Python Secure Coding
Language | Insecure Function/Practice | Vulnerability | Scenario | Remediation/Secure Function |
---|---|---|---|---|
Python | `eval` with user input | Code Injection | A web application executes user input as code using `eval`. | Avoid using `eval`, use safer alternatives like `ast.literal_eval` for parsing literals |
Python | `exec` with user input | Code Injection | A web application executes user input as code using `exec`. | Avoid using `exec`, use safer alternatives and validate input |
Python | SQL queries without parameterized queries | SQL Injection | A web application constructs SQL queries using user input without parameterized queries. | Use parameterized queries with libraries like `sqlite3`, `psycopg2`, or `SQLAlchemy` |
Python | `input()` in versions < 3.0 | Code Injection | In Python 2.x, `input()` evaluates the input as Python code. | Use `raw_input()` in Python 2.x, or use `input()` in Python 3.x and validate input |
Python | `os.system` with user input | Command Injection | A web application constructs shell commands using user input with `os.system`. | Use `subprocess.run` with a list of arguments instead of `os.system`, validate input |
Python | `pickle.loads` with untrusted data | Insecure Deserialization | A web application deserializes untrusted data using `pickle.loads`, leading to remote code execution. | Avoid using `pickle` with untrusted data, use safer alternatives like `json` or `yaml` |
Python | `open` without validation | Path Traversal | A web application opens files using paths derived from user input without validation. | Validate and sanitize file paths, use a whitelist of allowed paths |
Python | `requests.get` without proper SSL verification | Insecure SSL Configuration | A web application makes HTTP requests without verifying SSL certificates. | Use `requests.get(url, verify=True)` or configure SSL verification properly |
Python | Logging sensitive information | Information Exposure | Sensitive information like passwords or tokens is logged. | Avoid logging sensitive information, use redaction if necessary |
Python | `flask.jsonpify` without validation | Cross-Site Scripting (XSS) | A Flask application returns user input directly in JSON responses without validation. | Validate and sanitize input, use proper encoding functions |
Python | Unrestricted file upload | Unrestricted File Upload | A web application allows users to upload files without validation, leading to remote code execution or malware injection. | Validate file types, use a whitelist of allowed file types, scan for malicious content |
Python | `yaml.load` with untrusted data | Insecure Deserialization | A web application deserializes untrusted data using `yaml.load`, leading to remote code execution. | Use `yaml.safe_load` instead of `yaml.load` |
Python | `str.format` with untrusted data | Format String Vulnerability | A web application uses `str.format` with untrusted user input. | Use f-strings or validate and sanitize input before using `str.format` |
Python | `json.loads` without validation | JSON Injection | A web application processes untrusted JSON data without validation. | Validate and sanitize JSON input before processing |
Python | Using default `flask` secret key | Weak Secret Key | A Flask application uses the default secret key for session management. | Generate and use a strong, unique secret key for each application |
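
The remediations from three rows of the table above (`eval`, SQL queries, `open`), shown as an added example that is not part of the original page. The function names, the `users` table and all sample inputs are constructed for illustration.

```python
import ast
import sqlite3
import tempfile
from pathlib import Path


def parse_literal(text):
    """eval row: accept only Python literals; nothing in `text` is executed."""
    try:
        return ast.literal_eval(text)
    except (ValueError, SyntaxError):
        return None  # not a plain literal, e.g. a function call


def find_user(conn, name):
    """SQL row: `name` is bound as data, so it cannot change the statement."""
    return conn.execute("SELECT id, name FROM users WHERE name = ?", (name,)).fetchall()


def open_under(base_dir, user_path):
    """open row: resolve the requested path and refuse anything outside base_dir."""
    base = Path(base_dir).resolve()
    target = (base / user_path).resolve()  # collapses ".." and follows symlinks
    if base not in target.parents:
        raise PermissionError(f"path escapes {base}: {user_path!r}")
    return target.open("rb")


def demo():  # runs each helper on a benign and a hostile constructed input
    results = {"literal_ok": parse_literal("[1, 2, {'a': 3}]"),
               "literal_code": parse_literal("__import__('os').getcwd()")}
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (name) VALUES (?)", [("alice",), ("bob",)])
    results["sql_ok"] = find_user(conn, "alice")
    results["sql_injection"] = find_user(conn, "x' OR '1'='1")
    with tempfile.TemporaryDirectory() as base:
        (Path(base) / "report.txt").write_bytes(b"hello")
        with open_under(base, "report.txt") as fh:
            results["file_ok"] = fh.read()
        try:
            open_under(base, "../../etc/passwd").close()
            results["traversal_blocked"] = False
        except PermissionError:
            results["traversal_blocked"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

The hostile inputs are rejected or treated as plain data in each case: the expression string yields `None`, the quote-laden name matches no rows, and the `..` path raises `PermissionError`.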