ebranca / owasp-pysec
OWASP Python Security Project
License: Apache License 2.0
https://github.com/ebranca/owasp-pysec/wiki/Unrestricted-code-execution-using-pickle
(This article should also mention that cPickle is affected as well!)
As a workaround I implemented this solution:
import cPickle
from StringIO import StringIO

def safe_loads(data):
    fd = StringIO(data)
    unpickler = cPickle.Unpickler(fd)
    unpickler.find_global = None  # with find_global unset, any GLOBAL/INST opcode raises UnpicklingError instead of importing
    return unpickler.load()
It could be suggested as a hotfix for currently vulnerable projects which need to support the current APIs. This is probably not 100% safe (I can't prove it), but it increases security a lot.
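The Python 3 counterpart of that workaround, as an added example that is not part of the issue or of owasp-pysec: instead of disabling global lookups altogether, a subclass of pickle.Unpickler overrides find_class() and admits only an allowlist of (module, name) pairs; the SAFE_GLOBALS set and the sample streams are constructed for the demonstration.

```python
import collections
import io
import pickle

# (module, name) pairs the unpickler may resolve.  Constructed for this example;
# a real application lists only the types it actually exchanges.
SAFE_GLOBALS = frozenset({("collections", "OrderedDict")})

class RestrictedUnpickler(pickle.Unpickler):
    """Python 3 counterpart of the ``find_global = None`` workaround: find_class()
    admits only allowlisted names and rejects the stream on anything else."""

    def __init__(self, file, allowed=SAFE_GLOBALS):
        super().__init__(file)
        self.allowed = allowed

    def find_class(self, module, name):
        if (module, name) in self.allowed:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(
            "forbidden global %s.%s in pickle stream" % (module, name))

def restricted_loads(data, allowed=SAFE_GLOBALS):
    """Deserialize bytes without resolving any global outside ``allowed``."""
    return RestrictedUnpickler(io.BytesIO(data), allowed).load()

def loads_or_error(data, allowed=SAFE_GLOBALS):
    """Return (value, None) on success or (None, message) when rejected."""
    try:
        return restricted_loads(data, allowed), None
    except pickle.UnpicklingError as exc:
        return None, str(exc)

def demo():
    """Run constructed sample streams through the restricted loader."""
    plain = pickle.dumps({"user": "alice", "roles": ["ro", "rw"]})  # no globals
    listed = pickle.dumps(collections.OrderedDict(a=1))           # allowlisted
    unlisted = pickle.dumps(collections.deque([1, 2]))             # not listed
    return {
        "plain": loads_or_error(plain),
        "listed": loads_or_error(listed),
        "unlisted": loads_or_error(unlisted),
        # Empty allowlist behaves like find_global = None: every global is refused.
        "listed_empty_allowlist": loads_or_error(listed, frozenset()),
    }

if __name__ == "__main__":
    print(demo())
```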
Remove unused module in 'entropy.py'
owasp-pysec/pysec/entropy.py:23: 'Object' imported but unused
Impossible to import module "pysec.kv"
ImportError
Imported 'partial' but unused in 'owasp-pysec/pysec/net/pop.py'
owasp-pysec/pysec/net/pop.py:22: 'partial' imported but unused
Need to use pysec.io.fd functions
File handled with python and not pysec primitives
"./pysec/io/fs.py:24: with open('/proc/sys/fs/file-nr', 'rb') as fnr:"
Undefined name in 'load.py'
owasp-pysec/pysec/load.py:49: undefined name 'import_lib' in all
What if I want to use this library with Python 3, as Python 2 is reaching EoL?
https://github.com/ebranca/owasp-pysec/wiki/Subprocess-exception-on-terminate
The "Description" contains twice "p = Popen(['/bin/sleep', '1'])" while the second time it should be "time.sleep(1)"
Remove unused modules in 'owasp-pysec/pysec/net/init.py'
owasp-pysec/pysec/net/init.py:21: 'smtp' imported but unused
owasp-pysec/pysec/net/init.py:21: 'pop' imported but unused
owasp-pysec/pysec/net/init.py:21: 'error' imported but unused
Not possible to set mode when creating temp file or temp folder
./pysec/io/temp.py:27 def mkstemp(dir, prefix, suffix)
Missing check for mode option in touch in "./pysec/io/fd.py"
./pysec/io/fd.py def touch(fpath, mode=0666)
Fix line 74:
Fresh storage dirp created
Why create a different python? Why not submit the fixes to the main cpython repo?
https://github.com/ebranca/owasp-pysec/wiki/Statement-%27if-0:-yield%27-not-failing-with-error contains a typo:
'sintax' instead of 'syntax' in the comment.
Remove unused modules in 'owasp-pysec/pysec/core/init.py'
owasp-pysec/pysec/core/init.py:20: 'monotonic' imported but unused
owasp-pysec/pysec/core/init.py:20: 'unistd' imported but unused
owasp-pysec/pysec/core/init.py:20: 'memory' imported but unused
https://github.com/ebranca/owasp-pysec/wiki/Readline-input-loss
suggests as a workaround using "input()" instead of "raw_input", which opens new security issues.
Missing check for mode option in "./pysec/io/fd.py"
./pysec/io/fd.py def open(fpath, oflag, mode=0666)
It is very hard to understand without any documentation or videos how to use this tool
Remove unused modules in 'owasp-pysec/pysec/io/init.py'
owasp-pysec/pysec/io/init.py:20: 'fs' imported but unused
owasp-pysec/pysec/io/init.py:20: 'utils' imported but unused
owasp-pysec/pysec/io/init.py:20: 'fcheck' imported but unused
owasp-pysec/pysec/io/init.py:20: 'temp' imported but unused
owasp-pysec/pysec/io/init.py:20: 'fd' imported but unused
Hi, so you've posted some material about Python security, and you have a nice review of various Python functions, but then all of the "Secure Implementation" sections say "Work in progress"; I don't really feel like you've answered what seems to be the main point of your posting, which is Python security, which I imagine is implementing Python securely. I liked your lists "Security IN Python" and "Security OF Python", but I don't seem to be able to find much about these topics and how to implement them. Are you planning to update this repository at some point? Or could you point us to some other resources if you're going to leave this topic incomplete? Thanks.
running install
running build
running build_py
running build_ext
building 'pysec.core.unistd' extension
cc -fno-strict-aliasing -fno-common -dynamic -arch i386 -arch x86_64 -g -Os -pipe -fno-common -fno-strict-aliasing -fwrapv -DENABLE_DTRACE -DMACOSX -DNDEBUG -Wall -Wstrict-prototypes -Wshorten-64-to-32 -DNDEBUG -g -fwrapv -Os -Wall -Wstrict-prototypes -DENABLE_DTRACE -arch i386 -arch x86_64 -pipe -I/System/Library/Frameworks/Python.framework/Versions/2.7/include/python2.7 -c pysec/core/unistd.c -o build/temp.macosx-10.11-intel-2.7/pysec/core/unistd.o
pysec/core/unistd.c:547:27: warning: implicit declaration of function
'fdatasync' is invalid in C99 [-Wimplicit-function-declaration]
return PyInt_FromLong(fdatasync(fildes) == 0 ? 0 : errno);
^
1 warning generated.
pysec/core/unistd.c:317:13: warning: implicit conversion loses integer
precision: 'unsigned long' to 'int' [-Wshorten-64-to-32]
if((end=strspn(salt, VALID_SALT_CHARS)) != strlen(salt))
~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
pysec/core/unistd.c:436:21: warning: implicit conversion loses integer
precision: 'unsigned long' to 'int' [-Wshorten-64-to-32]
if((block_len = strlen(block)) != 64)
~ ^~~~~~~~~~~~~
pysec/core/unistd.c:439:13: warning: implicit conversion loses integer
precision: 'unsigned long' to 'int' [-Wshorten-64-to-32]
if((end=strspn(block, "01")) != strlen(block))
~^~~~~~~~~~~~~~~~~~~
pysec/core/unistd.c:547:27: warning: implicit declaration of function
'fdatasync' is invalid in C99 [-Wimplicit-function-declaration]
return PyInt_FromLong(fdatasync(fildes) == 0 ? 0 : errno);
^
pysec/core/unistd.c:1171:11: warning: implicit conversion loses integer
precision: 'long' to 'int' [-Wshorten-64-to-32]
res = sysconf(name);
~ ^~~~~~~~~~~~~
5 warnings generated.
cc -bundle -undefined dynamic_lookup -arch i386 -arch x86_64 -Wl,-F. build/temp.macosx-10.11-intel-2.7/pysec/core/unistd.o -lcrypt -o build/lib.macosx-10.11-intel-2.7/pysec/core/unistd.so
ld: library not found for -lcrypt
clang: error: linker command failed with exit code 1 (use -v to see invocation)
error: command 'cc' failed with exit status 1
Logical problem
temp file has to be deleted if not used and at exit
"./pysec/io/temp.py"
Option to Open and create or raise in "./pysec/io/fd.py"
Logical error
Missing checks for inode and free space during file operations
"./pysec/io/fd.py"
Remove unused module in 'string.py'
owasp-pysec/pysec/string.py:23: 'xbounds' imported but unused
Need to use pysec.io.fd functions
File handled with python and not pysec primitives
"./build/lib/pysec/load.py:90: with open(path, 'rb') as fmod:"
Option to Open and create if missing in "./pysec/io/fd.py"
Fix following problems in memory.c library.
Line 69:
|---> Initial value of MemoryType_members[0].offset is type int, expects Py_ssize_t: ((int)&((MemoryObject *)0)->size
Line 70:
|---> Initializer block for MemoryType_members[1] has 1 field, but PyMemberDef has 5 fields
Line 96:
|---> Initializer block for MemoryType_members[1] has 1 field, but PyMethodDef has 4 fields
Line 257:
|---> Assignment of ssize_t to size_t
Line 266:
|---> Parameter end not used
Missing control for value of pos in fd function in "./pysec/io/fd.py"
./pysec/io/fd.py def moveto(self, pos):
Impossible to import module core
ImportError
Define and build a set of tests to validate basic functionality of existing code.
Error with module "pysec/alg.py": returns -1 if it does not find the pattern
This is not correct, as it always returns true
Imported 'partial' but unused in 'owasp-pysec/pysec/net/smtp.py'
owasp-pysec/pysec/net/smtp.py:3: 'partial' imported but unused
Remove unused modules in 'owasp-pysec/pysec/init.py'
owasp-pysec/pysec/init.py:21: 'alg' imported but unused
owasp-pysec/pysec/init.py:21: 'net' imported but unused
owasp-pysec/pysec/init.py:21: 'log' imported but unused
owasp-pysec/pysec/init.py:21: 'xsplit' imported but unused
owasp-pysec/pysec/init.py:21: 'load' imported but unused
owasp-pysec/pysec/init.py:21: 'kv' imported but unused
owasp-pysec/pysec/init.py:21: 'expr' imported but unused
owasp-pysec/pysec/init.py:21: 'stats' imported but unused
owasp-pysec/pysec/init.py:21: 'core' imported but unused
owasp-pysec/pysec/init.py:21: 'entropy' imported but unused
Not possible to set mode when creating temp file or temp folder
./pysec/io/temp.py:59 def mkdtemp(dir, prefix, suffix)
Option to Open and truncate in "./pysec/io/fd.py"