Secure Coding One Stop Shop for Python

ⓘ NOTE: This is a draft. Contributions welcome!
Web: https://best.openssf.org/Secure-Coding-Guide-for-Python/
GitHub: https://github.com/ossf/wg-best-practices-os-developers/tree/main/docs/Secure-Coding-Guide-for-Python

An initiative by the OpenSSF to provide new Python programmers with a resource for studying secure coding in CPython >= 3.9, with working code examples.

Documentation is written in academic style to support security researchers while using plain English to cater for an international audience.

Python modules outside of the Python Module Index [Python 2023] are specifically not covered by this document.

Please join us, see contributing

Disclaimer

Content comes WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, as stated in the license texts CC-BY-4.0 for documentation and MIT. Following or using the documentation and/or code is at your own risk. Code examples are intended purely for educational use and not for products, in part or in full. Code examples are NOT to be used to cause harm of any kind to anyone or anything.

Introduction

Every person writing code shall study the following:

Secure Coding Standard for Python

Code examples are written to explain security design with as little code as possible. None of the code examples are intended to be used ‘as is’ for production. Using the code is at your own risk!

Code file naming conventions:

It is not production code and requires code style or Python best practices to be added, such as:

01 Introduction
Rule | Prominent CVEs | MITRE
pyscg-0040: Trust Boundary Violation | CVE-2023-28597, CVSSv3.0: 7.5, EPSS: 00.11 (05.11.2024) | CWE-501
pyscg-0041: Use of Hardcoded Credentials | | CWE-798
pyscg-0042: Operator Precedence Logic Error | | CWE-783
pyscg-0055: External Control of Assumed-Immutable Web Parameter | | CWE-472

02 Encoding and Strings
Rule | Prominent CVEs | MITRE
pyscg-0043: Improper Handling of Mixed Encoding | | CWE-175
pyscg-0044: Incorrect Behavior Order: Validate Before Canonicalize | CVE-2022-26136, CVSSv3.1: 9.8, EPSS: 00.28 (31.12.2025) | CWE-180
pyscg-0045: Collapse of Data into Unsafe Value | | CWE-182
pyscg-0046: Inappropriate Encoding for Output Context | | CWE-838

03 Numbers
Rule | Prominent CVEs | MITRE
pyscg-0001: Insufficient Precision or Accuracy of a Real Number | | CWE-1339
pyscg-0002: Integer Underflow ('Wrap or Wraparound') | | CWE-191
pyscg-0053: Incorrect Bitwise Shift of Integer | | CWE-1335
pyscg-0003: Promote Readability and Compatibility by Using Mathematical Written Code with Arithmetic Operations Instead of Bit-wise Operations | | CWE-1335
pyscg-0004: Numeric Truncation Error | | CWE-197
pyscg-0005: Control Rounding When Converting to Less Precise Numbers | | CWE-197
pyscg-0006: Incorrect Conversion Between Numeric Types | | CWE-681
pyscg-0007: Avoid an Uncontrolled Loss of Precision When Passing Floating-point Literals to a Decimal Constructor | | CWE-681

04 Neutralization
Rule | Prominent CVEs | MITRE
pyscg-0047: Incomplete List of Disallowed Input | | CWE-184
pyscg-0008: Use of Externally-Controlled Format String | CVE-2022-27177, CVSSv3.1: 9.8, EPSS: 00.37 (01.12.2023) | CWE-134
pyscg-0009: Improper Neutralization of Special Elements Used in an OS Command ('OS Command Injection') | CVE-2024-43804, CVSSv3.1: 8.8, EPSS: 00.06 (08.11.2024) | CWE-78
pyscg-0010: Improper Neutralization of Special Elements Used in an SQL Command ('SQL Injection') | CVE-2019-8600, CVSSv3.1: 9.8, EPSS: 01.43 (18.02.2024) | CWE-89
pyscg-0011: Access of Resource Using Incompatible Type ('Type Confusion') | CVE-2021-29513, CVSSv3.1: 7.8, EPSS: 00.02 (13.05.2025) | CWE-843
pyscg-0012: Improper Handling of Highly Compressed Data ('Data Amplification') | CVE-2019-9674, CVSSv3.1: 7.5, EPSS: 1.2% (10.09.2025) | CWE-409
pyscg-0013: Untrusted Search Path | CVE-2015-1326, CVSSv3.0: 8.8, EPSS: 00.20 (23.11.2023) | CWE-426
pyscg-0023: Deserialization of Untrusted Data | CVE-2018-8021, CVSSv3.0: 9.8, EPSS: 93.54 (05.11.2024) | CWE-502

05 Exception handling
Rule | Prominent CVEs | MITRE
pyscg-0014: Declaration of Throws for Generic Exception | | CWE-397
pyscg-0015: Improper Handling of Exceptional Conditions | CVE-2024-39560, CVSSv3.1: 6.5, EPSS: 0.04 (01.11.2024) | CWE-755
pyscg-0016: Detection of Error Condition Without Action | | CWE-390
pyscg-0017: Improper Handling of Missing Values | | CWE-230
pyscg-0018: Improper Check for Unusual or Exceptional Conditions - Float | | CWE-754
pyscg-0052: Improper Cleanup on Thrown Exception | | CWE-460

06 Logging
Rule | Prominent CVEs | MITRE
pyscg-0019: Insertion of Sensitive Information into Log File | CVE-2023-45585, CVSSv3.1: 9.8, EPSS: 0.04 (01.11.2024) | CWE-532
pyscg-0020: Insufficient Logging | | CWE-778
pyscg-0021: Active Debug Code | CVE-2018-14649, CVSSv3.1: 9.8, EPSS: 69.64 (12.12.2023) | CWE-489
pyscg-0022: Improper Output Neutralization for Logs | | CWE-117
pyscg-0050: Generation of Error Message Containing Sensitive Information | | CWE-209

07 Concurrency
Rule | Prominent CVEs | MITRE
pyscg-0024: Uncontrolled Resource Consumption | | CWE-400
pyscg-0025: Insufficient Resource Pool | | CWE-410
pyscg-0026: Deadlock | | CWE-833
pyscg-0027: Concurrent Execution Using Shared Resource with Improper Synchronization ('Race Condition') | | CWE-362
pyscg-0028: Return inside Finally Block | | CWE-584
pyscg-0029: Improper Initialization | | CWE-665
pyscg-0030: Missing Report of Error Condition | | CWE-392
pyscg-0051: Improper Resource Shutdown or Release | | CWE-404
pyscg-0054: Race Condition Within a Thread | | CWE-366

08 Coding Standards
Rule | Prominent CVEs | MITRE
pyscg-0031: Loop Condition Value Update Within the Loop | | CWE-1095
pyscg-0032: Use of Same Variable for Multiple Purposes | | CWE-1109
pyscg-0033: Comparison of Object References Instead of Object Contents | | CWE-595
pyscg-0034: NULL Pointer Dereference | | CWE-476
pyscg-0035: Incomplete Cleanup | | CWE-459
pyscg-0036: Unchecked Return Value | | CWE-252
pyscg-0037: Reachable Assertion | | CWE-617

09 Cryptography
Rule | Prominent CVEs | MITRE
pyscg-0038: Use of Insufficiently Random Values | CVE-2020-7548, CVSSv3.1: 9.8, EPSS: 0.22 (12.12.2024) | CWE-330

Bibliography

Ref | Detail
[Python 2023] | 3.9 Module Index [online], available from https://docs.python.org/3.9/py-modindex.html [accessed Dec 2024]
[mitre.org 2023] | CWE - CWE-1000: Research Concepts [online], available from https://cwe.mitre.org/data/definitions/1000.html [accessed Dec 2024]
[OWASP dev 2024] | OWASP Developer Guide [online], available from https://owasp.org/www-project-developer-guide/release/ [accessed Dec 2024]
[OWASP 2021] | OWASP Top 10 Report 2021 [online], available from https://owasp.org/www-project-top-ten/
[MITRE Pillar 2024] | Pillar Weakness [online], available from https://cwe.mitre.org/documents/glossary/#Pillar%20Weakness [accessed Dec 2024]
[MITRE 2024] | CWE Top 25 [online], available from https://cwe.mitre.org/top25/index.html [accessed Dec 2024]

License