ebranca / owasp-pysec Goto Github PK

View Code? Open in Web Editor NEW

403.0 403.0 109.0 1.82 MB

OWASP Python Security Project

License: Apache License 2.0

Python 59.16% C 40.57% Shell 0.27%

owasp-pysec's People

Contributors

Stargazers

Watchers

Forkers

abshkd rvelea pillaiarunsasidharan xch89820 sheldonpatnett chencoyote dpnishant soledge nikolayvoronchikhin marioskourtesis nomad-vino riverworks cocheok jackfill benluteijn congnghia0609 securextools shengqi158 blabla1337 dipsec vyelanin multitic tobal poornagurram linearregression nehajaiswal5 seriousalpha lmokto legendarynacar pombredanne sonseungho hawk0p expdb2015 shaikhsardar gamehacker himanshuraja jijicanyu security-prince ed00m spaceone weeshlow makakin coldsmoke627 icewayne iicoming khkaminska ll2b anotherancientalien sleevs magma2 ismailbozkurt nucleoos irivera007 susanstdemos jrajesh jerusalemsbell mohisen ssameerr dothackaway benhunter edwinlu actus10 rainser irrasoft ofinley davismathew fdulzm wsbespalov szliuyujie shezdev kranthiyarlagadda enarendar9 htallur chandu-infosec001 vinayasathyanarayana kakuye jguerra7 repson dewankpant ro9ueadmin zombieraven haohao201100 5l1v3r1 lcaoppit scorpio-net lleon1435 isp1r0 vpnj012k kksi76 gh0stlykn1ght bdsimpteam shakyasaijal jsecfan eitangayor vikrant1717 pooja0509 pacificdynamics aoloriz oananbeh timgates42

owasp-pysec's Issues

Workaround for pickle load

https://github.com/ebranca/owasp-pysec/wiki/Unrestricted-code-execution-using-pickle
(→ This article should also mention that cPickle is also affected!)

As a workaround I implemented this solution:

fd = StringIO(data)
unpickler = cPickle.Unpickler(fd)
unpickler.find_global = None
return unpickler.load()

It could be suggested as an hotfix for currently vulnerable projects which need to support the current API's. This is probably not 100% save (I can't proove), but increases security a lot.

Remove unused module in 'entropy.py'

Remove unused module in 'entropy.py'
owasp-pysec/pysec/entropy.py:23: 'Object' imported but unused

Error "ImportError" trying to use "pysec.kv"

Impossible to import module "pysec.kv"
ImportError

Imported 'partial' but unused in 'owasp-pysec/pysec/net/pop.py'

owasp-pysec/pysec/net/pop.py:22: 'partial' imported but unused

File not handled with pysec primitives in "./pysec/io/fs.py:24"

Need to use pysec.io.fd functions
File handled with python and not pysec primitives
"./pysec/io/fs.py:24: with open('/proc/sys/fs/file-nr', 'rb') as fnr:"

Undefined name in 'load.py'

Undefined name in 'load.py'
owasp-pysec/pysec/load.py:49: undefined name 'import_lib' in all

Python 3 compatibility to this lib ?

What if i want to use this library with Python3, as Python2 is reaching EoL ?

Subprocess-exception-on-terminate error in Description

https://github.com/ebranca/owasp-pysec/wiki/Subprocess-exception-on-terminate

The "Description" contains twice "p = Popen(['/bin/sleep', '1'])" while the second time it should be "time.sleep(1)"

Remove unused modules in 'owasp-pysec/pysec/net/init.py'

Remove unused modules in 'owasp-pysec/pysec/net/init.py'

owasp-pysec/pysec/net/init.py:21: 'smtp' imported but unused
owasp-pysec/pysec/net/init.py:21: 'pop' imported but unused
owasp-pysec/pysec/net/init.py:21: 'error' imported but unused

No mode in temp file creation call in "./pysec/io/temp.py:27"

Not possible to set mode when creating temp file o temp folder
./pysec/io/temp.py:27 def mkstemp(dir, prefix, suffix)

Missing check for mode option in touch in "./pysec/io/fd.py"

Missing check for mode option in touch in "./pysec/io/fd.py"
./pysec/io/fd.py def touch(fpath, mode=0666)

Fix code in 'dirent.c' library

Fix line74:
Fresh storage dirp created

Why create a different python?

Why create a different python? Why not submit the fixes to the main cpython repo?

typo

https://github.com/ebranca/owasp-pysec/wiki/Statement-%27if-0:-yield%27-not-failing-with-error contains a typo:

'sintax' instead of 'syntax' in the comment.

Remove unused modules in 'owasp-pysec/pysec/core/init.py'

Remove unused modules in 'owasp-pysec/pysec/core/init.py'

owasp-pysec/pysec/core/init.py:20: 'monotonic' imported but unused
owasp-pysec/pysec/core/init.py:20: 'unistd' imported but unused
owasp-pysec/pysec/core/init.py:20: 'memory' imported but unused

input() suggested as workaround

https://github.com/ebranca/owasp-pysec/wiki/Readline-input-loss
suggests as workaround to use "input()" instead of "raw_input" which opens new security issues.

Missing check for mode option in open in "./pysec/io/fd.py"

Missing check for mode option in "./pysec/io/fd.py"
./pysec/io/fd.py def open(fpath, oflag, mode=0666)

Does this project is published ??

It is very hard to understand without any documentation or videos how to use this tool

Remove unused modules in 'owasp-pysec/pysec/io/init.py'

Remove unused modules in 'owasp-pysec/pysec/io/init.py'

owasp-pysec/pysec/io/init.py:20: 'fs' imported but unused
owasp-pysec/pysec/io/init.py:20: 'utils' imported but unused
owasp-pysec/pysec/io/init.py:20: 'fcheck' imported but unused
owasp-pysec/pysec/io/init.py:20: 'temp' imported but unused
owasp-pysec/pysec/io/init.py:20: 'fd' imported but unused

Content for "Secure Implementation": Incomplete?

Hi, so you've posted some material about Python security, and you have a nice review of various Python functions, but then all of the "Secure Implementation" sections say "Work in progress"; I don't really feel like you've answered what seems to be the main point of your posting, which is Python security, which I imagine is implementing Python securely. I liked your lists "Security IN Python" and "Security OF Python", but I don't seem to be able to find much about these topics and how to implement them. Are you planning to update this repository at some point? Or could you point us to some other resources if you're going to leave this topic incomplete? Thanks.

Build failed in mac os x

running install
running build
running build_py
running build_ext
building 'pysec.core.unistd' extension
cc -fno-strict-aliasing -fno-common -dynamic -arch i386 -arch x86_64 -g -Os -pipe -fno-common -fno-strict-aliasing -fwrapv -DENABLE_DTRACE -DMACOSX -DNDEBUG -Wall -Wstrict-prototypes -Wshorten-64-to-32 -DNDEBUG -g -fwrapv -Os -Wall -Wstrict-prototypes -DENABLE_DTRACE -arch i386 -arch x86_64 -pipe -I/System/Library/Frameworks/Python.framework/Versions/2.7/include/python2.7 -c pysec/core/unistd.c -o build/temp.macosx-10.11-intel-2.7/pysec/core/unistd.o
pysec/core/unistd.c:547:27: warning: implicit declaration of function
'fdatasync' is invalid in C99 [-Wimplicit-function-declaration]
return PyInt_FromLong(fdatasync(fildes) == 0 ? 0 : errno);
^
1 warning generated.
pysec/core/unistd.c:317:13: warning: implicit conversion loses integer
precision: 'unsigned long' to 'int' [-Wshorten-64-to-32]
if((end=strspn(salt, VALID_SALT_CHARS)) != strlen(salt))
~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
pysec/core/unistd.c:436:21: warning: implicit conversion loses integer
precision: 'unsigned long' to 'int' [-Wshorten-64-to-32]
if((block_len = strlen(block)) != 64)
~ ^~~~~~~~~~~~~
pysec/core/unistd.c:439:13: warning: implicit conversion loses integer
precision: 'unsigned long' to 'int' [-Wshorten-64-to-32]
if((end=strspn(block, "01")) != strlen(block))
~^~~~~~~~~~~~~~~~~~~
pysec/core/unistd.c:547:27: warning: implicit declaration of function
'fdatasync' is invalid in C99 [-Wimplicit-function-declaration]
return PyInt_FromLong(fdatasync(fildes) == 0 ? 0 : errno);
^
pysec/core/unistd.c:1171:11: warning: implicit conversion loses integer
precision: 'long' to 'int' [-Wshorten-64-to-32]
res = sysconf(name);
~ ^~~~~~~~~~~~~
5 warnings generated.
cc -bundle -undefined dynamic_lookup -arch i386 -arch x86_64 -Wl,-F. build/temp.macosx-10.11-intel-2.7/pysec/core/unistd.o -lcrypt -o build/lib.macosx-10.11-intel-2.7/pysec/core/unistd.so
ld: library not found for -lcrypt
clang: error: linker command failed with exit code 1 (use -v to see invocation)
error: command 'cc' failed with exit status 1

Temp file has to be deleten if not used and at exit in "./pysec/io/temp.py"

Logical problem
temp file has to be deleted if not used and at exit
"./pysec/io/temp.py"

Option to Open and create or raise in "./pysec/io/fd.py"

Need option to create a file if not exist
try to read the file and if does not exists raise exception

Missing checks for inode and freespace during file operations in "./pysec/io/fd.py"

Logical error
Missing checks for inode and free space during file operations
"./pysec/io/fd.py"

Remove unused module in 'string.py'

Remove unused module in 'string.py'
owasp-pysec/pysec/string.py:23: 'xbounds' imported but unused

File not handled with pysec primitives in "./build/lib/pysec/load.py:90"

Need to use pysec.io.fd functions
File handled with python and not pysec primitives
"./build/lib/pysec/load.py:90: with open(path, 'rb') as fmod:"

Option to Open and create if missing in "./pysec/io/fd.py"

try to open a file as read-only
-- if file is missing create the file
try to write a file as write-only
-- if file is missing create the file
try to append to file as write-only
-- if file is missing create the file

Fix probelms in 'memory.c' library

Fix following problems in memory.c library.
Line 69:
|---> Initial value of MemoryType_members[0].offset is type int, expects Py_ssize_t: ((int)&((MemoryObject *)0)->size
Line 70:
|---> 70|Initializer block for MemoryType_members[1] has 1 field, but PyMemberDef has 5 fields
Line 96:
|---> Initializer block for MemoryType_members[1] has 1 field, but PyMethodDef has 4 fields
Line 257:
|---> Assignment of ssize_t to size_t
Line 266:
|---> Parameter end not used

Missing control for value of pos in fd function in "./pysec/io/fd.py"

Missing control for value of pos in fd function in "./pysec/io/fd.py"
./pysec/io/fd.py def moveto(self, pos):

Error "ImportError" trying to use module "core"

impossible ti import module core
ImportError

Core library tests

Define and build a set of tests to validate basic functionality of existing code.

Error with module "pysec/alg.py" returns -1

Error with module "pysec/alg.py" returns -1 if does not find the pattern
This is not correct as returns always true

Imported 'partial' but unused in 'owasp-pysec/pysec/net/smtp.py'

owasp-pysec/pysec/net/smtp.py:3: 'partial' imported but unused

Remove unused modules in 'owasp-pysec/pysec/init.py'

Remove unused modules in 'owasp-pysec/pysec/init.py'

owasp-pysec/pysec/init.py:21: 'alg' imported but unused
owasp-pysec/pysec/init.py:21: 'net' imported but unused
owasp-pysec/pysec/init.py:21: 'log' imported but unused
owasp-pysec/pysec/init.py:21: 'xsplit' imported but unused
owasp-pysec/pysec/init.py:21: 'load' imported but unused
owasp-pysec/pysec/init.py:21: 'kv' imported but unused
owasp-pysec/pysec/init.py:21: 'expr' imported but unused
owasp-pysec/pysec/init.py:21: 'stats' imported but unused
owasp-pysec/pysec/init.py:21: 'core' imported but unused
owasp-pysec/pysec/init.py:21: 'entropy' imported but unused

No mode in temp file creation call in "./pysec/io/temp.py:59"

Not possible to set mode when creating temp file o temp folder
./pysec/io/temp.py:59 def mkdtemp(dir, prefix, suffix)

Option to Open and truncate in "./pysec/io/fd.py"

try to open a file as read-only
-- if file exists close read only
--- then open as write only
---- and if file exists truncate the file to size (x)
try to write to a file as write-only
-- if file exists truncate the file to size (x)
try to append to file as write-only
-- if file exists truncate the file to size (x)