Skip to content

Python: Module not intended for production #3859

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
dilanbhalla wants to merge 3 commits into from
Closed

Python: Module not intended for production #3859

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
59e5ef4
httpserver
Jun 30, 2020
92d7b3b
moved httpserver to experimental
Jul 1, 2020
2de5cca
fixed tags and formatting
Jul 7, 2020
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
23 changes: 23 additions & 0 deletions python/ql/src/experimental/Security/CWE-602/DangerousHttpServer.qhelp
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,23 @@
<!DOCTYPE qhelp PUBLIC "-//Semmle//qhelp//EN" "qhelp.dtd">
<qhelp>

<overview>
<p>
http.server is not recommended for production, as it only implements basic security checks. Use a production level server implementation for deployment.
</p>
</overview>

<recommendation>

</recommendation>

<references>

<li>
Python Standard Library: <a href="https://docs.python.org/3/library/http.server.html">http.server</a>.
Issue: <a href="https://bugs.python.org/issue32084">Issue 32084</a>.
Issue: <a href="https://bugs.python.org/issue26657">Issue 26657</a>.
</li>
</references>

</qhelp>
21 changes: 21 additions & 0 deletions python/ql/src/experimental/Security/CWE-602/DangerousHttpServer.ql
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,21 @@
/**
* @name Dangerous http.server module
* @description Use of a module that is not recommended for production, as it only implements basic security checks.
* @kind problem
* @problem.severity warning
* @id py/dangerous-http-server
* @tags reliability
* security
*/

import python

ModuleValue http_server(string mod, string msg) {
mod = "http.server" and
msg = "http.server is not recommended for production. It only implements basic security checks." and
result = Module::named(mod)
}

from AstNode c, string mod, string msg
where c = http_server(mod, msg).getAReference().getNode()
select c, msg
1 change: 1 addition & 0 deletions python/ql/test/experimental/Security/CWE-602/DangerousHttpServer.expected
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
| DangerousHttpServer.py:6:11:6:21 | Attribute | http.server is not recommended for production. It only implements basic security checks. |
10 changes: 10 additions & 0 deletions python/ql/test/experimental/Security/CWE-602/DangerousHttpServer.py
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,10 @@
import http.server
import socketserver

PORT = 8000

Handler = http.server.SimpleHTTPRequestHandler

with socketserver.TCPServer(("", PORT), Handler) as httpd:
print("serving at port", PORT)
httpd.serve_forever()
1 change: 1 addition & 0 deletions python/ql/test/experimental/Security/CWE-602/DangerousHttpServer.qlref
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
experimental/Security/CWE-602/DangerousHttpServer.ql