file/python/python-scanner.yaml

id: python-scanner

info:
  name: Python Scanner
  author: majidmc2
  severity: info
  description: Indicators for dangerous Python functions
  reference:
    - https://www.kevinlondon.com/2015/07/26/dangerous-python-functions.html
    - https://www.kevinlondon.com/2015/08/15/dangerous-python-functions-pt2.html
  tags: python,file,sast
file:
  - extensions:
      - py

    extractors:
      - type: regex
        name: code-injection
        regex:
          - 'exec'
          - 'eval'
          - '__import__'
          - 'execfile'

      - type: regex
        name: command-injection
        regex:
          - 'subprocess.call\(.*shell=True.*\)'
          - 'os.system'
          - 'os.popen\d?'
          - 'subprocess.run'
          - 'commands.getoutput'

      - type: regex
        name: untrusted-source
        regex:
          - 'pickle\.loads'
          - 'c?Pickle\.loads?'
          - 'marshal\.loads'
          - 'pickle\.Unpickler'

      - type: regex
        name: dangerous-yaml
        regex:
          - 'yaml\.load'
          - 'yaml\.safe_load'

      - type: regex
        name: sqli
        regex:
          - 'cursor\.execute'
          - 'sqlite3\.execute'
          - 'MySQLdb\.execute'
          - 'psycopg2\.execute'
          - 'cx_Oracle\.execute'
# digest: 4a0a00473045022100d5b183fba0418cf56693190a2b1b1112a53d5b2584f31c07241959a209caafac02200f7da04a1708afc23df42188fcae13c0efae39881a4179b4ecec77ce2e9843c7:922c64590222798bb761d5b6d8e72950
Add file/python 2021-10-24 16:48:44 +03:30			`id: python-scanner`

			`info:`
			`name: Python Scanner`
			`author: majidmc2`
			`severity: info`
update description 2023-08-11 10:25:18 +05:30			`description: Indicators for dangerous Python functions`
Update python-scanner.yaml 2021-10-25 14:35:29 +05:30			`reference:`
			`- https://www.kevinlondon.com/2015/07/26/dangerous-python-functions.html`
			`- https://www.kevinlondon.com/2015/08/15/dangerous-python-functions-pt2.html`
Update python-scanner.yaml 2021-10-25 14:35:43 +05:30			`tags: python,file,sast`
Add file/python 2021-10-24 16:48:44 +03:30			`file:`
			`- extensions:`
			`- py`

			`extractors:`
			`- type: regex`
misc formatting update 2021-10-25 16:03:46 +05:30			`name: code-injection`
Add file/python 2021-10-24 16:48:44 +03:30			`regex:`
			`- 'exec'`
			`- 'eval'`
			`- '__import__'`
Update python-scanner.yaml - Added new regex for code injection: 'execfile'. - Added new regex for command injection: 'subprocess.run', 'commands.getoutput'. Modified 'os.popen' regex for better detection. - Added new regex for untrusted source: 'marshal.loads', 'pickle.Unpickler'. - Modified 'dangerous-yaml' regex to include 'yaml.safe_load'. - Added new regex in 'sqli' for various database execute functions. 2023-08-04 12:57:44 +03:30			`- 'execfile'`
fix-template 2023-08-04 16:50:30 +05:30
Add file/python 2021-10-24 16:48:44 +03:30			`- type: regex`
misc formatting update 2021-10-25 16:03:46 +05:30			`name: command-injection`
Add file/python 2021-10-24 16:48:44 +03:30			`regex:`
			`- 'subprocess.call\(.shell=True.\)'`
			`- 'os.system'`
Update python-scanner.yaml - Added new regex for code injection: 'execfile'. - Added new regex for command injection: 'subprocess.run', 'commands.getoutput'. Modified 'os.popen' regex for better detection. - Added new regex for untrusted source: 'marshal.loads', 'pickle.Unpickler'. - Modified 'dangerous-yaml' regex to include 'yaml.safe_load'. - Added new regex in 'sqli' for various database execute functions. 2023-08-04 12:57:44 +03:30			`- 'os.popen\d?'`
			`- 'subprocess.run'`
			`- 'commands.getoutput'`
Add file/python 2021-10-24 16:48:44 +03:30
			`- type: regex`
misc formatting update 2021-10-25 16:03:46 +05:30			`name: untrusted-source`
Add file/python 2021-10-24 16:48:44 +03:30			`regex:`
Update python-scanner.yaml - Added new regex for code injection: 'execfile'. - Added new regex for command injection: 'subprocess.run', 'commands.getoutput'. Modified 'os.popen' regex for better detection. - Added new regex for untrusted source: 'marshal.loads', 'pickle.Unpickler'. - Modified 'dangerous-yaml' regex to include 'yaml.safe_load'. - Added new regex in 'sqli' for various database execute functions. 2023-08-04 12:57:44 +03:30			`- 'pickle\.loads'`
			`- 'c?Pickle\.loads?'`
			`- 'marshal\.loads'`
Update python-scanner.yaml - Fix minor syntax in last update 2023-08-04 12:59:31 +03:30			`- 'pickle\.Unpickler'`
Add file/python 2021-10-24 16:48:44 +03:30
			`- type: regex`
misc formatting update 2021-10-25 16:03:46 +05:30			`name: dangerous-yaml`
Add file/python 2021-10-24 16:48:44 +03:30			`regex:`
Update python-scanner.yaml - Added new regex for code injection: 'execfile'. - Added new regex for command injection: 'subprocess.run', 'commands.getoutput'. Modified 'os.popen' regex for better detection. - Added new regex for untrusted source: 'marshal.loads', 'pickle.Unpickler'. - Modified 'dangerous-yaml' regex to include 'yaml.safe_load'. - Added new regex in 'sqli' for various database execute functions. 2023-08-04 12:57:44 +03:30			`- 'yaml\.load'`
			`- 'yaml\.safe_load'`
Add file/python 2021-10-24 16:48:44 +03:30
			`- type: regex`
misc formatting update 2021-10-25 16:03:46 +05:30			`name: sqli`
Add file/python 2021-10-24 16:48:44 +03:30			`regex:`
Update python-scanner.yaml - Added new regex for code injection: 'execfile'. - Added new regex for command injection: 'subprocess.run', 'commands.getoutput'. Modified 'os.popen' regex for better detection. - Added new regex for untrusted source: 'marshal.loads', 'pickle.Unpickler'. - Modified 'dangerous-yaml' regex to include 'yaml.safe_load'. - Added new regex in 'sqli' for various database execute functions. 2023-08-04 12:57:44 +03:30			`- 'cursor\.execute'`
			`- 'sqlite3\.execute'`
			`- 'MySQLdb\.execute'`
			`- 'psycopg2\.execute'`
			`- 'cx_Oracle\.execute'`
Auto Template Signing [Thu Oct 19 13:13:50 UTC 2023] :robot: 2023-10-19 13:13:52 +00:00			`# digest: 4a0a00473045022100d5b183fba0418cf56693190a2b1b1112a53d5b2584f31c07241959a209caafac02200f7da04a1708afc23df42188fcae13c0efae39881a4179b4ecec77ce2e9843c7:922c64590222798bb761d5b6d8e72950`