
Python rules

The Codiga Static Analysis engine is powered by the best open-source tools to check your Python code. Make sure your code does not have any security issues and follows design and other best practices. Automate your code reviews today and merge with confidence with Codiga.

| Rule | Category | Severity | Description |
|---|---|---|---|
| B102 | Security | Error | Detect use of exec (security issue) |
| B103 | Security | Error | Chmod setting a permissive mask 0o755 on file (entryfile). |
| B104 | Security | Error | Possible binding to all interfaces. |
| B108 | Security | Error | Insecure usage of file or directory |
| B201 | Security | Critical | A Flask app appears to be run with debug=True |
| B301 | Security | Error | Pickle and modules that wrap it can be unsafe when used to deserialize untrusted data |
| B302 | Security | Error | Deserialization with the marshal module is possibly dangerous. |
| B305 | Security | Error | Use of insecure cipher mode cryptography.hazmat.primitives.ciphers.modes.ECB. |
| B306 | Security | Error | Use of insecure and deprecated function (mktemp). |
| B307 | Security | Error | Use of possibly insecure function; consider using the safer ast.literal_eval. |
| B308 | Security | Error | Use of mark_safe() may expose cross-site scripting vulnerabilities and should be reviewed. |
| B309 | Security | Error | Use of HTTPSConnection on older versions of Python prior to 2.7.9 and 3.4.3 does not provide security |
| B310 | Security | Error | Audit url open for permitted schemes. Allowing use of file:/ or custom schemes is often unexpected. |
| B312 | Security | Critical | Telnet-related functions are being called. Telnet is considered insecure. Use SSH or some other encrypted protocol. |
| B313 | Security | Error | Using xml.etree.cElementTree.fromstring to parse untrusted XML data is known to be vulnerable to XML attacks. Replace xml.etree.cElementTree.fromstring with its defusedxml equivalent function or make sure defusedxml.defuse_stdlib() is called |
| B314 | Security | Error | Using xml.etree.ElementTree.iterparse to parse untrusted XML data is known to be vulnerable to XML attacks. Replace xml.etree.ElementTree.iterparse with its defusedxml equivalent function or make sure defusedxml.defuse_stdlib() is called |
| B317 | Security | Error | Using xml.sax.make_parser to parse untrusted XML data is known to be vulnerable to XML attacks. Replace xml.sax.make_parser with its defusedxml equivalent function or make sure defusedxml.defuse_stdlib() is called |
| B318 | Security | Error | Using xml.dom.minidom.parseString to parse untrusted XML data is known to be vulnerable to XML attacks. Replace xml.dom.minidom.parseString with its defusedxml equivalent function or make sure defusedxml.defuse_stdlib() is called |
| B320 | Security | Error | Using lxml.etree.parse to parse untrusted XML data is known to be vulnerable to XML attacks. Replace lxml.etree.parse with its defusedxml equivalent function. |
| B321 | Security | Critical | FTP-related functions are being called. FTP is considered insecure. Use SSH/SFTP/SCP or some other encrypted protocol. |
| B322 | Security | Critical | The input method in Python 2 will read from standard input |
| B323 | Security | Error | Detect insecure use of HTTPS connection |
| B324 | Security | Error | Use of insecure MD4 or MD5 hash function. |
| B401 | Security | Critical | A telnet-related module is being imported. Telnet is considered insecure. Use SSH or some other encrypted protocol. |
| B402 | Security | Critical | An FTP-related module is being imported. FTP is considered insecure. Use SSH/SFTP/SCP or some other encrypted protocol. |
| B411 | Security | Critical | Using MAXINT to parse untrusted XML data is known to be vulnerable to XML attacks. Use the defused.xmlrpc.monkey_patch() function to monkey-patch xmlrpclib and mitigate XML vulnerabilities. |
| B413 | Security | Critical | The pyCrypto library and its module SHA256 are no longer actively maintained and have been deprecated. Consider using the pyca/cryptography library. |
| B501 | Security | Critical | Requests call with verify=False disabling SSL certificate checks |
| B506 | Security | Error | Use of unsafe yaml load. Allows instantiation of arbitrary objects. Consider yaml.safe_load(). |
| B601 | Security | Error | Possible shell injection via Paramiko call |
| B602 | Security | Critical | subprocess call with shell=True identified |
| B605 | Security | Critical | Starting a process with a shell |
| B608 | Security | Error | Possible SQL injection vector through string-based query construction. |
| B701 | Security | Critical | Using jinja2 templates with autoescape=False is dangerous and can lead to XSS. Ensure autoescape=True or use the select_autoescape function to mitigate XSS vulnerabilities. |
| B702 | Security | Error | Mako templates allow HTML/JS rendering by default and are inherently open to XSS attacks. Ensure variables in all templates are properly sanitized via the 'n' |
| B703 | Security | Error | Potential XSS on mark_safe function. |
| W1510 | Security | Error | Using subprocess.run without explicitly setting `check` is not recommended. |
| B319 | Security | Error | Blacklist Python calls known to be dangerous |
| B610 | Security | Error | Potential SQL injection on extra function |
| B611 | Security | Error | Potential SQL injection on RawSQL function |
| E2515 | Security | Warning | Invalid unescaped character zero-width-space, use "\u200B" instead. |
| B507 | Security | Error | Paramiko call with policy set to automatically trust the unknown host key. |
