From 83b1f36103866fb80d11be7dcc33f8edc858c9de Mon Sep 17 00:00:00 2001
From: elsapet
Date: Thu, 30 May 2024 17:33:06 +0200
Subject: [PATCH] feat(python): vulnerable pillow version
---
 rules/python/third_parties/pillow.yml | 30 ++++++++++++++++
 tests/python/third_parties/pillow/test.js | 36 +++++++++++++++++++
 .../pillow/testdata/insecure/insecure.py | 2 ++
 .../pillow/testdata/insecure/requirements.txt | 1 +
 .../secure_dependency/requirements.txt | 1 +
 .../secure_dependency/secure_dependency.py | 1 +
 .../secure_no_dependency/requirements.txt | 1 +
 .../secure_no_dependency.py | 2 ++
 8 files changed, 74 insertions(+)
 create mode 100644 rules/python/third_parties/pillow.yml
 create mode 100644 tests/python/third_parties/pillow/test.js
 create mode 100644 tests/python/third_parties/pillow/testdata/insecure/insecure.py
 create mode 100644 tests/python/third_parties/pillow/testdata/insecure/requirements.txt
 create mode 100644 tests/python/third_parties/pillow/testdata/secure_dependency/requirements.txt
 create mode 100644 tests/python/third_parties/pillow/testdata/secure_dependency/secure_dependency.py
 create mode 100644 tests/python/third_parties/pillow/testdata/secure_no_dependency/requirements.txt
 create mode 100644 tests/python/third_parties/pillow/testdata/secure_no_dependency/secure_no_dependency.py
diff --git a/rules/python/third_parties/pillow.yml b/rules/python/third_parties/pillow.yml
new file mode 100644
index 00000000..166f149a
--- /dev/null
+++ b/rules/python/third_parties/pillow.yml
@@ -0,0 +1,30 @@
+patterns:
+  - import pillow
+  - from pillow import $<_>
+dependency_check: true
+dependency:
+  name: pillow
+  min_version: 6.2.1
+  filename: requirements.txt
+languages:
+  - python
+severity: medium
+metadata:
+  description: Usage of vulnerable Pillow library
+  remediation_message: |
+    ## Description
+
+    A vulnerability was identified in Pillow versions less than 6.2.2, meaning that the library may allocate excessive memory, or have unusually long time processing times, when processing certain (specially crafted, malformed) image files.
+
+    ## Remediations
+
+    - **Do** ensure that your application uses version 6.2.2 or greater of Pillow.
+
+    ## References
+
+    - [Pillow documentation](https://pillow.readthedocs.io/en/stable/)
+    - [NIST detail for vulnerability](https://nvd.nist.gov/vuln/detail/CVE-2019-16865)
+  cwe_id:
+    - 770
+  id: python_third_parties_pillow
+  documentation_url: https://docs.bearer.com/reference/rules/python_third_parties_pillow
diff --git a/tests/python/third_parties/pillow/test.js b/tests/python/third_parties/pillow/test.js
new file mode 100644
index 00000000..ce409e27
--- /dev/null
+++ b/tests/python/third_parties/pillow/test.js
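Review bot: The version bound in the rule body contradicts the text the rule emits: `min_version: 6.2.1` lets a pinned 6.2.1 pass as safe, while the remediation_message says versions "less than 6.2.2" are affected and tells the user to move to "6.2.2 or greater", so one of the two is wrong and should be aligned against the advisory linked under References (either `min_version: 6.2.2`, or reword the message if 6.2.1 is the real fixed release); whether `min_version` is compared inclusively is not visible here and is worth confirming at the same time. Separately, Pillow is installed as the `pillow` distribution but imported under the `PIL` package name (`import PIL`, `from PIL import Image`), so the `patterns` entries `import pillow` and `from pillow import $<_>` will not match real application code; the entries should read `import PIL` and `from PIL import $<_>` (plus `import PIL.$<_>` if submodule imports are to be caught). The fixtures in this commit also write `import pillow`, which is why the tests pass without exercising the import form users actually write.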
@@ -0,0 +1,36 @@
+const {
+  createNewInvoker,
+  getEnvironment,
+} = require("../../../helper.js")
+const { ruleId, ruleFile, testBase } = getEnvironment(__dirname)
+
+describe(ruleId, () => {
+  const invoke = createNewInvoker(ruleId, ruleFile, testBase)
+
+  test("insecure", () => {
+    const testCase = "insecure"
+
+    const results = invoke(testCase)
+
+    expect(results.Missing).toEqual([])
+    expect(results.Extra).toEqual([])
+  })
+
+  test("secure", () => {
+    const testCase = "secure_dependency"
+
+    const results = invoke(testCase)
+
+    expect(results.Missing).toEqual([])
+    expect(results.Extra).toEqual([])
+  })
+
+  test("secure_dependency", () => {
+    const testCase = "secure_no_dependency"
+
+    const results = invoke(testCase)
+
+    expect(results.Missing).toEqual([])
+    expect(results.Extra).toEqual([])
+  })
+})
\ No newline at end of file
diff --git a/tests/python/third_parties/pillow/testdata/insecure/insecure.py b/tests/python/third_parties/pillow/testdata/insecure/insecure.py
new file mode 100644
index 00000000..d5a0da92
--- /dev/null
+++ b/tests/python/third_parties/pillow/testdata/insecure/insecure.py
@@ -0,0 +1,2 @@
+# bearer:expected python_third_parties_pillow
+import pillow
\ No newline at end of file
diff --git a/tests/python/third_parties/pillow/testdata/insecure/requirements.txt b/tests/python/third_parties/pillow/testdata/insecure/requirements.txt
new file mode 100644
index 00000000..05ed06ff
--- /dev/null
+++ b/tests/python/third_parties/pillow/testdata/insecure/requirements.txt
@@ -0,0 +1 @@
+pillow=6.2.0
\ No newline at end of file
diff --git a/tests/python/third_parties/pillow/testdata/secure_dependency/requirements.txt b/tests/python/third_parties/pillow/testdata/secure_dependency/requirements.txt
new file mode 100644
index 00000000..4f2331cb
--- /dev/null
+++ b/tests/python/third_parties/pillow/testdata/secure_dependency/requirements.txt
@@ -0,0 +1 @@
+pillow=6.2.2
\ No newline at end of file
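Review bot: The names of the second and third `test(...)` calls do not match the fixture each one runs — `test("secure", ...)` invokes `secure_dependency` and `test("secure_dependency", ...)` invokes `secure_no_dependency` — so a failure would be reported under the wrong case; rename them to `test("secure_dependency", ...)` and `test("secure_no_dependency", ...)`. The fixtures also never touch the version boundary: 6.2.0 and 6.2.2 produce the same verdict whether the rule's bound is 6.2.1 or 6.2.2, so a fourth fixture pinned to 6.2.1, with the expected outcome chosen to match the rule's intended bound, would actually pin the threshold. Since the three bodies are identical apart from the case name, a `test.each(["insecure", "secure_dependency", "secure_no_dependency"])(...)` would remove the copy-paste that produced the mislabel.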
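Review bot: `pillow=6.2.0` is not a pip requirement specifier — pip pins with `==` — so this fixture only works if the rule's requirements.txt parser is deliberately lenient about a single `=`, which is not visible in this commit. If the parser follows pip syntax the line is silently unparsed and the "insecure" case would pass for a different reason than intended; write `pillow==6.2.0` here (and `==6.2.2` in the secure_dependency fixture) so the fixtures match what real projects contain, or add a second fixture in the lenient form if that is a supported input.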
diff --git a/tests/python/third_parties/pillow/testdata/secure_dependency/secure_dependency.py b/tests/python/third_parties/pillow/testdata/secure_dependency/secure_dependency.py
new file mode 100644
index 00000000..feab093e
--- /dev/null
+++ b/tests/python/third_parties/pillow/testdata/secure_dependency/secure_dependency.py
@@ -0,0 +1 @@
+import pillow
\ No newline at end of file
diff --git a/tests/python/third_parties/pillow/testdata/secure_no_dependency/requirements.txt b/tests/python/third_parties/pillow/testdata/secure_no_dependency/requirements.txt
new file mode 100644
index 00000000..05ed06ff
--- /dev/null
+++ b/tests/python/third_parties/pillow/testdata/secure_no_dependency/requirements.txt
@@ -0,0 +1 @@
+pillow=6.2.0
\ No newline at end of file
diff --git a/tests/python/third_parties/pillow/testdata/secure_no_dependency/secure_no_dependency.py b/tests/python/third_parties/pillow/testdata/secure_no_dependency/secure_no_dependency.py
new file mode 100644
index 00000000..fdccdd32
--- /dev/null
+++ b/tests/python/third_parties/pillow/testdata/secure_no_dependency/secure_no_dependency.py
@@ -0,0 +1,2 @@
+# not importing the dodgy library
+import world from hello
\ No newline at end of file
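Review bot: `import world from hello` is not valid Python — the import-from form is `from hello import world` — so this negative fixture is a syntax error rather than a Python file that merely does not import Pillow. How the scanner treats an unparseable file is not visible in this commit; if it skips or partially parses it, the "secure_no_dependency" case passes for the wrong reason and would not catch a pattern that over-matches. Replace the line with `from hello import world` (any parseable import that is not Pillow will do) so the negative case exercises the rule against a real parsed file.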