CodeAnt AI home pagelight logodark logo
  • Dashboard
  • Dashboard
  • Documentation
  • Demo Call with CEO
  • Blog
  • Slack
  • Get Started
    • CodeAnt AI
    • Setup
    • Control Center
    • Pull Request Review
    • IDE
    • Compliance
    • Anti-Patterns
    • Code Governance
    • Infrastructure Security Database
    • Application Security Database
      • Apex
      • Bash
      • C
      • Clojure
      • Cpp
      • Csharp
      • Dockerfile
      • Elixir
      • Fingerprints
      • Generic
      • Go
      • Html
      • Java
      • Javascript
      • Json
      • Kotlin
      • Ocaml
      • Php
      • Problem-based-packs
      • Python
        • Airflow
        • Attr
        • Aws-lambda
        • Bokeh
        • Boto3
        • Cassandra
        • Click
        • Correctness
        • Couchbase
        • Cryptography
        • Distributed
        • Django
        • Docker
        • Elasticsearch
        • Fastapi
        • Flask
        • Jinja2
        • Jwt
        • Lang
          • Best practice
          • Code
          • Compatibility
          • Correctness
          • Correctness
          • Deserialization
          • File
          • Hardcoded
          • Maintainability
          • Os
          • Security
          • Security
            • Audit
            • Audit
            • Deserialization
        • Ldap3
        • Mariadb
        • Mysql
        • Mysqlclient
        • Neo4j
        • Openai
        • Peewee
        • Pg8000
        • Psycopg2
        • Pycryptodome
        • Pyjwt
        • Pymongo
        • Pymssql
        • Pymysql
        • Pyramid
        • Redis
        • Requests
        • Sh
        • Sqlalchemy
        • Tormysql
        • Urllib3
        • Webrepl
        • Wtforms
      • Ruby
      • Rust
      • Scala
      • Solidity
      • Swift
      • Terraform
      • Typescript
      • Yaml
    Security

    Audit

    Found dynamic content inside InteractiveConsole/InteractiveInterpreter method. This is dangerous if external data can reach this function call because it allows a malicious actor to run arbitrary Python code. Ensure no external data reaches here.
    Likelihood: LOW
    Confidence: LOW
    CWE:
    - CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (‘Eval Injection’)
    OWASP:
    - A03:2021 - Injection

    Detected subprocess function ‘$FUNC’ with user controlled data. A malicious actor could leverage this to perform command injection. You may consider using ‘shlex.escape()’.
    Likelihood: MEDIUM
    Confidence: MEDIUM
    CWE:
    - CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
    OWASP:
    - A01:2017 - Injection
    - A03:2021 - Injection

    Found dynamic content when spawning a process. This is dangerous if external data can reach this function call because it allows a malicious actor to execute commands. Ensure no external data reaches here.
    Likelihood: LOW
    Confidence: LOW
    CWE:
    - CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
    OWASP:
    - A01:2017 - Injection
    - A03:2021 - Injection

    Annotations passed to typing.get_type_hints are evaluated in globals and locals namespaces. Make sure that no arbitrary value can be written as the annotation and passed to typing.get_type_hints function.
    Likelihood: LOW
    Confidence: LOW
    CWE:
    - CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (‘Eval Injection’)
    OWASP:
    - A03:2021 - Injection

    Untrusted user input in importlib.import_module() function allows an attacker to load arbitrary code. Avoid dynamic values in importlib.import_module() or use a whitelist to prevent running untrusted code.
    Likelihood: LOW
    Confidence: LOW
    CWE:
    - CWE-706: Use of Incorrectly-Resolved Name or Reference
    OWASP:
    - A01:2021 - Broken Access Control

    Detected the use of exec(). exec() can be dangerous if used to evaluate dynamic content. If this content can be input from outside the program, this may be a code injection vulnerability. Ensure evaluated content is not definable by external sources.
    Likelihood: LOW
    Confidence: LOW
    CWE:
    - CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (‘Eval Injection’)
    OWASP:
    - A03:2021 - Injection

    Found dynamic content when spawning a process. This is dangerous if external data can reach this function call because it allows a malicious actor to execute commands. Ensure no external data reaches here.
    Likelihood: LOW
    Confidence: LOW
    CWE:
    - CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
    OWASP:
    - A01:2017 - Injection
    - A03:2021 - Injection

    Detected subprocess function ‘$LOOP.subprocess_exec’ without a static string. If this data can be controlled by a malicious actor, it may be an instance of command injection. Audit the use of this call to ensure it is not controllable by an external resource. You may consider using ‘shlex.escape()’.
    Likelihood: LOW
    Confidence: LOW
    CWE:
    - CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
    OWASP:
    - A01:2017 - Injection
    - A03:2021 - Injection

    Found user controlled content in run_string. This is dangerous because it allows a malicious actor to run arbitrary Python code.
    Likelihood: MEDIUM
    Confidence: MEDIUM
    CWE:
    - CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (‘Eval Injection’)
    OWASP:
    - A03:2021 - Injection

    Found user controlled content when spawning a process. This is dangerous because it allows a malicious actor to execute commands.
    Likelihood: MEDIUM
    Confidence: MEDIUM
    CWE:
    - CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
    OWASP:
    - A01:2017 - Injection
    - A03:2021 - Injection

    It looks like MD5 is used as a password hash. MD5 is not considered a secure password hash because it can be cracked by an attacker in a short amount of time. Use a suitable password hashing function such as scrypt. You can use hashlib.scrypt.
    Likelihood: HIGH
    Confidence: MEDIUM
    CWE:
    - CWE-327: Use of a Broken or Risky Cryptographic Algorithm
    OWASP:
    - A03:2017 - Sensitive Data Exposure
    - A02:2021 - Cryptographic Failures

    Detected a dynamic value being used with urllib. urllib supports ‘file://’ schemes, so a dynamic value controlled by a malicious actor may allow them to read arbitrary files. Audit uses of urllib calls to ensure user data cannot control the URLs, or consider using the ‘requests’ library instead.
    Likelihood: LOW
    Confidence: LOW
    CWE:
    - CWE-939: Improper Authorization in Handler for Custom URL Scheme
    OWASP:
    - A
    - 0
    - 1
    - :
    - 2
    - 0
    - 1
    - 7
    -

    - -
    -

    - I
    - n
    - j
    - e
    - c
    - t
    - i
    - o
    - n

    Mako templates do not provide a global HTML escaping mechanism. This means you must escape all sensitive data in your templates using ’| u’ for URL escaping or ’| h’ for HTML escaping. If you are using Mako to serve web content, consider using a system such as Jinja2 which enables global escaping.
    Likelihood: LOW
    Confidence: LOW
    CWE:
    - CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
    OWASP:
    - A07:2017 - Cross-Site Scripting (XSS)
    - A03:2021 - Injection

    Detected possible formatted SQL query. Use parameterized queries instead.
    Likelihood: LOW
    Confidence: LOW
    CWE:
    - CWE-89: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
    OWASP:
    - A01:2017 - Injection
    - A03:2021 - Injection

    The Connection.recv() method automatically unpickles the data it receives, which can be a security risk unless you can trust the process which sent the message. Therefore, unless the connection object was produced using Pipe() you should only use the recv() and send() methods after performing some sort of authentication. See more dettails: https://docs.python.org/3/library/multiprocessing.html?highlight=security#multiprocessing.connection.Connection
    Likelihood: LOW
    Confidence: LOW
    CWE:
    - CWE-502: Deserialization of Untrusted Data
    OWASP:
    - A08:2017 - Insecure Deserialization
    - A08:2021 - Software and Data Integrity Failures

    Found user controlled content when spawning a process. This is dangerous because it allows a malicious actor to execute commands.
    Likelihood: MEDIUM
    Confidence: MEDIUM
    CWE:
    - CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
    OWASP:
    - A01:2017 - Injection
    - A03:2021 - Injection

    Detected ‘create_subprocess_exec’ function without a static string. If this data can be controlled by a malicious actor, it may be an instance of command injection. Audit the use of this call to ensure it is not controllable by an external resource. You may consider using ‘shlex.escape()’.
    Likelihood: LOW
    Confidence: LOW
    CWE:
    - CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
    OWASP:
    - A01:2017 - Injection
    - A03:2021 - Injection

    Detected subprocess function ‘$LOOP.subprocess_exec’ with user controlled data. You may consider using ‘shlex.escape()’.
    Likelihood: MEDIUM
    Confidence: MEDIUM
    CWE:
    - CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
    OWASP:
    - A01:2017 - Injection
    - A03:2021 - Injection

    Detected a paramiko host key policy that implicitly trusts a server’s host key. Host keys should be verified to ensure the connection is not to a malicious server. Use RejectPolicy or a custom subclass instead.
    Likelihood: LOW
    Confidence: LOW
    CWE:
    - CWE-322: Key Exchange without Entity Authentication
    OWASP:
    - A02:2021 - Cryptographic Failures

    Detected asyncio subprocess function without a static string. If this data can be controlled by a malicious actor, it may be an instance of command injection. Audit the use of this call to ensure it is not controllable by an external resource. You may consider using ‘shlex.escape()’.
    Likelihood: LOW
    Confidence: LOW
    CWE:
    - CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
    OWASP:
    - A01:2017 - Injection
    - A03:2021 - Injection

    ‘ssl.wrap_socket()’ is deprecated. This function creates an insecure socket without server name indication or hostname matching. Instead, create an SSL context using ‘ssl.SSLContext()’ and use that to wrap a socket.
    Likelihood: LOW
    Confidence: MEDIUM
    CWE:
    - CWE-326: Inadequate Encryption Strength
    OWASP:
    - A03:2017 - Sensitive Data Exposure
    - A02:2021 - Cryptographic Failures

    Found dynamic content in run_in_subinterp. This is dangerous if external data can reach this function call because it allows a malicious actor to run arbitrary Python code. Ensure no external data reaches here.
    Likelihood: LOW
    Confidence: LOW
    CWE:
    - CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (‘Eval Injection’)
    OWASP:
    - A03:2021 - Injection

    Detected subprocess function ‘$FUNC’ without a static string. If this data can be controlled by a malicious actor, it may be an instance of command injection. Audit the use of this call to ensure it is not controllable by an external resource. You may consider using ‘shlex.escape()’.
    Likelihood: LOW
    Confidence: LOW
    CWE:
    - CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
    OWASP:
    - A01:2017 - Injection
    - A03:2021 - Injection

    Detected the use of eval(). eval() can be dangerous if used to evaluate dynamic content. If this content can be input from outside the program, this may be a code injection vulnerability. Ensure evaluated content is not definable by external sources.
    Likelihood: LOW
    Confidence: LOW
    CWE:
    - CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (‘Eval Injection’)
    OWASP:
    - A03:2021 - Injection

    These permissions $BITS are widely permissive and grant access to more people than may be necessary. A good default is 0o644 which gives read and write access to yourself and read access to everyone else.
    Likelihood: LOW
    Confidence: MEDIUM
    CWE:
    - CWE-276: Incorrect Default Permissions
    OWASP:
    - A01:2021 - Broken Access Control

    Hardcoded password is used as a default argument to ‘$FUNC’. This could be dangerous if a real password is not supplied.
    Likelihood: LOW
    Confidence: LOW
    CWE:
    - CWE-798: Use of Hard-coded Credentials
    OWASP:
    - A07:2021 - Identification and Authentication Failures

    Found ‘subprocess’ function ‘$FUNC’ with ‘shell=True’. This is dangerous because this call will spawn the command using a shell process. Doing so propagates current shell settings and variables, which makes it much easier for a malicious actor to execute commands. Use ‘shell=False’ instead.
    Likelihood: HIGH
    Confidence: MEDIUM
    CWE:
    - CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
    OWASP:
    - A01:2017 - Injection
    - A03:2021 - Injection

    Found user controlled data inside InteractiveConsole/InteractiveInterpreter method. This is dangerous if external data can reach this function call because it allows a malicious actor to run arbitrary Python code.
    Likelihood: MEDIUM
    Confidence: MEDIUM
    CWE:
    - CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (‘Eval Injection’)
    OWASP:
    - A03:2021 - Injection

    Detected use of the wildcard character in a system call that spawns a shell. This subjects the wildcard to normal shell expansion, which can have unintended consequences if there exist any non-standard file names. Consider a file named ‘-e sh script.sh’ — this will execute a script when ‘rsync’ is called. See https://www.defensecode.com/public/DefenseCode_Unix_WildCards_Gone_Wild.txt for more information.
    Likelihood: LOW
    Confidence: LOW
    CWE:
    - CWE-155: Improper Neutralization of Wildcards or Matching Symbols
    OWASP:
    - A
    - 0
    - 1
    - :
    - 2
    - 0
    - 1
    - 7
    -

    - -
    -

    - I
    - n
    - j
    - e
    - c
    - t
    - i
    - o
    - n

    The HTTPSConnection API has changed frequently with minor releases of Python. Ensure you are using the API for your version of Python securely. For example, Python 3 versions prior to 3.4.3 will not verify SSL certificates by default. See https://docs.python.org/3/library/http.client.html#http.client.HTTPSConnection for more information.
    Likelihood: LOW
    Confidence: LOW
    CWE:
    - CWE-295: Improper Certificate Validation
    OWASP:
    - A03:2017 - Sensitive Data Exposure
    - A07:2021 - Identification and Authentication Failures

    Semgrep found a Python reverse shell using BINPATHtoBINPATH to BINPATHtoIP at $PORT
    Likelihood: LOW
    Confidence: LOW
    CWE:
    - CWE-553: Command Shell in Externally Accessible Directory

    FTP does not encrypt communications by default. This can lead to sensitive data being exposed. Ensure use of FTP here does not expose sensitive data.
    Likelihood: LOW
    Confidence: LOW
    CWE:
    - CWE-319: Cleartext Transmission of Sensitive Information
    OWASP:
    - A03:2017 - Sensitive Data Exposure
    - A02:2021 - Cryptographic Failures

    An insecure SSL version was detected. TLS versions 1.0, 1.1, and all SSL versions are considered weak encryption and are deprecated. Use ‘ssl.PROTOCOL_TLSv1_2’ or higher.
    Likelihood: LOW
    Confidence: MEDIUM
    CWE:
    - CWE-326: Inadequate Encryption Strength
    OWASP:
    - A03:2017 - Sensitive Data Exposure
    - A02:2021 - Cryptographic Failures

    Detected usage of re.compile with an inefficient regular expression. This can lead to regular expression denial of service, which can result in service down time. Instead, check all regexes or use safer alternatives such as pyre2.
    Likelihood: LOW
    Confidence: LOW
    CWE:
    - C
    - W
    - E
    - -
    - 1
    - 3
    - 3
    - 3
    - :
    -

    - I
    - n
    - e
    - f
    - f
    - i
    - c
    - i
    - e
    - n
    - t
    -

    - R
    - e
    - g
    - u
    - l
    - a
    - r
    -

    - E
    - x
    - p
    - r
    - e
    - s
    - s
    - i
    - o
    - n
    -

    - C
    - o
    - m
    - p
    - l
    - e
    - x
    - i
    - t
    - y
    OWASP:
    - A
    - 0
    - 6
    - :
    - 2
    - 0
    - 1
    - 7
    -

    - -
    -

    - S
    - e
    - c
    - u
    - r
    - i
    - t
    - y
    -

    - M
    - i
    - s
    - c
    - o
    - n
    - f
    - i
    - g
    - u
    - r
    - a
    - t
    - i
    - o
    - n

    Detected ‘create_subprocess_exec’ function with user controlled data. You may consider using ‘shlex.escape()’.
    Likelihood: LOW
    Confidence: LOW
    CWE:
    - CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
    OWASP:
    - A01:2017 - Injection
    - A03:2021 - Injection

    Found dynamic content used in a system call. This is dangerous if external data can reach this function call because it allows a malicious actor to execute commands. Use the ‘subprocess’ module instead, which is easier to use without accidentally exposing a command injection vulnerability.
    Likelihood: LOW
    Confidence: LOW
    CWE:
    - CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
    OWASP:
    - A01:2017 - Injection
    - A03:2021 - Injection

    Found user-controlled data used in a system call. This could allow a malicious actor to execute commands. Use the ‘subprocess’ module instead, which is easier to use without accidentally exposing a command injection vulnerability.
    Likelihood: MEDIUM
    Confidence: MEDIUM
    CWE:
    - CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
    OWASP:
    - A01:2017 - Injection
    - A03:2021 - Injection

    Found dynamic content in run_string. This is dangerous if external data can reach this function call because it allows a malicious actor to run arbitrary Python code. Ensure no external data reaches here.
    Likelihood: LOW
    Confidence: LOW
    CWE:
    - CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (‘Eval Injection’)
    OWASP:
    - A03:2021 - Injection

    Found user controlled content in run_in_subinterp. This is dangerous because it allows a malicious actor to run arbitrary Python code.
    Likelihood: MEDIUM
    Confidence: MEDIUM
    CWE:
    - CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (‘Eval Injection’)
    OWASP:
    - A03:2021 - Injection

    The marshal module is not intended to be secure against erroneous or maliciously constructed data. Never unmarshal data received from an untrusted or unauthenticated source. See more details: https://docs.python.org/3/library/marshal.html?highlight=security
    Likelihood: LOW
    Confidence: LOW
    CWE:
    - CWE-502: Deserialization of Untrusted Data
    OWASP:
    - A08:2017 - Insecure Deserialization
    - A08:2021 - Software and Data Integrity Failures

    Detected asyncio subprocess function with user controlled data. You may consider using ‘shlex.escape()’.
    Likelihood: MEDIUM
    Confidence: MEDIUM
    CWE:
    - CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
    OWASP:
    - A01:2017 - Injection
    - A03:2021 - Injection

    Telnet does not encrypt communications. Use SSH instead.
    Likelihood: LOW
    Confidence: LOW
    CWE:
    - CWE-319: Cleartext Transmission of Sensitive Information
    OWASP:
    - A03:2017 - Sensitive Data Exposure
    - A02:2021 - Cryptographic Failures

    SecurityFtplib
    twitterlinkedin
    Powered by Mintlify