Mercurial Repositories > eric / file revision
eric6/Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py@91e843545d9a
eric6/Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py
Wed, 30 Dec 2020 11:00:05 +0100
- author
- Detlev Offenbach <detlev@die-offenbachs.de>
- date
- Wed, 30 Dec 2020 11:00:05 +0100
- changeset 7923
- 91e843545d9a
- parent 7628
- f904d0eef264
- child 8198
- 1c765dc90c21
- permissions
- -rw-r--r--
Updated copyright for 2021.
# -*- coding: utf-8 -*- # Copyright (c) 2020 - 2021 Detlev Offenbach <detlev@die-offenbachs.de> # """ Module implementing message translations for the code style plugin messages (security part). """ from PyQt5.QtCore import QCoreApplication _securityMessages = { # assert used "S101": QCoreApplication.translate( "Security", "Use of 'assert' detected. The enclosed code will be removed when" " compiling to optimised byte code."), # exec used "S102": QCoreApplication.translate( "Security", "Use of 'exec' detected."), # bad file permissions "S103": QCoreApplication.translate( "Security", "'chmod' setting a permissive mask {0} on file ({1})."), # bind to all interfaces "S104": QCoreApplication.translate( "Security", "Possible binding to all interfaces."), # hardcoded passwords "S105": QCoreApplication.translate( "Security", "Possible hardcoded password: '{0}'"), "S106": QCoreApplication.translate( "Security", "Possible hardcoded password: '{0}'"), "S107": QCoreApplication.translate( "Security", "Possible hardcoded password: '{0}'"), # hardcoded tmp directory "S108": QCoreApplication.translate( "Security", "Probable insecure usage of temp file/directory."), # try-except "S110": QCoreApplication.translate( "Security", "Try, Except, Pass detected."), "S112": QCoreApplication.translate( "Security", "Try, Except, Continue detected."), # flask app "S201": QCoreApplication.translate( "Security", "A Flask app appears to be run with debug=True, which exposes the" " Werkzeug debugger and allows the execution of arbitrary code."), # blacklisted calls "S301": QCoreApplication.translate( "Security", "Pickle and modules that wrap it can be unsafe when used to " "deserialize untrusted data, possible security issue."), "S302": QCoreApplication.translate( "Security", "Deserialization with the marshal module is possibly dangerous."), "S303": QCoreApplication.translate( "Security", "Use of insecure MD2, MD4, MD5, or SHA1 hash function."), "S304": QCoreApplication.translate( "Security", "Use of insecure cipher '{0}'. Replace with a known secure cipher" " such as AES."), "S305": QCoreApplication.translate( "Security", "Use of insecure cipher mode '{0}'."), "S306": QCoreApplication.translate( "Security", "Use of insecure and deprecated function (mktemp)."), "S307": QCoreApplication.translate( "Security", "Use of possibly insecure function - consider using safer" " ast.literal_eval."), "S308": QCoreApplication.translate( "Security", "Use of mark_safe() may expose cross-site scripting vulnerabilities" " and should be reviewed."), "S309": QCoreApplication.translate( "Security", "Use of HTTPSConnection on older versions of Python prior to 2.7.9" " and 3.4.3 do not provide security, see" " https://wiki.openstack.org/wiki/OSSN/OSSN-0033"), "S310": QCoreApplication.translate( "Security", "Audit url open for permitted schemes. Allowing use of file:/ or" " custom schemes is often unexpected."), "S311": QCoreApplication.translate( "Security", "Standard pseudo-random generators are not suitable for" " security/cryptographic purposes."), "S312": QCoreApplication.translate( "Security", "Telnet-related functions are being called. Telnet is considered" " insecure. Use SSH or some other encrypted protocol."), "S313": QCoreApplication.translate( "Security", "Using '{0}' to parse untrusted XML data is known to be vulnerable to" " XML attacks. Replace '{0}' with its defusedxml equivalent function" " or make sure defusedxml.defuse_stdlib() is called."), "S314": QCoreApplication.translate( "Security", "Using '{0}' to parse untrusted XML data is known to be vulnerable to" " XML attacks. Replace '{0}' with its defusedxml equivalent function" " or make sure defusedxml.defuse_stdlib() is called."), "S315": QCoreApplication.translate( "Security", "Using '{0}' to parse untrusted XML data is known to be vulnerable to" " XML attacks. Replace '{0}' with its defusedxml equivalent function" " or make sure defusedxml.defuse_stdlib() is called."), "S316": QCoreApplication.translate( "Security", "Using '{0}' to parse untrusted XML data is known to be vulnerable to" " XML attacks. Replace '{0}' with its defusedxml equivalent function" " or make sure defusedxml.defuse_stdlib() is called."), "S317": QCoreApplication.translate( "Security", "Using '{0}' to parse untrusted XML data is known to be vulnerable to" " XML attacks. Replace '{0}' with its defusedxml equivalent function" " or make sure defusedxml.defuse_stdlib() is called."), "S318": QCoreApplication.translate( "Security", "Using '{0}' to parse untrusted XML data is known to be vulnerable to" " XML attacks. Replace '{0}' with its defusedxml equivalent function" " or make sure defusedxml.defuse_stdlib() is called."), "S319": QCoreApplication.translate( "Security", "Using '{0}' to parse untrusted XML data is known to be vulnerable to" " XML attacks. Replace '{0}' with its defusedxml equivalent function" " or make sure defusedxml.defuse_stdlib() is called."), "S320": QCoreApplication.translate( "Security", "Using '{0}' to parse untrusted XML data is known to be vulnerable to" " XML attacks. Replace '{0}' with its defusedxml equivalent" " function."), "S321": QCoreApplication.translate( "Security", "FTP-related functions are being called. FTP is considered insecure." " Use SSH/SFTP/SCP or some other encrypted protocol."), "S322": QCoreApplication.translate( "Security", "The input method in Python 2 will read from standard input, evaluate" " and run the resulting string as Python source code. This is" " similar, though in many ways worse, than using eval. On Python 2," " use raw_input instead, input is safe in Python 3."), "S323": QCoreApplication.translate( "Security", "By default, Python will create a secure, verified SSL context for" " use in such classes as HTTPSConnection. However, it still allows" " using an insecure context via the _create_unverified_context that" " reverts to the previous behavior that does not validate" " certificates or perform hostname checks."), "S324": QCoreApplication.translate( "Security", "Use of os.tempnam() and os.tmpnam() is vulnerable to symlink" " attacks. Consider using tmpfile() instead."), # hashlib.new "S331": QCoreApplication.translate( "Security", "Use of insecure {0} hash function."), # blacklisted imports "S401": QCoreApplication.translate( "Security", "A telnet-related module is being imported. Telnet is considered" " insecure. Use SSH or some other encrypted protocol."), "S402": QCoreApplication.translate( "Security", "A FTP-related module is being imported. FTP is considered" " insecure. Use SSH/SFTP/SCP or some other encrypted protocol."), "S403": QCoreApplication.translate( "Security", "Consider possible security implications associated with the '{0}'" " module."), "S404": QCoreApplication.translate( "Security", "Consider possible security implications associated with the '{0}'" " module."), "S405": QCoreApplication.translate( "Security", "Using '{0}' to parse untrusted XML data is known to be vulnerable" " to XML attacks. Replace '{0}' with the equivalent defusedxml" " package, or make sure defusedxml.defuse_stdlib() is called."), "S406": QCoreApplication.translate( "Security", "Using '{0}' to parse untrusted XML data is known to be vulnerable" " to XML attacks. Replace '{0}' with the equivalent defusedxml" " package, or make sure defusedxml.defuse_stdlib() is called."), "S407": QCoreApplication.translate( "Security", "Using '{0}' to parse untrusted XML data is known to be vulnerable" " to XML attacks. Replace '{0}' with the equivalent defusedxml" " package, or make sure defusedxml.defuse_stdlib() is called."), "S408": QCoreApplication.translate( "Security", "Using '{0}' to parse untrusted XML data is known to be vulnerable" " to XML attacks. Replace '{0}' with the equivalent defusedxml" " package, or make sure defusedxml.defuse_stdlib() is called."), "S409": QCoreApplication.translate( "Security", "Using '{0}' to parse untrusted XML data is known to be vulnerable" " to XML attacks. Replace '{0}' with the equivalent defusedxml" " package, or make sure defusedxml.defuse_stdlib() is called."), "S410": QCoreApplication.translate( "Security", "Using '{0}' to parse untrusted XML data is known to be vulnerable" " to XML attacks. Replace '{0}' with the equivalent defusedxml" " package."), "S411": QCoreApplication.translate( "Security", "Using '{0}' to parse untrusted XML data is known to be vulnerable" " to XML attacks. Use defused.xmlrpc.monkey_patch() function to" " monkey-patch xmlrpclib and mitigate XML vulnerabilities."), "S412": QCoreApplication.translate( "Security", "Consider possible security implications associated with '{0}'" " module."), "S413": QCoreApplication.translate( "Security", "The pyCrypto library and its module '{0}' are no longer actively" " maintained and have been deprecated. Consider using" " pyca/cryptography library."), # insecure certificate usage "S501": QCoreApplication.translate( "Security", "'requests' call with verify=False disabling SSL certificate checks," " security issue."), # insecure SSL/TLS protocol version "S502.1": QCoreApplication.translate( "Security", "'ssl.wrap_socket' call with insecure SSL/TLS protocol version" " identified, security issue."), "S502.2": QCoreApplication.translate( "Security", "'SSL.Context' call with insecure SSL/TLS protocol version identified," " security issue."), "S502.3": QCoreApplication.translate( "Security", "Function call with insecure SSL/TLS protocol version identified," " security issue."), "S503": QCoreApplication.translate( "Security", "Function definition identified with insecure SSL/TLS protocol" " version by default, possible security issue."), "S504": QCoreApplication.translate( "Security", "'ssl.wrap_socket' call with no SSL/TLS protocol version specified," " the default 'SSLv23' could be insecure, possible security issue."), # weak cryptographic keys "S505": QCoreApplication.translate( "Security", "{0} key sizes below {1:d} bits are considered breakable."), # YAML load "S506": QCoreApplication.translate( "Security", "Use of unsafe 'yaml.load()'. Allows instantiation of arbitrary" " objects. Consider 'yaml.safe_load()'."), # SSH host key verification "S507": QCoreApplication.translate( "Security", "Paramiko call with policy set to automatically trust the unknown" " host key."), # Shell injection "S601": QCoreApplication.translate( "Security", "Possible shell injection via 'Paramiko' call, check inputs are" " properly sanitized."), "S602.L": QCoreApplication.translate( "Security", "'subprocess' call with shell=True seems safe, but may be changed" " in the future, consider rewriting without shell"), "S602.H": QCoreApplication.translate( "Security", "'subprocess' call with shell=True identified, security issue."), "S603": QCoreApplication.translate( "Security", "'subprocess' call - check for execution of untrusted input."), "S604": QCoreApplication.translate( "Security", "Function call with shell=True parameter identified, possible" " security issue."), "S605.L": QCoreApplication.translate( "Security", "Starting a process with a shell: Seems safe, but may be changed in" " the future, consider rewriting without shell"), "S605.H": QCoreApplication.translate( "Security", "Starting a process with a shell, possible injection detected," " security issue."), "S606": QCoreApplication.translate( "Security", "Starting a process without a shell."), "S607": QCoreApplication.translate( "Security", "Starting a process with a partial executable path."), # SQL injection "S608": QCoreApplication.translate( "Security", "Possible SQL injection vector through string-based query" " construction."), # Wildcard injection "S609": QCoreApplication.translate( "Security", "Possible wildcard injection in call: {0}"), # Django SQL injection "S610": QCoreApplication.translate( "Security", "Use of 'extra()' opens a potential SQL attack vector."), "S611": QCoreApplication.translate( "Security", "Use of 'RawSQL()' opens a potential SQL attack vector."), # Jinja2 templates "S701.1": QCoreApplication.translate( "Security", "Using jinja2 templates with 'autoescape=False' is dangerous and can" " lead to XSS. Use 'autoescape=True' or use the 'select_autoescape'" " function to mitigate XSS vulnerabilities."), "S701.2": QCoreApplication.translate( "Security", "By default, jinja2 sets 'autoescape' to False. Consider using" " 'autoescape=True' or use the 'select_autoescape' function to" " mitigate XSS vulnerabilities."), # Mako templates "S702": QCoreApplication.translate( "Security", "Mako templates allow HTML/JS rendering by default and are inherently" " open to XSS attacks. Ensure variables in all templates are properly" " sanitized via the 'n', 'h' or 'x' flags (depending on context). For" " example, to HTML escape the variable 'data' do ${{ data |h }}."), # Django XSS vulnerability "S703": QCoreApplication.translate( "Security", "Potential XSS on 'mark_safe()' function."), # hardcoded AWS passwords "S801": QCoreApplication.translate( "Security", "Possible hardcoded AWS access key ID: {0}"), "S802": QCoreApplication.translate( "Security", "Possible hardcoded AWS secret access key: {0}"), # Syntax error "S999": QCoreApplication.translate( "Security", "{0}: {1}"), } _securityMessagesSampleArgs = { "S103": ["0o777", "testfile.txt"], "S105": ["password"], "S106": ["password"], "S107": ["password"], "S304": ["Crypto.Cipher.DES"], "S305": ["cryptography.hazmat.primitives.ciphers.modes.ECB"], "S313": ["xml.etree.cElementTree.parse"], "S314": ["xml.etree.ElementTree.parse"], "S315": ["xml.sax.expatreader.create_parser"], "S316": ["xml.dom.expatbuilder.parse"], "S317": ["xml.sax.parse"], "S318": ["xml.dom.minidom.parse"], "S319": ["xml.dom.pulldom.parse"], "S320": ["lxml.etree.parse"], "S331": ["MD5"], "S403": ["pickle"], "S404": ["subprocess"], "S405": ["xml.etree.ElementTree"], "S406": ["xml.sax"], "S407": ["xml.dom.expatbuilder"], "S408": ["xml.dom.minidom"], "S409": ["xml.dom.pulldom"], "S410": ["lxml"], "S411": ["xmlrpclib"], "S412": ["wsgiref.handlers.CGIHandler"], "S413": ["Crypto.Cipher"], "S505": ["RSA", 2048], "S609": ["os.system"], "S801": ["A1B2C3D4E5F6G7H8I9J0"], # secok "S802": ["aA1bB2cC3dD4/eE5fF6gG7+hH8iI9jJ0=kKlLM+="], # secok "S999": ["SyntaxError", "Invalid Syntax"], }
