Secure Coding One Stop Shop for Python

ⓘ NOTE: This is a draft. Contributions welcome!

An initiative by the OpenSSF to provide new Python programmers a resource to study secure coding in CPython >= 3.9 with working code examples.

Documentation is written in academic style to support security researchers while using plain English to cater for an international audience.

Python modules outside of the Python Module Index [Python 2023] are specifically not covered by this document. The structure is based on Common Weakness Enumeration (CWE) Pillar Weakness [MITRE Pillar 2024].

Please join us, see contributing

Disclaimer

Content comes WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, as stated in the license texts: CC-BY-4.0 for documentation and MIT for code. Following or using the documentation and/or code is at your own risk. Code examples are intended purely for educational use and not for use in products, in part or in full. Code examples are NOT to be used to cause harm of any kind to anyone or anything.

Introduction

Every person writing code shall study the following:

Secure Coding Standard for Python

Code examples are written to explain security design with as little code as possible. None of the code examples are intended to be used ‘as is’ for production. Using the code is at your own risk!

Code file naming conventions:

The examples are not production code and require code style and Python best practices to be added, such as:

Rules are grouped under their CWE Pillar Weakness. Where a public CVE illustrates the weakness class, it is listed as "Prominent CVE" with its CVSS score and EPSS percentage (date of the EPSS reading in brackets).

CWE-664: Improper Control of a Resource Through its Lifetime
    CWE-134: Use of Externally-Controlled Format String
        Prominent CVE: CVE-2022-27177, CVSSv3.1: 9.8, EPSS: 0.37 (01.12.2023)
    CWE-197: Numeric Truncation Error
    CWE-197: Control rounding when converting to less precise numbers
    CWE-400: Uncontrolled Resource Consumption
    CWE-409: Improper Handling of Highly Compressed Data (Data Amplification)
    CWE-410: Insufficient Resource Pool
    CWE-426: Untrusted Search Path
        Prominent CVE: CVE-2015-1326, CVSSv3.0: 8.8, EPSS: 0.20 (23.11.2023)
    CWE-501: Trust Boundary Violation
        Prominent CVE: CVE-2023-28597, CVSSv3.0: 7.5, EPSS: 0.11 (05.11.2024)
    CWE-502: Deserialization of Untrusted Data
        Prominent CVE: CVE-2018-8021, CVSSv3.0: 9.8, EPSS: 93.54 (05.11.2024)
    CWE-532: Insertion of Sensitive Information into Log File
        Prominent CVE: CVE-2023-45585, CVSSv3.1: 9.8, EPSS: 0.04 (01.11.2024)
    CWE-665: Improper Initialization
    CWE-681: Incorrect Conversion between Numeric Types
    CWE-681: Avoid an uncontrolled loss of precision when passing floating-point literals to a Decimal constructor
    CWE-833: Deadlock
    CWE-843: Access of Resource Using Incompatible Type ('Type Confusion')
        Prominent CVE: CVE-2021-29513, CVSSv3.1: 7.8, EPSS: 0.05 (05.11.2024)
    XXX-005: Consider hash-based integrity verification of byte code files against their source code files

CWE-682: Incorrect Calculation
    CWE-191: Integer Underflow (Wrap or Wraparound)
    CWE-1335: Promote readability and compatibility by using mathematically written code with arithmetic operations instead of bit-wise operations
    CWE-1339: Insufficient Precision or Accuracy of a Real Number

CWE-691: Insufficient Control Flow Management
    CWE-362: Concurrent Execution Using Shared Resource with Improper Synchronization ("Race Condition")
    CWE-617: Reachable Assertion

CWE-693: Protection Mechanism Failure
    CWE-184: Incomplete List of Disallowed Input
    CWE-330: Use of Insufficiently Random Values
        Prominent CVE: CVE-2020-7548, CVSSv3.1: 9.8, EPSS: 0.22 (12.12.2024)
    CWE-798: Use of Hard-coded Credentials

CWE-697: Incorrect Comparison
    CWE-595: Comparison of Object References Instead of Object Contents

CWE-703: Improper Check or Handling of Exceptional Conditions
    CWE-230: Improper Handling of Missing Values
    CWE-390: Detection of Error Condition without Action
    CWE-392: Missing Report of Error Condition
    CWE-754: Improper Check for Unusual or Exceptional Conditions
    CWE-755: Improper Handling of Exceptional Conditions
        Prominent CVE: CVE-2024-39560, CVSSv3.1: 6.5, EPSS: 0.04 (01.11.2024)

CWE-707: Improper Neutralization
    CWE-78: Improper Neutralization of Special Elements Used in an OS Command ("OS Command Injection")
        Prominent CVE: CVE-2024-43804, CVSSv3.1: 8.8, EPSS: 0.06 (08.11.2024)
    CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
        Prominent CVE: CVE-2019-8600, CVSSv3.1: 9.8, EPSS: 1.43 (18.02.2024)
    CWE-117: Improper Output Neutralization for Logs
    CWE-175: Improper Handling of Mixed Encoding
    CWE-180: Incorrect Behavior Order: Validate Before Canonicalize

CWE-710: Improper Adherence to Coding Standards
    CWE-1095: Loop Condition Value Update within the Loop
    CWE-1109: Use of Same Variable for Multiple Purposes
    CWE-489: Active Debug Code
        Prominent CVE: CVE-2018-14649, CVSSv3.1: 9.8, EPSS: 69.64 (12.12.2023)
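As an illustration of the noncompliant/compliant pattern the rules above follow, here is an added example for CWE-134 (Use of Externally-Controlled Format String). It is written for this page and is not code from the OpenSSF project. The Config class, its field names and the template strings are constructed sample data; the point it shows is that str.format() on a caller-supplied template exposes attribute lookups on the formatted object, whereas string.Template substitutes only named placeholders from an explicit mapping.

```python
from string import Template


class Config:
    """Constructed sample object holding a value an attacker must not read."""

    def __init__(self, name: str, api_key: str) -> None:
        self.name = name
        self.api_key = api_key


def render_noncompliant(template: str, cfg: Config) -> str:
    # Noncompliant: the template is externally controlled. The format
    # mini-language allows "{0.attr}" and "{0[key]}" lookups on the
    # positional argument, so the caller can read any attribute of cfg.
    return template.format(cfg)


def render_compliant(template: str, cfg: Config) -> str:
    # Compliant: string.Template only replaces $name / ${name} placeholders
    # from an explicit mapping. Attribute traversal is not part of its
    # syntax, and safe_substitute() leaves unknown placeholders verbatim
    # instead of raising, so hostile input can neither read cfg nor crash
    # the renderer.
    allowed = {"name": cfg.name}
    return Template(template).safe_substitute(allowed)


def demo() -> tuple:
    cfg = Config("alice", "constructed-secret-123")  # constructed sample data
    hostile_format = "Hello {0.name}, key={0.api_key}"  # constructed attacker input
    leaked = render_noncompliant(hostile_format, cfg)   # secret ends up in output
    hostile_template = "Hello $name, key=$api_key"      # same intent, Template syntax
    safe = render_compliant(hostile_template, cfg)      # $api_key is left as-is
    return leaked, safe


if __name__ == "__main__":
    print(demo())
```

The same attribute walk also reaches dunder attributes such as `{0.__class__}`, so restricting the set of substitutable names, rather than trying to blocklist dangerous attribute paths (see CWE-184 above), is the robust fix.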

Bibliography

Ref: Detail
[Python 2023] 3.9 Module Index [online], available from https://docs.python.org/3.9/py-modindex.html [accessed Dec 2024]
[mitre.org 2023] CWE - CWE-1000: Research Concepts [online], available from https://cwe.mitre.org/data/definitions/1000.html [accessed Dec 2024]
[OWASP dev 2024] OWASP Developer Guide [online], available from https://owasp.org/www-project-developer-guide/release/ [accessed Dec 2024]
[OWASP 2021] OWASP Top 10 Report 2021 [online], available from https://owasp.org/www-project-top-ten/
[MITRE Pillar 2024] Pillar Weakness [online], available from https://cwe.mitre.org/documents/glossary/#Pillar%20Weakness [accessed Dec 2024]
[MITRE 2024] CWE Top 25 [online], available from https://cwe.mitre.org/top25/index.html [accessed Dec 2024]

License