Blacklist various Python calls known to be dangerous

This blacklist data checks for a number of Python calls known to have possible security implications. The following blacklist tests are run against any function calls encoutered in the scanned code base, triggered by encoutering ast.Call nodes.

B301: pickle

Pickle and modules that wrap it can be unsafe when used to deserialize untrusted data, possible security issue.

ID Name Calls Severity
B301 pickle
  • pickle.loads
  • pickle.load
  • pickle.Unpickler
  • cPickle.loads
  • cPickle.load
  • cPickle.Unpickler
  • dill.loads
  • dill.load
  • dill.Unpickler
  • shelve.DbfilenameShelf

B302: marshal

Deserialization with the marshal module is possibly dangerous.

ID Name Calls Severity
B302 marshal
  • marshal.load
  • marshal.loads

B303: md5

Use of insecure MD2, MD4, MD5, or SHA1 hash function.

ID Name Calls Severity
B303 md5
  • hashlib.md5
  • hashlib.sha1
  • cryptography.hazmat.primitives .hashes.MD5
  • cryptography.hazmat.primitives .hashes.SHA1

B304 - B305: ciphers and modes

Use of insecure cipher or cipher mode. Replace with a known secure cipher such as AES.

ID Name Calls Severity
B304 ciphers
  • cryptography.hazmat.primitives .ciphers.algorithms.ARC4
  • cryptography.hazmat.primitives .ciphers.algorithms.Blowfish
  • cryptography.hazmat.primitives .ciphers.algorithms.IDEA
B305 cipher_modes
  • cryptography.hazmat.primitives .ciphers.modes.ECB

B306: mktemp_q

Use of insecure and deprecated function (mktemp).

ID Name Calls Severity
B306 mktemp_q
  • tempfile.mktemp

B307: eval

Use of possibly insecure function - consider using safer ast.literal_eval.

ID Name Calls Severity
B307 eval
  • eval

B308: mark_safe

Use of mark_safe() may expose cross-site scripting vulnerabilities and should be reviewed.

ID Name Calls Severity
B308 mark_safe
  • django.utils.safestring.mark_safe

B309: httpsconnection

Use of HTTPSConnection on older versions of Python prior to 2.7.9 and 3.4.3 do not provide security, see

ID Name Calls Severity
B309 httpsconnection
  • httplib.HTTPSConnection
  • http.client.HTTPSConnection
  • six.moves.http_client .HTTPSConnection

B310: urllib_urlopen

Audit url open for permitted schemes. Allowing use of ‘file:’’ or custom schemes is often unexpected.

ID Name Calls Severity
B310 urllib_urlopen
  • urllib.urlopen
  • urllib.request.urlopen
  • urllib.urlretrieve
  • urllib.request.urlretrieve
  • urllib.URLopener
  • urllib.request.URLopener
  • urllib.FancyURLopener
  • urllib.request.FancyURLopener
  • urllib2.urlopen
  • urllib2.Request
  • six.moves.urllib.request.urlopen
  • six.moves.urllib.request .urlretrieve
  • six.moves.urllib.request .URLopener
  • six.moves.urllib.request .FancyURLopener

B311: random

Standard pseudo-random generators are not suitable for security/cryptographic purposes.

ID Name Calls Severity
B311 random
  • random.random
  • random.randrange
  • random.randint
  • random.choice
  • random.uniform
  • random.triangular

B312: telnetlib

Telnet-related functions are being called. Telnet is considered insecure. Use SSH or some other encrypted protocol.

ID Name Calls Severity
B312 telnetlib
  • telnetlib.*

B313 - B320: XML

Most of this is based off of Christian Heimes’ work on defusedxml:

Using various XLM methods to parse untrusted XML data is known to be vulnerable to XML attacks. Methods should be replaced with their defusedxml equivalents.

ID Name Calls Severity
B313 xml_bad_cElementTree
  • xml.etree.cElementTree.parse
  • xml.etree.cElementTree.iterparse
  • xml.etree.cElementTree.fromstring
  • xml.etree.cElementTree.XMLParser
B314 xml_bad_ElementTree
  • xml.etree.ElementTree.parse
  • xml.etree.ElementTree.iterparse
  • xml.etree.ElementTree.fromstring
  • xml.etree.ElementTree.XMLParser
B315 xml_bad_expatreader
  • xml.sax.expatreader.create_parser
B316 xml_bad_expatbuilder
  • xml.dom.expatbuilder.parse
  • xml.dom.expatbuilder.parseString
B317 xml_bad_sax
  • xml.sax.parse
  • xml.sax.parseString
  • xml.sax.make_parser
B318 xml_bad_minidom
  • xml.dom.minidom.parse
  • xml.dom.minidom.parseString
B319 xml_bad_pulldom
  • xml.dom.pulldom.parse
  • xml.dom.pulldom.parseString
B320 xml_bad_etree
  • lxml.etree.parse
  • lxml.etree.fromstring
  • lxml.etree.RestrictedElement
  • lxml.etree.GlobalParserTLS
  • lxml.etree.getDefaultParser
  • lxml.etree.check_docinfo

B321: ftplib

FTP-related functions are being called. FTP is considered insecure. Use SSH/SFTP/SCP or some other encrypted protocol.

ID Name Calls Severity
B321 ftplib
  • ftplib.*

B322: input

The input method in Python 2 will read from standard input, evaluate and run the resulting string as python source code. This is similar, though in many ways worse, than using eval. On Python 2, use raw_input instead, input is safe in Python 3.

ID Name Calls Severity
B322 input
  • input

B323: unverified_context

By default, Python will create a secure, verified ssl context for use in such classes as HTTPSConnection. However, it still allows using an insecure context via the _create_unverified_context that reverts to the previous behavior that does not validate certificates or perform hostname checks.

ID Name Calls Severity
B323 unverified_context
  • ssl._create_unverified_context

B325: tempnam

Use of os.tempnam() and os.tmpnam() is vulnerable to symlink attacks. Consider using tmpfile() instead.

For further information:
ID Name Calls Severity
B325 tempnam
  • os.tempnam
  • os.tmpnam