Mercurial Repositories > eric / file comparison
comparison: eric6/Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py
eric6/Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py
- changeset 7615
- ca2949b1a29a
- parent 7614
- 646742c260bd
- child 7616
- 01d646569115
equal
deleted
inserted
replaced
| 7614:646742c260bd | 7615:ca2949b1a29a |
|---|---|
| 46 | 46 |
| 47 # hardcoded tmp directory | 47 # hardcoded tmp directory |
| 48 "S108": QCoreApplication.translate( | 48 "S108": QCoreApplication.translate( |
| 49 "Security", | 49 "Security", |
| 50 "Probable insecure usage of temp file/directory."), | 50 "Probable insecure usage of temp file/directory."), |
| 51 | |
| 52 # try-except | |
| 53 "S110": QCoreApplication.translate( | |
| 54 "Security", | |
| 55 "Try, Except, Pass detected."), | |
| 56 "S112": QCoreApplication.translate( | |
| 57 "Security", | |
| 58 "Try, Except, Continue detected."), | |
| 51 | 59 |
| 52 # flask app | 60 # flask app |
| 53 "S201": QCoreApplication.translate( | 61 "S201": QCoreApplication.translate( |
| 54 "Security", | 62 "Security", |
| 55 "A Flask app appears to be run with debug=True, which exposes the" | 63 "A Flask app appears to be run with debug=True, which exposes the" |
| 234 "S501": QCoreApplication.translate( | 242 "S501": QCoreApplication.translate( |
| 235 "Security", | 243 "Security", |
| 236 "'requests' call with verify=False disabling SSL certificate checks," | 244 "'requests' call with verify=False disabling SSL certificate checks," |
| 237 " security issue."), | 245 " security issue."), |
| 238 | 246 |
| 247 # insecure SSL/TLS protocol version | |
| 248 "S502.1": QCoreApplication.translate( | |
| 249 "Security", | |
| 250 "'ssl.wrap_socket' call with insecure SSL/TLS protocol version" | |
| 251 " identified, security issue."), | |
| 252 "S502.2": QCoreApplication.translate( | |
| 253 "Security", | |
| 254 "'SSL.Context' call with insecure SSL/TLS protocol version identified," | |
| 255 " security issue."), | |
| 256 "S502.3": QCoreApplication.translate( | |
| 257 "Security", | |
| 258 "Function call with insecure SSL/TLS protocol version identified," | |
| 259 " security issue."), | |
| 260 "S503": QCoreApplication.translate( | |
| 261 "Security", | |
| 262 "Function definition identified with insecure SSL/TLS protocol" | |
| 263 " version by default, possible security issue."), | |
| 264 "S504": QCoreApplication.translate( | |
| 265 "Security", | |
| 266 "'ssl.wrap_socket' call with no SSL/TLS protocol version specified," | |
| 267 " the default 'SSLv23' could be insecure, possible security issue."), | |
| 268 | |
| 239 # YAML load | 269 # YAML load |
| 240 "S506": QCoreApplication.translate( | 270 "S506": QCoreApplication.translate( |
| 241 "Security", | 271 "Security", |
| 242 "Use of unsafe 'yaml.load()'. Allows instantiation of arbitrary" | 272 "Use of unsafe 'yaml.load()'. Allows instantiation of arbitrary" |
| 243 " objects. Consider 'yaml.safe_load()'."), | 273 " objects. Consider 'yaml.safe_load()'."), |
| 274 | |
| 275 # SSH host key verification | |
| 276 "S507": QCoreApplication.translate( | |
| 277 "Security", | |
| 278 "Paramiko call with policy set to automatically trust the unknown" | |
| 279 " host key."), | |
| 244 | 280 |
| 245 # Shell injection | 281 # Shell injection |
| 246 "S601": QCoreApplication.translate( | 282 "S601": QCoreApplication.translate( |
| 247 "Security", | 283 "Security", |
| 248 "Possible shell injection via 'Paramiko' call, check inputs are" | 284 "Possible shell injection via 'Paramiko' call, check inputs are" |
| 274 "Starting a process without a shell."), | 310 "Starting a process without a shell."), |
| 275 "S607": QCoreApplication.translate( | 311 "S607": QCoreApplication.translate( |
| 276 "Security", | 312 "Security", |
| 277 "Starting a process with a partial executable path."), | 313 "Starting a process with a partial executable path."), |
| 278 | 314 |
| 315 # SQL injection | |
| 316 "S608": QCoreApplication.translate( | |
| 317 "Security", | |
| 318 "Possible SQL injection vector through string-based query" | |
| 319 " construction."), | |
| 320 | |
| 321 # Wildcard injection | |
| 322 "S609": QCoreApplication.translate( | |
| 323 "Security", | |
| 324 "Possible wildcard injection in call: {0}"), | |
| 325 | |
| 279 # Django SQL injection | 326 # Django SQL injection |
| 280 "S610": QCoreApplication.translate( | 327 "S610": QCoreApplication.translate( |
| 281 "Security", | 328 "Security", |
| 282 "Use of 'extra()' opens a potential SQL attack vector."), | 329 "Use of 'extra()' opens a potential SQL attack vector."), |
| 283 "S611": QCoreApplication.translate( | 330 "S611": QCoreApplication.translate( |
| 284 "Security", | 331 "Security", |
| 285 "Use of 'RawSQL()' opens a potential SQL attack vector."), | 332 "Use of 'RawSQL()' opens a potential SQL attack vector."), |
| 286 | 333 |
| 334 # Jinja2 templates | |
| 335 "S701.1": QCoreApplication.translate( | |
| 336 "Security", | |
| 337 "Using jinja2 templates with 'autoescape=False' is dangerous and can" | |
| 338 " lead to XSS. Use 'autoescape=True' or use the 'select_autoescape'" | |
| 339 " function to mitigate XSS vulnerabilities."), | |
| 340 "S701.2": QCoreApplication.translate( | |
| 341 "Security", | |
| 342 "By default, jinja2 sets 'autoescape' to False. Consider using" | |
| 343 " 'autoescape=True' or use the 'select_autoescape' function to" | |
| 344 " mitigate XSS vulnerabilities."), | |
| 345 | |
| 346 # Mako templates | |
| 347 "S702": QCoreApplication.translate( | |
| 348 "Security", | |
| 349 "Mako templates allow HTML/JS rendering by default and are inherently" | |
| 350 " open to XSS attacks. Ensure variables in all templates are properly" | |
| 351 " sanitized via the 'n', 'h' or 'x' flags (depending on context). For" | |
| 352 " example, to HTML escape the variable 'data' do ${{ data |h }}."), | |
| 353 | |
| 287 # Django XSS vulnerability | 354 # Django XSS vulnerability |
| 288 "S703": QCoreApplication.translate( | 355 "S703": QCoreApplication.translate( |
| 289 "Security", | 356 "Security", |
| 290 "Potential XSS on 'mark_safe()' function."), | 357 "Potential XSS on 'mark_safe()' function."), |
| 291 | 358 |
| 359 # Syntax error | |
| 292 "S999": QCoreApplication.translate( | 360 "S999": QCoreApplication.translate( |
| 293 "Security", | 361 "Security", |
| 294 "{0}: {1}"), | 362 "{0}: {1}"), |
| 295 | 363 |
| 296 ## "S": QCoreApplication.translate( | 364 ## "S": QCoreApplication.translate( |
| 327 "S410": ["lxml"], | 395 "S410": ["lxml"], |
| 328 "S411": ["xmlrpclib"], | 396 "S411": ["xmlrpclib"], |
| 329 "S412": ["wsgiref.handlers.CGIHandler"], | 397 "S412": ["wsgiref.handlers.CGIHandler"], |
| 330 "S413": ["Crypto.Cipher"], | 398 "S413": ["Crypto.Cipher"], |
| 331 | 399 |
| 400 "S609": ["os.system"], | |
| 401 | |
| 332 "S999": ["SyntaxError", "Invalid Syntax"], | 402 "S999": ["SyntaxError", "Invalid Syntax"], |
| 333 } | 403 } |
