--- a/eric6/Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py Tue Jun 09 20:10:59 2020 +0200
+++ b/eric6/Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py Wed Jun 10 17:52:53 2020 +0200
@@ -49,6 +49,14 @@
 "Security",
 "Probable insecure usage of temp file/directory."),
+ # try-except
+ "S110": QCoreApplication.translate(
+ "Security",
+ "Try, Except, Pass detected."),
+ "S112": QCoreApplication.translate(
+ "Security",
+ "Try, Except, Continue detected."),
+
 # flask app
 "S201": QCoreApplication.translate(
 "Security",
@@ -236,12 +244,40 @@
 "'requests' call with verify=False disabling SSL certificate checks,"
 " security issue."),
+ # insecure SSL/TLS protocol version
+ "S502.1": QCoreApplication.translate(
+ "Security",
+ "'ssl.wrap_socket' call with insecure SSL/TLS protocol version"
+ " identified, security issue."),
+ "S502.2": QCoreApplication.translate(
+ "Security",
+ "'SSL.Context' call with insecure SSL/TLS protocol version identified,"
+ " security issue."),
+ "S502.3": QCoreApplication.translate(
+ "Security",
+ "Function call with insecure SSL/TLS protocol version identified,"
+ " security issue."),
+ "S503": QCoreApplication.translate(
+ "Security",
+ "Function definition identified with insecure SSL/TLS protocol"
+ " version by default, possible security issue."),
+ "S504": QCoreApplication.translate(
+ "Security",
+ "'ssl.wrap_socket' call with no SSL/TLS protocol version specified,"
+ " the default 'SSLv23' could be insecure, possible security issue."),
+
 # YAML load
 "S506": QCoreApplication.translate(
 "Security",
 "Use of unsafe 'yaml.load()'. Allows instantiation of arbitrary"
 " objects. Consider 'yaml.safe_load()'."),
+
+ # SSH host key verification
+ "S507": QCoreApplication.translate(
+ "Security",
+ "Paramiko call with policy set to automatically trust the unknown"
+ " host key."),
+
 # Shell injection
 "S601": QCoreApplication.translate(
 "Security",
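Review bot: The S110 and S112 messages only say the pattern was "detected" and, unlike the surrounding entries (S201, S501, S506), give the user no hint of why it is flagged. Since these strings are what the checker shows next to the offending line, a short reason helps triage: `"Try, Except, Pass detected; the exception is silently discarded."` and the same for S112 with "skipped to the next iteration". The dict holding these entries starts before this hunk.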
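Review bot: The S504 message names `'SSLv23'` as the default, but on Python 3.6 and later the `ssl_version` default of `ssl.wrap_socket` is `PROTOCOL_TLS`, of which `PROTOCOL_SSLv23` is only a deprecated alias, so users on current interpreters will not recognise the name in their own code. Naming both keeps the message accurate across versions: `" the default 'PROTOCOL_TLS' (alias 'SSLv23') negotiates any version and could be insecure, possible security issue."`. The S502.x and S503 messages in the same hunk are fine as written; the enclosing dict starts before this hunk.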
@@ -276,6 +312,17 @@
 "Security",
 "Starting a process with a partial executable path."),
+ # SQL injection
+ "S608": QCoreApplication.translate(
+ "Security",
+ "Possible SQL injection vector through string-based query"
+ " construction."),
+
+ # Wildcard injection
+ "S609": QCoreApplication.translate(
+ "Security",
+ "Possible wildcard injection in call: {0}"),
+
 # Django SQL injection
 "S610": QCoreApplication.translate(
 "Security",
@@ -284,11 +331,32 @@
 "Security",
 "Use of 'RawSQL()' opens a potential SQL attack vector."),
+ # Jinja2 templates
+ "S701.1": QCoreApplication.translate(
+ "Security",
+ "Using jinja2 templates with 'autoescape=False' is dangerous and can"
+ " lead to XSS. Use 'autoescape=True' or use the 'select_autoescape'"
+ " function to mitigate XSS vulnerabilities."),
+ "S701.2": QCoreApplication.translate(
+ "Security",
+ "By default, jinja2 sets 'autoescape' to False. Consider using"
+ " 'autoescape=True' or use the 'select_autoescape' function to"
+ " mitigate XSS vulnerabilities."),
+
+ # Mako templates
+ "S702": QCoreApplication.translate(
+ "Security",
+ "Mako templates allow HTML/JS rendering by default and are inherently"
+ " open to XSS attacks. Ensure variables in all templates are properly"
+ " sanitized via the 'n', 'h' or 'x' flags (depending on context). For"
+ " example, to HTML escape the variable 'data' do ${{ data |h }}."),
+
 # Django XSS vulnerability
 "S703": QCoreApplication.translate(
 "Security",
 "Potential XSS on 'mark_safe()' function."),
+
 # Syntax error
 "S999": QCoreApplication.translate(
 "Security",
 "{0}: {1}"),
@@ -329,5 +397,7 @@
 "S412": ["wsgiref.handlers.CGIHandler"],
 "S413": ["Crypto.Cipher"],
+ "S609": ["os.system"],
+ "S999": ["SyntaxError", "Invalid Syntax"],
 }
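Review bot: The S702 message ends with `${{ data |h }}`, which are `str.format` escapes for a literal `${ data |h }`, yet S702 gets no entry in the sample-args dict extended in the last hunk (`"S609"`, `"S999"`), so if messages are only passed through `.format()` when arguments exist — the formatting code is not in this diff, so I cannot confirm — the user will see the doubled braces verbatim. Either format every message unconditionally, or write the example as `" example, to HTML escape the variable 'data' do ${ data |h }."` and drop the escaping. Because the string goes through `QCoreApplication.translate`, a translator comment noting that the braces must be kept as written would also avoid a broken translation. The dict holding these entries starts before this hunk.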