From 710e736ac6b69a912c56efdb6afdfd8a4daec6f7 Mon Sep 17 00:00:00 2001 From: Nicolas Valcarcel Date: Fri, 5 Jul 2019 18:10:59 -0500 Subject: [PATCH 1/3] Add build.sh with dependency vulnerability check --- README.md | 41 ++++++++++++++++++++++++++++++++++++++++- build.sh | 5 +++++ 2 files changed, 45 insertions(+), 1 deletion(-) create mode 100644 build.sh diff --git a/README.md b/README.md index 4b5ca36..1f88ab1 100644 --- a/README.md +++ b/README.md 
@@ -12,6 +12,45 @@ Since Flask 0.12 the following security releases had been issued: Given that we used an old version that's vulnerable to all of the above, our application, by definition is vulnerable if we make use of the affected functionallity. +### Testing +In order to make sure our libraries don't containg any know vulnerabilities, we can use a dependency scanner such as [Safety](https://pyup.io/safety/). + +``` +(venv) > $ pip install safety +(venv) > $ safety check -r requirements.txt --full-report +╒══════════════════════════════════════════════════════════════════════════════╕ +│ │ +│ /$$$$$$ /$$ │ +│ /$$__ $$ | $$ │ +│ /$$$$$$$ /$$$$$$ | $$ \__//$$$$$$ /$$$$$$ /$$ /$$ │ +│ /$$_____/ |____ $$| $$$$ /$$__ $$|_ $$_/ | $$ | $$ │ +│ | $$$$$$ /$$$$$$$| $$_/ | $$$$$$$$ | $$ | $$ | $$ │ +│ \____ $$ /$$__ $$| $$ | $$_____/ | $$ /$$| $$ | $$ │ +│ /$$$$$$$/| $$$$$$$| $$ | $$$$$$$ | $$$$/| $$$$$$$ │ +│ |_______/ \_______/|__/ \_______/ \___/ \____ $$ │ +│ /$$ | $$ │ +│ | $$$$$$/ │ +│ by pyup.io \______/ │ +│ │ +╞══════════════════════════════════════════════════════════════════════════════╡ +│ REPORT │ +│ checked 1 packages, using default DB │ +╞════════════════════════════╤═══════════╤══════════════════════════╤══════════╡ +│ package │ installed │ affected │ ID │ +╞════════════════════════════╧═══════════╧══════════════════════════╧══════════╡ +│ flask │ 0.12 │ <0.12.3 │ 36388 │ +╞══════════════════════════════════════════════════════════════════════════════╡ +│ flask version Before 0.12.3 contains a CWE-20: Improper Input Validation │ +│ vulnerability in flask that can result in Large amount of memory usage │ +│ possibly leading to denial of service. This attack appear to be exploitable │ +│ via Attacker provides JSON data in incorrect encoding. This vulnerability │ +│ appears to have been fixed in 0.12.3. 
│ +╘══════════════════════════════════════════════════════════════════════════════╛ +``` +**Note:** The free version of safety updates it's database once a month, so latest vulnerabilities might not show up. For better security a paid API key can be used to get more up-to-date releases information. + +We can start building our CI build script with a simple dependency vulnerabilities check using [Safety](https://pyup.io/safety/) as shown in build.sh + ## Description Welcome to the Secure coding with python course. In this repository you will find a series of branches for each step of the development of a sample marketplace application. In such a development, we will be making security mistakes and introducing vulnerabilities, we will add tests for them and finally fixing them. @@ -19,7 +58,7 @@ The branches will have the following naming scheme for easier navigation: {Chapt For this course we will be using Python3, Flask and PostgreSQL. -**Proceed to [next section](https://github.com/nxvl/secure-coding-with-python/tree/1-vulnerable-components/test)** +**Proceed to [next section](https://github.com/nxvl/secure-coding-with-python/tree/1-vulnerable-components/fix)** ## Index ### 1. Vulnerable Components diff --git a/build.sh b/build.sh new file mode 100644 index 0000000..14716b7 --- /dev/null +++ b/build.sh @@ -0,0 +1,5 @@ +#!/bin/bash +vulnerable_deps=$(safety check --bare -r requirements.txt) +if [[ $? != 0 ]]; then + echo "Vulnerabilities found in packages:" $vulnerable_deps +fi From ff75bb7b3ccfa20cbc4fb9db8d185ea25a0a1036 Mon Sep 17 00:00:00 2001 From: Nicolas Valcarcel Date: Sat, 3 Aug 2019 15:26:56 -0500 Subject: [PATCH 2/3] remove last step text --- README.md | 11 ----------- 1 file changed, 11 deletions(-) diff --git a/README.md b/README.md index 64da69c..2c26e7e 100644 --- a/README.md +++ b/README.md 
@@ -1,17 +1,6 @@ # Secure Coding with Python. ## Chapter 1: Project Bootstrap -### Requirement -To start with our development, we install Flask, create our requirements.txt with it and create the `marketplace` package, with a minimal Flask app in `__init__.py`. We can run the project with `python -m flask run` to see that it loads correctly. - -### Vulnerability -Since we have done some Flask work in the past, we copied over a requirements.txt and installed Flask from it. The version in said file was Flask 0.12. At the date of the development, the latest Flask release is 1.0.3 - -Since Flask 0.12 the following security releases had been issued: -* [0.12.3](https://github.com/pallets/flask/releases/tag/0.12.3): CWE-20: Improper Input Validation on JSON decoding. - -Given that we used an old version that's vulnerable to all of the above, our application, by definition is vulnerable if we make use of the affected functionallity. - ### Testing In order to make sure our libraries don't containg any know vulnerabilities, we can use a dependency scanner such as [Safety](https://pyup.io/safety/). From 7fe13ca7f6ee7dd76902b8068b0bfc31f1845b28 Mon Sep 17 00:00:00 2001 From: Nicolas Valcarcel Date: Tue, 20 Aug 2019 21:42:30 -0500 Subject: [PATCH 3/3] add safety to requirements.txt --- requirements.txt | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/requirements.txt b/requirements.txt index 4be7437..da95a78 100644 --- a/requirements.txt +++ b/requirements.txt @@ -1 +1,2 @@ -Flask==0.12 \ No newline at end of file +Flask==0.12 +safety==1.8.5 \ No newline at end of file
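Review bot: in the README.md hunk of PATCH 1/3 (`@@ -12,6 +12,45 @@`), the added Testing text carries spelling errors that will ship into the course material: `don't containg any know vulnerabilities` should read `don't contain any known vulnerabilities`, and `updates it's database` should be `updates its database`. The added fenced block is untagged; tagging it as a console/shell session would make the `(venv) > $` prompt lines render as a terminal transcript rather than plain text. The change of the `next section` link from `/test` to `/fix` is unrelated to the subject `Add build.sh with dependency vulnerability check` and would be easier to trace if mentioned in the commit message.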
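Review bot: in the build.sh hunk of PATCH 1/3 (`@@ -0,0 +1,5 @@`), the script reports vulnerable packages but never fails the build: after `echo "Vulnerabilities found in packages:" $vulnerable_deps` control falls through and the script exits 0, so a CI job wrapping build.sh passes even when `safety check --bare` returns non-zero. Add an `exit 1` inside the `if` block so the gate actually blocks. Two smaller points: quote the expansion as `"$vulnerable_deps"` so the package list is not word-split, and use `[[ $? -ne 0 ]]` for the numeric comparison. The script also assumes `safety` is already on PATH; nothing in build.sh installs it, so a fresh CI runner will fail with a missing command rather than a vulnerability report.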
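Review bot: in the README.md hunk of PATCH 2/3 (`@@ -1,17 +1,6 @@`), dropping the Requirement and Vulnerability sections removes the only explanation of why Flask 0.12 is flagged (the `0.12.3` release link and the CWE-20 note), so the Safety report retained in the Testing section now cites a finding the chapter never introduces; a one-line pointer back to the previous step would keep the chapter self-contained. The retained context line still reads `don't containg any know vulnerabilities`; since this hunk already touches the region, the typo fix could ride along here.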
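Review bot: in the requirements.txt hunk of PATCH 3/3 (`@@ -1 +1,2 @@`), `safety==1.8.5` is added to the same file that still pins `Flask==0.12`, the version the README's own Safety report lists as affected (`<0.12.3`, ID 36388); with build.sh now scanning this file, every build will report Flask, so either bump Flask here or state in the commit message that the fix is deferred to the `1-vulnerable-components/fix` branch the README links to. Safety is a CI tool rather than a runtime dependency, so keeping it in a separate `requirements-dev.txt` (or installing it from build.sh) keeps it out of the deployed application. The file still ends without a trailing newline (`\ No newline at end of file`), which this hunk could have fixed while touching the last line.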