eric6/Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py

changeset 7613
382f89c11e27
parent 7612
ca1ce1e0fcff
child 7614
646742c260bd
--- a/eric6/Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py	Mon Jun 08 08:17:14 2020 +0200
+++ b/eric6/Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py	Mon Jun 08 20:08:27 2020 +0200
@@ -5,16 +5,26 @@
 
 
 """
-Module implementing message translations for the code style plugin messages.
+Module implementing message translations for the code style plugin messages
+(security part).
 """
 
-
 from PyQt5.QtCore import QCoreApplication
 
-
-__all__ = ["getTranslatedMessage"]
-
-_messages = {
+_securityMessages = {
+    # assert used
+    "S101": QCoreApplication.translate(
+        "Security",
+        "Use of assert detected. The enclosed code will be removed when"
+        " compiling to optimised byte code."),
+    
+    # flask app
+    "S201": QCoreApplication.translate(
+        "Security",
+        "A Flask app appears to be run with debug=True, which exposes the"
+        " Werkzeug debugger and allows the execution of arbitrary code."),
+    
+    # blacklisted calls
     "S301": QCoreApplication.translate(
         "Security",
         "Pickle and modules that wrap it can be unsafe when used to "
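Review bot: Dropping `__all__` at the same time as the module's only public function leaves the module with no declared public API, while the renamed table `_securityMessages` carries a leading underscore; whatever code now consumes this table (not visible in this hunk) has to import a private name. If the consumer lives in a sibling module of the same plugin, a short comment above the dict saying so would stop a later reader from treating the underscore as "unused and deletable", e.g. `# Looked up by the Security checker; keys match the checker's message codes.` The separator lines between groups (`+    ` after S101 and S201) carry trailing whitespace and should be empty. The dict literal continues past the end of this hunk.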
@@ -25,33 +35,216 @@
     "S303": QCoreApplication.translate(
         "Security",
         "Use of insecure MD2, MD4, MD5, or SHA1 hash function."),
-}
-
-
-_messages_sample_args = {
+    "S304": QCoreApplication.translate(
+        "Security",
+        "Use of insecure cipher '{0}'. Replace with a known secure cipher"
+        " such as AES."),
+    "S305": QCoreApplication.translate(
+        "Security",
+        "Use of insecure cipher mode '{0}'."),
+    "S306": QCoreApplication.translate(
+        "Security",
+        "Use of insecure and deprecated function (mktemp)."),
+    "S307": QCoreApplication.translate(
+        "Security",
+        "Use of possibly insecure function - consider using safer"
+        " ast.literal_eval."),
+    "S308": QCoreApplication.translate(
+        "Security",
+        "Use of mark_safe() may expose cross-site scripting vulnerabilities"
+        " and should be reviewed."),
+    "S309": QCoreApplication.translate(
+        "Security",
+        "Use of HTTPSConnection on older versions of Python prior to 2.7.9"
+        " and 3.4.3 do not provide security, see"
+        " https://wiki.openstack.org/wiki/OSSN/OSSN-0033"),
+    "S310": QCoreApplication.translate(
+        "Security",
+        "Audit url open for permitted schemes. Allowing use of file:/ or"
+        " custom schemes is often unexpected."),
+    "S311": QCoreApplication.translate(
+        "Security",
+        "Standard pseudo-random generators are not suitable for"
+        " security/cryptographic purposes."),
+    "S312": QCoreApplication.translate(
+        "Security",
+        "Telnet-related functions are being called. Telnet is considered"
+        " insecure. Use SSH or some other encrypted protocol."),
+    "S313": QCoreApplication.translate(
+        "Security",
+        "Using '{0}' to parse untrusted XML data is known to be vulnerable to"
+        " XML attacks. Replace '{0}' with its defusedxml equivalent function"
+        " or make sure defusedxml.defuse_stdlib() is called."),
+    "S314": QCoreApplication.translate(
+        "Security",
+        "Using '{0}' to parse untrusted XML data is known to be vulnerable to"
+        " XML attacks. Replace '{0}' with its defusedxml equivalent function"
+        " or make sure defusedxml.defuse_stdlib() is called."),
+    "S315": QCoreApplication.translate(
+        "Security",
+        "Using '{0}' to parse untrusted XML data is known to be vulnerable to"
+        " XML attacks. Replace '{0}' with its defusedxml equivalent function"
+        " or make sure defusedxml.defuse_stdlib() is called."),
+    "S316": QCoreApplication.translate(
+        "Security",
+        "Using '{0}' to parse untrusted XML data is known to be vulnerable to"
+        " XML attacks. Replace '{0}' with its defusedxml equivalent function"
+        " or make sure defusedxml.defuse_stdlib() is called."),
+    "S317": QCoreApplication.translate(
+        "Security",
+        "Using '{0}' to parse untrusted XML data is known to be vulnerable to"
+        " XML attacks. Replace '{0}' with its defusedxml equivalent function"
+        " or make sure defusedxml.defuse_stdlib() is called."),
+    "S318": QCoreApplication.translate(
+        "Security",
+        "Using '{0}' to parse untrusted XML data is known to be vulnerable to"
+        " XML attacks. Replace '{0}' with its defusedxml equivalent function"
+        " or make sure defusedxml.defuse_stdlib() is called."),
+    "S319": QCoreApplication.translate(
+        "Security",
+        "Using '{0}' to parse untrusted XML data is known to be vulnerable to"
+        " XML attacks. Replace '{0}' with its defusedxml equivalent function"
+        " or make sure defusedxml.defuse_stdlib() is called."),
+    "S320": QCoreApplication.translate(
+        "Security",
+        "Using '{0}' to parse untrusted XML data is known to be vulnerable to"
+        " XML attacks. Replace '{0}' with its defusedxml equivalent"
+        " function."),
+    "S321": QCoreApplication.translate(
+        "Security",
+        "FTP-related functions are being called. FTP is considered insecure."
+        " Use SSH/SFTP/SCP or some other encrypted protocol."),
+    "S322": QCoreApplication.translate(
+        "Security",
+        "The input method in Python 2 will read from standard input, evaluate"
+        " and run the resulting string as Python source code. This is"
+        " similar, though in many ways worse, than using eval. On Python 2,"
+        " use raw_input instead, input is safe in Python 3."),
+    "S323": QCoreApplication.translate(
+        "Security",
+        "By default, Python will create a secure, verified SSL context for"
+        " use in such classes as HTTPSConnection. However, it still allows"
+        " using an insecure context via the _create_unverified_context that"
+        " reverts to the previous behavior that does not validate"
+        " certificates or perform hostname checks."),
+    "S325": QCoreApplication.translate(
+        "Security",
+        "Use of os.tempnam() and os.tmpnam() is vulnerable to symlink"
+        " attacks. Consider using tmpfile() instead."),
+    
+    # blacklisted imports
+    "S401": QCoreApplication.translate(
+        "Security",
+        "A telnet-related module is being imported.  Telnet is considered"
+        " insecure. Use SSH or some other encrypted protocol."),
+    "S402": QCoreApplication.translate(
+        "Security",
+        "A FTP-related module is being imported.  FTP is considered"
+        " insecure. Use SSH/SFTP/SCP or some other encrypted protocol."),
+    "S403": QCoreApplication.translate(
+        "Security",
+        "Consider possible security implications associated with '{0}'"
+        " module."),
+    "S404": QCoreApplication.translate(
+        "Security",
+        "Consider possible security implications associated with '{0}'"
+        " module."),
+    "S405": QCoreApplication.translate(
+        "Security",
+        "Using '{0}' to parse untrusted XML data is known to be vulnerable"
+        " to XML attacks. Replace '{0}' with the equivalent defusedxml"
+        " package, or make sure defusedxml.defuse_stdlib() is called."),
+    "S406": QCoreApplication.translate(
+        "Security",
+        "Using '{0}' to parse untrusted XML data is known to be vulnerable"
+        " to XML attacks. Replace '{0}' with the equivalent defusedxml"
+        " package, or make sure defusedxml.defuse_stdlib() is called."),
+    "S407": QCoreApplication.translate(
+        "Security",
+        "Using '{0}' to parse untrusted XML data is known to be vulnerable"
+        " to XML attacks. Replace '{0}' with the equivalent defusedxml"
+        " package, or make sure defusedxml.defuse_stdlib() is called."),
+    "S408": QCoreApplication.translate(
+        "Security",
+        "Using '{0}' to parse untrusted XML data is known to be vulnerable"
+        " to XML attacks. Replace '{0}' with the equivalent defusedxml"
+        " package, or make sure defusedxml.defuse_stdlib() is called."),
+    "S409": QCoreApplication.translate(
+        "Security",
+        "Using '{0}' to parse untrusted XML data is known to be vulnerable"
+        " to XML attacks. Replace '{0}' with the equivalent defusedxml"
+        " package, or make sure defusedxml.defuse_stdlib() is called."),
+    "S410": QCoreApplication.translate(
+        "Security",
+        "Using '{0}' to parse untrusted XML data is known to be vulnerable"
+        " to XML attacks. Replace '{0}' with the equivalent defusedxml"
+        " package."),
+    "S411": QCoreApplication.translate(
+        "Security",
+        "Using '{0}' to parse untrusted XML data is known to be vulnerable"
+        " to XML attacks. Use defused.xmlrpc.monkey_patch() function to"
+        " monkey-patch xmlrpclib and mitigate XML vulnerabilities."),
+    "S412": QCoreApplication.translate(
+        "Security",
+        "Consider possible security implications associated with '{0}'"
+        " module."),
+    "S413": QCoreApplication.translate(
+        "Security",
+        "The pyCrypto library and its module '{0}' are no longer actively"
+        " maintained and have been deprecated. Consider using"
+        " pyca/cryptography library."),
+    
+    # insecure certificate usage
+    "S501": QCoreApplication.translate(
+        "Security",
+        "Requests call with verify=False disabling SSL certificate checks,"
+        " security issue."),
+    
+    # YAML load
+    "S506": QCoreApplication.translate(
+        "Security",
+        "Use of unsafe yaml load. Allows instantiation of arbitrary objects."
+        " Consider yaml.safe_load()."),
+    
+    # Django SQL injection
+    "S610": QCoreApplication.translate(
+        "Security",
+        "Use of extra potential SQL attack vector."),
+    "S611": QCoreApplication.translate(
+        "Security",
+        "Use of RawSQL potential SQL attack vector."),
+    
+    # Django XSS vulnerability
+    "S703": QCoreApplication.translate(
+        "Security",
+        "Potential XSS on mark_safe() function."),
+    
+##    "S": QCoreApplication.translate(
+##        "Security",
+##        ""),
 }
 
-
-def getTranslatedMessage(messageCode, messageArgs):
-    """
-    Module function to get a translated and formatted message for a
-    given message ID.
+_securityMessagesSampleArgs = {
+    "S304": ["Crypto.Cipher.DES"],
+    "S305": ["cryptography.hazmat.primitives.ciphers.modes.ECB"],
+    "S313": ["xml.etree.cElementTree.parse"],
+    "S314": ["xml.etree.ElementTree.parse"],
+    "S315": ["xml.sax.expatreader.create_parser"],
+    "S316": ["xml.dom.expatbuilder.parse"],
+    "S317": ["xml.sax.parse"],
+    "S318": ["xml.dom.minidom.parse"],
+    "S319": ["xml.dom.pulldom.parse"],
+    "S320": ["lxml.etree.parse"],
     
-    @param messageCode the message code
-    @type str
-    @param messageArgs list of arguments or a single integer value to format
-        the message
-    @type list or int
-    @return translated and formatted message
-    @rtype str
-    """
-    if messageCode in _messages:
-        if isinstance(messageArgs, int):
-            # Retranslate with correct plural form
-            return _messages[messageCode](messageArgs)
-        else:
-            return _messages[messageCode].format(*messageArgs)
-    else:
-        return QCoreApplication.translate(
-            "CodeStyleFixer", " no message defined for code '{0}'"
-        ).format(messageCode)
+    "S403": ["pickle"],
+    "S404": ["subprocess"],
+    "S405": ["xml.etree.ElementTree"],
+    "S406": ["xml.sax"],
+    "S407": ["xml.dom.expatbuilder"],
+    "S408": ["xml.dom.minidom"],
+    "S409": ["xml.dom.pulldom"],
+    "S410": ["lxml"],
+    "S411": ["xmlrpclib"],
+    "S412": ["wsgiref.handlers.CGIHandler"],
+    "S413": ["Crypto.Cipher"],
+}
