nan-injection
nan-injection
Found user input going directly into typecast for bool(), float(), or complex(). This allows an attacker to inject Python’s not-a-number (NaN) into the typecast. This results in undefind behavior, particularly when doing comparisons. Either cast to a different type, or add a guard checking for all capitalizations of the string ‘nan’.
Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- CWE-704: Incorrect Type Conversion or Cast
Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- CWE-704: Incorrect Type Conversion or Cast
exec-injection
exec-injection
Detected user data flowing into exec. This is code injection and should be avoided.
Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (‘Eval Injection’)
OWASP:
- A03:2021 - Injection
Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (‘Eval Injection’)
OWASP:
- A03:2021 - Injection
tainted-url-host
tainted-url-host
User data flows into the host portion of this manually-constructed URL. This could allow an attacker to send data to their own server, potentially exposing sensitive data such as cookies or authorization information sent with this request. They could also probe internal servers or other resources that the server runnig this code can access. (This is called server-side request forgery, or SSRF.) Do not allow arbitrary hosts. Instead, create an allowlist for approved hosts hardcode the correct host.
Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- CWE-918: Server-Side Request Forgery (SSRF)
OWASP:
- A10:2021 - Server-Side Request Forgery (SSRF)
Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- CWE-918: Server-Side Request Forgery (SSRF)
OWASP:
- A10:2021 - Server-Side Request Forgery (SSRF)
subprocess-injection
subprocess-injection
Detected user input entering a
Likelihood: HIGH
Confidence: HIGH
CWE:
- CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
OWASP:
- A01:2017 - Injection
- A03:2021 - Injection
subprocess
call unsafely. This could result in a command injection vulnerability. An attacker could use this vulnerability to execute arbitrary commands on the host, which allows them to download malware, scan sensitive data, or run any command they wish on the server. Do not let users choose the command to run. In general, prefer to use Python API versions of system commands. If you must use subprocess, use a dictionary to allowlist a set of commands.Likelihood: HIGH
Confidence: HIGH
CWE:
- CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
OWASP:
- A01:2017 - Injection
- A03:2021 - Injection
tainted-sql-string
tainted-sql-string
Detected user input used to manually construct a SQL string. This is usually bad practice because manual construction could accidentally result in a SQL injection. An attacker could use a SQL injection to steal or modify contents of the database. Instead, use a parameterized query which is available by default in most database engines. Alternatively, consider using an object-relational mapper (ORM) such as SQLAlchemy which will protect your queries.
Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- CWE-704: Incorrect Type Conversion or Cast
OWASP:
- A01:2017 - Injection
- A03:2021 - Injection
Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- CWE-704: Incorrect Type Conversion or Cast
OWASP:
- A01:2017 - Injection
- A03:2021 - Injection
ssrf-requests
ssrf-requests
Data from request object is passed to a new server-side request. This could lead to a server-side request forgery (SSRF). To mitigate, ensure that schemes and hosts are validated against an allowlist, do not forward the response to the user, and ensure proper authentication and transport-layer security in the proxied request.
Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- CWE-918: Server-Side Request Forgery (SSRF)
OWASP:
- A10:2021 - Server-Side Request Forgery (SSRF)
Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- CWE-918: Server-Side Request Forgery (SSRF)
OWASP:
- A10:2021 - Server-Side Request Forgery (SSRF)
eval-injection
eval-injection
Detected user data flowing into eval. This is code injection and should be avoided.
Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (‘Eval Injection’)
OWASP:
- A03:2021 - Injection
Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (‘Eval Injection’)
OWASP:
- A03:2021 - Injection
csv-writer-injection
csv-writer-injection
Detected user input into a generated CSV file using the built-in
Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- CWE-1236: Improper Neutralization of Formula Elements in a CSV File
OWASP:
- A01:2017 - Injection
- A03:2021 - Injection
csv
module. If user data is used to generate the data in this file, it is possible that an attacker could inject a formula when the CSV is imported into a spreadsheet application that runs an attacker script, which could steal data from the importing user or, at worst, install malware on the user’s computer. defusedcsv
is a drop-in replacement with the same API that will attempt to mitigate formula injection attempts. You can use defusedcsv
instead of csv
to safely generate CSVs.Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- CWE-1236: Improper Neutralization of Formula Elements in a CSV File
OWASP:
- A01:2017 - Injection
- A03:2021 - Injection
path-traversal-open
path-traversal-open
Found request data in a call to ‘open’. Ensure the request data is validated or sanitized, otherwise it could result in path traversal attacks.
Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- CWE-22: Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)
OWASP:
- A05:2017 - Broken Access Control
- A01:2021 - Broken Access Control
Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- CWE-22: Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)
OWASP:
- A05:2017 - Broken Access Control
- A01:2021 - Broken Access Control
os-system-injection
os-system-injection
User data detected in os.system. This could be vulnerable to a command injection and should be avoided. If this must be done, use the ‘subprocess’ module instead and pass the arguments as a list.
Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
OWASP:
- A01:2017 - Injection
- A03:2021 - Injection
Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
OWASP:
- A01:2017 - Injection
- A03:2021 - Injection
raw-html-format
raw-html-format
Detected user input flowing into a manually constructed HTML string. You may be accidentally bypassing secure methods of rendering HTML by manually constructing HTML and this could create a cross-site scripting vulnerability, which could let attackers steal sensitive user data. To be sure this is safe, check that the HTML is rendered safely. Otherwise, use templates (
Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
OWASP:
- A07:2017 - Cross-Site Scripting (XSS)
- A03:2021 - Injection
flask.render_template
) which will safely render HTML instead.Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
OWASP:
- A07:2017 - Cross-Site Scripting (XSS)
- A03:2021 - Injection