Python Analyzer Updates – May 2021

With the recent releases, the Python analyzer detects 5 new security issues and can automatically fix 4 more. We have improved the descriptions of issues in the security and bug-risk categories. We have also fixed some autofix failures and false positives that you reported to us.

Here is the detailed changelog:

New Security Issues:

PY-S0909 - Missing Security Middleware

This issue is raised when a Django project is missing security middleware. Django’s security middleware provides several security enhancements to the request/response cycle.

When enabled, it provides security features such as X-XSS-Protection, SSL redirect, X-Content-Type-Options, and HTTP Strict Transport Security.

PY-S6008 - Setting loose POSIX file permissions is security-sensitive

Every file in a POSIX file system has the following sets of permissions:

  • Owner permissions - Determine what actions the owner of the file can perform on the file.
  • Group permissions - Determine what actions a user who is a member of the file's group can perform on the file.
  • Other permissions - Determine what actions all other users can perform on the file.

Granting permissions to Others can lead to unintended access to, and modification of, files.

Example:

import os, stat

f = os.open("data.txt", os.O_WRONLY | os.O_CREAT)  # file descriptor to pass to fchmod
r = os.umask(0)  # nothing masked: read, write permission granted to Others on new files
os.fchmod(f, stat.S_IWOTH)  # Others have write permission
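The hardened counterpart, added here as an example (not code from the changelog or from the analyzer): a file is created owner-only regardless of the process umask, and a small checker reads back the Others bits that PY-S6008 is concerned with. The file names and the `demo` helper are constructed for the example.

```python
import os
import stat
import tempfile
from typing import Tuple

# The Others bits (read, write, execute for everyone else) that PY-S6008 warns about.
OTHER_BITS = stat.S_IROTH | stat.S_IWOTH | stat.S_IXOTH


def create_private_file(path: str, data: bytes) -> int:
    """Create `path` readable and writable by the owner only and return its mode bits."""
    # Request 0o600 explicitly; a umask can only clear bits, never add them.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    try:
        # O_CREAT leaves the mode of a pre-existing file untouched, so enforce it
        # with fchmod as well, in case the file was created loosely earlier.
        os.fchmod(fd, stat.S_IRUSR | stat.S_IWUSR)
        os.write(fd, data)
    finally:
        os.close(fd)
    return stat.S_IMODE(os.stat(path).st_mode)


def others_permissions(path: str) -> int:
    """Return only the Others bits of a file's mode; 0 means no access for Others."""
    return stat.S_IMODE(os.stat(path).st_mode) & OTHER_BITS


def demo() -> Tuple[int, int]:
    """Constructed demo: a loosely created file next to a hardened one."""
    with tempfile.TemporaryDirectory() as tmp:
        loose = os.path.join(tmp, "loose.txt")
        private = os.path.join(tmp, "private.txt")

        old = os.umask(0)  # nothing masked: the requested 0o666 applies verbatim
        try:
            os.close(os.open(loose, os.O_WRONLY | os.O_CREAT, 0o666))
        finally:
            os.umask(old)  # always restore the process umask

        create_private_file(private, b"secret")
        # loose.txt: Others get read+write (0o006); private.txt: Others get nothing (0)
        return others_permissions(loose), others_permissions(private)
```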

PY-S0900: Django app detected with DEBUG mode enabled

Running a Django application with debug mode enabled may allow an attacker to gain access to sensitive information.

Example:

from django.conf import settings

# settings.configure() may only be called once, so both flags go in one call
settings.configure(
    DEBUG=True,  # Sensitive
    DEBUG_PROPAGATE_EXCEPTIONS=True,  # Sensitive
)

Ensure that Django applications that are run in a production environment have DEBUG set to False.

PY-S6007: Use of both safe and unsafe HTTP methods for a view

An HTTP method is safe if it doesn't alter the state of the server, i.e., it leads to a read-only operation. Using both safe and unsafe HTTP methods on the same view makes the application vulnerable to Cross-Site Request Forgery (CSRF). CSRF protections cover operations performed by unsafe HTTP methods; they do not protect a route that can change the application's state when it is reachable through safe HTTP methods.

Examples:

For Django:

from django.views.decorators.http import require_http_methods

@require_http_methods(["GET", "POST"]) # Sensitive
def register(request):
    ...

For Flask:

from flask import Flask

app = Flask(__name__)

@app.route('/sensitive', methods=['GET', 'POST'])  # Sensitive
def register():
    ...

PY-A6006: Audit required: Configuring loggers can be security-sensitive

This issue highlights code that initiates logger configuration. It should be audited to make sure no sensitive information is being logged.

Example:

import logging
import os

from logging.config import dictConfig, fileConfig

config = {"version": 1, "root": {"level": "INFO"}}  # minimal dictConfig schema

logging.basicConfig(level=os.environ.get("LOG_LEVEL", "INFO"))
fileConfig(fname='file.conf', disable_existing_loggers=False)  # Sensitive
dictConfig(config)  # Sensitive

Since this is an audit issue, some occurrences may be harmless here. The goal is to bring the issue to your attention and ensure safe practices when logging information.

New Autofixes

PYL-R1713 - Consider using Join

Before Autofix:

my_string = ""
for element in data:
    my_string += ", " + element  # builds the string one element at a time

After Autofix:

my_string = ", ".join(data)

PYL-R1718 - Consider using Set comprehension

Before Autofix:

mapping = set([num for num in my_magic_nums])

After Autofix:

mapping = {num for num in my_magic_nums}

PY-S0900: Django app detected with DEBUG mode enabled

The autofix will disable debug mode for the Django application wherever it is enabled.

PY-S0909 - Missing Security Middleware

The autofix will add django.middleware.security.SecurityMiddleware to the middleware list.

Analyzer Improvements:

  • Improved issue description for security and bug-risks category.
  • Suppressed PYL-E0105 for lines where PTC-W0025 or PTC-W0026 is raised.
  • Fixed false positives for PY-D0003.
  • Suppressed PTC-W0034 when attribute name is an invalid Python string.

Autofix Improvements:

  • Fixed autofix failures in PYL-C0325 when there is no whitespace after return or yield.
  • Fixed incorrect autofix for PY-C0325.