# Python Secure Coding

| Language | Insecure Function/Practice | Vulnerability | Scenario | Remediation/Secure Function |
| -------- | -------------------------- | ------------- | -------- | --------------------------- |
| Python   | `eval` with user input | Code Injection | A web application executes user input as code using `eval`. | Avoid `eval` entirely; to parse literals (numbers, strings, lists, dicts) use `ast.literal_eval`, which evaluates no names or calls |
| Python   | `exec` with user input | Code Injection | A web application executes user input as code using `exec`. | Avoid `exec`; use a purpose-built parser or dispatch table and validate input |
| Python   | SQL queries built with string formatting | SQL Injection | A web application constructs SQL queries by concatenating or formatting user input into the query string. | Use parameterized queries (a placeholder in the SQL plus a separate parameter tuple) with `sqlite3`, `psycopg2`, or `SQLAlchemy`; never build SQL with `%`, `+` or f-strings |
| Python   | `input()` in versions < 3.0 | Code Injection | In Python 2.x, `input()` evaluates the input as Python code. | Use `raw_input()` in Python 2.x, or use `input()` in Python 3.x and validate input |
| Python   | `os.system` (or `subprocess` with `shell=True`) with user input | Command Injection | A web application constructs shell command strings using user input; shell metacharacters such as `;`, `|` and `$()` run extra commands. | Use `subprocess.run` with a list of arguments and `shell=False` (the default), so the input is passed as one argument and never parsed by a shell; validate input |
| Python   | `pickle.loads` with untrusted data | Insecure Deserialization | A web application deserializes untrusted data using `pickle.loads`; a crafted payload names any callable via `__reduce__`, giving remote code execution. | Never unpickle untrusted data; use a data-only format such as `json` (or `yaml.safe_load`), and if pickles must cross a trust boundary, authenticate them (e.g. HMAC) before loading |
| Python   | `open` without path validation | Path Traversal | A web application opens files using paths derived from user input; `../` sequences or an absolute path escape the intended directory. | Resolve the path (`os.path.realpath`) and verify it stays under the allowed base directory; prefer an allow-list of file names |
| Python   | `requests.get` with `verify=False` | Insecure TLS Configuration | A web application makes HTTPS requests with certificate verification disabled, allowing man-in-the-middle attacks. | Keep the default `verify=True` (never pass `verify=False`); for a private CA, point `verify` at a trusted CA bundle path |
| Python   | Logging sensitive information | Information Exposure | Sensitive information like passwords or tokens is logged. | Avoid logging secrets; redact or hash them, and keep them out of exception messages and debug output |
| Python   | Reflecting user input into Flask HTML responses (`render_template_string`, `Markup`, `\|safe`, or `flask.jsonify` data embedded in a template) | Cross-Site Scripting (XSS) | A Flask application returns user input in HTML or inline script without escaping. | Rely on Jinja2 autoescaping; use the `tojson` filter when embedding data in templates; serve API data with `flask.jsonify` (`Content-Type: application/json`) rather than as HTML; validate input |
| Python   | Unrestricted file upload | Unrestricted File Upload | A web application allows users to upload files without validation, leading to remote code execution or malware injection. | Validate the file type by content, not just extension, against an allow-list; store uploads outside the web root under server-generated names; scan for malicious content |
| Python   | `yaml.load` with an unsafe loader | Insecure Deserialization | A web application deserializes untrusted data using `yaml.load` with `Loader=yaml.Loader`/`yaml.UnsafeLoader` (or the loader-less call in PyYAML < 5.1), where `!!python/object` tags lead to remote code execution. | Use `yaml.safe_load` instead of `yaml.load` |
| Python   | `str.format` with an untrusted format string | Format String Vulnerability | A web application lets user input become the format string passed to `str.format`; fields such as `{0.__class__}` or `{0.secret}` read attributes of the format arguments. | Never let user input be the format string: keep the template fixed (a literal or f-string) and pass user input only as an argument; if users must supply a template, use `string.Template.safe_substitute` |
| Python   | `json.loads` without schema validation | Improper Input Validation | A web application decodes untrusted JSON and trusts the resulting structure (types, keys, sizes, nesting) without checking it. | Validate the decoded data against a schema (e.g. `jsonschema`), check types and bounds, and limit payload size before parsing |
| Python   | Hardcoded or weak Flask `SECRET_KEY` | Weak Secret Key | A Flask application ships a guessable `SECRET_KEY` in source (Flask has no default; sessions fail until one is set), so an attacker can forge signed session cookies. | Generate a random key (e.g. `secrets.token_hex(32)`), load it from the environment or a secret store, and keep it out of source control |
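The three injection rows above (SQL injection, command injection and path traversal) are illustrated by the following added example, which is not code from the original page. It uses an in-memory `sqlite3` table, `echo` as a stand-in for a real shell command, and constructed attacker inputs; the base directory `/srv/app/uploads` is hypothetical and does not need to exist.

```python
import os
import sqlite3
import subprocess

# Constructed attacker-controlled inputs for the demo (not taken from any real app).
SQLI_INPUT = "x' OR '1'='1"
CMD_INPUT = "report.txt; echo INJECTED"
TRAVERSAL_INPUT = "../../etc/passwd"
ABSOLUTE_INPUT = "/etc/passwd"
UPLOAD_DIR = "/srv/app/uploads"  # hypothetical base directory; it need not exist


def make_db() -> sqlite3.Connection:
    """In-memory table standing in for the application's user store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT NOT NULL, role TEXT NOT NULL)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn


def lookup_user_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    # The quote in the input closes the string literal; the rest is parsed as SQL.
    query = f"SELECT name FROM users WHERE name = '{name}'"
    return [row[0] for row in conn.execute(query)]


def lookup_user_safe(conn: sqlite3.Connection, name: str) -> list:
    # The ? placeholder binds the value; sqlite3 never parses it as SQL.
    query = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(query, (name,))]


def echo_vulnerable(arg: str) -> str:
    # Same failure mode as os.system(f"echo {arg}"): /bin/sh treats ';' as a separator.
    return subprocess.run(f"echo {arg}", shell=True,
                          capture_output=True, text=True).stdout


def echo_safe(arg: str) -> str:
    # Argument list with shell=False (the default): no shell, so ';' is plain text.
    return subprocess.run(["echo", arg], capture_output=True,
                          text=True, check=True).stdout


def resolve_under(base_dir: str, user_path: str) -> str:
    """Join user_path onto base_dir and refuse any result outside base_dir."""
    base = os.path.realpath(base_dir)
    # os.path.join discards base when user_path is absolute, and realpath collapses
    # '..' and follows symlinks, so the containment check sees the real target.
    candidate = os.path.realpath(os.path.join(base, user_path))
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError(f"{user_path!r} escapes {base_dir!r}")
    return candidate


def is_contained(base_dir: str, user_path: str) -> bool:
    """True if resolve_under accepts the path, False if it is rejected."""
    try:
        resolve_under(base_dir, user_path)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    db = make_db()
    print(lookup_user_vulnerable(db, SQLI_INPUT))  # ['alice', 'bob']: WHERE clause bypassed
    print(lookup_user_safe(db, SQLI_INPUT))        # []
    print(repr(echo_vulnerable(CMD_INPUT)))        # 'report.txt\nINJECTED\n'
    print(repr(echo_safe(CMD_INPUT)))              # 'report.txt; echo INJECTED\n'
    print(resolve_under(UPLOAD_DIR, "reports/q1.txt"))
    for bad in (TRAVERSAL_INPUT, ABSOLUTE_INPUT):
        print(bad, "contained:", is_contained(UPLOAD_DIR, bad))  # False for both
```

The containment check compares `os.path.commonpath` against the resolved base rather than using a string prefix test, so a sibling directory such as `/srv/app/uploads2` is also rejected.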

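The `pickle.loads` row is illustrated by this added example, which is not code from the original page. The `Gadget` class, the payloads and the `RestrictedUnpickler` allow-list are constructed for the demo, and `os.getcwd` stands in for a harmful callable such as `os.system`.

```python
import io
import json
import os
import pickle


class Gadget:
    """Constructed malicious object. pickle records the callable and arguments
    returned by __reduce__, and pickle.loads calls them during deserialisation.
    os.getcwd is a harmless stand-in; an attacker would use os.system or similar."""

    def __reduce__(self):
        return (os.getcwd, ())


# Constructed payloads, e.g. a cookie or cache entry an attacker can write.
MALICIOUS_PICKLE = pickle.dumps(Gadget())
BENIGN_PICKLE = pickle.dumps({"user": "alice", "roles": ["admin"]})


def load_untrusted_vulnerable(data: bytes):
    # Calls whatever callable the payload names; here that is os.getcwd().
    return pickle.loads(data)


def vulnerable_runs_callable() -> bool:
    """True when unpickling the payload executed os.getcwd() and returned its result."""
    return load_untrusted_vulnerable(MALICIOUS_PICKLE) == os.getcwd()


class RestrictedUnpickler(pickle.Unpickler):
    """Allow-list the globals a pickle may reference; refuse everything else.
    This blocks the os/posix callable above but is a mitigation, not a substitute
    for keeping pickle away from untrusted input."""

    ALLOWED = {("builtins", "set"), ("builtins", "frozenset"),
               ("collections", "OrderedDict")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def load_untrusted_restricted(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def restricted_rejects(data: bytes) -> bool:
    """True if the allow-listing unpickler refuses the payload."""
    try:
        load_untrusted_restricted(data)
    except pickle.UnpicklingError:
        return True
    return False


def load_untrusted_json(data: str):
    # JSON decodes only to dicts, lists, strings, numbers, booleans and None:
    # there is no way to name a callable, so no code runs on load.
    return json.loads(data)


if __name__ == "__main__":
    print(vulnerable_runs_callable())                # True
    print(restricted_rejects(MALICIOUS_PICKLE))      # True
    print(load_untrusted_restricted(BENIGN_PICKLE))  # {'user': 'alice', 'roles': ['admin']}
    print(load_untrusted_json('{"user": "alice", "roles": ["admin"]}'))
```

The plain dict pickle loads through the restricted unpickler because it references no globals; the gadget pickle fails at `find_class` before any callable is resolved. The JSON path is the real remediation from the table: it cannot express a callable at all.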

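The `str.format` row is illustrated by this added example, which is not code from the original page. The `Settings` object, its demo password and the attacker-supplied template are constructed for the demo; an f-string would behave like `render_safe` here because its template is fixed at compile time.

```python
import string


class Settings:
    """Constructed config object a developer might hand to a template; the
    password is a demo value, not a real secret."""

    def __init__(self):
        self.app_name = "demo"
        self.db_password = "hunter2"


# Constructed attacker-supplied "greeting template": dotted fields let a format
# string walk attributes of whatever object is passed as argument 0.
ATTACKER_TEMPLATE = "Welcome to {0.app_name}! ({0.db_password})"


def render_vulnerable(template: str, settings: Settings) -> str:
    # Untrusted text used as the format string: attributes of settings leak.
    return template.format(settings)


def render_safe(user_text: str, settings: Settings) -> str:
    # Fixed format string; untrusted text is only a value, never parsed for fields.
    return "Welcome to {}! Message: {}".format(settings.app_name, user_text)


def render_user_template_safe(template: str, settings: Settings) -> str:
    # When users must supply a template, string.Template substitutes only
    # $identifier placeholders from an explicit mapping: no attribute access,
    # and safe_substitute leaves unknown names untouched instead of raising.
    return string.Template(template).safe_substitute(app_name=settings.app_name)


if __name__ == "__main__":
    cfg = Settings()
    print(render_vulnerable(ATTACKER_TEMPLATE, cfg))  # Welcome to demo! (hunter2)
    print(render_safe(ATTACKER_TEMPLATE, cfg))        # template echoed back as text
    print(render_user_template_safe("Welcome to $app_name! ($db_password)", cfg))
    # Welcome to demo! ($db_password)
```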
