Audit required: Insecure cipher BAN-W1004
Cipher used is not secure. It is recommended to replace with a known secure cipher such as AES.
Audit required: Insecure hash function BAN-W1003
D2, MD4, MD5, SHA1 signature algorithms are known to be vulnerable to collision attacks. Attackers can exploit this to generate another certificate with the same digital signature, allowing them to masquerade as the affected service.
Detected calls to FTP-related functions BAN-B321
FTP-related functions are being called. FTP is considered insecure. Use SSH/SFTP/SCP or some other encrypted protocol.
Use of an insecure expatreader method BAN-B315
Using various XML methods to parse untrusted XML data is known to be vulnerable to XML attacks. Using the defusedxml module is recommended. Methods should be replaced with their defusedxml equivalents.
Audit required: Use of eval PYL-W0123
Use of possibly insecure function - consider using safer ast.literal_eval. Read more on why should eval be avoided here.
Insecure xmlrpclib import detected BAN-B411
XMLRPC is particularly dangerous as it is also concerned with communicating data over a network. Use defused.xmlrpc.monkey_patch() function to monkey-patch xmlrpclib and mitigate remote XML attacks.
Use of an insecure method from xml.dom.pulldom detected BAN-B319
Using various XML methods to parse untrusted XML data is known to be vulnerable to XML attacks. Using the defusedxml module is recommended. Methods should be replaced with their defusedxml equivalents.
Use of an insecure method from xml.dom.minidom detected BAN-B318
Using various XML methods to parse untrusted XML data is known to be vulnerable to XML attacks. Using the defusedxml module is recommended. Methods should be replaced with their defusedxml equivalents.
Starting a process with a shell detected BAN-B605
Spawning of a subprocess using a command shell is dangerous as it is vulnerable to various shell injection attacks. Great care should be taken to sanitize all input in order to mitigate this risk. Calls of this type are identified by the use of certain commands which are known to use shells.
Insecure library imported BAN-B413
Libraries like crypto and pycrypto are no longer actively maintained and has been deprecated in favor of pyca/cryptography library. pycrypto library is also known to have publicly disclosed buffer overflow vulnerability.
Use of an insecure expatbuilder method BAN-B316
Using various XML methods to parse untrusted XML data is known to be vulnerable to XML attacks. Using the defusedxml module is recommended. Methods should be replaced with their defusedxml equivalents.
Use of an insecure method from xml.sax detected BAN-B317
Using various XML methods to parse untrusted XML data is known to be vulnerable to XML attacks. Using the defusedxml module is recommended. Methods should be replaced with their defusedxml equivalents.
Use of _create_unverified_context detected BAN-B323
By default, Python will create a secure, verified ssl context for use in such classes as HTTPSConnection. However, it still allows using an insecure context via the _create_unverified_context that reverts to the previous behavior that does not validate certificates or perform hostname checks. It is recommended to replace this call with the default HTTPS context.
Audit: Binding to all interfaces detected with hardcoded values BAN-B104
Binding to all network interfaces can potentially open up a service to traffic on unintended interfaces, that may not be properly documented or secured. This can be prevented by changing the code so it explicitly only allows access from localhost.
Audit required: Potential SQL injection on RawSQL function BAN-B611
Use of extra in Django querysets should be audited, since unsanitized strings can open up security vulnerabilities.
Use of insecure input method detected PTC-W1002
The input method in Python 2 will read from standard input, evaluate and run the resulting string as python source code. This is similar, though in many ways worse, than using eval. On Python 2, use raw_input instead, input is safe in Python 3.
Unsafe parameter given to subprocess.Popen PYL-W1509
The preexec_fn parameter is not safe to use in the presence of threads in your application. The child process could deadlock before exec is called. If you must use it, keep it trivial. Minimize the number of libraries you call into. Ref: https://docs.python.org/3/library/subprocess.html#popen-constructor
Audit required: Use of marshal module BAN-B302
The marshal module is not intended to be secure against erroneous or maliciously constructed data. Never unmarshal data received from an untrusted or unauthenticated source.
Audit required: Risk of possible SQL injection vector through string-based query construction BAN-B608
Constructing SQL query using user provided data is insecure. It makes application vulnerable to SQL injection attacks.
Audit required: Possible wildcard injection in call: subprocess.Popen BAN-B609
The use of partially qualified paths may result in unintended consequences if an unexpected file or symlink is placed into the path location given. This becomes particularly dangerous when combined with commands used to manipulate file permissions or copy data off of a system.