From 40bb510e0d0397c701c340675b20818cd08bdd5e Mon Sep 17 00:00:00 2001
From: myteron
Date: Tue, 7 May 2024 12:19:47 +0100
Subject: [PATCH 1/2] Adding CWE-400 README.md and updated main README.md fixed known linting issues Fixed linting issues
---
 CWE-664/CWE-400/README.md | 107 ++++++++++++++++++++++++++++++++++++++
 README.md | 32 ++++++------
 2 files changed, 123 insertions(+), 16 deletions(-)
 create mode 100644 CWE-664/CWE-400/README.md
diff --git a/CWE-664/CWE-400/README.md b/CWE-664/CWE-400/README.md
new file mode 100644
index 0000000..746f39c
--- /dev/null
+++ b/CWE-664/CWE-400/README.md
@@ -0,0 +1,107 @@
+# CWE-400: Uncontrolled Resource Consumption
+
+Canceling the task in a thread pool only prevents it from being executed if it has not started yet. For the task to be interruptible, it must handle the `threading.Event` flag.
+
+## Non-Compliant Code Example
+
+Tasks can be submitted to the ThreadPoolExecutor by calling `submit()`. Submitted tasks can be canceled by calling `cancel()` on the Future object returned by `submit()`. Calling this method will return True and stop the task from being executed if it has not started yet. However, if its execution has already started, calling `cancel()` will instead return False and will not stop the task [Python 3.10 docs on Future.cancel].
+
+[*noncompliant01.py:*](noncompliant01.py)
+
+```py
+""" Non-compliant Code Example """
+import time
+from concurrent.futures import ThreadPoolExecutor
+
+
+def take_time(x):
+ print(f"Started Task: {x}")
+ # Simulate work
+ for i in range(10):
+ time.sleep(1)
+ print(f"Completed Task: {x}")
+
+
+def run_thread(_executor, var):
+ future = _executor.submit(take_time, var)
+ return future
+
+
+def interrupt(future):
+ print(future.cancel())
+ print(f"Interrupted: {future}")
+
+
+#####################
+# Exploiting above code example
+#####################
+
+
+with ThreadPoolExecutor() as executor:
+ task = run_thread(executor, "A")
+ interrupt(task)
+
+```
+
+## Compliant Solution
+
+Tasks submitted to the ThreadPoolExecutor can be interrupted by setting a thread-safe flag, such as `threading.Event` [Python 3.10 docs on threading.Event]. An Event object should be passed as an argument to the submitted task. From within the task function, we need to manually check the flag status by calling `event.is_set()` and handling the interruption. In order to set the Event flag, we can call `event.set()` on the event object.
+
+[*compliant01.py:*](compliant01.py)
+
+```py
+""" Compliant Code Example """
+import time
+from concurrent.futures import ThreadPoolExecutor
+from threading import Event
+
+
+def take_time(x, _event):
+ print(f"Started Task: {x}")
+ # Simulate work
+ for _ in range(10):
+ if _event.is_set():
+ print(f"Interrupted Task: {x}")
+ # Save partial results
+ return
+ time.sleep(1)
+ print(f"Completed Task: {x}")
+
+
+def run_thread(_executor, var):
+ e = Event()
+ future = _executor.submit(take_time, var, e)
+ return future, e
+
+
+def interrupt(future, e):
+ """Cancel the task, just in case it is not yet running, and set the Event flag"""
+ future.cancel()
+ e.set()
+
+
+#####################
+# Exploiting above code example
+#####################
+
+
+with ThreadPoolExecutor() as executor:
+ task, event = run_thread(executor, "A")
+ interrupt(task, event)
+
+```
+
+## Related Guidelines
+
+|||
+|:---|:---|
+|[MITRE CWE](http://cwe.mitre.org/)|Pillar [CWE-664: Improper Control of a Resource Through its Lifetime (4.13) (mitre.org)](https://cwe.mitre.org/data/definitions/664.html)|
+|[MITRE CWE](http://cwe.mitre.org/)|Class [CWE-400: Uncontrolled Resource Consumption (4.12)](https://cwe.mitre.org/data/definitions/400.html)|
+|[SEI CERT Coding Standard for Java](https://wiki.sei.cmu.edu/confluence/display/java/SEI+CERT+Oracle+Coding+Standard+for+Java)|[TPS02-J. Ensure that tasks submitted to a thread pool are interruptible](https://wiki.sei.cmu.edu/confluence/display/java/TPS02-J.+Ensure+that+tasks+submitted+to+a+thread+pool+are+interruptible)|
+
+## Biblography
+
+|||
+|:---|:---|
+|[[Python 3.10.4 docs Future.cancel]](https://docs.python.org/)|concurrent.futures — Launching parallel tasks — Python 3.10.4 documentation. Available from: \[Last Accessed May 2024]|
+|[[Python 3.10.4 docs on threading.Event]](https://docs.python.org/)|threading — Thread-based parallelism - Event Objects. Available from: \[Last Accessed May 2024]|
diff --git a/README.md b/README.md
index 3ff923f..c55551a 100644
--- a/README.md
+++ b/README.md
@@ -1,32 +1,35 @@
 # Secure Coding One Stop Shop for Python
-Promote secure products by knowing the difference between secure compliant
-and non-compliant code with `CPython >= 3.9` using modules listed on
-[Python Module Index](https://docs.python.org/3.9/py-modindex.html)[Python 2023].
+Promote secure products by knowing the difference between secure compliant
+and non-compliant code with `CPython >= 3.9` using modules listed on
+[Python Module Index](https://docs.python.org/3.9/py-modindex.html)[Python 2023].
-This page is in initiative by Ericsson to improve secure coding in Python by providing a location for study. Its structure is based on
-Common Weakness Enamurator (CWE) [Pillar Weakness](https://cwe.mitre.org/documents/glossary/#Pillar%20Weakness) [mitre.org 2023].
+This page is in initiative by Ericsson to improve secure coding in Python by providing a location for study. Its structure is based on
+Common Weakness Enamurator (CWE) [Pillar Weakness](https://cwe.mitre.org/documents/glossary/#Pillar%20Weakness) [mitre.org 2023].
 It currently contains *only* the code examples, documentation will follow.
-# Disclaimer
+## Disclaimer
+
 Content comes WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, as stated in the license text [CC-BY-4.0](LICENSE/CC-BY-4.0.txt) for documentation and [MIT](LICENSE/MIT.txt). Following or using the documentation and or code is at your own risk. Code examples are intended purely for educational use and not for products in parts or in full. Code examples are NOT to be used to cause harm of any kind to anyone or anything.
+## Introduction
-# Introduction
 Every person writing code shall study the following:
 * OWASP Secure Coding [Practices-Quick Reference Guide](https://owasp.org/www-project-secure-coding-practices-quick-reference-guide/) [OWASP 2022]
 * OWASP Top 10 Report [OWASP 2022](https://owasp.org/www-project-top-ten/) [OWASP 2022]
 * CWE Top 25 2022 [CWE 2022](https://cwe.mitre.org/top25/archive/2022/2022_cwe_top25.html) [MITRE 2023]
-# Secure Coding Standard for Python
+## Secure Coding Standard for Python
+
 Code examples are written to explain security design with as little code as possible demonstrating the issue in the `noncompliantXX.py` titled Python file. The `compliantXX.py` file demonstrates only the mitigation or removal of the described risk. None of the code examples are intendet to be used 'as is' for production. Using the code is at your own risk. It is **not production code** and requires code-style or python best practices to be added such as:
+
 * Inline documentation
 * Custom exceptions
 * Full descriptive variable names
@@ -36,9 +39,9 @@ It is **not production code** and requires code-style or python best practices t
 |[CWE-664: Improper Control of a Resource Through its Lifetime](https://cwe.mitre.org/data/definitions/664.html)|Prominent CVE|
 |:-----------------------------------------------------------------------------------------------------------------------------------------------|:----|
-|[CWE-134: Use of Externally-Controlled Format String](CWE-664/CWE-134/.)|[CVE-2022-27177](https://www.cvedetails.com/cve/CVE-2022-27177/),
CVSSv3.1: **9.8**,
EPSS:**00.37**(01.12.2023)|
+|[CWE-134: Use of Externally-Controlled Format String](CWE-664/CWE-134/.)|[CVE-2022-27177](https://www.cvedetails.com/cve/CVE-2022-27177/),
CVSSv3.1: **9.8**,
EPSS:**00.37**(01.12.2023)|
 |[CWE-197: Numeric Truncation Error](CWE-664/CWE-197/.)||
-|[CWE-400: Uncontrolled Resource Consumption](CWE-664/CWE-400/.)||
+|[CWE-400: Uncontrolled Resource Consumption](CWE-664/CWE-400/README.md)||
 |[CWE-409: Improper Handling of Highly Compressed Data (Data Amplification)](CWE-664/CWE-409/.)||
 |[CWE-410: Insufficient Resource Pool](CWE-664/CWE-410/.)||
 |[CWE-502: Deserialization of Untrusted Data)](CWE-664/CWE-502/.)||
@@ -48,7 +51,6 @@ It is **not production code** and requires code-style or python best practices t
 |[XXX-005: Consider hash-based integrity verification of byte code files against their source code files](CWE-664/XXX-005/.)||
 |||
-
 |[CWE-682: Incorrect Calculation](https://cwe.mitre.org/data/definitions/682.html)|Prominent CVE|
 |:---------------------------------------------------------------------------------------------------------------|:----|
 |[CWE-1335: Promote readability and compatibility by using mathematical written code with arithmetic operations instead of bit-wise operations](CWE-682/CWE-1335/.)||
@@ -71,7 +73,7 @@ It is **not production code** and requires code-style or python best practices t
 |[CWE-707: Improper Neutralization](https://cwe.mitre.org/data/definitions/707.html)|Prominent CVE|
 |:----------------------------------------------------------------|:----|
-|[CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')](CWE-707/CWE-89/.)|[CVE-2019-8600](https://www.cvedetails.com/cve/CVE-2019-8600/),
CVSSv3.1: **9.8**,
EPSS:**01.43**(18.02.2024)|
+|[CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')](CWE-707/CWE-89/.)|[CVE-2019-8600](https://www.cvedetails.com/cve/CVE-2019-8600/),
CVSSv3.1: **9.8**,
EPSS:**01.43**(18.02.2024)|
 |[CWE-117: Improper Output Neutralization for Logs](CWE-707/CWE-117/.)||
 |[CWE-180: Incorrect behavior order: Validate before Canonicalize](CWE-707/CWE-180/.)||
 |||
@@ -82,9 +84,7 @@ It is **not production code** and requires code-style or python best practices t
 |[CWE-1109: Use of Same Variable for Multiple Purposes](CWE-710/CWE-1109/.)||
 |||
-
-
-# Biblography
+## Biblography
 |Ref|Detail|
 |-----|-----|
@@ -94,7 +94,7 @@ It is **not production code** and requires code-style or python best practices t
 |[OWASP 2022]|[OWASP Top 10 Report 2022](https://owasp.org/www-project-top-ten/)|
 |[MITRE 2023]|[CWE Top 25 2022](https://cwe.mitre.org/top25/archive/2022/2022_cwe_top25.html)|
+## License
-# License
 * [CC-BY 4.0](LICENSE/CC-BY-4.0.txt) for documentation
 * [MIT](LICENSE/MIT.txt) for code snippets
From 56e7f1f09c679588702f82a068ecd5d79a1b050d Mon Sep 17 00:00:00 2001
From: Hubert Daniszewski <61824500+s19110@users.noreply.github.com>
Date: Wed, 22 May 2024 12:13:07 +0200
Subject: [PATCH 2/2] CWE-400 Fixes for bibliography and links
---
 CWE-664/CWE-400/README.md | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/CWE-664/CWE-400/README.md b/CWE-664/CWE-400/README.md
index 746f39c..d2ea79e 100644
--- a/CWE-664/CWE-400/README.md
+++ b/CWE-664/CWE-400/README.md
@@ -4,7 +4,7 @@ Canceling the task in a thread pool only prevents it from being executed if it h
 ## Non-Compliant Code Example
-Tasks can be submitted to the ThreadPoolExecutor by calling `submit()`. Submitted tasks can be canceled by calling `cancel()` on the Future object returned by `submit()`. Calling this method will return True and stop the task from being executed if it has not started yet. However, if its execution has already started, calling `cancel()` will instead return False and will not stop the task [Python 3.10 docs on Future.cancel].
+Tasks can be submitted to the ThreadPoolExecutor by calling `submit()`. Submitted tasks can be canceled by calling `cancel()` on the Future object returned by `submit()`. Calling this method will return True and stop the task from being executed if it has not started yet. However, if its execution has already started, calling `cancel()` will instead return False and will not stop the task [[Python 3.10.4 docs on threading.Event]](https://docs.python.org/3/library/threading.html#event-objects).
 [*noncompliant01.py:*](noncompliant01.py)
@@ -45,7 +45,7 @@ with ThreadPoolExecutor() as executor:
 ## Compliant Solution
-Tasks submitted to the ThreadPoolExecutor can be interrupted by setting a thread-safe flag, such as `threading.Event` [Python 3.10 docs on threading.Event]. An Event object should be passed as an argument to the submitted task. From within the task function, we need to manually check the flag status by calling `event.is_set()` and handling the interruption. In order to set the Event flag, we can call `event.set()` on the event object.
+Tasks submitted to the ThreadPoolExecutor can be interrupted by setting a thread-safe flag, such as `threading.Event` [[Python 3.10.4 docs on threading.Event]](https://docs.python.org/3/library/threading.html#event-objects). An Event object should be passed as an argument to the submitted task. From within the task function, we need to manually check the flag status by calling `event.is_set()` and handling the interruption. In order to set the Event flag, we can call `event.set()` on the event object.
 [*compliant01.py:*](compliant01.py)
@@ -99,9 +99,9 @@ with ThreadPoolExecutor() as executor:
 |[MITRE CWE](http://cwe.mitre.org/)|Class [CWE-400: Uncontrolled Resource Consumption (4.12)](https://cwe.mitre.org/data/definitions/400.html)|
 |[SEI CERT Coding Standard for Java](https://wiki.sei.cmu.edu/confluence/display/java/SEI+CERT+Oracle+Coding+Standard+for+Java)|[TPS02-J. Ensure that tasks submitted to a thread pool are interruptible](https://wiki.sei.cmu.edu/confluence/display/java/TPS02-J.+Ensure+that+tasks+submitted+to+a+thread+pool+are+interruptible)|
-## Biblography
+## Bibliography
 |||
 |:---|:---|
-|[[Python 3.10.4 docs Future.cancel]](https://docs.python.org/)|concurrent.futures — Launching parallel tasks — Python 3.10.4 documentation. Available from: \[Last Accessed May 2024]|
-|[[Python 3.10.4 docs on threading.Event]](https://docs.python.org/)|threading — Thread-based parallelism - Event Objects. Available from: \[Last Accessed May 2024]|
+|[[Python 3.10.4 docs Future.cancel]](https://docs.python.org/3/library/concurrent.futures.html)|concurrent.futures — Launching parallel tasks — Python 3.10.4 documentation. Available from: \[Last Accessed May 2024]|
+|[[Python 3.10.4 docs on threading.Event]](https://docs.python.org/3/library/threading.html#event-objects)|threading — Thread-based parallelism - Event Objects. Available from: \[Last Accessed May 2024]|