Secure Coding in Python
Kor son of Rynar
daharmasterkor at gmail.com
Sat Apr 25 19:30:16 EDT 2020
Dear Souvik,
On Fri, Apr 10, 2020 at 9:53 PM Souvik Dutta <souvik.viksou at gmail.com>
wrote:
> Is this what you are looking for?
> https://medium.com/@felsen88/python-secure-coding-guidelines-73c7ce1db86c
>
Thank you very much for the link. Yes, it is along those lines, although
the reference above has more links to good coding style practices (also
important, of course) than actual secure coding advice, IMHO.
For example, any idiom or library you would recommend for input validation?
[potentially malicious input from the cmdline arguments, Unix environment,
network socket, etc]
Thanks again,
--
Kor
> On Sat, 11 Apr, 2020, 3:54 am Kor son of Rynar, <daharmasterkor at gmail.com>
> wrote:
>
>> Dear list,
>>
>> As many of you know, SEI/CERT maintains a set of secure coding standards
>> for many languages like C/C++, Java and Perl:
>>
>> SEI CERT Coding Standards
>>
>>
>> https://wiki.sei.cmu.edu/confluence/display/seccode/SEI+CERT+Coding+Standards
>>
>> I'm looking for something similar, but with specific advice applicable to
>> Python. Books and online references are welcome.
>>
>> On the same topic: coming from Perl, I'm used to "Taint mode":
>> --
>> https://perldoc.perl.org/perlsec.html
>>
>> While in this mode, Perl takes special precautions called taint checks to
>> prevent both obvious and subtle traps. Some of these checks are reasonably
>> simple, such as verifying that path directories aren't writable by others;
>> careful programmers have always used checks like these. Other checks,
>> however, are best supported by the language itself, and it is these checks
>> especially that contribute to making a set-id Perl program more secure
>> than
>> the corresponding C program.
>>
>> You may not use data derived from outside your program to affect something
>> else outside your program--at least, not by accident. All command line
>> arguments, environment variables, locale information (see perllocale),
>> results of certain system calls (readdir(), readlink(), the variable of
>> shmread(), the messages returned by msgrcv(), the password, gcos and shell
>> fields returned by the getpwxxx() calls), and all file input are marked as
>> "tainted". Tainted data may not be used directly or indirectly in any
>> command that invokes a sub-shell, nor in any command that modifies files,
>> directories, or processes, ...
>> --
>>
>> Is there anything like this in Python? What would be your
>> recommendations? Thanks!
>>
>> Regards,
>> --
>> Kor.
>> --
>> https://mail.python.org/mailman/listinfo/python-list
>>
>
More information about the Python-list
mailing list