pySCG: Adding documentation to CWE-175 as part of #531 #687
Conversation
Signed-off-by: edanhub <hubert.daniszewski@ericsson.com>
There was a problem hiding this comment.
code not working, line 12 and 15 are missing locale.CURRENT_LOCALE
docs/Secure-Coding-Guide-for-Python/CWE-707/CWE-175/compliant03.py
Outdated
Show resolved
Hide resolved
docs/Secure-Coding-Guide-for-Python/CWE-707/CWE-175/noncompliant03.py
Outdated
Show resolved
Hide resolved
myteron
changed the title
Signed-off-by: edanhub <hubert.daniszewski@ericsson.com>
| ```py | ||
| """ Code Example """ | ||
| import locale | ||
| word = "Title" |
There was a problem hiding this comment.
Getting:
Constant name "word" doesn't conform to UPPER_CASE naming stylePylintC0103:invalid-name
Maybe just capitalise "word" variable to silence the linters?
|
|
||
| dt = datetime.datetime(2022, 3, 9, 12, 55, 35, 000000) | ||
|
|
||
| def get_date(date): |
There was a problem hiding this comment.
Getting the following on Flake:
expected 2 blank lines, found 1Flake8(E302)
Missing function or method docstringPylintC0116:missing-function-docstring
| # Trying to exploit above code example | ||
| ##################### | ||
|
|
||
| CURRENT_LOCALE = 'en_IE.utf8' |
There was a problem hiding this comment.
Getting the following on Flake:
expected 2 blank lines after class or function definition, found 1Flake8(E305)
(constant) CURRENT_LOCALE: Literal['en_IE.utf8']
| # SPDX-FileCopyrightText: OpenSSF project contributors | ||
| # SPDX-License-Identifier: MIT | ||
| """ Compliant Code Example """ | ||
| import datetime, locale |
There was a problem hiding this comment.
Getting these linters giving out about multiple imports on one line:
Multiple imports on one lineRuffE401
Multiple imports on one line (datetime, locale)PylintC0410:multiple-imports
multiple imports on one lineFlake8(E401)
(module) datetime
| # SPDX-FileCopyrightText: OpenSSF project contributors | ||
| # SPDX-License-Identifier: MIT | ||
| """ Non-compliant Code Example """ | ||
| import datetime, locale |
There was a problem hiding this comment.
Linters giving out about linters on one line:
Multiple imports on one lineRuffE401
Multiple imports on one line (datetime, locale)PylintC0410:multiple-imports
multiple imports on one lineFlake8(E401)
(module) datetime
| # Trying to exploit above code example | ||
| ##################### | ||
|
|
||
| locale.setlocale(locale.LC_ALL, CURRENT_LOCALE) |
There was a problem hiding this comment.
Did you forget to initialise CURRENT_LOCALE in here?
|
|
||
| For example, reading values from a data file values might be misinterpreted if the developer is unaware that the program locale does not accommodate the data locale. | ||
|
|
||
| This simple code example does not set a locale and sets `ORIGINAL_NUMBER` for comparison to 12.345 (twelve point three-four-five). In Ireland, a comma is a thousands separator and a dot is a decimal separator. In Germany these are reversed, so a comma is a decimal separator and a decimal is a thousands separator. |
There was a problem hiding this comment.
| This simple code example does not set a locale and sets `ORIGINAL_NUMBER` for comparison to 12.345 (twelve point three-four-five). In Ireland, a comma is a thousands separator and a dot is a decimal separator. In Germany these are reversed, so a comma is a decimal separator and a decimal is a thousands separator. | |
| The `example03.py` code does not set a locale and sets `ORIGINAL_NUMBER` for comparison to 12.345 (twelve point three-four-five). In Ireland, a comma is a thousands separator and a dot is a decimal separator. In Germany these are reversed, so a comma is a decimal separator and a decimal is a thousands separator. |
| @@ -0,0 +1,27 @@ | |||
| # SPDX-FileCopyrightText: OpenSSF project contributors | |||
There was a problem hiding this comment.
I believe that example03.py can be simplified and that we should keep CLI interaction to a minimum. Its enough to experience that a 12.345 with a German local results in 12345.0.
| # SPDX-FileCopyrightText: OpenSSF project contributors | |
| # SPDX-FileCopyrightText: OpenSSF project contributors | |
| # SPDX-License-Identifier: MIT | |
| """ Non-compliant Code Example """ | |
| import locale | |
| def compare_number(number): | |
| input_number = locale.atof(input(f"Enter a number {number}: ")) | |
| print(f"Locale is {locale.getlocale()}, you entered {input_number}.") | |
| print(f"Does the number {number} match {input_number}? {number == input_number}") | |
| locale.setlocale(locale.LC_ALL, 'de_DE.utf8') | |
| compare_number(12.345) | |
| import locale | ||
| ORIGINAL_NUMBER = 12.345 # This will read as 12,345 in German | ||
|
|
||
| def compare_number(number): |
There was a problem hiding this comment.
Getting this from Flake:
expected 2 blank lines, found 1Flake8(E302)
Missing function or method docstringPylintC0116:missing-function-docstring
| # Test if inputted number equals current number | ||
| return number == input_number | ||
|
|
||
| print(f"Locale is {locale.getlocale()}") |
There was a problem hiding this comment.
Getting this from Flake:
expected 2 blank lines after class or function definition, found 1Flake8(E305)
(function) def print(
*values: object,
sep: str | None = " ",
end: str | None = "\n",
file: SupportsWrite[str] | None = None,
flush: Literal[False] = False
) -> None
Prints the values to a stream, or to sys.stdout by default.
sep
string inserted between values, default a space.
| print(f"Locale is {locale.getlocale()}") | ||
| print(f"Do the numbers match? {compare_number(ORIGINAL_NUMBER)}") | ||
|
|
||
| ## Locale is ('English_Ireland', '1252') |
There was a problem hiding this comment.
Linter also gives out everytime there is more than one "#" for me
too many leading '#' for block commentFlake8(E266)
| Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum. | ||
| Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.""" | ||
|
|
||
| output = io.BytesIO() |
There was a problem hiding this comment.
2 spaces here after "output"
Would change it myself but it won't let me!
| """ Non-compliant Code Example """ | ||
| import io | ||
|
|
||
| LOREM = """Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum. |
There was a problem hiding this comment.
Got a lot of "Line too long" from Pylint... not sure if we care about this though:
Line too long (456/100)PylintC0301:line-too-long
(constant) LOREM: Literal['Lorem ipsum dolor sit amet, consectetur adipiscing…']
Got that for lines 6,7,8 and 18
| """ Compliant Code Example """ | ||
| import io | ||
|
|
||
| LOREM = """Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum. |
There was a problem hiding this comment.
Pylint giving out that lines 6, 7 and 8 are too long... not sure if we care though...
| Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum. | ||
| Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.""" | ||
|
|
||
| output = io.BytesIO() |
There was a problem hiding this comment.
2 spaces after "output" here
Adding documentation to CWE-175 as part of #531