Pylint plugin to enforce some secure coding standards for Python.

Last update: Jan 4, 2022

Overview

Pylint Secure Coding Standard Plugin

pylint plugin that enforces some secure coding standards.

Installation

pip install pylint-secure-coding-standard

Pylint codes

Code	Description
R8000	Use `os.path.realpath()` instead of `os.path.abspath()` and `os.path.relpath()`
E8001	Avoid using `exec()` and `eval()`
E8002	Avoid using `os.sytem()`
E8003	Avoid using `shell=True` in subprocess functions or using functions that internally set this
R8004	Avoid using `tempfile.mktemp()`, prefer `tempfile.mkstemp()` instead
E8005	Avoid using unsafe PyYAML loading functions
E8006	Avoid using `jsonpickle.decode()`
C8007	Avoid debug statement in production code
C8008	Avoid `assert` statements in production code
R8009	Use of builtin `open` for writing is discouraged in favor of `os.open` to allow for setting file permissions
E8010	Avoid using `os.popen()` as it internally uses `subprocess.Popen` with `shell=True`
E8011	Use of `shlex.quote()` should be avoided on non-POSIX platforms
W8012	Avoid using `os.open()` with unsafe permissions permissions
E8013	Avoid using `pickle.load()` and `pickle.loads()`
E8014	Avoid using `marshal.load()` and `marshal.loads()`
E8015	Avoid using `shelve.open()`
W8016	Avoid using `os.mkdir` and `os.makedirs` with unsafe file permissions
W8017	Avoid using `os.mkfifo` with unsafe file permissions
W8018	Avoid using `os.mknod` with unsafe file permissions
W8019	Avoid using `os.chmod` with unsafe permissions (W ^ X for group and others)

Plugin configuration options

This plugin supports some configuration options that may either be specified directly on the command line with a flag using the option name as --name or by specifying them in one of pylint's configuration files (ie. pyproject.toml, pylintrc, etc.).

Available options:

Option name	Option type	Related error code
os-open-mode	mode-like	W8012
os-mkdir-mode	mode-like	E8016
os-mkfifo-mode	mode-like	E8017
os-mknod-mode	mode-like	E8018

Mode-like options

Mode-like options are configuration options for errors/warnings that relate to some function that accepts a mode parameter (or similar) that control some file or directory permissions. For those kind of options, the plugin understands a variety of values that must be specified as string. They will then be parsed into a list of allowed mode values:

Any positive, non-zero (octal or decimal) integer value specifies the maximum value for the mode value
A comma-separated list of (octal or decimal) integers indicates the list of allowed mode values
'y', 'yes', 'true' (case-insensitive) will turn on the warnings using the default value of 0o755
'n', 'no', 'false' (case-insensitive) will turn off the warnings

Example of values:

    [tool.pylint.plugins]
    os-open-mode = '0'            # check disabled
    os-open-mode = 'no'           # check disabled
    os-open-mode = '493'          # all modes from 0 to 493 (=0o755)
    os-open-mode = '0o755'        # all modes from 0 to 0o755
    os-open-mode = '0o755,'       # only 0o755 (notice the comma)
    os-open-mode = '0o644,0o755'  # only 0o644 and 0o755

You can also specify those options directly on the command line:

python3 -m pylint --load-plugins=pylint_secure_coding_standard --os-open-mode='0o755'

Pre-commit hook

See pre-commit for instructions

Sample .pre-commit-config.yaml:

  - repo: https://github.com/PyCQA/pylint/
    rev: pylint-2.6.0
    hooks:
    -   id: pylint
        args: [--load-plugins=pylint_secure_coding_standard]
        additional_dependencies: ['pylint-secure-coding-standard']

Comments

[RFC] Some additional recommendations
Hey @Takishima !

Many thanks for this plugin ; I was about to start working on something similar yesterday, just before I came across yours.

Please find below some additional recommendations/rules I was thinking about :

[x] Avoid using os.popen as well (as it internally uses subprocess.Popen with shell=True) (see #6)

[x] If the current platform is Windows, avoid using shlex.quote (see python/cpython#21502). Of course, the development platform could be different from the production one, but it could be a good start (see #7)

[x] When using os.open, maybe enforce some additional recommendations on mode attribute :

~~Encouraging octal format (?)~~

Discouraging setuid, setgid and sticky bit

Discouraging any mode offering W ^ X (at least for group and other)

EDIT

[x] #14

[x] #15

[x] #9

loop.subprocess_shell (asyncio)

subprocess.getstatusoutput & subprocess.getoutput

EDIT 2

[x] Avoid using pickle.load & pickle.loads

[x] Avoid using marshal.load & marshal.loads

[x] Avoid using shelve.open

Of course, I can contribute (and will if needed), but I wanted first to ask what would you think about that.

Bye 👋
opened by HorlogeSkynet 8
Bump thomaseizinger/create-pull-request from 1.2.2 to 1.3.0
Bumps thomaseizinger/create-pull-request from 1.2.2 to 1.3.0.

Changelog

Sourced from thomaseizinger/create-pull-request's changelog.

1.3.0 - 2022-12-12

Added

Support for adding team reviewers by setting team_reviewers

Support for adding assignees by setting assignees

Changed

Execute action using node16 instead of node12 which is now deprecated.

1.2.0 - 2021-07-26

Added

Support for adding labels by setting labels

Check for existing pull request and created action output

1.1.0 - 2021-06-16

Added

Git hook to make sure we always run yarn build before committing any Typescript changes. This should prevent dist/index.js from getting out of date.

Support for setting a proxy using the HTTPS_PROXY environment variable

Support for GitHub Enterprise by reading process.env.GITHUB_REPOSITORY

Fixed

action.yml suggested to use github-token as the input where as in reality, we are looking for an input github_token (note the underscore!)

1.0.0 - 2020-02-15

Added

Initial release!

Commits

e397221 Bump nodejs to 16

321712c Merge pull request #235 from thomaseizinger/dependabot/npm_and_yarn/minimatch...

030f6ac Update changelog

7cc0778 Rebuild action

41ea577 Bump minimatch from 3.0.4 to 3.1.2

335eb12 Merge pull request #223 from thomaseizinger/dependabot/npm_and_yarn/decode-ur...

32a080b Merge pull request #224 from thomaseizinger/dependabot/npm_and_yarn/qs-6.5.3

16cf612 Bump qs from 6.5.2 to 6.5.3

5f467bf Bump decode-uri-component from 0.2.0 to 0.2.2

08c462e Merge pull request #215 from thomaseizinger/dependabot/npm_and_yarn/actions/c...

Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR

@dependabot recreate will recreate this PR, overwriting any edits that have been made to it

@dependabot merge will merge this PR after your CI passes on it

@dependabot squash and merge will squash and merge this PR after your CI passes on it

@dependabot cancel merge will cancel a previously requested merge and block automerging

@dependabot reopen will reopen this PR if it is closed

@dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually

@dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)

@dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)

@dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

dependencies
opened by dependabot[bot] 1
[pre-commit.ci] pre-commit autoupdate
updates:

github.com/Lucas-C/pre-commit-hooks: v1.3.0 → v1.3.1

github.com/Lucas-C/pre-commit-hooks: v1.3.0 → v1.3.1

github.com/psf/black: 22.6.0 → 22.8.0

github.com/PyCQA/flake8: 4.0.1 → 5.0.4
opened by pre-commit-ci[bot] 1
Release version 1.4.1

Hi @Takishima! This PR was created in response to a manual trigger of the release workflow here: https://github.com/Takishima/pylint-secure-coding-standard/actions/runs/2268422485. I've updated the changelog and bumped the versions in the manifest files in this commit: e31000ab17088b2eb6d394a1922265f002e3f745. Merging this PR will create a GitHub release and upload any assets that are created as part of the release build.

opened by github-actions[bot] 1
Bump github/codeql-action from 1 to 2
Bumps github/codeql-action from 1 to 2.

Changelog

Sourced from github/codeql-action's changelog.

2.1.9 - 27 Apr 2022

Add working-directory input to the autobuild action. #1024

The analyze and upload-sarif actions will now wait up to 2 minutes for processing to complete after they have uploaded the results so they can report any processing errors that occurred. This behavior can be disabled by setting the wait-for-processing action input to "false". #1007

Update default CodeQL bundle version to 2.9.0.

Fix a bug where status reporting fails on Windows. #1042

2.1.8 - 08 Apr 2022

Update default CodeQL bundle version to 2.8.5. #1014

Fix error where the init action would fail due to a GitHub API request that was taking too long to complete #1025

2.1.7 - 05 Apr 2022

A bug where additional queries specified in the workflow file would sometimes not be respected has been fixed. #1018

2.1.6 - 30 Mar 2022

[v2+ only] The CodeQL Action now runs on Node.js v16. #1000

Update default CodeQL bundle version to 2.8.4. #990

Fix a bug where an invalid commit_oid was being sent to code scanning when a custom checkout path was being used. #956

Commits

3962f1b Bump glob from 7.1.7 to 8.0.1

9daf1de Update references to release branches

bce749b Improve consistency of variable references in Bash

fce4a01 Update the major version tag within the release process

bac9320 Update description of "Tag release and merge back" workflow

b3bf557 Merge branch 'main' into henrymercer/handle-merge-conflicts-in-releases

f6312f1 Commit any conflicts during v1 backport to simplify release process

See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR

@dependabot recreate will recreate this PR, overwriting any edits that have been made to it

@dependabot merge will merge this PR after your CI passes on it

@dependabot squash and merge will squash and merge this PR after your CI passes on it

@dependabot cancel merge will cancel a previously requested merge and block automerging

@dependabot reopen will reopen this PR if it is closed

@dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually

@dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)

@dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)

@dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

dependencies
opened by dependabot[bot] 1
[pre-commit.ci] pre-commit autoupdate
updates:

github.com/Lucas-C/pre-commit-hooks: v1.1.12 → v1.1.13

github.com/Lucas-C/pre-commit-hooks: v1.1.12 → v1.1.13

github.com/mgedmin/check-manifest: 0.47 → 0.48
opened by pre-commit-ci[bot] 1
[pre-commit.ci] pre-commit autoupdate
updates:

github.com/Lucas-C/pre-commit-hooks: v1.1.10 → v1.1.11

github.com/Lucas-C/pre-commit-hooks: v1.1.10 → v1.1.11

github.com/psf/black: 21.12b0 → 22.1.0
opened by pre-commit-ci[bot] 1
Bump dangoslen/changelog-enforcer from 2 to 3
Bumps dangoslen/changelog-enforcer from 2 to 3.

Release notes

Sourced from dangoslen/changelog-enforcer's releases.

Changelog Enforcer 3.0.0

:rocket: The 3.0.0 release of the Changelog Enforcer is here! This release relies soley on the GitHub API instead of local git commands from a cloned repository. This means, for example, that actions/checkout does not need to be run before running the enforcer.

Fixes

Fixes issue #142

Dependencies

Bumps @vercel/ncc from 0.28.6 to 0.31.1

Bumps @actions/core from 1.4.0 to 1.6.0

Bumps jest from 27.0.5 to 27.3.1

Bumps actions/checkout from 2.3.4 to 2.4.0

Bumps uglify-js from 3.13.9 to 3.14.3

Bumps eslint from 7.28.0 to 8.2.0

Changelog Enforcer 2.3.1

Changed

Only runs on pull_request and pull_request_target events. This is to address issue #140

Changelog Enforcer 2.3.0

Dependencies

Bumps lodash from 4.17.19 to 4.17.21

Bumps stefanzweifel/git-auto-commit-action from 4 to 4.11.0

Bumps actions/checkout from 2 to 2.3.4

Bumps actions/create-release from 1 to 1.1.4

Bumps uglify-js from 3.13.3 to 3.13.9

Bumps eslint from 7.25.0 to 7.28.0

Bumps @vercel/ncc from 0.28.2 to 0.28.6

Bumps @actions/github from 4.0.0 to 5.0.0

Bumps dangoslen/dependabot-changelog-helper from 0.3.2 to 1

Bumps @actions/exec from 1.0.4 to 1.1.0

Bumps @actions/core from 1.2.7 to 1.4.0

Bumps jest from 26.6.3 to 27.0.5

Bumps ws from 7.4.0 to 7.5.3

Changelog Enforcer 2.2.0

Internal Changes

The pull_request workflow now executes as a pull_request_target workflow to handle incoming pull requests from forked repos.

This is needed because Dependabot now works as a forked branch. The reasoning and ways to accomodate are listed in a GitHub Security article

The verified label is needed to allow the workflow to execute

Dependencies

Bumps uglify-js from 3.13.2 to 3.13.3

Bumps y18n from 4.0.1 to 5.0.8

Bumps @vercel/ncc from 0.27.0 to 0.28.2

Bumps @actions/core from 1.2.6 to 1.2.7

Bumps eslint from 7.23.0 to 7.25.0

Changelog Enforcer 2.1.0

Deprecated

The input versionPattern is now deprecated. Starting in v3.0.0 the Changelog Enforcer will only work with Keep a Changelog for verifying the latest expected version.

Dependencies

Bumps eslint from 7.21.0 to 7.23.0

Bumps uglify-js from 3.13.0 3.13.2

... (truncated)

Changelog

Sourced from dangoslen/changelog-enforcer's changelog.

CHANGELOG

Inspired from Keep a Changelog

[v3.0.0]

:rocket: The 3.0.0 release of the Changelog Enforcer is here! This release relies soley on the GitHub API instead of local git commands from a cloned repository. This means, for example, that actions/checkout does not need to be run before running the enforcer.

Fixes

Fixes issue #142

Dependencies

Bumps @vercel/ncc from 0.28.6 to 0.31.1

Bumps @actions/core from 1.4.0 to 1.6.0

Bumps jest from 27.0.5 to 27.3.1

Bumps actions/checkout from 2.3.4 to 2.4.0

Bumps uglify-js from 3.13.9 to 3.14.3

Bumps eslint from 7.28.0 to 8.2.0

[v2.3.1]

Changed

Only runs on pull_request and pull_request_target events. This is to address issue #140

[v2.3.0]

Dependencies

Bumps lodash from 4.17.19 to 4.17.21

Bumps stefanzweifel/git-auto-commit-action from 4 to 4.11.0

Bumps actions/checkout from 2 to 2.3.4

Bumps actions/create-release from 1 to 1.1.4

Bumps uglify-js from 3.13.3 to 3.13.9

Bumps eslint from 7.25.0 to 7.28.0

Bumps @vercel/ncc from 0.28.2 to 0.28.6

Bumps @actions/github from 4.0.0 to 5.0.0

Bumps dangoslen/dependabot-changelog-helper from 0.3.2 to 1

Bumps @actions/exec from 1.0.4 to 1.1.0

Bumps @actions/core from 1.2.7 to 1.4.0

Bumps jest from 26.6.3 to 27.0.5

Bumps ws from 7.4.0 to 7.5.3

[v2.2.0]

Changed

The pull_request workflow now executes as a pull_request_target workflow to handle incoming pull requests from forked repos.

This is needed because Dependabot now works as a forked branch. The reasoning and ways to accommodate are listed in a GitHub Security article

The verified label is needed to allow the workflow to execute

Dependencies

Bumps uglify-js from 3.13.2 to 3.13.3

Bumps y18n from 4.0.1 to 5.0.8

Bumps @vercel/ncc from 0.27.0 to 0.28.2

Bumps @actions/core from 1.2.6 to 1.2.7

Bumps eslint from 7.23.0 to 7.25.0

Bumps hosted-git-info from 2.8.8 to 2.8.9

[v2.1.0]

Deprecated

... (truncated)

Commits

ac0fdae Releases/v3.0 (#169)

See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR

@dependabot recreate will recreate this PR, overwriting any edits that have been made to it

@dependabot merge will merge this PR after your CI passes on it

@dependabot squash and merge will squash and merge this PR after your CI passes on it

@dependabot cancel merge will cancel a previously requested merge and block automerging

@dependabot reopen will reopen this PR if it is closed

@dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually

@dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)

@dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)

@dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

dependencies
opened by dependabot[bot] 1
Bump thomaseizinger/create-pull-request from 1.2.1 to 1.2.2
Bumps thomaseizinger/create-pull-request from 1.2.1 to 1.2.2.

Commits

ed928d9 Merge pull request #174 from uluzox/master

c12554b add input 'repository'

843eecc Merge pull request #164 from thomaseizinger/dependabot/npm_and_yarn/tar-4.4.19

96bcc57 Bump tar from 4.4.15 to 4.4.19

330dc75 Merge pull request #157 from thomaseizinger/dependabot/npm_and_yarn/path-pars...

6e35354 Bump path-parse from 1.0.6 to 1.0.7

133e95e Merge pull request #151 from thomaseizinger/dependabot/npm_and_yarn/node-fetc...

900803c Bump node-fetch from 2.6.0 to 2.6.1

56ebc60 Merge pull request #145 from thomaseizinger/remove-eslint

4a98166 Run build script

Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR

@dependabot recreate will recreate this PR, overwriting any edits that have been made to it

@dependabot merge will merge this PR after your CI passes on it

@dependabot squash and merge will squash and merge this PR after your CI passes on it

@dependabot cancel merge will cancel a previously requested merge and block automerging

@dependabot reopen will reopen this PR if it is closed

@dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually

@dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)

@dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)

@dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

dependencies
opened by dependabot[bot] 1
Bump thomaseizinger/keep-a-changelog-new-release from 1.2.1 to 1.3.0
Bumps thomaseizinger/keep-a-changelog-new-release from 1.2.1 to 1.3.0.

Release notes

Sourced from thomaseizinger/keep-a-changelog-new-release's releases.

1.3.0

Added

New optional tag argument allowing v-prefixed versions

Changed

The version argument is no longer required

Deprecated

The version argument will be replaced in favor of the tag argument

Changelog

Sourced from thomaseizinger/keep-a-changelog-new-release's changelog.

[1.3.0] - 2021-10-12

Added

New optional tag argument allowing v-prefixed versions

Changed

The version argument is no longer required

Deprecated

The version argument will be replaced in favor of the tag argument

Commits

5bc2328 Merge pull request #11 from h4sh3d/add-tag-argument

7e9f6cc Document new tag argument

576342e New tag argument to control prefix of version

See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR

@dependabot recreate will recreate this PR, overwriting any edits that have been made to it

@dependabot merge will merge this PR after your CI passes on it

@dependabot squash and merge will squash and merge this PR after your CI passes on it

@dependabot cancel merge will cancel a previously requested merge and block automerging

@dependabot reopen will reopen this PR if it is closed

@dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually

@dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)

@dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)

@dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

dependencies
opened by dependabot[bot] 1
Bump thomaseizinger/create-pull-request from 1.2.0 to 1.2.1
Bumps thomaseizinger/create-pull-request from 1.2.0 to 1.2.1.

Changelog

Sourced from thomaseizinger/create-pull-request's changelog.

Changelog

All notable changes to this project will be documented in this file.

The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.

[Unreleased]

Commits

6039001 Use github.actor instead of hardcoded name

f3b6912 Added labels to action.yml (#75)

8aa44c8 Update CHANGELOG.md

See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR

@dependabot recreate will recreate this PR, overwriting any edits that have been made to it

@dependabot merge will merge this PR after your CI passes on it

@dependabot squash and merge will squash and merge this PR after your CI passes on it

@dependabot cancel merge will cancel a previously requested merge and block automerging

@dependabot reopen will reopen this PR if it is closed

@dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually

@dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)

@dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)

@dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

dependencies
opened by dependabot[bot] 1
[pre-commit.ci] pre-commit autoupdate
updates:

github.com/pre-commit/pre-commit-hooks: v4.3.0 → v4.4.0

https://github.com/PyCQA/doc8/: v1.0.0 → v1.1.1

github.com/PyCQA/isort: 5.10.1 → 5.11.4

github.com/psf/black: 22.10.0 → 22.12.0

github.com/asottile/pyupgrade: v3.2.0 → v3.3.1

github.com/PyCQA/flake8: 5.0.4 → 6.0.0

github.com/mgedmin/check-manifest: 0.48 → 0.49
opened by pre-commit-ci[bot] 1

Releases(v1.4.1)

v1.4.1(May 4, 2022)
Fixed

Fixed uses of of pylint.testutils.MessageTest instead of pylint.testutils.Message for Pylint >= 2.12

Fixed failing tests due to missing ignore_position argument to assertAddsMessages()

Repository

Update black hook to v22.3.0

Update check-manifest hook to v0.48

Update isort hook to v5.10.1

Update flake8 hook to v4.0.1

Update pre-commit/pre-commit-hooks to v4.2.0

Update Lucas-C/pre-commit-hooks hook to v1.1.13

Update dangoslen/changelog-enforcer GitHub action to v3

Update thomaseizinger/create-pull-request GitHub action to v1.2.2

Update thomaseizinger/keep-a-changelog-new-release GitHub action to v1.3.0

Update GitHub's CodeQL action to v2

Update parse-changelog version to v0.4.7

Fixed issue with release publishing GitHub workflow

Source code(tar.gz)
Source code(zip)
pylint-secure-coding-standard-1.4.1.tar.gz(26.50 KB)
pylint_secure_coding_standard-1.4.1-py2.py3-none-any.whl(13.23 KB)
v1.4.0(Jul 29, 2021)
Added

Added W8016 to warn when using os.mkdir and os.makedir with unsafe permissions (UNIX-only)

Added W8017 to warn when using os.mkfifo with unsafe permissions (UNIX-only)

Added W8018 to warn when using os.mknod with unsafe permissions (UNIX-only)

Added W8019 to warn when using os.chmod with unsafe permissions (all except Windows)

Updated

Refactor configuration option parsing for mode-like options

Fixed

Critical typo for msgs attribute of the plugin class. This effectively rendered any previous version useless as pylint would not recognize the warning/error messages

Repository

Restrict running some GitHub actions when a pull request is merged

Source code(tar.gz)
Source code(zip)
pylint-secure-coding-standard-1.4.0.tar.gz(26.10 KB)
pylint_secure_coding_standard-1.4.0-py2.py3-none-any.whl(13.23 KB)
v1.3.1(Jul 27, 2021)
Updated

Update unit tests for os.open()

Fixed

Fix issue when processing keyword arguments for os.open()

Repository

Restrict running some GitHub actions only when pull requests are updated

Source code(tar.gz)
Source code(zip)
pylint-secure-coding-standard-1.3.1.tar.gz(22.17 KB)
pylint_secure_coding_standard-1.3.1-py2.py3-none-any.whl(11.51 KB)
v1.3.0(Jul 26, 2021)
Added

Add plugin option to control whether we favour os.open over the builtin open

Added W8012 to warn when using os.open with unsafe permissions

Added E8013 to avoid using pickle.load and pickle.loads

Added E8014 to avoid using marshal.load and marshal.loads

Added E8015 to avoid using shelve.open

Fixed

Fixed a few test function names

Repository

Update pre-commit hooks

Update thomaseizinger/create-pull-request GiHub action

Source code(tar.gz)
Source code(zip)
pylint-secure-coding-standard-1.3.0.tar.gz(21.90 KB)
pylint_secure_coding_standard-1.3.0-py2.py3-none-any.whl(11.50 KB)
v1.2.1(Jul 19, 2021)
Reworded E8003 and extend it to include a few more cases:

subprocess.getoutput()

subprocess.getstatusoutput()

asyncio.create_subprocess_shell()

loop.subprocess_shell()

Source code(tar.gz)
Source code(zip)
pylint-secure-coding-standard-1.2.1.tar.gz(18.24 KB)
pylint_secure_coding_standard-1.2.1-py2.py3-none-any.whl(9.60 KB)
v1.2.0(Jul 19, 2021)
Added

Added E8010 to avoid using os.popen() as it internally uses subprocess.Popen with shell=True

Added E8011 to avoid using shlex.quote() on non-POSIX platforms.

Source code(tar.gz)
Source code(zip)
pylint-secure-coding-standard-1.2.0.tar.gz(17.62 KB)
pylint_secure_coding_standard-1.2.0-py2.py3-none-any.whl(9.35 KB)
v1.1.0(Jul 2, 2021)
Added

Added R8009 to prefer os.open() to the builtin open when in writing mode

Repository

Update pre-commit configuration

Source code(tar.gz)
Source code(zip)
pylint-secure-coding-standard-1.1.0.tar.gz(16.76 KB)
pylint_secure_coding_standard-1.1.0-py2.py3-none-any.whl(8.88 KB)
v1.0.0(Jun 21, 2021)

Initial release
Source code(tar.gz)
Source code(zip)
pylint-secure-coding-standard-1.0.0.tar.gz(16.01 KB)
pylint_secure_coding_standard-1.0.0-py2.py3-none-any.whl(8.50 KB)

Owner

Nguyen Damien

Quantum Algorithm/Software Researcher and Engineer

GitHub

Enforce the same configuration across multiple projects

Nitpick Flake8 plugin to enforce the same tool configuration (flake8, isort, mypy, Pylint...) across multiple Python projects. Useful if you maintain

315 Dec 25, 2022

flake8 plugin to run black for checking Python coding style

flake8-black Introduction This is an MIT licensed flake8 plugin for validating Python code style with the command line code formatting tool black. It

146 Dec 15, 2022

Flake8 plugin that checks import order against various Python Style Guides

flake8-import-order A flake8 and Pylama plugin that checks the ordering of your imports. It does not check anything else about the imports. Merely tha

270 Nov 24, 2022

A plugin for Flake8 finding likely bugs and design problems in your program. Contains warnings that don't belong in pyflakes and pycodestyle.

flake8-bugbear A plugin for Flake8 finding likely bugs and design problems in your program. Contains warnings that don't belong in pyflakes and pycode

869 Dec 30, 2022

❄️ A flake8 plugin to help you write better list/set/dict comprehensions.

flake8-comprehensions A flake8 plugin that helps you write better list/set/dict comprehensions. Requirements Python 3.6 to 3.9 supported. Installation

398 Dec 23, 2022

flake8 plugin that integrates isort

Flake8 meet isort Use isort to check if the imports on your python files are sorted the way you expect. Add an .isort.cfg to define how you want your

139 Nov 8, 2022

Flake8 plugin to find commented out or dead code

flake8-eradicate flake8 plugin to find commented out (or so called "dead") code. This is quite important for the project in a long run. Based on eradi

277 Dec 27, 2022

A plugin for flake8 integrating Mypy.

flake8-mypy NOTE: THIS PROJECT IS DEAD It was created in early 2017 when Mypy performance was often insufficient for in-editor linting. The Flake8 plu

103 Jun 23, 2022

A plugin for Flake8 that checks pandas code

pandas-vet pandas-vet is a plugin for flake8 that provides opinionated linting for pandas code. It began as a project during the PyCascades 2019 sprin

146 Dec 28, 2022

flake8 plugin to catch useless `assert` statements

flake8-useless-assert flake8 plugin to catch useless assert statements Download or install on the PyPI page Violations Code Description Example ULA001

1 Feb 12, 2022

Tool to automatically fix some issues reported by flake8 (forked from autoflake).

autoflake8 Introduction autoflake8 removes unused imports and unused variables from Python code. It makes use of pyflakes to do this. autoflake8 also

27 Sep 8, 2022

Simple Python style checker in one Python file

pycodestyle (formerly called pep8) - Python style guide checker pycodestyle is a tool to check your Python code against some of the style conventions

4.7k Jan 1, 2023

Optional static typing for Python 3 and 2 (PEP 484)

Mypy: Optional Static Typing for Python Got a question? Join us on Gitter! We don't have a mailing list; but we are always happy to answer questions o

14.4k Jan 8, 2023

A Python Parser

parso - A Python Parser Parso is a Python parser that supports error recovery and round-trip parsing for different Python versions (in multiple Python

520 Dec 26, 2022

A simple program which checks Python source files for errors

Pyflakes A simple program which checks Python source files for errors. Pyflakes analyzes programs and detects various errors. It works by parsing the

1.2k Dec 30, 2022

Performant type-checking for python.

Pyre is a performant type checker for Python compliant with PEP 484. Pyre can analyze codebases with millions of lines of code incrementally – providi

6.2k Jan 4, 2023

A static type analyzer for Python code

pytype - ?? ✔ Pytype checks and infers types for your Python code - without requiring type annotations. Pytype can: Lint plain Python code, flagging c

4k Dec 31, 2022

The strictest and most opinionated python linter ever!

wemake-python-styleguide Welcome to the strictest and most opinionated python linter ever. wemake-python-styleguide is actually a flake8 plugin with s

2.1k Jan 1, 2023

Static type checker for Python

Static type checker for Python Speed Pyright is a fast type checker meant for large Python source bases. It can run in a “watch” mode and performs fas

9.2k Jan 3, 2023

Pylint plugin to enforce some secure coding standards for Python.

Related tags

Overview

Pylint Secure Coding Standard Plugin

Installation

Pylint codes

Plugin configuration options

Mode-like options

Pre-commit hook

Comments

1.3.0 - 2022-12-12

Added

Changed

1.2.0 - 2021-07-26

Added

1.1.0 - 2021-06-16

Added

Fixed

1.0.0 - 2020-02-15

Added

2.1.9 - 27 Apr 2022

2.1.8 - 08 Apr 2022

2.1.7 - 05 Apr 2022

2.1.6 - 30 Mar 2022

Changelog Enforcer 3.0.0

Fixes

Dependencies

Changelog Enforcer 2.3.1

Changed

Changelog Enforcer 2.3.0

Dependencies

Changelog Enforcer 2.2.0

Internal Changes

Dependencies

Changelog Enforcer 2.1.0

Deprecated

Dependencies

CHANGELOG

[v3.0.0]

Fixes

Dependencies

[v2.3.1]

Changed

[v2.3.0]

Dependencies

[v2.2.0]

Changed

Dependencies

[v2.1.0]

Deprecated

1.3.0

Added

Changed

Deprecated

[1.3.0] - 2021-10-12

Added

Changed

Deprecated

Changelog

[Unreleased]

Releases(v1.4.1)

v1.4.1(May 4, 2022)

Fixed

Repository

v1.4.0(Jul 29, 2021)

Added

Updated

Fixed

Repository

v1.3.1(Jul 27, 2021)

Updated

Fixed

Repository

v1.3.0(Jul 26, 2021)

Added

Fixed

Repository

v1.2.1(Jul 19, 2021)

v1.2.0(Jul 19, 2021)

Added