Mercurial Repositories > eric / changeset
changeset
Code Style Checker
Tue, 13 Sep 2022 20:00:55 +0200
- author
- Detlev Offenbach <detlev@die-offenbachs.de>
- date
- Tue, 13 Sep 2022 20:00:55 +0200
- branch
- eric7
- changeset 9325
- 8157eb19aba5
- parent 9324
- 7f7f3e47b238
- child 9326
- 1d8eadd8873e
Code Style Checker
- added some more security related checks
--- a/docs/changelog Tue Sep 13 19:46:19 2022 +0200 +++ b/docs/changelog Tue Sep 13 20:00:55 2022 +0200 @@ -2,6 +2,8 @@ ---------- Version 22.10: - bug fixes +- Code Style Checker + -- added some more security related checks - pip Interface -- changed the pip licenses dialog to show the count of each individual license - Project
--- a/eric7.epj Tue Sep 13 19:46:19 2022 +0200 +++ b/eric7.epj Tue Sep 13 20:00:55 2022 +0200 @@ -252,6 +252,7 @@ } }, "EMAIL": "detlev@die-offenbachs.de", + "EMBEDDED_VENV": false, "EOL": 1, "FILETYPES": { "*.epj": "OTHERS", @@ -1401,7 +1402,10 @@ "src/eric7/Plugins/CheckerPlugins/CodeStyleChecker/Security/Checks/insecureSslTls.py", "src/eric7/Plugins/CheckerPlugins/CodeStyleChecker/Security/Checks/jinja2Templates.py", "src/eric7/Plugins/CheckerPlugins/CodeStyleChecker/Security/Checks/makoTemplates.py", + "src/eric7/Plugins/CheckerPlugins/CodeStyleChecker/Security/Checks/requestWithoutTimeout.py", + "src/eric7/Plugins/CheckerPlugins/CodeStyleChecker/Security/Checks/snmpSecurity.py", "src/eric7/Plugins/CheckerPlugins/CodeStyleChecker/Security/Checks/sshNoHostKeyVerification.py", + "src/eric7/Plugins/CheckerPlugins/CodeStyleChecker/Security/Checks/tarfileUnsafeMembers.py", "src/eric7/Plugins/CheckerPlugins/CodeStyleChecker/Security/Checks/tryExcept.py", "src/eric7/Plugins/CheckerPlugins/CodeStyleChecker/Security/Checks/weakCryptographicKey.py", "src/eric7/Plugins/CheckerPlugins/CodeStyleChecker/Security/Checks/yamlLoad.py",
--- a/src/eric7/APIs/Python3/eric7.api Tue Sep 13 19:46:19 2022 +0200 +++ b/src/eric7/APIs/Python3/eric7.api Tue Sep 13 20:00:55 2022 +0200 @@ -3750,6 +3750,7 @@ eric7.Plugins.CheckerPlugins.CodeStyleChecker.Security.Checks.flaskDebug.getChecks?4() eric7.Plugins.CheckerPlugins.CodeStyleChecker.Security.Checks.generalBindAllInterfaces.checkBindAllInterfaces?4(reportError, context, config) eric7.Plugins.CheckerPlugins.CodeStyleChecker.Security.Checks.generalBindAllInterfaces.getChecks?4() +eric7.Plugins.CheckerPlugins.CodeStyleChecker.Security.Checks.generalFilePermissions._statIsDangerous?5(mode) eric7.Plugins.CheckerPlugins.CodeStyleChecker.Security.Checks.generalFilePermissions.checkFilePermissions?4(reportError, context, config) eric7.Plugins.CheckerPlugins.CodeStyleChecker.Security.Checks.generalFilePermissions.getChecks?4() eric7.Plugins.CheckerPlugins.CodeStyleChecker.Security.Checks.generalHardcodedPassword.RE_CANDIDATES?7 @@ -3780,7 +3781,9 @@ eric7.Plugins.CheckerPlugins.CodeStyleChecker.Security.Checks.injectionSql.getChecks?4() eric7.Plugins.CheckerPlugins.CodeStyleChecker.Security.Checks.injectionWildcard.checkLinuxCommandsWildcardInjection?4(reportError, context, config) eric7.Plugins.CheckerPlugins.CodeStyleChecker.Security.Checks.injectionWildcard.getChecks?4() -eric7.Plugins.CheckerPlugins.CodeStyleChecker.Security.Checks.insecureHashlibNew.checkHashlibNew?4(reportError, context, config) +eric7.Plugins.CheckerPlugins.CodeStyleChecker.Security.Checks.insecureHashlibNew._hashlibFunc?5(reportError, context, config) +eric7.Plugins.CheckerPlugins.CodeStyleChecker.Security.Checks.insecureHashlibNew._hashlibNew?5(reportError, context, config) +eric7.Plugins.CheckerPlugins.CodeStyleChecker.Security.Checks.insecureHashlibNew.checkHashlib?4(reportError, context, config) eric7.Plugins.CheckerPlugins.CodeStyleChecker.Security.Checks.insecureHashlibNew.getChecks?4() eric7.Plugins.CheckerPlugins.CodeStyleChecker.Security.Checks.insecureSslTls.checkInsecureSslDefaults?4(reportError, context, config) eric7.Plugins.CheckerPlugins.CodeStyleChecker.Security.Checks.insecureSslTls.checkInsecureSslProtocolVersion?4(reportError, context, config) @@ -3790,8 +3793,17 @@ eric7.Plugins.CheckerPlugins.CodeStyleChecker.Security.Checks.jinja2Templates.getChecks?4() eric7.Plugins.CheckerPlugins.CodeStyleChecker.Security.Checks.makoTemplates.checkMakoTemplateUsage?4(reportError, context, config) eric7.Plugins.CheckerPlugins.CodeStyleChecker.Security.Checks.makoTemplates.getChecks?4() +eric7.Plugins.CheckerPlugins.CodeStyleChecker.Security.Checks.requestWithoutTimeout.checkRequestWithouTimeout?4(reportError, context, config) +eric7.Plugins.CheckerPlugins.CodeStyleChecker.Security.Checks.requestWithoutTimeout.getChecks?4() +eric7.Plugins.CheckerPlugins.CodeStyleChecker.Security.Checks.snmpSecurity.checkInsecureVersion?4(reportError, context, config) +eric7.Plugins.CheckerPlugins.CodeStyleChecker.Security.Checks.snmpSecurity.checkWeakCryptography?4(reportError, context, config) +eric7.Plugins.CheckerPlugins.CodeStyleChecker.Security.Checks.snmpSecurity.getChecks?4() eric7.Plugins.CheckerPlugins.CodeStyleChecker.Security.Checks.sshNoHostKeyVerification.checkSshNoHostKeyVerification?4(reportError, context, config) eric7.Plugins.CheckerPlugins.CodeStyleChecker.Security.Checks.sshNoHostKeyVerification.getChecks?4() +eric7.Plugins.CheckerPlugins.CodeStyleChecker.Security.Checks.tarfileUnsafeMembers._getMembersValue?5(context) +eric7.Plugins.CheckerPlugins.CodeStyleChecker.Security.Checks.tarfileUnsafeMembers.checkTarfileUnsafeMembers?4(reportError, context, config) +eric7.Plugins.CheckerPlugins.CodeStyleChecker.Security.Checks.tarfileUnsafeMembers.getChecks?4() +eric7.Plugins.CheckerPlugins.CodeStyleChecker.Security.Checks.tryExcept.checkContextlibSuppress?4(reportError, context, config) eric7.Plugins.CheckerPlugins.CodeStyleChecker.Security.Checks.tryExcept.checkTryExceptContinue?4(reportError, context, config) eric7.Plugins.CheckerPlugins.CodeStyleChecker.Security.Checks.tryExcept.checkTryExceptPass?4(reportError, context, config) eric7.Plugins.CheckerPlugins.CodeStyleChecker.Security.Checks.tryExcept.getChecks?4()
--- a/src/eric7/Documentation/Help/source.qhp Tue Sep 13 19:46:19 2022 +0200 +++ b/src/eric7/Documentation/Help/source.qhp Tue Sep 13 20:00:55 2022 +0200 @@ -397,7 +397,10 @@ <section title="eric7.Plugins.CheckerPlugins.CodeStyleChecker.Security.Checks.insecureSslTls" ref="eric7.Plugins.CheckerPlugins.CodeStyleChecker.Security.Checks.insecureSslTls.html" /> <section title="eric7.Plugins.CheckerPlugins.CodeStyleChecker.Security.Checks.jinja2Templates" ref="eric7.Plugins.CheckerPlugins.CodeStyleChecker.Security.Checks.jinja2Templates.html" /> <section title="eric7.Plugins.CheckerPlugins.CodeStyleChecker.Security.Checks.makoTemplates" ref="eric7.Plugins.CheckerPlugins.CodeStyleChecker.Security.Checks.makoTemplates.html" /> + <section title="eric7.Plugins.CheckerPlugins.CodeStyleChecker.Security.Checks.requestWithoutTimeout" ref="eric7.Plugins.CheckerPlugins.CodeStyleChecker.Security.Checks.requestWithoutTimeout.html" /> + <section title="eric7.Plugins.CheckerPlugins.CodeStyleChecker.Security.Checks.snmpSecurity" ref="eric7.Plugins.CheckerPlugins.CodeStyleChecker.Security.Checks.snmpSecurity.html" /> <section title="eric7.Plugins.CheckerPlugins.CodeStyleChecker.Security.Checks.sshNoHostKeyVerification" ref="eric7.Plugins.CheckerPlugins.CodeStyleChecker.Security.Checks.sshNoHostKeyVerification.html" /> + <section title="eric7.Plugins.CheckerPlugins.CodeStyleChecker.Security.Checks.tarfileUnsafeMembers" ref="eric7.Plugins.CheckerPlugins.CodeStyleChecker.Security.Checks.tarfileUnsafeMembers.html" /> <section title="eric7.Plugins.CheckerPlugins.CodeStyleChecker.Security.Checks.tryExcept" ref="eric7.Plugins.CheckerPlugins.CodeStyleChecker.Security.Checks.tryExcept.html" /> <section title="eric7.Plugins.CheckerPlugins.CodeStyleChecker.Security.Checks.weakCryptographicKey" ref="eric7.Plugins.CheckerPlugins.CodeStyleChecker.Security.Checks.weakCryptographicKey.html" /> <section title="eric7.Plugins.CheckerPlugins.CodeStyleChecker.Security.Checks.yamlLoad" ref="eric7.Plugins.CheckerPlugins.CodeStyleChecker.Security.Checks.yamlLoad.html" /> @@ -18381,9 +18384,12 @@ <keyword name="_evaluateAst" id="_evaluateAst" ref="eric7.Plugins.CheckerPlugins.CodeStyleChecker.Security.Checks.injectionSql.html#_evaluateAst" /> <keyword name="_evaluateShellCall" id="_evaluateShellCall" ref="eric7.Plugins.CheckerPlugins.CodeStyleChecker.Security.Checks.injectionShell.html#_evaluateShellCall" /> <keyword name="_get" id="_get" ref="eric7.Plugins.CheckerPlugins.CodeStyleChecker.Security.SecurityUtils.html#_get" /> + <keyword name="_getMembersValue" id="_getMembersValue" ref="eric7.Plugins.CheckerPlugins.CodeStyleChecker.Security.Checks.tarfileUnsafeMembers.html#_getMembersValue" /> <keyword name="_get_args" id="_get_args" ref="eric7.PipInterface.pipdeptree.html#_get_args" /> <keyword name="_get_parameters" id="_get_parameters" ref="eric7.Plugins.CheckerPlugins.CodeStyleChecker.pycodestyle.html#_get_parameters" /> <keyword name="_getfullargs" id="_getfullargs" ref="eric7.DebugClients.Python.DebugUtilities.html#_getfullargs" /> + <keyword name="_hashlibFunc" id="_hashlibFunc" ref="eric7.Plugins.CheckerPlugins.CodeStyleChecker.Security.Checks.insecureHashlibNew.html#_hashlibFunc" /> + <keyword name="_hashlibNew" id="_hashlibNew" ref="eric7.Plugins.CheckerPlugins.CodeStyleChecker.Security.Checks.insecureHashlibNew.html#_hashlibNew" /> <keyword name="_indent" id="_indent" ref="eric7.Utilities.ClassBrowsers.pyclbr.html#_indent" /> <keyword name="_indent" id="_indent" ref="eric7.Utilities.ModuleParser.html#_indent" /> <keyword name="_initTypeMap" id="_initTypeMap" ref="eric7.DebugClients.Python.DebugVariables.html#_initTypeMap" /> @@ -18395,6 +18401,7 @@ <keyword name="_parse_multi_options" id="_parse_multi_options" ref="eric7.Plugins.CheckerPlugins.CodeStyleChecker.pycodestyle.html#_parse_multi_options" /> <keyword name="_percentReplacementFunc" id="_percentReplacementFunc" ref="eric7.Utilities.__init__.html#_percentReplacementFunc" /> <keyword name="_shallPatch" id="_shallPatch" ref="eric7.DebugClients.Python.MultiProcessDebugExtension.html#_shallPatch" /> + <keyword name="_statIsDangerous" id="_statIsDangerous" ref="eric7.Plugins.CheckerPlugins.CodeStyleChecker.Security.Checks.generalFilePermissions.html#_statIsDangerous" /> <keyword name="_stylesheet" id="_stylesheet" ref="eric7.UI.CodeDocumentationViewerTemplate.html#_stylesheet" /> <keyword name="_weakCryptoKeySizeCryptography" id="_weakCryptoKeySizeCryptography" ref="eric7.Plugins.CheckerPlugins.CodeStyleChecker.Security.Checks.weakCryptographicKey.html#_weakCryptoKeySizeCryptography" /> <keyword name="_weakCryptoKeySizePycrypto" id="_weakCryptoKeySizePycrypto" ref="eric7.Plugins.CheckerPlugins.CodeStyleChecker.Security.Checks.weakCryptographicKey.html#_weakCryptoKeySizePycrypto" /> @@ -18430,6 +18437,7 @@ <keyword name="checkBindAllInterfaces" id="checkBindAllInterfaces" ref="eric7.Plugins.CheckerPlugins.CodeStyleChecker.Security.Checks.generalBindAllInterfaces.html#checkBindAllInterfaces" /> <keyword name="checkBlacklist" id="checkBlacklist" ref="eric7.Plugins.CheckerPlugins.CodeStyleChecker.Security.Checks.blackListCalls.html#checkBlacklist" /> <keyword name="checkBlacklist" id="checkBlacklist" ref="eric7.Plugins.CheckerPlugins.CodeStyleChecker.Security.Checks.blackListImports.html#checkBlacklist" /> + <keyword name="checkContextlibSuppress" id="checkContextlibSuppress" ref="eric7.Plugins.CheckerPlugins.CodeStyleChecker.Security.Checks.tryExcept.html#checkContextlibSuppress" /> <keyword name="checkDjangoExtraUsed" id="checkDjangoExtraUsed" ref="eric7.Plugins.CheckerPlugins.CodeStyleChecker.Security.Checks.djangoSqlInjection.html#checkDjangoExtraUsed" /> <keyword name="checkDjangoRawSqlUsed" id="checkDjangoRawSqlUsed" ref="eric7.Plugins.CheckerPlugins.CodeStyleChecker.Security.Checks.djangoSqlInjection.html#checkDjangoRawSqlUsed" /> <keyword name="checkDjangoXssVulnerability" id="checkDjangoXssVulnerability" ref="eric7.Plugins.CheckerPlugins.CodeStyleChecker.Security.Checks.djangoXssVulnerability.html#checkDjangoXssVulnerability" /> @@ -18442,9 +18450,10 @@ <keyword name="checkHardcodedPasswordAsString" id="checkHardcodedPasswordAsString" ref="eric7.Plugins.CheckerPlugins.CodeStyleChecker.Security.Checks.generalHardcodedPassword.html#checkHardcodedPasswordAsString" /> <keyword name="checkHardcodedSqlExpressions" id="checkHardcodedSqlExpressions" ref="eric7.Plugins.CheckerPlugins.CodeStyleChecker.Security.Checks.injectionSql.html#checkHardcodedSqlExpressions" /> <keyword name="checkHardcodedTmpDirectory" id="checkHardcodedTmpDirectory" ref="eric7.Plugins.CheckerPlugins.CodeStyleChecker.Security.Checks.generalHardcodedTmp.html#checkHardcodedTmpDirectory" /> - <keyword name="checkHashlibNew" id="checkHashlibNew" ref="eric7.Plugins.CheckerPlugins.CodeStyleChecker.Security.Checks.insecureHashlibNew.html#checkHashlibNew" /> + <keyword name="checkHashlib" id="checkHashlib" ref="eric7.Plugins.CheckerPlugins.CodeStyleChecker.Security.Checks.insecureHashlibNew.html#checkHashlib" /> <keyword name="checkInsecureSslDefaults" id="checkInsecureSslDefaults" ref="eric7.Plugins.CheckerPlugins.CodeStyleChecker.Security.Checks.insecureSslTls.html#checkInsecureSslDefaults" /> <keyword name="checkInsecureSslProtocolVersion" id="checkInsecureSslProtocolVersion" ref="eric7.Plugins.CheckerPlugins.CodeStyleChecker.Security.Checks.insecureSslTls.html#checkInsecureSslProtocolVersion" /> + <keyword name="checkInsecureVersion" id="checkInsecureVersion" ref="eric7.Plugins.CheckerPlugins.CodeStyleChecker.Security.Checks.snmpSecurity.html#checkInsecureVersion" /> <keyword name="checkJinja2Autoescape" id="checkJinja2Autoescape" ref="eric7.Plugins.CheckerPlugins.CodeStyleChecker.Security.Checks.jinja2Templates.html#checkJinja2Autoescape" /> <keyword name="checkLinuxCommandsWildcardInjection" id="checkLinuxCommandsWildcardInjection" ref="eric7.Plugins.CheckerPlugins.CodeStyleChecker.Security.Checks.injectionWildcard.html#checkLinuxCommandsWildcardInjection" /> <keyword name="checkMakoTemplateUsage" id="checkMakoTemplateUsage" ref="eric7.Plugins.CheckerPlugins.CodeStyleChecker.Security.Checks.makoTemplates.html#checkMakoTemplateUsage" /> @@ -18453,6 +18462,7 @@ <keyword name="checkParamikoCalls" id="checkParamikoCalls" ref="eric7.Plugins.CheckerPlugins.CodeStyleChecker.Security.Checks.injectionParamiko.html#checkParamikoCalls" /> <keyword name="checkPotentialRisk" id="checkPotentialRisk" ref="eric7.Plugins.CheckerPlugins.CodeStyleChecker.Security.Checks.djangoXssVulnerability.html#checkPotentialRisk" /> <keyword name="checkPyside" id="checkPyside" ref="eric7.Utilities.__init__.html#checkPyside" /> + <keyword name="checkRequestWithouTimeout" id="checkRequestWithouTimeout" ref="eric7.Plugins.CheckerPlugins.CodeStyleChecker.Security.Checks.requestWithoutTimeout.html#checkRequestWithouTimeout" /> <keyword name="checkSshNoHostKeyVerification" id="checkSshNoHostKeyVerification" ref="eric7.Plugins.CheckerPlugins.CodeStyleChecker.Security.Checks.sshNoHostKeyVerification.html#checkSshNoHostKeyVerification" /> <keyword name="checkSslWithoutVersion" id="checkSslWithoutVersion" ref="eric7.Plugins.CheckerPlugins.CodeStyleChecker.Security.Checks.insecureSslTls.html#checkSslWithoutVersion" /> <keyword name="checkStartProcessWithNoShell" id="checkStartProcessWithNoShell" ref="eric7.Plugins.CheckerPlugins.CodeStyleChecker.Security.Checks.injectionShell.html#checkStartProcessWithNoShell" /> @@ -18460,9 +18470,11 @@ <keyword name="checkStartProcessWithShell" id="checkStartProcessWithShell" ref="eric7.Plugins.CheckerPlugins.CodeStyleChecker.Security.Checks.injectionShell.html#checkStartProcessWithShell" /> <keyword name="checkSubprocessPopenWithShell" id="checkSubprocessPopenWithShell" ref="eric7.Plugins.CheckerPlugins.CodeStyleChecker.Security.Checks.injectionShell.html#checkSubprocessPopenWithShell" /> <keyword name="checkSubprocessPopenWithoutShell" id="checkSubprocessPopenWithoutShell" ref="eric7.Plugins.CheckerPlugins.CodeStyleChecker.Security.Checks.injectionShell.html#checkSubprocessPopenWithoutShell" /> + <keyword name="checkTarfileUnsafeMembers" id="checkTarfileUnsafeMembers" ref="eric7.Plugins.CheckerPlugins.CodeStyleChecker.Security.Checks.tarfileUnsafeMembers.html#checkTarfileUnsafeMembers" /> <keyword name="checkTryExceptContinue" id="checkTryExceptContinue" ref="eric7.Plugins.CheckerPlugins.CodeStyleChecker.Security.Checks.tryExcept.html#checkTryExceptContinue" /> <keyword name="checkTryExceptPass" id="checkTryExceptPass" ref="eric7.Plugins.CheckerPlugins.CodeStyleChecker.Security.Checks.tryExcept.html#checkTryExceptPass" /> <keyword name="checkWeakCryptographicKey" id="checkWeakCryptographicKey" ref="eric7.Plugins.CheckerPlugins.CodeStyleChecker.Security.Checks.weakCryptographicKey.html#checkWeakCryptographicKey" /> + <keyword name="checkWeakCryptography" id="checkWeakCryptography" ref="eric7.Plugins.CheckerPlugins.CodeStyleChecker.Security.Checks.snmpSecurity.html#checkWeakCryptography" /> <keyword name="checkYamlLoad" id="checkYamlLoad" ref="eric7.Plugins.CheckerPlugins.CodeStyleChecker.Security.Checks.yamlLoad.html#checkYamlLoad" /> <keyword name="choices_from_enum" id="choices_from_enum" ref="eric7.PipInterface.piplicenses.html#choices_from_enum" /> <keyword name="className" id="className" ref="eric7.Project.UicLoadUi5.html#className" /> @@ -18755,7 +18767,10 @@ <keyword name="getChecks" id="getChecks" ref="eric7.Plugins.CheckerPlugins.CodeStyleChecker.Security.Checks.insecureSslTls.html#getChecks" /> <keyword name="getChecks" id="getChecks" ref="eric7.Plugins.CheckerPlugins.CodeStyleChecker.Security.Checks.jinja2Templates.html#getChecks" /> <keyword name="getChecks" id="getChecks" ref="eric7.Plugins.CheckerPlugins.CodeStyleChecker.Security.Checks.makoTemplates.html#getChecks" /> + <keyword name="getChecks" id="getChecks" ref="eric7.Plugins.CheckerPlugins.CodeStyleChecker.Security.Checks.requestWithoutTimeout.html#getChecks" /> + <keyword name="getChecks" id="getChecks" ref="eric7.Plugins.CheckerPlugins.CodeStyleChecker.Security.Checks.snmpSecurity.html#getChecks" /> <keyword name="getChecks" id="getChecks" ref="eric7.Plugins.CheckerPlugins.CodeStyleChecker.Security.Checks.sshNoHostKeyVerification.html#getChecks" /> + <keyword name="getChecks" id="getChecks" ref="eric7.Plugins.CheckerPlugins.CodeStyleChecker.Security.Checks.tarfileUnsafeMembers.html#getChecks" /> <keyword name="getChecks" id="getChecks" ref="eric7.Plugins.CheckerPlugins.CodeStyleChecker.Security.Checks.tryExcept.html#getChecks" /> <keyword name="getChecks" id="getChecks" ref="eric7.Plugins.CheckerPlugins.CodeStyleChecker.Security.Checks.weakCryptographicKey.html#getChecks" /> <keyword name="getChecks" id="getChecks" ref="eric7.Plugins.CheckerPlugins.CodeStyleChecker.Security.Checks.yamlLoad.html#getChecks" /> @@ -19221,6 +19236,7 @@ <keyword name="render_json" id="render_json" ref="eric7.PipInterface.pipdeptree.html#render_json" /> <keyword name="render_json_tree" id="render_json_tree" ref="eric7.PipInterface.pipdeptree.html#render_json_tree" /> <keyword name="render_text" id="render_text" ref="eric7.PipInterface.pipdeptree.html#render_text" /> + <keyword name="requestWithoutTimeout (Module)" id="requestWithoutTimeout (Module)" ref="eric7.Plugins.CheckerPlugins.CodeStyleChecker.Security.Checks.requestWithoutTimeout.html" /> <keyword name="resetInterface" id="resetInterface" ref="eric7.CondaInterface.__init__.html#resetInterface" /> <keyword name="resetLayout" id="resetLayout" ref="eric7.Preferences.__init__.html#resetLayout" /> <keyword name="resetParsedModule" id="resetParsedModule" ref="eric7.Utilities.ModuleParser.html#resetParsedModule" /> @@ -19315,6 +19331,7 @@ <keyword name="signatures" id="signatures" ref="eric7.Project.UicLoadUi5.html#signatures" /> <keyword name="signatures" id="signatures" ref="eric7.Project.UicLoadUi6.html#signatures" /> <keyword name="simpleAppStartup" id="simpleAppStartup" ref="eric7.Toolbox.Startup.html#simpleAppStartup" /> + <keyword name="snmpSecurity (Module)" id="snmpSecurity (Module)" ref="eric7.Plugins.CheckerPlugins.CodeStyleChecker.Security.Checks.snmpSecurity.html" /> <keyword name="sort" id="sort" ref="eric7.Graphics.GraphicsUtilities.html#sort" /> <keyword name="sorted_tree" id="sorted_tree" ref="eric7.PipInterface.pipdeptree.html#sorted_tree" /> <keyword name="speedString" id="speedString" ref="eric7.WebBrowser.Download.DownloadUtilities.html#speedString" /> @@ -19340,6 +19357,7 @@ <keyword name="syntaxAndPyflakesCheck" id="syntaxAndPyflakesCheck" ref="eric7.Plugins.CheckerPlugins.SyntaxChecker.SyntaxCheck.html#syntaxAndPyflakesCheck" /> <keyword name="tabs_obsolete" id="tabs_obsolete" ref="eric7.Plugins.CheckerPlugins.CodeStyleChecker.pycodestyle.html#tabs_obsolete" /> <keyword name="tabs_or_spaces" id="tabs_or_spaces" ref="eric7.Plugins.CheckerPlugins.CodeStyleChecker.pycodestyle.html#tabs_or_spaces" /> + <keyword name="tarfileUnsafeMembers (Module)" id="tarfileUnsafeMembers (Module)" ref="eric7.Plugins.CheckerPlugins.CodeStyleChecker.Security.Checks.tarfileUnsafeMembers.html" /> <keyword name="timeString" id="timeString" ref="eric7.WebBrowser.Download.DownloadUtilities.html#timeString" /> <keyword name="toBool" id="toBool" ref="eric7.Globals.__init__.html#toBool" /> <keyword name="toBool" id="toBool" ref="eric7.Preferences.__init__.html#toBool" /> @@ -19735,7 +19753,10 @@ <file>eric7.Plugins.CheckerPlugins.CodeStyleChecker.Security.Checks.insecureSslTls.html</file> <file>eric7.Plugins.CheckerPlugins.CodeStyleChecker.Security.Checks.jinja2Templates.html</file> <file>eric7.Plugins.CheckerPlugins.CodeStyleChecker.Security.Checks.makoTemplates.html</file> + <file>eric7.Plugins.CheckerPlugins.CodeStyleChecker.Security.Checks.requestWithoutTimeout.html</file> + <file>eric7.Plugins.CheckerPlugins.CodeStyleChecker.Security.Checks.snmpSecurity.html</file> <file>eric7.Plugins.CheckerPlugins.CodeStyleChecker.Security.Checks.sshNoHostKeyVerification.html</file> + <file>eric7.Plugins.CheckerPlugins.CodeStyleChecker.Security.Checks.tarfileUnsafeMembers.html</file> <file>eric7.Plugins.CheckerPlugins.CodeStyleChecker.Security.Checks.tryExcept.html</file> <file>eric7.Plugins.CheckerPlugins.CodeStyleChecker.Security.Checks.weakCryptographicKey.html</file> <file>eric7.Plugins.CheckerPlugins.CodeStyleChecker.Security.Checks.yamlLoad.html</file>
--- a/src/eric7/Documentation/Source/eric7.Plugins.CheckerPlugins.CodeStyleChecker.Security.Checks.generalFilePermissions.html Tue Sep 13 19:46:19 2022 +0200 +++ b/src/eric7/Documentation/Source/eric7.Plugins.CheckerPlugins.CodeStyleChecker.Security.Checks.generalFilePermissions.html Tue Sep 13 20:00:55 2022 +0200 @@ -26,6 +26,10 @@ <table> <tr> +<td><a href="#_statIsDangerous">_statIsDangerous</a></td> +<td>Function to check for dangerous stat values.</td> +</tr> +<tr> <td><a href="#checkFilePermissions">checkFilePermissions</a></td> <td>Function to check for setting too permissive file permissions.</td> </tr> @@ -36,6 +40,35 @@ </table> <hr /> <hr /> +<a NAME="_statIsDangerous" ID="_statIsDangerous"></a> +<h2>_statIsDangerous</h2> +<b>_statIsDangerous</b>(<i>mode</i>) + +<p> + Function to check for dangerous stat values. +</p> +<dl> + +<dt><i>mode</i> (int)</dt> +<dd> +file mode to be checked +</dd> +</dl> +<dl> +<dt>Return:</dt> +<dd> +mode with masked dangerous values +</dd> +</dl> +<dl> +<dt>Return Type:</dt> +<dd> +int +</dd> +</dl> +<div align="right"><a href="#top">Up</a></div> +<hr /> +<hr /> <a NAME="checkFilePermissions" ID="checkFilePermissions"></a> <h2>checkFilePermissions</h2> <b>checkFilePermissions</b>(<i>reportError, context, config</i>)
--- a/src/eric7/Documentation/Source/eric7.Plugins.CheckerPlugins.CodeStyleChecker.Security.Checks.injectionShell.html Tue Sep 13 19:46:19 2022 +0200 +++ b/src/eric7/Documentation/Source/eric7.Plugins.CheckerPlugins.CodeStyleChecker.Security.Checks.injectionShell.html Tue Sep 13 20:00:55 2022 +0200 @@ -283,14 +283,13 @@ <dl> <dt>Return:</dt> <dd> -tuple containing a flag indicating the presence of the 'shell' - argument and flag indicating the value of the 'shell' argument +flag indicating the value of the 'shell' argument </dd> </dl> <dl> <dt>Return Type:</dt> <dd> -tuple of (bool, bool) +bool </dd> </dl> <div align="right"><a href="#top">Up</a></div>
--- a/src/eric7/Documentation/Source/eric7.Plugins.CheckerPlugins.CodeStyleChecker.Security.Checks.insecureHashlibNew.html Tue Sep 13 19:46:19 2022 +0200 +++ b/src/eric7/Documentation/Source/eric7.Plugins.CheckerPlugins.CodeStyleChecker.Security.Checks.insecureHashlibNew.html Tue Sep 13 20:00:55 2022 +0200 @@ -27,8 +27,16 @@ <table> <tr> -<td><a href="#checkHashlibNew">checkHashlibNew</a></td> -<td>Function to check for use of insecure md4, md5, or sha1 hash functions in hashlib.new().</td> +<td><a href="#_hashlibFunc">_hashlibFunc</a></td> +<td>Function to check for use of insecure md4, md5, sha or sha1 hash functions in hashlib.new() if 'usedforsecurity' is not set to 'False'.</td> +</tr> +<tr> +<td><a href="#_hashlibNew">_hashlibNew</a></td> +<td>Function to check for use of insecure md4, md5, sha or sha1 hash functions in hashlib.new().</td> +</tr> +<tr> +<td><a href="#checkHashlib">checkHashlib</a></td> +<td>Function to check for use of insecure md4, md5, sha or sha1 hash functions in hashlib.new().</td> </tr> <tr> <td><a href="#getChecks">getChecks</a></td> @@ -37,12 +45,64 @@ </table> <hr /> <hr /> -<a NAME="checkHashlibNew" ID="checkHashlibNew"></a> -<h2>checkHashlibNew</h2> -<b>checkHashlibNew</b>(<i>reportError, context, config</i>) +<a NAME="_hashlibFunc" ID="_hashlibFunc"></a> +<h2>_hashlibFunc</h2> +<b>_hashlibFunc</b>(<i>reportError, context, config</i>) <p> - Function to check for use of insecure md4, md5, or sha1 hash functions + Function to check for use of insecure md4, md5, sha or sha1 hash functions + in hashlib.new() if 'usedforsecurity' is not set to 'False'. +</p> +<dl> + +<dt><i>reportError</i> (func)</dt> +<dd> +function to be used to report errors +</dd> +<dt><i>context</i> (SecurityContext)</dt> +<dd> +security context object +</dd> +<dt><i>config</i> (dict)</dt> +<dd> +dictionary with configuration data +</dd> +</dl> +<div align="right"><a href="#top">Up</a></div> +<hr /> +<hr /> +<a NAME="_hashlibNew" ID="_hashlibNew"></a> +<h2>_hashlibNew</h2> +<b>_hashlibNew</b>(<i>reportError, context, config</i>) + +<p> + Function to check for use of insecure md4, md5, sha or sha1 hash functions + in hashlib.new(). +</p> +<dl> + +<dt><i>reportError</i> (func)</dt> +<dd> +function to be used to report errors +</dd> +<dt><i>context</i> (SecurityContext)</dt> +<dd> +security context object +</dd> +<dt><i>config</i> (dict)</dt> +<dd> +dictionary with configuration data +</dd> +</dl> +<div align="right"><a href="#top">Up</a></div> +<hr /> +<hr /> +<a NAME="checkHashlib" ID="checkHashlib"></a> +<h2>checkHashlib</h2> +<b>checkHashlib</b>(<i>reportError, context, config</i>) + +<p> + Function to check for use of insecure md4, md5, sha or sha1 hash functions in hashlib.new(). </p> <dl>
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/src/eric7/Documentation/Source/eric7.Plugins.CheckerPlugins.CodeStyleChecker.Security.Checks.requestWithoutTimeout.html Tue Sep 13 20:00:55 2022 +0200 @@ -0,0 +1,86 @@ +<!DOCTYPE html> +<html><head> +<title>eric7.Plugins.CheckerPlugins.CodeStyleChecker.Security.Checks.requestWithoutTimeout</title> +<meta charset="UTF-8"> +<link rel="stylesheet" href="styles.css"> +</head> +<body> +<a NAME="top" ID="top"></a> +<h1>eric7.Plugins.CheckerPlugins.CodeStyleChecker.Security.Checks.requestWithoutTimeout</h1> + +<p> +Module implementing checks for using requests without timeout. +</p> +<h3>Global Attributes</h3> + +<table> +<tr><td>None</td></tr> +</table> +<h3>Classes</h3> + +<table> +<tr><td>None</td></tr> +</table> +<h3>Functions</h3> + +<table> + +<tr> +<td><a href="#checkRequestWithouTimeout">checkRequestWithouTimeout</a></td> +<td>Function to check for use of requests without timeout.</td> +</tr> +<tr> +<td><a href="#getChecks">getChecks</a></td> +<td>Public method to get a dictionary with checks handled by this module.</td> +</tr> +</table> +<hr /> +<hr /> +<a NAME="checkRequestWithouTimeout" ID="checkRequestWithouTimeout"></a> +<h2>checkRequestWithouTimeout</h2> +<b>checkRequestWithouTimeout</b>(<i>reportError, context, config</i>) + +<p> + Function to check for use of requests without timeout. +</p> +<dl> + +<dt><i>reportError</i> (func)</dt> +<dd> +function to be used to report errors +</dd> +<dt><i>context</i> (SecurityContext)</dt> +<dd> +security context object +</dd> +<dt><i>config</i> (dict)</dt> +<dd> +dictionary with configuration data +</dd> +</dl> +<div align="right"><a href="#top">Up</a></div> +<hr /> +<hr /> +<a NAME="getChecks" ID="getChecks"></a> +<h2>getChecks</h2> +<b>getChecks</b>(<i></i>) + +<p> + Public method to get a dictionary with checks handled by this module. +</p> +<dl> +<dt>Return:</dt> +<dd> +dictionary containing checker lists containing checker function and + list of codes +</dd> +</dl> +<dl> +<dt>Return Type:</dt> +<dd> +dict +</dd> +</dl> +<div align="right"><a href="#top">Up</a></div> +<hr /> +</body></html> \ No newline at end of file
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/src/eric7/Documentation/Source/eric7.Plugins.CheckerPlugins.CodeStyleChecker.Security.Checks.snmpSecurity.html Tue Sep 13 20:00:55 2022 +0200 @@ -0,0 +1,117 @@ +<!DOCTYPE html> +<html><head> +<title>eric7.Plugins.CheckerPlugins.CodeStyleChecker.Security.Checks.snmpSecurity</title> +<meta charset="UTF-8"> +<link rel="stylesheet" href="styles.css"> +</head> +<body> +<a NAME="top" ID="top"></a> +<h1>eric7.Plugins.CheckerPlugins.CodeStyleChecker.Security.Checks.snmpSecurity</h1> + +<p> +Module implementing checks for the insecure use of SNMP. +</p> +<h3>Global Attributes</h3> + +<table> +<tr><td>None</td></tr> +</table> +<h3>Classes</h3> + +<table> +<tr><td>None</td></tr> +</table> +<h3>Functions</h3> + +<table> + +<tr> +<td><a href="#checkInsecureVersion">checkInsecureVersion</a></td> +<td>Function to check for the use of insecure SNMP version like v1, v2c.</td> +</tr> +<tr> +<td><a href="#checkWeakCryptography">checkWeakCryptography</a></td> +<td>Function to check for the use of insecure SNMP cryptography (i.e.</td> +</tr> +<tr> +<td><a href="#getChecks">getChecks</a></td> +<td>Public method to get a dictionary with checks handled by this module.</td> +</tr> +</table> +<hr /> +<hr /> +<a NAME="checkInsecureVersion" ID="checkInsecureVersion"></a> +<h2>checkInsecureVersion</h2> +<b>checkInsecureVersion</b>(<i>reportError, context, config</i>) + +<p> + Function to check for the use of insecure SNMP version like + v1, v2c. +</p> +<dl> + +<dt><i>reportError</i> (func)</dt> +<dd> +function to be used to report errors +</dd> +<dt><i>context</i> (SecurityContext)</dt> +<dd> +security context object +</dd> +<dt><i>config</i> (dict)</dt> +<dd> +dictionary with configuration data +</dd> +</dl> +<div align="right"><a href="#top">Up</a></div> +<hr /> +<hr /> +<a NAME="checkWeakCryptography" ID="checkWeakCryptography"></a> +<h2>checkWeakCryptography</h2> +<b>checkWeakCryptography</b>(<i>reportError, context, config</i>) + +<p> + Function to check for the use of insecure SNMP cryptography + (i.e. v3 using noAuthNoPriv). +</p> +<dl> + +<dt><i>reportError</i> (func)</dt> +<dd> +function to be used to report errors +</dd> +<dt><i>context</i> (SecurityContext)</dt> +<dd> +security context object +</dd> +<dt><i>config</i> (dict)</dt> +<dd> +dictionary with configuration data +</dd> +</dl> +<div align="right"><a href="#top">Up</a></div> +<hr /> +<hr /> +<a NAME="getChecks" ID="getChecks"></a> +<h2>getChecks</h2> +<b>getChecks</b>(<i></i>) + +<p> + Public method to get a dictionary with checks handled by this module. +</p> +<dl> +<dt>Return:</dt> +<dd> +dictionary containing checker lists containing checker function and + list of codes +</dd> +</dl> +<dl> +<dt>Return Type:</dt> +<dd> +dict +</dd> +</dl> +<div align="right"><a href="#top">Up</a></div> +<hr /> +</body></html> \ No newline at end of file
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/src/eric7/Documentation/Source/eric7.Plugins.CheckerPlugins.CodeStyleChecker.Security.Checks.tarfileUnsafeMembers.html Tue Sep 13 20:00:55 2022 +0200 @@ -0,0 +1,119 @@ +<!DOCTYPE html> +<html><head> +<title>eric7.Plugins.CheckerPlugins.CodeStyleChecker.Security.Checks.tarfileUnsafeMembers</title> +<meta charset="UTF-8"> +<link rel="stylesheet" href="styles.css"> +</head> +<body> +<a NAME="top" ID="top"></a> +<h1>eric7.Plugins.CheckerPlugins.CodeStyleChecker.Security.Checks.tarfileUnsafeMembers</h1> + +<p> +Module implementing checks for insecure use of 'tarfile.extracall()'. +</p> +<h3>Global Attributes</h3> + +<table> +<tr><td>None</td></tr> +</table> +<h3>Classes</h3> + +<table> +<tr><td>None</td></tr> +</table> +<h3>Functions</h3> + +<table> + +<tr> +<td><a href="#_getMembersValue">_getMembersValue</a></td> +<td>Function to extract the value of the 'members' argument.</td> +</tr> +<tr> +<td><a href="#checkTarfileUnsafeMembers">checkTarfileUnsafeMembers</a></td> +<td>Function to check for insecure use of 'tarfile.extracall()'.</td> +</tr> +<tr> +<td><a href="#getChecks">getChecks</a></td> +<td>Public method to get a dictionary with checks handled by this module.</td> +</tr> +</table> +<hr /> +<hr /> +<a NAME="_getMembersValue" ID="_getMembersValue"></a> +<h2>_getMembersValue</h2> +<b>_getMembersValue</b>(<i>context</i>) + +<p> + Function to extract the value of the 'members' argument. +</p> +<dl> + +<dt><i>context</i> (SecurityContext)</dt> +<dd> +security context object +</dd> +</dl> +<dl> +<dt>Return:</dt> +<dd> +dictionary containing the argument value +</dd> +</dl> +<dl> +<dt>Return Type:</dt> +<dd> +dict +</dd> +</dl> +<div align="right"><a href="#top">Up</a></div> +<hr /> +<hr /> +<a NAME="checkTarfileUnsafeMembers" ID="checkTarfileUnsafeMembers"></a> +<h2>checkTarfileUnsafeMembers</h2> +<b>checkTarfileUnsafeMembers</b>(<i>reportError, context, config</i>) + +<p> + Function to check for insecure use of 'tarfile.extracall()'. +</p> +<dl> + +<dt><i>reportError</i> (func)</dt> +<dd> +function to be used to report errors +</dd> +<dt><i>context</i> (SecurityContext)</dt> +<dd> +security context object +</dd> +<dt><i>config</i> (dict)</dt> +<dd> +dictionary with configuration data +</dd> +</dl> +<div align="right"><a href="#top">Up</a></div> +<hr /> +<hr /> +<a NAME="getChecks" ID="getChecks"></a> +<h2>getChecks</h2> +<b>getChecks</b>(<i></i>) + +<p> + Public method to get a dictionary with checks handled by this module. +</p> +<dl> +<dt>Return:</dt> +<dd> +dictionary containing checker lists containing checker function and + list of codes +</dd> +</dl> +<dl> +<dt>Return Type:</dt> +<dd> +dict +</dd> +</dl> +<div align="right"><a href="#top">Up</a></div> +<hr /> +</body></html> \ No newline at end of file
--- a/src/eric7/Documentation/Source/eric7.Plugins.CheckerPlugins.CodeStyleChecker.Security.Checks.yamlLoad.html Tue Sep 13 19:46:19 2022 +0200 +++ b/src/eric7/Documentation/Source/eric7.Plugins.CheckerPlugins.CodeStyleChecker.Security.Checks.yamlLoad.html Tue Sep 13 20:00:55 2022 +0200 @@ -27,7 +27,7 @@ <tr> <td><a href="#checkYamlLoad">checkYamlLoad</a></td> -<td>Function to check for the use of of yaml load functions.</td> +<td>Function to check for the use of yaml load functions.</td> </tr> <tr> <td><a href="#getChecks">getChecks</a></td> @@ -41,7 +41,7 @@ <b>checkYamlLoad</b>(<i>reportError, context, config</i>) <p> - Function to check for the use of of yaml load functions. + Function to check for the use of yaml load functions. </p> <dl>
--- a/src/eric7/Documentation/Source/index-eric7.Plugins.CheckerPlugins.CodeStyleChecker.Security.Checks.html Tue Sep 13 19:46:19 2022 +0200 +++ b/src/eric7/Documentation/Source/index-eric7.Plugins.CheckerPlugins.CodeStyleChecker.Security.Checks.html Tue Sep 13 20:00:55 2022 +0200 @@ -104,10 +104,22 @@ <td>Module implementing a check for use of mako templates.</td> </tr> <tr> +<td><a href="eric7.Plugins.CheckerPlugins.CodeStyleChecker.Security.Checks.requestWithoutTimeout.html">requestWithoutTimeout</a></td> +<td>Module implementing checks for using requests without timeout.</td> +</tr> +<tr> +<td><a href="eric7.Plugins.CheckerPlugins.CodeStyleChecker.Security.Checks.snmpSecurity.html">snmpSecurity</a></td> +<td>Module implementing checks for the insecure use of SNMP.</td> +</tr> +<tr> <td><a href="eric7.Plugins.CheckerPlugins.CodeStyleChecker.Security.Checks.sshNoHostKeyVerification.html">sshNoHostKeyVerification</a></td> <td>Module implementing a check for use of mako templates.</td> </tr> <tr> +<td><a href="eric7.Plugins.CheckerPlugins.CodeStyleChecker.Security.Checks.tarfileUnsafeMembers.html">tarfileUnsafeMembers</a></td> +<td>Module implementing checks for insecure use of 'tarfile.extracall()'.</td> +</tr> +<tr> <td><a href="eric7.Plugins.CheckerPlugins.CodeStyleChecker.Security.Checks.tryExcept.html">tryExcept</a></td> <td>Module implementing checks for insecure except blocks.</td> </tr>
--- a/src/eric7/Plugins/CheckerPlugins/CodeStyleChecker/Security/Checks/__init__.py Tue Sep 13 19:46:19 2022 +0200 +++ b/src/eric7/Plugins/CheckerPlugins/CodeStyleChecker/Security/Checks/__init__.py Tue Sep 13 20:00:55 2022 +0200 @@ -23,7 +23,6 @@ @return dictionary containing list of tuples with checker data @rtype dict """ - # TODO: update to bandit v1.7.4 checkersDict = collections.defaultdict(list) checkersDirectory = os.path.dirname(__file__)
--- a/src/eric7/Plugins/CheckerPlugins/CodeStyleChecker/Security/Checks/blackListCalls.py Tue Sep 13 19:46:19 2022 +0200 +++ b/src/eric7/Plugins/CheckerPlugins/CodeStyleChecker/Security/Checks/blackListCalls.py Tue Sep 13 20:00:55 2022 +0200 @@ -17,6 +17,7 @@ import ast import fnmatch +import sys import AstUtilities @@ -38,9 +39,29 @@ "M", ), "S302": (["marshal.load", "marshal.loads"], "M"), - "S303": ( +} +if sys.version_info >= (3, 9): + _blacklists["S303"] = ( [ + "Crypto.Hash.MD2.new", + "Crypto.Hash.MD4.new", + "Crypto.Hash.MD5.new", + "Crypto.Hash.SHA.new", + "Cryptodome.Hash.MD2.new", + "Cryptodome.Hash.MD4.new", + "Cryptodome.Hash.MD5.new", + "Cryptodome.Hash.SHA.new", + "cryptography.hazmat.primitives.hashes.MD5", + "cryptography.hazmat.primitives.hashes.SHA1", + ], + "M", + ) +else: + _blacklists["S303"] = ( + [ + "hashlib.md4", "hashlib.md5", + "hashlib.sha", "hashlib.sha1", "Crypto.Hash.MD2.new", "Crypto.Hash.MD4.new", @@ -54,107 +75,115 @@ "cryptography.hazmat.primitives.hashes.SHA1", ], "M", - ), - "S304": ( - [ - "Crypto.Cipher.ARC2.new", - "Crypto.Cipher.ARC4.new", - "Crypto.Cipher.Blowfish.new", - "Crypto.Cipher.DES.new", - "Crypto.Cipher.XOR.new", - "Cryptodome.Cipher.ARC2.new", - "Cryptodome.Cipher.ARC4.new", - "Cryptodome.Cipher.Blowfish.new", - "Cryptodome.Cipher.DES.new", - "Cryptodome.Cipher.XOR.new", - "cryptography.hazmat.primitives.ciphers.algorithms.ARC4", - "cryptography.hazmat.primitives.ciphers.algorithms.Blowfish", - "cryptography.hazmat.primitives.ciphers.algorithms.IDEA", - ], - "H", - ), - "S305": (["cryptography.hazmat.primitives.ciphers.modes.ECB"], "M"), - "S306": (["tempfile.mktemp"], "M"), - "S307": (["eval"], "M"), - "S308": (["django.utils.safestring.mark_safe"], "M"), - "S309": ( - [ - "httplib.HTTPSConnection", - "http.client.HTTPSConnection", - "six.moves.http_client.HTTPSConnection", - ], - "M", - ), - "S310": ( - [ - "urllib.urlopen", - "urllib.request.urlopen", - "urllib.urlretrieve", - "urllib.request.urlretrieve", - "urllib.URLopener", - "urllib.request.URLopener", - "urllib.FancyURLopener", - "urllib.request.FancyURLopener", - "urllib2.urlopen", - "urllib2.Request", - "six.moves.urllib.request.urlopen", - "six.moves.urllib.request.urlretrieve", - "six.moves.urllib.request.URLopener", - "six.moves.urllib.request.FancyURLopener", - ], - "", - ), - "S311": ( - [ - "random.random", - "random.randrange", - "random.randint", - "random.choice", - "random.uniform", - "random.triangular", - ], - "L", - ), - "S312": (["telnetlib.*"], "H"), - "S313": ( - [ - "xml.etree.cElementTree.parse", - "xml.etree.cElementTree.iterparse", - "xml.etree.cElementTree.fromstring", - "xml.etree.cElementTree.XMLParser", - ], - "M", - ), - "S314": ( - [ - "xml.etree.ElementTree.parse", - "xml.etree.ElementTree.iterparse", - "xml.etree.ElementTree.fromstring", - "xml.etree.ElementTree.XMLParser", - ], - "M", - ), - "S315": (["xml.sax.expatreader.create_parser"], "M"), - "S316": (["xml.dom.expatbuilder.parse", "xml.dom.expatbuilder.parseString"], "M"), - "S317": (["xml.sax.parse", "xml.sax.parseString", "xml.sax.make_parser"], "M"), - "S318": (["xml.dom.minidom.parse", "xml.dom.minidom.parseString"], "M"), - "S319": (["xml.dom.pulldom.parse", "xml.dom.pulldom.parseString"], "M"), - "S320": ( - [ - "lxml.etree.parse", - "lxml.etree.fromstring", - "lxml.etree.RestrictedElement", - "lxml.etree.GlobalParserTLS", - "lxml.etree.getDefaultParser", - "lxml.etree.check_docinfo", - ], - "M", - ), - "S321": (["ftplib.*"], "H"), - "S322": (["input"], "H"), - "S323": (["ssl._create_unverified_context"], "M"), - "S324": (["os.tempnam", "os.tmpnam"], "M"), -} + ) + +_blacklists.update( + { + "S304": ( + [ + "Crypto.Cipher.ARC2.new", + "Crypto.Cipher.ARC4.new", + "Crypto.Cipher.Blowfish.new", + "Crypto.Cipher.DES.new", + "Crypto.Cipher.XOR.new", + "Cryptodome.Cipher.ARC2.new", + "Cryptodome.Cipher.ARC4.new", + "Cryptodome.Cipher.Blowfish.new", + "Cryptodome.Cipher.DES.new", + "Cryptodome.Cipher.XOR.new", + "cryptography.hazmat.primitives.ciphers.algorithms.ARC4", + "cryptography.hazmat.primitives.ciphers.algorithms.Blowfish", + "cryptography.hazmat.primitives.ciphers.algorithms.IDEA", + ], + "H", + ), + "S305": (["cryptography.hazmat.primitives.ciphers.modes.ECB"], "M"), + "S306": (["tempfile.mktemp"], "M"), + "S307": (["eval"], "M"), + "S308": (["django.utils.safestring.mark_safe"], "M"), + "S309": ( + [ + "httplib.HTTPSConnection", + "http.client.HTTPSConnection", + "six.moves.http_client.HTTPSConnection", + ], + "M", + ), + "S310": ( + [ + "urllib.urlopen", + "urllib.request.urlopen", + "urllib.urlretrieve", + "urllib.request.urlretrieve", + "urllib.URLopener", + "urllib.request.URLopener", + "urllib.FancyURLopener", + "urllib.request.FancyURLopener", + "urllib2.urlopen", + "urllib2.Request", + "six.moves.urllib.request.urlopen", + "six.moves.urllib.request.urlretrieve", + "six.moves.urllib.request.URLopener", + "six.moves.urllib.request.FancyURLopener", + ], + "", + ), + "S311": ( + [ + "random.random", + "random.randrange", + "random.randint", + "random.choice", + "random.choices", + "random.uniform", + "random.triangular", + ], + "L", + ), + "S312": (["telnetlib.*"], "H"), + "S313": ( + [ + "xml.etree.cElementTree.parse", + "xml.etree.cElementTree.iterparse", + "xml.etree.cElementTree.fromstring", + "xml.etree.cElementTree.XMLParser", + ], + "M", + ), + "S314": ( + [ + "xml.etree.ElementTree.parse", + "xml.etree.ElementTree.iterparse", + "xml.etree.ElementTree.fromstring", + "xml.etree.ElementTree.XMLParser", + ], + "M", + ), + "S315": (["xml.sax.expatreader.create_parser"], "M"), + "S316": ( + ["xml.dom.expatbuilder.parse", "xml.dom.expatbuilder.parseString"], + "M", + ), + "S317": (["xml.sax.parse", "xml.sax.parseString", "xml.sax.make_parser"], "M"), + "S318": (["xml.dom.minidom.parse", "xml.dom.minidom.parseString"], "M"), + "S319": (["xml.dom.pulldom.parse", "xml.dom.pulldom.parseString"], "M"), + "S320": ( + [ + "lxml.etree.parse", + "lxml.etree.fromstring", + "lxml.etree.RestrictedElement", + "lxml.etree.GlobalParserTLS", + "lxml.etree.getDefaultParser", + "lxml.etree.check_docinfo", + ], + "M", + ), + "S321": (["ftplib.*"], "H"), + "S322": (["input"], "H"), + "S323": (["ssl._create_unverified_context"], "M"), + "S324": (["os.tempnam", "os.tmpnam"], "M"), + } +) def getChecks():
--- a/src/eric7/Plugins/CheckerPlugins/CodeStyleChecker/Security/Checks/blackListImports.py Tue Sep 13 19:46:19 2022 +0200 +++ b/src/eric7/Plugins/CheckerPlugins/CodeStyleChecker/Security/Checks/blackListImports.py Tue Sep 13 20:00:55 2022 +0200 @@ -48,6 +48,7 @@ ], "H", ), + "S414": (["pyghmi"], "H"), }
--- a/src/eric7/Plugins/CheckerPlugins/CodeStyleChecker/Security/Checks/certificateValidation.py Tue Sep 13 19:46:19 2022 +0200 +++ b/src/eric7/Plugins/CheckerPlugins/CodeStyleChecker/Security/Checks/certificateValidation.py Tue Sep 13 20:00:55 2022 +0200 @@ -42,10 +42,10 @@ @param config dictionary with configuration data @type dict """ - http_verbs = ("get", "options", "head", "post", "put", "patch", "delete") + httpVerbs = ("get", "options", "head", "post", "put", "patch", "delete") if ( "requests" in context.callFunctionNameQual - and context.callFunctionName in http_verbs + and context.callFunctionName in httpVerbs and context.checkCallArgValue("verify", "False") ): reportError(
--- a/src/eric7/Plugins/CheckerPlugins/CodeStyleChecker/Security/Checks/djangoXssVulnerability.py Tue Sep 13 19:46:19 2022 +0200 +++ b/src/eric7/Plugins/CheckerPlugins/CodeStyleChecker/Security/Checks/djangoXssVulnerability.py Tue Sep 13 20:00:55 2022 +0200 @@ -200,7 +200,7 @@ if isinstance(target, ast.Name): if target.id == self.__varName.id: assigned = node.value - elif isinstance(target, ast.Tuple): + elif isinstance(target, ast.Tuple) and isinstance(node.value, ast.Tuple): for pos, name in enumerate(target.elts): if name.id == self.__varName.id: assigned = node.value.elts[pos]
--- a/src/eric7/Plugins/CheckerPlugins/CodeStyleChecker/Security/Checks/generalFilePermissions.py Tue Sep 13 19:46:19 2022 +0200 +++ b/src/eric7/Plugins/CheckerPlugins/CodeStyleChecker/Security/Checks/generalFilePermissions.py Tue Sep 13 20:00:55 2022 +0200 @@ -33,6 +33,23 @@ } +def _statIsDangerous(mode): + """ + Function to check for dangerous stat values. + + @param mode file mode to be checked + @type int + @return mode with masked dangerous values + @rtype int + """ + return ( + mode & stat.S_IWOTH + or mode & stat.S_IWGRP + or mode & stat.S_IXGRP + or mode & stat.S_IXOTH + ) + + def checkFilePermissions(reportError, context, config): """ Function to check for setting too permissive file permissions. @@ -47,11 +64,7 @@ if "chmod" in context.callFunctionName and context.callArgsCount == 2: mode = context.getCallArgAtPosition(1) - if ( - mode is not None - and isinstance(mode, int) - and (mode & stat.S_IWOTH or mode & stat.S_IXGRP) - ): + if mode is not None and isinstance(mode, int) and _statIsDangerous(mode): # world writable is an HIGH, group executable is a MEDIUM if mode & stat.S_IWOTH: severity = "H"
--- a/src/eric7/Plugins/CheckerPlugins/CodeStyleChecker/Security/Checks/injectionShell.py Tue Sep 13 19:46:19 2022 +0200 +++ b/src/eric7/Plugins/CheckerPlugins/CodeStyleChecker/Security/Checks/injectionShell.py Tue Sep 13 20:00:55 2022 +0200 @@ -70,15 +70,12 @@ @param context context to be inspected @type SecurityContext - @return tuple containing a flag indicating the presence of the 'shell' - argument and flag indicating the value of the 'shell' argument - @rtype tuple of (bool, bool) + @return flag indicating the value of the 'shell' argument + @rtype bool """ keywords = context.node.keywords result = False - shell = False if "shell" in context.callKeywords: - shell = True for key in keywords: if key.arg == "shell": val = key.value @@ -95,7 +92,7 @@ else: result = True - return shell, result + return result def checkSubprocessPopenWithShell(reportError, context, config): @@ -115,26 +112,28 @@ else SecurityDefaults["shell_injection_subprocess"] ) - if context.callFunctionNameQual in functionNames: - shell, shellValue = hasShell(context) - if shell and shellValue and len(context.callArgs) > 0: - sev = _evaluateShellCall(context) - if sev == "L": - reportError( - context.getLinenoForCallArg("shell") - 1, - context.getOffsetForCallArg("shell"), - "S602.L", - sev, - "H", - ) - else: - reportError( - context.getLinenoForCallArg("shell") - 1, - context.getOffsetForCallArg("shell"), - "S602.H", - sev, - "H", - ) + if ( + context.callFunctionNameQual in functionNames + and hasShell(context) + and len(context.callArgs) > 0 + ): + sev = _evaluateShellCall(context) + if sev == "L": + reportError( + context.getLinenoForCallArg("shell") - 1, + context.getOffsetForCallArg("shell"), + "S602.L", + sev, + "H", + ) + else: + reportError( + context.getLinenoForCallArg("shell") - 1, + context.getOffsetForCallArg("shell"), + "S602.H", + sev, + "H", + ) def checkSubprocessPopenWithoutShell(reportError, context, config): @@ -154,7 +153,7 @@ else SecurityDefaults["shell_injection_subprocess"] ) - if context.callFunctionNameQual in functionNames and not hasShell(context)[0]: + if context.callFunctionNameQual in functionNames and not hasShell(context): reportError( context.node.lineno - 1, context.node.col_offset, @@ -181,16 +180,14 @@ else SecurityDefaults["shell_injection_subprocess"] ) - if context.callFunctionNameQual not in functionNames: - shell, shellValue = hasShell(context) - if shell and shellValue: - reportError( - context.getLinenoForCallArg("shell") - 1, - context.getOffsetForCallArg("shell"), - "S604", - "M", - "L", - ) + if context.callFunctionNameQual not in functionNames and hasShell(context): + reportError( + context.getLinenoForCallArg("shell") - 1, + context.getOffsetForCallArg("shell"), + "S604", + "M", + "L", + ) def checkStartProcessWithShell(reportError, context, config):
--- a/src/eric7/Plugins/CheckerPlugins/CodeStyleChecker/Security/Checks/insecureHashlibNew.py Tue Sep 13 19:46:19 2022 +0200 +++ b/src/eric7/Plugins/CheckerPlugins/CodeStyleChecker/Security/Checks/insecureHashlibNew.py Tue Sep 13 20:00:55 2022 +0200 @@ -8,6 +8,8 @@ functions in hashlib.new(). """ +import sys + # # This is a modified version of the one found in the bandit package. # @@ -29,14 +31,67 @@ """ return { "Call": [ - (checkHashlibNew, ("S331",)), + (checkHashlib, ("S331",)), ], } -def checkHashlibNew(reportError, context, config): +def _hashlibFunc(reportError, context, config): + """ + Function to check for use of insecure md4, md5, sha or sha1 hash functions + in hashlib.new() if 'usedforsecurity' is not set to 'False'. + + @param reportError function to be used to report errors + @type func + @param context security context object + @type SecurityContext + @param config dictionary with configuration data + @type dict """ - Function to check for use of insecure md4, md5, or sha1 hash functions + insecureHashes = ( + [h.lower() for h in config["insecure_hashes"]] + if config and "insecure_hashes" in config + else SecurityDefaults["insecure_hashes"] + ) + + if isinstance(context.callFunctionNameQual, str): + qualnameList = context.callFunctionNameQual.split(".") + + if "hashlib" in qualnameList: + func = qualnameList[-1] + keywords = context.callKeywords + + if func in insecureHashes: + if keywords.get("usedforsecurity", "True") == "True": + reportError( + context.node.lineno - 1, + context.node.col_offset, + "S332", + "H", + "H", + func.upper(), + ) + elif func == "new": + args = context.callArgs + name = args[0] if args else keywords.get("name", None) + if ( + isinstance(name, str) + and name.lower() in insecureHashes + and keywords.get("usedforsecurity", "True") == "True" + ): + reportError( + context.node.lineno - 1, + context.node.col_offset, + "S332", + "H", + "H", + name.upper(), + ) + + +def _hashlibNew(reportError, context, config): + """ + Function to check for use of insecure md4, md5, sha or sha1 hash functions in hashlib.new(). @param reportError function to be used to report errors @@ -58,7 +113,7 @@ if "hashlib" in qualnameList and func == "new": args = context.callArgs keywords = context.callKeywords - name = args[0] if args else keywords["name"] + name = args[0] if args else keywords.get("name", None) if isinstance(name, str) and name.lower() in insecureHashes: reportError( context.node.lineno - 1, @@ -68,3 +123,21 @@ "H", name.upper(), ) + + +def checkHashlib(reportError, context, config): + """ + Function to check for use of insecure md4, md5, sha or sha1 hash functions + in hashlib.new(). + + @param reportError function to be used to report errors + @type func + @param context security context object + @type SecurityContext + @param config dictionary with configuration data + @type dict + """ + if sys.version_info >= (3, 9): + _hashlibFunc(reportError, context, config) + else: + _hashlibNew(reportError, context, config)
--- a/src/eric7/Plugins/CheckerPlugins/CodeStyleChecker/Security/Checks/jinja2Templates.py Tue Sep 13 19:46:19 2022 +0200 +++ b/src/eric7/Plugins/CheckerPlugins/CodeStyleChecker/Security/Checks/jinja2Templates.py Tue Sep 13 20:00:55 2022 +0200 @@ -73,7 +73,9 @@ or ( isinstance(value, ast.Call) and ( - getattr(value.func, "id", None) + getattr(value.func, "attr", None) + == "select_autoescape" + or getattr(value.func, "id", None) == "select_autoescape" ) )
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/src/eric7/Plugins/CheckerPlugins/CodeStyleChecker/Security/Checks/requestWithoutTimeout.py Tue Sep 13 20:00:55 2022 +0200 @@ -0,0 +1,66 @@ +# -*- coding: utf-8 -*- + +# Copyright (c) 2022 Detlev Offenbach <detlev@die-offenbachs.de> +# + +""" +Module implementing checks for using requests without timeout. +""" + +# +# This is a modified version of the one found in the bandit package. +# +# SPDX-License-Identifier: Apache-2.0 +# + + +def getChecks(): + """ + Public method to get a dictionary with checks handled by this module. + + @return dictionary containing checker lists containing checker function and + list of codes + @rtype dict + """ + return { + "Call": [ + (checkRequestWithouTimeout, ("S114",)), + ], + } + + +def checkRequestWithouTimeout(reportError, context, config): + """ + Function to check for use of requests without timeout. + + @param reportError function to be used to report errors + @type func + @param context security context object + @type SecurityContext + @param config dictionary with configuration data + @type dict + """ + httpVerbs = ("get", "options", "head", "post", "put", "patch", "delete") + if ( + "requests" in context.callFunctionNameQual + and context.callFunctionName in httpVerbs + ): + # check for missing timeout + if context.checkCallArgValue("timeout") is None: + reportError( + context.node.lineno - 1, + context.node.col_offset, + "S114.1", + "M", + "L", + ) + + # check for timeout=None + if context.checkCallArgValue("timeout", "None"): + reportError( + context.node.lineno - 1, + context.node.col_offset, + "S114.2", + "M", + "L", + )
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/src/eric7/Plugins/CheckerPlugins/CodeStyleChecker/Security/Checks/snmpSecurity.py Tue Sep 13 20:00:55 2022 +0200 @@ -0,0 +1,77 @@ +# -*- coding: utf-8 -*- + +# Copyright (c) 2022 Detlev Offenbach <detlev@die-offenbachs.de> +# + +""" +Module implementing checks for the insecure use of SNMP. +""" + +# +# This is a modified version of the one found in the bandit package. +# +# Original Copyright (c) 2018 SolarWinds, Inc. +# +# SPDX-License-Identifier: Apache-2.0 +# + + +def getChecks(): + """ + Public method to get a dictionary with checks handled by this module. + + @return dictionary containing checker lists containing checker function and + list of codes + @rtype dict + """ + return { + "Call": [ + (checkInsecureVersion, ("S508",)), + (checkWeakCryptography, ("S509",)), + ], + } + + +def checkInsecureVersion(reportError, context, config): + """ + Function to check for the use of insecure SNMP version like + v1, v2c. + + @param reportError function to be used to report errors + @type func + @param context security context object + @type SecurityContext + @param config dictionary with configuration data + @type dict + """ + if context.callFunctionNameQual == "pysnmp.hlapi.CommunityData" and ( + context.checkCallArgValue("mpModel", 0) + or context.check_call_arg_value("mpModel", 1) + ): + # We called community data. Lets check our args + reportError( + context.node.lineno - 1, + context.node.col_offset, + "S508", + "M", + "H", + ) + + +def checkWeakCryptography(reportError, context, config): + """ + Function to check for the use of insecure SNMP cryptography + (i.e. v3 using noAuthNoPriv). + + @param reportError function to be used to report errors + @type func + @param context security context object + @type SecurityContext + @param config dictionary with configuration data + @type dict + """ + if ( + context.callFunctionNameQual == "pysnmp.hlapi.UsmUserData" + and context.callArgsCount < 3 + ): + reportError(context.node.lineno - 1, context.node.col_offset, "S509", "M", "H")
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/src/eric7/Plugins/CheckerPlugins/CodeStyleChecker/Security/Checks/tarfileUnsafeMembers.py Tue Sep 13 20:00:55 2022 +0200 @@ -0,0 +1,95 @@ +# -*- coding: utf-8 -*- + +# Copyright (c) 2022 Detlev Offenbach <detlev@die-offenbachs.de> +# + +""" +Module implementing checks for insecure use of 'tarfile.extracall()'. +""" + +# +# This is a modified version of the one found in the bandit package. +# +# SPDX-License-Identifier: Apache-2.0 +# + +import ast + + +def getChecks(): + """ + Public method to get a dictionary with checks handled by this module. + + @return dictionary containing checker lists containing checker function and + list of codes + @rtype dict + """ + return { + "Call": [ + (checkTarfileUnsafeMembers, ("S202",)), + ], + } + + +def _getMembersValue(context): + """ + Function to extract the value of the 'members' argument. + + @param context security context object + @type SecurityContext + @return dictionary containing the argument value + @rtype dict + """ + for kw in context.node.keywords: + if kw.arg == "members": + arg = kw.value + if isinstance(arg, ast.Call): + return {"Function": arg.func.id} + else: + value = arg.id if isinstance(arg, ast.Name) else arg + return {"Other": value} + + return {} + + +def checkTarfileUnsafeMembers(reportError, context, config): + """ + Function to check for insecure use of 'tarfile.extracall()'. + + @param reportError function to be used to report errors + @type func + @param context security context object + @type SecurityContext + @param config dictionary with configuration data + @type dict + """ + if all( + [ + context.isModuleImportedExact("tarfile"), + "extractall" in context.callFunctionName, + ] + ): + if "members" in context.callKeywords: + members = _getMembersValue(context) + if "Function" in members: + reportError( + context.node.lineno - 1, + context.node.col_offset, + "S202.1", + "L", + "L", + str(members), + ) + else: + reportError( + context.node.lineno - 1, + context.node.col_offset, + "S202.2", + "M", + "M", + str(members), + ) + else: + reportError( + context.node.lineno - 1, context.node.col_offset, "S202.3", "H", "H" + )
--- a/src/eric7/Plugins/CheckerPlugins/CodeStyleChecker/Security/Checks/tryExcept.py Tue Sep 13 19:46:19 2022 +0200 +++ b/src/eric7/Plugins/CheckerPlugins/CodeStyleChecker/Security/Checks/tryExcept.py Tue Sep 13 20:00:55 2022 +0200 @@ -33,6 +33,9 @@ (checkTryExceptPass, ("S110",)), (checkTryExceptContinue, ("S112",)), ], + "Call": [ + (checkContextlibSuppress, ("S113",)), + ], } @@ -106,3 +109,40 @@ "L", "H", ) + + +def checkContextlibSuppress(reportError, context, config): + """ + Function to check for a contextlib.suppress with a non-specific Exception. + + @param reportError function to be used to report errors + @type func + @param context security context object + @type SecurityContext + @param config dictionary with configuration data + @type dict + """ + checkTypedException = ( + config["check_typed_exception"] + if config and "check_typed_exception" in config + else SecurityDefaults["check_typed_exception"] + ) + + imported = context.isModuleImportedExact("contextlib") + qualname = context.callFunctionNameQual + if not imported and isinstance(qualname, str): + return + + qualnameList = qualname.split(".") + func = qualnameList[-1] + if func == "suppress": + if not checkTypedException and "Exception" not in context.callArgs: + return + + reportError( + context.node.lineno - 1, + context.node.col_offset, + "S113", + "L", + "H", + )
--- a/src/eric7/Plugins/CheckerPlugins/CodeStyleChecker/Security/Checks/weakCryptographicKey.py Tue Sep 13 19:46:19 2022 +0200 +++ b/src/eric7/Plugins/CheckerPlugins/CodeStyleChecker/Security/Checks/weakCryptographicKey.py Tue Sep 13 20:00:55 2022 +0200 @@ -102,9 +102,9 @@ @rtype bool """ funcKeyType = { - "cryptography.hazmat.primitives.asymmetric.dsa." "generate_private_key": "DSA", - "cryptography.hazmat.primitives.asymmetric.rsa." "generate_private_key": "RSA", - "cryptography.hazmat.primitives.asymmetric.ec." "generate_private_key": "EC", + "cryptography.hazmat.primitives.asymmetric.dsa.generate_private_key": "DSA", + "cryptography.hazmat.primitives.asymmetric.rsa.generate_private_key": "RSA", + "cryptography.hazmat.primitives.asymmetric.ec.generate_private_key": "EC", } argPosition = { "DSA": 0, @@ -122,12 +122,29 @@ elif keyType == "EC": curveKeySizes = { + "SECT571K1": 571, + "SECT571R1": 570, + "SECP521R1": 521, + "BrainpoolP512R1": 512, + "SECT409K1": 409, + "SECT409R1": 409, + "BrainpoolP384R1": 384, + "SECP384R1": 384, + "SECT283K1": 283, + "SECT283R1": 283, + "BrainpoolP256R1": 256, + "SECP256K1": 256, + "SECP256R1": 256, + "SECT233K1": 233, + "SECT233R1": 233, + "SECP224R1": 224, "SECP192R1": 192, "SECT163K1": 163, "SECT163R2": 163, } - curve = ( - context.getCallArgValue("curve") or context.callArgs[argPosition[keyType]] + curve = context.getCallArgValue("curve") or ( + len(context.callArgs) > argPosition[keyType] + and context.callArgs[argPosition[keyType]] ) keySize = curveKeySizes[curve] if curve in curveKeySizes else 224 return _classifyKeySize(reportError, config, keyType, keySize, context.node) @@ -161,6 +178,7 @@ context.getCallArgValue("bits") or context.getCallArgAtPosition(0) or 2048 ) return _classifyKeySize(reportError, config, keyType, keySize, context.node) + return False
--- a/src/eric7/Plugins/CheckerPlugins/CodeStyleChecker/Security/Checks/yamlLoad.py Tue Sep 13 19:46:19 2022 +0200 +++ b/src/eric7/Plugins/CheckerPlugins/CodeStyleChecker/Security/Checks/yamlLoad.py Tue Sep 13 20:00:55 2022 +0200 @@ -33,7 +33,7 @@ def checkYamlLoad(reportError, context, config): """ - Function to check for the use of of yaml load functions. + Function to check for the use of yaml load functions. @param reportError function to be used to report errors @type func @@ -55,6 +55,8 @@ func == "load", not context.checkCallArgValue("Loader", "SafeLoader"), not context.checkCallArgValue("Loader", "CSafeLoader"), + context.getCallArgAtPosition(1) != "SafeLoader", + context.getCallArgAtPosition(1) != "CSafeLoader", ] ): reportError(context.node.lineno - 1, context.node.col_offset, "S506", "M", "H")
--- a/src/eric7/Plugins/CheckerPlugins/CodeStyleChecker/Security/SecurityContext.py Tue Sep 13 19:46:19 2022 +0200 +++ b/src/eric7/Plugins/CheckerPlugins/CodeStyleChecker/Security/SecurityContext.py Tue Sep 13 20:00:55 2022 +0200 @@ -345,7 +345,8 @@ """ maxArgs = self.callArgsCount if maxArgs and positionNum < maxArgs: - return self.__getLiteralValue(self.__context["call"].args[positionNum]) + arg = self.__context["call"].args[positionNum] + return getattr(arg, "attr", None) or self.__getLiteralValue(arg) else: return None
--- a/src/eric7/Plugins/CheckerPlugins/CodeStyleChecker/Security/SecurityDefaults.py Tue Sep 13 19:46:19 2022 +0200 +++ b/src/eric7/Plugins/CheckerPlugins/CodeStyleChecker/Security/SecurityDefaults.py Tue Sep 13 20:00:55 2022 +0200 @@ -65,8 +65,10 @@ "SSLv23_METHOD", "PROTOCOL_SSLv3", "PROTOCOL_TLSv1", + "PROTOCOL_TLSv1_1", "SSLv3_METHOD", "TLSv1_METHOD", + "TLSv1_1_METHOD", ], # tryExcept.py "check_typed_exception": False,
--- a/src/eric7/Plugins/CheckerPlugins/CodeStyleChecker/Security/__init__.py Tue Sep 13 19:46:19 2022 +0200 +++ b/src/eric7/Plugins/CheckerPlugins/CodeStyleChecker/Security/__init__.py Tue Sep 13 20:00:55 2022 +0200 @@ -6,3 +6,7 @@ """ Package implementing the security checker. """ + +# +# The security checker is based on Bandit v1.7.5 +#
--- a/src/eric7/Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py Tue Sep 13 19:46:19 2022 +0200 +++ b/src/eric7/Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py Tue Sep 13 20:00:55 2022 +0200 @@ -42,15 +42,38 @@ "S108": QCoreApplication.translate( "Security", "Probable insecure usage of temp file/directory." ), - # try-except + # try-except and contextlib.suppress "S110": QCoreApplication.translate("Security", "Try, Except, Pass detected."), "S112": QCoreApplication.translate("Security", "Try, Except, Continue detected."), + "S113": QCoreApplication.translate("Security", "'contextlib.suppress()' detected."), + # request without timeout + "S114.1": QCoreApplication.translate("Security", "Requests call without timeout."), + "S114.2": QCoreApplication.translate( + "Security", + "Requests call with timeout set to None.", + ), # flask app "S201": QCoreApplication.translate( "Security", "A Flask app appears to be run with debug=True, which exposes the" " Werkzeug debugger and allows the execution of arbitrary code.", ), + # tarfile.extractall + "S202.1": QCoreApplication.translate( + "Security", + "Usage of 'tarfile.extractall(members=function(tarfile))'. " + "Make sure your function properly discards dangerous members ({0}).", + ), + "S202.2": QCoreApplication.translate( + "Security", + "Found 'tarfile.extractall(members=?)' but couldn't identify the type of" + " members. Check if the members were properly validated ({0}).", + ), + "S202.3": QCoreApplication.translate( + "Security", + "'tarfile.extractall()' used without any validation. Please check and" + " discard dangerous members.", + ), # blacklisted calls "S301": QCoreApplication.translate( "Security", @@ -76,7 +99,7 @@ ), "S307": QCoreApplication.translate( "Security", - "Use of possibly insecure function - consider using safer" " ast.literal_eval.", + "Use of possibly insecure function - consider using safer ast.literal_eval.", ), "S308": QCoreApplication.translate( "Security", @@ -181,6 +204,10 @@ "S331": QCoreApplication.translate( "Security", "Use of insecure {0} hash function." ), + "S332": QCoreApplication.translate( + "Security", + "Use of insecure {0} hash for security. Consider" " 'usedforsecurity=False'.", + ), # blacklisted imports "S401": QCoreApplication.translate( "Security", @@ -194,11 +221,11 @@ ), "S403": QCoreApplication.translate( "Security", - "Consider possible security implications associated with the '{0}'" " module.", + "Consider possible security implications associated with the '{0}' module.", ), "S404": QCoreApplication.translate( "Security", - "Consider possible security implications associated with the '{0}'" " module.", + "Consider possible security implications associated with the '{0}' module.", ), "S405": QCoreApplication.translate( "Security", @@ -244,7 +271,7 @@ ), "S412": QCoreApplication.translate( "Security", - "Consider possible security implications associated with '{0}'" " module.", + "Consider possible security implications associated with '{0}' module.", ), "S413": QCoreApplication.translate( "Security", @@ -252,6 +279,11 @@ " maintained and have been deprecated. Consider using" " pyca/cryptography library.", ), + "S414": QCoreApplication.translate( + "Security", + "An IPMI-related module is being imported. IPMI is considered " + "insecure. Use an encrypted protocol.", + ), # insecure certificate usage "S501": QCoreApplication.translate( "Security", @@ -297,7 +329,17 @@ # SSH host key verification "S507": QCoreApplication.translate( "Security", - "Paramiko call with policy set to automatically trust the unknown" " host key.", + "Paramiko call with policy set to automatically trust the unknown host key.", + ), + # insecure SNMP + "S508": QCoreApplication.translate( + "Security", + "The use of SNMPv1 and SNMPv2 is insecure. You should use SNMPv3 if possible.", + ), + "S509": QCoreApplication.translate( + "Security", + "You should not use SNMPv3 without encryption. noAuthNoPriv & authNoPriv is" + " insecure.", ), # Shell injection "S601": QCoreApplication.translate( @@ -340,7 +382,7 @@ # SQL injection "S608": QCoreApplication.translate( "Security", - "Possible SQL injection vector through string-based query" " construction.", + "Possible SQL injection vector through string-based query construction.", ), # Wildcard injection "S609": QCoreApplication.translate( @@ -392,6 +434,8 @@ "S105": ["password"], "S106": ["password"], "S107": ["password"], + "S202.1": ["members_filter(tar)"], + "S202.2": ["tar"], "S304": ["Crypto.Cipher.DES"], "S305": ["cryptography.hazmat.primitives.ciphers.modes.ECB"], "S313": ["xml.etree.cElementTree.parse"],
--- a/src/eric7/i18n/eric7_cs.ts Tue Sep 13 19:46:19 2022 +0200 +++ b/src/eric7/i18n/eric7_cs.ts Tue Sep 13 20:00:55 2022 +0200 @@ -65801,293 +65801,343 @@ <translation type="unfinished" /> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="49" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="48" /> + <source>'contextlib.suppress()' detected.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="50" /> + <source>Requests call without timeout.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="51" /> + <source>Requests call with timeout set to None.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="56" /> <source>A Flask app appears to be run with debug=True, which exposes the Werkzeug debugger and allows the execution of arbitrary code.</source> <translation type="unfinished" /> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="55" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="62" /> + <source>Usage of 'tarfile.extractall(members=function(tarfile))'. Make sure your function properly discards dangerous members ({0}).</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="67" /> + <source>Found 'tarfile.extractall(members=?)' but couldn't identify the type of members. Check if the members were properly validated ({0}).</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="72" /> + <source>'tarfile.extractall()' used without any validation. Please check and discard dangerous members.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="78" /> <source>Pickle and modules that wrap it can be unsafe when used to deserialize untrusted data, possible security issue.</source> <translation type="unfinished" /> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="60" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="83" /> <source>Deserialization with the marshal module is possibly dangerous.</source> <translation type="unfinished" /> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="63" /> - <source>Use of insecure MD2, MD4, MD5, or SHA1 hash function.</source> - <translation type="unfinished" /> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="66" /> - <source>Use of insecure cipher '{0}'. Replace with a known secure cipher such as AES.</source> - <translation type="unfinished" /> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="71" /> - <source>Use of insecure cipher mode '{0}'.</source> - <translation type="unfinished" /> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="74" /> - <source>Use of insecure and deprecated function (mktemp).</source> - <translation type="unfinished" /> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="77" /> - <source>Use of possibly insecure function - consider using safer ast.literal_eval.</source> - <translation type="unfinished" /> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="81" /> - <source>Use of mark_safe() may expose cross-site scripting vulnerabilities and should be reviewed.</source> - <translation type="unfinished" /> - </message> - <message> <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="86" /> - <source>Use of HTTPSConnection on older versions of Python prior to 2.7.9 and 3.4.3 do not provide security, see https://wiki.openstack.org/wiki/OSSN/OSSN-0033</source> - <translation type="unfinished" /> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="92" /> - <source>Audit url open for permitted schemes. Allowing use of file:/ or custom schemes is often unexpected.</source> + <source>Use of insecure MD2, MD4, MD5, or SHA1 hash function.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="89" /> + <source>Use of insecure cipher '{0}'. Replace with a known secure cipher such as AES.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="94" /> + <source>Use of insecure cipher mode '{0}'.</source> <translation type="unfinished" /> </message> <message> <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="97" /> + <source>Use of insecure and deprecated function (mktemp).</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="100" /> + <source>Use of possibly insecure function - consider using safer ast.literal_eval.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="104" /> + <source>Use of mark_safe() may expose cross-site scripting vulnerabilities and should be reviewed.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="109" /> + <source>Use of HTTPSConnection on older versions of Python prior to 2.7.9 and 3.4.3 do not provide security, see https://wiki.openstack.org/wiki/OSSN/OSSN-0033</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="115" /> + <source>Audit url open for permitted schemes. Allowing use of file:/ or custom schemes is often unexpected.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="120" /> <source>Standard pseudo-random generators are not suitable for security/cryptographic purposes.</source> <translation type="unfinished" /> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="102" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="125" /> <source>Telnet-related functions are being called. Telnet is considered insecure. Use SSH or some other encrypted protocol.</source> <translation type="unfinished" /> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="143" /> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="137" /> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="131" /> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="125" /> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="119" /> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="113" /> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="107" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="166" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="160" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="154" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="148" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="142" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="136" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="130" /> <source>Using '{0}' to parse untrusted XML data is known to be vulnerable to XML attacks. Replace '{0}' with its defusedxml equivalent function or make sure defusedxml.defuse_stdlib() is called.</source> <translation type="unfinished" /> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="149" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="172" /> <source>Using '{0}' to parse untrusted XML data is known to be vulnerable to XML attacks. Replace '{0}' with its defusedxml equivalent function.</source> <translation type="unfinished" /> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="155" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="178" /> <source>FTP-related functions are being called. FTP is considered insecure. Use SSH/SFTP/SCP or some other encrypted protocol.</source> <translation type="unfinished" /> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="160" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="183" /> <source>The input method in Python 2 will read from standard input, evaluate and run the resulting string as Python source code. This is similar, though in many ways worse, than using eval. On Python 2, use raw_input instead, input is safe in Python 3.</source> <translation type="unfinished" /> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="167" /> - <source>By default, Python will create a secure, verified SSL context for use in such classes as HTTPSConnection. However, it still allows using an insecure context via the _create_unverified_context that reverts to the previous behavior that does not validate certificates or perform hostname checks.</source> - <translation type="unfinished" /> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="175" /> - <source>Use of os.tempnam() and os.tmpnam() is vulnerable to symlink attacks. Consider using tmpfile() instead.</source> - <translation type="unfinished" /> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="181" /> - <source>Use of insecure {0} hash function.</source> - <translation type="unfinished" /> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="185" /> - <source>A telnet-related module is being imported. Telnet is considered insecure. Use SSH or some other encrypted protocol.</source> - <translation type="unfinished" /> - </message> - <message> <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="190" /> + <source>By default, Python will create a secure, verified SSL context for use in such classes as HTTPSConnection. However, it still allows using an insecure context via the _create_unverified_context that reverts to the previous behavior that does not validate certificates or perform hostname checks.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="198" /> + <source>Use of os.tempnam() and os.tmpnam() is vulnerable to symlink attacks. Consider using tmpfile() instead.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="204" /> + <source>Use of insecure {0} hash function.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="207" /> + <source>Use of insecure {0} hash for security. Consider 'usedforsecurity=False'.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="212" /> + <source>A telnet-related module is being imported. Telnet is considered insecure. Use SSH or some other encrypted protocol.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="217" /> <source>A FTP-related module is being imported. FTP is considered insecure. Use SSH/SFTP/SCP or some other encrypted protocol.</source> <translation type="unfinished" /> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="199" /> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="195" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="226" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="222" /> <source>Consider possible security implications associated with the '{0}' module.</source> <translation type="unfinished" /> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="227" /> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="221" /> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="215" /> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="209" /> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="203" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="254" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="248" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="242" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="236" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="230" /> <source>Using '{0}' to parse untrusted XML data is known to be vulnerable to XML attacks. Replace '{0}' with the equivalent defusedxml package, or make sure defusedxml.defuse_stdlib() is called.</source> <translation type="unfinished" /> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="233" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="260" /> <source>Using '{0}' to parse untrusted XML data is known to be vulnerable to XML attacks. Replace '{0}' with the equivalent defusedxml package.</source> <translation type="unfinished" /> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="239" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="266" /> <source>Using '{0}' to parse untrusted XML data is known to be vulnerable to XML attacks. Use defused.xmlrpc.monkey_patch() function to monkey-patch xmlrpclib and mitigate XML vulnerabilities.</source> <translation type="unfinished" /> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="245" /> - <source>Consider possible security implications associated with '{0}' module.</source> - <translation type="unfinished" /> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="249" /> - <source>The pyCrypto library and its module '{0}' are no longer actively maintained and have been deprecated. Consider using pyca/cryptography library.</source> - <translation type="unfinished" /> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="256" /> - <source>'requests' call with verify=False disabling SSL certificate checks, security issue.</source> - <translation type="unfinished" /> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="262" /> - <source>'ssl.wrap_socket' call with insecure SSL/TLS protocol version identified, security issue.</source> - <translation type="unfinished" /> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="267" /> - <source>'SSL.Context' call with insecure SSL/TLS protocol version identified, security issue.</source> - <translation type="unfinished" /> - </message> - <message> <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="272" /> - <source>Function call with insecure SSL/TLS protocol version identified, security issue.</source> - <translation type="unfinished" /> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="277" /> - <source>Function definition identified with insecure SSL/TLS protocol version by default, possible security issue.</source> + <source>Consider possible security implications associated with '{0}' module.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="276" /> + <source>The pyCrypto library and its module '{0}' are no longer actively maintained and have been deprecated. Consider using pyca/cryptography library.</source> <translation type="unfinished" /> </message> <message> <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="282" /> - <source>'ssl.wrap_socket' call with no SSL/TLS protocol version specified, the default 'SSLv23' could be insecure, possible security issue.</source> + <source>An IPMI-related module is being imported. IPMI is considered insecure. Use an encrypted protocol.</source> <translation type="unfinished" /> </message> <message> <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="288" /> + <source>'requests' call with verify=False disabling SSL certificate checks, security issue.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="294" /> + <source>'ssl.wrap_socket' call with insecure SSL/TLS protocol version identified, security issue.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="299" /> + <source>'SSL.Context' call with insecure SSL/TLS protocol version identified, security issue.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="304" /> + <source>Function call with insecure SSL/TLS protocol version identified, security issue.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="309" /> + <source>Function definition identified with insecure SSL/TLS protocol version by default, possible security issue.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="314" /> + <source>'ssl.wrap_socket' call with no SSL/TLS protocol version specified, the default 'SSLv23' could be insecure, possible security issue.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="320" /> <source>{0} key sizes below {1:d} bits are considered breakable.</source> <translation type="unfinished" /> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="292" /> - <source>Use of unsafe 'yaml.load()'. Allows instantiation of arbitrary objects. Consider 'yaml.safe_load()'.</source> - <translation type="unfinished" /> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="298" /> - <source>Paramiko call with policy set to automatically trust the unknown host key.</source> - <translation type="unfinished" /> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="303" /> - <source>Possible shell injection via 'Paramiko' call, check inputs are properly sanitized.</source> - <translation type="unfinished" /> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="308" /> - <source>'subprocess' call with shell=True seems safe, but may be changed in the future, consider rewriting without shell</source> - <translation type="unfinished" /> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="313" /> - <source>'subprocess' call with shell=True identified, security issue.</source> - <translation type="unfinished" /> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="316" /> - <source>'subprocess' call - check for execution of untrusted input.</source> - <translation type="unfinished" /> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="319" /> - <source>Function call with shell=True parameter identified, possible security issue.</source> - <translation type="unfinished" /> - </message> - <message> <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="324" /> - <source>Starting a process with a shell: Seems safe, but may be changed in the future, consider rewriting without shell</source> - <translation type="unfinished" /> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="329" /> - <source>Starting a process with a shell, possible injection detected, security issue.</source> - <translation type="unfinished" /> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="334" /> - <source>Starting a process without a shell.</source> - <translation type="unfinished" /> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="337" /> - <source>Starting a process with a partial executable path.</source> - <translation type="unfinished" /> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="341" /> - <source>Possible SQL injection vector through string-based query construction.</source> - <translation type="unfinished" /> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="346" /> - <source>Possible wildcard injection in call: {0}</source> + <source>Use of unsafe 'yaml.load()'. Allows instantiation of arbitrary objects. Consider 'yaml.safe_load()'.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="330" /> + <source>Paramiko call with policy set to automatically trust the unknown host key.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="335" /> + <source>The use of SNMPv1 and SNMPv2 is insecure. You should use SNMPv3 if possible.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="339" /> + <source>You should not use SNMPv3 without encryption. noAuthNoPriv & authNoPriv is insecure.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="345" /> + <source>Possible shell injection via 'Paramiko' call, check inputs are properly sanitized.</source> <translation type="unfinished" /> </message> <message> <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="350" /> + <source>'subprocess' call with shell=True seems safe, but may be changed in the future, consider rewriting without shell</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="355" /> + <source>'subprocess' call with shell=True identified, security issue.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="358" /> + <source>'subprocess' call - check for execution of untrusted input.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="361" /> + <source>Function call with shell=True parameter identified, possible security issue.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="366" /> + <source>Starting a process with a shell: Seems safe, but may be changed in the future, consider rewriting without shell</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="371" /> + <source>Starting a process with a shell, possible injection detected, security issue.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="376" /> + <source>Starting a process without a shell.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="379" /> + <source>Starting a process with a partial executable path.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="383" /> + <source>Possible SQL injection vector through string-based query construction.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="388" /> + <source>Possible wildcard injection in call: {0}</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="392" /> <source>Use of 'extra()' opens a potential SQL attack vector.</source> <translation type="unfinished" /> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="353" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="395" /> <source>Use of 'RawSQL()' opens a potential SQL attack vector.</source> <translation type="unfinished" /> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="357" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="399" /> <source>Using jinja2 templates with 'autoescape=False' is dangerous and can lead to XSS. Use 'autoescape=True' or use the 'select_autoescape' function to mitigate XSS vulnerabilities.</source> <translation type="unfinished" /> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="363" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="405" /> <source>By default, jinja2 sets 'autoescape' to False. Consider using 'autoescape=True' or use the 'select_autoescape' function to mitigate XSS vulnerabilities.</source> <translation type="unfinished" /> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="370" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="412" /> <source>Mako templates allow HTML/JS rendering by default and are inherently open to XSS attacks. Ensure variables in all templates are properly sanitized via the 'n', 'h' or 'x' flags (depending on context). For example, to HTML escape the variable 'data' do ${{ data |h }}.</source> <translation type="unfinished" /> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="378" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="420" /> <source>Potential XSS on 'mark_safe()' function.</source> <translation type="unfinished" /> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="382" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="424" /> <source>Possible hardcoded AWS access key ID: {0}</source> <translation type="unfinished" /> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="385" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="427" /> <source>Possible hardcoded AWS secret access key: {0}</source> <translation type="unfinished" /> </message>
--- a/src/eric7/i18n/eric7_de.ts Tue Sep 13 19:46:19 2022 +0200 +++ b/src/eric7/i18n/eric7_de.ts Tue Sep 13 20:00:55 2022 +0200 @@ -65978,293 +65978,343 @@ <translation>Try, Except, Continue entdeckt.</translation> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="49" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="48" /> + <source>'contextlib.suppress()' detected.</source> + <translation>'contextlib.suppress()' entdeckt.</translation> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="50" /> + <source>Requests call without timeout.</source> + <translation>Requests Aufruf ohne Timeout.</translation> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="51" /> + <source>Requests call with timeout set to None.</source> + <translation>Requests Aufruf mit Timeout auf None gesetzt.</translation> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="56" /> <source>A Flask app appears to be run with debug=True, which exposes the Werkzeug debugger and allows the execution of arbitrary code.</source> <translation>Eine Flask Anwendung scheint mit debug=True ausgeführt zu werden. Dies öffnet den Werkzeug Debugger und erlaubt die Ausführung beliebigen Codes.</translation> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="55" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="62" /> + <source>Usage of 'tarfile.extractall(members=function(tarfile))'. Make sure your function properly discards dangerous members ({0}).</source> + <translation>Verwendung von 'tarfile.extractall(members=function(tarfile))'. Stelle sicher, dass die Funktion gefährliche Elemente ordnungsgemäß aussortiert ({0}).</translation> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="67" /> + <source>Found 'tarfile.extractall(members=?)' but couldn't identify the type of members. Check if the members were properly validated ({0}).</source> + <translation>'tarfile.extractall(members=?)' gefunden, konnte aber den Typ der Elemente nicht identifizieren. Prüfe, ob die Elemente ordnungsgemäß validiert wurden ({0}).</translation> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="72" /> + <source>'tarfile.extractall()' used without any validation. Please check and discard dangerous members.</source> + <translation>'tarfile.extractall()' ohne jegliche Validierung verwendet. Bitte überprüfe und verwerfe gefährliche Elemente.</translation> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="78" /> <source>Pickle and modules that wrap it can be unsafe when used to deserialize untrusted data, possible security issue.</source> <translation>Pickle und Module, die es einbinden, können unsicher sein, wenn es verwendet wird, um nicht vertrauenswürdige Daten zu deserialisieren; mögliches Sicherheitsproblemk.</translation> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="60" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="83" /> <source>Deserialization with the marshal module is possibly dangerous.</source> <translation>Deserialisierung mit dem marshal Modul ist möglicherweise unsicher.</translation> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="63" /> - <source>Use of insecure MD2, MD4, MD5, or SHA1 hash function.</source> - <translation>Verwendung einer unsicheren MD2, MD4, MD5 oder SHA1 Hashfunktion.</translation> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="66" /> - <source>Use of insecure cipher '{0}'. Replace with a known secure cipher such as AES.</source> - <translation>Verwendung der unsicheren Verschlüsselung '{0}'. Ersetze sie durch eine bekannt sichere Verschlüsselung wie z.B. AES.</translation> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="71" /> - <source>Use of insecure cipher mode '{0}'.</source> - <translation>Verwendung des unsicheren Verschlüsselungsmodus '{0}'.</translation> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="74" /> - <source>Use of insecure and deprecated function (mktemp).</source> - <translation>Verwendung einer unsicher und abgekündigten Funktion (mktemp).</translation> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="77" /> - <source>Use of possibly insecure function - consider using safer ast.literal_eval.</source> - <translation>Verwendung einer möglicherweise unsicheren Funktion - verwende besser ast.literal_eval.</translation> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="81" /> - <source>Use of mark_safe() may expose cross-site scripting vulnerabilities and should be reviewed.</source> - <translation>Verwendung von mark_safe() kann eine Cross Site Scripting Schwäche eröffnen und sollte vermieden werden.</translation> - </message> - <message> <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="86" /> - <source>Use of HTTPSConnection on older versions of Python prior to 2.7.9 and 3.4.3 do not provide security, see https://wiki.openstack.org/wiki/OSSN/OSSN-0033</source> - <translation>Verwendung von HTTPSConnection unter alten Python versionen vor 2.7.9 und 3.4.3 ist nicht sicher; siehe https://wiki.openstack.org/wiki/OSSN/OSSN-0033</translation> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="92" /> - <source>Audit url open for permitted schemes. Allowing use of file:/ or custom schemes is often unexpected.</source> - <translation>Überprüfe 'url open' auf zugelassene Schemata. Das Zulassen von file:/ oder eigenen Schemata ist oft unerwartet.</translation> + <source>Use of insecure MD2, MD4, MD5, or SHA1 hash function.</source> + <translation>Verwendung einer unsicheren MD2, MD4, MD5 oder SHA1 Hashfunktion.</translation> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="89" /> + <source>Use of insecure cipher '{0}'. Replace with a known secure cipher such as AES.</source> + <translation>Verwendung der unsicheren Verschlüsselung '{0}'. Ersetze sie durch eine bekannt sichere Verschlüsselung wie z.B. AES.</translation> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="94" /> + <source>Use of insecure cipher mode '{0}'.</source> + <translation>Verwendung des unsicheren Verschlüsselungsmodus '{0}'.</translation> </message> <message> <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="97" /> + <source>Use of insecure and deprecated function (mktemp).</source> + <translation>Verwendung einer unsicher und abgekündigten Funktion (mktemp).</translation> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="100" /> + <source>Use of possibly insecure function - consider using safer ast.literal_eval.</source> + <translation>Verwendung einer möglicherweise unsicheren Funktion - verwende besser ast.literal_eval.</translation> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="104" /> + <source>Use of mark_safe() may expose cross-site scripting vulnerabilities and should be reviewed.</source> + <translation>Verwendung von mark_safe() kann eine Cross Site Scripting Schwäche eröffnen und sollte vermieden werden.</translation> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="109" /> + <source>Use of HTTPSConnection on older versions of Python prior to 2.7.9 and 3.4.3 do not provide security, see https://wiki.openstack.org/wiki/OSSN/OSSN-0033</source> + <translation>Verwendung von HTTPSConnection unter alten Python versionen vor 2.7.9 und 3.4.3 ist nicht sicher; siehe https://wiki.openstack.org/wiki/OSSN/OSSN-0033</translation> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="115" /> + <source>Audit url open for permitted schemes. Allowing use of file:/ or custom schemes is often unexpected.</source> + <translation>Überprüfe 'url open' auf zugelassene Schemata. Das Zulassen von file:/ oder eigenen Schemata ist oft unerwartet.</translation> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="120" /> <source>Standard pseudo-random generators are not suitable for security/cryptographic purposes.</source> <translation>Standardzufallszahlengeneratoren sind ungeeignet für den Einsatz im Bereich Sicherheit/Kryptographie.</translation> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="102" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="125" /> <source>Telnet-related functions are being called. Telnet is considered insecure. Use SSH or some other encrypted protocol.</source> <translation>Telnet-Funktionen werden verwendet. Telnet wird als unsicher angesehen. Verwende SSH oder ein anderes verschlüsseltes Protokoll.</translation> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="143" /> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="137" /> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="131" /> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="125" /> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="119" /> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="113" /> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="107" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="166" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="160" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="154" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="148" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="142" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="136" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="130" /> <source>Using '{0}' to parse untrusted XML data is known to be vulnerable to XML attacks. Replace '{0}' with its defusedxml equivalent function or make sure defusedxml.defuse_stdlib() is called.</source> <translation>Verwendung von '{0}', um nicht vertrauenswürdige XML Daten zu parsen, ist bekannt für XML Attacken. Ersetze '{0}' mit ihrer äquivalenten defusedxml Funktion oder stelle den Aufruf von defusedxml.defuse_stdlib() sicher.</translation> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="149" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="172" /> <source>Using '{0}' to parse untrusted XML data is known to be vulnerable to XML attacks. Replace '{0}' with its defusedxml equivalent function.</source> <translation>Verwendung von '{0}', um nicht vertrauenswürdige XML Daten zu parsen, ist bekannt für XML Attacken. Ersetze '{0}' mit ihrer äquivalenten defusedxml Funktion.</translation> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="155" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="178" /> <source>FTP-related functions are being called. FTP is considered insecure. Use SSH/SFTP/SCP or some other encrypted protocol.</source> <translation>FTP-Funktionen werden verwendet. FTP wird als unsicher angesehen. Verwende SSH/SFTP/SCP oder ein anderes verschlüsseltes Protokoll.</translation> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="160" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="183" /> <source>The input method in Python 2 will read from standard input, evaluate and run the resulting string as Python source code. This is similar, though in many ways worse, than using eval. On Python 2, use raw_input instead, input is safe in Python 3.</source> <translation>Die input Method von Python 2 liest Eingaben von der Standardeingabe, verarbeitet sie und führt die resultierende Zeichenkette als Python Quelltext aus. Dies ist vergleichbat und in manchen Fällen schlimmer als die Verwendung von eval(). Verwende mit Python 2 raw_input(). input() ist in Python3 sicher.</translation> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="167" /> - <source>By default, Python will create a secure, verified SSL context for use in such classes as HTTPSConnection. However, it still allows using an insecure context via the _create_unverified_context that reverts to the previous behavior that does not validate certificates or perform hostname checks.</source> - <translation>Standardmäßig erzeugt Python einen sicheren, verifizierten SSL Kontext zur Verwendung in Klassen wie HTTPSConnection. Allerdings ist immer noch die Verwendung eines unsicheren Kontextes via _create_unverified_context() möglich. Dies kehrt zum alten Verhalten ohne Validierung von Zertifikaten und Prüfung des Hostnamens zurück.</translation> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="175" /> - <source>Use of os.tempnam() and os.tmpnam() is vulnerable to symlink attacks. Consider using tmpfile() instead.</source> - <translation>Verwendung von os.tempnam() und os.tmpnam() ist anfällig für Symlink Attacken. Verwende stattdessen tmpfile().</translation> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="181" /> - <source>Use of insecure {0} hash function.</source> - <translation>Verwendung der unsicheren Hashfunktion {0}.</translation> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="185" /> - <source>A telnet-related module is being imported. Telnet is considered insecure. Use SSH or some other encrypted protocol.</source> - <translation>Ein telnet verwandtes Modul wird eingebunden. Telnet wird als unsicher angesehen. Verwende SSH oder ein anderes verschlüsseltes Protokoll.</translation> - </message> - <message> <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="190" /> + <source>By default, Python will create a secure, verified SSL context for use in such classes as HTTPSConnection. However, it still allows using an insecure context via the _create_unverified_context that reverts to the previous behavior that does not validate certificates or perform hostname checks.</source> + <translation>Standardmäßig erzeugt Python einen sicheren, verifizierten SSL Kontext zur Verwendung in Klassen wie HTTPSConnection. Allerdings ist immer noch die Verwendung eines unsicheren Kontextes via _create_unverified_context() möglich. Dies kehrt zum alten Verhalten ohne Validierung von Zertifikaten und Prüfung des Hostnamens zurück.</translation> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="198" /> + <source>Use of os.tempnam() and os.tmpnam() is vulnerable to symlink attacks. Consider using tmpfile() instead.</source> + <translation>Verwendung von os.tempnam() und os.tmpnam() ist anfällig für Symlink Attacken. Verwende stattdessen tmpfile().</translation> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="204" /> + <source>Use of insecure {0} hash function.</source> + <translation>Verwendung der unsicheren Hashfunktion {0}.</translation> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="207" /> + <source>Use of insecure {0} hash for security. Consider 'usedforsecurity=False'.</source> + <translation>Verwendung eines unsicheren {0}-Hashes für die Sicherheit. Verwende 'usedforsecurity=False'.</translation> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="212" /> + <source>A telnet-related module is being imported. Telnet is considered insecure. Use SSH or some other encrypted protocol.</source> + <translation>Ein telnet verwandtes Modul wird eingebunden. Telnet wird als unsicher angesehen. Verwende SSH oder ein anderes verschlüsseltes Protokoll.</translation> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="217" /> <source>A FTP-related module is being imported. FTP is considered insecure. Use SSH/SFTP/SCP or some other encrypted protocol.</source> <translation>Ein FTP verwandtes Modul wird eingebunden. FTP wird als unsicher angesehen. Verwende SSH/SFTP/SCP oder ein anderes verschlüsseltes Protokoll.</translation> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="199" /> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="195" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="226" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="222" /> <source>Consider possible security implications associated with the '{0}' module.</source> <translation>Überprüfe mögliche Sicherheitsauswirkungen, die mit dem '{0}' Modul verbunden sind.</translation> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="227" /> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="221" /> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="215" /> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="209" /> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="203" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="254" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="248" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="242" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="236" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="230" /> <source>Using '{0}' to parse untrusted XML data is known to be vulnerable to XML attacks. Replace '{0}' with the equivalent defusedxml package, or make sure defusedxml.defuse_stdlib() is called.</source> <translation>Verwendung von '{0}', um nicht vertrauenswürdige XML Daten zu parsen, ist bekannt für XML Attacken. Ersetze '{0}' mit ihrer äquivalenten defusedxml Paket oder stelle den Aufruf von defusedxml.defuse_stdlib() sicher.</translation> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="233" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="260" /> <source>Using '{0}' to parse untrusted XML data is known to be vulnerable to XML attacks. Replace '{0}' with the equivalent defusedxml package.</source> <translation>Verwendung von '{0}', um nicht vertrauenswürdige XML Daten zu parsen, ist bekannt für XML Attacken. Ersetze '{0}' mit ihrer äquivalenten defusedxml Paket.</translation> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="239" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="266" /> <source>Using '{0}' to parse untrusted XML data is known to be vulnerable to XML attacks. Use defused.xmlrpc.monkey_patch() function to monkey-patch xmlrpclib and mitigate XML vulnerabilities.</source> <translation>Verwendung von '{0}', um nicht vertrauenswürdige XML Daten zu parsen, ist bekannt für XML Attacken. Verwende die defused.xmlrpc.monkey_patch().Funktion, um die xmlrpclib zu patchen und XML Verwundbarkeiten abzuschwächen.</translation> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="245" /> - <source>Consider possible security implications associated with '{0}' module.</source> - <translation>Überprüfe mögliche Sicherheitsauswirkungen, die mit dem '{0}' Modul verbunden sind.</translation> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="249" /> - <source>The pyCrypto library and its module '{0}' are no longer actively maintained and have been deprecated. Consider using pyca/cryptography library.</source> - <translation>Die pyCrypto Bibliothek und ihr Modul '{0}' werden nicht mehr länger gepflegt und sind veraltet. Setze die pyca/cryptography Bibliothek ein.</translation> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="256" /> - <source>'requests' call with verify=False disabling SSL certificate checks, security issue.</source> - <translation>'requests' Aufruf mit verify=False schaltet SSL Zertifikatsprüfungen aus; Sicherheitsproblem.</translation> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="262" /> - <source>'ssl.wrap_socket' call with insecure SSL/TLS protocol version identified, security issue.</source> - <translation>'ssl.wrap_socket' Aufruf mit unsicherer SSL/TLS Protokollversion erkannt; Sicherheitsproblem.</translation> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="267" /> - <source>'SSL.Context' call with insecure SSL/TLS protocol version identified, security issue.</source> - <translation>'SSL.Context' Aufruf mit unsicherer SSL/TLS Protokollversion erkannt; Sicherheitsproblem.</translation> - </message> - <message> <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="272" /> - <source>Function call with insecure SSL/TLS protocol version identified, security issue.</source> - <translation>Funktionsaufruf mit unsicherer SSL/TLS Protokollversion erkannt; Sicherheitsproblem.</translation> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="277" /> - <source>Function definition identified with insecure SSL/TLS protocol version by default, possible security issue.</source> - <translation>Funktionsdefinition mit unsicherer SSL/TLS Protokollversion als Standardwert; Sicherheitsproblem.</translation> + <source>Consider possible security implications associated with '{0}' module.</source> + <translation>Überprüfe mögliche Sicherheitsauswirkungen, die mit dem '{0}' Modul verbunden sind.</translation> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="276" /> + <source>The pyCrypto library and its module '{0}' are no longer actively maintained and have been deprecated. Consider using pyca/cryptography library.</source> + <translation>Die pyCrypto Bibliothek und ihr Modul '{0}' werden nicht mehr länger gepflegt und sind veraltet. Setze die pyca/cryptography Bibliothek ein.</translation> </message> <message> <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="282" /> - <source>'ssl.wrap_socket' call with no SSL/TLS protocol version specified, the default 'SSLv23' could be insecure, possible security issue.</source> - <translation>'ssl.wrap_socket' Aufruf mit keiner Angabe der SSL/TLS Protokollversion. Der Standardwert 'SSLv23' könnte unsicher sein. Mögliches Sicherheitsproblem.</translation> + <source>An IPMI-related module is being imported. IPMI is considered insecure. Use an encrypted protocol.</source> + <translation>Es wird ein IPMI-bezogenes Modul importiert. IPMI gilt als unsicher. Verwende ein verschlüsseltes Protokoll.</translation> </message> <message> <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="288" /> + <source>'requests' call with verify=False disabling SSL certificate checks, security issue.</source> + <translation>'requests' Aufruf mit verify=False schaltet SSL Zertifikatsprüfungen aus; Sicherheitsproblem.</translation> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="294" /> + <source>'ssl.wrap_socket' call with insecure SSL/TLS protocol version identified, security issue.</source> + <translation>'ssl.wrap_socket' Aufruf mit unsicherer SSL/TLS Protokollversion erkannt; Sicherheitsproblem.</translation> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="299" /> + <source>'SSL.Context' call with insecure SSL/TLS protocol version identified, security issue.</source> + <translation>'SSL.Context' Aufruf mit unsicherer SSL/TLS Protokollversion erkannt; Sicherheitsproblem.</translation> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="304" /> + <source>Function call with insecure SSL/TLS protocol version identified, security issue.</source> + <translation>Funktionsaufruf mit unsicherer SSL/TLS Protokollversion erkannt; Sicherheitsproblem.</translation> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="309" /> + <source>Function definition identified with insecure SSL/TLS protocol version by default, possible security issue.</source> + <translation>Funktionsdefinition mit unsicherer SSL/TLS Protokollversion als Standardwert; Sicherheitsproblem.</translation> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="314" /> + <source>'ssl.wrap_socket' call with no SSL/TLS protocol version specified, the default 'SSLv23' could be insecure, possible security issue.</source> + <translation>'ssl.wrap_socket' Aufruf mit keiner Angabe der SSL/TLS Protokollversion. Der Standardwert 'SSLv23' könnte unsicher sein. Mögliches Sicherheitsproblem.</translation> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="320" /> <source>{0} key sizes below {1:d} bits are considered breakable.</source> <translation>{0} Schlüssellängen kleiner {1:d} Bit werden als knackbar angesehen.</translation> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="292" /> - <source>Use of unsafe 'yaml.load()'. Allows instantiation of arbitrary objects. Consider 'yaml.safe_load()'.</source> - <translation>Verwendung der unsicheren 'yaml.load()' Funktion. Sie erlaubt die Erzeugung beliebiger Objekte. Verwende 'yaml.safe_load()'.</translation> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="298" /> - <source>Paramiko call with policy set to automatically trust the unknown host key.</source> - <translation>Paramiko Aufruf mit einer gesetzte Policy, die automatisch einem unbekannten Host vertraut.</translation> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="303" /> - <source>Possible shell injection via 'Paramiko' call, check inputs are properly sanitized.</source> - <translation>Mögliche Shell Injection über einen 'Paramiko' Aufruf. Prüfe, dass Eingaben korrekt abgesichert werden.</translation> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="308" /> - <source>'subprocess' call with shell=True seems safe, but may be changed in the future, consider rewriting without shell</source> - <translation>'subprocess' Aufruf mit shell=True erscheint sicher, mag sich aber zukünftig ändern. Schreibe ihn ohne shell um</translation> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="313" /> - <source>'subprocess' call with shell=True identified, security issue.</source> - <translation>'subprocess' Aufruf mit shell=True erkannt; Sicherheitsproblem.</translation> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="316" /> - <source>'subprocess' call - check for execution of untrusted input.</source> - <translation>'subprocess' Aufruf - überprüfe auf Ausführung nicht vertrauenswürdiger Eingaben.</translation> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="319" /> - <source>Function call with shell=True parameter identified, possible security issue.</source> - <translation>Funktionsaufruf mit shell=True erkannt; mögliches Sicherheitsproblem.</translation> - </message> - <message> <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="324" /> - <source>Starting a process with a shell: Seems safe, but may be changed in the future, consider rewriting without shell</source> - <translation>Erzeugung eines Prozesses mit einer Shell: erscheint sicher, mag sich aber in Zukunft ändern. Schreibe ihn ohne Shell Verwendung um</translation> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="329" /> - <source>Starting a process with a shell, possible injection detected, security issue.</source> - <translation>Erzeugung eines Prozesses mit einer Shell, mögliche Injektion erkannt; Sicherheitsproblem.</translation> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="334" /> - <source>Starting a process without a shell.</source> - <translation>Starten eines Prozesses ohne Shell.</translation> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="337" /> - <source>Starting a process with a partial executable path.</source> - <translation>Starten eines Prozesses mit einem teilweisen Programmpfad.</translation> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="341" /> - <source>Possible SQL injection vector through string-based query construction.</source> - <translation>Mögliche SQL Injektion durch Zeichenketten basierten Aufbau einer Abfrage.</translation> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="346" /> - <source>Possible wildcard injection in call: {0}</source> - <translation>Mögliche Wildcard Injektion im Aufruf: {0}</translation> + <source>Use of unsafe 'yaml.load()'. Allows instantiation of arbitrary objects. Consider 'yaml.safe_load()'.</source> + <translation>Verwendung der unsicheren 'yaml.load()' Funktion. Sie erlaubt die Erzeugung beliebiger Objekte. Verwende 'yaml.safe_load()'.</translation> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="330" /> + <source>Paramiko call with policy set to automatically trust the unknown host key.</source> + <translation>Paramiko Aufruf mit einer gesetzte Policy, die automatisch einem unbekannten Host vertraut.</translation> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="335" /> + <source>The use of SNMPv1 and SNMPv2 is insecure. You should use SNMPv3 if possible.</source> + <translation>Die Verwendung von SNMPv1 und SNMPv2 ist unsicher. Wenn möglich sollte SNMPv3 verwendet werden.</translation> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="339" /> + <source>You should not use SNMPv3 without encryption. noAuthNoPriv & authNoPriv is insecure.</source> + <translation>SNMPv3 sollte nicht ohne Verschlüsselung verwendet werden. noAuthNoPriv & authNoPriv ist unsicher.</translation> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="345" /> + <source>Possible shell injection via 'Paramiko' call, check inputs are properly sanitized.</source> + <translation>Mögliche Shell Injection über einen 'Paramiko' Aufruf. Prüfe, dass Eingaben korrekt abgesichert werden.</translation> </message> <message> <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="350" /> + <source>'subprocess' call with shell=True seems safe, but may be changed in the future, consider rewriting without shell</source> + <translation>'subprocess' Aufruf mit shell=True erscheint sicher, mag sich aber zukünftig ändern. Schreibe ihn ohne shell um</translation> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="355" /> + <source>'subprocess' call with shell=True identified, security issue.</source> + <translation>'subprocess' Aufruf mit shell=True erkannt; Sicherheitsproblem.</translation> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="358" /> + <source>'subprocess' call - check for execution of untrusted input.</source> + <translation>'subprocess' Aufruf - überprüfe auf Ausführung nicht vertrauenswürdiger Eingaben.</translation> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="361" /> + <source>Function call with shell=True parameter identified, possible security issue.</source> + <translation>Funktionsaufruf mit shell=True erkannt; mögliches Sicherheitsproblem.</translation> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="366" /> + <source>Starting a process with a shell: Seems safe, but may be changed in the future, consider rewriting without shell</source> + <translation>Erzeugung eines Prozesses mit einer Shell: erscheint sicher, mag sich aber in Zukunft ändern. Schreibe ihn ohne Shell Verwendung um</translation> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="371" /> + <source>Starting a process with a shell, possible injection detected, security issue.</source> + <translation>Erzeugung eines Prozesses mit einer Shell, mögliche Injektion erkannt; Sicherheitsproblem.</translation> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="376" /> + <source>Starting a process without a shell.</source> + <translation>Starten eines Prozesses ohne Shell.</translation> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="379" /> + <source>Starting a process with a partial executable path.</source> + <translation>Starten eines Prozesses mit einem teilweisen Programmpfad.</translation> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="383" /> + <source>Possible SQL injection vector through string-based query construction.</source> + <translation>Mögliche SQL Injektion durch Zeichenketten basierten Aufbau einer Abfrage.</translation> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="388" /> + <source>Possible wildcard injection in call: {0}</source> + <translation>Mögliche Wildcard Injektion im Aufruf: {0}</translation> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="392" /> <source>Use of 'extra()' opens a potential SQL attack vector.</source> <translation>Verwendung von 'extra()' eröffnet einen möglichen SQL Angriffsvektor.</translation> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="353" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="395" /> <source>Use of 'RawSQL()' opens a potential SQL attack vector.</source> <translation>Verwendung von 'RawSQL()' eröffnet einen möglichen SQL Angriffsvektor.</translation> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="357" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="399" /> <source>Using jinja2 templates with 'autoescape=False' is dangerous and can lead to XSS. Use 'autoescape=True' or use the 'select_autoescape' function to mitigate XSS vulnerabilities.</source> <translation>Verwendung von Jinja Templates mit 'autoescape=False' ist gefährlich und führt zu XSS. Verwende 'autoescaoe=True' oder wähle die 'select_autoescape' Funktion zur Abschwächung von XSS Verwundbarkeiten.</translation> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="363" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="405" /> <source>By default, jinja2 sets 'autoescape' to False. Consider using 'autoescape=True' or use the 'select_autoescape' function to mitigate XSS vulnerabilities.</source> <translation>Als Standard setzt Jinja2 'autoescape' auf False. Verwende 'autoescaoe=True' oder wähle die 'select_autoescape' Funktion zur Abschwächung von XSS Verwundbarkeiten.</translation> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="370" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="412" /> <source>Mako templates allow HTML/JS rendering by default and are inherently open to XSS attacks. Ensure variables in all templates are properly sanitized via the 'n', 'h' or 'x' flags (depending on context). For example, to HTML escape the variable 'data' do ${{ data |h }}.</source> <translation>Mako Templates als Standard das Rendering von HTML/JS und sind damit offen für XSS Angriffe. Stelle sicher, dass alle in Templates verwendeten Variablen über die 'n', 'h' oder 'x' Flags abgesichert sind (abhängig vom Kontext). Verwende z.B. zur Absicherung der HTML Variablen 'data' den Ausdruck '${{ data |h }}.</translation> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="378" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="420" /> <source>Potential XSS on 'mark_safe()' function.</source> <translation>Potentielle XSS auf die 'mark_safe()' Funktion.</translation> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="382" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="424" /> <source>Possible hardcoded AWS access key ID: {0}</source> <translation>Mögliche einprogrammierte AWS Zugriffsschlüssel-ID: {0}</translation> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="385" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="427" /> <source>Possible hardcoded AWS secret access key: {0}</source> <translation>Möglicher einprogrammierter geheimer AWS Zugriffsschlüssel: {0}</translation> </message>
--- a/src/eric7/i18n/eric7_empty.ts Tue Sep 13 19:46:19 2022 +0200 +++ b/src/eric7/i18n/eric7_empty.ts Tue Sep 13 20:00:55 2022 +0200 @@ -65534,293 +65534,343 @@ <translation type="unfinished" /> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="49" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="48" /> + <source>'contextlib.suppress()' detected.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="50" /> + <source>Requests call without timeout.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="51" /> + <source>Requests call with timeout set to None.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="56" /> <source>A Flask app appears to be run with debug=True, which exposes the Werkzeug debugger and allows the execution of arbitrary code.</source> <translation type="unfinished" /> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="55" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="62" /> + <source>Usage of 'tarfile.extractall(members=function(tarfile))'. Make sure your function properly discards dangerous members ({0}).</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="67" /> + <source>Found 'tarfile.extractall(members=?)' but couldn't identify the type of members. Check if the members were properly validated ({0}).</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="72" /> + <source>'tarfile.extractall()' used without any validation. Please check and discard dangerous members.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="78" /> <source>Pickle and modules that wrap it can be unsafe when used to deserialize untrusted data, possible security issue.</source> <translation type="unfinished" /> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="60" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="83" /> <source>Deserialization with the marshal module is possibly dangerous.</source> <translation type="unfinished" /> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="63" /> - <source>Use of insecure MD2, MD4, MD5, or SHA1 hash function.</source> - <translation type="unfinished" /> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="66" /> - <source>Use of insecure cipher '{0}'. Replace with a known secure cipher such as AES.</source> - <translation type="unfinished" /> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="71" /> - <source>Use of insecure cipher mode '{0}'.</source> - <translation type="unfinished" /> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="74" /> - <source>Use of insecure and deprecated function (mktemp).</source> - <translation type="unfinished" /> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="77" /> - <source>Use of possibly insecure function - consider using safer ast.literal_eval.</source> - <translation type="unfinished" /> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="81" /> - <source>Use of mark_safe() may expose cross-site scripting vulnerabilities and should be reviewed.</source> - <translation type="unfinished" /> - </message> - <message> <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="86" /> - <source>Use of HTTPSConnection on older versions of Python prior to 2.7.9 and 3.4.3 do not provide security, see https://wiki.openstack.org/wiki/OSSN/OSSN-0033</source> - <translation type="unfinished" /> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="92" /> - <source>Audit url open for permitted schemes. Allowing use of file:/ or custom schemes is often unexpected.</source> + <source>Use of insecure MD2, MD4, MD5, or SHA1 hash function.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="89" /> + <source>Use of insecure cipher '{0}'. Replace with a known secure cipher such as AES.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="94" /> + <source>Use of insecure cipher mode '{0}'.</source> <translation type="unfinished" /> </message> <message> <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="97" /> + <source>Use of insecure and deprecated function (mktemp).</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="100" /> + <source>Use of possibly insecure function - consider using safer ast.literal_eval.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="104" /> + <source>Use of mark_safe() may expose cross-site scripting vulnerabilities and should be reviewed.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="109" /> + <source>Use of HTTPSConnection on older versions of Python prior to 2.7.9 and 3.4.3 do not provide security, see https://wiki.openstack.org/wiki/OSSN/OSSN-0033</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="115" /> + <source>Audit url open for permitted schemes. Allowing use of file:/ or custom schemes is often unexpected.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="120" /> <source>Standard pseudo-random generators are not suitable for security/cryptographic purposes.</source> <translation type="unfinished" /> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="102" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="125" /> <source>Telnet-related functions are being called. Telnet is considered insecure. Use SSH or some other encrypted protocol.</source> <translation type="unfinished" /> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="143" /> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="137" /> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="131" /> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="125" /> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="119" /> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="113" /> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="107" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="166" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="160" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="154" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="148" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="142" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="136" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="130" /> <source>Using '{0}' to parse untrusted XML data is known to be vulnerable to XML attacks. Replace '{0}' with its defusedxml equivalent function or make sure defusedxml.defuse_stdlib() is called.</source> <translation type="unfinished" /> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="149" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="172" /> <source>Using '{0}' to parse untrusted XML data is known to be vulnerable to XML attacks. Replace '{0}' with its defusedxml equivalent function.</source> <translation type="unfinished" /> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="155" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="178" /> <source>FTP-related functions are being called. FTP is considered insecure. Use SSH/SFTP/SCP or some other encrypted protocol.</source> <translation type="unfinished" /> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="160" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="183" /> <source>The input method in Python 2 will read from standard input, evaluate and run the resulting string as Python source code. This is similar, though in many ways worse, than using eval. On Python 2, use raw_input instead, input is safe in Python 3.</source> <translation type="unfinished" /> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="167" /> - <source>By default, Python will create a secure, verified SSL context for use in such classes as HTTPSConnection. However, it still allows using an insecure context via the _create_unverified_context that reverts to the previous behavior that does not validate certificates or perform hostname checks.</source> - <translation type="unfinished" /> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="175" /> - <source>Use of os.tempnam() and os.tmpnam() is vulnerable to symlink attacks. Consider using tmpfile() instead.</source> - <translation type="unfinished" /> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="181" /> - <source>Use of insecure {0} hash function.</source> - <translation type="unfinished" /> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="185" /> - <source>A telnet-related module is being imported. Telnet is considered insecure. Use SSH or some other encrypted protocol.</source> - <translation type="unfinished" /> - </message> - <message> <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="190" /> + <source>By default, Python will create a secure, verified SSL context for use in such classes as HTTPSConnection. However, it still allows using an insecure context via the _create_unverified_context that reverts to the previous behavior that does not validate certificates or perform hostname checks.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="198" /> + <source>Use of os.tempnam() and os.tmpnam() is vulnerable to symlink attacks. Consider using tmpfile() instead.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="204" /> + <source>Use of insecure {0} hash function.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="207" /> + <source>Use of insecure {0} hash for security. Consider 'usedforsecurity=False'.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="212" /> + <source>A telnet-related module is being imported. Telnet is considered insecure. Use SSH or some other encrypted protocol.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="217" /> <source>A FTP-related module is being imported. FTP is considered insecure. Use SSH/SFTP/SCP or some other encrypted protocol.</source> <translation type="unfinished" /> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="199" /> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="195" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="226" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="222" /> <source>Consider possible security implications associated with the '{0}' module.</source> <translation type="unfinished" /> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="227" /> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="221" /> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="215" /> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="209" /> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="203" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="254" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="248" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="242" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="236" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="230" /> <source>Using '{0}' to parse untrusted XML data is known to be vulnerable to XML attacks. Replace '{0}' with the equivalent defusedxml package, or make sure defusedxml.defuse_stdlib() is called.</source> <translation type="unfinished" /> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="233" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="260" /> <source>Using '{0}' to parse untrusted XML data is known to be vulnerable to XML attacks. Replace '{0}' with the equivalent defusedxml package.</source> <translation type="unfinished" /> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="239" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="266" /> <source>Using '{0}' to parse untrusted XML data is known to be vulnerable to XML attacks. Use defused.xmlrpc.monkey_patch() function to monkey-patch xmlrpclib and mitigate XML vulnerabilities.</source> <translation type="unfinished" /> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="245" /> - <source>Consider possible security implications associated with '{0}' module.</source> - <translation type="unfinished" /> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="249" /> - <source>The pyCrypto library and its module '{0}' are no longer actively maintained and have been deprecated. Consider using pyca/cryptography library.</source> - <translation type="unfinished" /> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="256" /> - <source>'requests' call with verify=False disabling SSL certificate checks, security issue.</source> - <translation type="unfinished" /> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="262" /> - <source>'ssl.wrap_socket' call with insecure SSL/TLS protocol version identified, security issue.</source> - <translation type="unfinished" /> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="267" /> - <source>'SSL.Context' call with insecure SSL/TLS protocol version identified, security issue.</source> - <translation type="unfinished" /> - </message> - <message> <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="272" /> - <source>Function call with insecure SSL/TLS protocol version identified, security issue.</source> - <translation type="unfinished" /> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="277" /> - <source>Function definition identified with insecure SSL/TLS protocol version by default, possible security issue.</source> + <source>Consider possible security implications associated with '{0}' module.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="276" /> + <source>The pyCrypto library and its module '{0}' are no longer actively maintained and have been deprecated. Consider using pyca/cryptography library.</source> <translation type="unfinished" /> </message> <message> <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="282" /> - <source>'ssl.wrap_socket' call with no SSL/TLS protocol version specified, the default 'SSLv23' could be insecure, possible security issue.</source> + <source>An IPMI-related module is being imported. IPMI is considered insecure. Use an encrypted protocol.</source> <translation type="unfinished" /> </message> <message> <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="288" /> + <source>'requests' call with verify=False disabling SSL certificate checks, security issue.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="294" /> + <source>'ssl.wrap_socket' call with insecure SSL/TLS protocol version identified, security issue.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="299" /> + <source>'SSL.Context' call with insecure SSL/TLS protocol version identified, security issue.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="304" /> + <source>Function call with insecure SSL/TLS protocol version identified, security issue.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="309" /> + <source>Function definition identified with insecure SSL/TLS protocol version by default, possible security issue.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="314" /> + <source>'ssl.wrap_socket' call with no SSL/TLS protocol version specified, the default 'SSLv23' could be insecure, possible security issue.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="320" /> <source>{0} key sizes below {1:d} bits are considered breakable.</source> <translation type="unfinished" /> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="292" /> - <source>Use of unsafe 'yaml.load()'. Allows instantiation of arbitrary objects. Consider 'yaml.safe_load()'.</source> - <translation type="unfinished" /> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="298" /> - <source>Paramiko call with policy set to automatically trust the unknown host key.</source> - <translation type="unfinished" /> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="303" /> - <source>Possible shell injection via 'Paramiko' call, check inputs are properly sanitized.</source> - <translation type="unfinished" /> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="308" /> - <source>'subprocess' call with shell=True seems safe, but may be changed in the future, consider rewriting without shell</source> - <translation type="unfinished" /> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="313" /> - <source>'subprocess' call with shell=True identified, security issue.</source> - <translation type="unfinished" /> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="316" /> - <source>'subprocess' call - check for execution of untrusted input.</source> - <translation type="unfinished" /> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="319" /> - <source>Function call with shell=True parameter identified, possible security issue.</source> - <translation type="unfinished" /> - </message> - <message> <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="324" /> - <source>Starting a process with a shell: Seems safe, but may be changed in the future, consider rewriting without shell</source> - <translation type="unfinished" /> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="329" /> - <source>Starting a process with a shell, possible injection detected, security issue.</source> - <translation type="unfinished" /> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="334" /> - <source>Starting a process without a shell.</source> - <translation type="unfinished" /> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="337" /> - <source>Starting a process with a partial executable path.</source> - <translation type="unfinished" /> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="341" /> - <source>Possible SQL injection vector through string-based query construction.</source> - <translation type="unfinished" /> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="346" /> - <source>Possible wildcard injection in call: {0}</source> + <source>Use of unsafe 'yaml.load()'. Allows instantiation of arbitrary objects. Consider 'yaml.safe_load()'.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="330" /> + <source>Paramiko call with policy set to automatically trust the unknown host key.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="335" /> + <source>The use of SNMPv1 and SNMPv2 is insecure. You should use SNMPv3 if possible.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="339" /> + <source>You should not use SNMPv3 without encryption. noAuthNoPriv & authNoPriv is insecure.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="345" /> + <source>Possible shell injection via 'Paramiko' call, check inputs are properly sanitized.</source> <translation type="unfinished" /> </message> <message> <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="350" /> + <source>'subprocess' call with shell=True seems safe, but may be changed in the future, consider rewriting without shell</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="355" /> + <source>'subprocess' call with shell=True identified, security issue.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="358" /> + <source>'subprocess' call - check for execution of untrusted input.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="361" /> + <source>Function call with shell=True parameter identified, possible security issue.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="366" /> + <source>Starting a process with a shell: Seems safe, but may be changed in the future, consider rewriting without shell</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="371" /> + <source>Starting a process with a shell, possible injection detected, security issue.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="376" /> + <source>Starting a process without a shell.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="379" /> + <source>Starting a process with a partial executable path.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="383" /> + <source>Possible SQL injection vector through string-based query construction.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="388" /> + <source>Possible wildcard injection in call: {0}</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="392" /> <source>Use of 'extra()' opens a potential SQL attack vector.</source> <translation type="unfinished" /> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="353" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="395" /> <source>Use of 'RawSQL()' opens a potential SQL attack vector.</source> <translation type="unfinished" /> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="357" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="399" /> <source>Using jinja2 templates with 'autoescape=False' is dangerous and can lead to XSS. Use 'autoescape=True' or use the 'select_autoescape' function to mitigate XSS vulnerabilities.</source> <translation type="unfinished" /> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="363" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="405" /> <source>By default, jinja2 sets 'autoescape' to False. Consider using 'autoescape=True' or use the 'select_autoescape' function to mitigate XSS vulnerabilities.</source> <translation type="unfinished" /> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="370" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="412" /> <source>Mako templates allow HTML/JS rendering by default and are inherently open to XSS attacks. Ensure variables in all templates are properly sanitized via the 'n', 'h' or 'x' flags (depending on context). For example, to HTML escape the variable 'data' do ${{ data |h }}.</source> <translation type="unfinished" /> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="378" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="420" /> <source>Potential XSS on 'mark_safe()' function.</source> <translation type="unfinished" /> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="382" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="424" /> <source>Possible hardcoded AWS access key ID: {0}</source> <translation type="unfinished" /> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="385" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="427" /> <source>Possible hardcoded AWS secret access key: {0}</source> <translation type="unfinished" /> </message>
--- a/src/eric7/i18n/eric7_en.ts Tue Sep 13 19:46:19 2022 +0200 +++ b/src/eric7/i18n/eric7_en.ts Tue Sep 13 20:00:55 2022 +0200 @@ -65582,293 +65582,343 @@ <translation type="unfinished" /> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="49" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="48" /> + <source>'contextlib.suppress()' detected.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="50" /> + <source>Requests call without timeout.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="51" /> + <source>Requests call with timeout set to None.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="56" /> <source>A Flask app appears to be run with debug=True, which exposes the Werkzeug debugger and allows the execution of arbitrary code.</source> <translation type="unfinished" /> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="55" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="62" /> + <source>Usage of 'tarfile.extractall(members=function(tarfile))'. Make sure your function properly discards dangerous members ({0}).</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="67" /> + <source>Found 'tarfile.extractall(members=?)' but couldn't identify the type of members. Check if the members were properly validated ({0}).</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="72" /> + <source>'tarfile.extractall()' used without any validation. Please check and discard dangerous members.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="78" /> <source>Pickle and modules that wrap it can be unsafe when used to deserialize untrusted data, possible security issue.</source> <translation type="unfinished" /> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="60" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="83" /> <source>Deserialization with the marshal module is possibly dangerous.</source> <translation type="unfinished" /> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="63" /> - <source>Use of insecure MD2, MD4, MD5, or SHA1 hash function.</source> - <translation type="unfinished" /> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="66" /> - <source>Use of insecure cipher '{0}'. Replace with a known secure cipher such as AES.</source> - <translation type="unfinished" /> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="71" /> - <source>Use of insecure cipher mode '{0}'.</source> - <translation type="unfinished" /> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="74" /> - <source>Use of insecure and deprecated function (mktemp).</source> - <translation type="unfinished" /> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="77" /> - <source>Use of possibly insecure function - consider using safer ast.literal_eval.</source> - <translation type="unfinished" /> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="81" /> - <source>Use of mark_safe() may expose cross-site scripting vulnerabilities and should be reviewed.</source> - <translation type="unfinished" /> - </message> - <message> <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="86" /> - <source>Use of HTTPSConnection on older versions of Python prior to 2.7.9 and 3.4.3 do not provide security, see https://wiki.openstack.org/wiki/OSSN/OSSN-0033</source> - <translation type="unfinished" /> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="92" /> - <source>Audit url open for permitted schemes. Allowing use of file:/ or custom schemes is often unexpected.</source> + <source>Use of insecure MD2, MD4, MD5, or SHA1 hash function.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="89" /> + <source>Use of insecure cipher '{0}'. Replace with a known secure cipher such as AES.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="94" /> + <source>Use of insecure cipher mode '{0}'.</source> <translation type="unfinished" /> </message> <message> <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="97" /> + <source>Use of insecure and deprecated function (mktemp).</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="100" /> + <source>Use of possibly insecure function - consider using safer ast.literal_eval.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="104" /> + <source>Use of mark_safe() may expose cross-site scripting vulnerabilities and should be reviewed.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="109" /> + <source>Use of HTTPSConnection on older versions of Python prior to 2.7.9 and 3.4.3 do not provide security, see https://wiki.openstack.org/wiki/OSSN/OSSN-0033</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="115" /> + <source>Audit url open for permitted schemes. Allowing use of file:/ or custom schemes is often unexpected.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="120" /> <source>Standard pseudo-random generators are not suitable for security/cryptographic purposes.</source> <translation type="unfinished" /> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="102" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="125" /> <source>Telnet-related functions are being called. Telnet is considered insecure. Use SSH or some other encrypted protocol.</source> <translation type="unfinished" /> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="143" /> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="137" /> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="131" /> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="125" /> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="119" /> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="113" /> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="107" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="166" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="160" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="154" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="148" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="142" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="136" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="130" /> <source>Using '{0}' to parse untrusted XML data is known to be vulnerable to XML attacks. Replace '{0}' with its defusedxml equivalent function or make sure defusedxml.defuse_stdlib() is called.</source> <translation type="unfinished" /> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="149" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="172" /> <source>Using '{0}' to parse untrusted XML data is known to be vulnerable to XML attacks. Replace '{0}' with its defusedxml equivalent function.</source> <translation type="unfinished" /> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="155" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="178" /> <source>FTP-related functions are being called. FTP is considered insecure. Use SSH/SFTP/SCP or some other encrypted protocol.</source> <translation type="unfinished" /> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="160" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="183" /> <source>The input method in Python 2 will read from standard input, evaluate and run the resulting string as Python source code. This is similar, though in many ways worse, than using eval. On Python 2, use raw_input instead, input is safe in Python 3.</source> <translation type="unfinished" /> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="167" /> - <source>By default, Python will create a secure, verified SSL context for use in such classes as HTTPSConnection. However, it still allows using an insecure context via the _create_unverified_context that reverts to the previous behavior that does not validate certificates or perform hostname checks.</source> - <translation type="unfinished" /> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="175" /> - <source>Use of os.tempnam() and os.tmpnam() is vulnerable to symlink attacks. Consider using tmpfile() instead.</source> - <translation type="unfinished" /> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="181" /> - <source>Use of insecure {0} hash function.</source> - <translation type="unfinished" /> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="185" /> - <source>A telnet-related module is being imported. Telnet is considered insecure. Use SSH or some other encrypted protocol.</source> - <translation type="unfinished" /> - </message> - <message> <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="190" /> + <source>By default, Python will create a secure, verified SSL context for use in such classes as HTTPSConnection. However, it still allows using an insecure context via the _create_unverified_context that reverts to the previous behavior that does not validate certificates or perform hostname checks.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="198" /> + <source>Use of os.tempnam() and os.tmpnam() is vulnerable to symlink attacks. Consider using tmpfile() instead.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="204" /> + <source>Use of insecure {0} hash function.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="207" /> + <source>Use of insecure {0} hash for security. Consider 'usedforsecurity=False'.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="212" /> + <source>A telnet-related module is being imported. Telnet is considered insecure. Use SSH or some other encrypted protocol.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="217" /> <source>A FTP-related module is being imported. FTP is considered insecure. Use SSH/SFTP/SCP or some other encrypted protocol.</source> <translation type="unfinished" /> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="199" /> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="195" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="226" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="222" /> <source>Consider possible security implications associated with the '{0}' module.</source> <translation type="unfinished" /> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="227" /> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="221" /> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="215" /> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="209" /> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="203" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="254" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="248" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="242" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="236" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="230" /> <source>Using '{0}' to parse untrusted XML data is known to be vulnerable to XML attacks. Replace '{0}' with the equivalent defusedxml package, or make sure defusedxml.defuse_stdlib() is called.</source> <translation type="unfinished" /> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="233" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="260" /> <source>Using '{0}' to parse untrusted XML data is known to be vulnerable to XML attacks. Replace '{0}' with the equivalent defusedxml package.</source> <translation type="unfinished" /> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="239" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="266" /> <source>Using '{0}' to parse untrusted XML data is known to be vulnerable to XML attacks. Use defused.xmlrpc.monkey_patch() function to monkey-patch xmlrpclib and mitigate XML vulnerabilities.</source> <translation type="unfinished" /> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="245" /> - <source>Consider possible security implications associated with '{0}' module.</source> - <translation type="unfinished" /> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="249" /> - <source>The pyCrypto library and its module '{0}' are no longer actively maintained and have been deprecated. Consider using pyca/cryptography library.</source> - <translation type="unfinished" /> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="256" /> - <source>'requests' call with verify=False disabling SSL certificate checks, security issue.</source> - <translation type="unfinished" /> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="262" /> - <source>'ssl.wrap_socket' call with insecure SSL/TLS protocol version identified, security issue.</source> - <translation type="unfinished" /> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="267" /> - <source>'SSL.Context' call with insecure SSL/TLS protocol version identified, security issue.</source> - <translation type="unfinished" /> - </message> - <message> <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="272" /> - <source>Function call with insecure SSL/TLS protocol version identified, security issue.</source> - <translation type="unfinished" /> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="277" /> - <source>Function definition identified with insecure SSL/TLS protocol version by default, possible security issue.</source> + <source>Consider possible security implications associated with '{0}' module.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="276" /> + <source>The pyCrypto library and its module '{0}' are no longer actively maintained and have been deprecated. Consider using pyca/cryptography library.</source> <translation type="unfinished" /> </message> <message> <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="282" /> - <source>'ssl.wrap_socket' call with no SSL/TLS protocol version specified, the default 'SSLv23' could be insecure, possible security issue.</source> + <source>An IPMI-related module is being imported. IPMI is considered insecure. Use an encrypted protocol.</source> <translation type="unfinished" /> </message> <message> <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="288" /> + <source>'requests' call with verify=False disabling SSL certificate checks, security issue.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="294" /> + <source>'ssl.wrap_socket' call with insecure SSL/TLS protocol version identified, security issue.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="299" /> + <source>'SSL.Context' call with insecure SSL/TLS protocol version identified, security issue.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="304" /> + <source>Function call with insecure SSL/TLS protocol version identified, security issue.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="309" /> + <source>Function definition identified with insecure SSL/TLS protocol version by default, possible security issue.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="314" /> + <source>'ssl.wrap_socket' call with no SSL/TLS protocol version specified, the default 'SSLv23' could be insecure, possible security issue.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="320" /> <source>{0} key sizes below {1:d} bits are considered breakable.</source> <translation type="unfinished" /> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="292" /> - <source>Use of unsafe 'yaml.load()'. Allows instantiation of arbitrary objects. Consider 'yaml.safe_load()'.</source> - <translation type="unfinished" /> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="298" /> - <source>Paramiko call with policy set to automatically trust the unknown host key.</source> - <translation type="unfinished" /> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="303" /> - <source>Possible shell injection via 'Paramiko' call, check inputs are properly sanitized.</source> - <translation type="unfinished" /> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="308" /> - <source>'subprocess' call with shell=True seems safe, but may be changed in the future, consider rewriting without shell</source> - <translation type="unfinished" /> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="313" /> - <source>'subprocess' call with shell=True identified, security issue.</source> - <translation type="unfinished" /> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="316" /> - <source>'subprocess' call - check for execution of untrusted input.</source> - <translation type="unfinished" /> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="319" /> - <source>Function call with shell=True parameter identified, possible security issue.</source> - <translation type="unfinished" /> - </message> - <message> <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="324" /> - <source>Starting a process with a shell: Seems safe, but may be changed in the future, consider rewriting without shell</source> - <translation type="unfinished" /> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="329" /> - <source>Starting a process with a shell, possible injection detected, security issue.</source> - <translation type="unfinished" /> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="334" /> - <source>Starting a process without a shell.</source> - <translation type="unfinished" /> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="337" /> - <source>Starting a process with a partial executable path.</source> - <translation type="unfinished" /> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="341" /> - <source>Possible SQL injection vector through string-based query construction.</source> - <translation type="unfinished" /> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="346" /> - <source>Possible wildcard injection in call: {0}</source> + <source>Use of unsafe 'yaml.load()'. Allows instantiation of arbitrary objects. Consider 'yaml.safe_load()'.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="330" /> + <source>Paramiko call with policy set to automatically trust the unknown host key.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="335" /> + <source>The use of SNMPv1 and SNMPv2 is insecure. You should use SNMPv3 if possible.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="339" /> + <source>You should not use SNMPv3 without encryption. noAuthNoPriv & authNoPriv is insecure.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="345" /> + <source>Possible shell injection via 'Paramiko' call, check inputs are properly sanitized.</source> <translation type="unfinished" /> </message> <message> <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="350" /> + <source>'subprocess' call with shell=True seems safe, but may be changed in the future, consider rewriting without shell</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="355" /> + <source>'subprocess' call with shell=True identified, security issue.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="358" /> + <source>'subprocess' call - check for execution of untrusted input.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="361" /> + <source>Function call with shell=True parameter identified, possible security issue.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="366" /> + <source>Starting a process with a shell: Seems safe, but may be changed in the future, consider rewriting without shell</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="371" /> + <source>Starting a process with a shell, possible injection detected, security issue.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="376" /> + <source>Starting a process without a shell.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="379" /> + <source>Starting a process with a partial executable path.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="383" /> + <source>Possible SQL injection vector through string-based query construction.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="388" /> + <source>Possible wildcard injection in call: {0}</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="392" /> <source>Use of 'extra()' opens a potential SQL attack vector.</source> <translation type="unfinished" /> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="353" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="395" /> <source>Use of 'RawSQL()' opens a potential SQL attack vector.</source> <translation type="unfinished" /> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="357" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="399" /> <source>Using jinja2 templates with 'autoescape=False' is dangerous and can lead to XSS. Use 'autoescape=True' or use the 'select_autoescape' function to mitigate XSS vulnerabilities.</source> <translation type="unfinished" /> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="363" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="405" /> <source>By default, jinja2 sets 'autoescape' to False. Consider using 'autoescape=True' or use the 'select_autoescape' function to mitigate XSS vulnerabilities.</source> <translation type="unfinished" /> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="370" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="412" /> <source>Mako templates allow HTML/JS rendering by default and are inherently open to XSS attacks. Ensure variables in all templates are properly sanitized via the 'n', 'h' or 'x' flags (depending on context). For example, to HTML escape the variable 'data' do ${{ data |h }}.</source> <translation type="unfinished" /> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="378" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="420" /> <source>Potential XSS on 'mark_safe()' function.</source> <translation type="unfinished" /> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="382" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="424" /> <source>Possible hardcoded AWS access key ID: {0}</source> <translation type="unfinished" /> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="385" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="427" /> <source>Possible hardcoded AWS secret access key: {0}</source> <translation type="unfinished" /> </message>
--- a/src/eric7/i18n/eric7_es.ts Tue Sep 13 19:46:19 2022 +0200 +++ b/src/eric7/i18n/eric7_es.ts Tue Sep 13 20:00:55 2022 +0200 @@ -65960,293 +65960,343 @@ <translation>Detectado Try, Except, Continue.</translation> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="49" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="48" /> + <source>'contextlib.suppress()' detected.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="50" /> + <source>Requests call without timeout.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="51" /> + <source>Requests call with timeout set to None.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="56" /> <source>A Flask app appears to be run with debug=True, which exposes the Werkzeug debugger and allows the execution of arbitrary code.</source> <translation>Una apliación Flask parece ejecutada con debug=True, lo que expone la herramienta de depuración y permite la ejecución de código arbitrario.</translation> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="55" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="62" /> + <source>Usage of 'tarfile.extractall(members=function(tarfile))'. Make sure your function properly discards dangerous members ({0}).</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="67" /> + <source>Found 'tarfile.extractall(members=?)' but couldn't identify the type of members. Check if the members were properly validated ({0}).</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="72" /> + <source>'tarfile.extractall()' used without any validation. Please check and discard dangerous members.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="78" /> <source>Pickle and modules that wrap it can be unsafe when used to deserialize untrusted data, possible security issue.</source> <translation>Pickle y módulos que lo envuelven puede ser inseguro cuando se utiliza para deserializar datos no confiables, posible problema de seguridad.</translation> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="60" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="83" /> <source>Deserialization with the marshal module is possibly dangerous.</source> <translation>La deserialización con el módulo marshal es posiblemente peligrosa.</translation> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="63" /> - <source>Use of insecure MD2, MD4, MD5, or SHA1 hash function.</source> - <translation>Uso de función de hash MD2, MD4, MD5, o SHA1 inseguro.</translation> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="66" /> - <source>Use of insecure cipher '{0}'. Replace with a known secure cipher such as AES.</source> - <translation>Uso de cifrado '{0}' inseguro. Reemplazar con un cifrado seguro conocido como AES.</translation> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="71" /> - <source>Use of insecure cipher mode '{0}'.</source> - <translation>Uso de modo de cifrado inseguro '{0}'.</translation> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="74" /> - <source>Use of insecure and deprecated function (mktemp).</source> - <translation>Uso de función insegura y deprecada (mktemp).</translation> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="77" /> - <source>Use of possibly insecure function - consider using safer ast.literal_eval.</source> - <translation>Uso de función posiblemente insegura - considerar uso más seguro de ast.literal_eval.</translation> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="81" /> - <source>Use of mark_safe() may expose cross-site scripting vulnerabilities and should be reviewed.</source> - <translation>El uso de mark_safe() puede exponer vulnerabilidades de cross-site scripting y debería revisarse.</translation> - </message> - <message> <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="86" /> - <source>Use of HTTPSConnection on older versions of Python prior to 2.7.9 and 3.4.3 do not provide security, see https://wiki.openstack.org/wiki/OSSN/OSSN-0033</source> - <translation>El uso de HTTPSConnection en versionesde Python más antiguas que 2.7.9 y 3.4.3 no proporciona seguridad, ver https://wiki.openstack.org/wiki/OSSN/OSSN-0033</translation> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="92" /> - <source>Audit url open for permitted schemes. Allowing use of file:/ or custom schemes is often unexpected.</source> - <translation>Auditar url abierta a esquemas permitidos. PErmitir el uso de file:// o esquemas personalizados es a menudo inesperado.</translation> + <source>Use of insecure MD2, MD4, MD5, or SHA1 hash function.</source> + <translation>Uso de función de hash MD2, MD4, MD5, o SHA1 inseguro.</translation> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="89" /> + <source>Use of insecure cipher '{0}'. Replace with a known secure cipher such as AES.</source> + <translation>Uso de cifrado '{0}' inseguro. Reemplazar con un cifrado seguro conocido como AES.</translation> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="94" /> + <source>Use of insecure cipher mode '{0}'.</source> + <translation>Uso de modo de cifrado inseguro '{0}'.</translation> </message> <message> <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="97" /> + <source>Use of insecure and deprecated function (mktemp).</source> + <translation>Uso de función insegura y deprecada (mktemp).</translation> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="100" /> + <source>Use of possibly insecure function - consider using safer ast.literal_eval.</source> + <translation>Uso de función posiblemente insegura - considerar uso más seguro de ast.literal_eval.</translation> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="104" /> + <source>Use of mark_safe() may expose cross-site scripting vulnerabilities and should be reviewed.</source> + <translation>El uso de mark_safe() puede exponer vulnerabilidades de cross-site scripting y debería revisarse.</translation> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="109" /> + <source>Use of HTTPSConnection on older versions of Python prior to 2.7.9 and 3.4.3 do not provide security, see https://wiki.openstack.org/wiki/OSSN/OSSN-0033</source> + <translation>El uso de HTTPSConnection en versionesde Python más antiguas que 2.7.9 y 3.4.3 no proporciona seguridad, ver https://wiki.openstack.org/wiki/OSSN/OSSN-0033</translation> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="115" /> + <source>Audit url open for permitted schemes. Allowing use of file:/ or custom schemes is often unexpected.</source> + <translation>Auditar url abierta a esquemas permitidos. PErmitir el uso de file:// o esquemas personalizados es a menudo inesperado.</translation> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="120" /> <source>Standard pseudo-random generators are not suitable for security/cryptographic purposes.</source> <translation>Los generadores pseudo-random estándar no son adecuados para propósitos de seguridad/criptografía.</translation> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="102" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="125" /> <source>Telnet-related functions are being called. Telnet is considered insecure. Use SSH or some other encrypted protocol.</source> <translation>Invocación de funciones relacionadas con Telner. Telnet se considera como inseguro. Utilizar SSH o algún otro protocolo encriptado.</translation> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="143" /> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="137" /> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="131" /> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="125" /> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="119" /> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="113" /> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="107" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="166" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="160" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="154" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="148" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="142" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="136" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="130" /> <source>Using '{0}' to parse untrusted XML data is known to be vulnerable to XML attacks. Replace '{0}' with its defusedxml equivalent function or make sure defusedxml.defuse_stdlib() is called.</source> <translation>El uso de '{0}' para interpretar datos XML no fiables es conocido como vector de ataques XML. Reemplazar '{0}' con su función equivalente defusedxml o asegurar que se está invocando defusedxml.defuse_stdlib().</translation> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="149" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="172" /> <source>Using '{0}' to parse untrusted XML data is known to be vulnerable to XML attacks. Replace '{0}' with its defusedxml equivalent function.</source> <translation>El uso de '{0}' para interpretar datos XML no fiables es conocido como vector de ataques XML. Reemplazar '{0}' con su función equivalente defusedxml.</translation> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="155" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="178" /> <source>FTP-related functions are being called. FTP is considered insecure. Use SSH/SFTP/SCP or some other encrypted protocol.</source> <translation>Invocación de funciones relacionadas con FTP. FTP se considera inseguro. Utilizar SSH/SFTP/SCP u otro protocolo encriptado.</translation> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="160" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="183" /> <source>The input method in Python 2 will read from standard input, evaluate and run the resulting string as Python source code. This is similar, though in many ways worse, than using eval. On Python 2, use raw_input instead, input is safe in Python 3.</source> <translation>El método input en Python 2 lee desde el input estándar, evaluando y ejecutando la cadena resultante como código fuente Python. Esto es similar, aunque peor, al uso de eval. Con Python 2, utilizar raw_input en su logar, input es seguro con Python 3.</translation> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="167" /> - <source>By default, Python will create a secure, verified SSL context for use in such classes as HTTPSConnection. However, it still allows using an insecure context via the _create_unverified_context that reverts to the previous behavior that does not validate certificates or perform hostname checks.</source> - <translation>Por defecto Python creará un contexto SSL seguro y verificado para utilizar en clases como HTTPSConnection. Sin embargo, aún así permite el uso de contextos inseguros a través de _create_unverified_context que revierte al comportamient anterior sin validación de certificados o comprobación de hostname.</translation> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="175" /> - <source>Use of os.tempnam() and os.tmpnam() is vulnerable to symlink attacks. Consider using tmpfile() instead.</source> - <translation>Uso de os.tempnam() y os.tmpnam() es vulnerable a ataques symlink. Considerar el uso de tmpfile() en su lugar.</translation> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="181" /> - <source>Use of insecure {0} hash function.</source> - <translation>Uso de función de hash {0} insegura.</translation> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="185" /> - <source>A telnet-related module is being imported. Telnet is considered insecure. Use SSH or some other encrypted protocol.</source> - <translation>Se está importando un módulo relacionado con telnet. Telnet se considera inseguro. Utilizar SSH u otro protocolo encriptado.</translation> - </message> - <message> <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="190" /> + <source>By default, Python will create a secure, verified SSL context for use in such classes as HTTPSConnection. However, it still allows using an insecure context via the _create_unverified_context that reverts to the previous behavior that does not validate certificates or perform hostname checks.</source> + <translation>Por defecto Python creará un contexto SSL seguro y verificado para utilizar en clases como HTTPSConnection. Sin embargo, aún así permite el uso de contextos inseguros a través de _create_unverified_context que revierte al comportamient anterior sin validación de certificados o comprobación de hostname.</translation> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="198" /> + <source>Use of os.tempnam() and os.tmpnam() is vulnerable to symlink attacks. Consider using tmpfile() instead.</source> + <translation>Uso de os.tempnam() y os.tmpnam() es vulnerable a ataques symlink. Considerar el uso de tmpfile() en su lugar.</translation> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="204" /> + <source>Use of insecure {0} hash function.</source> + <translation>Uso de función de hash {0} insegura.</translation> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="207" /> + <source>Use of insecure {0} hash for security. Consider 'usedforsecurity=False'.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="212" /> + <source>A telnet-related module is being imported. Telnet is considered insecure. Use SSH or some other encrypted protocol.</source> + <translation>Se está importando un módulo relacionado con telnet. Telnet se considera inseguro. Utilizar SSH u otro protocolo encriptado.</translation> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="217" /> <source>A FTP-related module is being imported. FTP is considered insecure. Use SSH/SFTP/SCP or some other encrypted protocol.</source> <translation>Se está importando un módulo relacionado con FTP. FTP se considera inseguro. Usar SSH/SFTP/SCP u otro protocolo encriptado.</translation> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="199" /> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="195" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="226" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="222" /> <source>Consider possible security implications associated with the '{0}' module.</source> <translation>Considerar las posibles implicaciones de seguridad asociadas con el módulo '{0}'.</translation> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="227" /> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="221" /> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="215" /> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="209" /> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="203" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="254" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="248" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="242" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="236" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="230" /> <source>Using '{0}' to parse untrusted XML data is known to be vulnerable to XML attacks. Replace '{0}' with the equivalent defusedxml package, or make sure defusedxml.defuse_stdlib() is called.</source> <translation>El uso de '{0}' para interpretar datos XML no fiables es conocido como vector de ataques XML. Reemplazar '{0}' con su package equivalente defusedxml o asegurar que se está invocando defusedxml.defuse_stdlib().</translation> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="233" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="260" /> <source>Using '{0}' to parse untrusted XML data is known to be vulnerable to XML attacks. Replace '{0}' with the equivalent defusedxml package.</source> <translation>El uso de '{0}' para interpretar datos XML no fiables es conocido como vector de ataques XML. Reemplazar '{0}' con package equivalente defusedxml.</translation> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="239" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="266" /> <source>Using '{0}' to parse untrusted XML data is known to be vulnerable to XML attacks. Use defused.xmlrpc.monkey_patch() function to monkey-patch xmlrpclib and mitigate XML vulnerabilities.</source> <translation>El uso de '{0}' para interpretar datos XML no fiables es conocido como vector de ataques XML. Utilizar la función defused.xmlrpc.monkey_patch() para hacer 'monkey patch' con xmlrpclib y mitigar las vulnerabilidades XML.</translation> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="245" /> - <source>Consider possible security implications associated with '{0}' module.</source> - <translation>Considerar las posibles implicaciones de seguridad asociadas con el módulo '{0}'.</translation> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="249" /> - <source>The pyCrypto library and its module '{0}' are no longer actively maintained and have been deprecated. Consider using pyca/cryptography library.</source> - <translation>La biblioteca pyCrypto y su módulo '{0}' ya no tienen mantenimiento y se han deprecado. Considerar el uso de la biblioteca pyca/cryptography.</translation> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="256" /> - <source>'requests' call with verify=False disabling SSL certificate checks, security issue.</source> - <translation>Llamada 'requests' con verify=False deshabilitando comprobaciones de certificado SSL, problema de seguridad.</translation> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="262" /> - <source>'ssl.wrap_socket' call with insecure SSL/TLS protocol version identified, security issue.</source> - <translation>Llamada 'ssl.wrap_socket' con versión de protocolo SSL/TLS insegura identificada, problema de seguridad.</translation> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="267" /> - <source>'SSL.Context' call with insecure SSL/TLS protocol version identified, security issue.</source> - <translation>Llamada 'SSL.Context' con versión de protocolo SSL/TLS insegura identificada, problema de seguridad.</translation> - </message> - <message> <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="272" /> - <source>Function call with insecure SSL/TLS protocol version identified, security issue.</source> - <translation>Llamada a Function con versión de protocolo SSL/TLS insegura identificada, problema de seguridad.</translation> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="277" /> - <source>Function definition identified with insecure SSL/TLS protocol version by default, possible security issue.</source> - <translation>Definición de función con versión de protocolo SSL/TLS insegura identificada, posible problema de seguridad.</translation> + <source>Consider possible security implications associated with '{0}' module.</source> + <translation>Considerar las posibles implicaciones de seguridad asociadas con el módulo '{0}'.</translation> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="276" /> + <source>The pyCrypto library and its module '{0}' are no longer actively maintained and have been deprecated. Consider using pyca/cryptography library.</source> + <translation>La biblioteca pyCrypto y su módulo '{0}' ya no tienen mantenimiento y se han deprecado. Considerar el uso de la biblioteca pyca/cryptography.</translation> </message> <message> <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="282" /> - <source>'ssl.wrap_socket' call with no SSL/TLS protocol version specified, the default 'SSLv23' could be insecure, possible security issue.</source> - <translation>Llamada 'ssl.wrap_socket' sin versión de protocolo SSL/TLS especificada, el valor por defecto 'SSLv23' puede ser inseguro, posible problema de seguridad.</translation> + <source>An IPMI-related module is being imported. IPMI is considered insecure. Use an encrypted protocol.</source> + <translation type="unfinished" /> </message> <message> <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="288" /> + <source>'requests' call with verify=False disabling SSL certificate checks, security issue.</source> + <translation>Llamada 'requests' con verify=False deshabilitando comprobaciones de certificado SSL, problema de seguridad.</translation> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="294" /> + <source>'ssl.wrap_socket' call with insecure SSL/TLS protocol version identified, security issue.</source> + <translation>Llamada 'ssl.wrap_socket' con versión de protocolo SSL/TLS insegura identificada, problema de seguridad.</translation> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="299" /> + <source>'SSL.Context' call with insecure SSL/TLS protocol version identified, security issue.</source> + <translation>Llamada 'SSL.Context' con versión de protocolo SSL/TLS insegura identificada, problema de seguridad.</translation> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="304" /> + <source>Function call with insecure SSL/TLS protocol version identified, security issue.</source> + <translation>Llamada a Function con versión de protocolo SSL/TLS insegura identificada, problema de seguridad.</translation> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="309" /> + <source>Function definition identified with insecure SSL/TLS protocol version by default, possible security issue.</source> + <translation>Definición de función con versión de protocolo SSL/TLS insegura identificada, posible problema de seguridad.</translation> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="314" /> + <source>'ssl.wrap_socket' call with no SSL/TLS protocol version specified, the default 'SSLv23' could be insecure, possible security issue.</source> + <translation>Llamada 'ssl.wrap_socket' sin versión de protocolo SSL/TLS especificada, el valor por defecto 'SSLv23' puede ser inseguro, posible problema de seguridad.</translation> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="320" /> <source>{0} key sizes below {1:d} bits are considered breakable.</source> <translation>Tamaños {0} de clave por debajo de {1:d} bits se consideran frágiles.</translation> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="292" /> - <source>Use of unsafe 'yaml.load()'. Allows instantiation of arbitrary objects. Consider 'yaml.safe_load()'.</source> - <translation>Uso de 'yaml.load()' no seguro. Permite la instanciación de objetos arbitrarios. Considerar 'yaml.safe_load()'.</translation> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="298" /> - <source>Paramiko call with policy set to automatically trust the unknown host key.</source> - <translation>Llamada Paramiko con política de asignar automáticamente relación de confianza a una clave de host desconocido.</translation> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="303" /> - <source>Possible shell injection via 'Paramiko' call, check inputs are properly sanitized.</source> - <translation>Posible inyección de shell vía llamada 'Paramiko', comprobar que las entradas se han sanitizado adecuadamente.</translation> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="308" /> - <source>'subprocess' call with shell=True seems safe, but may be changed in the future, consider rewriting without shell</source> - <translation>La llamada 'subprocess' con shell=True parece segura, pero puede cambiar en el futuro, considerar reimplementación sin shell</translation> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="313" /> - <source>'subprocess' call with shell=True identified, security issue.</source> - <translation>Llamada 'subprocess' sin shell=True identificada, problema de seguridad.</translation> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="316" /> - <source>'subprocess' call - check for execution of untrusted input.</source> - <translation>Llamada 'subprocess' - comprobar la ejecución de inputs de no confianza.</translation> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="319" /> - <source>Function call with shell=True parameter identified, possible security issue.</source> - <translation>Llamada a función con parámetro shell=True identificada, posible problema de seguridad.</translation> - </message> - <message> <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="324" /> - <source>Starting a process with a shell: Seems safe, but may be changed in the future, consider rewriting without shell</source> - <translation>Inicio de un proceso con una shell: Aparentemente seguro, pero esto puede cambiar en el futuro, considerar reimplementación sin shell</translation> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="329" /> - <source>Starting a process with a shell, possible injection detected, security issue.</source> - <translation>Iniciar un proceso con una shell, posible inyeción detectada, problema de seguridad.</translation> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="334" /> - <source>Starting a process without a shell.</source> - <translation>Iniciar un proceso sin una shell.</translation> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="337" /> - <source>Starting a process with a partial executable path.</source> - <translation>Iniciar un proceso con una ruta parcialmente ejecutable.</translation> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="341" /> - <source>Possible SQL injection vector through string-based query construction.</source> - <translation>Posible vector de inyección de SQL a través de construcción de query basada en cadenas.</translation> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="346" /> - <source>Possible wildcard injection in call: {0}</source> - <translation>Posible inyección de wildcard en llamada: {0}</translation> + <source>Use of unsafe 'yaml.load()'. Allows instantiation of arbitrary objects. Consider 'yaml.safe_load()'.</source> + <translation>Uso de 'yaml.load()' no seguro. Permite la instanciación de objetos arbitrarios. Considerar 'yaml.safe_load()'.</translation> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="330" /> + <source>Paramiko call with policy set to automatically trust the unknown host key.</source> + <translation>Llamada Paramiko con política de asignar automáticamente relación de confianza a una clave de host desconocido.</translation> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="335" /> + <source>The use of SNMPv1 and SNMPv2 is insecure. You should use SNMPv3 if possible.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="339" /> + <source>You should not use SNMPv3 without encryption. noAuthNoPriv & authNoPriv is insecure.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="345" /> + <source>Possible shell injection via 'Paramiko' call, check inputs are properly sanitized.</source> + <translation>Posible inyección de shell vía llamada 'Paramiko', comprobar que las entradas se han sanitizado adecuadamente.</translation> </message> <message> <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="350" /> + <source>'subprocess' call with shell=True seems safe, but may be changed in the future, consider rewriting without shell</source> + <translation>La llamada 'subprocess' con shell=True parece segura, pero puede cambiar en el futuro, considerar reimplementación sin shell</translation> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="355" /> + <source>'subprocess' call with shell=True identified, security issue.</source> + <translation>Llamada 'subprocess' sin shell=True identificada, problema de seguridad.</translation> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="358" /> + <source>'subprocess' call - check for execution of untrusted input.</source> + <translation>Llamada 'subprocess' - comprobar la ejecución de inputs de no confianza.</translation> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="361" /> + <source>Function call with shell=True parameter identified, possible security issue.</source> + <translation>Llamada a función con parámetro shell=True identificada, posible problema de seguridad.</translation> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="366" /> + <source>Starting a process with a shell: Seems safe, but may be changed in the future, consider rewriting without shell</source> + <translation>Inicio de un proceso con una shell: Aparentemente seguro, pero esto puede cambiar en el futuro, considerar reimplementación sin shell</translation> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="371" /> + <source>Starting a process with a shell, possible injection detected, security issue.</source> + <translation>Iniciar un proceso con una shell, posible inyeción detectada, problema de seguridad.</translation> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="376" /> + <source>Starting a process without a shell.</source> + <translation>Iniciar un proceso sin una shell.</translation> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="379" /> + <source>Starting a process with a partial executable path.</source> + <translation>Iniciar un proceso con una ruta parcialmente ejecutable.</translation> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="383" /> + <source>Possible SQL injection vector through string-based query construction.</source> + <translation>Posible vector de inyección de SQL a través de construcción de query basada en cadenas.</translation> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="388" /> + <source>Possible wildcard injection in call: {0}</source> + <translation>Posible inyección de wildcard en llamada: {0}</translation> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="392" /> <source>Use of 'extra()' opens a potential SQL attack vector.</source> <translation>Uso de'extra()' abre un vector potencial de ataque SQL.</translation> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="353" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="395" /> <source>Use of 'RawSQL()' opens a potential SQL attack vector.</source> <translation>El uso de 'RawSQL()' abre un vector potencial de ataque SQL.</translation> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="357" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="399" /> <source>Using jinja2 templates with 'autoescape=False' is dangerous and can lead to XSS. Use 'autoescape=True' or use the 'select_autoescape' function to mitigate XSS vulnerabilities.</source> <translation>El uso de plantillas jinja2 con 'autoescape=False' es peligroso y puede conducir a XSS. Usar 'autoescape=True' o usar la función 'select_autoescape' para mitigar vulnerabilidades XSS.</translation> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="363" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="405" /> <source>By default, jinja2 sets 'autoescape' to False. Consider using 'autoescape=True' or use the 'select_autoescape' function to mitigate XSS vulnerabilities.</source> <translation>Por defecto, jinja2 establece 'autoescape' a False. Considerar el uso de 'autoescape=True' o de la función 'select_autoescape' para mitigar vulnerabilidades XSS.</translation> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="370" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="412" /> <source>Mako templates allow HTML/JS rendering by default and are inherently open to XSS attacks. Ensure variables in all templates are properly sanitized via the 'n', 'h' or 'x' flags (depending on context). For example, to HTML escape the variable 'data' do ${{ data |h }}.</source> <translation>Las plantillas Mako permiten dibujado de HTML/JS por defecto y son inherentemente abiertas a ataques XSS. Asegurar que las variables en todas las plantillas se sanitizan apropiadamente con la flags 'n', 'h' o 'x' (dependiendo del contexto). Por ejemplo, para hacer un HTML escape de la avariable 'data', hacer ${{ data |h }}.</translation> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="378" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="420" /> <source>Potential XSS on 'mark_safe()' function.</source> <translation>Potencial XSS en la función 'mark_safe()'.</translation> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="382" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="424" /> <source>Possible hardcoded AWS access key ID: {0}</source> <translation>Posible clave de acceso a AWS con código duro: {0}</translation> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="385" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="427" /> <source>Possible hardcoded AWS secret access key: {0}</source> <translation>Posible clave secreta de acceso a AWS con código duro: {0}</translation> </message>
--- a/src/eric7/i18n/eric7_fr.ts Tue Sep 13 19:46:19 2022 +0200 +++ b/src/eric7/i18n/eric7_fr.ts Tue Sep 13 20:00:55 2022 +0200 @@ -65892,293 +65892,343 @@ <translation type="unfinished" /> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="49" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="48" /> + <source>'contextlib.suppress()' detected.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="50" /> + <source>Requests call without timeout.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="51" /> + <source>Requests call with timeout set to None.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="56" /> <source>A Flask app appears to be run with debug=True, which exposes the Werkzeug debugger and allows the execution of arbitrary code.</source> <translation type="unfinished" /> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="55" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="62" /> + <source>Usage of 'tarfile.extractall(members=function(tarfile))'. Make sure your function properly discards dangerous members ({0}).</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="67" /> + <source>Found 'tarfile.extractall(members=?)' but couldn't identify the type of members. Check if the members were properly validated ({0}).</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="72" /> + <source>'tarfile.extractall()' used without any validation. Please check and discard dangerous members.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="78" /> <source>Pickle and modules that wrap it can be unsafe when used to deserialize untrusted data, possible security issue.</source> <translation type="unfinished" /> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="60" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="83" /> <source>Deserialization with the marshal module is possibly dangerous.</source> <translation type="unfinished" /> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="63" /> - <source>Use of insecure MD2, MD4, MD5, or SHA1 hash function.</source> - <translation type="unfinished" /> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="66" /> - <source>Use of insecure cipher '{0}'. Replace with a known secure cipher such as AES.</source> - <translation type="unfinished" /> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="71" /> - <source>Use of insecure cipher mode '{0}'.</source> - <translation type="unfinished" /> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="74" /> - <source>Use of insecure and deprecated function (mktemp).</source> - <translation type="unfinished" /> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="77" /> - <source>Use of possibly insecure function - consider using safer ast.literal_eval.</source> - <translation type="unfinished" /> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="81" /> - <source>Use of mark_safe() may expose cross-site scripting vulnerabilities and should be reviewed.</source> - <translation type="unfinished" /> - </message> - <message> <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="86" /> - <source>Use of HTTPSConnection on older versions of Python prior to 2.7.9 and 3.4.3 do not provide security, see https://wiki.openstack.org/wiki/OSSN/OSSN-0033</source> - <translation type="unfinished" /> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="92" /> - <source>Audit url open for permitted schemes. Allowing use of file:/ or custom schemes is often unexpected.</source> + <source>Use of insecure MD2, MD4, MD5, or SHA1 hash function.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="89" /> + <source>Use of insecure cipher '{0}'. Replace with a known secure cipher such as AES.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="94" /> + <source>Use of insecure cipher mode '{0}'.</source> <translation type="unfinished" /> </message> <message> <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="97" /> + <source>Use of insecure and deprecated function (mktemp).</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="100" /> + <source>Use of possibly insecure function - consider using safer ast.literal_eval.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="104" /> + <source>Use of mark_safe() may expose cross-site scripting vulnerabilities and should be reviewed.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="109" /> + <source>Use of HTTPSConnection on older versions of Python prior to 2.7.9 and 3.4.3 do not provide security, see https://wiki.openstack.org/wiki/OSSN/OSSN-0033</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="115" /> + <source>Audit url open for permitted schemes. Allowing use of file:/ or custom schemes is often unexpected.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="120" /> <source>Standard pseudo-random generators are not suitable for security/cryptographic purposes.</source> <translation type="unfinished" /> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="102" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="125" /> <source>Telnet-related functions are being called. Telnet is considered insecure. Use SSH or some other encrypted protocol.</source> <translation type="unfinished" /> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="143" /> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="137" /> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="131" /> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="125" /> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="119" /> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="113" /> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="107" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="166" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="160" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="154" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="148" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="142" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="136" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="130" /> <source>Using '{0}' to parse untrusted XML data is known to be vulnerable to XML attacks. Replace '{0}' with its defusedxml equivalent function or make sure defusedxml.defuse_stdlib() is called.</source> <translation type="unfinished" /> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="149" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="172" /> <source>Using '{0}' to parse untrusted XML data is known to be vulnerable to XML attacks. Replace '{0}' with its defusedxml equivalent function.</source> <translation type="unfinished" /> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="155" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="178" /> <source>FTP-related functions are being called. FTP is considered insecure. Use SSH/SFTP/SCP or some other encrypted protocol.</source> <translation type="unfinished" /> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="160" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="183" /> <source>The input method in Python 2 will read from standard input, evaluate and run the resulting string as Python source code. This is similar, though in many ways worse, than using eval. On Python 2, use raw_input instead, input is safe in Python 3.</source> <translation type="unfinished" /> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="167" /> - <source>By default, Python will create a secure, verified SSL context for use in such classes as HTTPSConnection. However, it still allows using an insecure context via the _create_unverified_context that reverts to the previous behavior that does not validate certificates or perform hostname checks.</source> - <translation type="unfinished" /> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="175" /> - <source>Use of os.tempnam() and os.tmpnam() is vulnerable to symlink attacks. Consider using tmpfile() instead.</source> - <translation type="unfinished" /> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="181" /> - <source>Use of insecure {0} hash function.</source> - <translation type="unfinished" /> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="185" /> - <source>A telnet-related module is being imported. Telnet is considered insecure. Use SSH or some other encrypted protocol.</source> - <translation type="unfinished" /> - </message> - <message> <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="190" /> + <source>By default, Python will create a secure, verified SSL context for use in such classes as HTTPSConnection. However, it still allows using an insecure context via the _create_unverified_context that reverts to the previous behavior that does not validate certificates or perform hostname checks.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="198" /> + <source>Use of os.tempnam() and os.tmpnam() is vulnerable to symlink attacks. Consider using tmpfile() instead.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="204" /> + <source>Use of insecure {0} hash function.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="207" /> + <source>Use of insecure {0} hash for security. Consider 'usedforsecurity=False'.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="212" /> + <source>A telnet-related module is being imported. Telnet is considered insecure. Use SSH or some other encrypted protocol.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="217" /> <source>A FTP-related module is being imported. FTP is considered insecure. Use SSH/SFTP/SCP or some other encrypted protocol.</source> <translation type="unfinished" /> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="199" /> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="195" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="226" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="222" /> <source>Consider possible security implications associated with the '{0}' module.</source> <translation type="unfinished" /> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="227" /> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="221" /> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="215" /> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="209" /> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="203" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="254" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="248" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="242" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="236" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="230" /> <source>Using '{0}' to parse untrusted XML data is known to be vulnerable to XML attacks. Replace '{0}' with the equivalent defusedxml package, or make sure defusedxml.defuse_stdlib() is called.</source> <translation type="unfinished" /> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="233" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="260" /> <source>Using '{0}' to parse untrusted XML data is known to be vulnerable to XML attacks. Replace '{0}' with the equivalent defusedxml package.</source> <translation type="unfinished" /> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="239" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="266" /> <source>Using '{0}' to parse untrusted XML data is known to be vulnerable to XML attacks. Use defused.xmlrpc.monkey_patch() function to monkey-patch xmlrpclib and mitigate XML vulnerabilities.</source> <translation type="unfinished" /> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="245" /> - <source>Consider possible security implications associated with '{0}' module.</source> - <translation type="unfinished" /> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="249" /> - <source>The pyCrypto library and its module '{0}' are no longer actively maintained and have been deprecated. Consider using pyca/cryptography library.</source> - <translation type="unfinished" /> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="256" /> - <source>'requests' call with verify=False disabling SSL certificate checks, security issue.</source> - <translation type="unfinished" /> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="262" /> - <source>'ssl.wrap_socket' call with insecure SSL/TLS protocol version identified, security issue.</source> - <translation type="unfinished" /> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="267" /> - <source>'SSL.Context' call with insecure SSL/TLS protocol version identified, security issue.</source> - <translation type="unfinished" /> - </message> - <message> <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="272" /> - <source>Function call with insecure SSL/TLS protocol version identified, security issue.</source> - <translation type="unfinished" /> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="277" /> - <source>Function definition identified with insecure SSL/TLS protocol version by default, possible security issue.</source> + <source>Consider possible security implications associated with '{0}' module.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="276" /> + <source>The pyCrypto library and its module '{0}' are no longer actively maintained and have been deprecated. Consider using pyca/cryptography library.</source> <translation type="unfinished" /> </message> <message> <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="282" /> - <source>'ssl.wrap_socket' call with no SSL/TLS protocol version specified, the default 'SSLv23' could be insecure, possible security issue.</source> + <source>An IPMI-related module is being imported. IPMI is considered insecure. Use an encrypted protocol.</source> <translation type="unfinished" /> </message> <message> <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="288" /> + <source>'requests' call with verify=False disabling SSL certificate checks, security issue.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="294" /> + <source>'ssl.wrap_socket' call with insecure SSL/TLS protocol version identified, security issue.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="299" /> + <source>'SSL.Context' call with insecure SSL/TLS protocol version identified, security issue.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="304" /> + <source>Function call with insecure SSL/TLS protocol version identified, security issue.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="309" /> + <source>Function definition identified with insecure SSL/TLS protocol version by default, possible security issue.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="314" /> + <source>'ssl.wrap_socket' call with no SSL/TLS protocol version specified, the default 'SSLv23' could be insecure, possible security issue.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="320" /> <source>{0} key sizes below {1:d} bits are considered breakable.</source> <translation type="unfinished" /> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="292" /> - <source>Use of unsafe 'yaml.load()'. Allows instantiation of arbitrary objects. Consider 'yaml.safe_load()'.</source> - <translation type="unfinished" /> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="298" /> - <source>Paramiko call with policy set to automatically trust the unknown host key.</source> - <translation type="unfinished" /> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="303" /> - <source>Possible shell injection via 'Paramiko' call, check inputs are properly sanitized.</source> - <translation type="unfinished" /> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="308" /> - <source>'subprocess' call with shell=True seems safe, but may be changed in the future, consider rewriting without shell</source> - <translation type="unfinished" /> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="313" /> - <source>'subprocess' call with shell=True identified, security issue.</source> - <translation type="unfinished" /> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="316" /> - <source>'subprocess' call - check for execution of untrusted input.</source> - <translation type="unfinished" /> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="319" /> - <source>Function call with shell=True parameter identified, possible security issue.</source> - <translation type="unfinished" /> - </message> - <message> <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="324" /> - <source>Starting a process with a shell: Seems safe, but may be changed in the future, consider rewriting without shell</source> - <translation type="unfinished" /> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="329" /> - <source>Starting a process with a shell, possible injection detected, security issue.</source> - <translation type="unfinished" /> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="334" /> - <source>Starting a process without a shell.</source> - <translation type="unfinished" /> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="337" /> - <source>Starting a process with a partial executable path.</source> - <translation type="unfinished" /> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="341" /> - <source>Possible SQL injection vector through string-based query construction.</source> - <translation type="unfinished" /> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="346" /> - <source>Possible wildcard injection in call: {0}</source> + <source>Use of unsafe 'yaml.load()'. Allows instantiation of arbitrary objects. Consider 'yaml.safe_load()'.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="330" /> + <source>Paramiko call with policy set to automatically trust the unknown host key.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="335" /> + <source>The use of SNMPv1 and SNMPv2 is insecure. You should use SNMPv3 if possible.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="339" /> + <source>You should not use SNMPv3 without encryption. noAuthNoPriv & authNoPriv is insecure.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="345" /> + <source>Possible shell injection via 'Paramiko' call, check inputs are properly sanitized.</source> <translation type="unfinished" /> </message> <message> <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="350" /> + <source>'subprocess' call with shell=True seems safe, but may be changed in the future, consider rewriting without shell</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="355" /> + <source>'subprocess' call with shell=True identified, security issue.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="358" /> + <source>'subprocess' call - check for execution of untrusted input.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="361" /> + <source>Function call with shell=True parameter identified, possible security issue.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="366" /> + <source>Starting a process with a shell: Seems safe, but may be changed in the future, consider rewriting without shell</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="371" /> + <source>Starting a process with a shell, possible injection detected, security issue.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="376" /> + <source>Starting a process without a shell.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="379" /> + <source>Starting a process with a partial executable path.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="383" /> + <source>Possible SQL injection vector through string-based query construction.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="388" /> + <source>Possible wildcard injection in call: {0}</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="392" /> <source>Use of 'extra()' opens a potential SQL attack vector.</source> <translation type="unfinished" /> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="353" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="395" /> <source>Use of 'RawSQL()' opens a potential SQL attack vector.</source> <translation type="unfinished" /> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="357" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="399" /> <source>Using jinja2 templates with 'autoescape=False' is dangerous and can lead to XSS. Use 'autoescape=True' or use the 'select_autoescape' function to mitigate XSS vulnerabilities.</source> <translation type="unfinished" /> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="363" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="405" /> <source>By default, jinja2 sets 'autoescape' to False. Consider using 'autoescape=True' or use the 'select_autoescape' function to mitigate XSS vulnerabilities.</source> <translation type="unfinished" /> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="370" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="412" /> <source>Mako templates allow HTML/JS rendering by default and are inherently open to XSS attacks. Ensure variables in all templates are properly sanitized via the 'n', 'h' or 'x' flags (depending on context). For example, to HTML escape the variable 'data' do ${{ data |h }}.</source> <translation type="unfinished" /> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="378" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="420" /> <source>Potential XSS on 'mark_safe()' function.</source> <translation type="unfinished" /> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="382" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="424" /> <source>Possible hardcoded AWS access key ID: {0}</source> <translation type="unfinished" /> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="385" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="427" /> <source>Possible hardcoded AWS secret access key: {0}</source> <translation type="unfinished" /> </message>
--- a/src/eric7/i18n/eric7_it.ts Tue Sep 13 19:46:19 2022 +0200 +++ b/src/eric7/i18n/eric7_it.ts Tue Sep 13 20:00:55 2022 +0200 @@ -65841,293 +65841,343 @@ <translation type="unfinished" /> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="49" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="48" /> + <source>'contextlib.suppress()' detected.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="50" /> + <source>Requests call without timeout.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="51" /> + <source>Requests call with timeout set to None.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="56" /> <source>A Flask app appears to be run with debug=True, which exposes the Werkzeug debugger and allows the execution of arbitrary code.</source> <translation type="unfinished" /> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="55" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="62" /> + <source>Usage of 'tarfile.extractall(members=function(tarfile))'. Make sure your function properly discards dangerous members ({0}).</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="67" /> + <source>Found 'tarfile.extractall(members=?)' but couldn't identify the type of members. Check if the members were properly validated ({0}).</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="72" /> + <source>'tarfile.extractall()' used without any validation. Please check and discard dangerous members.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="78" /> <source>Pickle and modules that wrap it can be unsafe when used to deserialize untrusted data, possible security issue.</source> <translation type="unfinished" /> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="60" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="83" /> <source>Deserialization with the marshal module is possibly dangerous.</source> <translation type="unfinished" /> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="63" /> - <source>Use of insecure MD2, MD4, MD5, or SHA1 hash function.</source> - <translation type="unfinished" /> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="66" /> - <source>Use of insecure cipher '{0}'. Replace with a known secure cipher such as AES.</source> - <translation type="unfinished" /> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="71" /> - <source>Use of insecure cipher mode '{0}'.</source> - <translation type="unfinished" /> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="74" /> - <source>Use of insecure and deprecated function (mktemp).</source> - <translation type="unfinished" /> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="77" /> - <source>Use of possibly insecure function - consider using safer ast.literal_eval.</source> - <translation type="unfinished" /> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="81" /> - <source>Use of mark_safe() may expose cross-site scripting vulnerabilities and should be reviewed.</source> - <translation type="unfinished" /> - </message> - <message> <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="86" /> - <source>Use of HTTPSConnection on older versions of Python prior to 2.7.9 and 3.4.3 do not provide security, see https://wiki.openstack.org/wiki/OSSN/OSSN-0033</source> - <translation type="unfinished" /> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="92" /> - <source>Audit url open for permitted schemes. Allowing use of file:/ or custom schemes is often unexpected.</source> + <source>Use of insecure MD2, MD4, MD5, or SHA1 hash function.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="89" /> + <source>Use of insecure cipher '{0}'. Replace with a known secure cipher such as AES.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="94" /> + <source>Use of insecure cipher mode '{0}'.</source> <translation type="unfinished" /> </message> <message> <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="97" /> + <source>Use of insecure and deprecated function (mktemp).</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="100" /> + <source>Use of possibly insecure function - consider using safer ast.literal_eval.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="104" /> + <source>Use of mark_safe() may expose cross-site scripting vulnerabilities and should be reviewed.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="109" /> + <source>Use of HTTPSConnection on older versions of Python prior to 2.7.9 and 3.4.3 do not provide security, see https://wiki.openstack.org/wiki/OSSN/OSSN-0033</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="115" /> + <source>Audit url open for permitted schemes. Allowing use of file:/ or custom schemes is often unexpected.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="120" /> <source>Standard pseudo-random generators are not suitable for security/cryptographic purposes.</source> <translation type="unfinished" /> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="102" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="125" /> <source>Telnet-related functions are being called. Telnet is considered insecure. Use SSH or some other encrypted protocol.</source> <translation type="unfinished" /> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="143" /> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="137" /> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="131" /> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="125" /> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="119" /> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="113" /> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="107" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="166" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="160" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="154" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="148" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="142" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="136" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="130" /> <source>Using '{0}' to parse untrusted XML data is known to be vulnerable to XML attacks. Replace '{0}' with its defusedxml equivalent function or make sure defusedxml.defuse_stdlib() is called.</source> <translation type="unfinished" /> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="149" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="172" /> <source>Using '{0}' to parse untrusted XML data is known to be vulnerable to XML attacks. Replace '{0}' with its defusedxml equivalent function.</source> <translation type="unfinished" /> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="155" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="178" /> <source>FTP-related functions are being called. FTP is considered insecure. Use SSH/SFTP/SCP or some other encrypted protocol.</source> <translation type="unfinished" /> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="160" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="183" /> <source>The input method in Python 2 will read from standard input, evaluate and run the resulting string as Python source code. This is similar, though in many ways worse, than using eval. On Python 2, use raw_input instead, input is safe in Python 3.</source> <translation type="unfinished" /> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="167" /> - <source>By default, Python will create a secure, verified SSL context for use in such classes as HTTPSConnection. However, it still allows using an insecure context via the _create_unverified_context that reverts to the previous behavior that does not validate certificates or perform hostname checks.</source> - <translation type="unfinished" /> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="175" /> - <source>Use of os.tempnam() and os.tmpnam() is vulnerable to symlink attacks. Consider using tmpfile() instead.</source> - <translation type="unfinished" /> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="181" /> - <source>Use of insecure {0} hash function.</source> - <translation type="unfinished" /> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="185" /> - <source>A telnet-related module is being imported. Telnet is considered insecure. Use SSH or some other encrypted protocol.</source> - <translation type="unfinished" /> - </message> - <message> <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="190" /> + <source>By default, Python will create a secure, verified SSL context for use in such classes as HTTPSConnection. However, it still allows using an insecure context via the _create_unverified_context that reverts to the previous behavior that does not validate certificates or perform hostname checks.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="198" /> + <source>Use of os.tempnam() and os.tmpnam() is vulnerable to symlink attacks. Consider using tmpfile() instead.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="204" /> + <source>Use of insecure {0} hash function.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="207" /> + <source>Use of insecure {0} hash for security. Consider 'usedforsecurity=False'.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="212" /> + <source>A telnet-related module is being imported. Telnet is considered insecure. Use SSH or some other encrypted protocol.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="217" /> <source>A FTP-related module is being imported. FTP is considered insecure. Use SSH/SFTP/SCP or some other encrypted protocol.</source> <translation type="unfinished" /> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="199" /> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="195" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="226" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="222" /> <source>Consider possible security implications associated with the '{0}' module.</source> <translation type="unfinished" /> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="227" /> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="221" /> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="215" /> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="209" /> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="203" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="254" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="248" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="242" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="236" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="230" /> <source>Using '{0}' to parse untrusted XML data is known to be vulnerable to XML attacks. Replace '{0}' with the equivalent defusedxml package, or make sure defusedxml.defuse_stdlib() is called.</source> <translation type="unfinished" /> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="233" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="260" /> <source>Using '{0}' to parse untrusted XML data is known to be vulnerable to XML attacks. Replace '{0}' with the equivalent defusedxml package.</source> <translation type="unfinished" /> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="239" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="266" /> <source>Using '{0}' to parse untrusted XML data is known to be vulnerable to XML attacks. Use defused.xmlrpc.monkey_patch() function to monkey-patch xmlrpclib and mitigate XML vulnerabilities.</source> <translation type="unfinished" /> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="245" /> - <source>Consider possible security implications associated with '{0}' module.</source> - <translation type="unfinished" /> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="249" /> - <source>The pyCrypto library and its module '{0}' are no longer actively maintained and have been deprecated. Consider using pyca/cryptography library.</source> - <translation type="unfinished" /> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="256" /> - <source>'requests' call with verify=False disabling SSL certificate checks, security issue.</source> - <translation type="unfinished" /> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="262" /> - <source>'ssl.wrap_socket' call with insecure SSL/TLS protocol version identified, security issue.</source> - <translation type="unfinished" /> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="267" /> - <source>'SSL.Context' call with insecure SSL/TLS protocol version identified, security issue.</source> - <translation type="unfinished" /> - </message> - <message> <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="272" /> - <source>Function call with insecure SSL/TLS protocol version identified, security issue.</source> - <translation type="unfinished" /> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="277" /> - <source>Function definition identified with insecure SSL/TLS protocol version by default, possible security issue.</source> + <source>Consider possible security implications associated with '{0}' module.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="276" /> + <source>The pyCrypto library and its module '{0}' are no longer actively maintained and have been deprecated. Consider using pyca/cryptography library.</source> <translation type="unfinished" /> </message> <message> <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="282" /> - <source>'ssl.wrap_socket' call with no SSL/TLS protocol version specified, the default 'SSLv23' could be insecure, possible security issue.</source> + <source>An IPMI-related module is being imported. IPMI is considered insecure. Use an encrypted protocol.</source> <translation type="unfinished" /> </message> <message> <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="288" /> + <source>'requests' call with verify=False disabling SSL certificate checks, security issue.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="294" /> + <source>'ssl.wrap_socket' call with insecure SSL/TLS protocol version identified, security issue.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="299" /> + <source>'SSL.Context' call with insecure SSL/TLS protocol version identified, security issue.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="304" /> + <source>Function call with insecure SSL/TLS protocol version identified, security issue.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="309" /> + <source>Function definition identified with insecure SSL/TLS protocol version by default, possible security issue.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="314" /> + <source>'ssl.wrap_socket' call with no SSL/TLS protocol version specified, the default 'SSLv23' could be insecure, possible security issue.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="320" /> <source>{0} key sizes below {1:d} bits are considered breakable.</source> <translation type="unfinished" /> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="292" /> - <source>Use of unsafe 'yaml.load()'. Allows instantiation of arbitrary objects. Consider 'yaml.safe_load()'.</source> - <translation type="unfinished" /> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="298" /> - <source>Paramiko call with policy set to automatically trust the unknown host key.</source> - <translation type="unfinished" /> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="303" /> - <source>Possible shell injection via 'Paramiko' call, check inputs are properly sanitized.</source> - <translation type="unfinished" /> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="308" /> - <source>'subprocess' call with shell=True seems safe, but may be changed in the future, consider rewriting without shell</source> - <translation type="unfinished" /> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="313" /> - <source>'subprocess' call with shell=True identified, security issue.</source> - <translation type="unfinished" /> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="316" /> - <source>'subprocess' call - check for execution of untrusted input.</source> - <translation type="unfinished" /> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="319" /> - <source>Function call with shell=True parameter identified, possible security issue.</source> - <translation type="unfinished" /> - </message> - <message> <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="324" /> - <source>Starting a process with a shell: Seems safe, but may be changed in the future, consider rewriting without shell</source> - <translation type="unfinished" /> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="329" /> - <source>Starting a process with a shell, possible injection detected, security issue.</source> - <translation type="unfinished" /> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="334" /> - <source>Starting a process without a shell.</source> - <translation type="unfinished" /> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="337" /> - <source>Starting a process with a partial executable path.</source> - <translation type="unfinished" /> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="341" /> - <source>Possible SQL injection vector through string-based query construction.</source> - <translation type="unfinished" /> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="346" /> - <source>Possible wildcard injection in call: {0}</source> + <source>Use of unsafe 'yaml.load()'. Allows instantiation of arbitrary objects. Consider 'yaml.safe_load()'.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="330" /> + <source>Paramiko call with policy set to automatically trust the unknown host key.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="335" /> + <source>The use of SNMPv1 and SNMPv2 is insecure. You should use SNMPv3 if possible.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="339" /> + <source>You should not use SNMPv3 without encryption. noAuthNoPriv & authNoPriv is insecure.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="345" /> + <source>Possible shell injection via 'Paramiko' call, check inputs are properly sanitized.</source> <translation type="unfinished" /> </message> <message> <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="350" /> + <source>'subprocess' call with shell=True seems safe, but may be changed in the future, consider rewriting without shell</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="355" /> + <source>'subprocess' call with shell=True identified, security issue.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="358" /> + <source>'subprocess' call - check for execution of untrusted input.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="361" /> + <source>Function call with shell=True parameter identified, possible security issue.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="366" /> + <source>Starting a process with a shell: Seems safe, but may be changed in the future, consider rewriting without shell</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="371" /> + <source>Starting a process with a shell, possible injection detected, security issue.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="376" /> + <source>Starting a process without a shell.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="379" /> + <source>Starting a process with a partial executable path.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="383" /> + <source>Possible SQL injection vector through string-based query construction.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="388" /> + <source>Possible wildcard injection in call: {0}</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="392" /> <source>Use of 'extra()' opens a potential SQL attack vector.</source> <translation type="unfinished" /> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="353" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="395" /> <source>Use of 'RawSQL()' opens a potential SQL attack vector.</source> <translation type="unfinished" /> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="357" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="399" /> <source>Using jinja2 templates with 'autoescape=False' is dangerous and can lead to XSS. Use 'autoescape=True' or use the 'select_autoescape' function to mitigate XSS vulnerabilities.</source> <translation type="unfinished" /> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="363" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="405" /> <source>By default, jinja2 sets 'autoescape' to False. Consider using 'autoescape=True' or use the 'select_autoescape' function to mitigate XSS vulnerabilities.</source> <translation type="unfinished" /> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="370" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="412" /> <source>Mako templates allow HTML/JS rendering by default and are inherently open to XSS attacks. Ensure variables in all templates are properly sanitized via the 'n', 'h' or 'x' flags (depending on context). For example, to HTML escape the variable 'data' do ${{ data |h }}.</source> <translation type="unfinished" /> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="378" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="420" /> <source>Potential XSS on 'mark_safe()' function.</source> <translation type="unfinished" /> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="382" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="424" /> <source>Possible hardcoded AWS access key ID: {0}</source> <translation type="unfinished" /> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="385" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="427" /> <source>Possible hardcoded AWS secret access key: {0}</source> <translation type="unfinished" /> </message>
--- a/src/eric7/i18n/eric7_pt.ts Tue Sep 13 19:46:19 2022 +0200 +++ b/src/eric7/i18n/eric7_pt.ts Tue Sep 13 20:00:55 2022 +0200 @@ -65743,293 +65743,343 @@ <translation type="unfinished" /> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="49" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="48" /> + <source>'contextlib.suppress()' detected.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="50" /> + <source>Requests call without timeout.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="51" /> + <source>Requests call with timeout set to None.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="56" /> <source>A Flask app appears to be run with debug=True, which exposes the Werkzeug debugger and allows the execution of arbitrary code.</source> <translation type="unfinished" /> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="55" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="62" /> + <source>Usage of 'tarfile.extractall(members=function(tarfile))'. Make sure your function properly discards dangerous members ({0}).</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="67" /> + <source>Found 'tarfile.extractall(members=?)' but couldn't identify the type of members. Check if the members were properly validated ({0}).</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="72" /> + <source>'tarfile.extractall()' used without any validation. Please check and discard dangerous members.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="78" /> <source>Pickle and modules that wrap it can be unsafe when used to deserialize untrusted data, possible security issue.</source> <translation type="unfinished" /> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="60" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="83" /> <source>Deserialization with the marshal module is possibly dangerous.</source> <translation type="unfinished" /> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="63" /> - <source>Use of insecure MD2, MD4, MD5, or SHA1 hash function.</source> - <translation type="unfinished" /> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="66" /> - <source>Use of insecure cipher '{0}'. Replace with a known secure cipher such as AES.</source> - <translation type="unfinished" /> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="71" /> - <source>Use of insecure cipher mode '{0}'.</source> - <translation type="unfinished" /> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="74" /> - <source>Use of insecure and deprecated function (mktemp).</source> - <translation type="unfinished" /> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="77" /> - <source>Use of possibly insecure function - consider using safer ast.literal_eval.</source> - <translation type="unfinished" /> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="81" /> - <source>Use of mark_safe() may expose cross-site scripting vulnerabilities and should be reviewed.</source> - <translation type="unfinished" /> - </message> - <message> <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="86" /> - <source>Use of HTTPSConnection on older versions of Python prior to 2.7.9 and 3.4.3 do not provide security, see https://wiki.openstack.org/wiki/OSSN/OSSN-0033</source> - <translation type="unfinished" /> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="92" /> - <source>Audit url open for permitted schemes. Allowing use of file:/ or custom schemes is often unexpected.</source> + <source>Use of insecure MD2, MD4, MD5, or SHA1 hash function.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="89" /> + <source>Use of insecure cipher '{0}'. Replace with a known secure cipher such as AES.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="94" /> + <source>Use of insecure cipher mode '{0}'.</source> <translation type="unfinished" /> </message> <message> <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="97" /> + <source>Use of insecure and deprecated function (mktemp).</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="100" /> + <source>Use of possibly insecure function - consider using safer ast.literal_eval.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="104" /> + <source>Use of mark_safe() may expose cross-site scripting vulnerabilities and should be reviewed.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="109" /> + <source>Use of HTTPSConnection on older versions of Python prior to 2.7.9 and 3.4.3 do not provide security, see https://wiki.openstack.org/wiki/OSSN/OSSN-0033</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="115" /> + <source>Audit url open for permitted schemes. Allowing use of file:/ or custom schemes is often unexpected.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="120" /> <source>Standard pseudo-random generators are not suitable for security/cryptographic purposes.</source> <translation type="unfinished" /> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="102" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="125" /> <source>Telnet-related functions are being called. Telnet is considered insecure. Use SSH or some other encrypted protocol.</source> <translation type="unfinished" /> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="143" /> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="137" /> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="131" /> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="125" /> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="119" /> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="113" /> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="107" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="166" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="160" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="154" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="148" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="142" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="136" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="130" /> <source>Using '{0}' to parse untrusted XML data is known to be vulnerable to XML attacks. Replace '{0}' with its defusedxml equivalent function or make sure defusedxml.defuse_stdlib() is called.</source> <translation type="unfinished" /> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="149" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="172" /> <source>Using '{0}' to parse untrusted XML data is known to be vulnerable to XML attacks. Replace '{0}' with its defusedxml equivalent function.</source> <translation type="unfinished" /> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="155" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="178" /> <source>FTP-related functions are being called. FTP is considered insecure. Use SSH/SFTP/SCP or some other encrypted protocol.</source> <translation type="unfinished" /> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="160" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="183" /> <source>The input method in Python 2 will read from standard input, evaluate and run the resulting string as Python source code. This is similar, though in many ways worse, than using eval. On Python 2, use raw_input instead, input is safe in Python 3.</source> <translation type="unfinished" /> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="167" /> - <source>By default, Python will create a secure, verified SSL context for use in such classes as HTTPSConnection. However, it still allows using an insecure context via the _create_unverified_context that reverts to the previous behavior that does not validate certificates or perform hostname checks.</source> - <translation type="unfinished" /> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="175" /> - <source>Use of os.tempnam() and os.tmpnam() is vulnerable to symlink attacks. Consider using tmpfile() instead.</source> - <translation type="unfinished" /> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="181" /> - <source>Use of insecure {0} hash function.</source> - <translation type="unfinished" /> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="185" /> - <source>A telnet-related module is being imported. Telnet is considered insecure. Use SSH or some other encrypted protocol.</source> - <translation type="unfinished" /> - </message> - <message> <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="190" /> + <source>By default, Python will create a secure, verified SSL context for use in such classes as HTTPSConnection. However, it still allows using an insecure context via the _create_unverified_context that reverts to the previous behavior that does not validate certificates or perform hostname checks.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="198" /> + <source>Use of os.tempnam() and os.tmpnam() is vulnerable to symlink attacks. Consider using tmpfile() instead.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="204" /> + <source>Use of insecure {0} hash function.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="207" /> + <source>Use of insecure {0} hash for security. Consider 'usedforsecurity=False'.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="212" /> + <source>A telnet-related module is being imported. Telnet is considered insecure. Use SSH or some other encrypted protocol.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="217" /> <source>A FTP-related module is being imported. FTP is considered insecure. Use SSH/SFTP/SCP or some other encrypted protocol.</source> <translation type="unfinished" /> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="199" /> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="195" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="226" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="222" /> <source>Consider possible security implications associated with the '{0}' module.</source> <translation type="unfinished" /> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="227" /> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="221" /> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="215" /> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="209" /> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="203" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="254" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="248" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="242" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="236" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="230" /> <source>Using '{0}' to parse untrusted XML data is known to be vulnerable to XML attacks. Replace '{0}' with the equivalent defusedxml package, or make sure defusedxml.defuse_stdlib() is called.</source> <translation type="unfinished" /> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="233" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="260" /> <source>Using '{0}' to parse untrusted XML data is known to be vulnerable to XML attacks. Replace '{0}' with the equivalent defusedxml package.</source> <translation type="unfinished" /> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="239" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="266" /> <source>Using '{0}' to parse untrusted XML data is known to be vulnerable to XML attacks. Use defused.xmlrpc.monkey_patch() function to monkey-patch xmlrpclib and mitigate XML vulnerabilities.</source> <translation type="unfinished" /> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="245" /> - <source>Consider possible security implications associated with '{0}' module.</source> - <translation type="unfinished" /> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="249" /> - <source>The pyCrypto library and its module '{0}' are no longer actively maintained and have been deprecated. Consider using pyca/cryptography library.</source> - <translation type="unfinished" /> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="256" /> - <source>'requests' call with verify=False disabling SSL certificate checks, security issue.</source> - <translation type="unfinished" /> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="262" /> - <source>'ssl.wrap_socket' call with insecure SSL/TLS protocol version identified, security issue.</source> - <translation type="unfinished" /> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="267" /> - <source>'SSL.Context' call with insecure SSL/TLS protocol version identified, security issue.</source> - <translation type="unfinished" /> - </message> - <message> <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="272" /> - <source>Function call with insecure SSL/TLS protocol version identified, security issue.</source> - <translation type="unfinished" /> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="277" /> - <source>Function definition identified with insecure SSL/TLS protocol version by default, possible security issue.</source> + <source>Consider possible security implications associated with '{0}' module.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="276" /> + <source>The pyCrypto library and its module '{0}' are no longer actively maintained and have been deprecated. Consider using pyca/cryptography library.</source> <translation type="unfinished" /> </message> <message> <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="282" /> - <source>'ssl.wrap_socket' call with no SSL/TLS protocol version specified, the default 'SSLv23' could be insecure, possible security issue.</source> + <source>An IPMI-related module is being imported. IPMI is considered insecure. Use an encrypted protocol.</source> <translation type="unfinished" /> </message> <message> <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="288" /> + <source>'requests' call with verify=False disabling SSL certificate checks, security issue.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="294" /> + <source>'ssl.wrap_socket' call with insecure SSL/TLS protocol version identified, security issue.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="299" /> + <source>'SSL.Context' call with insecure SSL/TLS protocol version identified, security issue.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="304" /> + <source>Function call with insecure SSL/TLS protocol version identified, security issue.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="309" /> + <source>Function definition identified with insecure SSL/TLS protocol version by default, possible security issue.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="314" /> + <source>'ssl.wrap_socket' call with no SSL/TLS protocol version specified, the default 'SSLv23' could be insecure, possible security issue.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="320" /> <source>{0} key sizes below {1:d} bits are considered breakable.</source> <translation type="unfinished" /> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="292" /> - <source>Use of unsafe 'yaml.load()'. Allows instantiation of arbitrary objects. Consider 'yaml.safe_load()'.</source> - <translation type="unfinished" /> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="298" /> - <source>Paramiko call with policy set to automatically trust the unknown host key.</source> - <translation type="unfinished" /> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="303" /> - <source>Possible shell injection via 'Paramiko' call, check inputs are properly sanitized.</source> - <translation type="unfinished" /> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="308" /> - <source>'subprocess' call with shell=True seems safe, but may be changed in the future, consider rewriting without shell</source> - <translation type="unfinished" /> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="313" /> - <source>'subprocess' call with shell=True identified, security issue.</source> - <translation type="unfinished" /> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="316" /> - <source>'subprocess' call - check for execution of untrusted input.</source> - <translation type="unfinished" /> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="319" /> - <source>Function call with shell=True parameter identified, possible security issue.</source> - <translation type="unfinished" /> - </message> - <message> <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="324" /> - <source>Starting a process with a shell: Seems safe, but may be changed in the future, consider rewriting without shell</source> - <translation type="unfinished" /> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="329" /> - <source>Starting a process with a shell, possible injection detected, security issue.</source> - <translation type="unfinished" /> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="334" /> - <source>Starting a process without a shell.</source> - <translation type="unfinished" /> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="337" /> - <source>Starting a process with a partial executable path.</source> - <translation type="unfinished" /> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="341" /> - <source>Possible SQL injection vector through string-based query construction.</source> - <translation type="unfinished" /> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="346" /> - <source>Possible wildcard injection in call: {0}</source> + <source>Use of unsafe 'yaml.load()'. Allows instantiation of arbitrary objects. Consider 'yaml.safe_load()'.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="330" /> + <source>Paramiko call with policy set to automatically trust the unknown host key.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="335" /> + <source>The use of SNMPv1 and SNMPv2 is insecure. You should use SNMPv3 if possible.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="339" /> + <source>You should not use SNMPv3 without encryption. noAuthNoPriv & authNoPriv is insecure.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="345" /> + <source>Possible shell injection via 'Paramiko' call, check inputs are properly sanitized.</source> <translation type="unfinished" /> </message> <message> <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="350" /> + <source>'subprocess' call with shell=True seems safe, but may be changed in the future, consider rewriting without shell</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="355" /> + <source>'subprocess' call with shell=True identified, security issue.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="358" /> + <source>'subprocess' call - check for execution of untrusted input.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="361" /> + <source>Function call with shell=True parameter identified, possible security issue.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="366" /> + <source>Starting a process with a shell: Seems safe, but may be changed in the future, consider rewriting without shell</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="371" /> + <source>Starting a process with a shell, possible injection detected, security issue.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="376" /> + <source>Starting a process without a shell.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="379" /> + <source>Starting a process with a partial executable path.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="383" /> + <source>Possible SQL injection vector through string-based query construction.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="388" /> + <source>Possible wildcard injection in call: {0}</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="392" /> <source>Use of 'extra()' opens a potential SQL attack vector.</source> <translation type="unfinished" /> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="353" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="395" /> <source>Use of 'RawSQL()' opens a potential SQL attack vector.</source> <translation type="unfinished" /> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="357" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="399" /> <source>Using jinja2 templates with 'autoescape=False' is dangerous and can lead to XSS. Use 'autoescape=True' or use the 'select_autoescape' function to mitigate XSS vulnerabilities.</source> <translation type="unfinished" /> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="363" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="405" /> <source>By default, jinja2 sets 'autoescape' to False. Consider using 'autoescape=True' or use the 'select_autoescape' function to mitigate XSS vulnerabilities.</source> <translation type="unfinished" /> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="370" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="412" /> <source>Mako templates allow HTML/JS rendering by default and are inherently open to XSS attacks. Ensure variables in all templates are properly sanitized via the 'n', 'h' or 'x' flags (depending on context). For example, to HTML escape the variable 'data' do ${{ data |h }}.</source> <translation type="unfinished" /> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="378" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="420" /> <source>Potential XSS on 'mark_safe()' function.</source> <translation type="unfinished" /> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="382" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="424" /> <source>Possible hardcoded AWS access key ID: {0}</source> <translation type="unfinished" /> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="385" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="427" /> <source>Possible hardcoded AWS secret access key: {0}</source> <translation type="unfinished" /> </message>
--- a/src/eric7/i18n/eric7_ru.ts Tue Sep 13 19:46:19 2022 +0200 +++ b/src/eric7/i18n/eric7_ru.ts Tue Sep 13 20:00:55 2022 +0200 @@ -66121,293 +66121,343 @@ <translation>Try, Except, Continue обнаружены.</translation> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="49" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="48" /> + <source>'contextlib.suppress()' detected.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="50" /> + <source>Requests call without timeout.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="51" /> + <source>Requests call with timeout set to None.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="56" /> <source>A Flask app appears to be run with debug=True, which exposes the Werkzeug debugger and allows the execution of arbitrary code.</source> <translation>Приложение Flask запускается с параметром 'debug=True', который предоставляет отладчик Werkzeug и позволяет выполнять произвольный код.</translation> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="55" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="62" /> + <source>Usage of 'tarfile.extractall(members=function(tarfile))'. Make sure your function properly discards dangerous members ({0}).</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="67" /> + <source>Found 'tarfile.extractall(members=?)' but couldn't identify the type of members. Check if the members were properly validated ({0}).</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="72" /> + <source>'tarfile.extractall()' used without any validation. Please check and discard dangerous members.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="78" /> <source>Pickle and modules that wrap it can be unsafe when used to deserialize untrusted data, possible security issue.</source> <translation>Pickle и модули, которые служат его оберткой, могут быть небезопасны, когда используются для десериализации ненадежных данных, возможная проблема безопасности.</translation> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="60" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="83" /> <source>Deserialization with the marshal module is possibly dangerous.</source> <translation>Десериализация с помощью модуля marshal, возможно опасна.</translation> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="63" /> - <source>Use of insecure MD2, MD4, MD5, or SHA1 hash function.</source> - <translation>Использование небезопасной хеш-функции MD2, MD4, MD5 или SHA1.</translation> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="66" /> - <source>Use of insecure cipher '{0}'. Replace with a known secure cipher such as AES.</source> - <translation>Использование небезопасного шифра '{0}'. Замените известным безопасным шифром, таким как AES.</translation> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="71" /> - <source>Use of insecure cipher mode '{0}'.</source> - <translation>Использование небезопасного режима шифрования '{0}'.</translation> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="74" /> - <source>Use of insecure and deprecated function (mktemp).</source> - <translation>Использование небезопасной и устаревшей функции (mktemp).</translation> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="77" /> - <source>Use of possibly insecure function - consider using safer ast.literal_eval.</source> - <translation>Использование возможно небезопасной функции - рассмотрите возможность использования более безопасного ast.literal_eval.</translation> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="81" /> - <source>Use of mark_safe() may expose cross-site scripting vulnerabilities and should be reviewed.</source> - <translation>Использование mark_safe () может проявить уязвимости межсайтового скриптинга и должно быть пересмотрено.</translation> - </message> - <message> <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="86" /> - <source>Use of HTTPSConnection on older versions of Python prior to 2.7.9 and 3.4.3 do not provide security, see https://wiki.openstack.org/wiki/OSSN/OSSN-0033</source> - <translation>Использование HTTPSConnection в старых версиях Python до 2.7.9 и 3.4.3 не обеспечивает безопасность, см. https://wiki.openstack.org/wiki/OSSN/OSSN-0033</translation> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="92" /> - <source>Audit url open for permitted schemes. Allowing use of file:/ or custom schemes is often unexpected.</source> - <translation>Аудит url открыт для разрешенных схем. Разрешение использования file:/ или пользовательских схем часто бывает неожиданным.</translation> + <source>Use of insecure MD2, MD4, MD5, or SHA1 hash function.</source> + <translation>Использование небезопасной хеш-функции MD2, MD4, MD5 или SHA1.</translation> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="89" /> + <source>Use of insecure cipher '{0}'. Replace with a known secure cipher such as AES.</source> + <translation>Использование небезопасного шифра '{0}'. Замените известным безопасным шифром, таким как AES.</translation> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="94" /> + <source>Use of insecure cipher mode '{0}'.</source> + <translation>Использование небезопасного режима шифрования '{0}'.</translation> </message> <message> <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="97" /> + <source>Use of insecure and deprecated function (mktemp).</source> + <translation>Использование небезопасной и устаревшей функции (mktemp).</translation> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="100" /> + <source>Use of possibly insecure function - consider using safer ast.literal_eval.</source> + <translation>Использование возможно небезопасной функции - рассмотрите возможность использования более безопасного ast.literal_eval.</translation> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="104" /> + <source>Use of mark_safe() may expose cross-site scripting vulnerabilities and should be reviewed.</source> + <translation>Использование mark_safe () может проявить уязвимости межсайтового скриптинга и должно быть пересмотрено.</translation> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="109" /> + <source>Use of HTTPSConnection on older versions of Python prior to 2.7.9 and 3.4.3 do not provide security, see https://wiki.openstack.org/wiki/OSSN/OSSN-0033</source> + <translation>Использование HTTPSConnection в старых версиях Python до 2.7.9 и 3.4.3 не обеспечивает безопасность, см. https://wiki.openstack.org/wiki/OSSN/OSSN-0033</translation> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="115" /> + <source>Audit url open for permitted schemes. Allowing use of file:/ or custom schemes is often unexpected.</source> + <translation>Аудит url открыт для разрешенных схем. Разрешение использования file:/ или пользовательских схем часто бывает неожиданным.</translation> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="120" /> <source>Standard pseudo-random generators are not suitable for security/cryptographic purposes.</source> <translation>Стандартные псевдослучайные генераторы не подходят для целей безопасности/криптографии.</translation> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="102" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="125" /> <source>Telnet-related functions are being called. Telnet is considered insecure. Use SSH or some other encrypted protocol.</source> <translation>Вызваны функции, связанные с Telnet. Telnet считается небезопасным. Используйте SSH или другой протокол шифрования.</translation> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="143" /> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="137" /> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="131" /> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="125" /> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="119" /> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="113" /> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="107" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="166" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="160" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="154" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="148" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="142" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="136" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="130" /> <source>Using '{0}' to parse untrusted XML data is known to be vulnerable to XML attacks. Replace '{0}' with its defusedxml equivalent function or make sure defusedxml.defuse_stdlib() is called.</source> <translation>Известно, что использование '{0}' для анализа ненадежных данных XML уязвимо для атак XML. Замените '{0}' его эквивалентной функцией defusedxml или убедитесь, что вызывается defusedxml.defuse_stdlib().</translation> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="149" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="172" /> <source>Using '{0}' to parse untrusted XML data is known to be vulnerable to XML attacks. Replace '{0}' with its defusedxml equivalent function.</source> <translation>Известно, что использование '{0}' для анализа ненадежных данных XML уязвимо для атак XML. Замените '{0}' его эквивалентной функцией defusedxml.</translation> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="155" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="178" /> <source>FTP-related functions are being called. FTP is considered insecure. Use SSH/SFTP/SCP or some other encrypted protocol.</source> <translation>Вызваны связанные с FTP функции. FTP считается небезопасным. Используйте SSH/SFTP/SCP или другой протокол шифрования.</translation> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="160" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="183" /> <source>The input method in Python 2 will read from standard input, evaluate and run the resulting string as Python source code. This is similar, though in many ways worse, than using eval. On Python 2, use raw_input instead, input is safe in Python 3.</source> <translation>The input method in Python 2 will read from standard input, evaluate and run the resulting string as Python source code. This is similar, though in many ways worse, than using eval. On Python 2, use raw_input instead, input is safe in Python 3.</translation> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="167" /> - <source>By default, Python will create a secure, verified SSL context for use in such classes as HTTPSConnection. However, it still allows using an insecure context via the _create_unverified_context that reverts to the previous behavior that does not validate certificates or perform hostname checks.</source> - <translation>По умолчанию Python создаст безопасный проверенный контекст SSL для использования в таких классах, как HTTPSConnection. Но, тем не менее, он все еще позволяет использовать незащищенный контекст через _create_unverified_context, который возвращается к предыдущему поведению, которое не проверяет сертификаты или не выполняет проверки имени хоста.</translation> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="175" /> - <source>Use of os.tempnam() and os.tmpnam() is vulnerable to symlink attacks. Consider using tmpfile() instead.</source> - <translation>Использование os.tempnam() и os.tmpnam() уязвимо для атак через символические ссылки. Попробуйте вместо этого использовать tmpfile().</translation> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="181" /> - <source>Use of insecure {0} hash function.</source> - <translation>Использование небезопасной хэш-функции {0}.</translation> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="185" /> - <source>A telnet-related module is being imported. Telnet is considered insecure. Use SSH or some other encrypted protocol.</source> - <translation>Импортируется модуль, связанный с telnet. Telnet считается небезопасным. Используйте SSH или другой протокол шифрования.</translation> - </message> - <message> <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="190" /> + <source>By default, Python will create a secure, verified SSL context for use in such classes as HTTPSConnection. However, it still allows using an insecure context via the _create_unverified_context that reverts to the previous behavior that does not validate certificates or perform hostname checks.</source> + <translation>По умолчанию Python создаст безопасный проверенный контекст SSL для использования в таких классах, как HTTPSConnection. Но, тем не менее, он все еще позволяет использовать незащищенный контекст через _create_unverified_context, который возвращается к предыдущему поведению, которое не проверяет сертификаты или не выполняет проверки имени хоста.</translation> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="198" /> + <source>Use of os.tempnam() and os.tmpnam() is vulnerable to symlink attacks. Consider using tmpfile() instead.</source> + <translation>Использование os.tempnam() и os.tmpnam() уязвимо для атак через символические ссылки. Попробуйте вместо этого использовать tmpfile().</translation> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="204" /> + <source>Use of insecure {0} hash function.</source> + <translation>Использование небезопасной хэш-функции {0}.</translation> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="207" /> + <source>Use of insecure {0} hash for security. Consider 'usedforsecurity=False'.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="212" /> + <source>A telnet-related module is being imported. Telnet is considered insecure. Use SSH or some other encrypted protocol.</source> + <translation>Импортируется модуль, связанный с telnet. Telnet считается небезопасным. Используйте SSH или другой протокол шифрования.</translation> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="217" /> <source>A FTP-related module is being imported. FTP is considered insecure. Use SSH/SFTP/SCP or some other encrypted protocol.</source> <translation>Импортируется модуль, связанный с FTP. FTP считается небезопасным. Используйте SSH/SFTP/SCP или другой протокол шифрования.</translation> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="199" /> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="195" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="226" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="222" /> <source>Consider possible security implications associated with the '{0}' module.</source> <translation>Учитывайте возможные последствия для безопасности, связанные с модулем {0}.</translation> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="227" /> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="221" /> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="215" /> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="209" /> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="203" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="254" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="248" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="242" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="236" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="230" /> <source>Using '{0}' to parse untrusted XML data is known to be vulnerable to XML attacks. Replace '{0}' with the equivalent defusedxml package, or make sure defusedxml.defuse_stdlib() is called.</source> <translation>Известно, что использование '{0}' для анализа ненадежных данных XML уязвимо для атак XML. Замените '{0}' эквивалентным пакетом defusedxml или убедитесь, что вызывается defusedxml.defuse_stdlib ().</translation> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="233" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="260" /> <source>Using '{0}' to parse untrusted XML data is known to be vulnerable to XML attacks. Replace '{0}' with the equivalent defusedxml package.</source> <translation>Известно, что использование '{0}' для анализа ненадежных данных XML уязвимо для XML-атак. Замените '{0}' эквивалентным пакетом defusedxml.</translation> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="239" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="266" /> <source>Using '{0}' to parse untrusted XML data is known to be vulnerable to XML attacks. Use defused.xmlrpc.monkey_patch() function to monkey-patch xmlrpclib and mitigate XML vulnerabilities.</source> <translation>Известно, что использование '{0}' для анализа ненадежных данных XML уязвимо для XML-атак. Используйте функцию defused.xmlrpc.monkey_patch(), чтобы обезопасить xmlrpclib и устранить уязвимости XML.</translation> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="245" /> - <source>Consider possible security implications associated with '{0}' module.</source> - <translation>Учтитывайте возможные последствия для безопасности, связанные с модулем '{0}'.</translation> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="249" /> - <source>The pyCrypto library and its module '{0}' are no longer actively maintained and have been deprecated. Consider using pyca/cryptography library.</source> - <translation>Библиотека pyCrypto и ее модуль '{0}' больше не поддерживаются и не рекомендуются к использованию. Подумайте об использовании библиотеки pyca/cryptography.</translation> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="256" /> - <source>'requests' call with verify=False disabling SSL certificate checks, security issue.</source> - <translation>Вызов 'request' с параметром verify = False отключает проверку SSL-сертификатов, проблема безопасности.</translation> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="262" /> - <source>'ssl.wrap_socket' call with insecure SSL/TLS protocol version identified, security issue.</source> - <translation>Вызов 'ssl.wrap_socket' с идентификацией небезопасной версии протокола SSL/TLS, проблема безопасности.</translation> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="267" /> - <source>'SSL.Context' call with insecure SSL/TLS protocol version identified, security issue.</source> - <translation>Вызов 'SSL.Context' с идентификацией небезопасной версии протокола SSL/TLS, проблема безопасности.</translation> - </message> - <message> <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="272" /> - <source>Function call with insecure SSL/TLS protocol version identified, security issue.</source> - <translation>Вызов функции с идентификацией небезопасной версии протокола SSL/TLS, проблема безопасности.</translation> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="277" /> - <source>Function definition identified with insecure SSL/TLS protocol version by default, possible security issue.</source> - <translation>Определение функции с идентификацией небезопасной версии протокола SSL/TLS по умолчанию, возможная проблема безопасности.</translation> + <source>Consider possible security implications associated with '{0}' module.</source> + <translation>Учтитывайте возможные последствия для безопасности, связанные с модулем '{0}'.</translation> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="276" /> + <source>The pyCrypto library and its module '{0}' are no longer actively maintained and have been deprecated. Consider using pyca/cryptography library.</source> + <translation>Библиотека pyCrypto и ее модуль '{0}' больше не поддерживаются и не рекомендуются к использованию. Подумайте об использовании библиотеки pyca/cryptography.</translation> </message> <message> <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="282" /> - <source>'ssl.wrap_socket' call with no SSL/TLS protocol version specified, the default 'SSLv23' could be insecure, possible security issue.</source> - <translation>Вызов 'ssl.wrap_socket' без указания версии протокола SSL/TLS, по умолчанию 'SSLv23', может быть небезопасным, возможна проблема безопасности.</translation> + <source>An IPMI-related module is being imported. IPMI is considered insecure. Use an encrypted protocol.</source> + <translation type="unfinished" /> </message> <message> <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="288" /> + <source>'requests' call with verify=False disabling SSL certificate checks, security issue.</source> + <translation>Вызов 'request' с параметром verify = False отключает проверку SSL-сертификатов, проблема безопасности.</translation> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="294" /> + <source>'ssl.wrap_socket' call with insecure SSL/TLS protocol version identified, security issue.</source> + <translation>Вызов 'ssl.wrap_socket' с идентификацией небезопасной версии протокола SSL/TLS, проблема безопасности.</translation> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="299" /> + <source>'SSL.Context' call with insecure SSL/TLS protocol version identified, security issue.</source> + <translation>Вызов 'SSL.Context' с идентификацией небезопасной версии протокола SSL/TLS, проблема безопасности.</translation> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="304" /> + <source>Function call with insecure SSL/TLS protocol version identified, security issue.</source> + <translation>Вызов функции с идентификацией небезопасной версии протокола SSL/TLS, проблема безопасности.</translation> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="309" /> + <source>Function definition identified with insecure SSL/TLS protocol version by default, possible security issue.</source> + <translation>Определение функции с идентификацией небезопасной версии протокола SSL/TLS по умолчанию, возможная проблема безопасности.</translation> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="314" /> + <source>'ssl.wrap_socket' call with no SSL/TLS protocol version specified, the default 'SSLv23' could be insecure, possible security issue.</source> + <translation>Вызов 'ssl.wrap_socket' без указания версии протокола SSL/TLS, по умолчанию 'SSLv23', может быть небезопасным, возможна проблема безопасности.</translation> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="320" /> <source>{0} key sizes below {1:d} bits are considered breakable.</source> <translation>Размеры ключей {0} меньше {1:d} битов считаются разрушаемыми.</translation> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="292" /> - <source>Use of unsafe 'yaml.load()'. Allows instantiation of arbitrary objects. Consider 'yaml.safe_load()'.</source> - <translation>Использование небезопасного 'yaml.load()'. Позволяет создавать экземпляры произвольных объектов. Рассмотрите yaml.safe_load().</translation> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="298" /> - <source>Paramiko call with policy set to automatically trust the unknown host key.</source> - <translation>Вызов Paramiko с установленной политикой автоматического доверия неизвестному ключу хоста.</translation> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="303" /> - <source>Possible shell injection via 'Paramiko' call, check inputs are properly sanitized.</source> - <translation>Возможно введение оболочки через вызов 'Paramiko', проверьте правильность санации входов.</translation> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="308" /> - <source>'subprocess' call with shell=True seems safe, but may be changed in the future, consider rewriting without shell</source> - <translation>Вызов 'subprocess' с параметром shell=True кажется безопасным, но может быть изменен в будущем, подумайте о перезаписи без shell</translation> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="313" /> - <source>'subprocess' call with shell=True identified, security issue.</source> - <translation>Идентифицирован вызов 'subprocess' с параметром shell = True, проблема безопасности.</translation> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="316" /> - <source>'subprocess' call - check for execution of untrusted input.</source> - <translation>вызов 'subprocess' - проверка выполнения ненадежного ввода.</translation> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="319" /> - <source>Function call with shell=True parameter identified, possible security issue.</source> - <translation>Идентифицирован вызов функции с параметром shell = True, возможна проблема безопасности.</translation> - </message> - <message> <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="324" /> - <source>Starting a process with a shell: Seems safe, but may be changed in the future, consider rewriting without shell</source> - <translation>Запуск процесса с shell: кажется безопасным, но в будущем может быть изменен, подумайте о переписывании без shell</translation> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="329" /> - <source>Starting a process with a shell, possible injection detected, security issue.</source> - <translation>Запуск процесса с shell, обнаружение возможного внедрения, проблема безопасности.</translation> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="334" /> - <source>Starting a process without a shell.</source> - <translation>Запуск процесса без shell.</translation> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="337" /> - <source>Starting a process with a partial executable path.</source> - <translation>Запуск процесса с частичным исполняемым путем.</translation> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="341" /> - <source>Possible SQL injection vector through string-based query construction.</source> - <translation>Возможный вектор внедрения SQL через построение строки на основе запроса.</translation> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="346" /> - <source>Possible wildcard injection in call: {0}</source> - <translation>Возможно введение символа подстановки при вызове: {0}</translation> + <source>Use of unsafe 'yaml.load()'. Allows instantiation of arbitrary objects. Consider 'yaml.safe_load()'.</source> + <translation>Использование небезопасного 'yaml.load()'. Позволяет создавать экземпляры произвольных объектов. Рассмотрите yaml.safe_load().</translation> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="330" /> + <source>Paramiko call with policy set to automatically trust the unknown host key.</source> + <translation>Вызов Paramiko с установленной политикой автоматического доверия неизвестному ключу хоста.</translation> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="335" /> + <source>The use of SNMPv1 and SNMPv2 is insecure. You should use SNMPv3 if possible.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="339" /> + <source>You should not use SNMPv3 without encryption. noAuthNoPriv & authNoPriv is insecure.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="345" /> + <source>Possible shell injection via 'Paramiko' call, check inputs are properly sanitized.</source> + <translation>Возможно введение оболочки через вызов 'Paramiko', проверьте правильность санации входов.</translation> </message> <message> <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="350" /> + <source>'subprocess' call with shell=True seems safe, but may be changed in the future, consider rewriting without shell</source> + <translation>Вызов 'subprocess' с параметром shell=True кажется безопасным, но может быть изменен в будущем, подумайте о перезаписи без shell</translation> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="355" /> + <source>'subprocess' call with shell=True identified, security issue.</source> + <translation>Идентифицирован вызов 'subprocess' с параметром shell = True, проблема безопасности.</translation> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="358" /> + <source>'subprocess' call - check for execution of untrusted input.</source> + <translation>вызов 'subprocess' - проверка выполнения ненадежного ввода.</translation> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="361" /> + <source>Function call with shell=True parameter identified, possible security issue.</source> + <translation>Идентифицирован вызов функции с параметром shell = True, возможна проблема безопасности.</translation> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="366" /> + <source>Starting a process with a shell: Seems safe, but may be changed in the future, consider rewriting without shell</source> + <translation>Запуск процесса с shell: кажется безопасным, но в будущем может быть изменен, подумайте о переписывании без shell</translation> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="371" /> + <source>Starting a process with a shell, possible injection detected, security issue.</source> + <translation>Запуск процесса с shell, обнаружение возможного внедрения, проблема безопасности.</translation> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="376" /> + <source>Starting a process without a shell.</source> + <translation>Запуск процесса без shell.</translation> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="379" /> + <source>Starting a process with a partial executable path.</source> + <translation>Запуск процесса с частичным исполняемым путем.</translation> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="383" /> + <source>Possible SQL injection vector through string-based query construction.</source> + <translation>Возможный вектор внедрения SQL через построение строки на основе запроса.</translation> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="388" /> + <source>Possible wildcard injection in call: {0}</source> + <translation>Возможно введение символа подстановки при вызове: {0}</translation> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="392" /> <source>Use of 'extra()' opens a potential SQL attack vector.</source> <translation>Использование 'extra()' открывает потенциальный вектор атаки SQL.</translation> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="353" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="395" /> <source>Use of 'RawSQL()' opens a potential SQL attack vector.</source> <translation>Использование «RawSQL()» открывает потенциальный вектор атаки SQL.</translation> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="357" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="399" /> <source>Using jinja2 templates with 'autoescape=False' is dangerous and can lead to XSS. Use 'autoescape=True' or use the 'select_autoescape' function to mitigate XSS vulnerabilities.</source> <translation>Использование шаблонов jinja2 с 'autoescape=False' опасно и может привести к XSS. Используйте 'autoescape=True' или используйте функцию 'select_autoescape' для устранения уязвимостей XSS.</translation> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="363" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="405" /> <source>By default, jinja2 sets 'autoescape' to False. Consider using 'autoescape=True' or use the 'select_autoescape' function to mitigate XSS vulnerabilities.</source> <translation>По умолчанию jinja2 устанавливает для 'autoescape' значение False. Рекомендуется использовать 'autoescape=True' или использовать функцию 'select_autoescape' для устранения уязвимостей XSS.</translation> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="370" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="412" /> <source>Mako templates allow HTML/JS rendering by default and are inherently open to XSS attacks. Ensure variables in all templates are properly sanitized via the 'n', 'h' or 'x' flags (depending on context). For example, to HTML escape the variable 'data' do ${{ data |h }}.</source> <translation>Шаблоны Mako разрешают рендеринг HTML/JS по умолчанию и по своей природе открыты для атак XSS. Убедитесь, что переменные во всех шаблонах должным образом очищены с помощью флагов 'n', 'h' или 'x' (в зависимости от контекста). Например, для экранирования HTML используйте переменную 'data', выполните ${{ data |h }}.</translation> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="378" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="420" /> <source>Potential XSS on 'mark_safe()' function.</source> <translation>Потенциальный XSS на функцию 'mark_safe()'.</translation> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="382" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="424" /> <source>Possible hardcoded AWS access key ID: {0}</source> <translation>Возможный жестко закодированный идентификатор ключа доступа AWS: {0}</translation> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="385" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="427" /> <source>Possible hardcoded AWS secret access key: {0}</source> <translation>Возможный жестко закодированный секретный ключ доступа AWS: {0}</translation> </message>
--- a/src/eric7/i18n/eric7_tr.ts Tue Sep 13 19:46:19 2022 +0200 +++ b/src/eric7/i18n/eric7_tr.ts Tue Sep 13 20:00:55 2022 +0200 @@ -65692,293 +65692,343 @@ <translation type="unfinished" /> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="49" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="48" /> + <source>'contextlib.suppress()' detected.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="50" /> + <source>Requests call without timeout.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="51" /> + <source>Requests call with timeout set to None.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="56" /> <source>A Flask app appears to be run with debug=True, which exposes the Werkzeug debugger and allows the execution of arbitrary code.</source> <translation type="unfinished" /> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="55" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="62" /> + <source>Usage of 'tarfile.extractall(members=function(tarfile))'. Make sure your function properly discards dangerous members ({0}).</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="67" /> + <source>Found 'tarfile.extractall(members=?)' but couldn't identify the type of members. Check if the members were properly validated ({0}).</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="72" /> + <source>'tarfile.extractall()' used without any validation. Please check and discard dangerous members.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="78" /> <source>Pickle and modules that wrap it can be unsafe when used to deserialize untrusted data, possible security issue.</source> <translation type="unfinished" /> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="60" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="83" /> <source>Deserialization with the marshal module is possibly dangerous.</source> <translation type="unfinished" /> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="63" /> - <source>Use of insecure MD2, MD4, MD5, or SHA1 hash function.</source> - <translation type="unfinished" /> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="66" /> - <source>Use of insecure cipher '{0}'. Replace with a known secure cipher such as AES.</source> - <translation type="unfinished" /> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="71" /> - <source>Use of insecure cipher mode '{0}'.</source> - <translation type="unfinished" /> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="74" /> - <source>Use of insecure and deprecated function (mktemp).</source> - <translation type="unfinished" /> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="77" /> - <source>Use of possibly insecure function - consider using safer ast.literal_eval.</source> - <translation type="unfinished" /> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="81" /> - <source>Use of mark_safe() may expose cross-site scripting vulnerabilities and should be reviewed.</source> - <translation type="unfinished" /> - </message> - <message> <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="86" /> - <source>Use of HTTPSConnection on older versions of Python prior to 2.7.9 and 3.4.3 do not provide security, see https://wiki.openstack.org/wiki/OSSN/OSSN-0033</source> - <translation type="unfinished" /> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="92" /> - <source>Audit url open for permitted schemes. Allowing use of file:/ or custom schemes is often unexpected.</source> + <source>Use of insecure MD2, MD4, MD5, or SHA1 hash function.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="89" /> + <source>Use of insecure cipher '{0}'. Replace with a known secure cipher such as AES.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="94" /> + <source>Use of insecure cipher mode '{0}'.</source> <translation type="unfinished" /> </message> <message> <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="97" /> + <source>Use of insecure and deprecated function (mktemp).</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="100" /> + <source>Use of possibly insecure function - consider using safer ast.literal_eval.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="104" /> + <source>Use of mark_safe() may expose cross-site scripting vulnerabilities and should be reviewed.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="109" /> + <source>Use of HTTPSConnection on older versions of Python prior to 2.7.9 and 3.4.3 do not provide security, see https://wiki.openstack.org/wiki/OSSN/OSSN-0033</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="115" /> + <source>Audit url open for permitted schemes. Allowing use of file:/ or custom schemes is often unexpected.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="120" /> <source>Standard pseudo-random generators are not suitable for security/cryptographic purposes.</source> <translation type="unfinished" /> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="102" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="125" /> <source>Telnet-related functions are being called. Telnet is considered insecure. Use SSH or some other encrypted protocol.</source> <translation type="unfinished" /> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="143" /> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="137" /> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="131" /> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="125" /> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="119" /> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="113" /> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="107" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="166" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="160" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="154" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="148" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="142" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="136" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="130" /> <source>Using '{0}' to parse untrusted XML data is known to be vulnerable to XML attacks. Replace '{0}' with its defusedxml equivalent function or make sure defusedxml.defuse_stdlib() is called.</source> <translation type="unfinished" /> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="149" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="172" /> <source>Using '{0}' to parse untrusted XML data is known to be vulnerable to XML attacks. Replace '{0}' with its defusedxml equivalent function.</source> <translation type="unfinished" /> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="155" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="178" /> <source>FTP-related functions are being called. FTP is considered insecure. Use SSH/SFTP/SCP or some other encrypted protocol.</source> <translation type="unfinished" /> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="160" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="183" /> <source>The input method in Python 2 will read from standard input, evaluate and run the resulting string as Python source code. This is similar, though in many ways worse, than using eval. On Python 2, use raw_input instead, input is safe in Python 3.</source> <translation type="unfinished" /> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="167" /> - <source>By default, Python will create a secure, verified SSL context for use in such classes as HTTPSConnection. However, it still allows using an insecure context via the _create_unverified_context that reverts to the previous behavior that does not validate certificates or perform hostname checks.</source> - <translation type="unfinished" /> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="175" /> - <source>Use of os.tempnam() and os.tmpnam() is vulnerable to symlink attacks. Consider using tmpfile() instead.</source> - <translation type="unfinished" /> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="181" /> - <source>Use of insecure {0} hash function.</source> - <translation type="unfinished" /> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="185" /> - <source>A telnet-related module is being imported. Telnet is considered insecure. Use SSH or some other encrypted protocol.</source> - <translation type="unfinished" /> - </message> - <message> <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="190" /> + <source>By default, Python will create a secure, verified SSL context for use in such classes as HTTPSConnection. However, it still allows using an insecure context via the _create_unverified_context that reverts to the previous behavior that does not validate certificates or perform hostname checks.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="198" /> + <source>Use of os.tempnam() and os.tmpnam() is vulnerable to symlink attacks. Consider using tmpfile() instead.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="204" /> + <source>Use of insecure {0} hash function.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="207" /> + <source>Use of insecure {0} hash for security. Consider 'usedforsecurity=False'.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="212" /> + <source>A telnet-related module is being imported. Telnet is considered insecure. Use SSH or some other encrypted protocol.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="217" /> <source>A FTP-related module is being imported. FTP is considered insecure. Use SSH/SFTP/SCP or some other encrypted protocol.</source> <translation type="unfinished" /> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="199" /> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="195" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="226" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="222" /> <source>Consider possible security implications associated with the '{0}' module.</source> <translation type="unfinished" /> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="227" /> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="221" /> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="215" /> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="209" /> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="203" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="254" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="248" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="242" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="236" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="230" /> <source>Using '{0}' to parse untrusted XML data is known to be vulnerable to XML attacks. Replace '{0}' with the equivalent defusedxml package, or make sure defusedxml.defuse_stdlib() is called.</source> <translation type="unfinished" /> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="233" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="260" /> <source>Using '{0}' to parse untrusted XML data is known to be vulnerable to XML attacks. Replace '{0}' with the equivalent defusedxml package.</source> <translation type="unfinished" /> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="239" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="266" /> <source>Using '{0}' to parse untrusted XML data is known to be vulnerable to XML attacks. Use defused.xmlrpc.monkey_patch() function to monkey-patch xmlrpclib and mitigate XML vulnerabilities.</source> <translation type="unfinished" /> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="245" /> - <source>Consider possible security implications associated with '{0}' module.</source> - <translation type="unfinished" /> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="249" /> - <source>The pyCrypto library and its module '{0}' are no longer actively maintained and have been deprecated. Consider using pyca/cryptography library.</source> - <translation type="unfinished" /> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="256" /> - <source>'requests' call with verify=False disabling SSL certificate checks, security issue.</source> - <translation type="unfinished" /> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="262" /> - <source>'ssl.wrap_socket' call with insecure SSL/TLS protocol version identified, security issue.</source> - <translation type="unfinished" /> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="267" /> - <source>'SSL.Context' call with insecure SSL/TLS protocol version identified, security issue.</source> - <translation type="unfinished" /> - </message> - <message> <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="272" /> - <source>Function call with insecure SSL/TLS protocol version identified, security issue.</source> - <translation type="unfinished" /> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="277" /> - <source>Function definition identified with insecure SSL/TLS protocol version by default, possible security issue.</source> + <source>Consider possible security implications associated with '{0}' module.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="276" /> + <source>The pyCrypto library and its module '{0}' are no longer actively maintained and have been deprecated. Consider using pyca/cryptography library.</source> <translation type="unfinished" /> </message> <message> <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="282" /> - <source>'ssl.wrap_socket' call with no SSL/TLS protocol version specified, the default 'SSLv23' could be insecure, possible security issue.</source> + <source>An IPMI-related module is being imported. IPMI is considered insecure. Use an encrypted protocol.</source> <translation type="unfinished" /> </message> <message> <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="288" /> + <source>'requests' call with verify=False disabling SSL certificate checks, security issue.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="294" /> + <source>'ssl.wrap_socket' call with insecure SSL/TLS protocol version identified, security issue.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="299" /> + <source>'SSL.Context' call with insecure SSL/TLS protocol version identified, security issue.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="304" /> + <source>Function call with insecure SSL/TLS protocol version identified, security issue.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="309" /> + <source>Function definition identified with insecure SSL/TLS protocol version by default, possible security issue.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="314" /> + <source>'ssl.wrap_socket' call with no SSL/TLS protocol version specified, the default 'SSLv23' could be insecure, possible security issue.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="320" /> <source>{0} key sizes below {1:d} bits are considered breakable.</source> <translation type="unfinished" /> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="292" /> - <source>Use of unsafe 'yaml.load()'. Allows instantiation of arbitrary objects. Consider 'yaml.safe_load()'.</source> - <translation type="unfinished" /> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="298" /> - <source>Paramiko call with policy set to automatically trust the unknown host key.</source> - <translation type="unfinished" /> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="303" /> - <source>Possible shell injection via 'Paramiko' call, check inputs are properly sanitized.</source> - <translation type="unfinished" /> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="308" /> - <source>'subprocess' call with shell=True seems safe, but may be changed in the future, consider rewriting without shell</source> - <translation type="unfinished" /> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="313" /> - <source>'subprocess' call with shell=True identified, security issue.</source> - <translation type="unfinished" /> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="316" /> - <source>'subprocess' call - check for execution of untrusted input.</source> - <translation type="unfinished" /> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="319" /> - <source>Function call with shell=True parameter identified, possible security issue.</source> - <translation type="unfinished" /> - </message> - <message> <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="324" /> - <source>Starting a process with a shell: Seems safe, but may be changed in the future, consider rewriting without shell</source> - <translation type="unfinished" /> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="329" /> - <source>Starting a process with a shell, possible injection detected, security issue.</source> - <translation type="unfinished" /> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="334" /> - <source>Starting a process without a shell.</source> - <translation type="unfinished" /> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="337" /> - <source>Starting a process with a partial executable path.</source> - <translation type="unfinished" /> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="341" /> - <source>Possible SQL injection vector through string-based query construction.</source> - <translation type="unfinished" /> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="346" /> - <source>Possible wildcard injection in call: {0}</source> + <source>Use of unsafe 'yaml.load()'. Allows instantiation of arbitrary objects. Consider 'yaml.safe_load()'.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="330" /> + <source>Paramiko call with policy set to automatically trust the unknown host key.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="335" /> + <source>The use of SNMPv1 and SNMPv2 is insecure. You should use SNMPv3 if possible.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="339" /> + <source>You should not use SNMPv3 without encryption. noAuthNoPriv & authNoPriv is insecure.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="345" /> + <source>Possible shell injection via 'Paramiko' call, check inputs are properly sanitized.</source> <translation type="unfinished" /> </message> <message> <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="350" /> + <source>'subprocess' call with shell=True seems safe, but may be changed in the future, consider rewriting without shell</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="355" /> + <source>'subprocess' call with shell=True identified, security issue.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="358" /> + <source>'subprocess' call - check for execution of untrusted input.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="361" /> + <source>Function call with shell=True parameter identified, possible security issue.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="366" /> + <source>Starting a process with a shell: Seems safe, but may be changed in the future, consider rewriting without shell</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="371" /> + <source>Starting a process with a shell, possible injection detected, security issue.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="376" /> + <source>Starting a process without a shell.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="379" /> + <source>Starting a process with a partial executable path.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="383" /> + <source>Possible SQL injection vector through string-based query construction.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="388" /> + <source>Possible wildcard injection in call: {0}</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="392" /> <source>Use of 'extra()' opens a potential SQL attack vector.</source> <translation type="unfinished" /> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="353" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="395" /> <source>Use of 'RawSQL()' opens a potential SQL attack vector.</source> <translation type="unfinished" /> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="357" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="399" /> <source>Using jinja2 templates with 'autoescape=False' is dangerous and can lead to XSS. Use 'autoescape=True' or use the 'select_autoescape' function to mitigate XSS vulnerabilities.</source> <translation type="unfinished" /> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="363" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="405" /> <source>By default, jinja2 sets 'autoescape' to False. Consider using 'autoescape=True' or use the 'select_autoescape' function to mitigate XSS vulnerabilities.</source> <translation type="unfinished" /> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="370" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="412" /> <source>Mako templates allow HTML/JS rendering by default and are inherently open to XSS attacks. Ensure variables in all templates are properly sanitized via the 'n', 'h' or 'x' flags (depending on context). For example, to HTML escape the variable 'data' do ${{ data |h }}.</source> <translation type="unfinished" /> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="378" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="420" /> <source>Potential XSS on 'mark_safe()' function.</source> <translation type="unfinished" /> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="382" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="424" /> <source>Possible hardcoded AWS access key ID: {0}</source> <translation type="unfinished" /> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="385" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="427" /> <source>Possible hardcoded AWS secret access key: {0}</source> <translation type="unfinished" /> </message>
--- a/src/eric7/i18n/eric7_zh_CN.ts Tue Sep 13 19:46:19 2022 +0200 +++ b/src/eric7/i18n/eric7_zh_CN.ts Tue Sep 13 20:00:55 2022 +0200 @@ -65797,293 +65797,343 @@ <translation type="unfinished" /> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="49" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="48" /> + <source>'contextlib.suppress()' detected.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="50" /> + <source>Requests call without timeout.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="51" /> + <source>Requests call with timeout set to None.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="56" /> <source>A Flask app appears to be run with debug=True, which exposes the Werkzeug debugger and allows the execution of arbitrary code.</source> <translation type="unfinished" /> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="55" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="62" /> + <source>Usage of 'tarfile.extractall(members=function(tarfile))'. Make sure your function properly discards dangerous members ({0}).</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="67" /> + <source>Found 'tarfile.extractall(members=?)' but couldn't identify the type of members. Check if the members were properly validated ({0}).</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="72" /> + <source>'tarfile.extractall()' used without any validation. Please check and discard dangerous members.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="78" /> <source>Pickle and modules that wrap it can be unsafe when used to deserialize untrusted data, possible security issue.</source> <translation type="unfinished" /> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="60" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="83" /> <source>Deserialization with the marshal module is possibly dangerous.</source> <translation type="unfinished" /> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="63" /> - <source>Use of insecure MD2, MD4, MD5, or SHA1 hash function.</source> - <translation type="unfinished" /> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="66" /> - <source>Use of insecure cipher '{0}'. Replace with a known secure cipher such as AES.</source> - <translation type="unfinished" /> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="71" /> - <source>Use of insecure cipher mode '{0}'.</source> - <translation type="unfinished" /> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="74" /> - <source>Use of insecure and deprecated function (mktemp).</source> - <translation type="unfinished" /> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="77" /> - <source>Use of possibly insecure function - consider using safer ast.literal_eval.</source> - <translation type="unfinished" /> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="81" /> - <source>Use of mark_safe() may expose cross-site scripting vulnerabilities and should be reviewed.</source> - <translation type="unfinished" /> - </message> - <message> <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="86" /> - <source>Use of HTTPSConnection on older versions of Python prior to 2.7.9 and 3.4.3 do not provide security, see https://wiki.openstack.org/wiki/OSSN/OSSN-0033</source> - <translation type="unfinished" /> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="92" /> - <source>Audit url open for permitted schemes. Allowing use of file:/ or custom schemes is often unexpected.</source> + <source>Use of insecure MD2, MD4, MD5, or SHA1 hash function.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="89" /> + <source>Use of insecure cipher '{0}'. Replace with a known secure cipher such as AES.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="94" /> + <source>Use of insecure cipher mode '{0}'.</source> <translation type="unfinished" /> </message> <message> <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="97" /> + <source>Use of insecure and deprecated function (mktemp).</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="100" /> + <source>Use of possibly insecure function - consider using safer ast.literal_eval.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="104" /> + <source>Use of mark_safe() may expose cross-site scripting vulnerabilities and should be reviewed.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="109" /> + <source>Use of HTTPSConnection on older versions of Python prior to 2.7.9 and 3.4.3 do not provide security, see https://wiki.openstack.org/wiki/OSSN/OSSN-0033</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="115" /> + <source>Audit url open for permitted schemes. Allowing use of file:/ or custom schemes is often unexpected.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="120" /> <source>Standard pseudo-random generators are not suitable for security/cryptographic purposes.</source> <translation type="unfinished" /> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="102" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="125" /> <source>Telnet-related functions are being called. Telnet is considered insecure. Use SSH or some other encrypted protocol.</source> <translation type="unfinished" /> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="143" /> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="137" /> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="131" /> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="125" /> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="119" /> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="113" /> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="107" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="166" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="160" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="154" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="148" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="142" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="136" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="130" /> <source>Using '{0}' to parse untrusted XML data is known to be vulnerable to XML attacks. Replace '{0}' with its defusedxml equivalent function or make sure defusedxml.defuse_stdlib() is called.</source> <translation type="unfinished" /> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="149" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="172" /> <source>Using '{0}' to parse untrusted XML data is known to be vulnerable to XML attacks. Replace '{0}' with its defusedxml equivalent function.</source> <translation type="unfinished" /> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="155" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="178" /> <source>FTP-related functions are being called. FTP is considered insecure. Use SSH/SFTP/SCP or some other encrypted protocol.</source> <translation type="unfinished" /> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="160" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="183" /> <source>The input method in Python 2 will read from standard input, evaluate and run the resulting string as Python source code. This is similar, though in many ways worse, than using eval. On Python 2, use raw_input instead, input is safe in Python 3.</source> <translation type="unfinished" /> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="167" /> - <source>By default, Python will create a secure, verified SSL context for use in such classes as HTTPSConnection. However, it still allows using an insecure context via the _create_unverified_context that reverts to the previous behavior that does not validate certificates or perform hostname checks.</source> - <translation type="unfinished" /> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="175" /> - <source>Use of os.tempnam() and os.tmpnam() is vulnerable to symlink attacks. Consider using tmpfile() instead.</source> - <translation type="unfinished" /> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="181" /> - <source>Use of insecure {0} hash function.</source> - <translation type="unfinished" /> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="185" /> - <source>A telnet-related module is being imported. Telnet is considered insecure. Use SSH or some other encrypted protocol.</source> - <translation type="unfinished" /> - </message> - <message> <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="190" /> + <source>By default, Python will create a secure, verified SSL context for use in such classes as HTTPSConnection. However, it still allows using an insecure context via the _create_unverified_context that reverts to the previous behavior that does not validate certificates or perform hostname checks.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="198" /> + <source>Use of os.tempnam() and os.tmpnam() is vulnerable to symlink attacks. Consider using tmpfile() instead.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="204" /> + <source>Use of insecure {0} hash function.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="207" /> + <source>Use of insecure {0} hash for security. Consider 'usedforsecurity=False'.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="212" /> + <source>A telnet-related module is being imported. Telnet is considered insecure. Use SSH or some other encrypted protocol.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="217" /> <source>A FTP-related module is being imported. FTP is considered insecure. Use SSH/SFTP/SCP or some other encrypted protocol.</source> <translation type="unfinished" /> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="199" /> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="195" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="226" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="222" /> <source>Consider possible security implications associated with the '{0}' module.</source> <translation type="unfinished" /> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="227" /> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="221" /> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="215" /> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="209" /> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="203" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="254" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="248" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="242" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="236" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="230" /> <source>Using '{0}' to parse untrusted XML data is known to be vulnerable to XML attacks. Replace '{0}' with the equivalent defusedxml package, or make sure defusedxml.defuse_stdlib() is called.</source> <translation type="unfinished" /> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="233" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="260" /> <source>Using '{0}' to parse untrusted XML data is known to be vulnerable to XML attacks. Replace '{0}' with the equivalent defusedxml package.</source> <translation type="unfinished" /> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="239" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="266" /> <source>Using '{0}' to parse untrusted XML data is known to be vulnerable to XML attacks. Use defused.xmlrpc.monkey_patch() function to monkey-patch xmlrpclib and mitigate XML vulnerabilities.</source> <translation type="unfinished" /> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="245" /> - <source>Consider possible security implications associated with '{0}' module.</source> - <translation type="unfinished" /> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="249" /> - <source>The pyCrypto library and its module '{0}' are no longer actively maintained and have been deprecated. Consider using pyca/cryptography library.</source> - <translation type="unfinished" /> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="256" /> - <source>'requests' call with verify=False disabling SSL certificate checks, security issue.</source> - <translation type="unfinished" /> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="262" /> - <source>'ssl.wrap_socket' call with insecure SSL/TLS protocol version identified, security issue.</source> - <translation type="unfinished" /> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="267" /> - <source>'SSL.Context' call with insecure SSL/TLS protocol version identified, security issue.</source> - <translation type="unfinished" /> - </message> - <message> <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="272" /> - <source>Function call with insecure SSL/TLS protocol version identified, security issue.</source> - <translation type="unfinished" /> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="277" /> - <source>Function definition identified with insecure SSL/TLS protocol version by default, possible security issue.</source> + <source>Consider possible security implications associated with '{0}' module.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="276" /> + <source>The pyCrypto library and its module '{0}' are no longer actively maintained and have been deprecated. Consider using pyca/cryptography library.</source> <translation type="unfinished" /> </message> <message> <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="282" /> - <source>'ssl.wrap_socket' call with no SSL/TLS protocol version specified, the default 'SSLv23' could be insecure, possible security issue.</source> + <source>An IPMI-related module is being imported. IPMI is considered insecure. Use an encrypted protocol.</source> <translation type="unfinished" /> </message> <message> <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="288" /> + <source>'requests' call with verify=False disabling SSL certificate checks, security issue.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="294" /> + <source>'ssl.wrap_socket' call with insecure SSL/TLS protocol version identified, security issue.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="299" /> + <source>'SSL.Context' call with insecure SSL/TLS protocol version identified, security issue.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="304" /> + <source>Function call with insecure SSL/TLS protocol version identified, security issue.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="309" /> + <source>Function definition identified with insecure SSL/TLS protocol version by default, possible security issue.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="314" /> + <source>'ssl.wrap_socket' call with no SSL/TLS protocol version specified, the default 'SSLv23' could be insecure, possible security issue.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="320" /> <source>{0} key sizes below {1:d} bits are considered breakable.</source> <translation type="unfinished" /> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="292" /> - <source>Use of unsafe 'yaml.load()'. Allows instantiation of arbitrary objects. Consider 'yaml.safe_load()'.</source> - <translation type="unfinished" /> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="298" /> - <source>Paramiko call with policy set to automatically trust the unknown host key.</source> - <translation type="unfinished" /> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="303" /> - <source>Possible shell injection via 'Paramiko' call, check inputs are properly sanitized.</source> - <translation type="unfinished" /> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="308" /> - <source>'subprocess' call with shell=True seems safe, but may be changed in the future, consider rewriting without shell</source> - <translation type="unfinished" /> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="313" /> - <source>'subprocess' call with shell=True identified, security issue.</source> - <translation type="unfinished" /> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="316" /> - <source>'subprocess' call - check for execution of untrusted input.</source> - <translation type="unfinished" /> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="319" /> - <source>Function call with shell=True parameter identified, possible security issue.</source> - <translation type="unfinished" /> - </message> - <message> <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="324" /> - <source>Starting a process with a shell: Seems safe, but may be changed in the future, consider rewriting without shell</source> - <translation type="unfinished" /> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="329" /> - <source>Starting a process with a shell, possible injection detected, security issue.</source> - <translation type="unfinished" /> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="334" /> - <source>Starting a process without a shell.</source> - <translation type="unfinished" /> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="337" /> - <source>Starting a process with a partial executable path.</source> - <translation type="unfinished" /> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="341" /> - <source>Possible SQL injection vector through string-based query construction.</source> - <translation type="unfinished" /> - </message> - <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="346" /> - <source>Possible wildcard injection in call: {0}</source> + <source>Use of unsafe 'yaml.load()'. Allows instantiation of arbitrary objects. Consider 'yaml.safe_load()'.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="330" /> + <source>Paramiko call with policy set to automatically trust the unknown host key.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="335" /> + <source>The use of SNMPv1 and SNMPv2 is insecure. You should use SNMPv3 if possible.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="339" /> + <source>You should not use SNMPv3 without encryption. noAuthNoPriv & authNoPriv is insecure.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="345" /> + <source>Possible shell injection via 'Paramiko' call, check inputs are properly sanitized.</source> <translation type="unfinished" /> </message> <message> <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="350" /> + <source>'subprocess' call with shell=True seems safe, but may be changed in the future, consider rewriting without shell</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="355" /> + <source>'subprocess' call with shell=True identified, security issue.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="358" /> + <source>'subprocess' call - check for execution of untrusted input.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="361" /> + <source>Function call with shell=True parameter identified, possible security issue.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="366" /> + <source>Starting a process with a shell: Seems safe, but may be changed in the future, consider rewriting without shell</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="371" /> + <source>Starting a process with a shell, possible injection detected, security issue.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="376" /> + <source>Starting a process without a shell.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="379" /> + <source>Starting a process with a partial executable path.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="383" /> + <source>Possible SQL injection vector through string-based query construction.</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="388" /> + <source>Possible wildcard injection in call: {0}</source> + <translation type="unfinished" /> + </message> + <message> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="392" /> <source>Use of 'extra()' opens a potential SQL attack vector.</source> <translation type="unfinished" /> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="353" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="395" /> <source>Use of 'RawSQL()' opens a potential SQL attack vector.</source> <translation type="unfinished" /> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="357" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="399" /> <source>Using jinja2 templates with 'autoescape=False' is dangerous and can lead to XSS. Use 'autoescape=True' or use the 'select_autoescape' function to mitigate XSS vulnerabilities.</source> <translation type="unfinished" /> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="363" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="405" /> <source>By default, jinja2 sets 'autoescape' to False. Consider using 'autoescape=True' or use the 'select_autoescape' function to mitigate XSS vulnerabilities.</source> <translation type="unfinished" /> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="370" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="412" /> <source>Mako templates allow HTML/JS rendering by default and are inherently open to XSS attacks. Ensure variables in all templates are properly sanitized via the 'n', 'h' or 'x' flags (depending on context). For example, to HTML escape the variable 'data' do ${{ data |h }}.</source> <translation type="unfinished" /> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="378" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="420" /> <source>Potential XSS on 'mark_safe()' function.</source> <translation type="unfinished" /> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="382" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="424" /> <source>Possible hardcoded AWS access key ID: {0}</source> <translation type="unfinished" /> </message> <message> - <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="385" /> + <location filename="../Plugins/CheckerPlugins/CodeStyleChecker/Security/translations.py" line="427" /> <source>Possible hardcoded AWS secret access key: {0}</source> <translation type="unfinished" /> </message>
