diff --git a/README.md b/README.md index 0378205..abdba4a 100644 --- a/README.md +++ b/README.md 
@@ -1,28 +1,46 @@ # Secure Coding with Python. ## Chapter 1: Project Bootstrap -### Requirement -To start with our development, we copy over a `requirements.txt` file we had from a previous project and install -Flash from it. +### Testing +In order to make sure our libraries don't containg any know vulnerabilities, we can use a dependency scanner such as [Safety](https://pyup.io/safety/). -```bash -> pip install -r requirements.txt ``` + > $ pip install safety + > $ safety check -r requirements.txt --full-report +╒══════════════════════════════════════════════════════════════════════════════╕ +│ │ +│ /$$$$$$ /$$ │ +│ /$$__ $$ | $$ │ +│ /$$$$$$$ /$$$$$$ | $$ \__//$$$$$$ /$$$$$$ /$$ /$$ │ +│ /$$_____/ |____ $$| $$$$ /$$__ $$|_ $$_/ | $$ | $$ │ +│ | $$$$$$ /$$$$$$$| $$_/ | $$$$$$$$ | $$ | $$ | $$ │ +│ \____ $$ /$$__ $$| $$ | $$_____/ | $$ /$$| $$ | $$ │ +│ /$$$$$$$/| $$$$$$$| $$ | $$$$$$$ | $$$$/| $$$$$$$ │ +│ |_______/ \_______/|__/ \_______/ \___/ \____ $$ │ +│ /$$ | $$ │ +│ | $$$$$$/ │ +│ by pyup.io \______/ │ +│ │ +╞══════════════════════════════════════════════════════════════════════════════╡ +│ REPORT │ +│ checked 1 packages, using default DB │ +╞════════════════════════════╤═══════════╤══════════════════════════╤══════════╡ +│ package │ installed │ affected │ ID │ +╞════════════════════════════╧═══════════╧══════════════════════════╧══════════╡ +│ flask │ 0.12 │ <0.12.3 │ 36388 │ +╞══════════════════════════════════════════════════════════════════════════════╡ +│ flask version Before 0.12.3 contains a CWE-20: Improper Input Validation │ +│ vulnerability in flask that can result in Large amount of memory usage │ +│ possibly leading to denial of service. This attack appear to be exploitable │ +│ via Attacker provides JSON data in incorrect encoding. This vulnerability │ +│ appears to have been fixed in 0.12.3. 
│ +╘══════════════════════════════════════════════════════════════════════════════╛ +``` +**Note:** The free version of safety updates it's database once a month, so latest vulnerabilities might not show up. For better security a paid API key can be used to get more up-to-date releases information. -Then we create the `marketplace` package, with a minimal Flask app in `__init__.py`. We can run the project with -`python -m flask run` to see that it loads correctly going with our browser to `http://127.0.0.1:5000/`. - -### Vulnerability -Since we copied over a `requirements.txt` and installed Flask from it, we have a very old Flask version. The -version in said file was Flask 0.12. At the date of the development, the latest Flask release is 1.0.3 - -Since Flask 0.12 the following security releases had been issued: -* [0.12.3](https://github.com/pallets/flask/releases/tag/0.12.3): CWE-20: Improper Input Validation on JSON decoding. - -Given that we used an old version that's vulnerable to all of the above, our application, by definition is vulnerable -if we make use of the affected functionallity. +We can start building our CI build script with a simple dependency vulnerabilities check using [Safety](https://pyup.io/safety/) as shown in build.sh -**Proceed to [next section](https://github.com/nxvl/secure-coding-with-python/tree/1-vulnerable-components/test)** +**Proceed to [next section](https://github.com/nxvl/secure-coding-with-python/tree/1-vulnerable-components/fix)** ## Index ### 1. Vulnerable Components diff --git a/build.sh b/build.sh new file mode 100644 index 0000000..14716b7 --- /dev/null +++ b/build.sh @@ -0,0 +1,5 @@ +#!/bin/bash +vulnerable_deps=$(safety check --bare -r requirements.txt) +if [[ $? != 0 ]]; then + echo "Vulnerabilities found in packages:" $vulnerable_deps +fi diff --git a/requirements.txt b/requirements.txt index 4be7437..da95a78 100644 --- a/requirements.txt +++ b/requirements.txt 
@@ -1 +1,2 @@ -Flask==0.12 \ No newline at end of file +Flask==0.12 +safety==1.8.5 \ No newline at end of file
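Review bot: the new "Testing" text in the README hunk ships with typos that will render on the project page: "containg" should be "containing", "know vulnerabilities" should be "known vulnerabilities", and in the Note "updates it's database" should be "updates its database". The pasted Safety report also says "checked 1 packages", which is what you get when running against the old requirements.txt; since this same patch adds `safety==1.8.5` to that file, a reader who reruns `safety check -r requirements.txt --full-report` will see two packages listed. Either regenerate the output after the requirements change or trim the pasted report to the `flask` row and its description so the README stays reproducible. The Note about the free database being refreshed monthly is a useful caveat; it would be worth adding one sentence that a clean Safety run therefore does not mean "no known vulnerabilities", only "none in the cached DB".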
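Review bot: build.sh never fails the build. When `safety check --bare -r requirements.txt` exits non-zero, the `if [[ $? != 0 ]]` branch only echoes the package names and the script then exits 0, so a CI job wired to this script stays green with a vulnerable Flask installed. Add `exit 1` inside the `if` (and send the message to stderr), e.g. `echo "Vulnerabilities found in packages: $vulnerable_deps" >&2` followed by `exit 1`. Two smaller points: `$?` immediately after `vulnerable_deps=$(...)` does carry the exit status of the substituted command, but saving it to a variable on the next line is clearer and survives later edits that insert a command in between; and `$vulnerable_deps` should be quoted in the `echo` to avoid word splitting and glob expansion of the package list. Starting the script with `set -u` and `set -o pipefail` would also catch a missing `safety` binary instead of treating it as "no vulnerabilities".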
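Review bot: `safety` is a CI/dev tool, not a runtime dependency of the marketplace app, so pinning `safety==1.8.5` in requirements.txt installs the scanner into the production environment and also makes `safety check -r requirements.txt` scan the scanner itself. Keep requirements.txt for the application and put the pin in a separate requirements-dev.txt, or install it directly in build.sh with `pip install safety==1.8.5` before the check. `Flask==0.12` is deliberately left in place here, which is consistent with the README pointing to a separate "fix" section next, but that intent should be stated in the README's Testing text so the pinned vulnerable version is not mistaken for an oversight. Minor: both sides of the hunk still end with "No newline at end of file"; adding the trailing newline avoids noisy diffs on the next change.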