B102
Detect use of exec (security issue)
The Codiga Static Analysis engine is powered by the best open-source tools to check your Python code. Make sure your code does not have any security issues and follow design and other best practices. Automate your code reviews today and merge with confidence with Codiga.
Chmod setting a permissive mask 0o755 on file (entryfile).
Possible binding to all interfaces.
Insecure usage of file or directory
Pickle and modules that wrap it can be unsafe when used to deserialize untrusted data
Deserialization with the marshal module is possibly dangerous.
Use of insecure MD2
Use of insecure cipher mode cryptography.hazmat.primitives.ciphers.modes.ECB.
Use of insecure and deprecated function (mktemp).
Use of possibly insecure function - consider using safer ast.literal_eval.
Use of mark_safe() may expose cross-site scripting vulnerabilities and should be reviewed.
Use of HTTPSConnection on older versions of Python prior to 2.7.9 and 3.4.3 does not provide security
Audit url open for permitted schemes. Allowing use of file:/ or custom schemes is often unexpected.
Using xml.etree.cElementTree.fromstring to parse untrusted XML data is known to be vulnerable to XML attacks. Replace xml.etree.cElementTree.fromstring with its defusedxml equivalent function or make sure defusedxml.defuse_stdlib() is called
Using xml.etree.ElementTree.iterparse to parse untrusted XML data is known to be vulnerable to XML attacks. Replace xml.etree.ElementTree.iterparse with its defusedxml equivalent function or make sure defusedxml.defuse_stdlib() is called
Using xml.sax.make_parser to parse untrusted XML data is known to be vulnerable to XML attacks. Replace xml.sax.make_parser with its defusedxml equivalent function or make sure defusedxml.defuse_stdlib() is called
Using xml.dom.minidom.parseString to parse untrusted XML data is known to be vulnerable to XML attacks. Replace xml.dom.minidom.parseString with its defusedxml equivalent function or make sure defusedxml.defuse_stdlib() is called
Using lxml.etree.parse to parse untrusted XML data is known to be vulnerable to XML attacks. Replace lxml.etree.parse with its defusedxml equivalent function.
Detect insecure use of HTTPS connection
Use of insecure MD4 or MD5 hash function.
Use of unsafe yaml load. Allows instantiation of arbitrary objects. Consider yaml.safe_load().
Possible shell injection via Paramiko call
Possible SQL injection vector through string-based query construction.
Mako templates allow HTML/JS rendering by default and are inherently open to XSS attacks. Ensure variables in all templates are properly sanitized via the 'n'
Potential XSS on mark_safe function.
Use of exec
Using subprocess.run without explicitly setting `check` is not recommended.
Blacklist Python calls known to be dangerous
Potential SQL injection on extra function
Potential SQL injection on RawSQL function
Paramiko call with policy set to automatically trust the unknown host key.