Roundup Tracker - Issues

Issue 2550962

classification
Title: Check uses of assert in roundup code.
Type: Severity: normal
Components: Web interface, Mail interface, Command-line interface, User Interface Versions: devel
process
Status: new Resolution:
Dependencies: Superseder:
Assigned To: Nosy List: rouilj, schlatterbeck
Priority: normal Keywords:

Created on 2018-06-27 00:22 by rouilj, last changed 2018-06-27 07:50 by schlatterbeck.

Messages
msg6095 Author: [hidden] (rouilj) Date: 2018-06-27 00:22
From: https://hackernoon.com/10-common-security-gotchas-in-python-and-how-to-avoid-them-e19fbe265e03

I took a quick look. Most of them are obvious debugging only
changes, but I didn't analyze all of them.

==
3. Assert statements

Don’t use assert statements to guard against pieces of code that a user 
shouldn’t access. Take this simple example

def foo(request, user):
   assert user.is_admin, "user does not have access"
   # secure code...

Now, by default Python executes with __debug__ as true, but in a 
production environment it’s common to run with optimizations. This will 
skip the assert statement and go straight to the secure code regardless 
of whether the user is_admin or not.

Fix:

Only use assert statements to communicate with other developers, such 
as in unit tests or to guard against incorrect API usage.
==
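The failure mode the quoted article describes, as an added example that is not part of this issue, the article, or Roundup's own code: the assert-guarded function is compiled at optimisation level 0 (plain `python`) and level 1 (`python -O`) so the difference can be observed in one interpreter, an explicit `if`/`raise` version is shown beside it, and a small `ast` scanner of the kind the issue title asks for lists every `assert` in a source string. The `User` class and the source snippet are constructed for the demonstration.

```python
"""Added example: why an ``assert`` permission check vanishes under -O.

Not code from Roundup or from the quoted article.  ``User`` and
``VULNERABLE_SRC`` are constructed stand-ins for this demonstration.
"""
import ast


class User:
    """Constructed stand-in for a tracker user object."""

    def __init__(self, name, is_admin):
        self.name = name
        self.is_admin = is_admin


# The pattern the article warns about: the only access guard is an assert.
VULNERABLE_SRC = '''
def foo(request, user):
    assert user.is_admin, "user does not have access"
    return "admin-only result"
'''


def load_foo(optimize):
    """Compile VULNERABLE_SRC and return its foo().

    optimize=0 mirrors a plain ``python`` run (asserts kept);
    optimize=1 mirrors ``python -O`` (assert statements are dropped by
    the compiler, so the guard never exists in the bytecode).
    """
    code = compile(VULNERABLE_SRC, "<vulnerable>", "exec", optimize=optimize)
    namespace = {}
    exec(code, namespace)
    return namespace["foo"]


def call_vulnerable(optimize, user):
    """Return "denied" or "granted" for the assert-guarded foo()."""
    foo = load_foo(optimize)
    try:
        foo(None, user)
    except AssertionError:
        return "denied"
    return "granted"


def foo_hardened(request, user):
    """Same check written so that -O cannot remove it."""
    if not user.is_admin:
        raise PermissionError("user does not have access")
    return "admin-only result"


def call_hardened(user):
    """Return "denied" or "granted" for the explicit-check version."""
    try:
        foo_hardened(None, user)
    except PermissionError:
        return "denied"
    return "granted"


def assertions_enabled():
    """True when this interpreter executes assert statements.

    ``__debug__`` is a compile-time constant that -O sets to False; a
    startup self-test can use it to refuse to run if asserts are still
    relied on anywhere in the request path.
    """
    return __debug__


def find_asserts(source):
    """List (line number, asserted expression) for every assert in source.

    This is the kind of audit pass the issue asks for: each hit should be
    reviewed to decide whether it is a developer-facing sanity check or an
    access check that must become an explicit if/raise.
    """
    tree = ast.parse(source)
    return [
        (node.lineno, ast.get_source_segment(source, node.test))
        for node in ast.walk(tree)
        if isinstance(node, ast.Assert)
    ]


if __name__ == "__main__":
    guest = User("guest", is_admin=False)
    for level in (0, 1):
        print("optimize=%d, guest via assert guard: %s"
              % (level, call_vulnerable(level, guest)))
    print("guest via explicit check: %s" % call_hardened(guest))
    print("asserts found: %r" % find_asserts(VULNERABLE_SRC))
```

Running the block prints "granted" for the guest at optimize=1, which is exactly what `python -O roundup-server` (or any WSGI host started with `-O`) would do to a real check written this way; the explicit version denies at every level.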
History
Date User Action Args
2018-06-27 07:50:10  schlatterbeck  set     nosy: + schlatterbeck
2018-06-27 00:22:43  rouilj         create