Python analysis detects more security issues involving "import"

Hello Python developers,

As announced in our last communication about your favorite language, we have continued our effort to create a better Python analyzer.
This time we decided to tackle a new set of four security rules that understand imports and import aliasing.

  • S5439: HTML autoescape mechanism should not be globally disabled. (Security Vulnerability)
  • S2245: Using pseudorandom number generators (PRNGs) is security-sensitive. (Security Hotspot)
  • S4792: Configuring loggers is security-sensitive. (Security Hotspot)
  • S4787: Encrypting data is security-sensitive. (Security Hotspot)

Here are examples of these rules in action:

  • S5439: Template engines have an HTML autoescape mechanism that protects web applications against the most common cross-site scripting (XSS) vulnerabilities. By default, it automatically replaces HTML special characters in any template variable. This secure-by-design configuration should not be globally disabled.

  • S2245: When software generates predictable values in a context requiring unpredictability, it may be possible for an attacker to guess the next value that will be generated, and use this guess to impersonate another user or access sensitive information.
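The point of these rules is that they resolve imports and aliases before matching a call, so `rnd.getrandbits(...)` after `import random as rnd` is still recognized as a `random` call. The following is an added example, not code from SonarSource or the Python analyzer: a small AST-based checker in the spirit of S2245 that tracks `import`, `import ... as`, and `from ... import ... as` bindings and reports every call that resolves back to the `random` module, while leaving `secrets` alone. The sample source it scans is constructed for the example.

```python
import ast

# Constructed sample of the kinds of code such a rule has to see through:
# four different ways of reaching `random`, plus one `secrets` call that
# must not be reported.
SAMPLE = '''
import random
import random as rnd
from random import randint, choice as pick
import secrets

def tokens():
    a = random.random()          # direct module use
    b = rnd.getrandbits(32)      # aliased module
    c = randint(0, 9)            # from-import
    d = pick("abc")              # aliased from-import
    e = secrets.token_hex(16)    # cryptographically strong, not reported
    return a, b, c, d, e
'''

# Modules whose use is security-sensitive for this checker (hypothetical set).
SENSITIVE_MODULES = {"random"}


class PrngFinder(ast.NodeVisitor):
    """Resolve import bindings, then report calls that lead to a sensitive module."""

    def __init__(self):
        self.module_aliases = {}    # local name -> module name, e.g. {"rnd": "random"}
        self.function_aliases = {}  # local name -> qualified name, e.g. {"pick": "random.choice"}
        self.findings = []          # (line number, resolved qualified name)

    def visit_Import(self, node):
        # `import random` and `import random as rnd` both bind a module name.
        for alias in node.names:
            if alias.name in SENSITIVE_MODULES:
                self.module_aliases[alias.asname or alias.name] = alias.name
        self.generic_visit(node)

    def visit_ImportFrom(self, node):
        # `from random import choice as pick` binds a function under a local name.
        if node.module in SENSITIVE_MODULES:
            for alias in node.names:
                if alias.name != "*":
                    local = alias.asname or alias.name
                    self.function_aliases[local] = f"{node.module}.{alias.name}"
        self.generic_visit(node)

    def visit_Call(self, node):
        func = node.func
        if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
            # Attribute call: <module-or-alias>.<attr>(...)
            module = self.module_aliases.get(func.value.id)
            if module is not None:
                self.findings.append((node.lineno, f"{module}.{func.attr}"))
        elif isinstance(func, ast.Name):
            # Bare call: <imported-name-or-alias>(...)
            resolved = self.function_aliases.get(func.id)
            if resolved is not None:
                self.findings.append((node.lineno, resolved))
        # Keep walking so calls nested inside arguments are examined too.
        self.generic_visit(node)


def find_prng_calls(source):
    """Return [(line, qualified_name)] for every call resolving to a sensitive module."""
    finder = PrngFinder()
    finder.visit(ast.parse(source))
    return finder.findings


if __name__ == "__main__":
    for line, name in find_prng_calls(SAMPLE):
        print(f"line {line}: {name} is a pseudorandom number generator (S2245-style finding)")
```

Run on the constructed sample, it reports the four `random` calls on their respective lines and nothing for `secrets.token_hex`. The checker only follows import statements; a later rebinding such as `r = random` or a dynamic `importlib.import_module("random")` is outside what this simple visitor resolves, which is the kind of gap a real analyzer's symbol tracking has to close.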

Also, as a bonus of the improved import support, the following rules now raise more true-positive issues:

  • S4507: Delivering code in production with debug features activated is security-sensitive. (Security Hotspot)
  • S4790: Hashing data is security-sensitive. (Security Hotspot)

For more information you can read the changelog.

You can already enjoy these new features on SonarCloud. As for SonarQube, they will be built into the next version (8.0); in the meantime you can get them by installing v1.16 of the Python analysis engine.

All feedback is welcome.