blacklist_calls

Blacklist various Python calls known to be dangerous

This blacklist data checks for a number of Python calls known to have possible security implications. The following blacklist tests are run against any function calls encoutered in the scanned code base, triggered by encoutering ast.Call nodes.

B301: pickle

Pickle library appears to be in use, possible security issue.

ID Name Calls Severity
B301 pickle
  • pickle.loads
  • pickle.load
  • pickle.Unpickler
  • cPickle.loads
  • cPickle.load
  • cPickle.Unpickler
Medium

B302: marshal

Deserialization with the marshal module is possibly dangerous.

ID Name Calls Severity
B302 marshal
  • marshal.load
  • marshal.loads
Medium

B303: md5

Use of insecure MD2, MD4, or MD5 hash function.

ID Name Calls Severity
B303 md5
  • hashlib.md5
  • Crypto.Hash.MD2.new
  • Crypto.Hash.MD4.new
  • Crypto.Hash.MD5.new
  • Cryptodome.Hash.MD2.new
  • Cryptodome.Hash.MD4.new
  • Cryptodome.Hash.MD5.new
  • cryptography.hazmat.primitives .hashes.MD5
Medium

B304 - B305: ciphers and modes

Use of insecure cipher or cipher mode. Replace with a known secure cipher such as AES.

ID Name Calls Severity
B304 ciphers
  • Crypto.Cipher.ARC2.new
  • Crypto.Cipher.ARC4.new
  • Crypto.Cipher.Blowfish.new
  • Crypto.Cipher.DES.new
  • Crypto.Cipher.XOR.new
  • Cryptodome.Cipher.ARC2.new
  • Cryptodome.Cipher.ARC4.new
  • Cryptodome.Cipher.Blowfish.new
  • Cryptodome.Cipher.DES.new
  • Cryptodome.Cipher.XOR.new
  • cryptography.hazmat.primitives .ciphers.algorithms.ARC4
  • cryptography.hazmat.primitives .ciphers.algorithms.Blowfish
  • cryptography.hazmat.primitives .ciphers.algorithms.IDEA
High
B305 cipher_modes
  • cryptography.hazmat.primitives .ciphers.modes.ECB
Medium

B306: mktemp_q

Use of insecure and deprecated function (mktemp).

ID Name Calls Severity
B306 mktemp_q
  • tempfile.mktemp
Medium

B307: eval

Use of possibly insecure function - consider using safer ast.literal_eval.

ID Name Calls Severity
B307 eval
  • eval
Medium

B308: mark_safe

Use of mark_safe() may expose cross-site scripting vulnerabilities and should be reviewed.

ID Name Calls Severity
B308 mark_safe
  • django.utils.safestring.mark_safe
Medium

B309: httpsconnection

Use of HTTPSConnection on older versions of Python prior to 2.7.9 and 3.4.3 do not provide security, see https://wiki.openstack.org/wiki/OSSN/OSSN-0033

ID Name Calls Severity
B309 httpsconnection
  • httplib.HTTPSConnection
  • http.client.HTTPSConnection
  • six.moves.http_client .HTTPSConnection
Medium

B310: urllib_urlopen

Audit url open for permitted schemes. Allowing use of ‘file:” or custom schemes is often unexpected.

ID Name Calls Severity
B310 urllib_urlopen
  • urllib.urlopen
  • urllib.request.urlopen
  • urllib.urlretrieve
  • urllib.request.urlretrieve
  • urllib.URLopener
  • urllib.request.URLopener
  • urllib.FancyURLopener
  • urllib.request.FancyURLopener
  • urllib2.urlopen
  • urllib2.Request
  • six.moves.urllib.request.urlopen
  • six.moves.urllib.request .urlretrieve
  • six.moves.urllib.request .URLopener
  • six.moves.urllib.request .FancyURLopener
Medium

B311: random

Standard pseudo-random generators are not suitable for security/cryptographic purposes.

ID Name Calls Severity
B311 random
  • random.random
  • random.randrange
  • random.randint
  • random.choice
  • random.uniform
  • random.triangular
Low

B312: telnetlib

Telnet-related functions are being called. Telnet is considered insecure. Use SSH or some other encrypted protocol.

ID Name Calls Severity
B312 telnetlib
  • telnetlib.*
High

B313 - B320: XML

Most of this is based off of Christian Heimes’ work on defusedxml: https://pypi.python.org/pypi/defusedxml/#defusedxml-sax

Using various XLM methods to parse untrusted XML data is known to be vulnerable to XML attacks. Methods should be replaced with their defusedxml equivalents.

ID Name Calls Severity
B313 xml_bad_cElementTree
  • xml.etree.cElementTree.parse
  • xml.etree.cElementTree.iterparse
  • xml.etree.cElementTree.fromstring
  • xml.etree.cElementTree.XMLParser
Medium
B314 xml_bad_ElementTree
  • xml.etree.ElementTree.parse
  • xml.etree.ElementTree.iterparse
  • xml.etree.ElementTree.fromstring
  • xml.etree.ElementTree.XMLParser
Medium
B315 xml_bad_expatreader
  • xml.sax.expatreader.create_parser
Medium
B316 xml_bad_expatbuilder
  • xml.dom.expatbuilder.parse
  • xml.dom.expatbuilder.parseString
Medium
B317 xml_bad_sax
  • xml.sax.parse
  • xml.sax.parseString
  • xml.sax.make_parser
Medium
B318 xml_bad_minidom
  • xml.dom.minidom.parse
  • xml.dom.minidom.parseString
Medium
B319 xml_bad_pulldom
  • xml.dom.pulldom.parse
  • xml.dom.pulldom.parseString
Medium
B320 xml_bad_etree
  • lxml.etree.parse
  • lxml.etree.fromstring
  • lxml.etree.RestrictedElement
  • lxml.etree.GlobalParserTLS
  • lxml.etree.getDefaultParser
  • lxml.etree.check_docinfo
Medium

B321: ftplib

FTP-related functions are being called. FTP is considered insecure. Use SSH/SFTP/SCP or some other encrypted protocol.

ID Name Calls Severity
B321 ftplib
  • ftplib.*
High

B322: input

The input method in Python 2 will read from standard input, evaluate and run the resulting string as python source code. This is similar, though in many ways worse, then using eval. On Python 2, use raw_input instead, input is safe in Python 3.

ID Name Calls Severity
B322 input
  • input
High

B323: unverified_context

By default, Python will create a secure, verified ssl context for use in such classes as HTTPSConnection. However, it still allows using an insecure context via the _create_unverified_context that reverts to the previous behavior that does not validate certificates or perform hostname checks.

ID Name Calls Severity
B322 unverified_context
  • ssl._create_unverified_context
Medium