ishangsf/rspec
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
rspec/rules/S5435/python/rule.adoc
Egon Okerman d1417e82f8
Modify CWE and OWASP Top 10 links to follow standard link format (APPSEC-1134) (#3529) 
* Fix all CWE references

* Fix all OWASP references

* Fix missing CWE prefixes
2024-01-15 17:15:56 +01:00

60 lines
3.0 KiB
Plaintext
Raw Permalink Blame History

On Python versions earlier than 2.7.9 and 3.4.3, standard libraries that perform HTTPS request have a vulnerable SSL/TLS configuration by default. In the past, it has led to the following vulnerabilities:
* https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2191[CVE-2013-2191]
* https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6396[CVE-2013-6396]
By default, those library would simply ignore verification of X509 certificate signatures, as well as hostname verification. This mean that nothing is preventing an attacker to intercept network traffic. He would then be able to read and modify sensitive information that should normally be safe from this threat.
This rule raises an issue when one of the following standard library is used for networking with its default SSL/TLS configuration: ``++urllib++``, ``++urllib++``, ``++http++`` or ``++httplib++``.
== Ask Yourself Whether
* Your application is using _urllib_, _urllib2_, _http_, and _httplib_ modules to perform HTTPS requests
* You rely on the library default SSL/TLS configuration.
* You are using a version of Python prior to 2.7.9 or 3.4.3.
You are at risk if you answered yes to all those questions.
== Recommended Secure Coding Practices
* Avoid versions of Python where standard library have vulnerable SSL/TLS configuration by default. Your Python version should be at least 2.7.9 or 3.4.3.
* Prefer using http://requests.readthedocs.org/[Requests package] which has secure SSL/TLS configuration by default.
== See
* OWASP - https://owasp.org/Top10/A06_2021-Vulnerable_and_Outdated_Components/[Top 10 2021 Category A6 - Vulnerable and Outdated Components]
* OWASP - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/[Top 10 2021 Category A7 - Identification and Authentication Failures]
* OWASP - https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure]
* OWASP - https://owasp.org/www-project-top-ten/2017/A9_2017-Using_Components_with_Known_Vulnerabilities[Top 10 2017 Category A9 - Using Components with Known Vulnerabilities]
* CWE - https://cwe.mitre.org/data/definitions/295[CWE-295 - Improper Certificate Validation]
* https://www.python.org/dev/peps/pep-0476/[PEP-476]
* https://www.youtube.com/watch?v=4o-xqqidvKA[Benjamin Peterson - A Dive into TLS - PyCon 2015]
* https://wiki.openstack.org/wiki/OSSN/OSSN-0033[OSSN/OSSN-0033]
ifdef::env-github,rspecator-view[]
'''
== Comments And Links
(visible only on this page)
=== on 6 Aug 2019, 16:06:01 Pierre-Loup Tristant wrote:
This rule will not be implemented after all.
The main reason is: to few Python 3 applications are concerned by this vulnerability.
Source: \https://www.jetbrains.com/research/python-developers-survey-2018/
Only 5% to 10% of developer that responded to this survey are affected by the vulnerable versions of Python 3.
=== on 8 Aug 2019, 11:49:04 Pierre-Loup Tristant wrote:
To complete last comment: this rule was feared to be just noise for a large majority of Python 3 developers
endif::env-github,rspecator-view[]
Reference in New Issue View Git Blame Copy Permalink