bpo-39498 Start linking the security warnings in the stdlib modules #18272
ambv merged 5 commits into python:main from
Conversation
@willingc, what do you think about this?
This looks like a good idea, but there are more modules that I would think to add if we're going this route: marshal, multiprocessing, and random, to name a few.
The PR looks fine to me, but I'm not familiar enough with the security stuff to review the actual content. It looks like we don't have any devs that have registered themselves as "security" experts, but maybe @tiran can weigh in?
I also found:
Maybe @vstinner knows more, and we may find some others in the https://github.com/pycqa/bandit implementation.
By the way, I'm maintaining the https://python-security.readthedocs.io/ website. But I would prefer to migrate it under a .python.org domain before starting to mention it in the official documentation.
So between the additions in #18272 (review), #18272 (comment) and inside the link @vstinner sent (there's a section on dangerous modules and usage), I looked at "tagging" them in Sphinx, but it would add a whole bunch of code and engineering complexity that seemed unnecessary. To keep the scope narrow, this is a "security guidance for standard library modules" index?
This is a discussion for b.p.o, let's try to avoid discussing on PRs (other than reviewing the commits).
Thanks @tonybaloney for the PR, and @ambv for merging it 🌮🎉.. I'm working now to backport this PR to: 3.9.
Thanks @tonybaloney for the PR, and @ambv for merging it 🌮🎉.. I'm working now to backport this PR to: 3.10.
Sorry @tonybaloney and @ambv, I had trouble checking out the
…ythonGH-18272) Co-authored-by: Łukasz Langa <[email protected]> (cherry picked from commit c5c5326) Co-authored-by: Anthony Shaw <[email protected]>
GH-27696 is a backport of this pull request to the 3.10 branch.
GH-27699 is a backport of this pull request to the 3.9 branch.
…H-18272) Co-authored-by: Łukasz Langa <[email protected]> (cherry picked from commit c5c5326) Co-authored-by: Anthony Shaw <[email protected]>
…H-18272) (GH-27699) Co-authored-by: Łukasz Langa <[email protected]> (cherry picked from commit c5c5326) Co-authored-by: Anthony Shaw <[email protected]>
Within the documentation, there are some really important security considerations for standard library modules, e.g. subprocess, ssl, pickle, xml.
There is currently no "index" of these, so you have to go hunting for them. They're easter eggs within the docs. There isn't a unique admonition type either, so you have to search across many criteria.
In particular for security researchers, it would be useful to consolidate and signpost these security best practices in one index.
This PR links to some of the existing ones that I found.
https://bugs.python.org/issue39498
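To make concrete what the security sections this PR links to actually advise, here is an added example (not code from CPython, the PR, or its author) that puts three of the documented mitigations into runnable form for the modules named in the description: a restricted `Unpickler` for pickle, an argument list instead of a shell string for subprocess, and `ssl.create_default_context()` for TLS. The xml module's guidance is not covered here. All inputs are constructed for the demo; `SAFE_BUILTINS`, `RestrictedUnpickler`, `restricted_loads`, `pickle_demo`, `run_with_argument_list` and `default_tls_context_settings` are names chosen for this example.

```python
"""Added example: the mitigations the stdlib security warnings describe
for pickle, subprocess and ssl, in runnable form. Not CPython code."""
import builtins
import io
import pickle
import shlex
import ssl
import subprocess
import sys

# pickle: the docs warn never to unpickle untrusted data and show a
# restricted Unpickler as the mitigation. This allow-list (chosen for the
# example) resolves only a few harmless builtins and refuses every other global.
SAFE_BUILTINS = frozenset({"range", "slice", "set", "frozenset", "complex"})


class RestrictedUnpickler(pickle.Unpickler):
    def find_class(self, module, name):
        # Every global reference in the stream goes through here, so this
        # is the single choke point for what a pickle may resolve.
        if module == "builtins" and name in SAFE_BUILTINS:
            return getattr(builtins, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def restricted_loads(data: bytes):
    """Deserialize with the allow-listed Unpickler instead of pickle.loads()."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def pickle_demo():
    """Plain data round-trips; a pickle that names a module-level function is refused."""
    plain = pickle.dumps([1, 2, {"a": 3}, range(4)])  # constructed input
    names_global = pickle.dumps(shlex.quote)          # constructed input: a function, stored by name
    loaded = restricted_loads(plain)
    try:
        restricted_loads(names_global)
        refused = False
    except pickle.UnpicklingError:
        refused = True
    return loaded, refused


# subprocess: the docs advise passing an argument list (not shell=True) so a
# user-controlled value is never parsed by a shell. The child below simply
# echoes its first argument back, which shows the value arrived verbatim.
def run_with_argument_list(user_value: str) -> str:
    result = subprocess.run(
        [sys.executable, "-c", "import sys; print(sys.argv[1], end='')", user_value],
        capture_output=True, text=True, check=True,
    )
    return result.stdout


# ssl: the docs recommend create_default_context(), which verifies the peer
# certificate against the system trust store and checks the hostname.
def default_tls_context_settings():
    ctx = ssl.create_default_context()
    return ctx.verify_mode == ssl.CERT_REQUIRED, ctx.check_hostname


if __name__ == "__main__":
    loaded, refused = pickle_demo()
    print("restricted unpickle of plain data:", loaded)
    print("pickle naming a global refused:", refused)
    print("argument passed verbatim:", run_with_argument_list("report.txt; $(echo x) | cat"))
    print("default TLS context (verifies cert, checks hostname):", default_tls_context_settings())
```

The pickle part follows the "Restricting Globals" pattern from the pickle documentation; the allow-list itself is deliberately tiny, and a real application would extend it only with types it actually needs to load. The subprocess part shows why an argument list is the safe default: metacharacters in the value are just bytes in `argv`, with no shell present to interpret them.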