blacklist_imports

Blacklist various Python imports known to be dangerous

This blacklist data checks for a number of Python modules known to have possible security implications. The following blacklist tests are run against any import statements or calls encountered in the scanned code base.

Note that the XML rules listed here are mostly based on Christian Heimes’ work on defusedxml: https://pypi.org/project/defusedxml/

B401: import_telnetlib

A telnet-related module is being imported. Telnet is considered insecure. Use SSH or some other encrypted protocol.

ID    Name              Imports    Severity
B401  import_telnetlib  telnetlib  high

B402: import_ftplib

An FTP-related module is being imported. FTP is considered insecure. Use SSH/SFTP/SCP or some other encrypted protocol.

ID    Name           Imports  Severity
B402  import_ftplib  ftplib   high

B403: import_pickle

Consider possible security implications associated with these modules. They deserialize data by reconstructing arbitrary Python objects, including calls to arbitrary callables, so loading input from an untrusted source can execute attacker-chosen code.

ID    Name           Imports  Severity
B403  import_pickle  pickle   low
                     cPickle
                     dill
                     shelve
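The following is an added example, not Bandit's code, showing why the import is flagged: a pickle stream can name any importable callable and have it invoked on load, and the only stdlib defence is an Unpickler subclass that allow-lists globals. The `record` sink, the `Payload` class and the allow-list contents are invented for the demonstration; a real attacker would reference `os.system` or similar.

```python
# Added example (not Bandit's code): why importing pickle is flagged.
# Unpickling rebuilds objects by calling whatever globals the byte stream
# names, so whoever controls the bytes controls what gets called.
import io
import pickle

# Harmless sink standing in for a dangerous callable such as os.system;
# the payload below "executes" by appending to this list.
EXECUTED = []


def record(cmd):
    """Stand-in for os.system: the attacker's chosen target callable."""
    EXECUTED.append(cmd)
    return 0


class Payload:
    """Attacker-side helper. __reduce__ tells pickle to rebuild this object
    by calling record(cmd); the victim never needs this class, only the
    global name 'record' that the stream references."""

    def __init__(self, cmd):
        self.cmd = cmd

    def __reduce__(self):
        return (record, (self.cmd,))


def build_malicious_pickle(cmd="id > /tmp/pwned"):
    """Constructed sample of what an attacker would submit."""
    return pickle.dumps(Payload(cmd))


def build_benign_pickle():
    """Constructed sample of the data the application actually expects."""
    return pickle.dumps({"user": "alice", "roles": ["reader"]})


def unsafe_load(data):
    """The pattern the blacklist warns about: pickle.loads on untrusted bytes."""
    return pickle.loads(data)


class RestrictedUnpickler(pickle.Unpickler):
    """Allow-list the globals a stream may reference. Never put callables
    (os.system, builtins.eval, subprocess.*) on this list."""

    # Hypothetical set of globals this application's data legitimately needs.
    ALLOWED = {("builtins", "set"), ("builtins", "frozenset")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def safe_load(data):
    """Load with the allow-list; plain containers and scalars need no globals."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def is_rejected(data):
    """True if the restricted loader refuses the stream without running it."""
    try:
        safe_load(data)
    except pickle.UnpicklingError:
        return True
    return False
```

The allow-list approach only works when the expected data never contains callables; if the format needs them, pickle is the wrong serializer for untrusted input and a schema-validated format such as JSON should replace it.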

B404: import_subprocess

Consider possible security implications associated with this module. Commands assembled from untrusted input, especially when run with shell=True, allow command injection.

ID    Name               Imports     Severity
B404  import_subprocess  subprocess  low
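An added example (not Bandit's code) of the injection the subprocess check is there to prompt you to look for: the same user value run through a shell command string, through an argument vector, and through a quoted command string. It assumes a POSIX /bin/sh and an echo binary on PATH; the hostile input is constructed.

```python
# Added example (not Bandit's code): the failure mode behind B404.
# Assumes a POSIX /bin/sh and an `echo` binary on PATH.
import shlex
import subprocess

# Constructed hostile input: a "filename" carrying a shell command separator.
HOSTILE = "report.txt; echo INJECTED"


def _lines(result):
    return result.stdout.strip().splitlines()


def run_unsafe(user_value):
    """Command string built by interpolation and handed to the shell:
    the user value is parsed as shell syntax, so ';' starts a new command."""
    cmd = f"echo {user_value}"
    return _lines(subprocess.run(cmd, shell=True, capture_output=True,
                                 text=True, check=True))


def run_safe(user_value):
    """Argument vector, no shell: the value is exactly one argv entry and is
    never parsed, so metacharacters are just characters."""
    return _lines(subprocess.run(["echo", user_value], capture_output=True,
                                 text=True, check=True))


def run_quoted(user_value):
    """If a shell is unavoidable (pipes, globs), quote every interpolated value."""
    cmd = "echo " + shlex.quote(user_value)
    return _lines(subprocess.run(cmd, shell=True, capture_output=True,
                                 text=True, check=True))
```

Prefer the argument-vector form; shlex.quote is a fallback for the cases where shell features are genuinely needed, and it protects only the values you remember to pass through it.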

B405: import_xml_etree

Using various methods to parse untrusted XML data is known to be vulnerable to XML attacks. Replace vulnerable imports with the equivalent defusedxml package, or make sure defusedxml.defuse_stdlib() is called.

ID    Name              Imports                 Severity
B405  import_xml_etree  xml.etree.cElementTree  low
                        xml.etree.ElementTree

B406: import_xml_sax

Using various methods to parse untrusted XML data is known to be vulnerable to XML attacks. Replace vulnerable imports with the equivalent defusedxml package, or make sure defusedxml.defuse_stdlib() is called.

ID    Name            Imports  Severity
B406  import_xml_sax  xml.sax  low

B407: import_xml_expat

Using various methods to parse untrusted XML data is known to be vulnerable to XML attacks. Replace vulnerable imports with the equivalent defusedxml package, or make sure defusedxml.defuse_stdlib() is called.

ID    Name              Imports               Severity
B407  import_xml_expat  xml.dom.expatbuilder  low

B408: import_xml_minidom

Using various methods to parse untrusted XML data is known to be vulnerable to XML attacks. Replace vulnerable imports with the equivalent defusedxml package, or make sure defusedxml.defuse_stdlib() is called.

ID    Name                Imports          Severity
B408  import_xml_minidom  xml.dom.minidom  low

B409: import_xml_pulldom

Using various methods to parse untrusted XML data is known to be vulnerable to XML attacks. Replace vulnerable imports with the equivalent defusedxml package, or make sure defusedxml.defuse_stdlib() is called.

ID    Name                Imports          Severity
B409  import_xml_pulldom  xml.dom.pulldom  low

B410: import_lxml

Using various methods to parse untrusted XML data is known to be vulnerable to XML attacks. Replace vulnerable imports with the equivalent defusedxml package.

ID    Name         Imports  Severity
B410  import_lxml  lxml     low
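The B405 through B410 checks all point at the same behaviour, so one added example serves them all. It is not Bandit's or defusedxml's code: it drives the stdlib expat parser (which xml.etree, minidom, pulldom and xml.sax are built on) directly to show that an inline DTD's entities are expanded before the application sees any text, and then installs the same expat handlers defusedxml uses so that any entity declaration aborts the parse. The entity-bomb document and the plain document are constructed samples.

```python
# Added example (not Bandit's or defusedxml's code): what the stdlib XML
# parsers do with an inline DTD, and the handler-based defence that
# defusedxml installs, rebuilt here directly on the stdlib expat parser.
from xml.parsers import expat

# Constructed sample: a three-level entity-expansion document. The real
# "billion laughs" payload nests ten levels deep; three levels are enough
# to show that the parser expands entities before you see the text.
ENTITY_BOMB = b"""<?xml version="1.0"?>
<!DOCTYPE lolz [
  <!ENTITY lol "lol">
  <!ENTITY lol1 "&lol;&lol;&lol;&lol;">
  <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;">
]>
<lolz>&lol2;</lolz>"""

# Constructed sample of the document the application actually expects.
PLAIN = b"<lolz>lol</lolz>"


class EntitiesForbidden(ValueError):
    """Raised instead of expanding anything from an untrusted DTD."""


def _text_collector(parser):
    chunks = []
    parser.CharacterDataHandler = chunks.append
    return chunks


def parse_unrestricted(data):
    """Default expat behaviour, inherited by every stdlib XML parser:
    internal entities are expanded into character data."""
    parser = expat.ParserCreate()
    chunks = _text_collector(parser)
    parser.Parse(data, True)
    return "".join(chunks)


def parse_defused(data, forbid_dtd=False):
    """Refuse entity declarations (and optionally any DTD) before expansion."""
    parser = expat.ParserCreate()

    def refuse_entity(*_):
        raise EntitiesForbidden("entity declaration in untrusted XML")

    def refuse_external(*_):
        raise EntitiesForbidden("external entity reference in untrusted XML")

    def refuse_dtd(*_):
        raise EntitiesForbidden("DTD in untrusted XML")

    # The same expat hooks defusedxml sets: declarations are reported
    # before any &ref; is expanded, so raising here stops the bomb and XXE.
    parser.EntityDeclHandler = refuse_entity
    parser.UnparsedEntityDeclHandler = refuse_entity
    parser.ExternalEntityRefHandler = refuse_external
    if forbid_dtd:
        parser.StartDoctypeDeclHandler = refuse_dtd
    chunks = _text_collector(parser)
    parser.Parse(data, True)
    return "".join(chunks)


def is_refused(data, **kwargs):
    """True if the defused parser rejects the document."""
    try:
        parse_defused(data, **kwargs)
    except EntitiesForbidden:
        return True
    return False
```

libexpat 2.4 and later caps entity amplification once output passes a size threshold, which blunts the classic bomb on up-to-date builds but does nothing about external entity references; refusing the declarations outright, as above and as defusedxml does, covers both. In application code use the defusedxml package rather than re-implementing these handlers, since it also patches minidom, pulldom and sax.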

B411: import_xmlrpclib

XMLRPC is particularly dangerous as it is also concerned with communicating data over a network. Use the defusedxml.xmlrpc.monkey_patch() function to monkey-patch xmlrpclib and mitigate remote XML attacks.

ID    Name              Imports  Severity
B411  import_xmlrpclib  xmlrpc   high

B412: import_httpoxy

httpoxy is a set of vulnerabilities that affect application code running in CGI, or CGI-like environments. The use of CGI for web applications should be avoided to prevent this class of attack. More details are available at https://httpoxy.org/.

ID    Name            Imports                      Severity
B412  import_httpoxy  wsgiref.handlers.CGIHandler  high
                      twisted.web.twcgi.CGIScript
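An added example (not Bandit's, wsgiref's or twisted's code) of the mechanism behind httpoxy: the CGI gateway copies each request header into the script's environment as HTTP_<NAME>, so a client-supplied Proxy header becomes HTTP_PROXY, which proxy-aware HTTP clients read. It then runs urllib's proxy discovery under that environment to show CPython's mitigation for CVE-2016-1000110 (HTTP_PROXY is ignored when REQUEST_METHOD is set) and its limit: a process that inherits HTTP_PROXY without REQUEST_METHOD still takes the attacker's proxy. The gateway function is a simplified stand-in and the request headers are constructed.

```python
# Added example (not Bandit's, wsgiref's or twisted's code): the mechanics
# behind httpoxy. A CGI gateway copies request headers into the environment
# of the script it runs, so a client can plant HTTP_PROXY; proxy-aware
# clients in that process then send outbound requests wherever it points.
import os
from unittest import mock
from urllib.request import getproxies_environment


def cgi_meta_variables(headers, method="GET"):
    """Simplified stand-in for the header-to-environment mapping CGI gateways
    perform (RFC 3875 section 4.1.18): HTTP_ + upper-cased name, '-' -> '_'."""
    env = {"REQUEST_METHOD": method}
    for name, value in headers.items():
        env["HTTP_" + name.upper().replace("-", "_")] = value
    return env


def http_proxy_urllib_would_use(env):
    """Run urllib's proxy discovery against exactly this environment."""
    with mock.patch.dict(os.environ, env, clear=True):
        return getproxies_environment().get("http")


# Constructed sample: the headers a hostile client sends.
ATTACK_HEADERS = {"Host": "app.example", "Proxy": "http://attacker.example:8080"}


def demo():
    """Returns (planted HTTP_PROXY value,
                proxy urllib uses inside the CGI process,
                proxy urllib uses in a child that inherited HTTP_PROXY only)."""
    env = cgi_meta_variables(ATTACK_HEADERS)
    inherited = {"HTTP_PROXY": env["HTTP_PROXY"]}
    return (env["HTTP_PROXY"],
            http_proxy_urllib_would_use(env),
            http_proxy_urllib_would_use(inherited))
```

The interpreter-level check keys only on REQUEST_METHOD, and only for urllib-based clients; the durable fix is the one the check recommends, not running application code under CGI at all, with the web server configured to drop the Proxy header as defence in depth.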

B413: import_pycrypto

The pycrypto library is known to have a publicly disclosed buffer overflow vulnerability, https://github.com/dlitz/pycrypto/issues/176. It is no longer actively maintained and has been deprecated in favor of the pyca/cryptography library.

ID    Name             Imports           Severity
B413  import_pycrypto  Crypto.Cipher     high
                       Crypto.Hash
                       Crypto.IO
                       Crypto.Protocol
                       Crypto.PublicKey
                       Crypto.Random
                       Crypto.Signature
                       Crypto.Util

B414: import_pycryptodome

This import blacklist has been removed. The information here has been left for historical purposes.

pycryptodome is a direct fork of pycrypto that has not fully addressed the issues inherent in PyCrypto. It exists mainly as an API-compatible continuation of pycrypto and should be deprecated in favor of pyca/cryptography, which has more support among the Python community.

ID    Name                 Imports               Severity
B414  import_pycryptodome  Cryptodome.Cipher     high
                           Cryptodome.Hash
                           Cryptodome.IO
                           Cryptodome.Protocol
                           Cryptodome.PublicKey
                           Cryptodome.Random
                           Cryptodome.Signature
                           Cryptodome.Util

B415: import_pyghmi

An IPMI-related module is being imported. IPMI is considered insecure. Use an encrypted protocol.

ID    Name           Imports  Severity
B415  import_pyghmi  pyghmi   high