import__ | Medium | Importing modules dynamically can load untrusted code. |
| Assertions | assert | Low | Assertions are for debugging and development. Assertions can be disabled during runtime. Use in production can introduce vulnerabilities. |
| Base64 Encoding | base64 | Low | Base64 encoding is not for security. It only visually hides data and provides no confidentiality. Often used to obfuscate malware in code. |
| BZ2 File Handling | bz2.BZ2File | Medium | Decompressing untrusted data can lead to resource exhaustion attacks. |
| BZ2 File Handling | bz2.open | Medium | Decompressing untrusted data can lead to resource exhaustion attacks. |
| Dangerous Built-in: compile | compile | High | This function can be used to execute arbitrary code or crash the Python interpreter. |
| Unsafe Deserialization: multiprocessing | connection.recv | High | Uses pickle, which can execute arbitrary code when receiving data. |
| Overly Broad Exception Handling | continue | Low | Skipping over exceptions can mask critical errors and security risks. |
| Dangerous Built-in: eval | eval | High | This function can execute arbitrary code. Never safe with untrusted input. |
| Dangerous Built-in: exec | exec | High | This function can execute arbitrary code and should be used only with validated constructs. |
| Gzip File Handling | gzip.open | Medium | Risk of decompression bombs or resource exhaustion with untrusted data. |
| Insecure Hashing Algorithm | hashlib.md5 | High | MD5 is cryptographically broken and should not be used for security purposes. |
| Insecure Hashing Algorithm | hashlib.sha1 | High | SHA-1 is cryptographically broken and should not be used for security purposes. |
| HTTP Server (Base Handler) | http.server BaseHTTPRequestHandler | High | These modules are for development only and are not secure for production use. |
| HTTP Server | http.server HTTPServer | High | These modules are for development only and are not secure for production use. |
| Dynamic Imports | importlib.import_module | Medium | Importing modules dynamically can load untrusted code. |
| Input Function | input | Low | User input must be strictly sanitized and validated to prevent injection vulnerabilities. |
| Logging Configuration | logging.config | Medium | Parsing untrusted logging configurations can lead to vulnerabilities if not handled correctly. |
| LZMA File Handling | lzma.LZMAFile | Medium | Risk of decompression bombs or resource exhaustion with untrusted data. |
| LZMA File Handling | lzma.open | Medium | Risk of decompression bombs or resource exhaustion with untrusted data. |
| Marshal Usage | marshal.load | High | This module is not secure and should not be used to deserialize data from untrusted sources. |
| Marshal Usage | marshal.loads | High | This module is not secure and should not be used to deserialize data from untrusted sources. |
| Unsafe Deserialization: multiprocessing | multiprocessing.connection Connection | High | Relies on pickle; dangerous with untrusted data. |
| OS Access | os.access | High | Direct OS function calls can have significant security implications and require careful review. |
| OS File Permissions | os.chmod | High | Changing permissions carelessly can expose sensitive files. |
| OS Execution | os.execl | High | Direct OS function calls can have significant security implications and require careful review. |
| OS Execution | os.execle | High | Direct OS function calls can have significant security implications and require careful review. |
| OS Execution | os.execlp | High | Direct OS function calls can have significant security implications and require careful review. |
| OS Execution | os.execlpe | High | Direct OS function calls can have significant security implications and require careful review. |
| OS Execution | os.execv | High | Direct OS function calls can have significant security implications and require careful review. |
| OS Execution | os.execve | High | Direct OS function calls can have significant security implications and require careful review. |
| OS Execution | os.execvp | High | Direct OS function calls can have significant security implications and require careful review. |
| OS Execution | os.execvpe | High | Direct OS function calls can have significant security implications and require careful review. |
| OS Forking | os.fork | Low | On macOS, use of this function is unsafe when mixed with higher-level system APIs, including urllib.request. |
| OS Interfaces | os.forkpty | Low | Use of forkpty can be unsafe on macOS. |
| Directory Creation | os.makedev | Low | Direct file system calls require careful input validation to prevent vulnerabilities. |
| Directory Creation | os.makedirs | Low | Direct file system calls require careful input validation to prevent vulnerabilities. |
| Directory Creation | os.mkdir | Low | Direct file system calls require careful input validation to prevent vulnerabilities. |
| Directory Creation | os.mkfifo | Low | Direct file system calls require careful input validation to prevent vulnerabilities. |
| Directory Creation | os.mknod | Low | Direct file system calls require careful input validation to prevent vulnerabilities. |
| OS Execution | os.popen | High | Direct OS function calls can have significant security implications and require careful review. |
| OS File Operations | os.read | Low | Reading from unvalidated file descriptors can lead to information disclosure. |
| OS Execution | os.system | High | Direct OS function calls can have significant security implications and require careful review. |
| OS File Operations | os.write | Low | Writing to unvalidated or unintended file descriptors can lead to data corruption, privilege escalation, or denial of service. |
| OS File Operations | os.writev | Low | Writing to unvalidated or unintended file descriptors can lead to data corruption, privilege escalation, or denial of service. |
| Overly Broad Exception Handling | pass | Low | Using `pass` in an `except` block can silently ignore critical security exceptions. |
| Pickle Usage | pickle.load | High | Deserializing untrusted data with `pickle` can lead to arbitrary code execution. |
| Pickle Usage | pickle.loads | High | Deserializing untrusted data with `pickle` can lead to arbitrary code execution. |
| Cryptographically Unsafe Randomness | random.random | Low | The pseudo-random generators in this module are not suitable for security purposes. |
| Cryptographically Unsafe Randomness | random.seed | Low | The pseudo-random generators in this module are not suitable for security purposes. |
| Insecure Network Binding | s.bind | Medium | Binding to all interfaces can expose the service to a wider network attack surface. |
| Shelve Usage | shelve.open | High | The `shelve` module uses `pickle` internally, making it unsafe for untrusted data. |
| Shutil Operations | shutil.chown | Medium | Changing file ownership can introduce vulnerabilities. |
| Shutil Copying | shutil.copy | Medium | Files may be copied without authorization if paths are not validated. |
| Shutil Copying | shutil.copy2 | Medium | Files may be copied without authorization if paths are not validated. |
| Shutil Copying | shutil.copytree | Medium | Files may be copied without authorization if paths are not validated. |
| Shutil Removal | shutil.rmtree | Medium | Vulnerable to path traversal attacks if not used carefully. |
| Shutil Extraction | shutil.unpack_archive | Medium | Untrusted archives can contain malicious paths or payloads. |
| Subprocess Usage | subprocess.Popen | Medium | Requires careful input validation to prevent command injection vulnerabilities. |
| Subprocess Usage | subprocess.call | High | Requires careful input validation to prevent command injection vulnerabilities. |
| Subprocess Usage | subprocess.check_call | High | Requires careful input validation to prevent command injection vulnerabilities. |
| Subprocess Usage | subprocess.run | Medium | Requires careful input validation to prevent command injection vulnerabilities. |
| Sys Calls | sys.call_tracing | Medium | Provides low-level access to interpreter execution; dangerous if exposed. |
| Sys Calls | sys.setprofile | Medium | Provides low-level access to interpreter execution; dangerous if exposed. |
| Sys Calls | sys.settrace | Medium | Provides low-level access to interpreter execution; dangerous if exposed. |
| Tarfile Extraction | tarfile.TarFile | High | Vulnerable to path traversal attacks if used with untrusted archives. |
| Tempfile | tempfile.mktemp | Low | This function is deprecated because of race conditions that can lead to security vulnerabilities. |
| XML-RPC Client | xmlrpc.client | High | Vulnerable to denial-of-service via decompression bombs. |
| XML-RPC Server | xmlrpc.server SimpleXMLRPCServer | High | Vulnerable to denial-of-service via decompression bombs. |
| Zipfile Extraction | zipfile.ZipFile | High | Vulnerable to path traversal attacks if used with untrusted archives. |
Number of implemented security validations: 70

Version of codeaudit: 1.1.0

Because Python and cybersecurity are constantly changing, issue reports SHOULD specify the codeaudit version used.

Disclaimer: This SAST tool 'codeaudit' provides a powerful automatic security analysis for Python source code. However, it is not a substitute for human review combined with business knowledge. Undetected vulnerabilities may still exist. There is not, and will never be, a single security tool that gives 100% automatic guarantees. By reporting any issues you find, you contribute to a better tool for everyone.