feat(python): extend and add rules following benchmarking #452

elsapet · 2024-06-14T14:51:31Z

Description

Some fixes, changes and additions to the Python rules following benchmarking, including:

Trigger on external input (not just user input) for code injection rule
Fix missing secure / httponly cookie rules
Adding some additional libraries or methods to existing rules
Add mark_safe and __html__ magic method rule (Django - they skip HTML escaping)
Add avoid pickle rule (it is vulnerable to XXE)
Add missing JWT verification rule

If this is your first time contributing please sign the CLA

elsapet added 14 commits June 12, 2024 12:14

feat(python): extend CWE 918 rule to include Django http location

6ab6e56

feat(python): extend CWE 94 rule to include import methods

715bc37

feat(python): extend user input shared rule to include stdin methods

f3ff49f

feat(python): add CWE 347 rule (jwt verification missing)

690dd7f

feat(python/django): add additional CWE 79 rule (usage of mark_safe)

1225454

feat(python): expand CWE 319 websocket rule

d45a264

feat(python): expand CWE 94 code injection rule

9378b74

feat(python): expand CWE 89 SQL injection rule

b619ffc

feat(python): expand CWE 532 logger rule

fa6f414

feat(python): add html magic method rule (CWE-79)

3ecc1e4

feat(python): extend allow-origin rules

0550f14

feat(python): add avoid pickle rule (CWE-501)

7c0d5c4

fix(python): code injection concerns extenral input

852f2bf

fix(python): cookie settings rules

300d6f1

elsapet requested a review from didroe June 14, 2024 14:51

elsapet added 2 commits June 14, 2024 17:13

fix: linter

6920f9d

fix: update tests following changes

e5ca5a4

elsapet force-pushed the feat/python/extend-and-add-rules branch from 9867b06 to e5ca5a4 Compare June 14, 2024 15:31

didroe approved these changes Jun 17, 2024

View reviewed changes

elsapet merged commit 483d3e9 into main Jun 18, 2024
25 checks passed

elsapet deleted the feat/python/extend-and-add-rules branch June 18, 2024 07:07