bandit
Use Semgrep as a universal linter to identify vulnerabilities in your code base with the bandit (https://github.com/PyCQA/bandit) rule pack.
Run Locally
Rules (112)

Detected a Jinja2 environment without autoescaping. Jinja2 does not autoescape by default. This is dangerous if you are rendering to a browser because this allows for cross-site scripting (XSS) attacks. If you are in a web context, enable autoescaping by setting 'autoescape=True.' You may also consider using 'jinja2.select_autoescape()' to only enable automatic escaping for certain file extensions.

Certificate verification has been explicitly disabled. This permits insecure connections to insecure servers. Re-enable certification validation.

Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable as a cryptographic signature. Use SHA256 or SHA3 instead.

The Python documentation recommends using `defusedxml` instead of `xml` because the native Python `xml` library is vulnerable to XML External Entity (XXE) attacks. These attacks can leak confidential data and "XML bombs" can cause denial of service.

Avoid using `pickle`, which is known to lead to code execution vulnerabilities. When unpickling, the serialized data could be manipulated to run arbitrary code. Instead, consider serializing the relevant data as JSON or a similar text-based serialization format.

Detected a dynamic value being used with urllib. urllib supports 'file://' schemes, so a dynamic value controlled by a malicious actor may allow them to read arbitrary files. Audit uses of urllib calls to ensure user data cannot control the URLs, or consider using the 'requests' library instead.

'mark_safe()' is used to mark a string as "safe" for HTML output. This disables escaping and could therefore subject the content to XSS attacks. Use 'django.utils.html.format_html()' to build HTML for rendering instead.

Detected the use of eval(). eval() can be dangerous if used to evaluate dynamic content. If this content can be input from outside the program, this may be a code injection vulnerability. Ensure evaluated content is not definable by external sources.

Found 'subprocess' function '$FUNC' with 'shell=True'. This is dangerous because this call will spawn the command using a shell process. Doing so propagates current shell settings and variables, which makes it much easier for a malicious actor to execute commands. Use 'shell=False' instead.

Detected possible formatted SQL query. Use parameterized queries instead.

Insecure XML parsing functionality, prefer 'defusedxml'
Use of assert detected. The enclosed code will be removed when compiling to optimised byte code.
The use of `exec` is risky.
Chmod setting a permissive mask on file.
Running `socket.bind` to 0.0.0.0, ::, or empty string could unexpectedly expose the server publicly as it binds to all available interfaces. Consider instead getting correct address from an environment variable or configuration file.
Possible hardcoded password
Possible hardcoded password
Hardcoded password is used as a default argument to '$FUNC'. This could be dangerous if a real password is not supplied.
Detected hardcoded temp directory. Consider using 'tempfile.TemporaryFile' instead.
Probable insecure usage of temp file/directory.
Try, Except, Pass
Try, Except, Continue
Detected Flask app with debug=True. Do not deploy to production with this flag enabled as it will leak sensitive information. Instead, consider using Flask configuration variables or setting 'debug' using system environment variables.
Avoid using `pickle`, which is known to lead to code execution vulnerabilities. When unpickling, the serialized data could be manipulated to run arbitrary code. Instead, consider serializing the relevant data as JSON or a similar text-based serialization format.
Avoid using `cPickle`, which is known to lead to code execution vulnerabilities. When unpickling, the serialized data could be manipulated to run arbitrary code. Instead, consider serializing the relevant data as JSON or a similar text-based serialization format.
Avoid using `dill`, which uses `pickle`, which is known to lead to code execution vulnerabilities. When unpickling, the serialized data could be manipulated to run arbitrary code. Instead, consider serializing the relevant data as JSON or a similar text-based serialization format.
Avoid using `shelve`, which uses `pickle`, which is known to lead to code execution vulnerabilities. When unpickling, the serialized data could be manipulated to run arbitrary code. Instead, consider serializing the relevant data as JSON or a similar text-based serialization format.
The marshal module is not intended to be secure against erroneous or maliciously constructed data. Never unmarshal data received from an untrusted or unauthenticated source. See more details: https://docs.python.org/3/library/marshal.html?highlight=security
Detected MD5 hash algorithm which is considered insecure. MD5 is not collision resistant and is therefore not suitable as a cryptographic signature. Use SHA256 or SHA3 instead.
Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable as a cryptographic signature. Use SHA256 or SHA3 instead.
Detected MD2 hash algorithm which is considered insecure. This algorithm has many known vulnerabilities and has been deprecated. Use SHA256 or SHA3 instead.
Detected MD4 hash algorithm which is considered insecure. This algorithm has many known vulnerabilities and has been deprecated. Use SHA256 or SHA3 instead.
Detected MD5 hash algorithm which is considered insecure. MD5 is not collision resistant and is therefore not suitable as a cryptographic signature. Use SHA256 or SHA3 instead.
Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable as a cryptographic signature. Use SHA256 or SHA3 instead.
Detected MD5 hash algorithm which is considered insecure. MD5 is not collision resistant and is therefore not suitable as a cryptographic signature. Use SHA256 or SHA3 instead.
Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable as a cryptographic signature. Use SHA256 or SHA3 instead.
Detected MD2 hash algorithm which is considered insecure. This algorithm has many known vulnerabilities and has been deprecated. Use SHA256 or SHA3 instead.
Detected RC4 cipher algorithm which is considered insecure. The algorithm has many known vulnerabilities. Use AES instead.
Detected Blowfish cipher algorithm which is considered insecure. The algorithm has many known vulnerabilities. Use AES instead.
Detected IDEA cipher algorithm which is considered insecure. The algorithm is considered weak and has been deprecated. Use AES instead.
Detected MD4 hash algorithm which is considered insecure. This algorithm has many known vulnerabilities and has been deprecated. Use SHA256 or SHA3 instead.
Detected MD5 hash algorithm which is considered insecure. MD5 is not collision resistant and is therefore not suitable as a cryptographic signature. Use SHA256 or SHA3 instead.
Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable as a cryptographic signature. Use SHA256 or SHA3 instead.
Detected RC2 cipher algorithm which is considered insecure. The algorithm has known vulnerabilities and is difficult to use securely. Use AES instead.
Detected RC4 cipher algorithm which is considered insecure. The algorithm has many known vulnerabilities. Use AES instead.
Detected Blowfish cipher algorithm which is considered insecure. The algorithm has many known vulnerabilities. Use AES instead.
Detected DES cipher algorithm which is considered insecure. The algorithm is considered weak and has been deprecated. Use AES instead.
Detected XOR cipher algorithm which is considered insecure. This algorithm is not cryptographically secure and can be reversed easily. Use AES instead.
Detected ECB cipher mode which is considered insecure. The algorithm can potentially leak information about the plaintext. Use CBC mode instead.
Use tempfile.NamedTemporaryFile instead. From the official Python documentation: THIS FUNCTION IS UNSAFE AND SHOULD NOT BE USED. The file name may refer to a file that did not exist at some point, but by the time you get around to creating it, someone else may have beaten you to the punch.
Detected the use of eval(). eval() can be dangerous if used to evaluate dynamic content. If this content can be input from outside the program, this may be a code injection vulnerability. Ensure evaluated content is not definable by external sources. Consider using safer ast.literal_eval.
'mark_safe()' is used to mark a string as "safe" for HTML output. This disables escaping and could therefore subject the content to XSS attacks. Use 'django.utils.html.format_html()' to build HTML for rendering instead.
The HTTPSConnection API has changed frequently with minor releases of Python. Ensure you are using the API for your version of Python securely. For example, Python 3 versions prior to 3.4.3 will not verify SSL certificates by default. See https://docs.python.org/3/library/http.client.html#http.client.HTTPSConnection for more information.
Detected a dynamic value being used with urllib. urllib supports 'file://' schemes, so a dynamic value controlled by a malicious actor may allow them to read arbitrary files. Audit uses of urllib calls to ensure user data cannot control the URLs, or consider using the 'requests' library instead.
Detected a dynamic value being used with urllib. urllib supports 'file://' schemes, so a dynamic value controlled by a malicious actor may allow them to read arbitrary files. Audit uses of urllib calls to ensure user data cannot control the URLs, or consider using the 'requests' library instead.
Standard pseudo-random generators are not suitable for security/cryptographic purposes.
Telnet does not encrypt communications. Use SSH instead.
Found use of the native Python XML libraries, which is vulnerable to XML external entity (XXE) attacks. The Python documentation recommends the 'defusedxml' library instead. Use 'defusedxml'. See https://github.com/tiran/defusedxml for more information.
Insecure XML parsing functionality, prefer `defusedxml`
FTP does not encrypt communications by default. This can lead to sensitive data being exposed. Ensure use of FTP here does not expose sensitive data.
Unverified SSL context detected. This will permit insecure connections without verifying SSL certificates. Use 'ssl.create_default_context()' instead.
Detected use of an insecure MD4 or MD5 hash function. These functions have known vulnerabilities and are considered deprecated. Consider using 'SHA256' or a similar function instead.
The Python 'os' tempnam|tmpnam functions are vulnerable to symlink attacks
Telnet-related functions are being called. Telnet is considered insecure. Use SSH or some other encrypted protocol.
functions are being called. FTP is considered insecure. Use SSH/SFTP/SCP or some other encrypted protocol
Consider possible security implications associated with pickle module.
Consider possible security implications associated with subprocess module.
Consider possible security implications associated with xmlrpclib module.
Consider possible security implications associated with httpoxy module.
Consider possible security implications associated with pycrypto module.
Certificate verification has been explicitly disabled. This permits insecure connections to insecure servers. Re-enable certification validation.
An insecure SSL version was detected. TLS versions 1.0, 1.1, and all SSL versions are considered weak encryption and are deprecated. Use 'ssl.PROTOCOL_TLSv1_2' or higher.
ssl.wrap_socket call with no SSL/TLS protocol version specified, the default SSLv23 could be insecure, possible security issue.
Detected an insufficient key size for DSA. NIST recommends a key size of 2048 or higher.
Detected an insufficient curve size for EC. NIST recommends a key size of 224 or higher. For example, use 'ec.SECP256R1'.
Avoid using `load()`. `PyYAML.load` can create arbitrary Python objects. A malicious actor could exploit this to run arbitrarycode. Use `safe_load()` instead. It is recommended to use `SafeLoader` when loading yaml.
Detected a paramiko host key policy that implicitly trusts a server's host key. Host keys should be verified to ensure the connection is not to a malicious server. Use RejectPolicy or a custom subclass instead.
Unverified SSL context detected. This will permit insecure connections without verifying SSL certificates. Use 'ssl.create_default_context()' instead.
Found 'subprocess' function '$FUNC' with 'shell=True'. This is dangerous because this call will spawn the command using a shell process. Doing so propagates current shell settings and variables, which makes it much easier for a malicious actor to execute commands. Use 'shell=False' instead.
Python possesses many mechanisms to invoke an external executable. However, doing so may present a security issue if appropriate care is not taken to sanitize any user provided or variable input. This plugin test is part of a family of tests built to check for process spawning and warn appropriately. Specifically, this test looks for the spawning of a subprocess without the use of a command shell. This type of subprocess invocation is not vulnerable to shell injection attacks, but care should still be taken to ensure validity of input.
subprocess call - check for execution of untrusted input
Starting a process with a shell: Seems safe, but may be changed in the future, consider rewriting without shell
Found dynamic content when spawning a process. This is dangerous if external data can reach this function call because it allows a malicious actor to execute commands. Ensure no external data reaches here.
Starting a process with a shell; seems safe, but may be changed in the future, consider rewriting without shell
Detected possible formatted SQL query. Use parameterized queries instead.
Detected use of the wildcard character in a system call that spawns a shell. This subjects the wildcard to normal shell expansion, which can have unintended consequences if there exist any non-standard file names. Consider a file named '-e sh script.sh' -- this will execute a script when 'rsync' is called. See https://www.defensecode.com/public/DefenseCode_Unix_WildCards_Gone_Wild.txt for more information.
This is a last resort. You should be careful when using `QuerySet.extra` due to SQLi.
You should be very careful whenever you write raw SQL. Consider using Django ORM before raw SQL. See https://docs.djangoproject.com/en/3.0/topics/db/sql/#passing-parameters-into-raw
Detected a Jinja2 environment without autoescaping. Jinja2 does not autoescape by default. This is dangerous if you are rendering to a browser because this allows for cross-site scripting (XSS) attacks. If you are in a web context, enable autoescaping by setting 'autoescape=True.' You may also consider using 'jinja2.select_autoescape()' to only enable automatic escaping for certain file extensions.
Mako templates do not provide a global HTML escaping mechanism. This means you must escape all sensitive data in your templates using '| u' for URL escaping or '| h' for HTML escaping. If you are using Mako to serve web content, consider using a system such as Jinja2 which enables global escaping.
'mark_safe()' is used to mark a string as "safe" for HTML output. This disables escaping and could therefore subject the content to XSS attacks. Use 'django.utils.html.format_html()' to build HTML for rendering instead.
Detected hardcoded temp directory. Consider using 'tempfile.TemporaryFile' instead.
Requests call without timeout can cause your program to hang indefinitely.
tarfile.extractall used without any validation. You should check members and discard dangerous ones.
Found use of the native Python XML libraries, which is vulnerable to XML external entity (XXE) attacks. The Python documentation recommends the `defusedxml` library instead. Use 'defusedxml'. See https://github.com/tiran/defusedxml for more information.
Found use of the native Python XML libraries, which is vulnerable to XML external entity (XXE) attacks. The Python documentation recommends the `defusedxml` library instead. Use 'defusedxml'. See https://github.com/tiran/defusedxml for more information.
Insecure XML parsing functionality, prefer `defusedxml`
Insecure XML parsing functionality, prefer `defusedxml`
Found use of the native Python XML libraries, which is vulnerable to XML external entity (XXE) attacks. The Python documentation recommends the `defusedxml` library instead. Use 'defusedxml'. See https://github.com/tiran/defusedxml for more information.
Found use of the native Python XML libraries, which is vulnerable to XML external entity (XXE) attacks. The Python documentation recommends the `defusedxml` library instead. Use 'defusedxml'. See https://github.com/tiran/defusedxml for more information.
Found use of the native Python XML libraries, which is vulnerable to XML external entity (XXE) attacks. The Python documentation recommends the `defusedxml` library instead. Use 'defusedxml'. See https://github.com/tiran/defusedxml for more information.
Consider possible security implications associated with etree module.
Using various methods to parse untrusted XML data is known to be vulnerable to XML attacks. Replace vulnerable imports with the equivalent defusedxml package, or make sure defusedxml.defuse_stdlib() is called.
Using various methods to parse untrusted XML data is known to be vulnerable to XML attacks. Replace vulnerable imports with the equivalent defusedxml package, or make sure defusedxml.defuse_stdlib() is called.
Using various methods to parse untrusted XML data is known to be vulnerable to XML attacks. Replace vulnerable imports with the equivalent defusedxml package, or make sure defusedxml.defuse_stdlib() is called.
Using various methods to parse untrusted XML data is known to be vulnerable to XML attacks. Replace vulnerable imports with the equivalent defusedxml package, or make sure defusedxml.defuse_stdlib() is called.
Using various methods to parse untrusted XML data is known to be vulnerable to XML attacks. Replace vulnerable imports with the equivalent defusedxml package.
An IPMI-related module is being imported. IPMI is considered insecure. Use an encrypted protocol.
An insecure SSL version was detected. TLS versions 1.0, 1.1, and all SSL versions are considered weak encryption and are deprecated. Use 'ssl.PROTOCOL_TLSv1_2' or higher.
The use of SNMPv1 and SNMPv2 is insecure. You should use SNMPv3 if able.
You should not use SNMPv3 without encryption. noAuthNoPriv & authNoPriv is insecure
The logging.config.listen function provides the ability to listen for external configuration files on a socket server. Because portions of the configuration are passed through eval(), use of this function may open its users to a security risk. While the function only binds to a socket on localhost, and so does not accept connections from remote machines, there are scenarios where untrusted code could be run under the account of the process which calls listen(). logging.config.listen provides the ability to verify bytes received across the socket with signature verification or encryption/decryption.