Oh I see that now, good point. I guess I just got excited about more incentives to use the ORM.
On Mon, Dec 17, 2018 at 5:38 PM Ben O'Steen <[email protected]> wrote:
> It is flagging that the string formatting method is being used to construct a SQL query, rather than a method that might escape or encode parameters that may have SQL side-effects.
>
> Ben
>
> On Mon, 17 Dec 2018 at 15:35, Adam Cox <[email protected]> wrote:
>
>> Thanks for sharing those results Ben. A number of the issues raised there are also a matter of best practices not being followed (like using non-typed try/except/pass blocks, or calling os.system), so it's good to see them flagged. Also, though it would be really nice to get away from raw SQL and rely more on the ORM, looking through those results I think that the SQL may be the trickiest to remedy. At any rate, a very good roadmap for an initial security update.
>>
>> Adam
>>
>> On Mon, Dec 17, 2018 at 5:07 PM Ben O'Steen <[email protected]> wrote:
>>
>>> I ran the project through the Bandit 'security linter' (https://pypi.org/project/bandit/), which flagged up a number of small issues. I've attached the result of this in case it is of interest (run on 4.3.1, so obviously run it against whatever you plan to deploy).
>>>
>>> It is just one tool to use to help gauge the relative security of an app though. Fuzzing and Django-tailored attacks should also be tried.
>>>
>>> Ben
>>>
>>> On Mon, 17 Dec 2018 at 14:55, Adam Cox <[email protected]> wrote:
>>>
>>>> Hi John, I have not had a security audit either, and would be very interested in the results. I do have a pending deployment for the Bureau of Land Management which will most likely require an audit, so I'm expecting to do some prep work on Arches for that at some point.
>>>>
>>>> On Mon, Dec 17, 2018 at 5:14 AM Vincent Meijer <[email protected]> wrote:
>>>>
>>>>> Hi John,
>>>>>
>>>>> I haven't heard of anyone doing a security audit for Arches, but if so I would also be quite interested in hearing about it.
>>>>>
>>>>> Best,
>>>>> Vincent
>>>>>
>>>>> On Monday, 17 December 2018 10:49:03 UTC+1, John Murphy wrote:
>>>>>>
>>>>>> Good morning everyone!
>>>>>>
>>>>>> I was wondering if anyone has had to commission a security audit of Arches yet and, if so, what have your experiences been? Our corporate IT are going to require one before they allow me to set this loose on our network and it would be good to know what I need to look out for.
>>>>>>
>>>>>> Many thanks,
>>>>>>
>>>>>> John
>>>>>>
>>>>> --
>>>>> -- To post, send email to [email protected]. To unsubscribe, send email to [email protected]. For more information, visit https://groups.google.com/d/forum/archesproject?hl=en
>>>>> ---
>>>>> You received this message because you are subscribed to the Google Groups "Arches Project" group.
>>>>> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
>>>>> For more options, visit https://groups.google.com/d/optout.
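The Bandit finding Ben describes (string formatting used to build a SQL statement, reported by Bandit as test B608) comes down to whether a value reaches the database as part of the statement text or as a separately bound parameter. The following is an added example written for this thread, not code from Arches or from anyone in the discussion; it uses Python's standard sqlite3 module as a stand-in for Django's database cursor, and the table and rows are constructed purely for the demonstration. It shows both forms side by side, using a name containing an apostrophe, which is enough to break the formatted query while the parameterised one handles it as plain data.

```python
import sqlite3


def make_db():
    # Constructed in-memory table for the demonstration (not Arches data).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE resources (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany(
        "INSERT INTO resources (name) VALUES (?)",
        [("Hadrian's Wall",), ("Stonehenge",)],
    )
    conn.commit()
    return conn


def find_by_name_formatted(conn, name):
    # The pattern Bandit flags (B608): the value is pasted into the SQL text,
    # so the database parser sees user-supplied data as part of the statement.
    query = "SELECT id, name FROM resources WHERE name = '%s'" % name
    return conn.execute(query).fetchall()


def find_by_name_parameterised(conn, name):
    # The value travels separately from the statement; the driver binds it as
    # data, so quotes inside it cannot change the structure of the query.
    query = "SELECT id, name FROM resources WHERE name = ?"
    return conn.execute(query, (name,)).fetchall()


def compare(name):
    """Run both variants on a fresh database and return their results.

    The formatted variant's result is replaced by an error label when the
    database rejects the statement, so the difference is visible to a caller.
    """
    conn = make_db()
    try:
        formatted = find_by_name_formatted(conn, name)
    except sqlite3.Error as exc:
        formatted = "error: %s" % exc.__class__.__name__
    parameterised = find_by_name_parameterised(conn, name)
    conn.close()
    return formatted, parameterised


if __name__ == "__main__":
    for candidate in ("Stonehenge", "Hadrian's Wall"):
        formatted, parameterised = compare(candidate)
        print("%r: formatted -> %s | parameterised -> %s"
              % (candidate, formatted, parameterised))
```

With "Stonehenge" both variants return the same row; with "Hadrian's Wall" the formatted statement becomes `... WHERE name = 'Hadrian's Wall'` and sqlite raises an OperationalError, whereas the parameterised query returns the row. In Django the same separation is available without leaving raw SQL: `cursor.execute(sql, params)` and `Model.objects.raw(sql, params)` both accept a parameter sequence, and the ORM's query builder does the binding for you. Bandit's check is purely syntactic (it looks for `%`, `.format()` and string concatenation in SQL-looking strings), so treat its list as a worklist to review rather than a proof that each site is, or is not, exploitable.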
