# GitLab Advanced SAST rules: Python
- Tier: Ultimate
- Offering: GitLab.com, GitLab Self-Managed, GitLab Dedicated
Rules used by GitLab Advanced SAST to detect vulnerabilities in Python code.
| Rule ID | Rule description | CWE | OWASP Top 10 |
|---|---|---|---|
| python-dill-deserialization-usage-taint | Deserialization of untrusted data | CWE-502 | A8:2017, A08:2021 |
| python-django-sqli-raw-taint | Improper neutralization of special elements used in an SQL command ('SQL Injection') | CWE-89 | A1:2017, A03:2021 |
| python-django-sqli-rawsql-extra-taint | Improper neutralization of special elements used in an SQL command ('SQL Injection') | CWE-89 | A1:2017, A03:2021 |
| python-django-ssti-context-taint | Improper neutralization of special elements used in a template engine | CWE-1336 | A1:2017, A03:2021 |
| python-django-xss-httpresponse-taint | Improper neutralization of input during web page generation ('Cross-site Scripting') | CWE-79 | A1:2017, A03:2021 |
| python-django-xss-mark-safe-atomic | Improper neutralization of input during web page generation ('Cross-site Scripting') | CWE-79 | A7:2017, A03:2021 |
| python-flask-misconfiguration-app-debug-atomic | Active debug code | CWE-489 | A6:2017, A05:2021 |
| python-flask-misconfiguration-cors-credentials-allowed-atomic | Permissive cross-domain policy with untrusted domains | CWE-942 | A6:2017, A05:2021 |
| python-flask-misconfiguration-cors-credentials-dynamic-origin-taint | Permissive cross-domain policy with untrusted domains | CWE-942 | A6:2017, A05:2021 |
| python-flask-misconfiguration-cors-wildcard-atomic | Permissive cross-domain policy with untrusted domains | CWE-942 | A6:2017, A05:2021 |
| python-flask-misconfiguration-httponly-false-atomic | Sensitive cookie without 'HttpOnly' flag | CWE-1004 | A6:2017, A05:2021 |
| python-flask-misconfiguration-samesite-none-atomic | Sensitive cookie with improper SameSite attribute | CWE-1275 | A6:2017, A05:2021 |
| python-flask-openredirect-taint | URL redirection to untrusted site ('Open Redirect') | CWE-601 | A5:2017, A01:2021 |
| python-flask-ssrf-host-header-injection-taint | Server-side request forgery (SSRF) | CWE-918 | A1:2017, A10:2021 |
| python-flask-ssti-rendertemplatestring-taint | Improper neutralization of special elements used in a template engine | CWE-1336 | A1:2017, A03:2021 |
| python-flask-xss-markup-taint | Improper neutralization of input during web page generation ('Cross-site Scripting') | CWE-79 | A1:2017, A03:2021 |
| python-graphene-dos-graphiql-no-depth-limit-atomic | Allocation of resources without limits or throttling | CWE-770 | A6:2017, A05:2021 |
| python-httpserver-crlfi-taint | Improper neutralization of CRLF sequences in HTTP headers ('HTTP Request/Response Splitting') | CWE-113 | A1:2017, A03:2021 |
| python-jinja2-xss-autoescape-false-atomic | Improper encoding or escaping of output | CWE-116 | A7:2017, A03:2021 |
| python-jsonpickle-deserialization-decode-taint | Deserialization of untrusted data | CWE-502 | A8:2017, A08:2021 |
| python-lang-accesscontrol-hardcoded-tmp-atomic | Insecure temporary file | CWE-377 | A5:2017, A01:2021 |
| python-lang-accesscontrol-httpbasicauth-atomic | Weak authentication | CWE-1390 | A5:2017, A01:2021 |
| python-lang-cmdi-asyncio-taint | Improper neutralization of special elements used in an OS command ('OS Command Injection') | CWE-78 | A1:2017, A03:2021 |
| python-lang-cmdi-code-run-taint | Improper neutralization of special elements used in an OS command ('OS Command Injection') | CWE-78 | A1:2017, A03:2021 |
| python-lang-cmdi-eval-taint | Improper neutralization of directives in dynamically evaluated code ('Eval Injection') | CWE-95 | A1:2017, A03:2021 |
| python-lang-cmdi-globals-taint | Improper neutralization of special elements used in an OS command ('OS Command Injection') | CWE-78 | A1:2017, A03:2021 |
| python-lang-cmdi-linux-wildcard-atomic | Improper neutralization of wildcards or matching symbols | CWE-155 | A1:2017, A03:2021 |
| python-lang-cmdi-os-exec-taint | Improper neutralization of special elements used in an OS command ('OS Command Injection') | CWE-78 | A1:2017, A03:2021 |
| python-lang-cmdi-paramiko-calls-taint | Improper neutralization of special elements used in an OS command ('OS Command Injection') | CWE-78 | A1:2017, A03:2021 |
| python-lang-cmdi-spawn-process-taint | Improper neutralization of special elements used in an OS command ('OS Command Injection') | CWE-78 | A1:2017, A03:2021 |
| python-lang-cmdi-subinterpreters-taint | Improper neutralization of special elements used in an OS command ('OS Command Injection') | CWE-78 | A1:2017, A03:2021 |
| python-lang-cmdi-subprocess-taint | Improper neutralization of special elements used in an OS command ('OS Command Injection') | CWE-78 | A1:2017, A03:2021 |
| python-lang-cmdi-system-call-taint | Improper neutralization of special elements used in an OS command ('OS Command Injection') | CWE-78 | A1:2017, A03:2021 |
| python-lang-codei-exec-used-taint | Improper control of generation of code ('Code Injection') | CWE-94 | A1:2017, A03:2021 |
| python-lang-crypto-cipher-blowfish-atomic | Use of a broken or risky cryptographic algorithm | CWE-327 | A3:2017, A02:2021 |
| python-lang-crypto-cipher-des-atomic | Use of a broken or risky cryptographic algorithm | CWE-327 | A3:2017, A02:2021 |
| python-lang-crypto-ftplib-atomic | Cleartext transmission of sensitive information | CWE-319 | A3:2017, A02:2021 |
| python-lang-crypto-hash-md4-atomic | Use of a broken or risky cryptographic algorithm | CWE-327 | A3:2017, A02:2021 |
| python-lang-crypto-hash-md5-atomic | Use of a broken or risky cryptographic algorithm | CWE-327 | A3:2017, A02:2021 |
| python-lang-crypto-hash-sha1-atomic | Use of a broken or risky cryptographic algorithm | CWE-327 | A3:2017, A02:2021 |
| python-lang-crypto-hash-xor-atomic | Use of a broken or risky cryptographic algorithm | CWE-327 | A3:2017, A02:2021 |
| python-lang-crypto-hazmat-cipher-blowfish-atomic | Use of a broken or risky cryptographic algorithm | CWE-327 | A3:2017, A02:2021 |
| python-lang-crypto-hazmat-cipher-idea-atomic | Use of a broken or risky cryptographic algorithm | CWE-327 | A3:2017, A02:2021 |
| python-lang-crypto-hazmat-cipher-insecure-algo-atomic | Use of a broken or risky cryptographic algorithm | CWE-327 | A3:2017, A02:2021 |
| python-lang-crypto-hazmat-encrypt-ec-size-atomic | Inadequate encryption strength | CWE-326 | A3:2017, A02:2021 |
| python-lang-crypto-hazmat-hash-md5-atomic | Use of a broken or risky cryptographic algorithm | CWE-327 | A3:2017, A02:2021 |
| python-lang-crypto-hazmat-hash-sha1-atomic | Use of a broken or risky cryptographic algorithm | CWE-327 | A3:2017, A02:2021 |
| python-lang-crypto-hazmat-modes-ecb-atomic | Use of a broken or risky cryptographic algorithm | CWE-327 | A3:2017, A02:2021 |
| python-lang-crypto-httpconnectionpool-atomic | Cleartext transmission of sensitive information | CWE-319 | A3:2017, A02:2021 |
| python-lang-crypto-import-telnetlib-atomic | Cleartext transmission of sensitive information | CWE-319 | A3:2017, A02:2021 |
| python-lang-crypto-insecure-random-atomic | Use of cryptographically weak pseudo-random number generator (PRNG) | CWE-338 | A3:2017, A02:2021 |
| python-lang-crypto-jwt-none-alg-atomic | Use of a broken or risky cryptographic algorithm | CWE-327 | A3:2017, A02:2021 |
| python-lang-crypto-pycrypto-import-atomic | Use of unmaintained third-party components | CWE-1104 | A9:2017, A02:2021 |
| python-lang-crypto-request-certification-verify-atomic | Improper certificate validation | CWE-295 | A2:2017, A07:2021 |
| python-lang-crypto-ssl-bad-version-atomic | Inadequate encryption strength | CWE-326 | A3:2017, A02:2021 |
| python-lang-crypto-ssl-unverified-context-atomic | Improper certificate validation | CWE-295 | A2:2017, A07:2021 |
| python-lang-crypto-weak-algo-atomic | Use of a broken or risky cryptographic algorithm | CWE-327 | A3:2017, A02:2021 |
| python-lang-crypto-weak-cipher-suites-taint | Use of a broken or risky cryptographic algorithm | CWE-327 | A3:2017, A02:2021 |
| python-lang-crypto-weak-key-atomic | Inadequate encryption strength | CWE-326 | A3:2017, A02:2021 |
| python-lang-dos-loop-taint | Unchecked input for loop condition | CWE-606 | A6:2017, A05:2021 |
| python-lang-dos-redos-taint | Inefficient regular expression complexity | CWE-1333 | A1:2017, A03:2021 |
| python-lang-ldapi-taint | Improper neutralization of special elements used in an LDAP query ('LDAP Injection') | CWE-90 | A1:2017, A03:2021 |
| python-lang-marshal-deserialization-taint | Deserialization of untrusted data | CWE-502 | A8:2017, A08:2021 |
| python-lang-misconfiguration-bad-permission-atomic | Incorrect permission assignment for critical resource | CWE-732 | A5:2017, A01:2021 |
| python-lang-misconfiguration-bind-all-interfaces-atomic | Binding to an unrestricted IP address | CWE-1327 | A6:2017, A05:2021 |
| python-lang-misconfiguration-config-logging-insecure-listen-atomic | Improper control of generation of code ('Code Injection') | CWE-94 | A1:2017, A03:2021 |
| python-lang-misconfiguration-graphiql-interface-enabled-atomic | Exposure of sensitive system information to an unauthorized control sphere | CWE-497 | A6:2017, A05:2021 |
| python-lang-misconfiguration-ssh-nohost-key-verification-atomic | Key exchange without entity authentication | CWE-322 | A5:2017, A07:2021 |
| python-lang-misconfiguration-tempfile-mktemp-used-atomic | Insecure temporary file | CWE-377 | A3:2017, A01:2021 |
| python-lang-misconfiguration-without-timeout-atomic | Allocation of resources without limits or throttling | CWE-770 | A6:2017, A05:2021 |
| python-lang-pathtraversal-file-low-taint | Improper limitation of a pathname to a restricted directory ('Path Traversal') | CWE-22 | A5:2017, A01:2021 |
| python-lang-pathtraversal-file-taint | Improper limitation of a pathname to a restricted directory ('Path Traversal') | CWE-22 | A5:2017, A01:2021 |
| python-lang-pathtraversal-tarfile-taint | Improper limitation of a pathname to a restricted directory ('Path Traversal') | CWE-22 | A5:2017, A01:2021 |
| python-lang-pathtraversal-urllib-taint | Relative path traversal | CWE-23 | A5:2017, A01:2021 |
| python-lang-pickle-deserialization-taint | Deserialization of untrusted data | CWE-502 | A8:2017, A08:2021 |
| python-lang-sqli-aiopg-taint | Improper neutralization of special elements used in an SQL command ('SQL Injection') | CWE-89 | A1:2017, A03:2021 |
| python-lang-sqli-asyncpg-taint | Improper neutralization of special elements used in an SQL command ('SQL Injection') | CWE-89 | A1:2017, A03:2021 |
| python-lang-sqli-hardcoded-sql-expression-taint | Improper neutralization of special elements used in an SQL command ('SQL Injection') | CWE-89 | A1:2017, A03:2021 |
| python-lang-sqli-pg8000-taint | Improper neutralization of special elements used in an SQL command ('SQL Injection') | CWE-89 | A1:2017, A03:2021 |
| python-lang-sqli-psycopg-taint | Improper neutralization of special elements used in an SQL command ('SQL Injection') | CWE-89 | A1:2017, A03:2021 |
| python-lang-ssrf-aiohttp-taint | Server-side request forgery (SSRF) | CWE-918 | A1:2017, A10:2021 |
| python-lang-ssrf-ftplib-smtplib-taint | Server-side request forgery (SSRF) | CWE-918 | A1:2017, A10:2021 |
| python-lang-ssrf-httpx-taint | Server-side request forgery (SSRF) | CWE-918 | A1:2017, A10:2021 |
| python-lang-ssrf-requests-taint | Server-side request forgery (SSRF) | CWE-918 | A1:2017, A10:2021 |
| python-lang-ssrf-socket-taint | Server-side request forgery (SSRF) | CWE-918 | A1:2017, A10:2021 |
| python-lang-xpathi-taint | Improper neutralization of data within XPath expressions ('XPath Injection') | CWE-643 | A1:2017, A03:2021 |
| python-lang-xxe-xml-expatbuilder-taint | Improper restriction of XML external entity reference ('XXE') | CWE-611 | A4:2017, A03:2021 |
| python-lang-xxe-xml-expatreader-taint | Improper restriction of XML external entity reference ('XXE') | CWE-611 | A4:2017, A03:2021 |
| python-lang-xxe-xml-minidom-taint | Improper restriction of XML external entity reference ('XXE') | CWE-611 | A4:2017, A03:2021 |
| python-lang-xxe-xml-pulldom-taint | Improper restriction of XML external entity reference ('XXE') | CWE-611 | A4:2017, A03:2021 |
| python-lang-xxe-xml-sax-taint | Improper restriction of XML external entity reference ('XXE') | CWE-611 | A4:2017, A03:2021 |
| python-lang-xxe-xml-taint | Improper restriction of XML external entity reference ('XXE') | CWE-611 | A4:2017, A03:2021 |
| python-mako-xss-template-atomic | Improper neutralization of input during web page generation ('Cross-site Scripting') | CWE-79 | A7:2017, A03:2021 |
| python-mako-xss-template-taint | Improper neutralization of input during web page generation ('Cross-site Scripting') | CWE-79 | A7:2017, A03:2021 |
| python-pyjwt-crypto-jwt-signature-verification-disabled-atomic | Improper verification of cryptographic signature | CWE-347 | A3:2017, A02:2021 |
| python-pyramid-csrf-origin-check-atomic | Cross-site request forgery (CSRF) | CWE-352 | A5:2017, A01:2021 |
| python-pysnmp-crypto-insecure-version-atomic | Cleartext transmission of sensitive information | CWE-319 | A3:2017, A02:2021 |
| python-pysnmp-crypto-weak-cryptography-atomic | Cleartext transmission of sensitive information | CWE-319 | A3:2017, A02:2021 |
| python-pyyaml-deserialization-load-taint | Deserialization of untrusted data | CWE-502 | A8:2017, A08:2021 |
| python-ruamel-deserialization-yaml-taint | Deserialization of untrusted data | CWE-502 | A8:2017, A08:2021 |
| python-shelve-deserialization-usage-taint | Deserialization of untrusted data | CWE-502 | A8:2017, A08:2021 |
| python-sqlalchemy-sqli-execute-taint | Improper neutralization of special elements used in an SQL command ('SQL Injection') | CWE-89 | A1:2017, A03:2021 |
| python-sqlalchemy-sqli-raw-functions-taint | Improper neutralization of special elements used in an SQL command ('SQL Injection') | CWE-89 | A1:2017, A03:2021 |
| python-webserver-asyncio-ssrf-taint | Server-side request forgery (SSRF) | CWE-918 | A1:2017, A10:2021 |
| python-webserver-http-httplib-client-ssrf-taint | Server-side request forgery (SSRF) | CWE-918 | A1:2017, A10:2021 |
| python-webserver-paramiko-ssrf-taint | Server-side request forgery (SSRF) | CWE-918 | A1:2017, A10:2021 |
| python-webserver-pycurl-ssrf-taint | Server-side request forgery (SSRF) | CWE-918 | A1:2017, A10:2021 |
| python-webserver-urllib3-ssrf-taint | Server-side request forgery (SSRF) | CWE-918 | A1:2017, A10:2021 |
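Several rows in the table share CWE-502 (the dill, jsonpickle, marshal, pickle, pyyaml, ruamel and shelve rules). The example below is added here to show the flaw class those rules name and two ways to close it; it is not GitLab's test case for any rule, and this page does not state that Advanced SAST flags exactly this code, so treat that as an assumption. It also assumes, from the rule ID suffixes, that a `-taint` rule reports a flow from an untrusted source into a sink such as `pickle.loads`, whereas an `-atomic` rule matches a single dangerous call or setting in place. The `record_exec` function and the `EXECUTED` list are stand-ins constructed for the demo; a real payload would name `os.system` or `subprocess.Popen` instead.

```python
import io
import json
import pickle

# Records which attacker-chosen callables ran during unpickling (constructed for this demo;
# in a real payload the reduce target would be os.system, subprocess.Popen or similar).
EXECUTED = []


def record_exec(marker):
    """Stand-in for a dangerous callable: any importable function can be a reduce target."""
    EXECUTED.append(marker)
    return marker


class Gadget:
    """An object whose pickled form instructs the loader to call record_exec("pwned")."""

    def __reduce__(self):
        # pickle stores (callable, args); the loader calls callable(*args) to "rebuild" the object
        return (record_exec, ("pwned",))


def build_malicious_payload():
    """Constructed attacker input: bytes that execute record_exec as a side effect of loading."""
    return pickle.dumps(Gadget())


def build_benign_payload():
    """Constructed legitimate input: plain containers only, no global references."""
    return pickle.dumps({"tags": {"a", "b"}})


def vulnerable_loads(data):
    """The pattern the CWE-502 taint rules describe: untrusted bytes straight into pickle.loads."""
    return pickle.loads(data)


class RestrictedUnpickler(pickle.Unpickler):
    """Allow-list unpickler in the style the pickle module documentation recommends:
    every global lookup (the mechanism behind __reduce__ gadgets) is refused unless the
    (module, name) pair is explicitly permitted."""

    ALLOWED = {("builtins", "set"), ("builtins", "frozenset")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def restricted_loads(data):
    """Mitigation when pickle cannot be removed: plain containers load, gadgets are rejected."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def restricted_loads_rejects(data):
    """True when the restricted unpickler refuses the payload without running its gadget."""
    try:
        restricted_loads(data)
    except pickle.UnpicklingError:
        return True
    return False


def json_loads_validated(text):
    """Preferred fix: a data-only format plus an explicit schema check on what was received."""
    obj = json.loads(text)
    if not isinstance(obj, dict) or set(obj) != {"user", "role"}:
        raise ValueError("unexpected message shape")
    if not isinstance(obj["user"], str) or obj["role"] not in ("viewer", "editor"):
        raise ValueError("unexpected field values")
    return obj


if __name__ == "__main__":
    payload = build_malicious_payload()
    print("vulnerable:", vulnerable_loads(payload), EXECUTED)       # record_exec ran
    print("restricted rejects:", restricted_loads_rejects(payload))  # True, nothing ran
    print("benign still loads:", restricted_loads(build_benign_payload()))
    print("json:", json_loads_validated('{"user": "alice", "role": "viewer"}'))
```

The allow-list unpickler is the fallback for code that must keep reading pickles it did not produce; it only stops what arrives through `find_class`, so keep the allowed set minimal and prefer replacing the format, as `json_loads_validated` does, when the data is yours to define. The same reasoning applies to the other CWE-502 rows: `yaml.load` without a safe loader, `marshal.loads`, `jsonpickle.decode` and `shelve` all hand attacker-controlled bytes to a loader that can instantiate arbitrary objects.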