Comments (3)
Nice work! I'll spend some time tomorrow going through the list and defining what we can do :)
from pyre-check.
I can see CodeQL has support for the following:
- CVE-2018-1281 (Bind To All Interfaces) (Not detected)
  Possible way to tackle: Annotate bind() as a sink for user controlled data (would never happen in almost all situations)
- CWE-020-ExternalAPIs (External APIs are marked as sinks and data from them as taint sources) (not detected) (Do we need such verbosity?)
- CWE-020 (Regex serialisation, not definitely a vulnerability, but can be) (not detected)
  Possible way to tackle: annotate pattern.regexpMatch and other regex functions as taint sinks for user controlled data
- CWE-022 (File system read, write, and tar slip) (tar slip not detected)
  Possible way to tackle: Add models for tar slip? Idk how Pysa detects vulnerabilities such as stored XSS. If we do, the same model can be used
- CWE-078 (Command Line Injection) (Detected)
- CWE-079 (plain XSS and XSS for jinja2) (XSS for jinja2 not detected)
  Possible way to tackle: Tricky in the sense that it only occurs when a user controlled parameter flows to a template called via an environment in which auto_escape is turned off (default is off).
- CWE-089 (SQL Injection) (Detected)
  Possible way to improve: Add coverage for aiopg and cx_oracle (closed because we thought we need stubs, we can have another go by defining them as site packages). Checked, getting typing.Any for aiopg and cx_oracle is written in CPython.
- CWE-094 (Code Injection) (Detected)
- CWE-209 (Stack Trace or Exception exposure) (Detected)
- CWE-215 (Running flask app in debug mode) (Can Pysa detect this? I am not sure..)
- CWE-295 (Missing host key validation) (Not detected)
  Possible way to tackle: Solvable for the paramiko library by tainting AutoAddPolicy as a source and set_missing_host_key_policy as a sink. (We have support for paramiko but not coverage for this vulnerability)
- CWE-312 (Putting unhashed values in cookies) (Not detected)
  Possible way to tackle: One way would be to prevent user controlled parameters from reaching cookies and add popular hashing functions as features. But the question is, is this necessarily great enough in impact that it should be added?
- CWE-326 (Weak encryption keys) (Pysa can't, but how we can make this hit as an issue when we use the implicit approach is a question)
- CWE-327 (Insecure protocols) (Pysa can't, but can be made to with implicit sources?)
- CWE-377 (Insecure temporary files) (Pysa can't)
- CWE-502 (unsafe deserialisations) (detected)
- CWE-601 (URL redirection) (Detected for most popular libraries)
- CWE-732 (Weak file permissions) (Pysa can't now, but coding implicit sources would fix this)
- CWE-798 (Hardcoded credentials) (Pysa can with implicit sinks for common APIs)
from pyre-check.
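As an added illustration (not code from pyre-check or from the commenter) of what the two proposals above have to recognise, the snippet below walks a constructed Python sample with the standard `ast` module and flags the CWE-295 pattern (an `AutoAddPolicy()` instance reaching `set_missing_host_key_policy`, i.e. the source/sink pair suggested for paramiko) and the CWE-215 pattern (`run(debug=True)` on a Flask app). It is a plain syntactic check, not a Pysa model, and the sample code is constructed here.

```python
import ast

# Constructed sample exercising the two patterns discussed in the thread.
SAMPLE = '''
import paramiko
from flask import Flask

client = paramiko.SSHClient()
client.set_missing_host_key_policy(paramiko.AutoAddPolicy())  # CWE-295: trusts any host key
client.load_system_host_keys()
client.set_missing_host_key_policy(paramiko.RejectPolicy())   # fine: unknown hosts are rejected

app = Flask(__name__)
app.run(debug=True)  # CWE-215: Werkzeug debugger reachable in production
'''


def _callee_name(node: ast.AST) -> str:
    """Trailing identifier of a call target, e.g. paramiko.AutoAddPolicy -> 'AutoAddPolicy'."""
    if isinstance(node, ast.Attribute):
        return node.attr
    if isinstance(node, ast.Name):
        return node.id
    return ""


def find_insecure_calls(source: str) -> list[tuple[str, int]]:
    """Return (rule, line) pairs for every matching call in `source`."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        name = _callee_name(node.func)
        # CWE-295: the "source" is an AutoAddPolicy() object, the "sink" is
        # set_missing_host_key_policy; here the flow is only one call deep.
        if name == "set_missing_host_key_policy":
            for arg in node.args:
                if isinstance(arg, ast.Call) and _callee_name(arg.func) == "AutoAddPolicy":
                    findings.append(("CWE-295", node.lineno))
        # CWE-215: a literal debug=True keyword on a .run(...) call.
        if name == "run":
            for kw in node.keywords:
                if kw.arg == "debug" and isinstance(kw.value, ast.Constant) and kw.value.value is True:
                    findings.append(("CWE-215", node.lineno))
    return findings


if __name__ == "__main__":
    for rule, line in find_insecure_calls(SAMPLE):
        print(f"{rule} at line {line}")
```

A real Pysa model would instead track the policy object through variables and helper functions, which this one-level syntactic match does not attempt.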
@r0rshark this is my preliminary analysis after checking the python security folder of CodeQL. Curious to know what you think and maybe we can create an issue for each one we can possibly detect with Pysa
from pyre-check.