Insecure code 2 #402
Insecure code 2 #402
Conversation
See how SAST does
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
| @@ -59,6 +59,9 @@ | |||
|
|
|||
| def contains(self, z: complex) -> bool: | |||
| """Returns True if the point z lies within the contour, False if otherwise""" | |||
| import requests | |||
| requests.get("http://api.github.com") | |||
Check warning
Code scanning / Bandit
Requests call without timeout Warning
| @@ -90,6 +90,8 @@ | |||
| .. [KB] "Computing the zeros of analytic functions" by Peter Kravanja, | |||
| Marc Van Barel, Springer 2000 | |||
| """ | |||
| eval(f"foo={phi}") | |||
Check warning
Code scanning / Bandit
Use of possibly insecure function - consider using safer ast.literal_eval. Warning
| @@ -189,6 +190,8 @@ | |||
| # wrap f to record the number of function calls | |||
| f = CountCalls(f) | |||
|
|
|||
| exec('foo=1') | |||
Check warning
Code scanning / Bandit
Use of exec detected. Warning
| @@ -59,6 +59,9 @@ | |||
|
|
|||
| def contains(self, z: complex) -> bool: | |||
| """Returns True if the point z lies within the contour, False if otherwise""" | |||
| import requests | |||
| requests.get("http://api.github.com") | |||
There was a problem hiding this comment.
Detected a request using 'http://'. This request will be unencrypted, and attackers could listen into traffic on the network and be able to obtain sensitive information. Use 'https://' instead.
View Dataflow Graph
flowchart LR
classDef invis fill:white, stroke: none
classDef default fill:#e7f5ff, color:#1c7fd6, stroke: none
subgraph File0["<b>cxroots/contours/annulus.py</b>"]
direction LR
%% Source
subgraph Source
direction LR
v0["<a href=https://github.com/rparini/cxroots/blob/9adf053f6b18d7193d6e06d3acdd03e5860a2f1c/cxroots/contours/annulus.py#L63 target=_blank style='text-decoration:none; color:#1c7fd6'>[Line: 63] "http://api.github.com"</a>"]
end
%% Intermediate
%% Sink
subgraph Sink
direction LR
v1["<a href=https://github.com/rparini/cxroots/blob/9adf053f6b18d7193d6e06d3acdd03e5860a2f1c/cxroots/contours/annulus.py#L63 target=_blank style='text-decoration:none; color:#1c7fd6'>[Line: 63] "http://api.github.com"</a>"]
end
end
%% Class Assignment
Source:::invis
Sink:::invis
File0:::invis
%% Connections
Source --> Sink
| @@ -90,6 +90,8 @@ | |||
| .. [KB] "Computing the zeros of analytic functions" by Peter Kravanja, | |||
| Marc Van Barel, Springer 2000 | |||
| """ | |||
| eval(f"foo={phi}") | |||
There was a problem hiding this comment.
Detected the use of eval(). eval() can be dangerous if used to evaluate dynamic content. If this content can be input from outside the program, this may be a code injection vulnerability. Ensure evaluated content is not definable by external sources.
Ignore this finding from eval-detected.
No description provided.