nozmore

Results 30 comments of nozmore

Python tarfile appears to be vulnerable. https://bugs.python.org/issue17102 https://bugs.python.org/issue21109

OK, "simplify" is arguable and maybe the wrong choice. To capture valid applicable threats, target type isn't enough, so currently for some threats the threat condition is both a target...

Of course it could be a single field, since that is the way it works today. Using my example of INP01, I did split up its AND condition using the...

`{ "SID":"INP05", "target":[ "Server", "Process" ], "target_condition":"any(d.sink.isSQL for d in target.outputs)", "description":"Command Line Execution through SQL Injection", "details":"An attacker uses standard SQL injection methods to inject data into the command...

NOZ04 doesn't currently work `any(t.id == 'NOZ03' for t in target.mitigated_threats)` yet, because mitigations are saved to the element after parsing all elements/threats. I need to save them while parsing the...

If the complementary report could separate out (1) you are not doing a 'thing' and (2) you are doing a 'thing' and you are doing it correctly. You cannot do...

I separated this comment out since the above is directly related to this change and below is more where my head was at, what I could see in the future...

My logic isn't right on the second example, but you get the idea.... it's late ; )

Personally, I like having 'Datastore.isLocalFile' for other threats, but this does add complexity to Threat conditions, as you can see above. And it would need to be more complicated as Server...