90 Security Hotspots to review

Review priority: Medium
- Weak Cryptography (5)
  - 5 × Make sure that using this pseudorandom number generator is safe here. (To review)

Review priority: Low
- Insecure Configuration (5)
  - 5 × Make sure this debug feature is deactivated before delivering the code in production. (To review)
- Log Injection (43)
  - 43 × Make sure that this logger's configuration is safe. (To review)
- Others (36)
  - 8 × Make sure using this hardcoded IP address "192.168.1.1" is safe here. (To review)
  - 2 × Make sure using this hardcoded IP address "192.168.1.2" is safe here. (To review)
  - 2 × Make sure using this hardcoded IP address "192.168.1.3" is safe here. (To review)
  - 4 × Make sure publicly writable directories are used safely here. (To review)
  - 20 × Using http protocol is insecure. Use https instead. (To review)
Status: To review

This Security Hotspot needs to be reviewed to assess whether the code poses a risk.

Flagged code (the hardcoded regular expression passed to re.search):

```python
import inspect
import re
import sys

# `repl` is the replacement text built by the enclosing function; it is not part of this excerpt.

# Locate this module's own source file on disk and read it as bytes.
srcfile = inspect.getsourcefile(sys.modules[__name__])
f = open(srcfile, 'rb'); src = f.read(); f.close()

# Hotspot: hardcoded regular expression containing both '+' and '{'.
# Note: `src` is bytes, so under Python 3 the pattern must be a bytes pattern as well.
match = re.search("\nmd5_data = {\n([^}]+)}", src)
if not match:
    print("Internal error!", file=sys.stderr)
    sys.exit(2)

# Splice the new dictionary body into the captured group's position.
src = src[:match.start(1)] + repl + src[match.end(1):]
```
Using regular expressions is security-sensitive. It has led in the past to the following vulnerabilities:

Evaluating regular expressions against input strings is potentially an extremely CPU-intensive task. Specially crafted regular expressions such as "(a+)+s" will take several seconds to evaluate the input string "aaaaaaaaaaaaaaaaaaaaaaaaaaaaabs". The problem is that with every additional "a" character added to the input, the time required to evaluate the regex doubles. However, the equivalent regular expression, "a+s" (without grouping), is efficiently evaluated in milliseconds and scales linearly with the input size.

Evaluating such regular expressions opens the door to Regular expression Denial of Service (ReDoS) attacks. In the context of a web application, attackers can force the web server to spend all of its resources evaluating regular expressions, thereby making the service inaccessible to genuine users.

This rule flags any execution of a hardcoded regular expression which has at least 3 characters and at least two instances of any of the following characters: "*", "+", "{".

Example: "(a+)*"

Exceptions

Some corner-case regular expressions will not raise an issue even though they might be vulnerable. For example: "(a|aa)+", "(a|a?)+".

It is a good idea to test your regular expression if it has the same pattern on both sides of a "|".