pySCG: Adding documentation to CWE-175 as part of #531 #687
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Signed-off-by: edanhub <[email protected]>
myteron
reviewed
Nov 6, 2024
There was a problem hiding this comment.
code not working, line 12 and 15 are missing locale.CURRENT_LOCALE
docs/Secure-Coding-Guide-for-Python/CWE-707/CWE-175/compliant03.py
Outdated
Show resolved
Hide resolved
docs/Secure-Coding-Guide-for-Python/CWE-707/CWE-175/noncompliant03.py
Outdated
Show resolved
Hide resolved
myteron
changed the title
Signed-off-by: edanhub <[email protected]>
BartyBoi1128
reviewed
Nov 7, 2024
myteron
reviewed
Nov 7, 2024
BartyBoi1128
reviewed
Nov 7, 2024
docs/Secure-Coding-Guide-for-Python/CWE-707/CWE-175/example03.py
Outdated
Show resolved
Hide resolved
BartyBoi1128
reviewed
Nov 7, 2024
BartyBoi1128
reviewed
Nov 7, 2024
Co-authored-by: myteron <[email protected]> Signed-off-by: Hubert Daniszewski <[email protected]>
Co-authored-by: myteron <[email protected]> Signed-off-by: Hubert Daniszewski <[email protected]>
docs/Secure-Coding-Guide-for-Python/CWE-707/CWE-175/compliant01.py
Outdated
Show resolved
Hide resolved
docs/Secure-Coding-Guide-for-Python/CWE-707/CWE-175/compliant02.py
Outdated
Show resolved
Hide resolved
docs/Secure-Coding-Guide-for-Python/CWE-707/CWE-175/noncompliant01.py
Outdated
Show resolved
Hide resolved
docs/Secure-Coding-Guide-for-Python/CWE-707/CWE-175/noncompliant02.py
Outdated
Show resolved
Hide resolved
BartyBoi1128
suggested changes
Nov 21, 2024
Co-authored-by: BartyBoi1128 <[email protected]> Signed-off-by: Hubert Daniszewski <[email protected]>
…1.py Co-authored-by: BartyBoi1128 <[email protected]> Signed-off-by: Hubert Daniszewski <[email protected]>
…2.py Co-authored-by: BartyBoi1128 <[email protected]> Signed-off-by: Hubert Daniszewski <[email protected]>
Co-authored-by: BartyBoi1128 <[email protected]> Signed-off-by: Hubert Daniszewski <[email protected]>
Co-authored-by: BartyBoi1128 <[email protected]> Signed-off-by: Hubert Daniszewski <[email protected]>
…nt01.py Co-authored-by: BartyBoi1128 <[email protected]> Signed-off-by: Hubert Daniszewski <[email protected]>
…nt01.py Co-authored-by: BartyBoi1128 <[email protected]> Signed-off-by: Hubert Daniszewski <[email protected]>
…nt02.py Co-authored-by: BartyBoi1128 <[email protected]> Signed-off-by: Hubert Daniszewski <[email protected]>
…nt01.py Co-authored-by: BartyBoi1128 <[email protected]> Signed-off-by: Hubert Daniszewski <[email protected]>
Thank you for the suggestions, I have now merged all of them. As for the "##" in comments, I will change them to a singular "#" and indicate if they are supposed to be console output or something else. |
Signed-off-by: edanhub <[email protected]>
Signed-off-by: Hubert Daniszewski <[email protected]>
myteron
requested changes
Nov 27, 2024
Comment on lines
+30
to
+32
| print(word.upper()) | ||
| locale.setlocale(locale.LC_ALL, "tr_TR.utf8") | ||
| print(word.upper()) |
There was a problem hiding this comment.
Suggested change
| print(word.upper()) | |
| locale.setlocale(locale.LC_ALL, "tr_TR.utf8") | |
| print(word.upper()) | |
| print(WORD.upper()) | |
| locale.setlocale(locale.LC_ALL, "tr_TR.utf8") | |
| print(WORD.upper()) |
Comment on lines
+6
to
+8
| print(word.upper()) | ||
| locale.setlocale(locale.LC_ALL, "tr_TR.utf8") | ||
| print(word.upper()) |
There was a problem hiding this comment.
Suggested change
| print(word.upper()) | |
| locale.setlocale(locale.LC_ALL, "tr_TR.utf8") | |
| print(word.upper()) | |
| print(WORD.upper()) | |
| locale.setlocale(locale.LC_ALL, "tr_TR.utf8") | |
| print(WORD.upper()) |
Comment on lines
+151
to
+175
| def compare_number(number): | ||
| input_number = locale.atof(input("Enter a number: ")) | ||
| # Test if inputted number equals current number | ||
| return number == input_number | ||
|
|
||
|
|
||
| print(f"Locale is {locale.getlocale()}") | ||
| print(f"Do the numbers match? {compare_number(ORIGINAL_NUMBER)}") | ||
|
|
||
| # Console output: | ||
| # Locale is ('English_Ireland', '1252') | ||
| # Enter a number: 12,345 | ||
| # Do the numbers match? False | ||
|
|
||
| # After setting the locale | ||
|
|
||
| locale.setlocale(locale.LC_ALL, 'de_DE.utf8') | ||
| print(f"Locale is {locale.getlocale()}") | ||
| print(f"Do the numbers match? {compare_number(ORIGINAL_NUMBER)}") | ||
|
|
||
| # Console output: | ||
| # Locale is ('de_DE', 'UTF-8') | ||
| # Enter a number: 12,345 | ||
| # Do the numbers match? True | ||
|
|
There was a problem hiding this comment.
I thinks it becomes self explaining what to do once we add the number to type in. output example should be below code
Suggested change
| def compare_number(number): | |
| input_number = locale.atof(input("Enter a number: ")) | |
| # Test if inputted number equals current number | |
| return number == input_number | |
| print(f"Locale is {locale.getlocale()}") | |
| print(f"Do the numbers match? {compare_number(ORIGINAL_NUMBER)}") | |
| # Console output: | |
| # Locale is ('English_Ireland', '1252') | |
| # Enter a number: 12,345 | |
| # Do the numbers match? False | |
| # After setting the locale | |
| locale.setlocale(locale.LC_ALL, 'de_DE.utf8') | |
| print(f"Locale is {locale.getlocale()}") | |
| print(f"Do the numbers match? {compare_number(ORIGINAL_NUMBER)}") | |
| # Console output: | |
| # Locale is ('de_DE', 'UTF-8') | |
| # Enter a number: 12,345 | |
| # Do the numbers match? True | |
| def compare_number(number): | |
| input_number = locale.atof(input(f"Enter a number {ORIGINAL_NUMBER}: ")) | |
| # Test if inputted number equals current number | |
| return number == input_number | |
| print(f"Locale is {locale.getlocale()}") | |
| print(f"Do the numbers match? {compare_number(ORIGINAL_NUMBER)}") | |
| # Setting the locale to German | |
| locale.setlocale(locale.LC_ALL, 'de_DE.utf8') | |
| print(f"Locale is {locale.getlocale()}") | |
| print(f"Do the numbers match? {compare_number(ORIGINAL_NUMBER)}") | |
Comment on lines
+8
to
+31
| def compare_number(number): | ||
| input_number = locale.atof(input("Enter a number: ")) | ||
| # Test if inputted number equals current number | ||
| return number == input_number | ||
|
|
||
|
|
||
| print(f"Locale is {locale.getlocale()}") | ||
| print(f"Do the numbers match? {compare_number(ORIGINAL_NUMBER)}") | ||
|
|
||
| # Console output: | ||
| # Locale is ('English_Ireland', '1252') | ||
| # Enter a number: 12,345 | ||
| # Do the numbers match? False | ||
|
|
||
| # After setting the locale | ||
|
|
||
| locale.setlocale(locale.LC_ALL, 'de_DE.utf8') | ||
| print(f"Locale is {locale.getlocale()}") | ||
| print(f"Do the numbers match? {compare_number(ORIGINAL_NUMBER)}") | ||
|
|
||
| # Console output: | ||
| # Locale is ('de_DE', 'UTF-8') | ||
| # Enter a number: 12,345 | ||
| # Do the numbers match? True |
There was a problem hiding this comment.
I think it becomes self explaining once we add the number to type in. Output should be below code example
Suggested change
| def compare_number(number): | |
| input_number = locale.atof(input("Enter a number: ")) | |
| # Test if inputted number equals current number | |
| return number == input_number | |
| print(f"Locale is {locale.getlocale()}") | |
| print(f"Do the numbers match? {compare_number(ORIGINAL_NUMBER)}") | |
| # Console output: | |
| # Locale is ('English_Ireland', '1252') | |
| # Enter a number: 12,345 | |
| # Do the numbers match? False | |
| # After setting the locale | |
| locale.setlocale(locale.LC_ALL, 'de_DE.utf8') | |
| print(f"Locale is {locale.getlocale()}") | |
| print(f"Do the numbers match? {compare_number(ORIGINAL_NUMBER)}") | |
| # Console output: | |
| # Locale is ('de_DE', 'UTF-8') | |
| # Enter a number: 12,345 | |
| # Do the numbers match? True | |
| def compare_number(number): | |
| input_number = locale.atof(input(f"Enter a number {ORIGINAL_NUMBER}: ")) | |
| # Test if inputted number equals current number | |
| return number == input_number | |
| print(f"Locale is {locale.getlocale()}") | |
| print(f"Do the numbers match? {compare_number(ORIGINAL_NUMBER)}") | |
| # Console output: | |
| # Locale is ('English_Ireland', '1252') | |
| # Enter a number: 12,345 | |
| # Do the numbers match? False | |
| # After setting the locale | |
| locale.setlocale(locale.LC_ALL, 'de_DE.utf8') | |
| print(f"Locale is {locale.getlocale()}") | |
| print(f"Do the numbers match? {compare_number(ORIGINAL_NUMBER)}") | |
| # Console output: | |
| # Locale is ('de_DE', 'UTF-8') | |
| # Enter a number: 12,345 | |
| # Do the numbers match? True |
|
|
||
| ## Non-Compliant Code Example (Encoding) | ||
|
|
||
| The developer should be aware of the text encoding that is used for input data and output data in the program. The code example attempts to use UTF-16 LE encoding to read the LOREM `TextIOWrapper` stream which raises a `UnicodeDecodeError` exception as it was created with UTF-8. |
There was a problem hiding this comment.
Suggested change
| The developer should be aware of the text encoding that is used for input data and output data in the program. The code example attempts to use UTF-16 LE encoding to read the LOREM `TextIOWrapper` stream which raises a `UnicodeDecodeError` exception as it was created with UTF-8. | |
| The developer should be aware of the text encoding that is used for input data and output data in the program. The code example attempts to use `UTF-16 LE` encoding to read the LOREM `TextIOWrapper` stream which raises a `UnicodeDecodeError` exception as it was created with `UTF-8`. |
|
|
||
| ## Compliant Solution (Encoding) | ||
|
|
||
| The correct text encoding, UTF-8 for the LOREM `TextIOWrapper` stream has been included in the program. Ensure the encoding of data is known and explicitly stated when parsing and creating data. |
There was a problem hiding this comment.
Suggested change
| The correct text encoding, UTF-8 for the LOREM `TextIOWrapper` stream has been included in the program. Ensure the encoding of data is known and explicitly stated when parsing and creating data. | |
| The correct text encoding, `UTF-8` for the LOREM `TextIOWrapper` stream has been included in the program. Ensure the encoding of data is known and explicitly stated when parsing and creating data. |
Comment on lines
+222
to
+226
| print(f"{len(output.getvalue().decode('utf-8'))} characters in string") | ||
| ##################### | ||
| # exploiting above code example | ||
| ##################### | ||
| # 1337 characters in string |
There was a problem hiding this comment.
We are not exploiting anything here, comment is enough
Suggested change
| print(f"{len(output.getvalue().decode('utf-8'))} characters in string") | |
| ##################### | |
| # exploiting above code example | |
| ##################### | |
| # 1337 characters in string | |
| # 1337 characters in string | |
| print(f"{len(output.getvalue().decode('utf-8'))} characters in string") |
Comment on lines
+14
to
+18
| print(f"{len(output.getvalue().decode('utf-8'))} characters in string") | ||
| ##################### | ||
| # exploiting above code example | ||
| ##################### | ||
| # 1337 characters in string |
There was a problem hiding this comment.
Not exploiting anything, comment is enough:
Suggested change
| print(f"{len(output.getvalue().decode('utf-8'))} characters in string") | |
| ##################### | |
| # exploiting above code example | |
| ##################### | |
| # 1337 characters in string | |
| # 1337 characters in string | |
| print(f"{len(output.getvalue().decode('utf-8'))} characters in string") |
Comment on lines
+14
to
+18
| print(f"{len(output.getvalue().decode('utf-16le'))} characters in string") | ||
| ##################### | ||
| # exploiting above code example | ||
| ##################### | ||
| # UnicodeDecodeError: 'utf-16-le' codec can't decode byte 0x2e in position 1336: truncated data |
There was a problem hiding this comment.
Not an exploit, comment is enough
Suggested change
| print(f"{len(output.getvalue().decode('utf-16le'))} characters in string") | |
| ##################### | |
| # exploiting above code example | |
| ##################### | |
| # UnicodeDecodeError: 'utf-16-le' codec can't decode byte 0x2e in position 1336: truncated data | |
| # Below outputs UnicodeDecodeError: 'utf-16-le' codec can't decode byte 0x2e in position 1336: truncated data | |
| print(f"{len(output.getvalue().decode('utf-16le'))} characters in string") |
Comment on lines
+196
to
+200
| print(f"{len(output.getvalue().decode('utf-16le'))} characters in string") | ||
| ##################### | ||
| # exploiting above code example | ||
| ##################### | ||
| # UnicodeDecodeError: 'utf-16-le' codec can't decode byte 0x2e in position 1336: truncated data |
There was a problem hiding this comment.
Not an exploit, comment is enough
Suggested change
| print(f"{len(output.getvalue().decode('utf-16le'))} characters in string") | |
| ##################### | |
| # exploiting above code example | |
| ##################### | |
| # UnicodeDecodeError: 'utf-16-le' codec can't decode byte 0x2e in position 1336: truncated data | |
| # Below outputs UnicodeDecodeError: 'utf-16-le' codec can't decode byte 0x2e in position 1336: truncated data | |
| print(f"{len(output.getvalue().decode('utf-16le'))} characters in string") |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Adding documentation to CWE-175 as part of #531