Security Test on PyBitmessage Branch Master

BM-2cUNNhAmbvBqsxDoXvofyCmTtTMbEsABzD
May 26 05:53

Test results:

>> Issue: [B411:blacklist] Using xmlrpclib to parse untrusted XML data is known to be vulnerable to XML attacks. Use defused.xmlrpc.monkey_patch() function to monkey-patch xmlrpclib and mitigate XML vulnerabilities.
   Severity: High   Confidence: High
   Location: PyBitmessage/packages/collectd/pybitmessagestatus.py:5
4   import json
5   import xmlrpclib
6
7   pybmurl = ""
--------------------------------------------------
>> Issue: [B608:hardcoded_sql_expressions] Possible SQL injection vector through string-based query construction.
   Severity: Medium   Confidence: Low
   Location: PyBitmessage/src/bitmessagecurses/__init__.py:840
839   ORDER BY received
840   """ % (where,), what)
841   for row in ret:
--------------------------------------------------
>> Issue: [B608:hardcoded_sql_expressions] Possible SQL injection vector through string-based query construction.
   Severity: Medium   Confidence: Low
   Location: PyBitmessage/src/bitmessagecurses/__init__.py:889
888   ORDER BY lastactiontime
889   """ % (where,), what)
890   for row in ret:
--------------------------------------------------
>> Issue: [B404:blacklist] Consider possible security implications associated with call module.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/bitmessagemain.py:29
28   from struct import pack
29   from subprocess import call
30   from time import sleep
--------------------------------------------------
>> Issue: [B110:try_except_pass] Try, Except, Pass detected.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/bitmessagemain.py:84
83   state.maximumNumberOfHalfOpenConnections = 4
84   except:
85   pass
--------------------------------------------------
>> Issue: [B110:try_except_pass] Try, Except, Pass detected.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/bitmessagemain.py:165
164   s.close()
165   except:
166   pass
--------------------------------------------------
>> Issue: [B311:blacklist] Standard pseudo-random generators are not suitable for security/cryptographic purposes.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/bitmessagemain.py:177
176   if attempt > 0:
177   port = randint(32767, 65535)
178   se = StoppableXMLRPCServer((BMConfigParser().get('bitmessagesettings', 'apiinterface'), port),
--------------------------------------------------
>> Issue: [B603:subprocess_without_shell_equals_true] subprocess call - check for execution of untrusted input.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/bitmessagemain.py:292
291
292   call([apiNotifyPath, "startingUp"])
293   singleAPIThread = singleAPI()
--------------------------------------------------
>> Issue: [B110:try_except_pass] Try, Except, Pass detected.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/bitmessageqt/__init__.py:76
75   QtGui.QApplication.removeTranslator(qmytranslator)
76   except:
77   pass
--------------------------------------------------
>> Issue: [B110:try_except_pass] Try, Except, Pass detected.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/bitmessageqt/__init__.py:81
80   QtGui.QApplication.removeTranslator(qsystranslator)
81   except:
82   pass
--------------------------------------------------
>> Issue: [B110:try_except_pass] Try, Except, Pass detected.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/bitmessageqt/__init__.py:1952
1951   toAddress = unicode(toAddress, 'utf-8', 'ignore')
1952   except:
1953   pass
--------------------------------------------------
>> Issue: [B110:try_except_pass] Try, Except, Pass detected.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/bitmessageqt/__init__.py:2576
2575   os.remove(previousAppdataLocation + 'debug.log.1')
2576   except:
2577   pass
--------------------------------------------------
>> Issue: [B110:try_except_pass] Try, Except, Pass detected.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/bitmessageqt/__init__.py:2594
2593   os.remove(paths.lookupExeFolder() + 'debug.log.1')
2594   except:
2595   pass
--------------------------------------------------
>> Issue: [B608:hardcoded_sql_expressions] Possible SQL injection vector through string-based query construction.
   Severity: Medium   Confidence: Low
   Location: PyBitmessage/src/bitmessageqt/__init__.py:2659
2658   markread = sqlExecuteChunked(
2659   "UPDATE %s SET read = 1 WHERE %s IN({0}) AND read=0" % (
2660   ('sent', 'ackdata') if self.getCurrentFolder() == 'sent'
2661   else ('inbox', 'msgid')
2662   ), idCount, *msgids
--------------------------------------------------
>> Issue: [B110:try_except_pass] Try, Except, Pass detected.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/bitmessageqt/__init__.py:2856
2855   'bitmessagesettings', 'trayonclose')
2856   except Exception:
2857   pass
--------------------------------------------------
>> Issue: [B303:blacklist] Use of insecure MD2, MD4, or MD5 hash function.
   Severity: Medium   Confidence: High
   Location: PyBitmessage/src/bitmessageqt/__init__.py:3710
3709   os.makedirs(state.appdata + 'avatars/')
3710   hash = hashlib.md5(addBMIfNotPresent(addressAtCurrentRow)).hexdigest()
3711   extensions = ['PNG', 'GIF', 'JPG', 'JPEG', 'SVG', 'BMP', 'MNG', 'PBM', 'PGM', 'PPM', 'TIFF', 'XBM', 'XPM', 'TGA']
--------------------------------------------------
>> Issue: [B608:hardcoded_sql_expressions] Possible SQL injection vector through string-based query construction.
   Severity: Medium   Confidence: Low
   Location: PyBitmessage/src/bitmessageqt/__init__.py:4009
4008   queryreturn = sqlQuery(
4009   '''SELECT message FROM %s WHERE %s=?''' % (
4010   ('sent', 'ackdata') if folder == 'sent'
4011   else ('inbox', 'msgid')
4012   ), msgid
--------------------------------------------------
>> Issue: [B101:assert_used] Use of assert detected. The enclosed code will be removed when compiling to optimised byte code.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/bitmessageqt/__init__.py:4230
4229   else:
4230   assert False
4231
--------------------------------------------------
>> Issue: [B101:assert_used] Use of assert detected. The enclosed code will be removed when compiling to optimised byte code.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/bitmessageqt/__init__.py:4290
4289   return "nmcontrol"
4290   assert False
4291
--------------------------------------------------
>> Issue: [B101:assert_used] Use of assert detected. The enclosed code will be removed when compiling to optimised byte code.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/bitmessageqt/__init__.py:4295
4294   nmctype = self.getNamecoinType()
4295   assert nmctype == "namecoind" or nmctype == "nmcontrol"
4296
4297   isNamecoind = (nmctype == "namecoind")
--------------------------------------------------
>> Issue: [B110:try_except_pass] Try, Except, Pass detected.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/bitmessageqt/account.py:69
68   return GatewayAccount(address)
69   except:
70   pass
--------------------------------------------------
>> Issue: [B110:try_except_pass] Try, Except, Pass detected.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/bitmessageqt/bitmessageui.py:704
703   hours = int(BMConfigParser().getint('bitmessagesettings', 'ttl')/60/60)
704   except:
705   pass
--------------------------------------------------
>> Issue: [B110:try_except_pass] Try, Except, Pass detected.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/bitmessageqt/languagebox.py:21
20   configuredLocale = BMConfigParser().get('bitmessagesettings', 'userlocale', "system")
21   except:
22   pass
--------------------------------------------------
>> Issue: [B110:try_except_pass] Try, Except, Pass detected.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/bitmessageqt/settingsmixin.py:31
30   target.restoreGeometry(geom.toByteArray() if hasattr(geom, 'toByteArray') else geom)
31   except Exception as e:
32   pass
--------------------------------------------------
>> Issue: [B110:try_except_pass] Try, Except, Pass detected.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/bitmessageqt/settingsmixin.py:40
39   target.restoreState(state.toByteArray() if hasattr(state, 'toByteArray') else state)
40   except Exception as e:
41   pass
--------------------------------------------------
>> Issue: [B110:try_except_pass] Try, Except, Pass detected.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/bitmessageqt/support.py:105
104   os = unixversion[0] + " " + unixversion[2]
105   except:
106   pass
--------------------------------------------------
>> Issue: [B303:blacklist] Use of insecure MD2, MD4, or MD5 hash function.
   Severity: Medium   Confidence: High
   Location: PyBitmessage/src/bitmessageqt/utils.py:40
39   import qidenticon
40   hash = hashlib.md5(addBMIfNotPresent(address)+identiconsuffix).hexdigest()
41   use_two_colors = (identicon_lib[:len('qidenticon_two')] == 'qidenticon_two')
--------------------------------------------------
>> Issue: [B303:blacklist] Use of insecure MD2, MD4, or MD5 hash function.
   Severity: Medium   Confidence: High
   Location: PyBitmessage/src/bitmessageqt/utils.py:74
73   idcon = QtGui.QIcon()
74   hash = hashlib.md5(addBMIfNotPresent(address)).hexdigest()
75   str_broadcast_subscribers = '[Broadcast subscribers]'
--------------------------------------------------
>> Issue: [B110:try_except_pass] Try, Except, Pass detected.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/class_addressGenerator.py:30
29   queues.addressGeneratorQueue.put(("stopThread", "data"))
30   except:
31   pass
--------------------------------------------------
>> Issue: [B311:blacklist] Standard pseudo-random generators are not suitable for security/cryptographic purposes.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/class_objectHashHolder.py:40
39   def holdHash(self,hash):
40   self.collectionOfHashLists[random.randrange(0, objectHashHolder.size)].append(hash)
41
--------------------------------------------------
>> Issue: [B311:blacklist] Standard pseudo-random generators are not suitable for security/cryptographic purposes.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/class_objectHashHolder.py:48
47   def holdPeer(self,peerDetails):
48   self.collectionOfPeerLists[random.randrange(0, objectHashHolder.size)].append(peerDetails)
49
--------------------------------------------------
>> Issue: [B404:blacklist] Consider possible security implications associated with call module.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/class_objectProcessor.py:9
8   import string
9   from subprocess import call # used when the API must execute an outside program
10   import traceback
--------------------------------------------------
>> Issue: [B311:blacklist] Standard pseudo-random generators are not suitable for security/cryptographic purposes.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/class_objectProcessor.py:359
358
359   for key, cryptorObject in sorted(shared.myECCryptorObjects.items(), key=lambda x: random.random()):
360   try:
--------------------------------------------------
>> Issue: [B110:try_except_pass] Try, Except, Pass detected.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/class_objectProcessor.py:368
367   logger.info('EC decryption successful using key associated with ripe hash: %s.' % hexlify(key))
368   except Exception as err:
369   pass
--------------------------------------------------
>> Issue: [B603:subprocess_without_shell_equals_true] subprocess call - check for execution of untrusted input.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/class_objectProcessor.py:542
541   if apiNotifyPath != '':
542   call([apiNotifyPath, "newMessage"])
543
--------------------------------------------------
>> Issue: [B311:blacklist] Standard pseudo-random generators are not suitable for security/cryptographic purposes.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/class_objectProcessor.py:637
636   initialDecryptionSuccessful = False
637   for key, cryptorObject in sorted(shared.MyECSubscriptionCryptorObjects.items(), key=lambda x: random.random()):
638   try:
--------------------------------------------------
>> Issue: [B110:try_except_pass] Try, Except, Pass detected.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/class_objectProcessor.py:646
645   logger.info('EC decryption successful using key associated with ripe hash: %s' % hexlify(key))
646   except Exception as err:
647   pass
--------------------------------------------------
>> Issue: [B603:subprocess_without_shell_equals_true] subprocess call - check for execution of untrusted input.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/class_objectProcessor.py:795
794   if apiNotifyPath != '':
795   call([apiNotifyPath, "newBroadcast"])
796
--------------------------------------------------
>> Issue: [B311:blacklist] Standard pseudo-random generators are not suitable for security/cryptographic purposes.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/class_outgoingSynSender.py:62
61   priority = 0.001
62   if (random.random() <= priority):
63   break
--------------------------------------------------
>> Issue: [B110:try_except_pass] Try, Except, Pass detected.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/class_outgoingSynSender.py:74
73   self.sock.shutdown(socket.SHUT_RDWR)
74   except:
75   pass
--------------------------------------------------
>> Issue: [B110:try_except_pass] Try, Except, Pass detected.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/class_receiveDataThread.py:141
140   logger.debug('removed self (a receiveDataThread) from selfInitiatedConnections')
141   except:
142   pass
--------------------------------------------------
>> Issue: [B110:try_except_pass] Try, Except, Pass detected.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/class_receiveDataThread.py:820
819   queues.UISignalQueue.put(('newVersionAvailable', remoteVersion))
820   except:
821   pass
--------------------------------------------------
>> Issue: [B110:try_except_pass] Try, Except, Pass detected.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/class_sendDataThread.py:211
210   self.sock.close()
211   except:
212   pass
--------------------------------------------------
>> Issue: [B110:try_except_pass] Try, Except, Pass detected.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/class_singleListener.py:63
62   break
63   except:
64   pass
--------------------------------------------------
>> Issue: [B404:blacklist] Consider possible security implications associated with call module.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/class_singleWorker.py:8
7   import random
8   from subprocess import call # used when the API must execute an outside program
9   from addresses import *
--------------------------------------------------
>> Issue: [B110:try_except_pass] Try, Except, Pass detected.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/class_singleWorker.py:50
49   queues.workerQueue.put(("stopThread", "data"))
50   except:
51   pass
--------------------------------------------------
>> Issue: [B110:try_except_pass] Try, Except, Pass detected.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/class_singleWorker.py:112
111   self.sendMsg()
112   except:
113   pass
--------------------------------------------------
>> Issue: [B110:try_except_pass] Try, Except, Pass detected.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/class_singleWorker.py:117
116   self.sendBroadcast()
117   except:
118   pass
--------------------------------------------------
>> Issue: [B110:try_except_pass] Try, Except, Pass detected.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/class_singleWorker.py:122
121   self.doPOWForMyV2Pubkey(data)
122   except:
123   pass
--------------------------------------------------
>> Issue: [B110:try_except_pass] Try, Except, Pass detected.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/class_singleWorker.py:127
126   self.sendOutOrStoreMyV3Pubkey(data)
127   except:
128   pass
--------------------------------------------------
>> Issue: [B110:try_except_pass] Try, Except, Pass detected.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/class_singleWorker.py:132
131   self.sendOutOrStoreMyV4Pubkey(data)
132   except:
133   pass
--------------------------------------------------
>> Issue: [B110:try_except_pass] Try, Except, Pass detected.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/class_singleWorker.py:137
136   proofofwork.resetPoW()
137   except:
138   pass
--------------------------------------------------
>> Issue: [B311:blacklist] Standard pseudo-random generators are not suitable for security/cryptographic purposes.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/class_singleWorker.py:161
160
161   TTL = int(28 * 24 * 60 * 60 + random.randrange(-300, 300))# 28 days from now plus or minus five minutes
162   embeddedTime = int(time.time() + TTL)
--------------------------------------------------
>> Issue: [B110:try_except_pass] Try, Except, Pass detected.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/class_singleWorker.py:212
211   BMConfigParser().save()
212   except:
213   # The user deleted the address out of the keys.dat file before this
--------------------------------------------------
>> Issue: [B311:blacklist] Standard pseudo-random generators are not suitable for security/cryptographic purposes.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/class_singleWorker.py:233
232
233   TTL = int(28 * 24 * 60 * 60 + random.randrange(-300, 300))# 28 days from now plus or minus five minutes
234   embeddedTime = int(time.time() + TTL)
--------------------------------------------------
>> Issue: [B110:try_except_pass] Try, Except, Pass detected.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/class_singleWorker.py:302
301   BMConfigParser().save()
302   except:
303   # The user deleted the address out of the keys.dat file before this
--------------------------------------------------
>> Issue: [B311:blacklist] Standard pseudo-random generators are not suitable for security/cryptographic purposes.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/class_singleWorker.py:319
318
319   TTL = int(28 * 24 * 60 * 60 + random.randrange(-300, 300))# 28 days from now plus or minus five minutes
320   embeddedTime = int(time.time() + TTL)
--------------------------------------------------
>> Issue: [B311:blacklist] Standard pseudo-random generators are not suitable for security/cryptographic purposes.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/class_singleWorker.py:439
438   TTL = 60*60
439   TTL = int(TTL + random.randrange(-300, 300))# add some randomness to the TTL
440   embeddedTime = int(time.time() + TTL)
--------------------------------------------------
>> Issue: [B311:blacklist] Standard pseudo-random generators are not suitable for security/cryptographic purposes.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/class_singleWorker.py:632
631   TTL = 28 * 24 * 60 * 60
632   TTL = int(TTL + random.randrange(-300, 300))# add some randomness to the TTL
633   embeddedTime = int(time.time() + TTL)
--------------------------------------------------
>> Issue: [B110:try_except_pass] Try, Except, Pass detected.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/class_singleWorker.py:821
820   logger.info('PoW took %.1f seconds, speed %s.', time.time() - powStartTime, sizeof_fmt(nonce / (time.time() - powStartTime)))
821   except:
822   pass
--------------------------------------------------
>> Issue: [B603:subprocess_without_shell_equals_true] subprocess call - check for execution of untrusted input.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/class_singleWorker.py:882
881   if apiNotifyPath != '':
882   call([apiNotifyPath, "newMessage"])
883
--------------------------------------------------
>> Issue: [B311:blacklist] Standard pseudo-random generators are not suitable for security/cryptographic purposes.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/class_singleWorker.py:915
914   TTL = 28*24*60*60
915   TTL = TTL + random.randrange(-300, 300) # add some randomness to the TTL
916   embeddedTime = int(time.time() + TTL)
--------------------------------------------------
>> Issue: [B311:blacklist] Standard pseudo-random generators are not suitable for security/cryptographic purposes.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/class_singleWorker.py:978
977   TTL = 28*24*60*60 # 4 weeks
978   TTL = int(TTL + random.randrange(-300, 300)) # Add some randomness to the TTL
979   embeddedTime = int(time.time() + TTL)
--------------------------------------------------
>> Issue: [B110:try_except_pass] Try, Except, Pass detected.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/class_singleWorker.py:993
992   logger.info('PoW took %.1f seconds, speed %s.', time.time() - powStartTime, sizeof_fmt(nonce / (time.time() - powStartTime)))
993   except:
994   pass
--------------------------------------------------
>> Issue: [B110:try_except_pass] Try, Except, Pass detected.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/class_smtpDeliver.py:26
25   queues.UISignallerQueue.put(("stopThread", "data"))
26   except:
27   pass
--------------------------------------------------
>> Issue: [B311:blacklist] Standard pseudo-random generators are not suitable for security/cryptographic purposes.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/class_sqlThread.py:266
265   if not BMConfigParser().has_option('bitmessagesettings', 'identiconsuffix'): # acts as a salt
266   BMConfigParser().set('bitmessagesettings', 'identiconsuffix', ''.join(random.choice("123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz") for x in range(12))) # a twelve character pseudo-password to salt the identicons
267
--------------------------------------------------
>> Issue: [B112:try_except_continue] Try, Except, Continue detected.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/class_sqlThread.py:329
328   BMConfigParser().set(addressInKeysFile,'payloadlengthextrabytes', str(int(previousSmallMessageDifficulty * 1000)))
329   except:
330   continue
--------------------------------------------------
>> Issue: [B110:try_except_pass] Try, Except, Pass detected.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/depends.py:110
109   paths.append(path)
110   except:
111   pass
--------------------------------------------------
>> Issue: [B311:blacklist] Standard pseudo-random generators are not suitable for security/cryptographic purposes.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/helper_ackPayload.py:22
21   # (the smallest possible standard-formatted message is 234 bytes)
22   dummyMessage = helper_random.randomBytes(random.randint(234, 800))
23   # Encrypt the message using standard BM encryption (ECIES)
--------------------------------------------------
>> Issue: [B403:blacklist] Consider possible security implications associated with pickle module.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/helper_bootstrap.py:3
2   import defaultKnownNodes
3   import pickle
4   import time
--------------------------------------------------
>> Issue: [B301:blacklist] Pickle library appears to be in use, possible security issue.
   Severity: Medium   Confidence: High
   Location: PyBitmessage/src/helper_bootstrap.py:27
26   with knownnodes.knownNodesLock:
27   knownnodes.knownNodes = pickle.load(pickleFile)
28   # the old format was {Peer:lastseen, ...}
--------------------------------------------------
>> Issue: [B307:blacklist] Use of possibly insecure function - consider using safer ast.literal_eval.
   Severity: Medium   Confidence: High
   Location: PyBitmessage/src/inventory.py:24
23   self._className = "storage." + self._moduleName + "." + self._moduleName.title() + "Inventory"
24   self._inventoryClass = eval(self._className)
25   self._realInventory = self._inventoryClass()
--------------------------------------------------
>> Issue: [B403:blacklist] Consider possible security implications associated with pickle module.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/knownnodes.py:1
1   import pickle
2   import os
3   import threading
--------------------------------------------------
>> Issue: [B311:blacklist] Standard pseudo-random generators are not suitable for security/cryptographic purposes.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/multiqueue.py:27
26   #self.queue.append(item)
27   self.queues[random.randrange(self.queueCount)].append((item))
28
--------------------------------------------------
>> Issue: [B101:assert_used] Use of assert detected. The enclosed code will be removed when compiling to optimised byte code.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/namecoin.py:80
79
80   assert self.nmctype == "namecoind" or self.nmctype == "nmcontrol"
81   if self.nmctype == "namecoind":
--------------------------------------------------
>> Issue: [B101:assert_used] Use of assert detected. The enclosed code will be removed when compiling to optimised byte code.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/namecoin.py:103
102   else:
103   assert False
104   except RPCError as exc:
--------------------------------------------------
>> Issue: [B101:assert_used] Use of assert detected. The enclosed code will be removed when compiling to optimised byte code.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/namecoin.py:161
160   else:
161   assert False
162
--------------------------------------------------
>> Issue: [B101:assert_used] Use of assert detected. The enclosed code will be removed when compiling to optimised byte code.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/namecoin.py:179
178   else:
179   assert False
180   val = json.loads (resp)
--------------------------------------------------
>> Issue: [B110:try_except_pass] Try, Except, Pass detected.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/network/bmproto.py:495
494   return False
495   except:
496   pass
--------------------------------------------------
>> Issue: [B311:blacklist] Standard pseudo-random generators are not suitable for security/cryptographic purposes.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/network/connectionpool.py:159
158   try:
159   chosen = chooseConnection(random.choice(self.streams))
160   except ValueError:
--------------------------------------------------
>> Issue: [B311:blacklist] Standard pseudo-random generators are not suitable for security/cryptographic purposes.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/network/dandelion.py:101
100   # pick a random from available stems
101   stem = choice(range(len(self.stem)))
102   if self.stem[stem] == parent:
--------------------------------------------------
>> Issue: [B311:blacklist] Standard pseudo-random generators are not suitable for security/cryptographic purposes.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/network/invthread.py:61
60   # auto-ignore if config set to 0, i.e. dandelion is off
61   if randint(1, 100) >= state.dandelion:
62   fluffs.append(inv[1])
--------------------------------------------------
>> Issue: [B110:try_except_pass] Try, Except, Pass detected.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/network/networkthread.py:26
25   i.close()
26   except:
27   pass
--------------------------------------------------
>> Issue: [B110:try_except_pass] Try, Except, Pass detected.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/network/networkthread.py:31
30   i.close()
31   except:
32   pass
--------------------------------------------------
>> Issue: [B110:try_except_pass] Try, Except, Pass detected.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/network/networkthread.py:36
35   i.close()
36   except:
37   pass
--------------------------------------------------
>> Issue: [B404:blacklist] Consider possible security implications associated with subprocess module.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/plugins/sound_playfile.py:11
10   import os
11   import subprocess
12
13   play_cmd = {}
--------------------------------------------------
>> Issue: [B603:subprocess_without_shell_equals_true] subprocess call - check for execution of untrusted input.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/plugins/sound_playfile.py:17
16   FNULL = open(os.devnull, 'wb')
17   subprocess.call(
18   args, stdout=FNULL, stderr=subprocess.STDOUT, close_fds=True)
19
--------------------------------------------------
>> Issue: [B404:blacklist] Consider possible security implications associated with call module.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/proofofwork.py:6
5   from struct import unpack, pack
6   from subprocess import call
7   import sys
--------------------------------------------------
>> Issue: [B110:try_except_pass] Try, Except, Pass detected.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/proofofwork.py:34
33   win32process.SetPriorityClass(handle, win32process.IDLE_PRIORITY_CLASS)
34   except:
35   #Windows 64-bit
--------------------------------------------------
>> Issue: [B110:try_except_pass] Try, Except, Pass detected.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/proofofwork.py:82
81   pool.join()
82   except:
83   pass
--------------------------------------------------
>> Issue: [B603:subprocess_without_shell_equals_true] subprocess call - check for execution of untrusted input.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/proofofwork.py:181
180   # BSD make
181   call(["make", "-C", os.path.join(paths.codePath(), "bitmsghash"), '-f', 'Makefile.bsd'])
182   else:
--------------------------------------------------
>> Issue: [B607:start_process_with_partial_path] Starting a process with a partial executable path
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/proofofwork.py:181
180   # BSD make
181   call(["make", "-C", os.path.join(paths.codePath(), "bitmsghash"), '-f', 'Makefile.bsd'])
182   else:
--------------------------------------------------
>> Issue: [B603:subprocess_without_shell_equals_true] subprocess call - check for execution of untrusted input.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/proofofwork.py:184
183   # GNU make
184   call(["make", "-C", os.path.join(paths.codePath(), "bitmsghash")])
185   if os.path.exists(os.path.join(paths.codePath(), "bitmsghash", "bitmsghash.so")):
--------------------------------------------------
>> Issue: [B607:start_process_with_partial_path] Starting a process with a partial executable path
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/proofofwork.py:184
183   # GNU make
184   call(["make", "-C", os.path.join(paths.codePath(), "bitmsghash")])
185   if os.path.exists(os.path.join(paths.codePath(), "bitmsghash", "bitmsghash.so")):
--------------------------------------------------
>> Issue: [B110:try_except_pass] Try, Except, Pass detected.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/proofofwork.py:207
206   raise
207   except:
208   pass # fallback
--------------------------------------------------
>> Issue: [B110:try_except_pass] Try, Except, Pass detected.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/proofofwork.py:214
213   raise
214   except:
215   pass # fallback
--------------------------------------------------
>> Issue: [B110:try_except_pass] Try, Except, Pass detected.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/proofofwork.py:233
232   raise
233   except:
234   pass #fallback
--------------------------------------------------
>> Issue: [B311:blacklist] Standard pseudo-random generators are not suitable for security/cryptographic purposes.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/protocol.py:45
44   eightBytesOfRandomDataUsedToDetectConnectionsToSelf = pack(
45   '>Q', random.randrange(1, 18446744073709551615))
46
--------------------------------------------------
>> Issue: [B110:try_except_pass] Try, Except, Pass detected.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/pyelliptic/openssl.py:545
544   return
545   except:
546   pass
--------------------------------------------------
>> Issue: [B104:hardcoded_bind_all_interfaces] Possible binding to all interfaces.
   Severity: Medium   Confidence: Medium
   Location: PyBitmessage/src/socks/__init__.py:388
387   raise HTTPError((statuscode, statusline[2]))
388   self.__proxysockname = ("0.0.0.0", 0)
389   self.__proxypeername = (addr, destport)
--------------------------------------------------
>> Issue: [B408:blacklist] Using Document to parse untrusted XML data is known to be vulnerable to XML attacks. Replace Document with the equivalent defusedxml package, or make sure defusedxml.defuse_stdlib() is called.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/upnp.py:18
17   def createRequestXML(service, action, arguments=None):
18   from xml.dom.minidom import Document
19
20   doc = Document()
--------------------------------------------------
>> Issue: [B408:blacklist] Using parseString to parse untrusted XML data is known to be vulnerable to XML attacks. Replace parseString with the equivalent defusedxml package, or make sure defusedxml.defuse_stdlib() is called.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/upnp.py:79
78   import urllib2
79   from xml.dom.minidom import parseString
80   from urlparse import urlparse
--------------------------------------------------
>> Issue: [B310:blacklist] Audit url open for permitted schemes. Allowing use of file:/ or custom schemes is often unexpected.
   Severity: Medium   Confidence: High
   Location: PyBitmessage/src/upnp.py:100
99   # get the profile xml file and read it into a variable
100   directory = urllib2.urlopen(header['location']).read()
101
--------------------------------------------------
>> Issue: [B318:blacklist] Using xml.dom.minidom.parseString to parse untrusted XML data is known to be vulnerable to XML attacks. Replace xml.dom.minidom.parseString with its defusedxml equivalent function or make sure defusedxml.defuse_stdlib() is called
   Severity: Medium   Confidence: High
   Location: PyBitmessage/src/upnp.py:103
102   # create a DOM object that represents the `directory` document
103   dom = parseString(directory)
104
--------------------------------------------------
>> Issue: [B408:blacklist] Using parseString to parse untrusted XML data is known to be vulnerable to XML attacks. Replace parseString with the equivalent defusedxml package, or make sure defusedxml.defuse_stdlib() is called.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/upnp.py:142
141   def GetExternalIPAddress(self):
142   from xml.dom.minidom import parseString
143   resp = self.soapRequest(self.upnp_schema + ':1', 'GetExternalIPAddress')
--------------------------------------------------
>> Issue: [B318:blacklist] Using xml.dom.minidom.parseString to parse untrusted XML data is known to be vulnerable to XML attacks. Replace xml.dom.minidom.parseString with its defusedxml equivalent function or make sure defusedxml.defuse_stdlib() is called
   Severity: Medium   Confidence: High
   Location: PyBitmessage/src/upnp.py:144
143   resp = self.soapRequest(self.upnp_schema + ':1', 'GetExternalIPAddress')
144   dom = parseString(resp)
145   return dom.getElementsByTagName('NewExternalIPAddress')[0].childNodes[0].data
--------------------------------------------------
>> Issue: [B408:blacklist] Using parseString to parse untrusted XML data is known to be vulnerable to XML attacks. Replace parseString with the equivalent defusedxml package, or make sure defusedxml.defuse_stdlib() is called.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/upnp.py:148
147   def soapRequest(self, service, action, arguments=None):
148   from xml.dom.minidom import parseString
149   from debug import logger
--------------------------------------------------
>> Issue: [B318:blacklist] Using xml.dom.minidom.parseString to parse untrusted XML data is known to be vulnerable to XML attacks. Replace xml.dom.minidom.parseString with its defusedxml equivalent function or make sure defusedxml.defuse_stdlib() is called
   Severity: Medium   Confidence: High
   Location: PyBitmessage/src/upnp.py:165
164   try:
165   dom = parseString(respData)
166   errinfo = dom.getElementsByTagName('errorDescription')
--------------------------------------------------
>> Issue: [B110:try_except_pass] Try, Except, Pass detected.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/upnp.py:217
216   self.sendSearchRouter()
217   except:
218   pass
--------------------------------------------------
>> Issue: [B110:try_except_pass] Try, Except, Pass detected.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/upnp.py:249
248   self.sock.shutdown(socket.SHUT_RDWR)
249   except:
250   pass
--------------------------------------------------
>> Issue: [B110:try_except_pass] Try, Except, Pass detected.
Severity: Low Confidence: High Location: PyBitmessage/src/upnp.py:253 252 self.sock.close() 253 except: 254 pass -------------------------------------------------- >> Issue: [B311:blacklist] Standard pseudo-random generators are not suitable for security/cryptographic purposes. Severity: Low Confidence: High Location: PyBitmessage/src/upnp.py:297 296 else: 297 extPort = randint(32767, 65535) 298 logger.debug("Attempt %i, requesting UPnP mapping for %s:%i on external port %i", i, localIP, self.localPort, extPort) -------------------------------------------------- Code scanned: Total lines of code: 27741 Total lines skipped (#nosec): 0 Run metrics: Total issues (by severity): Undefined: 0.0 Low: 97.0 Medium: 14.0 High: 1.0 Total issues (by confidence): Undefined: 0.0 Low: 4.0 Medium: 1.0 High: 107.0 Files skipped (37): PyBitmessage/build/compiletest.py (syntax error while parsing AST from file) PyBitmessage/checkdeps.py (syntax error while parsing AST from file) PyBitmessage/dev/bloomfiltertest.py (syntax error while parsing AST from file) PyBitmessage/dev/msgtest.py (syntax error while parsing AST from file) PyBitmessage/dev/powinterrupttest.py (syntax error while parsing AST from file) PyBitmessage/dev/ssltest.py (syntax error while parsing AST from file) PyBitmessage/src/addresses.py (syntax error while parsing AST from file) PyBitmessage/src/api.py (syntax error while parsing AST from file) PyBitmessage/src/api_client.py (syntax error while parsing AST from file) PyBitmessage/src/bitmessagecli.py (syntax error while parsing AST from file) PyBitmessage/src/bitmessageqt/address_dialogs.py (syntax error while parsing AST from file) PyBitmessage/src/bitmessageqt/foldertree.py (syntax error while parsing AST from file) PyBitmessage/src/bitmessageqt/newaddresswizard.py (syntax error while parsing AST from file) PyBitmessage/src/class_singleCleaner.py (syntax error while parsing AST from file) PyBitmessage/src/class_smtpServer.py (syntax error while parsing AST from 
file) PyBitmessage/src/debug.py (syntax error while parsing AST from file) PyBitmessage/src/defaultKnownNodes.py (syntax error while parsing AST from file) PyBitmessage/src/helper_bitcoin.py (syntax error while parsing AST from file) PyBitmessage/src/helper_generic.py (syntax error while parsing AST from file) PyBitmessage/src/helper_msgcoding.py (syntax error while parsing AST from file) PyBitmessage/src/helper_startup.py (syntax error while parsing AST from file) PyBitmessage/src/message_data_reader.py (syntax error while parsing AST from file) PyBitmessage/src/network/asyncore_pollchoose.py (syntax error while parsing AST from file) PyBitmessage/src/network/connectionchooser.py (syntax error while parsing AST from file) PyBitmessage/src/network/http-old.py (syntax error while parsing AST from file) PyBitmessage/src/network/http.py (syntax error while parsing AST from file) PyBitmessage/src/network/socks4a.py (syntax error while parsing AST from file) PyBitmessage/src/network/socks5.py (syntax error while parsing AST from file) PyBitmessage/src/network/tcp.py (syntax error while parsing AST from file) PyBitmessage/src/network/udp.py (syntax error while parsing AST from file) PyBitmessage/src/openclpow.py (syntax error while parsing AST from file) PyBitmessage/src/paths.py (syntax error while parsing AST from file) PyBitmessage/src/randomtrackingdict.py (syntax error while parsing AST from file) PyBitmessage/src/shared.py (syntax error while parsing AST from file) PyBitmessage/src/singleinstance.py (syntax error while parsing AST from file) PyBitmessage/src/storage/filesystem.py (syntax error while parsing AST from file) PyBitmessage/src/tr.py (syntax error while parsing AST from file)
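Added example, not part of the post above and not PyBitmessage's own code. The B318/B408 findings in upnp.py (and the High B411 xmlrpclib finding in the collectd plugin) are all the same class: xml.dom.minidom.parseString applied to SOAP replies and device descriptions that any host on the LAN can send, so a hostile peer controls the XML and can use a DTD for entity expansion (billion laughs, quadratic blowup) or external entities. The block below puts the GetExternalIPAddress extraction exactly as the scan shows it next to a stdlib-only hardened version that refuses any DOCTYPE before expansion can start (the same expat handler mechanism defusedxml relies on, but not the defusedxml API) and validates the extracted value as an IP literal. Assumptions: Python 3 (the scanned tree is Python 2, as the urllib2 and xmlrpclib imports show); the two SOAP replies are constructed samples shaped like a WANIPConnection GetExternalIPAddress response, not captured traffic; parse_untrusted, external_ip_vulnerable, external_ip_hardened, refuses and UnsafeXML are this example's names only.

```python
"""Added example, not PyBitmessage code: the minidom-on-untrusted-input
pattern from the B318/B408 findings in upnp.py, next to a hardened parser.

Assumes Python 3. The SOAP replies are constructed samples shaped like a
WANIPConnection GetExternalIPAddress response, not captured traffic.
"""
import ipaddress
import xml.parsers.expat
from xml.dom.minidom import parseString

# Constructed: the reply a well-behaved gateway sends.
BENIGN_RESPONSE = (
    '<?xml version="1.0"?>'
    '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">'
    '<s:Body><u:GetExternalIPAddressResponse'
    ' xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">'
    '<NewExternalIPAddress>203.0.113.7</NewExternalIPAddress>'
    '</u:GetExternalIPAddressResponse></s:Body></s:Envelope>'
)

# Constructed: the same reply from a hostile LAN host, with an internal DTD
# whose entities reference each other. Two levels and a 4x fan-out keep it
# small; the real attack nests ten levels so a few KiB expand to gigabytes.
HOSTILE_RESPONSE = (
    '<?xml version="1.0"?>'
    '<!DOCTYPE s:Envelope ['
    '<!ENTITY a "10.0.0.">'
    '<!ENTITY b "&a;1&a;1&a;1&a;1">'
    ']>'
    '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">'
    '<s:Body><u:GetExternalIPAddressResponse'
    ' xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">'
    '<NewExternalIPAddress>&b;</NewExternalIPAddress>'
    '</u:GetExternalIPAddressResponse></s:Body></s:Envelope>'
)


class UnsafeXML(ValueError):
    """The document uses a construct we refuse from an untrusted peer."""


def _refuse(*_ignored):
    # Installed as an expat handler: fires on the DOCTYPE token or on the
    # first entity declaration, i.e. before any expansion has happened.
    raise UnsafeXML("DOCTYPE/entity declarations are not accepted")


def parse_untrusted(data):
    """Build a minidom DOM from untrusted XML, refusing any DTD.

    Entity expansion and external entities all need a DTD, so rejecting
    the DOCTYPE closes the classes bandit B318/B408 warn about. A first
    expat pass does the check; the DOM is built only once the document has
    been seen to carry no DTD. Same handler trick defusedxml uses, done
    with the stdlib alone; this is not the defusedxml API.
    """
    checker = xml.parsers.expat.ParserCreate()
    checker.StartDoctypeDeclHandler = _refuse
    checker.EntityDeclHandler = _refuse
    checker.Parse(data, True)          # UnsafeXML or ExpatError on bad input
    return parseString(data)


def external_ip_vulnerable(resp):
    """The upnp.py pattern as bandit saw it: minidom straight on the reply."""
    dom = parseString(resp)
    return dom.getElementsByTagName('NewExternalIPAddress')[0].childNodes[0].data


def external_ip_hardened(resp):
    """Same extraction through the guarded parser, plus output validation."""
    dom = parse_untrusted(resp)
    nodes = dom.getElementsByTagName('NewExternalIPAddress')
    if len(nodes) != 1 or nodes[0].firstChild is None:
        raise ValueError("malformed GetExternalIPAddress response")
    value = nodes[0].firstChild.data.strip()
    ipaddress.ip_address(value)        # ValueError unless it is an IP literal
    return value


def refuses(resp):
    """True when the hardened path rejects the document as unsafe XML."""
    try:
        external_ip_hardened(resp)
    except UnsafeXML:
        return True
    return False


if __name__ == "__main__":
    print("vulnerable, benign :", external_ip_vulnerable(BENIGN_RESPONSE))
    print("vulnerable, hostile:", external_ip_vulnerable(HOSTILE_RESPONSE))
    print("hardened, benign   :", external_ip_hardened(BENIGN_RESPONSE))
    print("hardened, hostile  : refused =", refuses(HOSTILE_RESPONSE))
```

The vulnerable path happily returns the expanded entity text for the hostile reply (the 3-byte reference &b; becomes 32 bytes here; nested ten deep it is the billion laughs payload), while the hardened path stops at the DOCTYPE token, so no expansion work is done on attacker input at all. libexpat 2.4 and later also caps amplification on its own, but the refusal above does not depend on that. One caveat for reading the scan's totals: the 37 "syntax error while parsing AST from file" skips, which include api.py, class_smtpServer.py and every network/*.py module, are what bandit reports when it is run from a Python 3 interpreter over Python 2 sources, which these are; the most likely reading is therefore that those files were never scanned, so the 112 reported issues are a lower bound and the run should be repeated with a Python 2 bandit before the numbers are quoted.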