src/eric7/Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py

branch
eric7
changeset 9209
b99e7fd55fd3
parent 8881
54e42bc2437a
child 9221
bf71ee032bb4
1 # -*- coding: utf-8 -*-
2
3 # Copyright (c) 2020 - 2022 Detlev Offenbach <detlev@die-offenbachs.de>
4 #
5
6
7 """
8 Module implementing message translations for the code style plugin messages
9 (security part).
10 """
11
12 from PyQt6.QtCore import QCoreApplication
13
# Mapping of security check code -> human readable message text.
#
# Keys are the codes reported by the security checkers: "S" followed by a
# number, a few with a sub-code suffix (".1"/".2"/".3" for the different call
# shapes of one check, ".L"/".H" for what reads like a low/high severity
# variant of the same finding).  Values are English source strings wrapped in
# QCoreApplication.translate() with the "Security" context so the Qt
# translation tooling can extract them.  Entries containing "{0}", "{1}" ...
# are str.format() templates (note the "{1:d}" spec in S505); the arguments
# are presumably supplied by the reporting checker, and
# _securityMessagesSampleArgs further down documents the argument shape each
# template expects.
#
# NOTE(review): the English text is also the lookup key into the translation
# catalogs, so rewording an entry orphans its existing translations.  Several
# messages below have wording worth fixing (see the per-entry notes) but are
# deliberately left untouched here for that reason.
_securityMessages = {
    # assert used
    "S101": QCoreApplication.translate(
        "Security",
        "Use of 'assert' detected. The enclosed code will be removed when"
        " compiling to optimised byte code."),

    # exec used
    "S102": QCoreApplication.translate(
        "Security",
        "Use of 'exec' detected."),

    # bad file permissions
    # {0} = the mode argument, {1} = the file path (see sample args)
    "S103": QCoreApplication.translate(
        "Security",
        "'chmod' setting a permissive mask {0} on file ({1})."),

    # bind to all interfaces
    "S104": QCoreApplication.translate(
        "Security",
        "Possible binding to all interfaces."),

    # hardcoded passwords
    # Three codes, one wording: presumably the string-literal, function
    # argument and default-parameter variants of the detector -- confirm
    # against the checker before relying on the distinction.
    "S105": QCoreApplication.translate(
        "Security",
        "Possible hardcoded password: '{0}'"),
    "S106": QCoreApplication.translate(
        "Security",
        "Possible hardcoded password: '{0}'"),
    "S107": QCoreApplication.translate(
        "Security",
        "Possible hardcoded password: '{0}'"),

    # hardcoded tmp directory
    "S108": QCoreApplication.translate(
        "Security",
        "Probable insecure usage of temp file/directory."),

    # try-except
    # Silently swallowed exceptions hide failures of security checks; S111
    # is unassigned in this table.
    "S110": QCoreApplication.translate(
        "Security",
        "Try, Except, Pass detected."),
    "S112": QCoreApplication.translate(
        "Security",
        "Try, Except, Continue detected."),

    # flask app
    "S201": QCoreApplication.translate(
        "Security",
        "A Flask app appears to be run with debug=True, which exposes the"
        " Werkzeug debugger and allows the execution of arbitrary code."),

    # blacklisted calls
    "S301": QCoreApplication.translate(
        "Security",
        "Pickle and modules that wrap it can be unsafe when used to "
        "deserialize untrusted data, possible security issue."),
    "S302": QCoreApplication.translate(
        "Security",
        "Deserialization with the marshal module is possibly dangerous."),
    "S303": QCoreApplication.translate(
        "Security",
        "Use of insecure MD2, MD4, MD5, or SHA1 hash function."),
    # {0} = dotted name of the cipher primitive that was called
    "S304": QCoreApplication.translate(
        "Security",
        "Use of insecure cipher '{0}'. Replace with a known secure cipher"
        " such as AES."),
    # {0} = dotted name of the cipher mode (e.g. ECB)
    "S305": QCoreApplication.translate(
        "Security",
        "Use of insecure cipher mode '{0}'."),
    "S306": QCoreApplication.translate(
        "Security",
        "Use of insecure and deprecated function (mktemp)."),
    "S307": QCoreApplication.translate(
        "Security",
        "Use of possibly insecure function - consider using safer"
        " ast.literal_eval."),
    "S308": QCoreApplication.translate(
        "Security",
        "Use of mark_safe() may expose cross-site scripting vulnerabilities"
        " and should be reviewed."),
    # NOTE(review): grammar -- "Use ... do not provide" should read "does not
    # provide"; left as-is because the text is the translation key.
    "S309": QCoreApplication.translate(
        "Security",
        "Use of HTTPSConnection on older versions of Python prior to 2.7.9"
        " and 3.4.3 do not provide security, see"
        " https://wiki.openstack.org/wiki/OSSN/OSSN-0033"),
    "S310": QCoreApplication.translate(
        "Security",
        "Audit url open for permitted schemes. Allowing use of file:/ or"
        " custom schemes is often unexpected."),
    "S311": QCoreApplication.translate(
        "Security",
        "Standard pseudo-random generators are not suitable for"
        " security/cryptographic purposes."),
    "S312": QCoreApplication.translate(
        "Security",
        "Telnet-related functions are being called. Telnet is considered"
        " insecure. Use SSH or some other encrypted protocol."),
    # S313 - S319: one code per stdlib XML parsing entry point ({0} = the
    # called function, see sample args).  The wording is identical for all
    # of them; S320 (lxml) differs only by dropping the defuse_stdlib() hint,
    # which makes sense since lxml is not part of the stdlib.
    "S313": QCoreApplication.translate(
        "Security",
        "Using '{0}' to parse untrusted XML data is known to be vulnerable to"
        " XML attacks. Replace '{0}' with its defusedxml equivalent function"
        " or make sure defusedxml.defuse_stdlib() is called."),
    "S314": QCoreApplication.translate(
        "Security",
        "Using '{0}' to parse untrusted XML data is known to be vulnerable to"
        " XML attacks. Replace '{0}' with its defusedxml equivalent function"
        " or make sure defusedxml.defuse_stdlib() is called."),
    "S315": QCoreApplication.translate(
        "Security",
        "Using '{0}' to parse untrusted XML data is known to be vulnerable to"
        " XML attacks. Replace '{0}' with its defusedxml equivalent function"
        " or make sure defusedxml.defuse_stdlib() is called."),
    "S316": QCoreApplication.translate(
        "Security",
        "Using '{0}' to parse untrusted XML data is known to be vulnerable to"
        " XML attacks. Replace '{0}' with its defusedxml equivalent function"
        " or make sure defusedxml.defuse_stdlib() is called."),
    "S317": QCoreApplication.translate(
        "Security",
        "Using '{0}' to parse untrusted XML data is known to be vulnerable to"
        " XML attacks. Replace '{0}' with its defusedxml equivalent function"
        " or make sure defusedxml.defuse_stdlib() is called."),
    "S318": QCoreApplication.translate(
        "Security",
        "Using '{0}' to parse untrusted XML data is known to be vulnerable to"
        " XML attacks. Replace '{0}' with its defusedxml equivalent function"
        " or make sure defusedxml.defuse_stdlib() is called."),
    "S319": QCoreApplication.translate(
        "Security",
        "Using '{0}' to parse untrusted XML data is known to be vulnerable to"
        " XML attacks. Replace '{0}' with its defusedxml equivalent function"
        " or make sure defusedxml.defuse_stdlib() is called."),
    "S320": QCoreApplication.translate(
        "Security",
        "Using '{0}' to parse untrusted XML data is known to be vulnerable to"
        " XML attacks. Replace '{0}' with its defusedxml equivalent"
        " function."),
    "S321": QCoreApplication.translate(
        "Security",
        "FTP-related functions are being called. FTP is considered insecure."
        " Use SSH/SFTP/SCP or some other encrypted protocol."),
    # Only meaningful for Python 2 sources, as the text itself says.
    "S322": QCoreApplication.translate(
        "Security",
        "The input method in Python 2 will read from standard input, evaluate"
        " and run the resulting string as Python source code. This is"
        " similar, though in many ways worse, than using eval. On Python 2,"
        " use raw_input instead, input is safe in Python 3."),
    "S323": QCoreApplication.translate(
        "Security",
        "By default, Python will create a secure, verified SSL context for"
        " use in such classes as HTTPSConnection. However, it still allows"
        " using an insecure context via the _create_unverified_context that"
        " reverts to the previous behavior that does not validate"
        " certificates or perform hostname checks."),
    # NOTE(review): os.tempnam()/os.tmpnam() are Python 2 only, and
    # "tmpfile()" is not a Python name -- the stdlib replacement is
    # tempfile.TemporaryFile()/mkstemp().  Wording kept: translation key.
    "S324": QCoreApplication.translate(
        "Security",
        "Use of os.tempnam() and os.tmpnam() is vulnerable to symlink"
        " attacks. Consider using tmpfile() instead."),

    # hashlib.new
    # {0} = the algorithm name passed to hashlib.new()
    "S331": QCoreApplication.translate(
        "Security",
        "Use of insecure {0} hash function."),

    # blacklisted imports
    "S401": QCoreApplication.translate(
        "Security",
        "A telnet-related module is being imported. Telnet is considered"
        " insecure. Use SSH or some other encrypted protocol."),
    "S402": QCoreApplication.translate(
        "Security",
        "A FTP-related module is being imported. FTP is considered"
        " insecure. Use SSH/SFTP/SCP or some other encrypted protocol."),
    # {0} = imported module name (S403 pickle, S404 subprocess per sample args)
    "S403": QCoreApplication.translate(
        "Security",
        "Consider possible security implications associated with the '{0}'"
        " module."),
    "S404": QCoreApplication.translate(
        "Security",
        "Consider possible security implications associated with the '{0}'"
        " module."),
    # S405 - S411: import-level counterparts of S313 - S320 ({0} = module).
    "S405": QCoreApplication.translate(
        "Security",
        "Using '{0}' to parse untrusted XML data is known to be vulnerable"
        " to XML attacks. Replace '{0}' with the equivalent defusedxml"
        " package, or make sure defusedxml.defuse_stdlib() is called."),
    "S406": QCoreApplication.translate(
        "Security",
        "Using '{0}' to parse untrusted XML data is known to be vulnerable"
        " to XML attacks. Replace '{0}' with the equivalent defusedxml"
        " package, or make sure defusedxml.defuse_stdlib() is called."),
    "S407": QCoreApplication.translate(
        "Security",
        "Using '{0}' to parse untrusted XML data is known to be vulnerable"
        " to XML attacks. Replace '{0}' with the equivalent defusedxml"
        " package, or make sure defusedxml.defuse_stdlib() is called."),
    "S408": QCoreApplication.translate(
        "Security",
        "Using '{0}' to parse untrusted XML data is known to be vulnerable"
        " to XML attacks. Replace '{0}' with the equivalent defusedxml"
        " package, or make sure defusedxml.defuse_stdlib() is called."),
    "S409": QCoreApplication.translate(
        "Security",
        "Using '{0}' to parse untrusted XML data is known to be vulnerable"
        " to XML attacks. Replace '{0}' with the equivalent defusedxml"
        " package, or make sure defusedxml.defuse_stdlib() is called."),
    "S410": QCoreApplication.translate(
        "Security",
        "Using '{0}' to parse untrusted XML data is known to be vulnerable"
        " to XML attacks. Replace '{0}' with the equivalent defusedxml"
        " package."),
    # NOTE(review): the sample arg is "xmlrpclib" (Python 2 name); verify the
    # checker also matches the Python 3 "xmlrpc" package.
    "S411": QCoreApplication.translate(
        "Security",
        "Using '{0}' to parse untrusted XML data is known to be vulnerable"
        " to XML attacks. Use defused.xmlrpc.monkey_patch() function to"
        " monkey-patch xmlrpclib and mitigate XML vulnerabilities."),
    "S412": QCoreApplication.translate(
        "Security",
        "Consider possible security implications associated with '{0}'"
        " module."),
    "S413": QCoreApplication.translate(
        "Security",
        "The pyCrypto library and its module '{0}' are no longer actively"
        " maintained and have been deprecated. Consider using"
        " pyca/cryptography library."),

    # insecure certificate usage
    "S501": QCoreApplication.translate(
        "Security",
        "'requests' call with verify=False disabling SSL certificate checks,"
        " security issue."),

    # insecure SSL/TLS protocol version
    # .1/.2/.3 distinguish the call shape (ssl.wrap_socket, pyOpenSSL
    # SSL.Context, any other function) rather than severity.
    "S502.1": QCoreApplication.translate(
        "Security",
        "'ssl.wrap_socket' call with insecure SSL/TLS protocol version"
        " identified, security issue."),
    "S502.2": QCoreApplication.translate(
        "Security",
        "'SSL.Context' call with insecure SSL/TLS protocol version identified,"
        " security issue."),
    "S502.3": QCoreApplication.translate(
        "Security",
        "Function call with insecure SSL/TLS protocol version identified,"
        " security issue."),
    "S503": QCoreApplication.translate(
        "Security",
        "Function definition identified with insecure SSL/TLS protocol"
        " version by default, possible security issue."),
    # NOTE(review): 'SSLv23' refers to the ssl.PROTOCOL_SSLv23 constant; on
    # current Python it is an alias of PROTOCOL_TLS and ssl.wrap_socket()
    # has since been removed (3.12) -- confirm the checker also covers
    # SSLContext.wrap_socket() before treating this finding as complete.
    "S504": QCoreApplication.translate(
        "Security",
        "'ssl.wrap_socket' call with no SSL/TLS protocol version specified,"
        " the default 'SSLv23' could be insecure, possible security issue."),

    # weak cryptographic keys
    # {0} = algorithm name (e.g. RSA), {1} = minimum key size as an int
    "S505": QCoreApplication.translate(
        "Security",
        "{0} key sizes below {1:d} bits are considered breakable."),

    # YAML load
    "S506": QCoreApplication.translate(
        "Security",
        "Use of unsafe 'yaml.load()'. Allows instantiation of arbitrary"
        " objects. Consider 'yaml.safe_load()'."),

    # SSH host key verification
    "S507": QCoreApplication.translate(
        "Security",
        "Paramiko call with policy set to automatically trust the unknown"
        " host key."),

    # Shell injection
    "S601": QCoreApplication.translate(
        "Security",
        "Possible shell injection via 'Paramiko' call, check inputs are"
        " properly sanitized."),
    # .L / .H: the "seems safe" wording vs. the definite "security issue"
    # wording for the same construct (apparently a confidence/severity split).
    "S602.L": QCoreApplication.translate(
        "Security",
        "'subprocess' call with shell=True seems safe, but may be changed"
        " in the future, consider rewriting without shell"),
    "S602.H": QCoreApplication.translate(
        "Security",
        "'subprocess' call with shell=True identified, security issue."),
    "S603": QCoreApplication.translate(
        "Security",
        "'subprocess' call - check for execution of untrusted input."),
    "S604": QCoreApplication.translate(
        "Security",
        "Function call with shell=True parameter identified, possible"
        " security issue."),
    "S605.L": QCoreApplication.translate(
        "Security",
        "Starting a process with a shell: Seems safe, but may be changed in"
        " the future, consider rewriting without shell"),
    "S605.H": QCoreApplication.translate(
        "Security",
        "Starting a process with a shell, possible injection detected,"
        " security issue."),
    "S606": QCoreApplication.translate(
        "Security",
        "Starting a process without a shell."),
    # Partial (relative) executable paths are resolved via PATH lookup and
    # can therefore be hijacked.
    "S607": QCoreApplication.translate(
        "Security",
        "Starting a process with a partial executable path."),

    # SQL injection
    "S608": QCoreApplication.translate(
        "Security",
        "Possible SQL injection vector through string-based query"
        " construction."),

    # Wildcard injection
    # {0} = the process-starting call (e.g. os.system)
    "S609": QCoreApplication.translate(
        "Security",
        "Possible wildcard injection in call: {0}"),

    # Django SQL injection
    "S610": QCoreApplication.translate(
        "Security",
        "Use of 'extra()' opens a potential SQL attack vector."),
    "S611": QCoreApplication.translate(
        "Security",
        "Use of 'RawSQL()' opens a potential SQL attack vector."),

    # Jinja2 templates
    "S701.1": QCoreApplication.translate(
        "Security",
        "Using jinja2 templates with 'autoescape=False' is dangerous and can"
        " lead to XSS. Use 'autoescape=True' or use the 'select_autoescape'"
        " function to mitigate XSS vulnerabilities."),
    "S701.2": QCoreApplication.translate(
        "Security",
        "By default, jinja2 sets 'autoescape' to False. Consider using"
        " 'autoescape=True' or use the 'select_autoescape' function to"
        " mitigate XSS vulnerabilities."),

    # Mako templates
    # The doubled braces in "${{ data |h }}" are escaped so that str.format()
    # emits a literal "${ data |h }"; do not "fix" them.
    "S702": QCoreApplication.translate(
        "Security",
        "Mako templates allow HTML/JS rendering by default and are inherently"
        " open to XSS attacks. Ensure variables in all templates are properly"
        " sanitized via the 'n', 'h' or 'x' flags (depending on context). For"
        " example, to HTML escape the variable 'data' do ${{ data |h }}."),

    # Django XSS vulnerability
    "S703": QCoreApplication.translate(
        "Security",
        "Potential XSS on 'mark_safe()' function."),

    # hardcoded AWS passwords
    # {0} = the matched credential string.  Note that the matched value is
    # echoed verbatim into the message (and thus into any report/log).
    "S801": QCoreApplication.translate(
        "Security",
        "Possible hardcoded AWS access key ID: {0}"),
    "S802": QCoreApplication.translate(
        "Security",
        "Possible hardcoded AWS secret access key: {0}"),
}
372
# Example format arguments for the templated messages in _securityMessages,
# keyed by the same codes (presumably used to render message previews).
#
# Only codes whose template contains "{0}"/"{1}" placeholders appear here,
# and each list has exactly as many entries as the template has positional
# placeholders: S103 and S505 take two, and S505's second value is an int
# because its template uses the "{1:d}" spec.  Keep this table in sync when
# a template gains or loses a placeholder.
#
# The S801/S802 values are deliberately fake credential look-alikes that only
# mimic the shape the detectors match (20 upper-case alphanumerics, 40
# base64-ish characters).  The trailing "# secok" marker on those lines is,
# presumably, the suppression for eric's own hardcoded-secret check -- keep
# it on the same line as the value.
_securityMessagesSampleArgs = {
    "S103": ["0o777", "testfile.txt"],
    "S105": ["password"],
    "S106": ["password"],
    "S107": ["password"],

    "S304": ["Crypto.Cipher.DES"],
    "S305": ["cryptography.hazmat.primitives.ciphers.modes.ECB"],
    "S313": ["xml.etree.cElementTree.parse"],
    "S314": ["xml.etree.ElementTree.parse"],
    "S315": ["xml.sax.expatreader.create_parser"],
    "S316": ["xml.dom.expatbuilder.parse"],
    "S317": ["xml.sax.parse"],
    "S318": ["xml.dom.minidom.parse"],
    "S319": ["xml.dom.pulldom.parse"],
    "S320": ["lxml.etree.parse"],

    "S331": ["MD5"],

    "S403": ["pickle"],
    "S404": ["subprocess"],
    "S405": ["xml.etree.ElementTree"],
    "S406": ["xml.sax"],
    "S407": ["xml.dom.expatbuilder"],
    "S408": ["xml.dom.minidom"],
    "S409": ["xml.dom.pulldom"],
    "S410": ["lxml"],
    # Python 2 module name; the Python 3 package is "xmlrpc" -- verify the
    # checker handles both.
    "S411": ["xmlrpclib"],
    "S412": ["wsgiref.handlers.CGIHandler"],
    "S413": ["Crypto.Cipher"],

    # second value must be an int (template uses "{1:d}")
    "S505": ["RSA", 2048],

    "S609": ["os.system"],

    "S801": ["A1B2C3D4E5F6G7H8I9J0"],    # secok
    "S802": ["aA1bB2cC3dD4/eE5fF6gG7+hH8iI9jJ0=kKlLM+="],    # secok
}
