eric6/Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py

Sat, 27 Feb 2021 12:08:23 +0100

author
Detlev Offenbach <detlev@die-offenbachs.de>
date
Sat, 27 Feb 2021 12:08:23 +0100
changeset 8138
169e65a6787c
parent 7923
91e843545d9a
child 8198
1c765dc90c21
permissions
-rw-r--r--

Shell: added functionality to show a prompt when the main client process has exited (e.g. a script ended).

# -*- coding: utf-8 -*-

# Copyright (c) 2020 - 2021 Detlev Offenbach <detlev@die-offenbachs.de>
#


"""
Module implementing message translations for the code style plugin messages
(security part).
"""

from PyQt5.QtCore import QCoreApplication

_securityMessages = {
    # assert used
    "S101": QCoreApplication.translate(
        "Security",
        "Use of 'assert' detected. The enclosed code will be removed when"
        " compiling to optimised byte code."),
    
    # exec used
    "S102": QCoreApplication.translate(
        "Security",
        "Use of 'exec' detected."),
    
    # bad file permissions
    "S103": QCoreApplication.translate(
        "Security",
        "'chmod' setting a permissive mask {0} on file ({1})."),
    
    # bind to all interfaces
    "S104": QCoreApplication.translate(
        "Security",
        "Possible binding to all interfaces."),
    
    # hardcoded passwords
    "S105": QCoreApplication.translate(
        "Security",
        "Possible hardcoded password: '{0}'"),
    "S106": QCoreApplication.translate(
        "Security",
        "Possible hardcoded password: '{0}'"),
    "S107": QCoreApplication.translate(
        "Security",
        "Possible hardcoded password: '{0}'"),
    
    # hardcoded tmp directory
    "S108": QCoreApplication.translate(
        "Security",
        "Probable insecure usage of temp file/directory."),
    
    # try-except
    "S110": QCoreApplication.translate(
        "Security",
        "Try, Except, Pass detected."),
    "S112": QCoreApplication.translate(
        "Security",
        "Try, Except, Continue detected."),
    
    # flask app
    "S201": QCoreApplication.translate(
        "Security",
        "A Flask app appears to be run with debug=True, which exposes the"
        " Werkzeug debugger and allows the execution of arbitrary code."),
    
    # blacklisted calls
    "S301": QCoreApplication.translate(
        "Security",
        "Pickle and modules that wrap it can be unsafe when used to "
        "deserialize untrusted data, possible security issue."),
    "S302": QCoreApplication.translate(
        "Security",
        "Deserialization with the marshal module is possibly dangerous."),
    "S303": QCoreApplication.translate(
        "Security",
        "Use of insecure MD2, MD4, MD5, or SHA1 hash function."),
    "S304": QCoreApplication.translate(
        "Security",
        "Use of insecure cipher '{0}'. Replace with a known secure cipher"
        " such as AES."),
    "S305": QCoreApplication.translate(
        "Security",
        "Use of insecure cipher mode '{0}'."),
    "S306": QCoreApplication.translate(
        "Security",
        "Use of insecure and deprecated function (mktemp)."),
    "S307": QCoreApplication.translate(
        "Security",
        "Use of possibly insecure function - consider using safer"
        " ast.literal_eval."),
    "S308": QCoreApplication.translate(
        "Security",
        "Use of mark_safe() may expose cross-site scripting vulnerabilities"
        " and should be reviewed."),
    "S309": QCoreApplication.translate(
        "Security",
        "Use of HTTPSConnection on older versions of Python prior to 2.7.9"
        " and 3.4.3 do not provide security, see"
        " https://wiki.openstack.org/wiki/OSSN/OSSN-0033"),
    "S310": QCoreApplication.translate(
        "Security",
        "Audit url open for permitted schemes. Allowing use of file:/ or"
        " custom schemes is often unexpected."),
    "S311": QCoreApplication.translate(
        "Security",
        "Standard pseudo-random generators are not suitable for"
        " security/cryptographic purposes."),
    "S312": QCoreApplication.translate(
        "Security",
        "Telnet-related functions are being called. Telnet is considered"
        " insecure. Use SSH or some other encrypted protocol."),
    "S313": QCoreApplication.translate(
        "Security",
        "Using '{0}' to parse untrusted XML data is known to be vulnerable to"
        " XML attacks. Replace '{0}' with its defusedxml equivalent function"
        " or make sure defusedxml.defuse_stdlib() is called."),
    "S314": QCoreApplication.translate(
        "Security",
        "Using '{0}' to parse untrusted XML data is known to be vulnerable to"
        " XML attacks. Replace '{0}' with its defusedxml equivalent function"
        " or make sure defusedxml.defuse_stdlib() is called."),
    "S315": QCoreApplication.translate(
        "Security",
        "Using '{0}' to parse untrusted XML data is known to be vulnerable to"
        " XML attacks. Replace '{0}' with its defusedxml equivalent function"
        " or make sure defusedxml.defuse_stdlib() is called."),
    "S316": QCoreApplication.translate(
        "Security",
        "Using '{0}' to parse untrusted XML data is known to be vulnerable to"
        " XML attacks. Replace '{0}' with its defusedxml equivalent function"
        " or make sure defusedxml.defuse_stdlib() is called."),
    "S317": QCoreApplication.translate(
        "Security",
        "Using '{0}' to parse untrusted XML data is known to be vulnerable to"
        " XML attacks. Replace '{0}' with its defusedxml equivalent function"
        " or make sure defusedxml.defuse_stdlib() is called."),
    "S318": QCoreApplication.translate(
        "Security",
        "Using '{0}' to parse untrusted XML data is known to be vulnerable to"
        " XML attacks. Replace '{0}' with its defusedxml equivalent function"
        " or make sure defusedxml.defuse_stdlib() is called."),
    "S319": QCoreApplication.translate(
        "Security",
        "Using '{0}' to parse untrusted XML data is known to be vulnerable to"
        " XML attacks. Replace '{0}' with its defusedxml equivalent function"
        " or make sure defusedxml.defuse_stdlib() is called."),
    "S320": QCoreApplication.translate(
        "Security",
        "Using '{0}' to parse untrusted XML data is known to be vulnerable to"
        " XML attacks. Replace '{0}' with its defusedxml equivalent"
        " function."),
    "S321": QCoreApplication.translate(
        "Security",
        "FTP-related functions are being called. FTP is considered insecure."
        " Use SSH/SFTP/SCP or some other encrypted protocol."),
    "S322": QCoreApplication.translate(
        "Security",
        "The input method in Python 2 will read from standard input, evaluate"
        " and run the resulting string as Python source code. This is"
        " similar, though in many ways worse, than using eval. On Python 2,"
        " use raw_input instead, input is safe in Python 3."),
    "S323": QCoreApplication.translate(
        "Security",
        "By default, Python will create a secure, verified SSL context for"
        " use in such classes as HTTPSConnection. However, it still allows"
        " using an insecure context via the _create_unverified_context that"
        " reverts to the previous behavior that does not validate"
        " certificates or perform hostname checks."),
    "S324": QCoreApplication.translate(
        "Security",
        "Use of os.tempnam() and os.tmpnam() is vulnerable to symlink"
        " attacks. Consider using tmpfile() instead."),
    
    # hashlib.new
    "S331": QCoreApplication.translate(
        "Security",
        "Use of insecure {0} hash function."),
    
    # blacklisted imports
    "S401": QCoreApplication.translate(
        "Security",
        "A telnet-related module is being imported.  Telnet is considered"
        " insecure. Use SSH or some other encrypted protocol."),
    "S402": QCoreApplication.translate(
        "Security",
        "A FTP-related module is being imported.  FTP is considered"
        " insecure. Use SSH/SFTP/SCP or some other encrypted protocol."),
    "S403": QCoreApplication.translate(
        "Security",
        "Consider possible security implications associated with the '{0}'"
        " module."),
    "S404": QCoreApplication.translate(
        "Security",
        "Consider possible security implications associated with the '{0}'"
        " module."),
    "S405": QCoreApplication.translate(
        "Security",
        "Using '{0}' to parse untrusted XML data is known to be vulnerable"
        " to XML attacks. Replace '{0}' with the equivalent defusedxml"
        " package, or make sure defusedxml.defuse_stdlib() is called."),
    "S406": QCoreApplication.translate(
        "Security",
        "Using '{0}' to parse untrusted XML data is known to be vulnerable"
        " to XML attacks. Replace '{0}' with the equivalent defusedxml"
        " package, or make sure defusedxml.defuse_stdlib() is called."),
    "S407": QCoreApplication.translate(
        "Security",
        "Using '{0}' to parse untrusted XML data is known to be vulnerable"
        " to XML attacks. Replace '{0}' with the equivalent defusedxml"
        " package, or make sure defusedxml.defuse_stdlib() is called."),
    "S408": QCoreApplication.translate(
        "Security",
        "Using '{0}' to parse untrusted XML data is known to be vulnerable"
        " to XML attacks. Replace '{0}' with the equivalent defusedxml"
        " package, or make sure defusedxml.defuse_stdlib() is called."),
    "S409": QCoreApplication.translate(
        "Security",
        "Using '{0}' to parse untrusted XML data is known to be vulnerable"
        " to XML attacks. Replace '{0}' with the equivalent defusedxml"
        " package, or make sure defusedxml.defuse_stdlib() is called."),
    "S410": QCoreApplication.translate(
        "Security",
        "Using '{0}' to parse untrusted XML data is known to be vulnerable"
        " to XML attacks. Replace '{0}' with the equivalent defusedxml"
        " package."),
    "S411": QCoreApplication.translate(
        "Security",
        "Using '{0}' to parse untrusted XML data is known to be vulnerable"
        " to XML attacks. Use defused.xmlrpc.monkey_patch() function to"
        " monkey-patch xmlrpclib and mitigate XML vulnerabilities."),
    "S412": QCoreApplication.translate(
        "Security",
        "Consider possible security implications associated with '{0}'"
        " module."),
    "S413": QCoreApplication.translate(
        "Security",
        "The pyCrypto library and its module '{0}' are no longer actively"
        " maintained and have been deprecated. Consider using"
        " pyca/cryptography library."),
    
    # insecure certificate usage
    "S501": QCoreApplication.translate(
        "Security",
        "'requests' call with verify=False disabling SSL certificate checks,"
        " security issue."),
    
    # insecure SSL/TLS protocol version
    "S502.1": QCoreApplication.translate(
        "Security",
        "'ssl.wrap_socket' call with insecure SSL/TLS protocol version"
        " identified, security issue."),
    "S502.2": QCoreApplication.translate(
        "Security",
        "'SSL.Context' call with insecure SSL/TLS protocol version identified,"
        " security issue."),
    "S502.3": QCoreApplication.translate(
        "Security",
        "Function call with insecure SSL/TLS protocol version identified,"
        " security issue."),
    "S503": QCoreApplication.translate(
        "Security",
        "Function definition identified with insecure SSL/TLS protocol"
        " version by default, possible security issue."),
    "S504": QCoreApplication.translate(
        "Security",
        "'ssl.wrap_socket' call with no SSL/TLS protocol version specified,"
        " the default 'SSLv23' could be insecure, possible security issue."),
    
    # weak cryptographic keys
    "S505": QCoreApplication.translate(
        "Security",
        "{0} key sizes below {1:d} bits are considered breakable."),
    
    # YAML load
    "S506": QCoreApplication.translate(
        "Security",
        "Use of unsafe 'yaml.load()'. Allows instantiation of arbitrary"
        " objects. Consider 'yaml.safe_load()'."),
    
    # SSH host key verification
    "S507": QCoreApplication.translate(
        "Security",
        "Paramiko call with policy set to automatically trust the unknown"
        " host key."),
    
    # Shell injection
    "S601": QCoreApplication.translate(
        "Security",
        "Possible shell injection via 'Paramiko' call, check inputs are"
        " properly sanitized."),
    "S602.L": QCoreApplication.translate(
        "Security",
        "'subprocess' call with shell=True seems safe, but may be changed"
        " in the future, consider rewriting without shell"),
    "S602.H": QCoreApplication.translate(
        "Security",
        "'subprocess' call with shell=True identified, security issue."),
    "S603": QCoreApplication.translate(
        "Security",
        "'subprocess' call - check for execution of untrusted input."),
    "S604": QCoreApplication.translate(
        "Security",
        "Function call with shell=True parameter identified, possible"
        " security issue."),
    "S605.L": QCoreApplication.translate(
        "Security",
        "Starting a process with a shell: Seems safe, but may be changed in"
        " the future, consider rewriting without shell"),
    "S605.H": QCoreApplication.translate(
        "Security",
        "Starting a process with a shell, possible injection detected,"
        " security issue."),
    "S606": QCoreApplication.translate(
        "Security",
        "Starting a process without a shell."),
    "S607": QCoreApplication.translate(
        "Security",
        "Starting a process with a partial executable path."),
    
    # SQL injection
    "S608": QCoreApplication.translate(
        "Security",
        "Possible SQL injection vector through string-based query"
        " construction."),
    
    # Wildcard injection
    "S609": QCoreApplication.translate(
        "Security",
        "Possible wildcard injection in call: {0}"),
    
    # Django SQL injection
    "S610": QCoreApplication.translate(
        "Security",
        "Use of 'extra()' opens a potential SQL attack vector."),
    "S611": QCoreApplication.translate(
        "Security",
        "Use of 'RawSQL()' opens a potential SQL attack vector."),
    
    # Jinja2 templates
    "S701.1": QCoreApplication.translate(
        "Security",
        "Using jinja2 templates with 'autoescape=False' is dangerous and can"
        " lead to XSS. Use 'autoescape=True' or use the 'select_autoescape'"
        " function to mitigate XSS vulnerabilities."),
    "S701.2": QCoreApplication.translate(
        "Security",
        "By default, jinja2 sets 'autoescape' to False. Consider using"
        " 'autoescape=True' or use the 'select_autoescape' function to"
        " mitigate XSS vulnerabilities."),
    
    # Mako templates
    "S702": QCoreApplication.translate(
        "Security",
        "Mako templates allow HTML/JS rendering by default and are inherently"
        " open to XSS attacks. Ensure variables in all templates are properly"
        " sanitized via the 'n', 'h' or 'x' flags (depending on context). For"
        " example, to HTML escape the variable 'data' do ${{ data |h }}."),
    
    # Django XSS vulnerability
    "S703": QCoreApplication.translate(
        "Security",
        "Potential XSS on 'mark_safe()' function."),
    
    # hardcoded AWS passwords
    "S801": QCoreApplication.translate(
        "Security",
        "Possible hardcoded AWS access key ID: {0}"),
    "S802": QCoreApplication.translate(
        "Security",
        "Possible hardcoded AWS secret access key: {0}"),
    
    # Syntax error
    "S999": QCoreApplication.translate(
        "Security",
        "{0}: {1}"),
}

_securityMessagesSampleArgs = {
    "S103": ["0o777", "testfile.txt"],
    "S105": ["password"],
    "S106": ["password"],
    "S107": ["password"],
    
    "S304": ["Crypto.Cipher.DES"],
    "S305": ["cryptography.hazmat.primitives.ciphers.modes.ECB"],
    "S313": ["xml.etree.cElementTree.parse"],
    "S314": ["xml.etree.ElementTree.parse"],
    "S315": ["xml.sax.expatreader.create_parser"],
    "S316": ["xml.dom.expatbuilder.parse"],
    "S317": ["xml.sax.parse"],
    "S318": ["xml.dom.minidom.parse"],
    "S319": ["xml.dom.pulldom.parse"],
    "S320": ["lxml.etree.parse"],
    
    "S331": ["MD5"],
    
    "S403": ["pickle"],
    "S404": ["subprocess"],
    "S405": ["xml.etree.ElementTree"],
    "S406": ["xml.sax"],
    "S407": ["xml.dom.expatbuilder"],
    "S408": ["xml.dom.minidom"],
    "S409": ["xml.dom.pulldom"],
    "S410": ["lxml"],
    "S411": ["xmlrpclib"],
    "S412": ["wsgiref.handlers.CGIHandler"],
    "S413": ["Crypto.Cipher"],
    
    "S505": ["RSA", 2048],
    
    "S609": ["os.system"],
    
    "S801": ["A1B2C3D4E5F6G7H8I9J0"],                           # secok
    "S802": ["aA1bB2cC3dD4/eE5fF6gG7+hH8iI9jJ0=kKlLM+="],       # secok
    
    "S999": ["SyntaxError", "Invalid Syntax"],
}

eric ide

mercurial