eric6/Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py

changeset 7614
646742c260bd
parent 7613
382f89c11e27
child 7615
ca2949b1a29a
--- a/eric6/Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py	Mon Jun 08 20:08:27 2020 +0200
+++ b/eric6/Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py	Tue Jun 09 20:10:59 2020 +0200
@@ -15,9 +15,40 @@
     # assert used
     "S101": QCoreApplication.translate(
         "Security",
-        "Use of assert detected. The enclosed code will be removed when"
+        "Use of 'assert' detected. The enclosed code will be removed when"
         " compiling to optimised byte code."),
     
+    # exec used
+    "S102": QCoreApplication.translate(
+        "Security",
+        "Use of 'exec' detected."),
+    
+    # bad file permissions
+    "S103": QCoreApplication.translate(
+        "Security",
+        "'chmod' setting a permissive mask {0} on file ({1})."),
+    
+    # bind to all interfaces
+    "S104": QCoreApplication.translate(
+        "Security",
+        "Possible binding to all interfaces."),
+    
+    # hardcoded passwords
+    "S105": QCoreApplication.translate(
+        "Security",
+        "Possible hardcoded password: '{0}'"),
+    "S106": QCoreApplication.translate(
+        "Security",
+        "Possible hardcoded password: '{0}'"),
+    "S107": QCoreApplication.translate(
+        "Security",
+        "Possible hardcoded password: '{0}'"),
+    
+    # hardcoded tmp directory
+    "S108": QCoreApplication.translate(
+        "Security",
+        "Probable insecure usage of temp file/directory."),
+    
     # flask app
     "S201": QCoreApplication.translate(
         "Security",
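Review bot: The three new entries S105, S106 and S107 carry the byte-identical message `"Possible hardcoded password: '{0}'"`, so a report only distinguishes them by code; since they are kept as separate codes they presumably fire in different contexts, and the message is the user's only hint about where the secret was found. Consider naming the context in each text, e.g. keep S105 as is and make S106 `"Possible hardcoded password in function argument: '{0}'"` and S107 `"Possible hardcoded password in default argument: '{0}'"`, adjusting the wording to whatever the corresponding checks actually match (not visible here). The enclosing dictionary starts before this hunk.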
@@ -132,6 +163,11 @@
         "Use of os.tempnam() and os.tmpnam() is vulnerable to symlink"
         " attacks. Consider using tmpfile() instead."),
     
+    # hashlib.new
+    "S324": QCoreApplication.translate(
+        "Security",
+        "Use of insecure {0} hash function."),
+    
     # blacklisted imports
     "S401": QCoreApplication.translate(
         "Security",
@@ -197,27 +233,65 @@
     # insecure certificate usage
     "S501": QCoreApplication.translate(
         "Security",
-        "Requests call with verify=False disabling SSL certificate checks,"
+        "'requests' call with verify=False disabling SSL certificate checks,"
         " security issue."),
     
     # YAML load
     "S506": QCoreApplication.translate(
         "Security",
-        "Use of unsafe yaml load. Allows instantiation of arbitrary objects."
-        " Consider yaml.safe_load()."),
+        "Use of unsafe 'yaml.load()'. Allows instantiation of arbitrary"
+        " objects. Consider 'yaml.safe_load()'."),
+    
+    # Shell injection
+    "S601": QCoreApplication.translate(
+        "Security",
+        "Possible shell injection via 'Paramiko' call, check inputs are"
+        " properly sanitized."),
+    "S602.L": QCoreApplication.translate(
+        "Security",
+        "'subprocess' call with shell=True seems safe, but may be changed"
+        " in the future, consider rewriting without shell"),
+    "S602.H": QCoreApplication.translate(
+        "Security",
+        "'subprocess' call with shell=True identified, security issue."),
+    "S603": QCoreApplication.translate(
+        "Security",
+        "'subprocess' call - check for execution of untrusted input."),
+    "S604": QCoreApplication.translate(
+        "Security",
+        "Function call with shell=True parameter identified, possible"
+        " security issue."),
+    "S605.L": QCoreApplication.translate(
+        "Security",
+        "Starting a process with a shell: Seems safe, but may be changed in"
+        " the future, consider rewriting without shell"),
+    "S605.H": QCoreApplication.translate(
+        "Security",
+        "Starting a process with a shell, possible injection detected,"
+        " security issue."),
+    "S606": QCoreApplication.translate(
+        "Security",
+        "Starting a process without a shell."),
+    "S607": QCoreApplication.translate(
+        "Security",
+        "Starting a process with a partial executable path."),
     
     # Django SQL injection
     "S610": QCoreApplication.translate(
         "Security",
-        "Use of extra potential SQL attack vector."),
+        "Use of 'extra()' opens a potential SQL attack vector."),
     "S611": QCoreApplication.translate(
         "Security",
-        "Use of RawSQL potential SQL attack vector."),
+        "Use of 'RawSQL()' opens a potential SQL attack vector."),
     
     # Django XSS vulnerability
     "S703": QCoreApplication.translate(
         "Security",
-        "Potential XSS on mark_safe() function."),
+        "Potential XSS on 'mark_safe()' function."),
+    
+    "S999": QCoreApplication.translate(
+        "Security",
+        "{0}: {1}"),
     
 ##    "S": QCoreApplication.translate(
 ##        "Security",
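Review bot: The S602.L and S605.L texts end without a period (`" in the future, consider rewriting without shell"` and `" the future, consider rewriting without shell"`), while every other message in this table ends with one; appending the period to both keeps the rendered output uniform. The new S999 entry is also the only one in the table without a preceding category comment; from the sample arguments added later in the diff it looks like a generic "exception name: message" pass-through, so a line such as `# generic error report: {0} exception name, {1} message` above it would document that, assuming that is its purpose. The enclosing dictionary starts before this hunk and is closed in the next one.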
@@ -225,6 +299,11 @@
 }
 
 _securityMessagesSampleArgs = {
+    "S103": ["0o777", "testfile.txt"],
+    "S105": ["password"],
+    "S106": ["password"],
+    "S107": ["password"],
+    
     "S304": ["Crypto.Cipher.DES"],
     "S305": ["cryptography.hazmat.primitives.ciphers.modes.ECB"],
     "S313": ["xml.etree.cElementTree.parse"],
@@ -236,6 +315,8 @@
     "S319": ["xml.dom.pulldom.parse"],
     "S320": ["lxml.etree.parse"],
     
+    "S324": ["MD5"],
+    
     "S403": ["pickle"],
     "S404": ["subprocess"],
     "S405": ["xml.etree.ElementTree"],
@@ -247,4 +328,6 @@
     "S411": ["xmlrpclib"],
     "S412": ["wsgiref.handlers.CGIHandler"],
     "S413": ["Crypto.Cipher"],
+    
+    "S999": ["SyntaxError", "Invalid Syntax"],
 }
