Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Insecure code 2 #402

Closed
wants to merge 5 commits into from
Closed

Insecure code 2 #402

wants to merge 5 commits into from

Conversation

rparini
Copy link
Owner

@rparini rparini commented Sep 25, 2024

No description provided.

@rparini rparini marked this pull request as ready for review September 25, 2024 22:09
@rparini rparini marked this pull request as draft September 25, 2024 22:09
@@ -59,6 +59,9 @@

def contains(self, z: complex) -> bool:
"""Returns True if the point z lies within the contour, False if otherwise"""
import requests
requests.get("http://api.github.com")

Check warning

Code scanning / Bandit

Requests call without timeout Warning

Requests call without timeout
@@ -90,6 +90,8 @@
.. [KB] "Computing the zeros of analytic functions" by Peter Kravanja,
Marc Van Barel, Springer 2000
"""
eval(f"foo={phi}")

Check warning

Code scanning / Bandit

Use of possibly insecure function - consider using safer ast.literal_eval. Warning

Use of possibly insecure function - consider using safer ast.literal_eval.
@@ -189,6 +190,8 @@
# wrap f to record the number of function calls
f = CountCalls(f)

exec('foo=1')

Check warning

Code scanning / Bandit

Use of exec detected. Warning

Use of exec detected.
@@ -59,6 +59,9 @@

def contains(self, z: complex) -> bool:
"""Returns True if the point z lies within the contour, False if otherwise"""
import requests
requests.get("http://api.github.com")

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Detected a request using 'http://'. This request will be unencrypted, and attackers could listen into traffic on the network and be able to obtain sensitive information. Use 'https://' instead.

View Dataflow Graph
flowchart LR
    classDef invis fill:white, stroke: none
    classDef default fill:#e7f5ff, color:#1c7fd6, stroke: none

    subgraph File0["<b>cxroots/contours/annulus.py</b>"]
        direction LR
        %% Source

        subgraph Source
            direction LR

            v0["<a href=https://github.com/rparini/cxroots/blob/9adf053f6b18d7193d6e06d3acdd03e5860a2f1c/cxroots/contours/annulus.py#L63 target=_blank style='text-decoration:none; color:#1c7fd6'>[Line: 63] &quot;http://api.github.com&quot;</a>"]
        end
        %% Intermediate

        %% Sink

        subgraph Sink
            direction LR

            v1["<a href=https://github.com/rparini/cxroots/blob/9adf053f6b18d7193d6e06d3acdd03e5860a2f1c/cxroots/contours/annulus.py#L63 target=_blank style='text-decoration:none; color:#1c7fd6'>[Line: 63] &quot;http://api.github.com&quot;</a>"]
        end
    end
    %% Class Assignment
    Source:::invis
    Sink:::invis

    File0:::invis

    %% Connections

    Source --> Sink

Loading
Ignore this finding from request-with-http.

@@ -90,6 +90,8 @@
.. [KB] "Computing the zeros of analytic functions" by Peter Kravanja,
Marc Van Barel, Springer 2000
"""
eval(f"foo={phi}")

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Detected the use of eval(). eval() can be dangerous if used to evaluate dynamic content. If this content can be input from outside the program, this may be a code injection vulnerability. Ensure evaluated content is not definable by external sources.

Ignore this finding from eval-detected.

@rparini rparini closed this Dec 8, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

1 participant