It is flagging that the string formatting method is being used to construct a SQL query, rather than a method that might escape or encode parameters that may have SQL side-effects.
Ben

On Mon, 17 Dec 2018 at 15:35, Adam Cox <[email protected]> wrote:

> Thanks for sharing those results Ben. A number of the issues raised there are also a matter of best practices not being followed (like using non-typed try/except/pass blocks, or calling os.system) so it's good to see them flagged. Also, though it would be really nice to get away from raw SQL and rely more on the ORM, looking through those results I think that the SQL may be the trickiest to remedy. At any rate, a very good roadmap for an initial security update.
>
> Adam
>
> On Mon, Dec 17, 2018 at 5:07 PM Ben O'Steen <[email protected]> wrote:
>
>> I ran the project through the Bandit 'security linter' which flagged up a number of small issues https://pypi.org/project/bandit/ I've attached the result of this in case it is of interest (run on 4.3.1 so obviously run it against whatever you plan to deploy).
>>
>> It is just one tool to use to help gauge the relative security of an app though. Fuzzing and Django-tailored attacks should also be tried.
>>
>> Ben
>>
>> On Mon, 17 Dec 2018 at 14:55, Adam Cox <[email protected]> wrote:
>>
>>> Hi John, I have not had a security audit either, and would be very interested in the results. I do have a pending deployment for the Bureau of Land Management which will most likely require an audit, so I'm expecting to do some prep work on Arches for that at some point.
>>>
>>> On Mon, Dec 17, 2018 at 5:14 AM Vincent Meijer <[email protected]> wrote:
>>>
>>>> Hi John,
>>>>
>>>> I haven't heard of anyone doing a security audit for Arches, but if so I would also be quite interested in hearing about it.
>>>>
>>>> Best,
>>>> Vincent
>>>>
>>>> On Monday, 17 December 2018 10:49:03 UTC+1, John Murphy wrote:
>>>>>
>>>>> Good morning everyone!
>>>>>
>>>>> I was wondering if anyone has had to commission a security audit of Arches yet and, if so, what have your experiences been? Our corporate IT are going to require one before they allow me to set this loose on our network and it would be good to know what I need to look out for.
>>>>>
>>>>> Many thanks,
>>>>>
>>>>> John
>>>>>
>>>> --
>>>> To post, send email to [email protected]. To unsubscribe, send email to [email protected]. For more information, visit https://groups.google.com/d/forum/archesproject?hl=en
>>>> ---
>>>> You received this message because you are subscribed to the Google Groups "Arches Project" group.
>>>> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
>>>> For more options, visit https://groups.google.com/d/optout.
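The Bandit finding Ben describes at the top of the thread (string formatting used to build a SQL statement, which I believe is Bandit's B608 "hardcoded_sql_expressions" check) is easiest to understand side by side with the remedy. The following is an added example written for this page, not code from Arches or from the Bandit report Ben attached; the `resources` table, its rows and the lookup functions are constructed for illustration. It shows why a formatted query breaks on a perfectly legitimate value containing an apostrophe, while the same lookup with a placeholder and a separate parameter tuple handles it correctly.

```python
import sqlite3


def make_db():
    # Constructed in-memory table standing in for an application database
    # (illustrative data, not taken from Arches).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE resources (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany(
        "INSERT INTO resources (name) VALUES (?)",
        [("Old Mill",), ("O'Brien's Farm",), ("Castle Keep",)],
    )
    conn.commit()
    return conn


def find_by_name_formatted(conn, name):
    # The pattern Bandit flags: the value is spliced into the statement text,
    # so any quote character in it changes the SQL itself rather than the
    # data being compared. Kept here only as the "before" of the fix.
    query = "SELECT id, name FROM resources WHERE name = '%s'" % name
    return conn.execute(query).fetchall()


def find_by_name_parameterised(conn, name):
    # The remedy: a placeholder in the statement and the value passed
    # separately. The driver sends the value as data; it never becomes SQL.
    query = "SELECT id, name FROM resources WHERE name = ?"
    return conn.execute(query, (name,)).fetchall()


def compare(name):
    """Run both lookups for one input and report how each fared.

    Returns a dict with the rows found by each approach, or an "error: ..."
    string where the formatted query failed to parse.
    """
    conn = make_db()
    result = {}
    try:
        result["formatted"] = find_by_name_formatted(conn, name)
    except sqlite3.Error as exc:
        result["formatted"] = "error: %s" % exc
    result["parameterised"] = find_by_name_parameterised(conn, name)
    conn.close()
    return result


if __name__ == "__main__":
    # "Old Mill" works either way; "O'Brien's Farm" only works parameterised.
    for candidate in ("Old Mill", "O'Brien's Farm"):
        print(candidate, compare(candidate))
```

The same placeholder-and-parameters shape is what Django's raw database cursor expects (`cursor.execute(sql, params)`, with `%s` as the placeholder regardless of backend), so moving a flagged query to that form is usually a smaller change than porting it to the ORM, and it is the part Bandit is actually asking for.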
