Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Tue, 6 Dec 2016 10:26:14 -0800
From: Grant Murphy <grantcmurphy@...il.com>
To: oss-security@...ts.openwall.com
Subject: Re: Opensource Python whitebox code analysis tool recommendations

On Tue, Dec 6, 2016 at 9:02 AM, Fiedler Roman <Roman.Fiedler@....ac.at>
wrote:

> Hello list,
>
> I just stubled over effects of following programming error due to unwanted
> singleton in Python, bypassing intended process restrictions (allowed
> number
> of elements in my case) and of course data corruption:
>
> class A:
>   def __init__(self, value=[]):
>     self.value=value
>     self.valueCloned=value[:]
>   def show(self):
>     print 'IDs value %x, cloned %x' % (id(self.value),
> id(self.valueCloned))
>   def append(self, data):
>     self.value.append(data)
>
> # Keep reference to avoid garbage collection interference.
> objFirst=A()
> objFirst.show()
> objNext=A()
> objNext.show()
> # Check references to prohibit optimization.
> if objFirst==objNext: raise Exception('Impossible')
>
>
>
> As this type of error seems to be more common in code, at least according
> to
> grep, are there tool recommendations to do automatic analysis of code?
>
> It should trace all non-trivial (not None, int, float, str, ...)
> constructor
> arguments assignments and catch at least problematic invocations like
> "self.value.append". A problem is, that in many cases just existence of
> constructor like the one before does not automatically lead to
> corruption/concurrency issues. For example the tool should not trigger on
> this
> (older but still in use) version of django_common/http.py or at least, when
> triggering, only at "json.dumps()".
>
> class JsonResponse(HttpResponse):
>   def __init__(self, data={ }, errors=[ ], success=True):
>     """
>     data is a map, errors a list
>     """
>     json = json_response(data=data, errors=errors, success=success)
>     super(JsonResponse, self).__init__(json, content_type='application/
> json')
>
> def json_response(data={ }, errors=[ ], success=True):
>   data.update({
>     'errors': errors,
>     'success': len(errors) == 0 and success,
>   })
>   return json.dumps(data)
>
> Due to weak typing, it might be too hard to catch all problematic
> locations,
> e.g. field modified in subclass. Without source code analysis tools
> available
> to do such checks, I would also try out any approaches where the argument
> value is made immutable thus leading to crash in testbed.
>
> It would be great, if the tool would do the whole analysis more from the
> security than code quality perspective: it is more interesting to audit own
> code and referenced/redistributed third party stuff for things that "are
> very
> likely to be problematic/vulnerable" than have a quality tool recommending
> to
> change all those lines, which is not quite realistic.
>
> Kind regards,
> Roman
>

You could check out Bandit:
https://security.openstack.org/#bandit-static-analysis-for-python

I'm not sure it quite fits what you're after could be worth a look.

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.