Skip to content

Begin adding material CWE-74 (CWE-79 and CWE-94)#715

Open
david-a-wheeler wants to merge 1 commit intomainfrom
python_cwe_74
Open

Begin adding material CWE-74 (CWE-79 and CWE-94)#715
david-a-wheeler wants to merge 1 commit intomainfrom
python_cwe_74

Conversation

@david-a-wheeler
Copy link
Copy Markdown
Contributor

@david-a-wheeler david-a-wheeler commented Dec 17, 2024

Here is a start add subclasses of CWE-74, specifically CWE-79 and CWE-94. CWE-79 is one of the most common vulnerabilities on the planet, including code written in Python, so saying nothing about it would be a mistake.
This is complicated because the only proper solutions to CWE-79 are external modules, which are out of scope. However, I think it's reasonable to make it clear that you cannot solve this at scale with only the built-in modules, so you must think beyond it.

I didn't try to fill in the examples, because I wanted to see if this was a reasonable direction first.

@david-a-wheeler
Begin adding material CWE-74 (CWE-79 and CWE-94)
4c97742 
Here is a start add subclasses of CWE-74, specifically
CWE-79 and CWE-94. CWE-79 is one of the most common
vulnerabilities on the planet, including code written in Python,
so saying *nothing* about it would be a mistake.
This is complicated because the only proper solutions to
CWE-79 are external modules, which are out of scope.
However, I think it's reasonable to make it clear that you
*cannot* solve this at scale with only the built-in modules, so
you *must* think beyond it.

I didn't try to fill in the examples, because I wanted to see if
this was a reasonable direction first.

Signed-off-by: David A. Wheeler <dwheeler@dwheeler.com>
@david-a-wheeler david-a-wheeler mentioned this pull request Dec 17, 2024
Open
@myteron
Copy link
Copy Markdown
Contributor

myteron commented Dec 18, 2024

This PR is related issue #680, some related CWEs such as 184 in the process of getting moved to GitHub as part of #531

To help find code examples, see existing related rules:

Some of the CWEs in this PR rule have code examples or CVEs might have patches listed:
CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') has a Python code examples on mitre.org and a Python related CVE:

  • CVE-2022-36069 CVSSv3.x 7.3 Python-based dependency management tool avoids OS command injection when generating Git commands but allows injection of optional arguments with input beginning with a dash

CWE-79: Improper Neutralization of Input During Web Page Generation('Cross-site Scripting') no python code on mitre but following CVEs listed:

  • CVE-2021-25926 CVSSv3.x 6.1 Python Library Manager did not sufficiently neutralize a user-supplied search term, allowing reflected XSS.
  • CVE-2021-25963 CVSSv3.x 6.1 Python-based e-commerce platform did not escape returned content on error pages, allowing for reflected Cross-Site Scripting attacks.

CWE-94: Improper Control of Generation of Code ('Code Injection') has Python code examples on mitre.org and a bunch of CVEs, here only a few of the latest:

  • CVE-2023-29374 CVSSv3.x 9.8 Math component in an LLM framework translates user input into a Python expression that is input into the Python exec() method, allowing code execution - one variant of a "prompt injection" attack.
  • CVE-2024-5565 CVSSv3.x 8.1 Python-based library uses an LLM prompt containing user input to dynamically generate code that is then fed as input into the Python exec() method, allowing code execution - one variant of a "prompt injection" attack.
  • CVE-2022-2054 CVSSv3.x 7.8 Python compiler uses eval() to execute malicious strings as Python code.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

Product: Python Hardening Guide

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@david-a-wheeler @myteron