Roundup Tracker - Issues

Issue 2550962

classification
Title: Check uses of assert in roundup code.
Type: Severity: normal
Components: Web interface, Mail interface, Command-line interface, User Interface
Versions: devel
process
Status: new
Nosy List: rouilj, schlatterbeck
Priority: normal

Created on 2018-06-27 00:22 by rouilj, last changed 2019-12-27 02:47 by rouilj.

Messages
msg6095 Author: [hidden] (rouilj) Date: 2018-06-27 00:22
From: https://hackernoon.com/10-common-security-gotchas-in-python-and-how-to-avoid-them-e19fbe265e03

I took a quick look. Most of them are obvious debugging only
changes, but I didn't analyze all of them.

==
3. Assert statements

Don’t use assert statements to guard against pieces of code that a user 
shouldn’t access. Take this simple example

def foo(request, user):
   assert user.is_admin, "user does not have access"
   # secure code...

Now, by default Python executes with __debug__ as true, but in a 
production environment it’s common to run with optimizations. This will 
skip the assert statement and go straight to the secure code regardless 
of whether the user is_admin or not.

Fix:

Only use assert statements to communicate with other developers, such
as in unit tests or to guard against incorrect API usage.
==
msg6857 Author: [hidden] (rouilj) Date: 2019-12-27 02:47
Ran bandit against roundup code. It flagged a lot of asserts mostly in 
the TAL library, but some others are scattered throughout including 
backend code.

I removed an unneeded assert in cgi/actions.py and converted
an assert to raising an exception in admin.py.
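As an added illustration of the point raised in msg6095 and the fix described in msg6857 (example code, not Roundup's own), the following compiles the article's assert-guarded function at optimize level 1, the level `python -O` runs at, beside the explicit-check form that raises an exception instead; AccessDenied, foo and the sample user object are assumed names.

```python
# Added example (not Roundup code): an access check written as ``assert``
# is compiled away under ``python -O``; an explicit ``if``/``raise`` is not.
# AccessDenied, foo and the sample user are hypothetical names.
from types import SimpleNamespace


class AccessDenied(Exception):
    """Raised when a non-admin caller reaches an admin-only code path."""


# The article's pattern: the guard is an assert statement.
ASSERT_GUARD = """
def foo(request, user):
    assert user.is_admin, "user does not have access"
    return "secure code ran"
"""

# The fix: an explicit check that raises, which no optimisation level removes.
RAISE_GUARD = """
def foo(request, user):
    if not user.is_admin:
        raise AccessDenied("user does not have access")
    return "secure code ran"
"""


def run_guard(source, optimize, user):
    """Compile ``source`` at ``optimize`` (1 mirrors ``python -O``: __debug__
    becomes False and assert statements are dropped), then call foo().
    Returns foo's result, or the exception class name if the guard fired."""
    namespace = {"AccessDenied": AccessDenied}
    exec(compile(source, "<guard>", "exec", optimize=optimize), namespace)
    try:
        return namespace["foo"](None, user)
    except (AssertionError, AccessDenied) as exc:
        return type(exc).__name__


def compare_guards():
    """Run both guards for a constructed non-admin user at optimize levels
    0 and 1; the assert guard only protects at level 0."""
    non_admin = SimpleNamespace(is_admin=False)  # constructed sample user
    return {
        "assert, optimize=0": run_guard(ASSERT_GUARD, 0, non_admin),
        "assert, optimize=1": run_guard(ASSERT_GUARD, 1, non_admin),
        "raise, optimize=0": run_guard(RAISE_GUARD, 0, non_admin),
        "raise, optimize=1": run_guard(RAISE_GUARD, 1, non_admin),
    }


if __name__ == "__main__":
    for label, outcome in compare_guards().items():
        print(f"{label}: {outcome}")
```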
History
Date                 User           Action  Args
2019-12-27 02:47:18  rouilj         set     messages: + msg6857
2018-06-27 07:50:10  schlatterbeck  set     nosy: + schlatterbeck
2018-06-27 00:22:43  rouilj         create