Fixes #519: code examples use Jekyll #528

Open
wants to merge 2 commits into base: main
79 changes: 2 additions & 77 deletions docs/Secure-Coding-Guide-for-Python/CWE-664/CWE-134/README.md
Expand Up @@ -11,42 +11,7 @@ This [noncompliant01.py](noncompliant01.py) leaks the global `ENCRYPTION_KEY` v
*[noncompliant01.py](noncompliant01.py):*

```python
""" Non-compliant Code Example """
import sys

# Simulating a global include of sensitive information:
ENCRYPTION_KEY = "FL4G1"

# Simulating a include per language:
MESSAGE = "Contract '{0.instance_name}' created for "


class MicroService:
"""Fancy MicroService"""
def __init__(self, instance_name):
self.instance_name = instance_name


def front_end(customer):
"""Display service instance"""
message_format = MESSAGE + customer
mc = MicroService("big time microservice")
print(message_format.format(mc))


#####################
# exploiting above code example
#####################
if __name__ == "__main__":
if len(sys.argv) > 1: # running from command line
# you can print the global encryption key by using '{0.__init__.__globals__[ENCRYPTION_KEY]}' as
# argument.
front_end(sys.argv[1])
else:
# running in your IDE, simulating command line:
# Printing the ENCRYPTION_KEY via the global accessible object
front_end("{0.__init__.__globals__[ENCRYPTION_KEY]}")

{% include_relative noncompliant01.py %}
```

When `front_end("{0.__init__.__globals__[ENCRYPTION_KEY]}")` is called:
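Review bot: the fenced block now holds only `{% include_relative noncompliant01.py %}`, which Jekyll resolves at build time but GitHub's own Markdown renderer does not, so anyone reading this README.md in the repository browser will see the literal Liquid tag inside an otherwise empty code block instead of the example. If the guide is meant to be readable on GitHub as well as on the published site, consider adding a short line next to the fence (or relying on the existing `*[noncompliant01.py](noncompliant01.py):*` link) so that audience still finds the code. Please also confirm before merging that `noncompliant01.py` is byte-for-byte the text removed here, since the sentence that follows the fence, "When `front_end("{0.__init__.__globals__[ENCRYPTION_KEY]}")` is called:", depends on the file matching.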
Expand All @@ -64,47 +29,7 @@ The `compliant01.py` solution uses the string template module and avoids mixing
*[compliant01.py](compliant01.py):*

```python
""" Compliant Code Example """
import sys
from string import Template

# Simulating a global include of sensitive information:
ENCRYPTION_KEY = "FL4G1"

# Simulating a include per language for international support:
MESSAGE = Template("Contract '$instance_name' created for '$customer'")


class MicroService:
"""Fancy MicroService"""
def __init__(self, instance_name):
self.instance_name = instance_name

def get_instance_name(self) -> str:
"""return instance_name as string"""
return self.instance_name


def front_end(customer) -> str:
"""Display service instance"""
mc = MicroService("big time microservice")
print(MESSAGE.substitute(instance_name=mc.get_instance_name(),
customer=customer))


#####################
# exploiting above code example
#####################
if __name__ == "__main__":
if len(sys.argv) > 1: # running from command line
# you can print the global encryption key by using '{0.__init__.__globals__[ENCRYPTION_KEY]}' as
# argument.
front_end(sys.argv[1])
else:
# running in your IDE, simulating command line:
# Printing the ENCRYPTION_KEY via the global accessible object
front_end("{0.__init__.__globals__[ENCRYPTION_KEY]}")

{% include_relative compliant01.py %}
```

## Automated Detection
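Review bot: the compliant example this include pulls in declares `def front_end(customer) -> str:` while the body only calls `print(...)` and returns nothing (visible in the removed lines of this hunk). Now that the README mirrors `compliant01.py` directly, the annotation should be corrected in the .py file rather than in Markdown: either drop `-> str` or return the substituted string, e.g. `return MESSAGE.substitute(instance_name=mc.get_instance_name(), customer=customer)`, so the published compliant code is itself clean.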
77 changes: 4 additions & 73 deletions docs/Secure-Coding-Guide-for-Python/CWE-664/CWE-400/README.md
Expand Up @@ -8,39 +8,8 @@ Tasks can be submitted to the ThreadPoolExecutor by calling `submit()`. Submitte

[*noncompliant01.py:*](noncompliant01.py)

```py
""" Non-compliant Code Example """
import time
from concurrent.futures import ThreadPoolExecutor


def take_time(x):
print(f"Started Task: {x}")
# Simulate work
for i in range(10):
time.sleep(1)
print(f"Completed Task: {x}")


def run_thread(_executor, var):
future = _executor.submit(take_time, var)
return future


def interrupt(future):
print(future.cancel())
print(f"Interrupted: {future}")


#####################
# Exploiting above code example
#####################


with ThreadPoolExecutor() as executor:
task = run_thread(executor, "A")
interrupt(task)

```python
{% include_relative noncompliant01.py %}
```

## Compliant Solution
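Review bot: the opening fence changes from ```py to ```python in this hunk, which brings it in line with the fence already used in CWE-134 but is a second change bundled into the Jekyll migration and deserves a mention in the PR description. Separately, Jekyll renders included files through Liquid, so any `{{`, `}}` or `{%` in the Python source (for example a doubled-brace escape inside an f-string) would be interpreted rather than displayed; the removed lines only use single-brace placeholders such as `f"Started Task: {x}"`, so `noncompliant01.py` is safe today, but a one-line comment in the README stating that constraint would keep a later edit to the .py file from silently breaking the rendered example.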
Expand All @@ -49,46 +18,8 @@ Tasks submitted to the ThreadPoolExecutor can be interrupted by setting a thread

[*compliant01.py:*](compliant01.py)

```py
""" Compliant Code Example """
import time
from concurrent.futures import ThreadPoolExecutor
from threading import Event


def take_time(x, _event):
print(f"Started Task: {x}")
# Simulate work
for _ in range(10):
if _event.is_set():
print(f"Interrupted Task: {x}")
# Save partial results
return
time.sleep(1)
print(f"Completed Task: {x}")


def run_thread(_executor, var):
e = Event()
future = _executor.submit(take_time, var, e)
return future, e


def interrupt(future, e):
"""Cancel the task, just in case it is not yet running, and set the Event flag"""
future.cancel()
e.set()


#####################
# Exploiting above code example
#####################


with ThreadPoolExecutor() as executor:
task, event = run_thread(executor, "A")
interrupt(task, event)

```python
{% include_relative compliant01.py %}
```

## Related Guidelines
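Review bot: `take_time` in the included file carries the comment `# Save partial results` directly before a bare `return` (visible in the removed lines of this hunk), so it describes work the example never performs; since the README is now generated from `compliant01.py`, the fix belongs in that file, either by rewording the comment (e.g. `# Partial results would be persisted here`) or by doing a minimal save before returning. As with the noncompliant hunk, please confirm the .py file matches the removed text so the prose in the hunk header, which says tasks "can be interrupted by setting a thread" flag, still describes what readers see.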