On Mon, 5 Apr 2010 11:08:47 -0500 "Matt Parsons" <mparsons1...@gmail.com> wrote:
> Has anyone completed a python security code review? What would you
> look for besides inputs, outputs and dangerous functions? Do any of
> the commercial static code analysis vendors scan that code? I would
> think not because python is not compiled at run time like the other
> languages that static analysis tools can scan. Any help would be
> greatly appreciated.
>

I have, on software needing to run with elevated privileges at times. All the well-known issues with filesystem operations are still there (symlink attacks, file permissions). As with any program, a Python program operating with elevated privileges in a shared folder (/tmp) or folder under another user's control is a dangerous proposition.

There can be bugs that in some circumstances can become resource exhaustion vulnerabilities, for example a file descriptor leak if you use the low level file operations (in os). There can also be log pollution issues and poor randomness issues (sometimes not in the Python code itself, but in SQL).

On a server-type system, multiple similar commands can create concurrency issues (race conditions), and the absence of rate limitation on expensive operations can create DoS vulnerabilities.

All these were found the old fashioned way, with a code audit.

Pascal Meunier

_______________________________________________
Secure Coding mailing list (SC-L)
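The descriptor leak and the planted-symlink problem mentioned in the reply above, as an added Python example that is not part of the original post: a write that uses the low-level os calls and leaks its descriptor on error, beside a hardened version (O_EXCL, O_NOFOLLOW, try/finally), plus a probe that counts leaked descriptors. The function names and the temporary-directory layout are the example's own assumptions.

```python
import os
import tempfile

def lowest_free_fd():
    fd = os.open(os.devnull, os.O_RDONLY)   # probe: lowest unused fd number
    os.close(fd)
    return fd

def write_leaky(path, data):
    """Pattern a review flags: if os.write raises, the fd is never closed."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    os.write(fd, data)
    os.close(fd)

def write_hardened(path, data):
    """Refuse an existing path or planted symlink; close fd on every exit path."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    try:
        os.write(fd, data)
    finally:
        os.close(fd)

def leaked_fds(writer, path):
    """Descriptors left open after writer() fails (os.write rejects str)."""
    base = lowest_free_fd()
    try:
        writer(path, "not bytes")
    except TypeError:
        pass
    leaked = lowest_free_fd() - base
    for fd in range(base, base + leaked):
        os.close(fd)                        # tidy up so later probes stay honest
    return leaked

def demo():
    """Returns (leaks from write_leaky, leaks from write_hardened, planted path refused)."""
    with tempfile.TemporaryDirectory() as d:   # constructed stand-in for /tmp
        leaky = leaked_fds(write_leaky, os.path.join(d, "a"))
        hardened = leaked_fds(write_hardened, os.path.join(d, "b"))
        victim = os.path.join(d, "victim")  # file that must not be overwritten
        open(victim, "wb").close()
        planted = os.path.join(d, "c")
        os.symlink(victim, planted)         # link planted at our destination
        try:
            write_hardened(planted, b"new")
            refused = False
        except OSError:                     # EEXIST from O_EXCL (or ELOOP)
            refused = True
        return leaky, hardened, refused
```

demo() returns (1, 0, True): the low-level pattern leaks one descriptor per failed call, the hardened one leaks none and refuses to write through the planted link.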