Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Begin adding material CWE-74 (CWE-79 and CWE-94) #715

Open
wants to merge 1 commit into
base: main
Choose a base branch
from

Conversation

david-a-wheeler
Copy link
Contributor

Here is a start add subclasses of CWE-74, specifically CWE-79 and CWE-94. CWE-79 is one of the most common vulnerabilities on the planet, including code written in Python, so saying nothing about it would be a mistake.
This is complicated because the only proper solutions to CWE-79 are external modules, which are out of scope. However, I think it's reasonable to make it clear that you cannot solve this at scale with only the built-in modules, so you must think beyond it.

I didn't try to fill in the examples, because I wanted to see if this was a reasonable direction first.

Here is a start add subclasses of CWE-74, specifically
CWE-79 and CWE-94. CWE-79 is one of the most common
vulnerabilities on the planet, including code written in Python,
so saying *nothing* about it would be a mistake.
This is complicated because the only proper solutions to
CWE-79 are external modules, which are out of scope.
However, I think it's reasonable to make it clear that you
*cannot* solve this at scale with only the built-in modules, so
you *must* think beyond it.

I didn't try to fill in the examples, because I wanted to see if
this was a reasonable direction first.

Signed-off-by: David A. Wheeler <[email protected]>
@myteron
Copy link
Contributor

myteron commented Dec 18, 2024

This PR is related issue #680, some related CWEs such as 184 in the process of getting moved to GitHub as part of #531

To help find code examples, see existing related rules:

Some of the CWEs in this PR rule have code examples or CVEs might have patches listed:
CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') has a Python code examples on mitre.org and a Python related CVE:

  • CVE-2022-36069 CVSSv3.x 7.3 Python-based dependency management tool avoids OS command injection when generating Git commands but allows injection of optional arguments with input beginning with a dash

CWE-79: Improper Neutralization of Input During Web Page Generation('Cross-site Scripting') no python code on mitre but following CVEs listed:

  • CVE-2021-25926 CVSSv3.x 6.1 Python Library Manager did not sufficiently neutralize a user-supplied search term, allowing reflected XSS.
  • CVE-2021-25963 CVSSv3.x 6.1 Python-based e-commerce platform did not escape returned content on error pages, allowing for reflected Cross-Site Scripting attacks.

CWE-94: Improper Control of Generation of Code ('Code Injection') has Python code examples on mitre.org and a bunch of CVEs, here only a few of the latest:

  • CVE-2023-29374 CVSSv3.x 9.8 Math component in an LLM framework translates user input into a Python expression that is input into the Python exec() method, allowing code execution - one variant of a "prompt injection" attack.
  • CVE-2024-5565 CVSSv3.x 8.1 Python-based library uses an LLM prompt containing user input to dynamically generate code that is then fed as input into the Python exec() method, allowing code execution - one variant of a "prompt injection" attack.
  • CVE-2022-2054 CVSSv3.x 7.8 Python compiler uses eval() to execute malicious strings as Python code.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants