Secure Coding mailing list archives

has anyone completed a python security code review


From: pmeunier at cerias.net (Pascal Meunier)
Date: Wed, 7 Apr 2010 14:14:35 -0400

On Mon, 5 Apr 2010 11:08:47 -0500
"Matt Parsons" <mparsons1980 at gmail.com> wrote:

Has anyone completed a python security code review?  What would you
look for besides inputs, outputs and dangerous functions?   Do any of
the commercial static code analysis vendors scan that code?  I would
think not because python is not compiled at run time like the other
languages that static analysis tools can scan.  Any help would be
greatly appreciated.   


I have, on software needing to run with elevated privileges at times.
All the well-known issues with filesystem operations are still there
(symlink attacks, file permissions).  As with any program, a Python
program operating with elevated privileges in a shared folder (/tmp) or
folder under another user's control is a dangerous proposition.  There
can be bugs that in some circumstances can become resource exhaustion
vulnerabilities, for example a file descriptor leak if you use the low
level file operations (in os).  There can also be log pollution issues
and poor randomness issues (sometimes not in the Python code itself,
but in SQL). On a server-type system, multiple similar commands can
create concurrency issues (race conditions), and the absence of rate
limitation on expensive operations can create DoS vulnerabilities. All
these were found the old fashioned way, with a code audit.

Pascal Meunier
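The filesystem points in Pascal's reply (symlink attacks and file permissions in a shared directory, descriptor leaks from the low-level `os` calls), as an added example that is not code from this thread. It assumes Python 3 on a POSIX system where `os.read` on a directory descriptor fails with `EISDIR`; the helper names are mine.

```python
import os
import tempfile

def leaky_read(path, nbytes=4096):
    # The pattern the post warns about: fd is closed only on the happy path.
    fd = os.open(path, os.O_RDONLY)
    data = os.read(fd, nbytes)  # if this raises, fd is never closed
    os.close(fd)
    return data

def safe_read(path, nbytes=4096):
    # Always close; refuse to follow symlinks; keep the fd out of children.
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_CLOEXEC)
    try:
        return os.read(fd, nbytes)
    finally:
        os.close(fd)

def create_private_file(path, data):
    # O_EXCL fails if anything (a planted symlink included) already exists
    # at path; mode 0o600 keeps the file private whatever the umask.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW, 0o600)
    try:
        os.write(fd, data)
    finally:
        os.close(fd)

def fd_leaks_after(fn, path, repeats=3):
    # POSIX hands out the lowest free fd, so the probe rises by the leak count.
    before = os.open(os.devnull, os.O_RDONLY)
    os.close(before)
    for _ in range(repeats):
        try: fn(path)
        except OSError: pass  # os.read on a directory raises; that is the point
    after = os.open(os.devnull, os.O_RDONLY)
    os.close(after)
    return after - before

def demo():
    # Run the helpers in a scratch directory (constructed) and report results.
    with tempfile.TemporaryDirectory() as d:
        target, link = os.path.join(d, "target"), os.path.join(d, "link")
        create_private_file(target, b"secret")
        os.symlink(target, link)
        try: safe_read(link)
        except OSError: link = None  # O_NOFOLLOW refused the symlink
        return {"leaked_by_leaky_read": fd_leaks_after(leaky_read, d),
                "leaked_by_safe_read": fd_leaks_after(safe_read, d),
                "content": safe_read(target),
                "private_mode": (os.stat(target).st_mode & 0o077) == 0,
                "symlink_refused": link is None}
```

Calling `demo()` shows three descriptors leaked by `leaky_read` against none by `safe_read`, a file nobody else can read, and the symlink rejected.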
