Python Secure Coding

Language Insecure Function/Practice Vulnerability Scenario Remediation/Secure Function

Language	Insecure Function/Practice	Vulnerability	Scenario	Remediation/Secure Function
Python	`eval` with user input	Code Injection	A web application executes user input as code using `eval`.	Avoid using `eval`, use safer alternatives like `ast.literal_eval` for parsing literals
Python	`exec` with user input	Code Injection	A web application executes user input as code using `exec`.	Avoid using `exec`, use safer alternatives and validate input
Python	SQL queries without parameterized queries	SQL Injection	A web application constructs SQL queries using user input without parameterized queries.	Use parameterized queries with libraries like `sqlite3`, `psycopg2`, or `SQLAlchemy`
Python	`input()` in versions < 3.0	Code Injection	In Python 2.x, `input()` evaluates the input as Python code.	Use `raw_input()` in Python 2.x, or use `input()` in Python 3.x and validate input
Python	`os.system` with user input	Command Injection	A web application constructs shell commands using user input with `os.system`.	Use `subprocess.run` with a list of arguments instead of `os.system`, validate input
Python	`pickle.loads` with untrusted data	Insecure Deserialization	A web application deserializes untrusted data using `pickle.loads`, leading to remote code execution.	Avoid using `pickle` with untrusted data, use safer alternatives like `json` or `yaml`
Python	`open` without validation	Path Traversal	A web application opens files using paths derived from user input without validation.	Validate and sanitize file paths, use a whitelist of allowed paths
Python	`requests.get` without proper SSL verification	Insecure SSL Configuration	A web application makes HTTP requests without verifying SSL certificates.	Use `requests.get(url, verify=True)` or configure SSL verification properly
Python	Logging sensitive information	Information Exposure	Sensitive information like passwords or tokens is logged.	Avoid logging sensitive information, use redaction if necessary
Python	`flask.jsonpify` without validation	Cross-Site Scripting (XSS)	A Flask application returns user input directly in JSON responses without validation.	Validate and sanitize input, use proper encoding functions
Python	Unrestricted file upload	Unrestricted File Upload	A web application allows users to upload files without validation, leading to remote code execution or malware injection.	Validate file types, use a whitelist of allowed file types, scan for malicious content
Python	`yaml.load` with untrusted data	Insecure Deserialization	A web application deserializes untrusted data using `yaml.load`, leading to remote code execution.	Use `yaml.safe_load` instead of `yaml.load`
Python	`str.format` with untrusted data	Format String Vulnerability	A web application uses `str.format` with untrusted user input.	Use f-strings or validate and sanitize input before using `str.format`
Python	`json.loads` without validation	JSON Injection	A web application processes untrusted JSON data without validation.	Validate and sanitize JSON input before processing
Python	Using default `flask` secret key	Weak Secret Key	A Flask application uses the default secret key for session management.	Generate and use a strong, unique secret key for each application

Python

eval with user input

Code Injection

A web application executes user input as code using eval.

Avoid using eval, use safer alternatives like ast.literal_eval for parsing literals

Python

exec with user input

Code Injection

A web application executes user input as code using exec.

Avoid using exec, use safer alternatives and validate input

Python

SQL queries without parameterized queries

SQL Injection

A web application constructs SQL queries using user input without parameterized queries.

Use parameterized queries with libraries like sqlite3, psycopg2, or SQLAlchemy

Python

input() in versions < 3.0

Code Injection

In Python 2.x, input() evaluates the input as Python code.

Use raw_input() in Python 2.x, or use input() in Python 3.x and validate input

Python

os.system with user input

Command Injection

A web application constructs shell commands using user input with os.system.

Use subprocess.run with a list of arguments instead of os.system, validate input

Python

pickle.loads with untrusted data

Insecure Deserialization

A web application deserializes untrusted data using pickle.loads, leading to remote code execution.

Avoid using pickle with untrusted data, use safer alternatives like json or yaml

Python

open without validation

Path Traversal

A web application opens files using paths derived from user input without validation.

Validate and sanitize file paths, use a whitelist of allowed paths

Python

requests.get without proper SSL verification

Insecure SSL Configuration

A web application makes HTTP requests without verifying SSL certificates.

Use requests.get(url, verify=True) or configure SSL verification properly

Python

Logging sensitive information

Information Exposure

Sensitive information like passwords or tokens is logged.

Avoid logging sensitive information, use redaction if necessary

Python

flask.jsonpify without validation

Cross-Site Scripting (XSS)

A Flask application returns user input directly in JSON responses without validation.

Validate and sanitize input, use proper encoding functions

Python

Unrestricted file upload

Unrestricted File Upload

A web application allows users to upload files without validation, leading to remote code execution or malware injection.

Validate file types, use a whitelist of allowed file types, scan for malicious content

Python

yaml.load with untrusted data

Insecure Deserialization

A web application deserializes untrusted data using yaml.load, leading to remote code execution.

Use yaml.safe_load instead of yaml.load

Python

str.format with untrusted data

Format String Vulnerability

A web application uses str.format with untrusted user input.

Use f-strings or validate and sanitize input before using str.format

Python

json.loads without validation

JSON Injection

A web application processes untrusted JSON data without validation.

Validate and sanitize JSON input before processing

Python

Using default flask secret key

Weak Secret Key

A Flask application uses the default secret key for session management.

Generate and use a strong, unique secret key for each application

PreviousJava/JS Secure Coding NextMalware Dev

Last updated 3 months ago