After the recent releases, the Python analyzer can now detect 5 new security issues and automatically fix 4 more. We have improved the descriptions of security and bug-risk category issues. We have also fixed some autofix failures and false positives that you reported to us.
Here is the detailed changelog:
New Security Issues:
PY-S0909 - Missing Security Middleware
This issue is raised when a Django project is missing security middleware. Django’s security middleware provides several security enhancements to the request/response cycle.
When present, it provides security features such as the X-XSS-Protection and X-Content-Type-Options headers, SSL redirect, and HTTP Strict Transport Security.
PY-S6008 - Setting loose POSIX file permissions is security-sensitive
Every file in the POSIX file system has the following permissions:
- Owner permissions - Determines what actions the owner of the file can perform on the file.
- Group permissions - Determines what actions a user who is a member of the group that a file belongs to can perform on the file.
- Other permissions - Determines what actions all other users can perform on the file.
Granting permissions to Others can lead to unintended access to and modification of files.
Example:
import os, stat
r = os.umask(0) # read, write permission granted to Others on every file created from now on
f = os.open("report.txt", os.O_WRONLY | os.O_CREAT) # created with 0o666 because the umask is 0
os.fchmod(f, stat.S_IWOTH) # Others have write permission
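As an added example (not code from the changelog), the following shows the defensive counterpart of the pattern above: a helper that creates a file readable and writable only by its owner, plus a check that reports which Others bits a file grants. The file names and sample contents are constructed for the demo.

```python
import os
import stat
import tempfile

# Bits that grant access to "Others" (everyone who is neither owner nor group member).
OTHER_BITS = stat.S_IRWXO


def others_bits(path):
    """Return the subset of the Others permission bits that are set on path."""
    return stat.S_IMODE(os.stat(path).st_mode) & OTHER_BITS


def loose_permissions(path):
    """Return the Others permissions a file grants, as names, e.g. ['read', 'write']."""
    bits = others_bits(path)
    names = []
    if bits & stat.S_IROTH:
        names.append("read")
    if bits & stat.S_IWOTH:
        names.append("write")
    if bits & stat.S_IXOTH:
        names.append("execute")
    return names


def create_private_file(path, data=b""):
    """Create (or truncate) path so that only its owner can read and write it.

    The umask is set to 0o077 around the creation so no Group/Others bits can
    leak in from the process's inherited umask, the file is opened with an
    explicit 0o600 mode, and fchmod() is applied as well in case the file
    already existed with wider permissions. The previous umask is restored.
    """
    old_umask = os.umask(0o077)
    try:
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
        try:
            os.fchmod(fd, stat.S_IRUSR | stat.S_IWUSR)
            os.write(fd, data)
        finally:
            os.close(fd)
    finally:
        os.umask(old_umask)
    return path


def demo():
    """Contrast a world-writable file with one created by create_private_file.

    Returns (loose, strict): the Others permissions of each file.
    """
    with tempfile.TemporaryDirectory() as tmp:
        loose_path = os.path.join(tmp, "loose.txt")
        with open(loose_path, "w") as fh:
            fh.write("constructed sample\n")
        os.chmod(loose_path, 0o666)  # the pattern PY-S6008 flags: Others get read and write

        strict_path = create_private_file(os.path.join(tmp, "strict.txt"), b"constructed sample\n")
        return loose_permissions(loose_path), loose_permissions(strict_path)


if __name__ == "__main__":
    print(demo())  # (['read', 'write'], [])
```

Saving and restoring the umask matters because `os.umask()` is process-wide: a library that sets it to 0 and forgets to restore it silently loosens every file the rest of the program creates.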
PY-S0900: Django app detected with DEBUG mode enabled
Running a Django application with debug mode enabled may allow an attacker to gain access to sensitive information.
Example:
import django
from django.conf import settings
settings.configure(DEBUG=True) # Sensitive
# configure() may only be called once per process; the next line shows the second flagged setting on its own
settings.configure(DEBUG_PROPAGATE_EXCEPTIONS=True) # Sensitive
Ensure that Django applications that are run in a production environment have DEBUG set to False.
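The following added example (not code from the changelog or from the analyzer) shows how to check a Django settings module for both issues described above, PY-S0909 and PY-S0900, and how to apply the two corresponding autofixes to a plain settings dict. The `INSECURE_SETTINGS` sample is constructed; the middleware path `django.middleware.security.SecurityMiddleware` and the `DEBUG` / `DEBUG_PROPAGATE_EXCEPTIONS` settings are the real Django names.

```python
SECURITY_MIDDLEWARE = "django.middleware.security.SecurityMiddleware"

# Constructed sample in the shape of a Django settings module; not a real project's settings.
INSECURE_SETTINGS = {
    "DEBUG": True,
    "DEBUG_PROPAGATE_EXCEPTIONS": False,
    "MIDDLEWARE": [
        "django.middleware.common.CommonMiddleware",
        "django.middleware.csrf.CsrfViewMiddleware",
    ],
}


def audit_settings(settings):
    """Return [(issue id, message)] for the settings problems PY-S0909 and PY-S0900 describe.

    `settings` maps setting names to values; for a real project you could pass
    vars(your_settings_module) after importing it.
    """
    findings = []
    middleware = settings.get("MIDDLEWARE") or []
    if SECURITY_MIDDLEWARE not in middleware:
        findings.append(("PY-S0909", "MIDDLEWARE does not include SecurityMiddleware"))
    if settings.get("DEBUG", False):
        findings.append(("PY-S0900", "DEBUG is True"))
    if settings.get("DEBUG_PROPAGATE_EXCEPTIONS", False):
        findings.append(("PY-S0900", "DEBUG_PROPAGATE_EXCEPTIONS is True"))
    return findings


def harden_settings(settings):
    """Return a copy with both fixes applied: debug flags off, SecurityMiddleware present.

    The middleware is inserted at the front of the list, because Django's
    documentation recommends placing SecurityMiddleware near the top so its
    redirects and headers apply before other middleware runs. The position is
    this example's choice; the changelog only says the autofix adds it to the list.
    """
    fixed = dict(settings)
    fixed["DEBUG"] = False
    fixed["DEBUG_PROPAGATE_EXCEPTIONS"] = False
    middleware = list(fixed.get("MIDDLEWARE") or [])
    if SECURITY_MIDDLEWARE not in middleware:
        middleware.insert(0, SECURITY_MIDDLEWARE)
    fixed["MIDDLEWARE"] = middleware
    return fixed


if __name__ == "__main__":
    for issue, message in audit_settings(INSECURE_SETTINGS):
        print(issue, message)
    print(audit_settings(harden_settings(INSECURE_SETTINGS)))  # []
```

A check like this belongs in a deployment smoke test rather than only in the linter: `DEBUG` is often flipped at runtime from an environment variable, which static analysis of `settings.py` cannot see.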
PY-S6007: Use of both safe and unsafe HTTP methods for a view
An HTTP method is safe if it does not alter the state of the server, i.e. it performs a read-only operation. Allowing both safe and unsafe HTTP methods on a single view makes the application vulnerable to Cross-Site Request Forgery (CSRF). CSRF protections cover operations performed through unsafe HTTP methods; they do not help when a safe HTTP method is used for a route that can change the state of the application.
Examples:
For Django:
from django.views.decorators.http import require_http_methods
@require_http_methods(["GET", "POST"]) # Sensitive
def register(request):
    ...
For Flask:
import flask
from flask import Flask
app = Flask(__name__)
@app.route('/sensitive', methods=['GET', 'POST']) # Sensitive
def register():
    ...
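As an added example (not code from the changelog or the analyzer), here is a small AST-based check in the spirit of PY-S6007: it scans Python source for Django `@require_http_methods([...])` and Flask `@app.route(..., methods=[...])` decorators and reports views that accept both safe and unsafe methods. `SAMPLE_VIEWS` is a constructed source string combining the two snippets above with two views that split reads and writes correctly.

```python
import ast

# Methods that must not change server state (the "safe" methods of RFC 7231).
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}

# Constructed sample views for the demo; not code from any real project.
SAMPLE_VIEWS = '''
from django.views.decorators.http import require_http_methods
from flask import Flask
app = Flask(__name__)

@require_http_methods(["GET", "POST"])
def register(request):
    ...

@app.route("/sensitive", methods=["GET", "POST"])
def register_flask():
    ...

@app.route("/sensitive", methods=["POST"])
def register_submit():
    ...

@require_http_methods(["GET"])
def profile(request):
    ...
'''


def _string_list(node):
    """Return the upper-cased strings of a list/tuple literal, or None if it is not one."""
    if isinstance(node, (ast.List, ast.Tuple)) and all(
        isinstance(e, ast.Constant) and isinstance(e.value, str) for e in node.elts
    ):
        return [e.value.upper() for e in node.elts]
    return None


def declared_methods(decorator):
    """Return the HTTP methods a Django or Flask decorator declares, or None if it declares none."""
    if not isinstance(decorator, ast.Call):
        return None
    func = decorator.func
    # Django: @require_http_methods(["GET", "POST"])
    if isinstance(func, ast.Name) and func.id == "require_http_methods" and decorator.args:
        return _string_list(decorator.args[0])
    # Flask: @app.route("/path", methods=["GET", "POST"]); a route without methods= is GET-only
    if isinstance(func, ast.Attribute) and func.attr == "route":
        for kw in decorator.keywords:
            if kw.arg == "methods":
                return _string_list(kw.value)
    return None


def find_mixed_method_views(source):
    """Return [(view name, sorted methods)] for views that accept both safe and unsafe methods."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            continue
        for dec in node.decorator_list:
            methods = declared_methods(dec)
            if not methods:
                continue
            declared = set(methods)
            if declared & SAFE_METHODS and declared - SAFE_METHODS:
                findings.append((node.name, sorted(declared)))
    return findings


if __name__ == "__main__":
    for name, methods in find_mixed_method_views(SAMPLE_VIEWS):
        print(f"{name}: mixes safe and unsafe methods {methods}")
```

The fix the check points at is visible in the sample: `register_submit` handles only `POST`, so a separate GET-only view can render the form while every state change goes through a method the CSRF middleware protects.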
PY-A6006: Audit required: Configuring loggers can be security-sensitive
This issue highlights code that initiates logger configuration. Such code should be audited to make sure no sensitive information is being logged.
Example:
import logging
import os
from logging.config import fileConfig, dictConfig
config = {"version": 1, "disable_existing_loggers": False} # minimal dictConfig schema
logging.basicConfig(level=os.environ.get("LOG_LEVEL", "INFO"))
fileConfig(fname='file.conf', disable_existing_loggers=False) # Sensitive
dictConfig(config) # Sensitive
Since this is an audit issue, some occurrences may be harmless here. The goal is to bring the issue to your attention and ensure safe practices when logging information.
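One safe practice the audit can lead to is shown in this added example (not code from the changelog): a `dictConfig` setup whose handler carries a `logging.Filter` that redacts secret-looking values before any record is written. The key names in `SECRET_RE` and the logger name `app` are this example's assumptions; the log messages are constructed.

```python
import io
import logging
import logging.config
import re

# Matches "password=...", "token: ...", "api_key=..." (case-insensitive) and keeps the key and separator.
SECRET_RE = re.compile(r"(?i)\b(password|passwd|token|secret|api[_-]?key)(\s*[=:]\s*)(\S+)")


class RedactSecretsFilter(logging.Filter):
    """Rewrite the rendered message so secret-looking values never reach a handler."""

    def filter(self, record):
        record.msg = SECRET_RE.sub(r"\1\2[REDACTED]", record.getMessage())
        record.args = None  # the message is fully rendered now; nothing is left to interpolate
        return True


def configure_logging(stream):
    """Apply a dictConfig that routes the 'app' logger tree through the redaction filter to stream."""
    config = {
        "version": 1,
        "disable_existing_loggers": False,
        "filters": {"redact": {"()": RedactSecretsFilter}},
        "formatters": {"plain": {"format": "%(levelname)s %(name)s: %(message)s"}},
        "handlers": {
            "sink": {
                "class": "logging.StreamHandler",
                "stream": stream,
                "formatter": "plain",
                "filters": ["redact"],
            }
        },
        "loggers": {"app": {"handlers": ["sink"], "level": "INFO", "propagate": False}},
    }
    logging.config.dictConfig(config)


def log_and_capture(message, *args):
    """Log one record through the redacting configuration and return what the handler wrote."""
    stream = io.StringIO()
    configure_logging(stream)
    logging.getLogger("app.auth").info(message, *args)
    return stream.getvalue()


if __name__ == "__main__":
    # Constructed messages: the credential value is scrubbed, the rest of the line is kept.
    print(log_and_capture("login for %s with password=%s", "alice", "hunter2"), end="")
    print(log_and_capture("login for %s succeeded", "alice"), end="")
```

Attaching the filter to the handler rather than to one logger means every logger that ends up at that handler is covered, including third-party ones that `disable_existing_loggers=False` leaves enabled. A pattern list like this is a backstop, not a substitute for never passing credentials to the logger in the first place.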
New Autofixes
PYL-R1713 - Consider using Join
Before Autofix:
my_string = ""
for element in data:
    my_string = my_string + ", " + element
After Autofix:
my_string = ", ".join(data)
PYL-R1718 - Consider using Set comprehension
Before Autofix:
mapping = set([num for num in my_magic_nums])
After Autofix:
mapping = {num for num in my_magic_nums}
PY-S0900: Django app detected with DEBUG mode enabled
The autofix will disable debug mode for the Django application wherever it is enabled…
PY-S0909 - Missing Security Middleware
The autofix will add django.middleware.security.SecurityMiddleware to the middleware list.
Analyzer Improvements:
- Improved issue descriptions for the security and bug-risk categories.
- Suppressed PYL-E0105 for lines where PTC-W0025 or PTC-W0026 is raised.
- Fixed false positives for PY-D0003.
- Suppressed PTC-W0034 when attribute name is an invalid Python string.
Autofix Improvements:
- Fixed autofix failures in PYL-C0325 when there is no whitespace after return or yield.
- Fixed incorrect autofix for PY-C0325.