blacklist_imports

Blacklist various Python imports known to be dangerous

This blacklist data checks for a number of Python modules known to have possible security implications. The following blacklist tests are run against any import statements or calls encountered in the scanned code base.

Note that the XML rules listed here are mostly based off of Christian Heimes’ work on defusedxml: https://pypi.python.org/pypi/defusedxml

B401: import_telnetlib

A telnet-related module is being imported. Telnet is considered insecure. Use SSH or some other encrypted protocol.

ID	Name	Imports	Severity
B401	import_telnetlib	telnetlib	high

B402: import_ftplib

A FTP-related module is being imported. FTP is considered insecure. Use SSH/SFTP/SCP or some other encrypted protocol.

ID	Name	Imports	Severity
B402	inport_ftplib	ftplib	high

B403: import_pickle

Consider possible security implications associated with these modules.

ID	Name	Imports	Severity
B403	import_pickle	pickle cPickle	low

B404: import_subprocess

Consider possible security implications associated with these modules.

ID	Name	Imports	Severity
B404	import_subprocess	subprocess	low

B405: import_xml_etree

Using various methods to parse untrusted XML data is known to be vulnerable to XML attacks. Replace vulnerable imports with the equivalent defusedxml package, or make sure defusedxml.defuse_stdlib() is called.

ID	Name	Imports	Severity
B405	import_xml_etree	xml.etree.cElementTree xml.etree.ElementTree	low

B406: import_xml_sax

Using various methods to parse untrusted XML data is known to be vulnerable to XML attacks. Replace vulnerable imports with the equivalent defusedxml package, or make sure defusedxml.defuse_stdlib() is called.

ID	Name	Imports	Severity
B406	import_xml_sax	xml.sax	low

B407: import_xml_expat

Using various methods to parse untrusted XML data is known to be vulnerable to XML attacks. Replace vulnerable imports with the equivalent defusedxml package, or make sure defusedxml.defuse_stdlib() is called.

ID	Name	Imports	Severity
B407	import_xml_expat	xml.dom.expatbuilder	low

B408: import_xml_minidom

Using various methods to parse untrusted XML data is known to be vulnerable to XML attacks. Replace vulnerable imports with the equivalent defusedxml package, or make sure defusedxml.defuse_stdlib() is called.

ID	Name	Imports	Severity
B408	import_xml_minidom	xml.dom.minidom	low

B409: import_xml_pulldom

Using various methods to parse untrusted XML data is known to be vulnerable to XML attacks. Replace vulnerable imports with the equivalent defusedxml package, or make sure defusedxml.defuse_stdlib() is called.

ID	Name	Imports	Severity
B409	import_xml_pulldom	xml.dom.pulldom	low

B410: import_lxml

Using various methods to parse untrusted XML data is known to be vulnerable to XML attacks. Replace vulnerable imports with the equivalent defusedxml package.

ID	Name	Imports	Severity
B410	import_lxml	lxml	low

B411: import_xmlrpclib

XMLRPC is particularly dangerous as it is also concerned with communicating data over a network. Use defused.xmlrpc.monkey_patch() function to monkey-patch xmlrpclib and mitigate remote XML attacks.

ID	Name	Imports	Severity
B411	import_xmlrpclib	xmlrpclib	high

B412: import_httpoxy

httpoxy is a set of vulnerabilities that affect application code running in CGI, or CGI-like environments. The use of CGI for web applications should be avoided to prevent this class of attack. More details are available at https://httpoxy.org/.

ID	Name	Imports	Severity
B412	import_httpoxy	wsgiref.handlers.CGIHandler twisted.web.twcgi.CGIScript	high

B413: import_pycrypto

pycrypto library is known to have publicly disclosed buffer overflow vulnerability https://github.com/dlitz/pycrypto/issues/176. It is no longer actively maintained and has been deprecated in favor of pyca/cryptography library.

ID	Name	Imports	Severity
B413	import_pycrypto	Crypto.Cipher Crypto.Hash Crypto.IO Crypto.Protocol Crypto.PublicKey Crypto.Random Crypto.Signature Crypto.Util	high