mschwager
The `openssl_verify` function has the unfortunate interface of returning `1` if the signature is correct, `0` if it is incorrect, and `-1` on error. This means if you do a...
"A group that contains a token with a quantifier must not have a quantifier of its own unless the quantified token inside the group can only be matched with something...
TODO: find all insecure example usage https://github.com/jpadilla/pyjwt
TODO: find all examples of insecure usage https://github.com/mpdavis/python-jose
Per the [OWASP API Security Top 10](https://owasp.org/www-project-api-security/), broken function level authorization is a big security concern. Adding a linter to detect this would be very useful. Most Python web application...
Bad:

```python
input("Password: ")
```

Good:

```python
getpass.getpass("Password: ")
```

See [getpass](https://docs.python.org/3/library/getpass.html). We can probably just look for `input` calls that contain the string literal `'password'`.
Per the [Python documentation](https://docs.python.org/3.8/library/xml.sax.html):

> Changed in version 3.7.1: The SAX parser no longer processes general external entities by default to increase security. Before, the parser created network connections to...
The following `pyyaml` calls should be safe:

```python
yaml.load(..., Loader=yaml.SafeLoader)
yaml.load(..., Loader=yaml.CSafeLoader)
```

I believe this is equivalent to using `safe_load`, but I've encountered a few false positives in the...
Flake8 allows for custom formatters: [Developing a Formatting Plugin for Flake8](https://flake8.pycqa.org/en/latest/plugin-development/formatters.html). I think there's value in having an output mode where things are very dense, and there's one finding per...
`functools.lru_cache` was recently added to `dlint.namespace` which provided a great speed up. We should output [`functools.lru_cache.cache_info`](https://docs.python.org/3.8/library/functools.html#functools.lru_cache) information when benchmarking. We should be able to:

* Run the benchmarking code over...