Found dynamic content inside InteractiveConsole/InteractiveInterpreter method. This is dangerous if external data can reach this function call because it allows a malicious actor to run arbitrary Python code. Ensure no external data reaches here. Likelihood: LOW Confidence: LOW CWE: - CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (‘Eval Injection’)
OWASP: - A03:2021 - Injection
dangerous-subprocess-use-tainted-env-args
Detected subprocess function ‘$FUNC’ with user controlled data. A malicious actor could leverage this to perform command injection. You may consider using ‘shlex.escape()’. Likelihood: MEDIUM Confidence: MEDIUM CWE: - CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
OWASP: - A01:2017 - Injection
- A03:2021 - Injection
dangerous-spawn-process-audit
Found dynamic content when spawning a process. This is dangerous if external data can reach this function call because it allows a malicious actor to execute commands. Ensure no external data reaches here. Likelihood: LOW Confidence: LOW CWE: - CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
OWASP: - A01:2017 - Injection
- A03:2021 - Injection
dangerous-annotations-usage
Annotations passed to typing.get_type_hints are evaluated in globals and locals namespaces. Make sure that no arbitrary value can be written as the annotation and passed to typing.get_type_hints function. Likelihood: LOW Confidence: LOW CWE: - CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (‘Eval Injection’)
OWASP: - A03:2021 - Injection
non-literal-import
Untrusted user input in importlib.import_module() function allows an attacker to load arbitrary code. Avoid dynamic values in importlib.import_module() or use a whitelist to prevent running untrusted code. Likelihood: LOW Confidence: LOW CWE: - CWE-706: Use of Incorrectly-Resolved Name or Reference
OWASP: - A01:2021 - Broken Access Control
exec-detected
Detected the use of exec(). exec() can be dangerous if used to evaluate dynamic content. If this content can be input from outside the program, this may be a code injection vulnerability. Ensure evaluated content is not definable by external sources. Likelihood: LOW Confidence: LOW CWE: - CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (‘Eval Injection’)
OWASP: - A03:2021 - Injection
dangerous-os-exec-audit
Found dynamic content when spawning a process. This is dangerous if external data can reach this function call because it allows a malicious actor to execute commands. Ensure no external data reaches here. Likelihood: LOW Confidence: LOW CWE: - CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
OWASP: - A01:2017 - Injection
- A03:2021 - Injection
dangerous-asyncio-exec-audit
Detected subprocess function ‘$LOOP.subprocess_exec’ without a static string. If this data can be controlled by a malicious actor, it may be an instance of command injection. Audit the use of this call to ensure it is not controllable by an external resource. You may consider using ‘shlex.escape()’. Likelihood: LOW Confidence: LOW CWE: - CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
OWASP: - A01:2017 - Injection
- A03:2021 - Injection
Found user controlled content in run_string. This is dangerous because it allows a malicious actor to run arbitrary Python code. Likelihood: MEDIUM Confidence: MEDIUM CWE: - CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (‘Eval Injection’)
OWASP: - A03:2021 - Injection
dangerous-spawn-process-tainted-env-args
Found user controlled content when spawning a process. This is dangerous because it allows a malicious actor to execute commands. Likelihood: MEDIUM Confidence: MEDIUM CWE: - CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
OWASP: - A01:2017 - Injection
- A03:2021 - Injection
md5-used-as-password
It looks like MD5 is used as a password hash. MD5 is not considered a secure password hash because it can be cracked by an attacker in a short amount of time. Use a suitable password hashing function such as scrypt. You can use hashlib.scrypt. Likelihood: HIGH Confidence: MEDIUM CWE: - CWE-327: Use of a Broken or Risky Cryptographic Algorithm
OWASP: - A03:2017 - Sensitive Data Exposure
- A02:2021 - Cryptographic Failures
dynamic-urllib-use-detected
Detected a dynamic value being used with urllib. urllib supports ‘file://’ schemes, so a dynamic value controlled by a malicious actor may allow them to read arbitrary files. Audit uses of urllib calls to ensure user data cannot control the URLs, or consider using the ‘requests’ library instead. Likelihood: LOW Confidence: LOW CWE: - CWE-939: Improper Authorization in Handler for Custom URL Scheme
OWASP: - A
- 0
- 1
- :
- 2
- 0
- 1
- 7
-
- -
-
- I
- n
- j
- e
- c
- t
- i
- o
- n
mako-templates-detected
Mako templates do not provide a global HTML escaping mechanism. This means you must escape all sensitive data in your templates using ’| u’ for URL escaping or ’| h’ for HTML escaping. If you are using Mako to serve web content, consider using a system such as Jinja2 which enables global escaping. Likelihood: LOW Confidence: LOW CWE: - CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
OWASP: - A07:2017 - Cross-Site Scripting (XSS)
- A03:2021 - Injection
formatted-sql-query
Detected possible formatted SQL query. Use parameterized queries instead. Likelihood: LOW Confidence: LOW CWE: - CWE-89: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
OWASP: - A01:2017 - Injection
- A03:2021 - Injection
multiprocessing-recv
The Connection.recv() method automatically unpickles the data it receives, which can be a security risk unless you can trust the process which sent the message. Therefore, unless the connection object was produced using Pipe() you should only use the recv() and send() methods after performing some sort of authentication. See more dettails: https://docs.python.org/3/library/multiprocessing.html?highlight=security#multiprocessing.connection.Connection Likelihood: LOW Confidence: LOW CWE: - CWE-502: Deserialization of Untrusted Data
OWASP: - A08:2017 - Insecure Deserialization
- A08:2021 - Software and Data Integrity Failures
dangerous-os-exec-tainted-env-args
Found user controlled content when spawning a process. This is dangerous because it allows a malicious actor to execute commands. Likelihood: MEDIUM Confidence: MEDIUM CWE: - CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
OWASP: - A01:2017 - Injection
- A03:2021 - Injection
dangerous-asyncio-create-exec-audit
Detected ‘create_subprocess_exec’ function without a static string. If this data can be controlled by a malicious actor, it may be an instance of command injection. Audit the use of this call to ensure it is not controllable by an external resource. You may consider using ‘shlex.escape()’. Likelihood: LOW Confidence: LOW CWE: - CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
OWASP: - A01:2017 - Injection
- A03:2021 - Injection
dangerous-asyncio-exec-tainted-env-args
Detected subprocess function ‘$LOOP.subprocess_exec’ with user controlled data. You may consider using ‘shlex.escape()’. Likelihood: MEDIUM Confidence: MEDIUM CWE: - CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
OWASP: - A01:2017 - Injection
- A03:2021 - Injection
paramiko-implicit-trust-host-key
Detected a paramiko host key policy that implicitly trusts a server’s host key. Host keys should be verified to ensure the connection is not to a malicious server. Use RejectPolicy or a custom subclass instead. Likelihood: LOW Confidence: LOW CWE: - CWE-322: Key Exchange without Entity Authentication
OWASP: - A02:2021 - Cryptographic Failures
dangerous-asyncio-shell-audit
Detected asyncio subprocess function without a static string. If this data can be controlled by a malicious actor, it may be an instance of command injection. Audit the use of this call to ensure it is not controllable by an external resource. You may consider using ‘shlex.escape()’. Likelihood: LOW Confidence: LOW CWE: - CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
OWASP: - A01:2017 - Injection
- A03:2021 - Injection
ssl-wrap-socket-is-deprecated
‘ssl.wrap_socket()’ is deprecated. This function creates an insecure socket without server name indication or hostname matching. Instead, create an SSL context using ‘ssl.SSLContext()’ and use that to wrap a socket. Likelihood: LOW Confidence: MEDIUM CWE: - CWE-326: Inadequate Encryption Strength
OWASP: - A03:2017 - Sensitive Data Exposure
- A02:2021 - Cryptographic Failures
dangerous-testcapi-run-in-subinterp-audit
Found dynamic content in run_in_subinterp. This is dangerous if external data can reach this function call because it allows a malicious actor to run arbitrary Python code. Ensure no external data reaches here. Likelihood: LOW Confidence: LOW CWE: - CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (‘Eval Injection’)
OWASP: - A03:2021 - Injection
dangerous-subprocess-use-audit
Detected subprocess function ‘$FUNC’ without a static string. If this data can be controlled by a malicious actor, it may be an instance of command injection. Audit the use of this call to ensure it is not controllable by an external resource. You may consider using ‘shlex.escape()’. Likelihood: LOW Confidence: LOW CWE: - CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
OWASP: - A01:2017 - Injection
- A03:2021 - Injection
eval-detected
Detected the use of eval(). eval() can be dangerous if used to evaluate dynamic content. If this content can be input from outside the program, this may be a code injection vulnerability. Ensure evaluated content is not definable by external sources. Likelihood: LOW Confidence: LOW CWE: - CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (‘Eval Injection’)
OWASP: - A03:2021 - Injection
insecure-file-permissions
These permissions $BITS are widely permissive and grant access to more people than may be necessary. A good default is 0o644 which gives read and write access to yourself and read access to everyone else. Likelihood: LOW Confidence: MEDIUM CWE: - CWE-276: Incorrect Default Permissions
OWASP: - A01:2021 - Broken Access Control
hardcoded-password-default-argument
Hardcoded password is used as a default argument to ‘$FUNC’. This could be dangerous if a real password is not supplied. Likelihood: LOW Confidence: LOW CWE: - CWE-798: Use of Hard-coded Credentials
OWASP: - A07:2021 - Identification and Authentication Failures
subprocess-shell-true
Found ‘subprocess’ function ‘$FUNC’ with ‘shell=True’. This is dangerous because this call will spawn the command using a shell process. Doing so propagates current shell settings and variables, which makes it much easier for a malicious actor to execute commands. Use ‘shell=False’ instead. Likelihood: HIGH Confidence: MEDIUM CWE: - CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
OWASP: - A01:2017 - Injection
- A03:2021 - Injection
dangerous-interactive-code-run-tainted-env-args
Found user controlled data inside InteractiveConsole/InteractiveInterpreter method. This is dangerous if external data can reach this function call because it allows a malicious actor to run arbitrary Python code. Likelihood: MEDIUM Confidence: MEDIUM CWE: - CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (‘Eval Injection’)
OWASP: - A03:2021 - Injection
system-wildcard-detected
Detected use of the wildcard character in a system call that spawns a shell. This subjects the wildcard to normal shell expansion, which can have unintended consequences if there exist any non-standard file names. Consider a file named ‘-e sh script.sh’ — this will execute a script when ‘rsync’ is called. See https://www.defensecode.com/public/DefenseCode_Unix_WildCards_Gone_Wild.txt for more information. Likelihood: LOW Confidence: LOW CWE: - CWE-155: Improper Neutralization of Wildcards or Matching Symbols
OWASP: - A
- 0
- 1
- :
- 2
- 0
- 1
- 7
-
- -
-
- I
- n
- j
- e
- c
- t
- i
- o
- n
httpsconnection-detected
The HTTPSConnection API has changed frequently with minor releases of Python. Ensure you are using the API for your version of Python securely. For example, Python 3 versions prior to 3.4.3 will not verify SSL certificates by default. See https://docs.python.org/3/library/http.client.html#http.client.HTTPSConnection for more information. Likelihood: LOW Confidence: LOW CWE: - CWE-295: Improper Certificate Validation
OWASP: - A03:2017 - Sensitive Data Exposure
- A07:2021 - Identification and Authentication Failures
python-reverse-shell
Semgrep found a Python reverse shell using BINPATHtoIP at $PORT Likelihood: LOW Confidence: LOW CWE: - CWE-553: Command Shell in Externally Accessible Directory
ftplib
FTP does not encrypt communications by default. This can lead to sensitive data being exposed. Ensure use of FTP here does not expose sensitive data. Likelihood: LOW Confidence: LOW CWE: - CWE-319: Cleartext Transmission of Sensitive Information
OWASP: - A03:2017 - Sensitive Data Exposure
- A02:2021 - Cryptographic Failures
weak-ssl-version
An insecure SSL version was detected. TLS versions 1.0, 1.1, and all SSL versions are considered weak encryption and are deprecated. Use ‘ssl.PROTOCOL_TLSv1_2’ or higher. Likelihood: LOW Confidence: MEDIUM CWE: - CWE-326: Inadequate Encryption Strength
OWASP: - A03:2017 - Sensitive Data Exposure
- A02:2021 - Cryptographic Failures
regex_dos
Detected usage of re.compile with an inefficient regular expression. This can lead to regular expression denial of service, which can result in service down time. Instead, check all regexes or use safer alternatives such as pyre2. Likelihood: LOW Confidence: LOW CWE: - C
- W
- E
- -
- 1
- 3
- 3
- 3
- :
-
- I
- n
- e
- f
- f
- i
- c
- i
- e
- n
- t
-
- R
- e
- g
- u
- l
- a
- r
-
- E
- x
- p
- r
- e
- s
- s
- i
- o
- n
-
- C
- o
- m
- p
- l
- e
- x
- i
- t
- y
OWASP: - A
- 0
- 6
- :
- 2
- 0
- 1
- 7
-
- -
-
- S
- e
- c
- u
- r
- i
- t
- y
-
- M
- i
- s
- c
- o
- n
- f
- i
- g
- u
- r
- a
- t
- i
- o
- n
dangerous-asyncio-create-exec-tainted-env-args
Detected ‘create_subprocess_exec’ function with user controlled data. You may consider using ‘shlex.escape()’. Likelihood: LOW Confidence: LOW CWE: - CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
OWASP: - A01:2017 - Injection
- A03:2021 - Injection
dangerous-system-call-audit
Found dynamic content used in a system call. This is dangerous if external data can reach this function call because it allows a malicious actor to execute commands. Use the ‘subprocess’ module instead, which is easier to use without accidentally exposing a command injection vulnerability. Likelihood: LOW Confidence: LOW CWE: - CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
OWASP: - A01:2017 - Injection
- A03:2021 - Injection
dangerous-system-call-tainted-env-args
Found user-controlled data used in a system call. This could allow a malicious actor to execute commands. Use the ‘subprocess’ module instead, which is easier to use without accidentally exposing a command injection vulnerability. Likelihood: MEDIUM Confidence: MEDIUM CWE: - CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
OWASP: - A01:2017 - Injection
- A03:2021 - Injection
dangerous-subinterpreters-run-string-audit
Found dynamic content in run_string. This is dangerous if external data can reach this function call because it allows a malicious actor to run arbitrary Python code. Ensure no external data reaches here. Likelihood: LOW Confidence: LOW CWE: - CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (‘Eval Injection’)
OWASP: - A03:2021 - Injection
Found user controlled content in run_in_subinterp. This is dangerous because it allows a malicious actor to run arbitrary Python code. Likelihood: MEDIUM Confidence: MEDIUM CWE: - CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (‘Eval Injection’)
OWASP: - A03:2021 - Injection
marshal-usage
The marshal module is not intended to be secure against erroneous or maliciously constructed data. Never unmarshal data received from an untrusted or unauthenticated source. See more details: https://docs.python.org/3/library/marshal.html?highlight=security Likelihood: LOW Confidence: LOW CWE: - CWE-502: Deserialization of Untrusted Data
OWASP: - A08:2017 - Insecure Deserialization
- A08:2021 - Software and Data Integrity Failures
dangerous-asyncio-shell-tainted-env-args
Detected asyncio subprocess function with user controlled data. You may consider using ‘shlex.escape()’. Likelihood: MEDIUM Confidence: MEDIUM CWE: - CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
OWASP: - A01:2017 - Injection
- A03:2021 - Injection
telnetlib
Telnet does not encrypt communications. Use SSH instead. Likelihood: LOW Confidence: LOW CWE: - CWE-319: Cleartext Transmission of Sensitive Information
OWASP: - A03:2017 - Sensitive Data Exposure
- A02:2021 - Cryptographic Failures