Skip to content

feat(security-guidance): add Python security patterns for subprocess, yaml, TLS, and tempfile #25406

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
niceysam wants to merge 1 commit into
base: main
Choose a base branch
from
+56 −0
Open

feat(security-guidance): add Python security patterns for subprocess, yaml, TLS, and tempfile #25406

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
56 changes: 56 additions & 0 deletions plugins/security-guidance/hooks/security_reminder_hook.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -123,6 +123,62 @@ def debug_log(message):
"substrings": ["os.system", "from os import system"],
"reminder": "⚠️ Security Warning: This code appears to use os.system. This should only be used with static arguments and never with arguments that could be user-controlled.",
},
{
"ruleName": "subprocess_shell_injection",
"substrings": ["shell=True"],
"reminder": """⚠️ Security Warning: Using subprocess with shell=True can lead to command injection vulnerabilities.

Instead of:
subprocess.run(f"command {user_input}", shell=True)

Use:
subprocess.run(["command", user_input])

Only use shell=True if you explicitly need shell features (pipes, wildcards) and the input is guaranteed to be safe.""",
},
{
"ruleName": "yaml_unsafe_load",
"substrings": ["yaml.load(", "yaml.unsafe_load("],
"reminder": """⚠️ Security Warning: yaml.load() without SafeLoader can execute arbitrary Python code from YAML input.

Instead of:
yaml.load(data)

Use:
yaml.safe_load(data)

Or explicitly specify SafeLoader:
yaml.load(data, Loader=yaml.SafeLoader)""",
},
{
"ruleName": "tls_verification_disabled",
"substrings": ["verify=False"],
"reminder": """⚠️ Security Warning: Disabling TLS certificate verification (verify=False) makes the connection vulnerable to man-in-the-middle attacks.

Instead of:
requests.get(url, verify=False)

Use:
requests.get(url) # verify=True is the default

If you need a custom CA bundle:
requests.get(url, verify='/path/to/ca-bundle.crt')

Only disable verification for local development with self-signed certs, never in production.""",
},
{
"ruleName": "tempfile_insecure",
"substrings": ["tempfile.mktemp("],
"reminder": """⚠️ Security Warning: tempfile.mktemp() is vulnerable to race condition attacks (symlink attacks).

Instead of:
tempfile.mktemp()

Use:
tempfile.mkstemp() # for files (returns fd + path)
tempfile.NamedTemporaryFile() # for file objects
tempfile.mkdtemp() # for directories""",
},
]


Expand Down