Blacklist various Python imports known to be dangerous
This blacklist data checks for a number of Python modules known to have possible security implications. The following blacklist tests are run against any import statements or calls encountered in the scanned code base.
Note that the XML rules listed here are mostly based on Christian Heimes' work on defusedxml: https://pypi.org/project/defusedxml/
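The following is an added example, not Bandit's own implementation, of the kind of check these tests perform: it walks a module's AST and matches plain `import` statements, `from ... import` statements and calls to `__import__()` / `importlib.import_module()` with a literal module name against a constructed subset of the blacklist on this page. The BLACKLIST table (only six of the entries below) and the SAMPLE source are assumptions made for the example.

```python
import ast

# Constructed subset of the blacklist on this page (test ID -> module names);
# it is not Bandit's own table and omits several entries.
BLACKLIST = {
    "B401": ("telnetlib",),
    "B402": ("ftplib",),
    "B403": ("pickle", "cPickle", "dill", "shelve"),
    "B404": ("subprocess",),
    "B405": ("xml.etree.ElementTree", "xml.etree.cElementTree"),
    "B411": ("xmlrpclib",),
}


def match_blacklist(module):
    """Return the test ID whose entry equals `module` or is a parent package of it, else None."""
    for test_id, names in BLACKLIST.items():
        for name in names:
            if module == name or module.startswith(name + "."):
                return test_id
    return None


def _imported_names(node):
    """Yield the fully qualified module names a node imports, for every import form the check must cover."""
    if isinstance(node, ast.Import):
        # import a.b.c [as x]
        for alias in node.names:
            yield alias.name
    elif isinstance(node, ast.ImportFrom) and node.module:
        # from a.b import c  -> check both 'a.b' and 'a.b.c'
        yield node.module
        for alias in node.names:
            yield f"{node.module}.{alias.name}"
    elif isinstance(node, ast.Call):
        # __import__("a.b") / importlib.import_module("a.b") with a literal name
        func = node.func
        if isinstance(func, ast.Name):
            callee = func.id
        elif isinstance(func, ast.Attribute):
            callee = func.attr
        else:
            callee = None
        if callee in ("__import__", "import_module") and node.args:
            first = node.args[0]
            if isinstance(first, ast.Constant) and isinstance(first.value, str):
                yield first.value


def scan(source):
    """Return (line, test_id, module) for every blacklisted import in `source`, ordered by line."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        for module in _imported_names(node):
            test_id = match_blacklist(module)
            if test_id:
                findings.append((node.lineno, test_id, module))
                break  # one finding per statement even if several names match
    return sorted(findings)


# Constructed sample input, not code from the page.
SAMPLE = """\
import telnetlib
from subprocess import run
import xml.etree.ElementTree as ET
import json
m = __import__("ftplib")
import importlib
p = importlib.import_module("pickle")
"""

if __name__ == "__main__":
    for line, test_id, module in scan(SAMPLE):
        print(f"{test_id} line {line}: {module}")
```

Matching on the package prefix is what makes `from xml.etree import ElementTree` and `import xml.etree.ElementTree as ET` land on the same test; a scanner that only compared whole names would miss the first form.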
B401: import_telnetlib
A telnet-related module is being imported. Telnet is considered insecure. Use SSH or some other encrypted protocol.
ID | Name | Imports | Severity |
---|---|---|---|
B401 | import_telnetlib | telnetlib | high |
B402: import_ftplib
An FTP-related module is being imported. FTP is considered insecure. Use SSH/SFTP/SCP or some other encrypted protocol.
ID | Name | Imports | Severity |
---|---|---|---|
B402 | import_ftplib | ftplib | high |
B403: import_pickle
Consider possible security implications associated with these modules. Unpickling data from an untrusted source (the same applies to shelve and dill, which are built on pickle) executes whatever callables the stream names, so treat it as code execution: use a data-only format such as JSON for untrusted input, or restrict the globals an Unpickler may resolve.
ID | Name | Imports | Severity |
---|---|---|---|
B403 | import_pickle | pickle, cPickle, dill, shelve | low |
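As an added illustration of why pickle is flagged (example code, not from Bandit or this page): a pickle stream can name any importable callable for the unpickler to invoke, so `pickle.loads()` on attacker-controlled bytes runs it before any validation. The allow-listing `find_class` override shown is the mitigation the pickle module documentation recommends under "Restricting Globals". The Payload class and both inputs are constructed for the example; `os.getcwd` stands in for the `os.system` call an attacker would actually use.

```python
import io
import os
import pickle


class Payload:
    """Constructed stand-in for a hostile pickle: __reduce__ tells the unpickler
    which callable to invoke on load. os.getcwd keeps the example harmless; an
    attacker would return os.system with a command string instead."""

    def __reduce__(self):
        return (os.getcwd, ())


# Constructed inputs: one hostile, one ordinary.
MALICIOUS = pickle.dumps(Payload())
BENIGN = pickle.dumps({"user": "alice", "roles": ["reader"]})


def naive_load(data):
    """What B403 flags: the callable embedded in the stream runs during loading."""
    return pickle.loads(data)


class RestrictedUnpickler(pickle.Unpickler):
    """Allow-list the globals a stream may reference; everything else is refused.
    Plain dicts, lists and strings use dedicated opcodes and never reach find_class."""

    ALLOWED = {("builtins", "set"), ("builtins", "frozenset")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def restricted_load(data):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def load_outcome(loader, data):
    """Run `loader` on `data` and classify what happened: 'executed' means the
    embedded callable ran (its result is the current directory), 'rejected'
    means the unpickler refused the stream, 'loaded' means ordinary data came back."""
    try:
        value = loader(data)
    except pickle.UnpicklingError:
        return "rejected"
    return "executed" if value == os.getcwd() else "loaded"


if __name__ == "__main__":
    for name, loader in (("pickle.loads", naive_load), ("restricted", restricted_load)):
        print(name, load_outcome(loader, MALICIOUS), load_outcome(loader, BENIGN))
```

The allow-list is deliberately tiny; in real code it should name exactly the application classes a stream is expected to carry, and even then only for data that never crosses a trust boundary.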
B404: import_subprocess
Consider possible security implications associated with this module. subprocess is flagged at low severity because importing it is not itself a problem; the risk is command injection when untrusted input is interpolated into a command string, above all with shell=True. Pass an argument list and avoid the shell where possible, and review each call site that the import enables.
ID | Name | Imports | Severity |
---|---|---|---|
B404 | import_subprocess | subprocess | low |
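An added example of the call-site problem this import points at (not code from Bandit or this page): the same attacker-controlled value is handed to a child process three ways, once interpolated into a `shell=True` string, once quoted with `shlex.quote` for the case where a shell is unavoidable, and once as an argv element with no shell. The UNTRUSTED value is constructed; the example assumes a POSIX `sh` for the shell forms and uses a Python child for the argv form so that it depends on no other binary.

```python
import json
import shlex
import subprocess
import sys

# Constructed attacker-controlled value: to a shell, ';' starts a second command.
UNTRUSTED = "report.txt; echo INJECTED"


def echo_via_shell(value):
    """What B404 wants reviewed: untrusted text interpolated into a shell=True string.
    Returns the lines the shell printed."""
    proc = subprocess.run(f"echo {value}", shell=True, capture_output=True, text=True)
    return proc.stdout.splitlines()


def echo_via_shell_quoted(value):
    """If a shell is unavoidable, shlex.quote turns the value into a single shell word."""
    proc = subprocess.run(
        f"echo {shlex.quote(value)}", shell=True, capture_output=True, text=True
    )
    return proc.stdout.splitlines()


def argv_seen_by_child(value):
    """Preferred form: an argv list and no shell. The child receives the value as
    exactly one argument; it echoes its argv back as JSON so we can inspect it."""
    proc = subprocess.run(
        [sys.executable, "-c", "import json, sys; print(json.dumps(sys.argv[1:]))", value],
        capture_output=True,
        text=True,
        check=True,
    )
    return json.loads(proc.stdout)


if __name__ == "__main__":
    print("shell=True       :", echo_via_shell(UNTRUSTED))
    print("shell + shlex    :", echo_via_shell_quoted(UNTRUSTED))
    print("argv list, no sh :", argv_seen_by_child(UNTRUSTED))
```

Only the first form runs the attacker's second command; the other two hand the whole string to the child as one argument, which is what a reviewer should look for at every subprocess call a scanner points at.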
B405: import_xml_etree
Using various methods to parse untrusted XML data is known to be vulnerable to XML attacks. Replace vulnerable imports with the equivalent defusedxml package, or make sure defusedxml.defuse_stdlib() is called.
ID | Name | Imports | Severity |
---|---|---|---|
B405 | import_xml_etree | xml.etree.cElementTree, xml.etree.ElementTree | low |
B406: import_xml_sax
Using various methods to parse untrusted XML data is known to be vulnerable to XML attacks. Replace vulnerable imports with the equivalent defusedxml package, or make sure defusedxml.defuse_stdlib() is called.
ID | Name | Imports | Severity |
---|---|---|---|
B406 | import_xml_sax | xml.sax | low |
B407: import_xml_expat
Using various methods to parse untrusted XML data is known to be vulnerable to XML attacks. Replace vulnerable imports with the equivalent defusedxml package, or make sure defusedxml.defuse_stdlib() is called.
ID | Name | Imports | Severity |
---|---|---|---|
B407 | import_xml_expat | xml.dom.expatbuilder | low |
B408: import_xml_minidom
Using various methods to parse untrusted XML data is known to be vulnerable to XML attacks. Replace vulnerable imports with the equivalent defusedxml package, or make sure defusedxml.defuse_stdlib() is called.
ID | Name | Imports | Severity |
---|---|---|---|
B408 | import_xml_minidom | xml.dom.minidom | low |
B409: import_xml_pulldom
Using various methods to parse untrusted XML data is known to be vulnerable to XML attacks. Replace vulnerable imports with the equivalent defusedxml package, or make sure defusedxml.defuse_stdlib() is called.
ID | Name | Imports | Severity |
---|---|---|---|
B409 | import_xml_pulldom | xml.dom.pulldom | low |
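One added example serves B405 through B409 (it is not code from this page or from defusedxml): every module in those tests sits on top of the expat parser, and defusedxml's hardening is the same trick applied to each of them, raising from expat's declaration handlers so that entity bombs and external entity references are refused before they expand. B411's `monkey_patch()` installs the same handlers on the parser xmlrpc uses. The two documents below are constructed and deliberately tiny (the "laughs" bomb expands to only 3000 characters); the keyword defaults of `hardened_text` mirror defusedxml's `forbid_dtd=False, forbid_entities=True, forbid_external=True`.

```python
import xml.parsers.expat

# Constructed "laughs" document: three nested entities, ten references each,
# so &lol3; expands to 1000 copies of "lol" (3000 characters) from ~350 bytes of input.
LAUGHS = b"""<?xml version="1.0"?>
<!DOCTYPE bomb [
  <!ENTITY lol "lol">
  <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
  <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
  <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
]>
<bomb>&lol3;</bomb>"""

# Constructed external-entity (XXE) document; the hardened parser refuses the
# reference, so the named file is never opened.
XXE = b"""<?xml version="1.0"?>
<!DOCTYPE x [ <!ENTITY leak SYSTEM "file:///etc/hostname"> ]>
<x>&leak;</x>"""

BENIGN = b"<note><to>ops</to></note>"


class ForbiddenXML(ValueError):
    """Raised when a document uses a construct the hardened parser refuses."""


def _text_of(parser, doc):
    """Parse `doc` with `parser` and return the concatenated character data."""
    chunks = []
    parser.CharacterDataHandler = chunks.append
    parser.Parse(doc, True)
    return "".join(chunks)


def naive_text(doc):
    """Stock expat behaviour: internal entities are expanded without any limit."""
    return _text_of(xml.parsers.expat.ParserCreate(), doc)


def hardened_text(doc, forbid_dtd=False, forbid_entities=True, forbid_external=True):
    """Refuse entity declarations and external references (and optionally any DTD)
    by raising from expat's declaration handlers. An exception raised inside a
    handler aborts Parse() and propagates to the caller."""
    parser = xml.parsers.expat.ParserCreate()

    def forbid(what):
        def handler(*args):
            raise ForbiddenXML(f"{what} not allowed")
        return handler

    if forbid_dtd:
        parser.StartDoctypeDeclHandler = forbid("DTD")
    if forbid_entities:
        parser.EntityDeclHandler = forbid("entity declaration")
        parser.UnparsedEntityDeclHandler = forbid("unparsed entity declaration")
    if forbid_external:
        parser.ExternalEntityRefHandler = forbid("external entity reference")
    return _text_of(parser, doc)


def classify(doc, **options):
    """Summarise the hardened parser's verdict on `doc` as a short string."""
    try:
        return f"ok:{len(hardened_text(doc, **options))}"
    except ForbiddenXML as exc:
        return f"refused:{exc}"


if __name__ == "__main__":
    print("naive expansion of LAUGHS:", len(naive_text(LAUGHS)), "characters")
    for name, doc in (("LAUGHS", LAUGHS), ("XXE", XXE), ("BENIGN", BENIGN)):
        print(f"hardened {name}:", classify(doc))
```

Adding one more nesting level to LAUGHS multiplies the expansion by ten again, which is the whole point of the attack: the cost is decided by the document, not by its size. Refusing entity declarations outright, as the defaults do, removes the decision from the attacker.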
B410: import_lxml
Using various methods to parse untrusted XML data is known to be vulnerable to XML attacks. Replace vulnerable imports with the equivalent defusedxml package.
ID | Name | Imports | Severity |
---|---|---|---|
B410 | import_lxml | lxml | low |
B411: import_xmlrpclib
XMLRPC is particularly dangerous as it is also concerned with communicating data over a network. Use the defusedxml.xmlrpc.monkey_patch() function to monkey-patch xmlrpclib and mitigate remote XML attacks.
ID | Name | Imports | Severity |
---|---|---|---|
B411 | import_xmlrpclib | xmlrpclib | high |
B412: import_httpoxy
httpoxy is a set of vulnerabilities that affect application code running in CGI, or CGI-like environments. CGI copies every request header into an environment variable named HTTP_<HEADER>, so a client-supplied "Proxy:" header becomes HTTP_PROXY, which proxy-aware HTTP client libraries read to decide where to send outbound requests. The use of CGI for web applications should be avoided to prevent this class of attack. More details are available at https://httpoxy.org/.
ID | Name | Imports | Severity |
---|---|---|---|
B412 | import_httpoxy | wsgiref.handlers.CGIHandler, twisted.web.twcgi.CGIScript, twisted.web.twcgi.CGIDirectory | high |
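An added example of the header-to-environment step that makes httpoxy possible (not code from this page, Bandit or httpoxy.org): a constructed set of request headers is mapped to CGI meta-variables the way a gateway does, and the resulting environment is shown to two clients, a naive one that trusts HTTP_PROXY unconditionally and `urllib.request.getproxies_environment()`, which since the CVE-2016-1000110 fix ignores HTTP_PROXY whenever REQUEST_METHOD is present (a lowercase `http_proxy`, which no request header can produce under CGI's uppercasing, is still honoured). The REQUEST_HEADERS and proxy addresses are constructed; `os.environ` is patched and restored around each lookup.

```python
import os
from unittest import mock
from urllib.request import getproxies_environment

# Constructed request headers as a CGI gateway would receive them; the last one
# is attacker-supplied and has no legitimate meaning in a request.
REQUEST_HEADERS = {
    "Host": "app.example",
    "User-Agent": "curl/8.0",
    "Proxy": "http://attacker.example:8080",
}


def cgi_environment(headers, method="GET"):
    """Map request headers to CGI meta-variables: each header becomes
    HTTP_<NAME> with dashes replaced by underscores and the name uppercased,
    so 'Proxy: x' turns into HTTP_PROXY=x."""
    env = {"REQUEST_METHOD": method, "GATEWAY_INTERFACE": "CGI/1.1"}
    for name, value in headers.items():
        env["HTTP_" + name.upper().replace("-", "_")] = value
    return env


def naive_proxy(env):
    """The pre-httpoxy client behaviour: use HTTP_PROXY (or http_proxy) as given."""
    return env.get("HTTP_PROXY") or env.get("http_proxy")


def proxies_seen_by_urllib(env):
    """What urllib.request would use for outbound requests under exactly `env`."""
    with mock.patch.dict(os.environ, env, clear=True):
        return getproxies_environment()


if __name__ == "__main__":
    env = cgi_environment(REQUEST_HEADERS)
    print("HTTP_PROXY in CGI env :", env.get("HTTP_PROXY"))
    print("naive client proxy    :", naive_proxy(env))
    print("urllib proxies        :", proxies_seen_by_urllib(env))
```

The naive client is steered to the attacker's host by a single request header; urllib is not, but only because it special-cases REQUEST_METHOD, and other HTTP clients and languages each needed their own fix. Not running application code under CGI removes the problem at the source, which is why the test fires on the CGI handler imports.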
B413: import_pycrypto
The pycrypto library has a publicly disclosed buffer overflow vulnerability (https://github.com/dlitz/pycrypto/issues/176). It is no longer actively maintained and has been deprecated in favor of the pyca/cryptography library.
ID | Name | Imports | Severity |
---|---|---|---|
B413 | import_pycrypto | Crypto.Cipher, Crypto.Hash, Crypto.IO, Crypto.Protocol, Crypto.PublicKey, Crypto.Random, Crypto.Signature, Crypto.Util | high |
B414: import_pycryptodome
This import blacklist has been removed. The information here has been left for historical purposes.
pycryptodome is a direct fork of pycrypto that has not fully addressed the issues inherent in PyCrypto. It seems to exist mainly as an API-compatible continuation of pycrypto and should be deprecated in favor of pyca/cryptography, which has more support among the Python community.
ID | Name | Imports | Severity |
---|---|---|---|
B414 | import_pycryptodome | Cryptodome.Cipher, Cryptodome.Hash, Cryptodome.IO, Cryptodome.Protocol, Cryptodome.PublicKey, Cryptodome.Random, Cryptodome.Signature, Cryptodome.Util | high |