Mon, 08 Jun 2020 20:08:27 +0200
Code Style Checker: continued implementing the checker for security-related issues.
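# -*- coding: utf-8 -*-

# Copyright (c) 2020 Detlev Offenbach <detlev@die-offenbachs.de>
#

"""
Module implementing message translations for the code style plugin messages
(security part).

Each entry of ``_securityMessages`` maps a security message code (``Sxxx``)
to its translatable text. Texts containing ``{0}`` are format templates; the
checker fills the placeholder with the offending call, module or cipher
name. ``_securityMessagesSampleArgs`` holds example arguments for exactly
those codes that carry a placeholder.

The message strings are deliberately written out as literals for every code
(even where several codes share the same text) so that the Qt translation
tools can extract them; do not factor them into shared constants.
"""

from PyQt5.QtCore import QCoreApplication

_securityMessages = {
    # assert used
    "S101": QCoreApplication.translate(
        "Security",
        "Use of assert detected. The enclosed code will be removed when"
        " compiling to optimised byte code."),
    
    # flask app
    "S201": QCoreApplication.translate(
        "Security",
        "A Flask app appears to be run with debug=True, which exposes the"
        " Werkzeug debugger and allows the execution of arbitrary code."),
    
    # blacklisted calls
    "S301": QCoreApplication.translate(
        "Security",
        "Pickle and modules that wrap it can be unsafe when used to "
        "deserialize untrusted data, possible security issue."),
    "S302": QCoreApplication.translate(
        "Security",
        "Deserialization with the marshal module is possibly dangerous."),
    "S303": QCoreApplication.translate(
        "Security",
        "Use of insecure MD2, MD4, MD5, or SHA1 hash function."),
    "S304": QCoreApplication.translate(
        "Security",
        "Use of insecure cipher '{0}'. Replace with a known secure cipher"
        " such as AES."),
    "S305": QCoreApplication.translate(
        "Security",
        "Use of insecure cipher mode '{0}'."),
    "S306": QCoreApplication.translate(
        "Security",
        "Use of insecure and deprecated function (mktemp)."),
    "S307": QCoreApplication.translate(
        "Security",
        "Use of possibly insecure function - consider using safer"
        " ast.literal_eval."),
    "S308": QCoreApplication.translate(
        "Security",
        "Use of mark_safe() may expose cross-site scripting vulnerabilities"
        " and should be reviewed."),
    # grammar: the subject is "Use of ...", hence "does not"
    "S309": QCoreApplication.translate(
        "Security",
        "Use of HTTPSConnection on older versions of Python prior to 2.7.9"
        " and 3.4.3 does not provide security, see"
        " https://wiki.openstack.org/wiki/OSSN/OSSN-0033"),
    "S310": QCoreApplication.translate(
        "Security",
        "Audit url open for permitted schemes. Allowing use of file:/ or"
        " custom schemes is often unexpected."),
    "S311": QCoreApplication.translate(
        "Security",
        "Standard pseudo-random generators are not suitable for"
        " security/cryptographic purposes."),
    "S312": QCoreApplication.translate(
        "Security",
        "Telnet-related functions are being called. Telnet is considered"
        " insecure. Use SSH or some other encrypted protocol."),
    # S313 - S319: stdlib XML parser calls; defusedxml provides drop-in
    # replacements or can patch the stdlib in place.
    "S313": QCoreApplication.translate(
        "Security",
        "Using '{0}' to parse untrusted XML data is known to be vulnerable to"
        " XML attacks. Replace '{0}' with its defusedxml equivalent function"
        " or make sure defusedxml.defuse_stdlib() is called."),
    "S314": QCoreApplication.translate(
        "Security",
        "Using '{0}' to parse untrusted XML data is known to be vulnerable to"
        " XML attacks. Replace '{0}' with its defusedxml equivalent function"
        " or make sure defusedxml.defuse_stdlib() is called."),
    "S315": QCoreApplication.translate(
        "Security",
        "Using '{0}' to parse untrusted XML data is known to be vulnerable to"
        " XML attacks. Replace '{0}' with its defusedxml equivalent function"
        " or make sure defusedxml.defuse_stdlib() is called."),
    "S316": QCoreApplication.translate(
        "Security",
        "Using '{0}' to parse untrusted XML data is known to be vulnerable to"
        " XML attacks. Replace '{0}' with its defusedxml equivalent function"
        " or make sure defusedxml.defuse_stdlib() is called."),
    "S317": QCoreApplication.translate(
        "Security",
        "Using '{0}' to parse untrusted XML data is known to be vulnerable to"
        " XML attacks. Replace '{0}' with its defusedxml equivalent function"
        " or make sure defusedxml.defuse_stdlib() is called."),
    "S318": QCoreApplication.translate(
        "Security",
        "Using '{0}' to parse untrusted XML data is known to be vulnerable to"
        " XML attacks. Replace '{0}' with its defusedxml equivalent function"
        " or make sure defusedxml.defuse_stdlib() is called."),
    "S319": QCoreApplication.translate(
        "Security",
        "Using '{0}' to parse untrusted XML data is known to be vulnerable to"
        " XML attacks. Replace '{0}' with its defusedxml equivalent function"
        " or make sure defusedxml.defuse_stdlib() is called."),
    # S320: lxml is not part of the stdlib, so defuse_stdlib() does not
    # cover it; only the replacement function is offered.
    "S320": QCoreApplication.translate(
        "Security",
        "Using '{0}' to parse untrusted XML data is known to be vulnerable to"
        " XML attacks. Replace '{0}' with its defusedxml equivalent"
        " function."),
    "S321": QCoreApplication.translate(
        "Security",
        "FTP-related functions are being called. FTP is considered insecure."
        " Use SSH/SFTP/SCP or some other encrypted protocol."),
    # grammar: "similar to ... worse than"
    "S322": QCoreApplication.translate(
        "Security",
        "The input method in Python 2 will read from standard input, evaluate"
        " and run the resulting string as Python source code. This is"
        " similar to, though in many ways worse than, using eval. On Python 2,"
        " use raw_input instead, input is safe in Python 3."),
    "S323": QCoreApplication.translate(
        "Security",
        "By default, Python will create a secure, verified SSL context for"
        " use in such classes as HTTPSConnection. However, it still allows"
        " using an insecure context via the _create_unverified_context that"
        " reverts to the previous behavior that does not validate"
        " certificates or perform hostname checks."),
    "S325": QCoreApplication.translate(
        "Security",
        "Use of os.tempnam() and os.tmpnam() is vulnerable to symlink"
        " attacks. Consider using tmpfile() instead."),
    
    # blacklisted imports
    "S401": QCoreApplication.translate(
        "Security",
        "A telnet-related module is being imported. Telnet is considered"
        " insecure. Use SSH or some other encrypted protocol."),
    "S402": QCoreApplication.translate(
        "Security",
        "An FTP-related module is being imported. FTP is considered"
        " insecure. Use SSH/SFTP/SCP or some other encrypted protocol."),
    "S403": QCoreApplication.translate(
        "Security",
        "Consider possible security implications associated with '{0}'"
        " module."),
    "S404": QCoreApplication.translate(
        "Security",
        "Consider possible security implications associated with '{0}'"
        " module."),
    # S405 - S409: stdlib XML modules (see S313 - S319 for the call-level
    # counterparts).
    "S405": QCoreApplication.translate(
        "Security",
        "Using '{0}' to parse untrusted XML data is known to be vulnerable"
        " to XML attacks. Replace '{0}' with the equivalent defusedxml"
        " package, or make sure defusedxml.defuse_stdlib() is called."),
    "S406": QCoreApplication.translate(
        "Security",
        "Using '{0}' to parse untrusted XML data is known to be vulnerable"
        " to XML attacks. Replace '{0}' with the equivalent defusedxml"
        " package, or make sure defusedxml.defuse_stdlib() is called."),
    "S407": QCoreApplication.translate(
        "Security",
        "Using '{0}' to parse untrusted XML data is known to be vulnerable"
        " to XML attacks. Replace '{0}' with the equivalent defusedxml"
        " package, or make sure defusedxml.defuse_stdlib() is called."),
    "S408": QCoreApplication.translate(
        "Security",
        "Using '{0}' to parse untrusted XML data is known to be vulnerable"
        " to XML attacks. Replace '{0}' with the equivalent defusedxml"
        " package, or make sure defusedxml.defuse_stdlib() is called."),
    "S409": QCoreApplication.translate(
        "Security",
        "Using '{0}' to parse untrusted XML data is known to be vulnerable"
        " to XML attacks. Replace '{0}' with the equivalent defusedxml"
        " package, or make sure defusedxml.defuse_stdlib() is called."),
    "S410": QCoreApplication.translate(
        "Security",
        "Using '{0}' to parse untrusted XML data is known to be vulnerable"
        " to XML attacks. Replace '{0}' with the equivalent defusedxml"
        " package."),
    # The monkey-patch helper lives in the defusedxml package
    # (defusedxml.xmlrpc); the former text named a non-existent
    # "defused.xmlrpc" module.
    "S411": QCoreApplication.translate(
        "Security",
        "Using '{0}' to parse untrusted XML data is known to be vulnerable"
        " to XML attacks. Use defusedxml.xmlrpc.monkey_patch() function to"
        " monkey-patch xmlrpclib and mitigate XML vulnerabilities."),
    "S412": QCoreApplication.translate(
        "Security",
        "Consider possible security implications associated with '{0}'"
        " module."),
    "S413": QCoreApplication.translate(
        "Security",
        "The pyCrypto library and its module '{0}' are no longer actively"
        " maintained and have been deprecated. Consider using"
        " pyca/cryptography library."),
    
    # insecure certificate usage
    "S501": QCoreApplication.translate(
        "Security",
        "Requests call with verify=False disabling SSL certificate checks,"
        " security issue."),
    
    # YAML load
    "S506": QCoreApplication.translate(
        "Security",
        "Use of unsafe yaml load. Allows instantiation of arbitrary objects."
        " Consider yaml.safe_load()."),
    
    # Django SQL injection
    "S610": QCoreApplication.translate(
        "Security",
        "Use of extra potential SQL attack vector."),
    "S611": QCoreApplication.translate(
        "Security",
        "Use of RawSQL potential SQL attack vector."),
    
    # Django XSS vulnerability
    "S703": QCoreApplication.translate(
        "Security",
        "Potential XSS on mark_safe() function."),
    
    # template for new entries:
##    "S": QCoreApplication.translate(
##        "Security",
##        ""),
}

# Example format arguments for every message code whose text contains a
# '{0}' placeholder; keys must stay in sync with the templates above.
_securityMessagesSampleArgs = {
    "S304": ["Crypto.Cipher.DES"],
    "S305": ["cryptography.hazmat.primitives.ciphers.modes.ECB"],
    "S313": ["xml.etree.cElementTree.parse"],
    "S314": ["xml.etree.ElementTree.parse"],
    "S315": ["xml.sax.expatreader.create_parser"],
    "S316": ["xml.dom.expatbuilder.parse"],
    "S317": ["xml.sax.parse"],
    "S318": ["xml.dom.minidom.parse"],
    "S319": ["xml.dom.pulldom.parse"],
    "S320": ["lxml.etree.parse"],
    "S403": ["pickle"],
    "S404": ["subprocess"],
    "S405": ["xml.etree.ElementTree"],
    "S406": ["xml.sax"],
    "S407": ["xml.dom.expatbuilder"],
    "S408": ["xml.dom.minidom"],
    "S409": ["xml.dom.pulldom"],
    "S410": ["lxml"],
    "S411": ["xmlrpclib"],
    "S412": ["wsgiref.handlers.CGIHandler"],
    "S413": ["Crypto.Cipher"],
}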