SonarSource · andrea-guarino-sonarsource · Jun 11, 2020 · Jun 10, 2020 · Jun 10, 2020
diff --git a/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/ClassComplexity.json b/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/ClassComplexity.json
@@ -1,5 +1,5 @@
 {
-  "title": "Classes should not be too complex",
+  "title": "Cyclomatic Complexity of classes should not be too high",
  "type": "CODE_SMELL",
  "status": "deprecated",
  "remediation": {

diff --git a/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/FunctionComplexity.json b/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/FunctionComplexity.json
@@ -1,5 +1,5 @@
 {
-  "title": "Functions should not be too complex",
+  "title": "Cyclomatic Complexity of functions should not be too high",
  "type": "CODE_SMELL",
  "status": "ready",
  "remediation": {

diff --git a/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S1313.html b/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S1313.html
@@ -13,11 +13,16 @@
 <p>Last but not least it has an effect on application security. Attackers might be able to decompile the code and thereby discover a potentially
 sensitive address. They can perform a Denial of Service attack on the service at this address or spoof the IP address. Such an attack is always
 possible, but in the case of a hardcoded IP address the fix will be much slower, which will increase an attack's impact.</p>
-<h2>Recommended Secure Coding Practices</h2>
+<h2>Ask Yourself Whether</h2>
+<p>The disclosed IP address is sensitive, eg:</p>
 <ul>
-  <li> make the IP address configurable. </li>
+  <li> Can give information to an attacker about the network topology. </li>
+  <li> It's a personal (assigned to an identifiable person) IP address. </li>
 </ul>
-<h2>Noncompliant Code Example</h2>
+<p>There is a risk if you answered yes to any of these questions.</p>
+<h2>Recommended Secure Coding Practices</h2>
+<p>Don't hard-code the IP address in the source code, instead make it configurable.</p>
+<h2>Sensitive Code Example</h2>
 <pre>
 ip = '192.168.12.42'
 sock = socket.socket()

diff --git a/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S1523.html b/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S1523.html
@@ -14,8 +14,7 @@ <h2>Ask Yourself Whether</h2>
  <li> the executed code may come from an untrusted source and hasn't been sanitized. </li>
  <li> you really need to run code dynamically. </li>
 </ul>
-<p>You are at risk if you answered yes to the first question. You are increasing the security risks for no reason if you answered yes to the second
-question.</p>
+<p>There is a risk if you answered yes to any of those questions.</p>
 <h2>Recommended Secure Coding Practices</h2>
 <p>Regarding the execution of unknown code, the best solution is to not run code provided by an untrusted source. If you really need to do it, run the
 code in a <a href="https://en.wikipedia.org/wiki/Sandbox_(computer_security)">sandboxed</a> environment. Use jails, firewalls and whatever means your

diff --git a/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S2068.html b/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S2068.html
@@ -15,7 +15,7 @@ <h2>Ask Yourself Whether</h2>
  <li> Credentials are used in production environments. </li>
  <li> Application re-distribution is required before updating the credentials. </li>
 </ul>
-<p>You are at risk, if you answered yes to any of these questions.</p>
+<p>There is a risk if you answered yes to any of those questions.</p>
 <h2>Recommended Secure Coding Practices</h2>
 <ul>
  <li> Store the credentials in a configuration file that is not pushed to the code repository. </li>

diff --git a/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S2077.html b/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S2077.html
@@ -23,7 +23,7 @@ <h2>Ask Yourself Whether</h2>
  <li> the SQL query is built using string formatting technics, such as concatenating variables. </li>
  <li> some of the values are coming from an untrusted source and are not sanitized. </li>
 </ul>
-<p>You may be at risk if you answered yes to this question.</p>
+<p>There is a risk if you answered yes to any of those questions.</p>
 <h2>Recommended Secure Coding Practices</h2>
 <ul>
  <li> Avoid building queries manually using formatting. If you do it anyway, do not include user input in this building process. </li>
@@ -65,6 +65,16 @@ <h2>Sensitive Code Example</h2>
        },
    )
 </pre>
+<h2>Compliant Solution</h2>
+<pre>
+cursor = connection.cursor(prepared=True)
+sql_insert_query = """ select col from sometable here mycol = %s and othercol = %s """
+
+select_tuple = (1, value)
+
+cursor.execute(sql_insert_query, select_tuple) # Compliant, the query is parameterized
+connection.commit()
+</pre>
 <h2>See</h2>
 <ul>
  <li> <a href="https://www.owasp.org/index.php/Top_10-2017_A1-Injection">OWASP Top 10 2017 Category A1</a> - Injection </li>

diff --git a/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S2092.html b/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S2092.html
@@ -6,14 +6,14 @@ <h2>Ask Yourself Whether</h2>
  <li> it's not sure that the website contains <a href="https://developer.mozilla.org/fr/docs/S%C3%A9curit%C3%A9/MixedContent">mixed content</a> or
  not (ie HTTPS everywhere or not) </li>
 </ul>
-<p>You are at risk if you answered yes to any of those questions.</p>
+<p>There is a risk if you answered yes to any of those questions.</p>
 <h2>Recommended Secure Coding Practices</h2>
 <ul>
  <li> It is recommended to use <code>HTTPs</code> everywhere so setting the <code>secure</code> flag to <em>true</em> should be the default behaviour
  when creating cookies. </li>
  <li> Set the <code>secure</code> flag to <em>true</em> for session-cookies. </li>
 </ul>
-<h2>Sensitive Code Examples</h2>
+<h2>Sensitive Code Example</h2>
 <p>Flask</p>
 <pre>
 from flask import Response

diff --git a/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S2245.html b/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S2245.html
@@ -14,7 +14,7 @@ <h2>Ask Yourself Whether</h2>
  <li> the generated value is used multiple times. </li>
  <li> an attacker can access the generated value. </li>
 </ul>
-<p>You are at risk if you answered yes to the first question and any of the following ones.</p>
+<p>There is a risk if you answered yes to any of those questions.</p>
 <h2>Recommended Secure Coding Practices</h2>
 <ul>
  <li> Only use random number generators which are <a

diff --git a/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S2275.html b/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S2275.html
@@ -18,8 +18,10 @@ <h2>Compliant Solution</h2>

 print('User {a} has not been able to access {b}'.format(a='Alice', b='MyFile'))
 </pre>
-<h2>See also</h2>
+<h2>See</h2>
 <ul>
-  <li> {rule:python:S3457} - Strings should be formatted correctly. </li>
+  <li> <a href="https://docs.python.org/3/library/string.html#format-string-syntax">Python documentation - Format String Syntax</a> </li>
+  <li> <a href="https://docs.python.org/3/library/stdtypes.html#printf-style-string-formatting">Python documentation - printf-style String
+  Formatting</a> </li>
 </ul>

diff --git a/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S3330.html b/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S3330.html
@@ -9,13 +9,13 @@ <h2>Ask Yourself Whether</h2>
  <li> the <code>HttpOnly</code> attribute offer an additional protection (not the case for an <em>XSRF-TOKEN cookie</em> / CSRF token for example)
  </li>
 </ul>
-<p>You are at risk if you answered yes to any of those questions.</p>
+<p>There is a risk if you answered yes to any of those questions.</p>
 <h2>Recommended Secure Coding Practices</h2>
 <ul>
  <li> By default the <code>HttpOnly</code> flag should be set to <em>true</em> for most of the cookies and it's mandatory for session /
  sensitive-security cookies. </li>
 </ul>
-<h2>Sensitive Code Examples</h2>
+<h2>Sensitive Code Example</h2>
 <p>Flask:</p>
 <pre>
 from flask import Response

diff --git a/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S3457.html b/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S3457.html
@@ -8,7 +8,6 @@
 <ul>
  <li> A string formatted with <code>%</code> will not return the expected string because some arguments are not used. </li>
  <li> A string formatted with <code>str.format</code> will not return the expected string because some arguments are not used. </li>
-  <li> An "f-string" doesn't contain any replacement field, which probably means that some curly braces are missing. </li>
  <li> Loggers will log an error because their message is not formatted properly. </li>
 </ul>
 <p>Rule {rule:python:S2275} covers cases where formatting a string will raise an exception.</p>
@@ -18,10 +17,6 @@ <h2>Noncompliant Code Example</h2>

 "Error: User {} has not been able to access []".format("Alice", "MyFile")  # Noncompliant. Remove 1 unexpected argument or add a replacement field.

-user = "Alice"
-resource = "MyFile"
-message = f"Error: User [user] has not been able to access [resource]"  # Noncompliant. Add replacement fields or use a normal string instead of an f-string.
-
 import logging
 logging.error("Error: User %s has not been able to access %s", "Alice")  # Noncompliant. Add 1 missing argument.
 </pre>
@@ -31,10 +26,6 @@ <h2>Compliant Solution</h2>

 "Error: User {} has not been able to access {}".format("Alice", "MyFile")

-user = "Alice"
-resource = "MyFile"
-message = f"Error: User {user} has not been able to access {resource}"
-
 import logging
 logging.error("Error: User %s has not been able to access %s", "Alice", "MyFile")
 </pre>

diff --git a/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S4423.json b/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S4423.json
@@ -20,7 +20,8 @@
  "securityStandards": {
    "CWE": [
      327,
-      326
+      326,
+      295
    ],
    "OWASP": [
      "A3",

diff --git a/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S4502.html b/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S4502.html
@@ -17,7 +17,7 @@ <h2>Ask Yourself Whether</h2>
  <li> The state / resources of the web application could be modified by doing HTTP POST or HTTP DELETE requests for example. </li>
  <li> The web application is not only a public API designed to be requested by external websites. </li>
 </ul>
-<p>You are at risk if you answered yes to any of those questions.</p>
+<p>There is a risk if you answered yes to any of those questions.</p>
 <h2>Recommended Secure Coding Practices</h2>
 <ul>
  <li> Protection against CSRF attacks is strongly recommended:

diff --git a/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S4507.html b/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S4507.html
@@ -11,11 +11,9 @@ <h2>Ask Yourself Whether</h2>
  <li> the code or configuration enabling the application debug features is deployed on production servers. </li>
  <li> the application runs by default with debug features activated. </li>
 </ul>
-<p>You are at risk if you answered yes to any of these questions.</p>
+<p>There is a risk if you answered yes to any of those questions.</p>
 <h2>Recommended Secure Coding Practices</h2>
-<ul>
-  <li> Do not enable debug features on production servers. </li>
-</ul>
+<p>Do not enable debug features on production servers.</p>
 <h2>Sensitive Code Example</h2>
 <p>Django</p>
 <pre>

diff --git a/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S4721.html b/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S4721.html
@@ -1,106 +1,94 @@
-<p>OS commands are security-sensitive. For example, their use has led in the past to the following vulnerabilities:</p>
+<p>Arbitrary OS commands can be executed by an attacker when:</p>
 <ul>
-  <li> <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12465">CVE-2018-12465</a> </li>
-  <li> <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7187">CVE-2018-7187</a> </li>
+  <li> The OS command name to execute is user-controlled. </li>
+  <li> A shell is spawn rather than a new process, in this case shell meta-chars can be used (when parameters are user-controlled for instance) to
+  inject OS commands. </li>
+  <li> The executable is searched in the directories specified by the PATH variable (which can contain user-controlled or malicious directories).
+  </li>
 </ul>
-<p>Applications that execute operating system commands or execute commands that interact with the underlying system should neutralize any
-externally-provided input used to construct those commands. Failure to do so could allow an attacker to execute unexpected or dangerous commands,
-potentially leading to loss of confidentiality, integrity or availability.</p>
-<p> </p>
-<p>This rule flags code that specifies the name of the command to run. The goal is to guide security code reviews.</p>
 <h2>Ask Yourself Whether</h2>
 <ul>
-  <li> the executed command is constructed by input that is externally-influenced, for example, user input (attacker). (*) </li>
-  <li> the command execution is not restricted to the right users. (*) </li>
-  <li> the application can be redesigned to not rely on external input to execute the command. </li>
+  <li> OS command name or parameters are user-controlled. </li>
+  <li> The relative path of the OS command is specified. </li>
+  <li> OS commands are not executed in an isolated/sandboxed environment. </li>
+  <li> OS command are executed with high privileges. </li>
 </ul>
-<p>(*) You are at risk if you answered yes to any of those questions.</p>
+<p>There is a risk if you answered yes to any of those questions.</p>
 <p> </p>
 <h2>Recommended Secure Coding Practices</h2>
-<p>Restrict the control given to the user over the executed command:</p>
-<ul>
-  <li> make the executed command part of a whitelist and reject all commands not part of this list. </li>
-  <li> sanitize the user input. </li>
-</ul>
-<p> </p>
-<p>Restrict which users can have access to the command:</p>
-<ul>
-  <li> use a firewall to protect the process running the code, and to protect the network from the command. </li>
-  <li> authenticate the user and allow only some users to run the command. </li>
-</ul>
-<p>Reduce the damage the command can do:</p>
 <ul>
-  <li> execute the code in a sandbox environment that enforces strict boundaries between the operating system and the process. For example: a "jail".
-  </li>
-  <li> refuse to run the command if the process has too many privileges. For example: forbid running the code as "root". </li>
+  <li> User-controlled inputs should not be used, for any reasons, to build a dynamically OS command (command name or even parameters when shell is
+  used). </li>
+  <li> Fully qualified/absolute path should be used to specify the OS command to execute. </li>
+  <li> If possible, set the lowest privileges to the new process/shell in which commands are executed. </li>
+  <li> If possible, execute the OS commands in an isolated environment. </li>
 </ul>
-<p> </p>
 <h2>Sensitive Code Example</h2>
 <p>Python 3</p>
 <pre>
-import subprocess
-import os
-
-params = ["ls", "-l"]
-
-subprocess.run(params)  # Sensitive
-subprocess.Popen(params)  # Sensitive
-
-# Older API
-
-subprocess.call(params)  # Sensitive
-subprocess.check_call(params)  # Sensitive
-subprocess.check_output(params)  # Sensitive
-
-cmd = "ls -l"
-os.system(cmd)  # Sensitive
-
-mode = os.P_WAIT
-file = "ls"
-path = "/bin/ls"
-env = os.environ
-os.spawnl(mode, path, *params)  # Sensitive
-os.spawnle(mode, path, *params, env)  # Sensitive
-os.spawnlp(mode, file, *params)  # Sensitive
-os.spawnlpe(mode, file, *params, env)  # Sensitive
-os.spawnv(mode, path, params)  # Sensitive
-os.spawnve(mode, path, params, env)  # Sensitive
-os.spawnvp(mode, file, params)  # Sensitive
-os.spawnvpe(mode, file, params, env)  # Sensitive
-
-mode = 'r'
-(child_stdout) = os.popen(cmd, mode, 1)  # Sensitive
-# print(child_stdout.read())
+subprocess.run(cmd, shell=True)  # Sensitive
+subprocess.Popen(cmd, shell=True)  # Sensitive
+subprocess.call(cmd, shell=True)  # Sensitive
+subprocess.check_call(cmd, shell=True)  # Sensitive
+subprocess.check_output(cmd, shell=True)  # Sensitive
+os.system(cmd)  # Sensitive: a shell is always spawn
+</pre>
+<p>Python 2</p>
+<pre>
+cmd = "when a string is passed through these function, a shell is spawn"
+(_, child_stdout, _) = os.popen2(cmd)  # Sensitive
+(_, child_stdout, _) = os.popen3(cmd)  # Sensitive
+(_, child_stdout) = os.popen4(cmd)  # Sensitive

-(_, output) = subprocess.getstatusoutput(cmd)  # Sensitive

-out = subprocess.getoutput(cmd)  # Sensitive
+(child_stdout, _) = popen2.popen2(cmd)  # Sensitive
+(child_stdout, _, _) = popen2.popen3(cmd)  # Sensitive
+(child_stdout, _) = popen2.popen4(cmd)  # Sensitive
+</pre>
+<h2>Compliant Solution</h2>
+<p>Python 3</p>
+<pre>
+# by default shell=False, a shell is not spawn
+subprocess.run(cmd)  # Compliant
+subprocess.Popen(cmd)  # Compliant
+subprocess.call(cmd)  # Compliant
+subprocess.check_call(cmd)  # Compliant
+subprocess.check_output(cmd)  # Compliant

-os.startfile(path)  # Sensitive
+# always in a subprocess:
+os.spawnl(mode, path, *cmd)  # Compliant
+os.spawnle(mode, path, *cmd, env)  # Compliant
+os.spawnlp(mode, file, *cmd)  # Compliant
+os.spawnlpe(mode, file, *cmd, env)  # Compliant
+os.spawnv(mode, path, cmd)  # Compliant
+os.spawnve(mode, path, cmd, env)  # Compliant
+os.spawnvp(mode, file, cmd)  # Compliant
+os.spawnvpe(mode, file, cmd, env)  # Compliant

-os.execl(path, *params)  # Sensitive
-os.execle(path, *params, env)  # Sensitive
-os.execlp(file, *params)  # Sensitive
-os.execlpe(file, *params, env)  # Sensitive
-os.execv(path, params)  # Sensitive
-os.execve(path, params, env)  # Sensitive
-os.execvp(file, params)  # Sensitive
-os.execvpe(file, params, env)  # Sensitive
+(child_stdout) = os.popen(cmd, mode, 1)  # Compliant
+(_, output) = subprocess.getstatusoutput(cmd)  # Compliant
+out = subprocess.getoutput(cmd)  # Compliant
+os.startfile(path)  # Compliant
+os.execl(path, *cmd)  # Compliant
+os.execle(path, *cmd, env)  # Compliant
+os.execlp(file, *cmd)  # Compliant
+os.execlpe(file, *cmd, env)  # Compliant
+os.execv(path, cmd)  # Compliant
+os.execve(path, cmd, env)  # Compliant
+os.execvp(file, cmd)  # Compliant
+os.execvpe(file, cmd, env)  # Compliant
 </pre>
 <p>Python 2</p>
 <pre>
-import os
-import popen2
+cmdsargs = ("use", "a", "sequence", "to", "directly", "start", "a", "subprocess")

-cmd = "ls -l"
-mode = "r"
-(_, child_stdout) = os.popen2(cmd, mode)  # Sensitive
-(_, child_stdout, _) = os.popen3(cmd, mode)  # Sensitive
-(_, child_stdout) = os.popen4(cmd, mode)  # Sensitive
+(_, child_stdout) = os.popen2(cmdsargs)  # Compliant
+(_, child_stdout, _) = os.popen3(cmdsargs)  # Compliant
+(_, child_stdout) = os.popen4(cmdsargs)  # Compliant

-(child_stdout, _) = popen2.popen2(cmd)  # Sensitive
-(child_stdout, _, _) = popen2.popen3(cmd)  # Sensitive
-(child_stdout, _) = popen2.popen4(cmd)  # Sensitive
+(child_stdout, _) = popen2.popen2(cmdsargs)  # Compliant
+(child_stdout, _, _) = popen2.popen3(cmdsargs)  # Compliant
+(child_stdout, _) = popen2.popen4(cmdsargs)  # Compliant
 </pre>
 <h2>See</h2>
 <ul>

diff --git a/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S4784.html b/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S4784.html
@@ -19,7 +19,7 @@ <h2>Ask Yourself Whether</h2>
  <li> the executed regular expression is sensitive and a user can provide a string which will be analyzed by this regular expression. </li>
  <li> your regular expression engine performance decrease with specially crafted inputs and regular expressions. </li>
 </ul>
-<p>You may be at risk if you answered yes to any of those questions.</p>
+<p>There is a risk if you answered yes to any of those questions.</p>
 <h2>Recommended Secure Coding Practices</h2>
 <p>Check whether your regular expression engine (the algorithm executing your regular expression) has any known vulnerabilities. Search for
 vulnerability reports mentioning the one engine you're are using.</p>

diff --git a/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S4787.html b/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S4787.html
@@ -101,4 +101,6 @@ <h2>See</h2>
  <li> <a href="http://cwe.mitre.org/data/definitions/327.html">MITRE, CWE-327</a> - Use of a Broken or Risky Cryptographic Algorithm </li>
  <li> <a href="https://www.sans.org/top25-software-errors/#cat3">SANS Top 25</a> - Porous Defenses </li>
 </ul>
+<h2>Deprecated</h2>
+<p>This rule is deprecated, and will eventually be removed.</p>