List of Checks
General and Best Practice
- AST100 : Use of `assert` statement in non-test file
- EX100 : Use of builtin `exec()` function for non-string literal
- OS100 : Calls to `os.chmod()` with dangerous POSIX permissions
- PIC100 : Loading serialized data with the `pickle` module can lead to arbitrary code execution via the `__reduce__` method
- TMP100 : Use of insecure `tempfile.mktemp`
- TMP101 : Use of hardcoded temporary file path
- TRY100 : Use of a `try` ... `except` block whose `except` block contains nothing but comments and a `pass` statement
- TRY101 : Use of a `try` ... `except` block whose `except` block contains nothing but comments and a `continue` statement
SQL
The SQL100 check covers most SQL injection patterns that arise from building queries with Python's various string formatting methods.
Shell
Passwords and Security
Encryption and Hashing
Django Web Framework
- DJG100 : Setting `DEBUG = True` in a `settings.py` file (assumed Django project settings)
- DJG101 : Using a quoted, parametrized literal bypasses Django's SQL injection protection
- DJG102 : Using safe strings bypasses Django's XSS protection
- DJG103 : Using a quoted, parametrized literal in the query set `extra()` function bypasses Django's SQL injection protection
- DJG200 : Django middleware is missing `CsrfViewMiddleware`, which blocks cross-site request forgery
- DJG201 : Django middleware is missing `XFrameOptionsMiddleware`, which blocks clickjacking
- DJG300 : Django `PermissionRequiredMixin` is missing required properties
- DJG301 : Django `PermissionRequiredMixin` is inherited incorrectly
Deserialization
Flask Web Framework
SSL and Networking
- NET100 : Socket binding to unspecified IPv4 or IPv6 address
- PAR100 (`paramiko`) : Host key inspection bypass using the `paramiko` SSH library
- RQ100 (`requests`) : Use of `verify=False` when making HTTP requests using the `requests` package
- RQ101 (`httpx`) : Use of `verify=False` when making HTTP requests using the `httpx` package
- SSL100 : Use of insecure defaults in `ssl` module
- SSL101 : Use of insecure SSL versions in `ssl` module