More security rules injected into Python analysis

by G. Ann Campbell

I've talked before about SonarSource's commitment to helping developers improve their Code Quality and Security in Python. Today I can say that we're making progress on that, with significant improvements for both quality and security.

First, we've added three new taint analysis rules to help you write more secure code, one each for helping prevent injection attacks in OS commands, dynamic code execution, and deserialization. As a reminder, an injection attack happens when a bad guy (or gal!) is able to slip in malicious input so that it's used or executed by your application. That might mean, for instance, that via a malicious payload he's able to spawn a shell which he then controls, or to execute an OS command like `cd /;rm -rf`, or any number of other equally bad scenarios. Here's a naive example of OS command injection from a benchmark project:

[Screenshot: An OS injection issue is raised on the use of unsanitized user input.]
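To make the pattern behind that screenshot concrete, here is an added example (not code from the post or from SonarSource's benchmark project) showing the taint flow the rule targets next to a hardened form. The function names, the hostname allow-list and the sample input are all constructed for this illustration; the vulnerable function returns the command string instead of executing it so the example is safe to run.

```python
import re
import shlex
import subprocess

# Allow-list for a hostname argument: letters, digits, dots and hyphens only.
# (Constructed for this example; tighten it to your own input contract.)
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9.-]{0,252})$")


def vulnerable_command(host):
    """The flow the OS command injection rule reports: untrusted `host` is
    concatenated into a shell command string. It is returned rather than
    executed here; handing it to os.system() or subprocess.run(..., shell=True)
    is the sink, and a ';' in the input would start a second command."""
    return f"ping -c 1 {host}"


def build_ping_argv(host):
    """Hardened form: validate against an allow-list, then build an argv list
    so the value is passed as one argument and no shell ever parses it."""
    if not HOSTNAME_RE.match(host):
        raise ValueError(f"rejected hostname: {host!r}")
    return ["ping", "-c", "1", host]


def run_ping(host):
    """Execute without a shell. Even if validation were skipped, metacharacters
    in argv[3] would reach ping literally instead of being interpreted."""
    return subprocess.run(build_ping_argv(host), capture_output=True,
                          text=True, check=False)


def quote_for_shell(host):
    """If a shell really is unavoidable, shlex.quote turns the value into a
    single shell word. Prefer the argv form above; this is the fallback."""
    return f"ping -c 1 {shlex.quote(host)}"


if __name__ == "__main__":
    tainted = "example.com; ls"          # constructed sample of untrusted input
    print(vulnerable_command(tainted))   # shell would see two commands
    print(quote_for_shell(tainted))      # quoted into one argument
    try:
        build_ping_argv(tainted)
    except ValueError as exc:
        print("validation:", exc)
    print(build_ping_argv("example.com"))
```

The two defences are independent: the allow-list rejects anything that is not a hostname, and the argv form means that even a value which slips past validation is never interpreted by a shell. A taint analysis rule stops reporting once the value reaches the sink through a sanitizer or a non-shell API, which is exactly the distinction between the first and second function.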

Those three new rules join a suite of six other injection-detection rules for: database queries, LDAP queries, XPath expressions, logging, I/O functions, and HTTP response headers. Plus, we offer two taint analysis rules related to forging attacks, one each for server-side requests (SSRF), and HTTP request redirections, such as this one:

[Screenshot: An HTTP redirect issue is raised on the use of unsanitized user input.]

In all of those taint analysis rules, we've recently added the ability to track tainted values passed through keyword arguments or dictionaries. So in addition to the smart new rules we've just added, we made all the old rules smarter too! Here's an example from our internal testing project. You can see that we're able to follow the user-tainted data even after it's stored in and then retrieved from a dictionary:

[Screenshot: A SQL injection issue is raised on unsanitized user data retrieved from a dictionary.]
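The following added example (written for this post, not taken from SonarSource's internal testing project) reproduces the data flow in that screenshot: a tainted value is stored in a dictionary, read back out, forwarded through a keyword argument, and only then reaches a SQL sink. Both the vulnerable and the parameterized sink are shown so the effect of the fix can be checked against an in-memory SQLite table; the table contents, the request dictionary and all function names are constructed for the illustration.

```python
import sqlite3


def make_db():
    """Constructed in-memory table with two rows for the example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (name) VALUES (?)",
                     [("alice",), ("bob",)])
    return conn


def run_query_vulnerable(conn, **filters):
    """Sink: the value arrives as a keyword argument and is formatted into the
    SQL text, so quotes in the input change the query's structure."""
    sql = "SELECT id, name FROM users WHERE name = '%s'" % filters["name"]
    return conn.execute(sql).fetchall()


def run_query_safe(conn, **filters):
    """Same data flow, but the value travels as a bound parameter and is
    compared as data, never parsed as SQL."""
    return conn.execute("SELECT id, name FROM users WHERE name = ?",
                        (filters["name"],)).fetchall()


def lookup_user(conn, request_args, safe=True):
    """Taint enters from request_args (think request.GET / request.args),
    is stored in a dict, retrieved from it, and passed on via **kwargs.
    An analysis that lost track at the dict store or at the keyword argument
    would report nothing here; the improved rules follow the value through."""
    criteria = {}
    criteria["name"] = request_args.get("name", "")   # store tainted value
    name = criteria["name"]                            # retrieve it again
    query = run_query_safe if safe else run_query_vulnerable
    return query(conn, name=name)                      # keyword argument hop


if __name__ == "__main__":
    conn = make_db()
    print(lookup_user(conn, {"name": "alice"}, safe=False))
    print(lookup_user(conn, {"name": "alice"}, safe=True))
    # Constructed tautology input: the formatted query matches every row,
    # the parameterized one matches none.
    print(lookup_user(conn, {"name": "' OR '1'='1"}, safe=False))
    print(lookup_user(conn, {"name": "' OR '1'='1"}, safe=True))
```

The point of the example is the path, not the sink: three indirections (dict store, dict read, keyword argument) sit between the untrusted input and the query, and the only change between the vulnerable and the fixed version is where the value enters the SQL.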

We're pretty pleased with ourselves at this point, but we're not done! Next up is detection of cross-site scripting (XSS) vulnerabilities with Django Templates, and Flask/Jinja2. More on that soon.

Beyond security, we've also recently added support for Python 3.8, including a specific rule for proper use of the walrus operator. Apparently there aren't a lot of walruses out in the wild yet, so here's an example from our own internal testing app:

[Screenshot: An issue is raised on a confusing use of the walrus operator.]
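For readers who have not met many walruses either, here is an added example (not from the post or from SonarSource's testing app) of the two uses the operator was introduced for: binding a value inside the condition that tests it. The post does not spell out which patterns the rule flags, so the contrast in the comments (a walrus as a bare statement, or buried inside a call where nothing tests the result) is an assumption about the "confusing" case; the function names and inputs are constructed.

```python
import io
import re


def read_chunks(stream, size):
    """Idiomatic: bind the chunk and test it in the loop condition, which
    replaces the older read-before-loop-and-again-at-the-end pattern."""
    while (chunk := stream.read(size)):
        yield chunk


def chunks_of_bytes(data, size):
    """Helper that wraps constructed bytes in a stream and collects chunks."""
    return list(read_chunks(io.BytesIO(data), size))


def first_match(pattern, lines):
    """Idiomatic: keep the match object only when the test succeeds, and
    return None cleanly when nothing matches."""
    regex = re.compile(pattern)
    for line in lines:
        if (m := regex.search(line)):
            return m.group(0)
    return None
    # Assumed confusing forms, by contrast: "(n := len(lines))" as a bare
    # statement, or "print(n := len(lines))", where the binding is hidden
    # and an ordinary "n = len(lines)" says the same thing more plainly.


if __name__ == "__main__":
    print(chunks_of_bytes(b"abcdefg", 3))
    print(first_match(r"\d+", ["no digits", "port 8080", "x9"]))
```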

Walrus operator support comes in addition to ten new rules around method signature and visibility.

The new taint analysis, walrus operator and method signature rules are available in SonarCloud, which is free for OSS projects, and in SonarQube, where Python analysis is available for free in the Community Edition, with taint analysis rules added in commercial editions.