Audit

dangerous-interactive-code-run-audit

Found dynamic content inside InteractiveConsole/InteractiveInterpreter method. This is dangerous if external data can reach this function call because it allows a malicious actor to run arbitrary Python code. Ensure no external data reaches here.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (‘Eval Injection’)
OWASP:
- A03:2021 - Injection

dangerous-subprocess-use-tainted-env-args

Detected subprocess function ‘$FUNC’ with user controlled data. A malicious actor could leverage this to perform command injection. You may consider using ‘shlex.escape()’.
Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
OWASP:
- A01:2017 - Injection
- A03:2021 - Injection

dangerous-spawn-process-audit

Found dynamic content when spawning a process. This is dangerous if external data can reach this function call because it allows a malicious actor to execute commands. Ensure no external data reaches here.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
OWASP:
- A01:2017 - Injection
- A03:2021 - Injection

dangerous-annotations-usage

Annotations passed to typing.get_type_hints are evaluated in globals and locals namespaces. Make sure that no arbitrary value can be written as the annotation and passed to typing.get_type_hints function.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (‘Eval Injection’)
OWASP:
- A03:2021 - Injection

non-literal-import

Untrusted user input in importlib.import_module() function allows an attacker to load arbitrary code. Avoid dynamic values in importlib.import_module() or use a whitelist to prevent running untrusted code.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-706: Use of Incorrectly-Resolved Name or Reference
OWASP:
- A01:2021 - Broken Access Control

exec-detected

Detected the use of exec(). exec() can be dangerous if used to evaluate dynamic content. If this content can be input from outside the program, this may be a code injection vulnerability. Ensure evaluated content is not definable by external sources.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (‘Eval Injection’)
OWASP:
- A03:2021 - Injection

dangerous-os-exec-audit

dangerous-asyncio-exec-audit

Detected subprocess function ‘$LOOP.subprocess_exec’ without a static string. If this data can be controlled by a malicious actor, it may be an instance of command injection. Audit the use of this call to ensure it is not controllable by an external resource. You may consider using ‘shlex.escape()’.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
OWASP:
- A01:2017 - Injection
- A03:2021 - Injection

dangerous-subinterpreters-run-string-tainted-env-args

Found user controlled content in run_string. This is dangerous because it allows a malicious actor to run arbitrary Python code.
Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (‘Eval Injection’)
OWASP:
- A03:2021 - Injection

dangerous-spawn-process-tainted-env-args

Found user controlled content when spawning a process. This is dangerous because it allows a malicious actor to execute commands.
Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
OWASP:
- A01:2017 - Injection
- A03:2021 - Injection

md5-used-as-password

It looks like MD5 is used as a password hash. MD5 is not considered a secure password hash because it can be cracked by an attacker in a short amount of time. Use a suitable password hashing function such as scrypt. You can use hashlib.scrypt.
Likelihood: HIGH
Confidence: MEDIUM
CWE:
- CWE-327: Use of a Broken or Risky Cryptographic Algorithm
OWASP:
- A03:2017 - Sensitive Data Exposure
- A02:2021 - Cryptographic Failures

dynamic-urllib-use-detected

Detected a dynamic value being used with urllib. urllib supports ‘file://’ schemes, so a dynamic value controlled by a malicious actor may allow them to read arbitrary files. Audit uses of urllib calls to ensure user data cannot control the URLs, or consider using the ‘requests’ library instead.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-939: Improper Authorization in Handler for Custom URL Scheme
OWASP:
- A
- 0
- 1
- :
- 2
- 0
- 1
- 7
-

- -
-

- I
- n
- j
- e
- c
- t
- i
- o
- n

mako-templates-detected

Mako templates do not provide a global HTML escaping mechanism. This means you must escape all sensitive data in your templates using ’| u’ for URL escaping or ’| h’ for HTML escaping. If you are using Mako to serve web content, consider using a system such as Jinja2 which enables global escaping.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
OWASP:
- A07:2017 - Cross-Site Scripting (XSS)
- A03:2021 - Injection

formatted-sql-query

Detected possible formatted SQL query. Use parameterized queries instead.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-89: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
OWASP:
- A01:2017 - Injection
- A03:2021 - Injection

multiprocessing-recv

The Connection.recv() method automatically unpickles the data it receives, which can be a security risk unless you can trust the process which sent the message. Therefore, unless the connection object was produced using Pipe() you should only use the recv() and send() methods after performing some sort of authentication. See more dettails: https://docs.python.org/3/library/multiprocessing.html?highlight=security#multiprocessing.connection.Connection
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-502: Deserialization of Untrusted Data
OWASP:
- A08:2017 - Insecure Deserialization
- A08:2021 - Software and Data Integrity Failures

dangerous-os-exec-tainted-env-args

dangerous-asyncio-create-exec-audit

Detected ‘create_subprocess_exec’ function without a static string. If this data can be controlled by a malicious actor, it may be an instance of command injection. Audit the use of this call to ensure it is not controllable by an external resource. You may consider using ‘shlex.escape()’.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
OWASP:
- A01:2017 - Injection
- A03:2021 - Injection

dangerous-asyncio-exec-tainted-env-args

Detected subprocess function ‘$LOOP.subprocess_exec’ with user controlled data. You may consider using ‘shlex.escape()’.
Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
OWASP:
- A01:2017 - Injection
- A03:2021 - Injection

paramiko-implicit-trust-host-key

Detected a paramiko host key policy that implicitly trusts a server’s host key. Host keys should be verified to ensure the connection is not to a malicious server. Use RejectPolicy or a custom subclass instead.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-322: Key Exchange without Entity Authentication
OWASP:
- A02:2021 - Cryptographic Failures

dangerous-asyncio-shell-audit

Detected asyncio subprocess function without a static string. If this data can be controlled by a malicious actor, it may be an instance of command injection. Audit the use of this call to ensure it is not controllable by an external resource. You may consider using ‘shlex.escape()’.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
OWASP:
- A01:2017 - Injection
- A03:2021 - Injection

ssl-wrap-socket-is-deprecated

‘ssl.wrap_socket()’ is deprecated. This function creates an insecure socket without server name indication or hostname matching. Instead, create an SSL context using ‘ssl.SSLContext()’ and use that to wrap a socket.
Likelihood: LOW
Confidence: MEDIUM
CWE:
- CWE-326: Inadequate Encryption Strength
OWASP:
- A03:2017 - Sensitive Data Exposure
- A02:2021 - Cryptographic Failures

dangerous-testcapi-run-in-subinterp-audit

Found dynamic content in run_in_subinterp. This is dangerous if external data can reach this function call because it allows a malicious actor to run arbitrary Python code. Ensure no external data reaches here.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (‘Eval Injection’)
OWASP:
- A03:2021 - Injection

dangerous-subprocess-use-audit

Detected subprocess function ‘$FUNC’ without a static string. If this data can be controlled by a malicious actor, it may be an instance of command injection. Audit the use of this call to ensure it is not controllable by an external resource. You may consider using ‘shlex.escape()’.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
OWASP:
- A01:2017 - Injection
- A03:2021 - Injection

eval-detected

Detected the use of eval(). eval() can be dangerous if used to evaluate dynamic content. If this content can be input from outside the program, this may be a code injection vulnerability. Ensure evaluated content is not definable by external sources.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (‘Eval Injection’)
OWASP:
- A03:2021 - Injection

insecure-file-permissions

These permissions $BITS are widely permissive and grant access to more people than may be necessary. A good default is 0o644 which gives read and write access to yourself and read access to everyone else.
Likelihood: LOW
Confidence: MEDIUM
CWE:
- CWE-276: Incorrect Default Permissions
OWASP:
- A01:2021 - Broken Access Control

hardcoded-password-default-argument

Hardcoded password is used as a default argument to ‘$FUNC’. This could be dangerous if a real password is not supplied.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-798: Use of Hard-coded Credentials
OWASP:
- A07:2021 - Identification and Authentication Failures

subprocess-shell-true

Found ‘subprocess’ function ‘$FUNC’ with ‘shell=True’. This is dangerous because this call will spawn the command using a shell process. Doing so propagates current shell settings and variables, which makes it much easier for a malicious actor to execute commands. Use ‘shell=False’ instead.
Likelihood: HIGH
Confidence: MEDIUM
CWE:
- CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
OWASP:
- A01:2017 - Injection
- A03:2021 - Injection

dangerous-interactive-code-run-tainted-env-args

Found user controlled data inside InteractiveConsole/InteractiveInterpreter method. This is dangerous if external data can reach this function call because it allows a malicious actor to run arbitrary Python code.
Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (‘Eval Injection’)
OWASP:
- A03:2021 - Injection

system-wildcard-detected

Detected use of the wildcard character in a system call that spawns a shell. This subjects the wildcard to normal shell expansion, which can have unintended consequences if there exist any non-standard file names. Consider a file named ‘-e sh script.sh’ — this will execute a script when ‘rsync’ is called. See https://www.defensecode.com/public/DefenseCode_Unix_WildCards_Gone_Wild.txt for more information.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-155: Improper Neutralization of Wildcards or Matching Symbols
OWASP:
- A
- 0
- 1
- :
- 2
- 0
- 1
- 7
-

- -
-

- I
- n
- j
- e
- c
- t
- i
- o
- n

httpsconnection-detected

The HTTPSConnection API has changed frequently with minor releases of Python. Ensure you are using the API for your version of Python securely. For example, Python 3 versions prior to 3.4.3 will not verify SSL certificates by default. See https://docs.python.org/3/library/http.client.html#http.client.HTTPSConnection for more information.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-295: Improper Certificate Validation
OWASP:
- A03:2017 - Sensitive Data Exposure
- A07:2021 - Identification and Authentication Failures

python-reverse-shell

Semgrep found a Python reverse shell using

BINPATH to

IP at $PORT
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-553: Command Shell in Externally Accessible Directory

ftplib

FTP does not encrypt communications by default. This can lead to sensitive data being exposed. Ensure use of FTP here does not expose sensitive data.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-319: Cleartext Transmission of Sensitive Information
OWASP:
- A03:2017 - Sensitive Data Exposure
- A02:2021 - Cryptographic Failures

weak-ssl-version

An insecure SSL version was detected. TLS versions 1.0, 1.1, and all SSL versions are considered weak encryption and are deprecated. Use ‘ssl.PROTOCOL_TLSv1_2’ or higher.
Likelihood: LOW
Confidence: MEDIUM
CWE:
- CWE-326: Inadequate Encryption Strength
OWASP:
- A03:2017 - Sensitive Data Exposure
- A02:2021 - Cryptographic Failures

regex_dos

Detected usage of re.compile with an inefficient regular expression. This can lead to regular expression denial of service, which can result in service down time. Instead, check all regexes or use safer alternatives such as pyre2.
Likelihood: LOW
Confidence: LOW
CWE:
- C
- W
- E
- -
- 1
- 3
- 3
- 3
- :
-

- I
- n
- e
- f
- f
- i
- c
- i
- e
- n
- t
-

- R
- e
- g
- u
- l
- a
- r
-

- E
- x
- p
- r
- e
- s
- s
- i
- o
- n
-

- C
- o
- m
- p
- l
- e
- x
- i
- t
- y
OWASP:
- A
- 0
- 6
- :
- 2
- 0
- 1
- 7
-

- -
-

- S
- e
- c
- u
- r
- i
- t
- y
-

- M
- i
- s
- c
- o
- n
- f
- i
- g
- u
- r
- a
- t
- i
- o
- n

dangerous-asyncio-create-exec-tainted-env-args

Detected ‘create_subprocess_exec’ function with user controlled data. You may consider using ‘shlex.escape()’.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
OWASP:
- A01:2017 - Injection
- A03:2021 - Injection

dangerous-system-call-audit

Found dynamic content used in a system call. This is dangerous if external data can reach this function call because it allows a malicious actor to execute commands. Use the ‘subprocess’ module instead, which is easier to use without accidentally exposing a command injection vulnerability.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
OWASP:
- A01:2017 - Injection
- A03:2021 - Injection

dangerous-system-call-tainted-env-args

Found user-controlled data used in a system call. This could allow a malicious actor to execute commands. Use the ‘subprocess’ module instead, which is easier to use without accidentally exposing a command injection vulnerability.
Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
OWASP:
- A01:2017 - Injection
- A03:2021 - Injection

dangerous-subinterpreters-run-string-audit

Found dynamic content in run_string. This is dangerous if external data can reach this function call because it allows a malicious actor to run arbitrary Python code. Ensure no external data reaches here.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (‘Eval Injection’)
OWASP:
- A03:2021 - Injection

dangerous-testcapi-run-in-subinterp-tainted-env-args

Found user controlled content in run_in_subinterp. This is dangerous because it allows a malicious actor to run arbitrary Python code.
Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (‘Eval Injection’)
OWASP:
- A03:2021 - Injection

marshal-usage

The marshal module is not intended to be secure against erroneous or maliciously constructed data. Never unmarshal data received from an untrusted or unauthenticated source. See more details: https://docs.python.org/3/library/marshal.html?highlight=security
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-502: Deserialization of Untrusted Data
OWASP:
- A08:2017 - Insecure Deserialization
- A08:2021 - Software and Data Integrity Failures

dangerous-asyncio-shell-tainted-env-args

Detected asyncio subprocess function with user controlled data. You may consider using ‘shlex.escape()’.
Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
OWASP:
- A01:2017 - Injection
- A03:2021 - Injection

telnetlib

Telnet does not encrypt communications. Use SSH instead.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-319: Cleartext Transmission of Sensitive Information
OWASP:
- A03:2017 - Sensitive Data Exposure
- A02:2021 - Cryptographic Failures

Start Here

Setup

Pull Request Review

Scan center

Integrations

IDE

Rule Reference

Resources