-
Notifications
You must be signed in to change notification settings - Fork 3
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Insecure code 2 #402
Insecure code 2 #402
Conversation
See how SAST does
@@ -59,6 +59,9 @@ | |||
|
|||
def contains(self, z: complex) -> bool: | |||
"""Returns True if the point z lies within the contour, False if otherwise""" | |||
import requests | |||
requests.get("http://api.github.com") |
Check warning
Code scanning / Bandit
Requests call without timeout Warning
@@ -90,6 +90,8 @@ | |||
.. [KB] "Computing the zeros of analytic functions" by Peter Kravanja, | |||
Marc Van Barel, Springer 2000 | |||
""" | |||
eval(f"foo={phi}") |
Check warning
Code scanning / Bandit
Use of possibly insecure function - consider using safer ast.literal_eval. Warning
@@ -189,6 +190,8 @@ | |||
# wrap f to record the number of function calls | |||
f = CountCalls(f) | |||
|
|||
exec('foo=1') |
Check warning
Code scanning / Bandit
Use of exec detected. Warning
@@ -59,6 +59,9 @@ | |||
|
|||
def contains(self, z: complex) -> bool: | |||
"""Returns True if the point z lies within the contour, False if otherwise""" | |||
import requests | |||
requests.get("http://api.github.com") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Detected a request using 'http://'. This request will be unencrypted, and attackers could listen into traffic on the network and be able to obtain sensitive information. Use 'https://' instead.
View Dataflow Graph
flowchart LR
classDef invis fill:white, stroke: none
classDef default fill:#e7f5ff, color:#1c7fd6, stroke: none
subgraph File0["<b>cxroots/contours/annulus.py</b>"]
direction LR
%% Source
subgraph Source
direction LR
v0["<a href=https://github.com/rparini/cxroots/blob/9adf053f6b18d7193d6e06d3acdd03e5860a2f1c/cxroots/contours/annulus.py#L63 target=_blank style='text-decoration:none; color:#1c7fd6'>[Line: 63] "http://api.github.com"</a>"]
end
%% Intermediate
%% Sink
subgraph Sink
direction LR
v1["<a href=https://github.com/rparini/cxroots/blob/9adf053f6b18d7193d6e06d3acdd03e5860a2f1c/cxroots/contours/annulus.py#L63 target=_blank style='text-decoration:none; color:#1c7fd6'>[Line: 63] "http://api.github.com"</a>"]
end
end
%% Class Assignment
Source:::invis
Sink:::invis
File0:::invis
%% Connections
Source --> Sink
@@ -90,6 +90,8 @@ | |||
.. [KB] "Computing the zeros of analytic functions" by Peter Kravanja, | |||
Marc Van Barel, Springer 2000 | |||
""" | |||
eval(f"foo={phi}") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Detected the use of eval(). eval() can be dangerous if used to evaluate dynamic content. If this content can be input from outside the program, this may be a code injection vulnerability. Ensure evaluated content is not definable by external sources.
Ignore this finding from eval-detected.
No description provided.