From a0b55bbc86edb29cb71c5ae5a76da76d89e6a3db Mon Sep 17 00:00:00 2001 From: Helge Wehder Date: Tue, 17 Dec 2024 10:54:10 +0000 Subject: [PATCH 1/6] pySCG: updated scope to address Davids feedback, removed some duplicated wording and fixed formatting Signed-off-by: Helge Wehder --- docs/Secure-Coding-Guide-for-Python/readme.md | 59 ++++++++++--------- 1 file changed, 30 insertions(+), 29 deletions(-) diff --git a/docs/Secure-Coding-Guide-for-Python/readme.md b/docs/Secure-Coding-Guide-for-Python/readme.md index 3af8a416..ca904b86 100644 --- a/docs/Secure-Coding-Guide-for-Python/readme.md +++ b/docs/Secure-Coding-Guide-for-Python/readme.md 
@@ -1,18 +1,15 @@ # Secure Coding One Stop Shop for Python -Promote secure products by knowing the difference between secure compliant -and non-compliant code with `CPython >= 3.9` using modules listed on +An initiative by the OpenSSF to provide new Python programmers a resource to study secure coding in `CPython >= 3.9` with working code examples. -[Python Module Index](https://docs.python.org/3.9/py-modindex.html) [Python 2023]. +Documentation is written in academic style to support security researchers while using in plain English to cater for an international audience. -This page is an initiative by the OpenSSF to improve secure coding in Python by providing a location for study. Its structure is based on -Common Weakness Enamurator (CWE) [Pillar Weakness](https://cwe.mitre.org/documents/glossary/#Pillar%20Weakness) [mitre.org 2023]. - -Some rules only contain code examples, documentation will follow. +Python modules outside of the _Python Module Index_ [[Python 2023](https://docs.python.org/3.9/py-modindex.html)], languages such as `HTML` and `JavaScript` are avoided. +The structure is based on Common Weakness Enamurator (CWE) _Pillar Weakness_ [[MTRE 2024][](https://cwe.mitre.org/documents/glossary/#Pillar%20Weakness)]. ## Disclaimer -Content comes WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, as stated in the license text [CC-BY-4.0](LICENSE/CC-BY-4.0.txt) for documentation and [MIT](LICENSE/MIT.txt). +Content comes __WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED__, as stated in the license text [CC-BY-4.0](LICENSE/CC-BY-4.0.txt) for documentation and [MIT](LICENSE/MIT.txt). Following or using the documentation and or code is at your own risk. Code examples are intended purely for educational use and not for products in parts or in full. Code examples are NOT to be used to cause harm of any kind to anyone or anything. 
@@ -20,17 +17,21 @@ Code examples are NOT to be used to cause harm of any kind to anyone or anything Every person writing code shall study the following: -* OWASP Secure Coding [Practices-Quick Reference Guide](https://owasp.org/www-project-secure-coding-practices-quick-reference-guide/) [OWASP 2022] -* OWASP Top 10 Report [OWASP 2022](https://owasp.org/www-project-top-ten/) [OWASP 2022] -* CWE Top 25 2022 [CWE 2022](https://cwe.mitre.org/top25/archive/2022/2022_cwe_top25.html) [MITRE 2023] +* _OWASP Developer Guide_ [[OWASP dev 2024](https://owasp.org/www-project-developer-guide/release/)] +* _OWASP Top 10 Report_ [[OWASP 2021](https://owasp.org/www-project-top-ten/)] +* _CWE Top 25_ [[MITRE 2024](https://cwe.mitre.org/top25/index.html)] ## Secure Coding Standard for Python -Code examples are written to explain security design with as little code as possible demonstrating the issue in the `noncompliantXX.py` titled Python file. -The `compliantXX.py` file demonstrates only the mitigation or removal of the described risk. -None of the code examples are intendet to be used 'as is' for production. Using the code is at your own risk. +Code examples are written to explain security design with as little code as possible. __None__ of the code examples are intendet to be used 'as is' for production. Using the code is at your own risk! + +__Code file naminng conventions:__ + +* `noncompliantXX.py` anti-pattern. +* `compliantXX.py` mitigation for mitigating or removal of __ONLY__ the described risk. +* `exampleXX.py` to allow understanding the documented behaviour. -It is **not production code** and requires code-style or python best practices to be added such as: +It is __not production code__ and requires code-style or python best practices to be added such as: * Inline documentation * Custom exceptions 
@@ -41,20 +42,20 @@ It is **not production code** and requires code-style or python best practices t |[CWE-664: Improper Control of a Resource Through its Lifetime](https://cwe.mitre.org/data/definitions/664.html)|Prominent CVE| |:-----------------------------------------------------------------------------------------------------------------------------------------------|:----| -|[CWE-134: Use of Externally-Controlled Format String](CWE-664/CWE-134/README.md)|[CVE-2022-27177](https://www.cvedetails.com/cve/CVE-2022-27177/),
CVSSv3.1: **9.8**,
EPSS: **00.37** (01.12.2023)| +|[CWE-134: Use of Externally-Controlled Format String](CWE-664/CWE-134/README.md)|[CVE-2022-27177](https://www.cvedetails.com/cve/CVE-2022-27177/),
CVSSv3.1: __9.8__,
EPSS: __00.37__ (01.12.2023)| |[CWE-197: Numeric Truncation Error](CWE-664/CWE-197/README.md)|| |[CWE-197: Control rounding when converting to less precise numbers](CWE-664/CWE-197/01/README.md)|| |[CWE-400: Uncontrolled Resource Consumption](CWE-664/CWE-400/README.md)|| |[CWE-409: Improper Handling of Highly Compressed Data (Data Amplification)](CWE-664/CWE-409/.)|| |[CWE-410: Insufficient Resource Pool](CWE-664/CWE-410/README.md)|| -|[CWE-426: Untrusted Search Path](CWE-664/CWE-426/README.md)|[CVE-2015-1326](https://www.cvedetails.com/cve/CVE-2015-1326),
CVSSv3.0: **8.8**,
EPSS: **00.20** (23.11.2023)| -|[CWE-501: Trust Boundary Violation)](CWE-664/CWE-501/README.md)|[CVE-2023-28597](https://www.cvedetails.com/cve/CVE-2023-28597),
CVSSv3.0: **7.5**,
EPSS: **00.11** (05.11.2024)| -|[CWE-502: Deserialization of Untrusted Data)](CWE-664/CWE-502/.)|[CVE-2018-8021](https://www.cvedetails.com/cve/CVE-2018-8021),
CVSSv3.0: **9.8**,
EPSS: **93.54** (05.11.2024)| -|[CWE-532: Insertion of Sensitive Information into Log File](CWE-664/CWE-532/README.md)|[CVE-2023-45585](https://www.cvedetails.com/cve/CVE-2023-45585),
CVSSv3.1: **9.8**,
EPSS: **0.04** (01.11.2024)| +|[CWE-426: Untrusted Search Path](CWE-664/CWE-426/README.md)|[CVE-2015-1326](https://www.cvedetails.com/cve/CVE-2015-1326),
CVSSv3.0: __8.8__,
EPSS: __00.20__ (23.11.2023)| +|[CWE-501: Trust Boundary Violation)](CWE-664/CWE-501/README.md)|[CVE-2023-28597](https://www.cvedetails.com/cve/CVE-2023-28597),
CVSSv3.0: __7.5__,
EPSS: __00.11__ (05.11.2024)| +|[CWE-502: Deserialization of Untrusted Data)](CWE-664/CWE-502/.)|[CVE-2018-8021](https://www.cvedetails.com/cve/CVE-2018-8021),
CVSSv3.0: __9.8__,
EPSS: __93.54__ (05.11.2024)| +|[CWE-532: Insertion of Sensitive Information into Log File](CWE-664/CWE-532/README.md)|[CVE-2023-45585](https://www.cvedetails.com/cve/CVE-2023-45585),
CVSSv3.1: __9.8__,
EPSS: __0.04__ (01.11.2024)| |[CWE-665: Improper Initialization](CWE-664/CWE-665/README.md)|| |[CWE-681: Incorrect Conversion between Numeric Types](CWE-664/CWE-681/README.md)|| |[CWE-833: Deadlock](CWE-664/CWE-833/README.md)|| -|[CWE-843: Access of Resource Using Incompatible Type ('Type Confusion')](CWE-664/CWE-843/.)|[CVE-2021-29513](https://www.cvedetails.com/cve/CVE-2021-29513),
CVSSv3.1: **7.8**,
EPSS: **00.05** (05.11.2024)| +|[CWE-843: Access of Resource Using Incompatible Type ('Type Confusion')](CWE-664/CWE-843/.)|[CVE-2021-29513](https://www.cvedetails.com/cve/CVE-2021-29513),
CVSSv3.1: __7.8__,
EPSS: __00.05__ (05.11.2024)| |[XXX-005: Consider hash-based integrity verification of byte code files against their source code files](CWE-664/XXX-005/.)|| |[CWE-682: Incorrect Calculation](https://cwe.mitre.org/data/definitions/682.html)|Prominent CVE| @@ -83,12 +84,12 @@ It is **not production code** and requires code-style or python best practices t |[CWE-390: Detection of Error Condition without Action](CWE-703/CWE-390/)|| |[CWE-392: Missing Report of Error Condition](CWE-703/CWE-392/README.md)|| |[CWE-754: Improper Check for Unusual or Exceptional Conditions](CWE-703/CWE-754/.)|| -|[CWE-755: Improper Handling of Exceptional Conditions](CWE-703/CWE-755/README.md)|[CVE-2024-39560](https://www.cvedetails.com/cve/CVE-2024-39560),
CVSSv3.1: **6.5**,
EPSS: **0.04** (01.11.2024)| +|[CWE-755: Improper Handling of Exceptional Conditions](CWE-703/CWE-755/README.md)|[CVE-2024-39560](https://www.cvedetails.com/cve/CVE-2024-39560),
CVSSv3.1: __6.5__,
EPSS: __0.04__ (01.11.2024)| |[CWE-707: Improper Neutralization](https://cwe.mitre.org/data/definitions/707.html)|Prominent CVE| |:----------------------------------------------------------------|:----| -|[CWE-78: Improper Neutralization of Special Elements Used in an OS Command ("OS Command Injection")](CWE-707/CWE-78/README.md)|[CVE-2024-43804](https://www.cvedetails.com/cve/CVE-2024-43804/),
CVSSv3.1: **8.8**,
EPSS: **00.06** (08.11.2024)| -|[CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')](CWE-707/CWE-89/README.md)|[CVE-2019-8600](https://www.cvedetails.com/cve/CVE-2019-8600/),
CVSSv3.1: **9.8**,
EPSS: **01.43** (18.02.2024)| +|[CWE-78: Improper Neutralization of Special Elements Used in an OS Command ("OS Command Injection")](CWE-707/CWE-78/README.md)|[CVE-2024-43804](https://www.cvedetails.com/cve/CVE-2024-43804/),
CVSSv3.1: __8.8__,
EPSS: __00.06__ (08.11.2024)| +|[CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')](CWE-707/CWE-89/README.md)|[CVE-2019-8600](https://www.cvedetails.com/cve/CVE-2019-8600/),
CVSSv3.1: __9.8__,
EPSS: __01.43__ (18.02.2024)| |[CWE-117: Improper Output Neutralization for Logs](CWE-707/CWE-117/.)|| |[CWE-175: Improper Handling of Mixed Encoding](CWE-707/CWE-175/README.md)|| |[CWE-180: Incorrect behavior order: Validate before Canonicalize](CWE-707/CWE-180/.)|| @@ -102,11 +103,11 @@ It is **not production code** and requires code-style or python best practices t |Ref|Detail| |-----|-----| -|[Python 2023]|[3.9 Module Index](https://docs.python.org/3.9/py-modindex.html)| -|[mitre.org 2023]|[CWE - CWE-1000: Research Concepts](https://cwe.mitre.org/data/definitions/1000.html)| -|[OWASP 2022]|[Secure Coding Practices-Quick Reference Guide](https://owasp.org/www-project-secure-coding-practices-quick-reference-guide/)| -|[OWASP 2022]|[OWASP Top 10 Report 2022](https://owasp.org/www-project-top-ten/)| -|[MITRE 2023]|[CWE Top 25 2022](https://cwe.mitre.org/top25/archive/2022/2022_cwe_top25.html)| +|[Python 2023]|3.9 Module Index [online], available from [https://docs.python.org/3.9/py-modindex.html](https://docs.python.org/3.9/py-modindex.html) [accessed Dec 2024]| +|[mitre.org 2023]|CWE - CWE-1000: Research Concepts [online], available from [https://cwe.mitre.org/data/definitions/1000.html](https://cwe.mitre.org/data/definitions/1000.html) [accessed Dec 2024]| +|[OWASP dev 2024]|OWASP Developer Guide [online], available from [https://owasp.org/www-project-developer-guide/release/](https://owasp.org/www-project-developer-guide/release/) [accessed Dec 2024]| +|[OWASP 2021]|OWASP Top 10 Report 2021 [online], available from [https://owasp.org/www-project-top-ten/](https://owasp.org/www-project-top-ten/)| +|[MITRE 2024]|CWE Top 25 [online], available form [https://cwe.mitre.org/top25/index.html](https://cwe.mitre.org/top25/archive/2022/2022_cwe_top25.html) [accessed Dec 2024]| ## License From 5e8887eda9d7eb7f1cb88c8329d926b9c98cd072 Mon Sep 17 00:00:00 2001 From: Helge Wehder Date: Tue, 17 Dec 2024 11:09:43 +0000 Subject: [PATCH 2/6] pySCG: fixed lint issue 
Signed-off-by: Helge Wehder --- docs/Secure-Coding-Guide-for-Python/readme.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/Secure-Coding-Guide-for-Python/readme.md b/docs/Secure-Coding-Guide-for-Python/readme.md index ca904b86..efa74cb4 100644 --- a/docs/Secure-Coding-Guide-for-Python/readme.md +++ b/docs/Secure-Coding-Guide-for-Python/readme.md @@ -5,7 +5,7 @@ An initiative by the OpenSSF to provide new Python programmers a resource to stu Documentation is written in academic style to support security researchers while using in plain English to cater for an international audience. Python modules outside of the _Python Module Index_ [[Python 2023](https://docs.python.org/3.9/py-modindex.html)], languages such as `HTML` and `JavaScript` are avoided. -The structure is based on Common Weakness Enamurator (CWE) _Pillar Weakness_ [[MTRE 2024][](https://cwe.mitre.org/documents/glossary/#Pillar%20Weakness)]. +The structure is based on Common Weakness Enamurator (CWE) _Pillar Weakness_ [[MITRE 2024](https://cwe.mitre.org/documents/glossary/#Pillar%20Weakness)]. ## Disclaimer From 7d43fe4abbcdbb5eb69c6f643e0e22c458cff604 Mon Sep 17 00:00:00 2001 From: Helge Wehder Date: Tue, 17 Dec 2024 11:31:36 +0000 Subject: [PATCH 3/6] pySCG: fixed typo and missing ref Signed-off-by: Helge Wehder --- docs/Secure-Coding-Guide-for-Python/readme.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/docs/Secure-Coding-Guide-for-Python/readme.md b/docs/Secure-Coding-Guide-for-Python/readme.md index efa74cb4..03fc82b9 100644 --- a/docs/Secure-Coding-Guide-for-Python/readme.md +++ b/docs/Secure-Coding-Guide-for-Python/readme.md 
@@ -5,7 +5,7 @@ An initiative by the OpenSSF to provide new Python programmers a resource to stu Documentation is written in academic style to support security researchers while using in plain English to cater for an international audience. Python modules outside of the _Python Module Index_ [[Python 2023](https://docs.python.org/3.9/py-modindex.html)], languages such as `HTML` and `JavaScript` are avoided. -The structure is based on Common Weakness Enamurator (CWE) _Pillar Weakness_ [[MITRE 2024](https://cwe.mitre.org/documents/glossary/#Pillar%20Weakness)]. +The structure is based on Common Weakness Enumeration (CWE) _Pillar Weakness_ [[MITRE Pillar 2024](https://cwe.mitre.org/documents/glossary/#Pillar%20Weakness)]. ## Disclaimer @@ -107,6 +107,7 @@ It is __not production code__ and requires code-style or python best practices t |[mitre.org 2023]|CWE - CWE-1000: Research Concepts [online], available from [https://cwe.mitre.org/data/definitions/1000.html](https://cwe.mitre.org/data/definitions/1000.html) [accessed Dec 2024]| |[OWASP dev 2024]|OWASP Developer Guide [online], available from [https://owasp.org/www-project-developer-guide/release/](https://owasp.org/www-project-developer-guide/release/) [accessed Dec 2024]| |[OWASP 2021]|OWASP Top 10 Report 2021 [online], available from [https://owasp.org/www-project-top-ten/](https://owasp.org/www-project-top-ten/)| +|[MITRE Pillar 2024]|_Pillar Weakness_ [online], available form [https://cwe.mitre.org/documents/glossary/#Pillar%20Weakness](https://cwe.mitre.org/documents/glossary/#Pillar%20Weakness) [accessed Dec 2024]| |[MITRE 2024]|CWE Top 25 [online], available form [https://cwe.mitre.org/top25/index.html](https://cwe.mitre.org/top25/archive/2022/2022_cwe_top25.html) [accessed Dec 2024]| ## License From 915175a4ad60033062be4ab994c35784e8dfd47e Mon Sep 17 00:00:00 2001 
From: myteron Date: Mon, 13 Jan 2025 16:42:01 +0000 Subject: [PATCH 4/6] Update docs/Secure-Coding-Guide-for-Python/readme.md Discussed with another native English speaker and "specifically" feels more correct than "avoid" :D Co-authored-by: David A. Wheeler Signed-off-by: myteron --- docs/Secure-Coding-Guide-for-Python/readme.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/Secure-Coding-Guide-for-Python/readme.md b/docs/Secure-Coding-Guide-for-Python/readme.md index 03fc82b9..9d62bc79 100644 --- a/docs/Secure-Coding-Guide-for-Python/readme.md +++ b/docs/Secure-Coding-Guide-for-Python/readme.md @@ -4,7 +4,7 @@ An initiative by the OpenSSF to provide new Python programmers a resource to stu Documentation is written in academic style to support security researchers while using in plain English to cater for an international audience. -Python modules outside of the _Python Module Index_ [[Python 2023](https://docs.python.org/3.9/py-modindex.html)], languages such as `HTML` and `JavaScript` are avoided. +Python modules outside of the _Python Module Index_ [[Python 2023](https://docs.python.org/3.9/py-modindex.html)] are not specifically covered by this document. The structure is based on Common Weakness Enumeration (CWE) _Pillar Weakness_ [[MITRE Pillar 2024](https://cwe.mitre.org/documents/glossary/#Pillar%20Weakness)]. ## Disclaimer From 6b7c8253729d2a20f697f888b204bb7182583de5 Mon Sep 17 00:00:00 2001 From: myteron Date: Wed, 29 Jan 2025 16:25:59 +0000 Subject: [PATCH 5/6] Update docs/Secure-Coding-Guide-for-Python/readme.md Co-authored-by: Georg Kunz Signed-off-by: myteron --- docs/Secure-Coding-Guide-for-Python/readme.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/Secure-Coding-Guide-for-Python/readme.md b/docs/Secure-Coding-Guide-for-Python/readme.md index 9d62bc79..9f116e60 100644 --- a/docs/Secure-Coding-Guide-for-Python/readme.md +++ b/docs/Secure-Coding-Guide-for-Python/readme.md 
@@ -2,7 +2,7 @@ An initiative by the OpenSSF to provide new Python programmers a resource to study secure coding in `CPython >= 3.9` with working code examples. -Documentation is written in academic style to support security researchers while using in plain English to cater for an international audience. +Documentation is written in academic style to support security researchers while using plain English to cater for an international audience. Python modules outside of the _Python Module Index_ [[Python 2023](https://docs.python.org/3.9/py-modindex.html)] are not specifically covered by this document. The structure is based on Common Weakness Enumeration (CWE) _Pillar Weakness_ [[MITRE Pillar 2024](https://cwe.mitre.org/documents/glossary/#Pillar%20Weakness)]. From 383cfb144929e5ca44bb3b05d6f959b940268675 Mon Sep 17 00:00:00 2001 From: myteron Date: Wed, 29 Jan 2025 16:26:09 +0000 Subject: [PATCH 6/6] Update docs/Secure-Coding-Guide-for-Python/readme.md Co-authored-by: Georg Kunz Signed-off-by: myteron --- docs/Secure-Coding-Guide-for-Python/readme.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/Secure-Coding-Guide-for-Python/readme.md b/docs/Secure-Coding-Guide-for-Python/readme.md index 9f116e60..055541ae 100644 --- a/docs/Secure-Coding-Guide-for-Python/readme.md +++ b/docs/Secure-Coding-Guide-for-Python/readme.md 
@@ -4,7 +4,7 @@ An initiative by the OpenSSF to provide new Python programmers a resource to stu Documentation is written in academic style to support security researchers while using plain English to cater for an international audience. -Python modules outside of the _Python Module Index_ [[Python 2023](https://docs.python.org/3.9/py-modindex.html)] are not specifically covered by this document. +Python modules outside of the _Python Module Index_ [[Python 2023](https://docs.python.org/3.9/py-modindex.html)] are specifically not covered by this document. The structure is based on Common Weakness Enumeration (CWE) _Pillar Weakness_ [[MITRE Pillar 2024](https://cwe.mitre.org/documents/glossary/#Pillar%20Weakness)]. ## Disclaimer
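Review bot: In PATCH 1/6, hunk `@@ -1,18 +1,15 @@`, the new citation `[[MTRE 2024][](https://cwe.mitre.org/documents/glossary/#Pillar%20Weakness)]` is malformed markdown (the empty `[]` after `[MTRE 2024]` turns the link into a reference-style link that resolves to nothing) and the key is misspelled; write it as `[[MITRE 2024](https://cwe.mitre.org/documents/glossary/#Pillar%20Weakness)]`. The same hunk keeps "Common Weakness Enamurator", which should be "Common Weakness Enumeration", and "while using in plain English" drops a word. The scope sentence "Python modules outside of the _Python Module Index_ [...], languages such as `HTML` and `JavaScript` are avoided." has no verb for its first clause; something like "Python modules outside of the _Python Module Index_ [...] and languages such as `HTML` and `JavaScript` are out of scope." reads cleanly.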
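Review bot: In PATCH 1/6, hunk `@@ -20,17 +17,21 @@`, the added lines carry two typos, "intendet" (already present in the removed line, so this is the moment to fix it) and "naminng", and the bullet "`compliantXX.py` mitigation for mitigating or removal of __ONLY__ the described risk." says "mitigation" twice. Suggest "`compliantXX.py` mitigation or removal of __ONLY__ the described risk." and, for the third bullet, "`exampleXX.py` illustrates the documented behaviour." Also note that the `-` lines stated explicitly that `noncompliantXX.py` demonstrates the issue; the new bullet "anti-pattern" is terser but keeps that meaning, so no loss there.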
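Review bot: In PATCH 1/6, hunk `@@ -41,20 +42,20 @@`, the only change is `**` to `__` for bold inside the table cells, but the rewritten `+` lines still carry a stray closing parenthesis inside the link text of `[CWE-501: Trust Boundary Violation)](CWE-664/CWE-501/README.md)` and `[CWE-502: Deserialization of Untrusted Data)](CWE-664/CWE-502/.)`; since these rows are being touched anyway, drop the `)` in both. The EPSS column in the same hunk mixes zero-padding styles (`00.37`, `00.20`, `00.11`, `93.54`, `00.05` next to `0.04`); pick one format for the whole column.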
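Review bot: In PATCH 1/6, hunk `@@ -83,12 +84,12 @@`, the bold-style change is consistent with the other tables, but the EPSS values again alternate between `0.04`, `00.06` and `01.43` within a few rows, and the dates in parentheses (`01.11.2024`, `08.11.2024`, `18.02.2024`) use a numeric DD.MM.YYYY form that the intro's stated international audience can misread; an unambiguous form such as `2024-11-01` would avoid that.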
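Review bot: In PATCH 1/6, hunk `@@ -102,11 +103,11 @@`, the `[MITRE 2024]` row shows the URL text `https://cwe.mitre.org/top25/index.html` but links to `https://cwe.mitre.org/top25/archive/2022/2022_cwe_top25.html`, so the visible address and the target disagree; the body bullet in hunk `@@ -20,17` points at `index.html`, so make the target match. The same row reads "available form" instead of "available from". The `[OWASP 2021]` row is the only one without the `[accessed Dec 2024]` suffix. Finally, this patch removes the `[mitre.org 2023]` citation from the intro (the `-` line in hunk `@@ -1,18`) and cites `[MTRE 2024]` instead, yet the reference table keeps the `[mitre.org 2023]` row and gains no row for the new key; add a row for the Pillar Weakness glossary entry and drop the orphan, or keep the old citation.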
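Review bot: In PATCH 2/6, hunk `@@ -5,7 +5,7 @@`, the markup fix is correct, but the key `[MITRE 2024]` now denotes two different sources: the Pillar Weakness glossary page in this line and the CWE Top 25 entry in the reference table from PATCH 1/6. Use a distinct key for the glossary citation so each reference row maps to one source; PATCH 3/6 in this series does exactly that with `[MITRE Pillar 2024]`, so squashing the two would avoid landing the ambiguous state in history.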
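Review bot: In PATCH 3/6, hunk `@@ -107,6 +107,7 @@`, the new `[MITRE Pillar 2024]` row copies the "available form" typo from the row below it (should be "available from"), and italicises its title (`_Pillar Weakness_`) while every other row in the table gives the title in plain text. The unchanged `[MITRE 2024]` row directly beneath still has the mismatched link text and target noted for PATCH 1/6; this hunk is the natural place to fix it.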
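Review bot: In PATCH 4/6, hunk `@@ -4,7 +4,7 @@`, "are not specifically covered by this document" is ambiguous: it can be read as "covered, though not specifically" as easily as "explicitly excluded". The commit message says the intent is an explicit exclusion, so "are specifically not covered" or "are out of scope for this document" states that. The rewrite also silently drops the `HTML` and `JavaScript` exclusion that the `-` line carried; if that exclusion still holds, restate it in the new sentence.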
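Review bot: In PATCH 6/6, hunk `@@ -4,7 +4,7 @@`, "are specifically not covered" resolves the ambiguity left by PATCH 4/6, but PATCH 4/6, 5/6 and 6/6 are three consecutive one-line commits on the same two sentences of the intro, all titled "Update docs/Secure-Coding-Guide-for-Python/readme.md" with no body beyond the trailers; squash them into one commit with a message that states what changed in the scope wording before merging.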