34
- any_other_function_with_shell_equals_true
37
- blacklist_import_func
40
- execute_with_run_as_root_equals_true
41
- hardcoded_bind_all_interfaces
43
- hardcoded_sql_expressions
44
- hardcoded_tmp_directory
45
- jinja2_autoescape_false
46
- linux_commands_wildcard_injection
48
- password_config_option_not_marked_secret
49
- request_with_no_cert_validation
50
- set_bad_file_permissions
51
- subprocess_popen_with_shell_equals_true
52
- subprocess_without_shell_equals_true
53
- start_process_with_a_shell
54
- start_process_with_no_shell
55
- start_process_with_partial_path
56
- ssl_with_bad_defaults
57
- ssl_with_bad_version
60
- use_of_mako_templates
33
64
- jinja2_autoescape_false
56
88
qualnames: [marshal.load, marshal.loads]
57
89
message: "Deserialization with the marshal module is possibly dangerous."
59
qualnames: [hashlib.md5]
60
message: "Use of insecure MD5 hash function."
91
qualnames: [hashlib.md5, Crypto.Hash.MD2.new, Crypto.Hash.MD4.new, Crypto.Hash.MD5.new, cryptography.hazmat.primitives.hashes.MD5]
92
message: "Use of insecure MD2, MD4, or MD5 hash function."
62
94
qualnames: [tempfile.mktemp]
63
95
message: "Use of insecure and deprecated function (mktemp)."
77
109
qualnames: [urllib.urlopen, urllib.urlretrieve, urllib.URLopener, urllib.FancyURLopener, urllib2.urlopen, urllib2.Request]
78
110
message: "Audit url open for permitted schemes. Allowing use of file:/ or custom schemes is often unexpected."
112
qualnames: [random.random, random.randrange, random.randint, random.choice, random.uniform, random.triangular]
113
message: "Standard pseudo-random generators are not suitable for security/cryptographic purposes."
116
# Most of this is based off of Christian Heimes' work on defusedxml:
117
# https://pypi.python.org/pypi/defusedxml/#defusedxml-sax
119
- xml_bad_cElementTree:
120
qualnames: [xml.etree.cElementTree.parse,
121
xml.etree.cElementTree.iterparse,
122
xml.etree.cElementTree.fromstring,
123
xml.etree.cElementTree.XMLParser]
124
message: "Using {func} to parse untrusted XML data is known to be vulnerable to XML attacks. Replace {func} with it's defusedxml equivilent function."
125
- xml_bad_ElementTree:
126
qualnames: [xml.etree.ElementTree.parse,
127
xml.etree.ElementTree.iterparse,
128
xml.etree.ElementTree.fromstring,
129
xml.etree.ElementTree.XMLParser]
130
message: "Using {func} to parse untrusted XML data is known to be vulnerable to XML attacks. Replace {func} with it's defusedxml equivilent function."
131
- xml_bad_expatreader:
132
qualnames: [xml.sax.expatreader.create_parser]
133
message: "Using {func} to parse untrusted XML data is known to be vulnerable to XML attacks. Replace {func} with it's defusedxml equivilent function."
134
- xml_bad_expatbuilder:
135
qualnames: [xml.dom.expatbuilder.parse,
136
xml.dom.expatbuilder.parseString]
137
message: "Using {func} to parse untrusted XML data is known to be vulnerable to XML attacks. Replace {func} with it's defusedxml equivilent function."
139
qualnames: [xml.sax.parse,
142
message: "Using {func} to parse untrusted XML data is known to be vulnerable to XML attacks. Replace {func} with it's defusedxml equivilent function."
144
qualnames: [xml.dom.minidom.parse,
145
xml.dom.minidom.parseString]
146
message: "Using {func} to parse untrusted XML data is known to be vulnerable to XML attacks. Replace {func} with it's defusedxml equivilent function."
148
qualnames: [xml.dom.pulldom.parse,
149
xml.dom.pulldom.parseString]
150
message: "Using {func} to parse untrusted XML data is known to be vulnerable to XML attacks. Replace {func} with it's defusedxml equivilent function."
152
qualnames: [lxml.etree.parse,
153
lxml.etree.fromstring,
154
lxml.etree.RestrictedElement,
155
lxml.etree.GlobalParserTLS,
156
lxml.etree.getDefaultParser,
157
lxml.etree.check_docinfo]
158
message: "Using {func} to parse untrusted XML data is known to be vulnerable to XML attacks. Replace {func} with it's defusedxml equivilent function."
81
162
# Start a process using the subprocess module, or one of its wrappers.
97
178
imports: [telnetlib]
99
180
message: "Telnet is considered insecure. Use SSH or some other encrypted protocol."
101
182
imports: [pickle, cPickle, subprocess, Crypto]
103
184
message: "Consider possible security implications associated with {module} module."
186
# Most of this is based off of Christian Heimes' work on defusedxml:
187
# https://pypi.python.org/pypi/defusedxml/#defusedxml-sax
190
imports: [xml.etree.cElementTree,
191
xml.etree.ElementTree,
194
xml.dom.expatbuilder,
199
message: "Using {module} to parse untrusted XML data is known to be vulnerable to XML attacks. Replace {module} with the equivilent defusedxml package."
203
message: "Using {module} to parse untrusted XML data is known to be vulnerable to XML attacks. Use defused.xmlrpc.monkey_patch() function to monkey-patch xmlrpclib and mitigate XML vulnerabilities."
206
hardcoded_tmp_directory:
207
tmp_dirs: ['/tmp', '/var/tmp', '/dev/shm']
105
209
hardcoded_password:
106
word_list: "wordlist/default-passwords"
210
# Support for full path, relative path and special "%(site_data_dir)s"
211
# substitution (/usr/{local}/share)
212
word_list: "%(site_data_dir)s/wordlist/default-passwords"
108
214
ssl_with_bad_version:
109
215
bad_protocol_versions: