List of Checks
==============

General and Best Practice
~~~~~~~~~~~~~~~~~~~~~~~~~

.. toctree::
   :maxdepth: 1

   AST100 : Use of `assert` statement in a non-test file
   EX100 : Use of the builtin `exec()` function on a non-string literal
   OS100 : Calls to `os.chmod()` with dangerous POSIX permissions
   PIC100 : Loading serialized data with the `pickle` module can lead to arbitrary code execution via the `__reduce__` method
   TMP100 : Use of insecure `tempfile.mktemp`
   TMP101 : Use of a hardcoded temporary file path
   TRY100 : Use of a `try` ... `except` block where the except block contains nothing other than comments and a `pass` statement
   TRY101 : Use of a `try` ... `except` block where the except block contains nothing other than comments and a `continue` statement

SQL
~~~

The SQL100 check covers most SQL injection techniques that use Python's various string formatting methods.

.. toctree::
   :maxdepth: 1

   SQL100 : Possible SQL injection with Python string formatting
   SQL200 : Possible SQL injection with SQLAlchemy

Shell
~~~~~

.. toctree::
   :maxdepth: 1

   PR100 : Use of `shell=True` when running `subprocess.call` from the standard library
   PAR101 : Possible shell injection on a remote host with the `paramiko` library
   SH100 : Possible shell injection on the local host with standard library functions
   SH101 : Potentially risky call to a spawned process

Passwords and Security
~~~~~~~~~~~~~~~~~~~~~~

.. toctree::
   :maxdepth: 1

   PW100 : Comparing inputs, secrets or tokens using the `==` operator is vulnerable to timing attacks. Use `compare_digest()` instead.
   PW101 : Hardcoded passwords, secrets or keys detected

Encryption and Hashing
~~~~~~~~~~~~~~~~~~~~~~

.. toctree::
   :maxdepth: 1

   HL100 : The MD4, MD5, SHA and SHA1 hashing algorithms should not be used for obfuscating or protecting data
   HL101 : MD5, SHA-1, RIPEMD-160, Whirlpool and the SHA-256 / SHA-512 hash algorithms are all vulnerable to length-extension attacks and should not be used for obfuscating or protecting data

Django Web Framework
~~~~~~~~~~~~~~~~~~~~

.. toctree::
   :maxdepth: 1

   DJG100 : Setting `DEBUG = True` in a `settings.py` file (assumed to be Django project settings)
   DJG101 : Using a quoted, parametrized literal bypasses Django's SQL injection protection
   DJG102 : Using safe strings bypasses Django's XSS protection
   DJG103 : Using a quoted, parametrized literal in the query set `extra()` function bypasses Django's SQL injection protection
   DJG200 : Django middleware is missing `CsrfViewMiddleware`, which blocks cross-site request forgery
   DJG201 : Django middleware is missing `XFrameOptionsMiddleware`, which blocks clickjacking
   DJG300 : Django `PermissionRequiredMixin` missing properties
   DJG301 : Django `PermissionRequiredMixin` inherited incorrectly

Deserialization
~~~~~~~~~~~~~~~

.. toctree::
   :maxdepth: 1

   YML100 (`pyyaml`) : Use of `yaml.load()` can cause arbitrary code execution. Suggests, and offers a "Quick Fix" for, replacing it with `safe_load()` using the existing arguments

Flask Web Framework
~~~~~~~~~~~~~~~~~~~

.. toctree::
   :maxdepth: 1

   FLK100 : Use of `debug=True` when instantiating Flask applications

SSL and Networking
~~~~~~~~~~~~~~~~~~

.. toctree::
   :maxdepth: 1

   NET100 : Socket binding to an unspecified IPv4 or IPv6 address
   PAR100 (`paramiko`) : Host key verification bypass using the `paramiko` SSH library
   RQ100 (`requests`) : Use of `verify=False` when making HTTP requests using the `requests` package
   RQ101 (`httpx`) : Use of `verify=False` when making HTTP requests using the `httpx` package
   SSL100 : Use of insecure defaults in the `ssl` module
   SSL101 : Use of insecure SSL versions in the `ssl` module

Templating Engines
~~~~~~~~~~~~~~~~~~

.. toctree::
   :maxdepth: 1

   JJ100 (`jinja2`) : Use of Jinja2 without autoescaping of input
   MK100 (`mako`) : Use of a Mako template without escaped input

XML
~~~

.. toctree::
   :maxdepth: 1

   XML100 : Use of standard library XML modules that are vulnerable to entity expansion DoS
   XML200 : Use of `allow_dotted_names` with the XML-RPC simple server allows remote code execution