diff -r ca1ce1e0fcff -r 382f89c11e27 eric6/Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py
--- a/eric6/Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py Mon Jun 08 08:17:14 2020 +0200
+++ b/eric6/Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py Mon Jun 08 20:08:27 2020 +0200
@@ -5,16 +5,26 @@
 """
-Module implementing message translations for the code style plugin messages.
+Module implementing message translations for the code style plugin messages
+(security part).
 """
-
 from PyQt5.QtCore import QCoreApplication
-
-__all__ = ["getTranslatedMessage"]
-
-_messages = {
+_securityMessages = {
+ # assert used
+ "S101": QCoreApplication.translate(
+ "Security",
+ "Use of assert detected. The enclosed code will be removed when"
+ " compiling to optimised byte code."),
+
+ # flask app
+ "S201": QCoreApplication.translate(
+ "Security",
+ "A Flask app appears to be run with debug=True, which exposes the"
+ " Werkzeug debugger and allows the execution of arbitrary code."),
+
+ # blacklisted calls
 "S301": QCoreApplication.translate(
 "Security",
 "Pickle and modules that wrap it can be unsafe when used to "
@@ -25,33 +35,216 @@
 "S303": QCoreApplication.translate(
 "Security",
 "Use of insecure MD2, MD4, MD5, or SHA1 hash function."),
-}
-
-
-_messages_sample_args = {
+ "S304": QCoreApplication.translate(
+ "Security",
+ "Use of insecure cipher '{0}'. Replace with a known secure cipher"
+ " such as AES."),
+ "S305": QCoreApplication.translate(
+ "Security",
+ "Use of insecure cipher mode '{0}'."),
+ "S306": QCoreApplication.translate(
+ "Security",
+ "Use of insecure and deprecated function (mktemp)."),
+ "S307": QCoreApplication.translate(
+ "Security",
+ "Use of possibly insecure function - consider using safer"
+ " ast.literal_eval."),
+ "S308": QCoreApplication.translate(
+ "Security",
+ "Use of mark_safe() may expose cross-site scripting vulnerabilities"
+ " and should be reviewed."),
+ "S309": QCoreApplication.translate(
+ "Security",
+ "Use of HTTPSConnection on older versions of Python prior to 2.7.9"
+ " and 3.4.3 do not provide security, see"
+ " https://wiki.openstack.org/wiki/OSSN/OSSN-0033"),
+ "S310": QCoreApplication.translate(
+ "Security",
+ "Audit url open for permitted schemes. Allowing use of file:/ or"
+ " custom schemes is often unexpected."),
+ "S311": QCoreApplication.translate(
+ "Security",
+ "Standard pseudo-random generators are not suitable for"
+ " security/cryptographic purposes."),
+ "S312": QCoreApplication.translate(
+ "Security",
+ "Telnet-related functions are being called. Telnet is considered"
+ " insecure. Use SSH or some other encrypted protocol."),
+ "S313": QCoreApplication.translate(
+ "Security",
+ "Using '{0}' to parse untrusted XML data is known to be vulnerable to"
+ " XML attacks. Replace '{0}' with its defusedxml equivalent function"
+ " or make sure defusedxml.defuse_stdlib() is called."),
+ "S314": QCoreApplication.translate(
+ "Security",
+ "Using '{0}' to parse untrusted XML data is known to be vulnerable to"
+ " XML attacks. Replace '{0}' with its defusedxml equivalent function"
+ " or make sure defusedxml.defuse_stdlib() is called."),
+ "S315": QCoreApplication.translate(
+ "Security",
+ "Using '{0}' to parse untrusted XML data is known to be vulnerable to"
+ " XML attacks. Replace '{0}' with its defusedxml equivalent function"
+ " or make sure defusedxml.defuse_stdlib() is called."),
+ "S316": QCoreApplication.translate(
+ "Security",
+ "Using '{0}' to parse untrusted XML data is known to be vulnerable to"
+ " XML attacks. Replace '{0}' with its defusedxml equivalent function"
+ " or make sure defusedxml.defuse_stdlib() is called."),
+ "S317": QCoreApplication.translate(
+ "Security",
+ "Using '{0}' to parse untrusted XML data is known to be vulnerable to"
+ " XML attacks. Replace '{0}' with its defusedxml equivalent function"
+ " or make sure defusedxml.defuse_stdlib() is called."),
+ "S318": QCoreApplication.translate(
+ "Security",
+ "Using '{0}' to parse untrusted XML data is known to be vulnerable to"
+ " XML attacks. Replace '{0}' with its defusedxml equivalent function"
+ " or make sure defusedxml.defuse_stdlib() is called."),
+ "S319": QCoreApplication.translate(
+ "Security",
+ "Using '{0}' to parse untrusted XML data is known to be vulnerable to"
+ " XML attacks. Replace '{0}' with its defusedxml equivalent function"
+ " or make sure defusedxml.defuse_stdlib() is called."),
+ "S320": QCoreApplication.translate(
+ "Security",
+ "Using '{0}' to parse untrusted XML data is known to be vulnerable to"
+ " XML attacks. Replace '{0}' with its defusedxml equivalent"
+ " function."),
+ "S321": QCoreApplication.translate(
+ "Security",
+ "FTP-related functions are being called. FTP is considered insecure."
+ " Use SSH/SFTP/SCP or some other encrypted protocol."),
+ "S322": QCoreApplication.translate(
+ "Security",
+ "The input method in Python 2 will read from standard input, evaluate"
+ " and run the resulting string as Python source code. This is"
+ " similar, though in many ways worse, than using eval. On Python 2,"
+ " use raw_input instead, input is safe in Python 3."),
+ "S323": QCoreApplication.translate(
+ "Security",
+ "By default, Python will create a secure, verified SSL context for"
+ " use in such classes as HTTPSConnection. However, it still allows"
+ " using an insecure context via the _create_unverified_context that"
+ " reverts to the previous behavior that does not validate"
+ " certificates or perform hostname checks."),
+ "S325": QCoreApplication.translate(
+ "Security",
+ "Use of os.tempnam() and os.tmpnam() is vulnerable to symlink"
+ " attacks. Consider using tmpfile() instead."),
+
+ # blacklisted imports
+ "S401": QCoreApplication.translate(
+ "Security",
+ "A telnet-related module is being imported. Telnet is considered"
+ " insecure. Use SSH or some other encrypted protocol."),
+ "S402": QCoreApplication.translate(
+ "Security",
+ "A FTP-related module is being imported. FTP is considered"
+ " insecure. Use SSH/SFTP/SCP or some other encrypted protocol."),
+ "S403": QCoreApplication.translate(
+ "Security",
+ "Consider possible security implications associated with '{0}'"
+ " module."),
+ "S404": QCoreApplication.translate(
+ "Security",
+ "Consider possible security implications associated with '{0}'"
+ " module."),
+ "S405": QCoreApplication.translate(
+ "Security",
+ "Using '{0}' to parse untrusted XML data is known to be vulnerable"
+ " to XML attacks. Replace '{0}' with the equivalent defusedxml"
+ " package, or make sure defusedxml.defuse_stdlib() is called."),
+ "S406": QCoreApplication.translate(
+ "Security",
+ "Using '{0}' to parse untrusted XML data is known to be vulnerable"
+ " to XML attacks. Replace '{0}' with the equivalent defusedxml"
+ " package, or make sure defusedxml.defuse_stdlib() is called."),
+ "S407": QCoreApplication.translate(
+ "Security",
+ "Using '{0}' to parse untrusted XML data is known to be vulnerable"
+ " to XML attacks. Replace '{0}' with the equivalent defusedxml"
+ " package, or make sure defusedxml.defuse_stdlib() is called."),
+ "S408": QCoreApplication.translate(
+ "Security",
+ "Using '{0}' to parse untrusted XML data is known to be vulnerable"
+ " to XML attacks. Replace '{0}' with the equivalent defusedxml"
+ " package, or make sure defusedxml.defuse_stdlib() is called."),
+ "S409": QCoreApplication.translate(
+ "Security",
+ "Using '{0}' to parse untrusted XML data is known to be vulnerable"
+ " to XML attacks. Replace '{0}' with the equivalent defusedxml"
+ " package, or make sure defusedxml.defuse_stdlib() is called."),
+ "S410": QCoreApplication.translate(
+ "Security",
+ "Using '{0}' to parse untrusted XML data is known to be vulnerable"
+ " to XML attacks. Replace '{0}' with the equivalent defusedxml"
+ " package."),
+ "S411": QCoreApplication.translate(
+ "Security",
+ "Using '{0}' to parse untrusted XML data is known to be vulnerable"
+ " to XML attacks. Use defused.xmlrpc.monkey_patch() function to"
+ " monkey-patch xmlrpclib and mitigate XML vulnerabilities."),
+ "S412": QCoreApplication.translate(
+ "Security",
+ "Consider possible security implications associated with '{0}'"
+ " module."),
+ "S413": QCoreApplication.translate(
+ "Security",
+ "The pyCrypto library and its module '{0}' are no longer actively"
+ " maintained and have been deprecated. Consider using"
+ " pyca/cryptography library."),
+
+ # insecure certificate usage
+ "S501": QCoreApplication.translate(
+ "Security",
+ "Requests call with verify=False disabling SSL certificate checks,"
+ " security issue."),
+
+ # YAML load
+ "S506": QCoreApplication.translate(
+ "Security",
+ "Use of unsafe yaml load. Allows instantiation of arbitrary objects."
+ " Consider yaml.safe_load()."),
+
+ # Django SQL injection
+ "S610": QCoreApplication.translate(
+ "Security",
+ "Use of extra potential SQL attack vector."),
+ "S611": QCoreApplication.translate(
+ "Security",
+ "Use of RawSQL potential SQL attack vector."),
+
+ # Django XSS vulnerability
+ "S703": QCoreApplication.translate(
+ "Security",
+ "Potential XSS on mark_safe() function."),
+
+## "S": QCoreApplication.translate(
+## "Security",
+## ""),
 }
-
-def getTranslatedMessage(messageCode, messageArgs):
- """
- Module function to get a translated and formatted message for a
- given message ID.
+_securityMessagesSampleArgs = {
+ "S304": ["Crypto.Cipher.DES"],
+ "S305": ["cryptography.hazmat.primitives.ciphers.modes.ECB"],
+ "S313": ["xml.etree.cElementTree.parse"],
+ "S314": ["xml.etree.ElementTree.parse"],
+ "S315": ["xml.sax.expatreader.create_parser"],
+ "S316": ["xml.dom.expatbuilder.parse"],
+ "S317": ["xml.sax.parse"],
+ "S318": ["xml.dom.minidom.parse"],
+ "S319": ["xml.dom.pulldom.parse"],
+ "S320": ["lxml.etree.parse"],
- @param messageCode the message code
- @type str
- @param messageArgs list of arguments or a single integer value to format
- the message
- @type list or int
- @return translated and formatted message
- @rtype str
- """
- if messageCode in _messages:
- if isinstance(messageArgs, int):
- # Retranslate with correct plural form
- return _messages[messageCode](messageArgs)
- else:
- return _messages[messageCode].format(*messageArgs)
- else:
- return QCoreApplication.translate(
- "CodeStyleFixer", " no message defined for code '{0}'"
- ).format(messageCode)
+ "S403": ["pickle"],
+ "S404": ["subprocess"],
+ "S405": ["xml.etree.ElementTree"],
+ "S406": ["xml.sax"],
+ "S407": ["xml.dom.expatbuilder"],
+ "S408": ["xml.dom.minidom"],
+ "S409": ["xml.dom.pulldom"],
+ "S410": ["lxml"],
+ "S411": ["xmlrpclib"],
+ "S412": ["wsgiref.handlers.CGIHandler"],
+ "S413": ["Crypto.Cipher"],
+}
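Review bot: Two of the new source strings in `_securityMessages` carry grammar slips that every translation will inherit, because Qt keys translations on the exact source text: S309's `" and 3.4.3 do not provide security, see"` should read `" and 3.4.3 does not provide security, see"`, and S402's `"A FTP-related module is being imported. FTP is considered"` should read `"An FTP-related module is being imported. FTP is considered"`. S325's remedy `" attacks. Consider using tmpfile() instead."` names os.tmpfile(), which Python 3 no longer ships, so on the interpreter this plugin targets the actionable advice is `" attacks. Consider using the tempfile module instead."`. Neither dict says what its values are for; a header comment such as `# message code -> translatable message text; '{0}' placeholders are filled from the checker's message arguments` on `_securityMessages` and `# message code -> sample arguments for codes whose text uses placeholders (presumably for message previews; confirm against the caller)` on `_securityMessagesSampleArgs` would spare the next maintainer a lookup. The `## "S": QCoreApplication.translate(` template left inside the dict literal is commented-out code; moving it above the dict as a plain comment, or dropping it, keeps the literal clean. The hunk also removes getTranslatedMessage and the module's `__all__`, so whatever in the security checker resolved messages through this module must now go through a replacement lookup that lies outside this diff.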