Secure Coding mailing list archives
Has anyone completed a python security code review?
From: pmeunier at cerias.net (Pascal Meunier)
Date: Wed, 7 Apr 2010 14:14:35 -0400
On Mon, 5 Apr 2010 11:08:47 -0500 "Matt Parsons" <mparsons1980 at gmail.com> wrote:
Has anyone completed a python security code review? What would you look for besides inputs, outputs and dangerous functions? Do any of the commercial static code analysis vendors scan that code? I would think not because python is not compiled at run time like the other languages that static analysis tools can scan. Any help would be greatly appreciated.
I have, on software needing to run with elevated privileges at times. All the well-known issues with filesystem operations are still there (symlink attacks, file permissions). As with any program, a Python program operating with elevated privileges in a shared folder (/tmp) or folder under another user's control is a dangerous proposition. There can be bugs that in some circumstances can become resource exhaustion vulnerabilities, for example a file descriptor leak if you use the low level file operations (in os). There can also be log pollution issues and poor randomness issues (sometimes not in the Python code itself, but in SQL). On a server-type system, multiple similar commands can create concurrency issues (race conditions), and the absence of rate limitation on expensive operations can create DoS vulnerabilities. All these were found the old fashioned way, with a code audit.

Pascal Meunier
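Two of the findings Pascal describes, a descriptor leak in low-level os file handling and symlink-safe file creation in a shared directory, as an added Python example that is not from the thread or its authors; it assumes a POSIX system (os.O_NOFOLLOW) and works only on constructed files in a scratch temporary directory.

```python
import os
import tempfile

def lowest_free_fd():
    fd = os.open(os.devnull, os.O_RDONLY)  # POSIX hands out the lowest unused fd
    os.close(fd)
    return fd

def leaky_read(path):
    fd = os.open(path, os.O_RDONLY)
    value = int(os.read(fd, 64))  # ValueError on non-numeric content...
    os.close(fd)                  # ...so this close is never reached: the leak
    return value

def safe_read(path):
    fd = os.open(path, os.O_RDONLY)
    try:
        return int(os.read(fd, 64))
    finally:
        os.close(fd)  # released on every exit path

def create_private_file(path):
    """O_EXCL and O_NOFOLLOW refuse a pre-planted symlink; 0o600 keeps it owner-only."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW
    os.close(os.open(path, flags, 0o600))
    return os.stat(path).st_mode & 0o777

def fds_leaked(reader, path):
    before = lowest_free_fd()
    try:
        reader(path)
    except ValueError:
        pass
    return lowest_free_fd() - before  # descriptors the reader left open

def demo():
    with tempfile.TemporaryDirectory() as d:
        bad = os.path.join(d, "not_a_number")
        with open(bad, "w") as f:
            f.write("oops")  # constructed malformed input
        leaks = (fds_leaked(leaky_read, bad), fds_leaked(safe_read, bad))
        link = os.path.join(d, "planted")  # constructed stand-in for a symlink left in /tmp
        os.symlink(os.path.join(d, "elsewhere"), link)
        try:
            create_private_file(link)
            refused = False
        except OSError:
            refused = True
        mode = create_private_file(os.path.join(d, "fresh"))
    return leaks, refused, mode
```

Running demo() reports one descriptor leaked by leaky_read against none for safe_read, confirms the creation refuses the planted symlink, and returns the 0o600 mode of the freshly created file.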