Pylint plugin adding some checks to make Python code adhere to a more secure coding standard

Pylint Secure Coding Standard Plugin

pylint plugin that enforces some secure coding standards.

Installation

    pip install pylint-secure-coding-standard

Pylint codes

| Code | Description |
|------|-------------|
| R8000 | Use os.path.realpath() instead of os.path.abspath() and os.path.relpath() |
| E8001 | Avoid using exec() and eval() |
| E8002 | Avoid using os.system() |
| E8003 | Avoid using shell=True in subprocess functions or using functions that internally set this |
| R8004 | Avoid using tempfile.mktemp(), prefer tempfile.mkstemp() instead |
| E8005 | Avoid using unsafe PyYAML loading functions |
| E8006 | Avoid using jsonpickle.decode() |
| C8007 | Avoid debug statement in production code |
| C8008 | Avoid assert statements in production code |
| R8009 | Use of builtin open for writing is discouraged in favor of os.open to allow for setting file permissions |
| E8010 | Avoid using os.popen() as it internally uses subprocess.Popen with shell=True |
| E8011 | Use of shlex.quote() should be avoided on non-POSIX platforms |
| W8012 | Avoid using os.open() with unsafe permissions |
| E8013 | Avoid using pickle.load() and pickle.loads() |
| E8014 | Avoid using marshal.load() and marshal.loads() |
| E8015 | Avoid using shelve.open() |
| W8016 | Avoid using os.mkdir and os.makedirs with unsafe file permissions |
| W8017 | Avoid using os.mkfifo with unsafe file permissions |
| W8018 | Avoid using os.mknod with unsafe file permissions |
| W8019 | Avoid using os.chmod with unsafe permissions (W ^ X for group and others) |
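
The following is an added example, not code from the plugin or its documentation. For three of the rules above (R8000, R8009/W8012, E8003) it shows the replacement the description points to and why it matters; the function names are illustrative and a POSIX system with symlink support is assumed.

```python
import os
import subprocess
import sys
import tempfile


def is_inside(base, candidate):
    """R8000: resolve symlinks before deciding whether a path stays under base."""
    base_real = os.path.realpath(base)
    cand_real = os.path.realpath(os.path.join(base, candidate))
    return os.path.commonpath([base_real, cand_real]) == base_real


def write_private(path, data):
    """R8009/W8012: create the file with explicit owner-only permissions."""
    # O_EXCL makes the call fail if the path already exists, symlinks included.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as handle:
        handle.write(data)


def echo_argument(text):
    """E8003: pass an argument vector instead of a shell command string."""
    # The text reaches the child as one argv entry, so ';' stays a literal.
    result = subprocess.run(
        [sys.executable, "-c", "import sys; print(sys.argv[1])", text],
        capture_output=True, text=True, check=True,
    )
    return result.stdout.rstrip("\n")


def demo():
    """Constructed scenario: a symlink inside base that points outside it."""
    with tempfile.TemporaryDirectory() as base, \
            tempfile.TemporaryDirectory() as outside:
        os.symlink(outside, os.path.join(base, "link"))
        target = os.path.join("link", "secret.txt")
        # abspath only normalises the string, so the prefix check passes.
        naive = os.path.abspath(os.path.join(base, target)).startswith(
            os.path.abspath(base))
        write_private(os.path.join(base, "token"), b"constructed-sample")
        mode = os.stat(os.path.join(base, "token")).st_mode & 0o777
        return naive, is_inside(base, target), mode, echo_argument("a; echo x")


if __name__ == "__main__":
    print(demo())
```
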

Plugin configuration options

This plugin supports some configuration options. They may be specified either directly on the command line, as a flag named after the option (--name), or in one of pylint's configuration files (e.g. pyproject.toml, pylintrc).

Available options:

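| Option name | Option type | Default value | Related error code |
|-------------|-------------|---------------|--------------------|
| os-open-mode | mode-like | 0 (off) | W8012 |
| os-mkdir-mode | mode-like | 0 (off) | E8016 |
| os-mkfifo-mode | mode-like | 0 (off) | E8017 |
| os-mknod-mode | mode-like | 0 (off) | E8018 |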

Mode-like options

Mode-like options are configuration options for errors/warnings that relate to a function accepting a mode parameter (or similar) that controls file or directory permissions. For these kinds of options, the plugin understands a variety of values, which must be specified as a string. They are then parsed into a list of allowed mode values:

  • Any positive, non-zero (octal or decimal) integer value specifies the maximum value for the mode value
  • A comma-separated list of (octal or decimal) integers indicates the list of allowed mode values
  • 'y', 'yes', 'true' (case-insensitive) will turn on the warnings using the default value of 0o755
  • 'n', 'no', 'false' (case-insensitive) will turn off the warnings

Example values:

    [tool.pylint.plugins]
    # Alternatives: keep a single os-open-mode line in a real configuration.
    os-open-mode = '0'            # check disabled
    os-open-mode = 'no'           # check disabled
    os-open-mode = '493'          # all modes from 0 to 493 (=0o755)
    os-open-mode = '0o755'        # all modes from 0 to 0o755
    os-open-mode = '0o755,'       # only 0o755 (notice the comma)
    os-open-mode = '0o644,0o755'  # only 0o644 and 0o755

You can also specify those options directly on the command line:

    python3 -m pylint --load-plugins=pylint_secure_coding_standard --os-open-mode='0o755'
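
The parsing rules for mode-like options, written out as an added example. This is not the plugin's own implementation: `parse_mode_option`, `is_allowed` and `DEFAULT_MAX_MODE` are hypothetical names, and the behaviour follows only the rules and sample values listed above.

```python
DEFAULT_MAX_MODE = 0o755  # default the page gives for 'y', 'yes', 'true'


def _to_int(text):
    """Accept decimal ('493') or Python-style octal ('0o755') integers."""
    text = text.strip().lower()
    return int(text, 8) if text.startswith("0o") else int(text, 10)


def parse_mode_option(value):
    """Return the allowed modes (set or range), or None when the check is off."""
    value = value.strip()
    lowered = value.lower()
    if lowered in ("n", "no", "false"):
        return None
    if lowered in ("y", "yes", "true"):
        return range(DEFAULT_MAX_MODE + 1)
    if "," in value:
        # Comma-separated list: only these exact modes; '0o755,' yields one entry.
        return {_to_int(item) for item in value.split(",") if item.strip()}
    maximum = _to_int(value)
    if maximum < 0:
        raise ValueError("mode must not be negative")
    # '0' switches the check off; any other integer is an inclusive maximum.
    return range(maximum + 1) if maximum else None


def is_allowed(mode, allowed):
    """True when the check is off or the mode is among the allowed values."""
    return allowed is None or mode in allowed


if __name__ == "__main__":
    for sample in ("0", "no", "493", "0o755", "0o755,", "0o644,0o755"):
        allowed = parse_mode_option(sample)
        print(sample, is_allowed(0o722, allowed), is_allowed(0o755, allowed))
```

Read as a numeric range, '0o755' also admits 0o722, which lies below 0o755 yet grants write access to group and others. The comma-separated form ('0o644,0o755') restricts the check to exact modes and avoids that.
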

Pre-commit hook

See pre-commit for instructions

Sample .pre-commit-config.yaml:

    repos:
      - repo: https://github.com/PyCQA/pylint/
        rev: pylint-2.6.0
        hooks:
          - id: pylint
            args: [--load-plugins=pylint_secure_coding_standard]
            additional_dependencies: ['pylint-secure-coding-standard']

Download files

Source Distribution: pylint-secure-coding-standard-1.4.0.tar.gz (26.7 kB)

Built Distribution: pylint_secure_coding_standard-1.4.0-py2.py3-none-any.whl (13.6 kB, Python 2 and Python 3)
