Security Test on PyBitmessage Branch Master

BM-2cUNNhAmbvBqsxDoXvofyCmTtTMbEsABzD
May 26 05:53

Test results:

>> Issue: [B411:blacklist] Using xmlrpclib to parse untrusted XML data is known to be vulnerable to XML attacks. Use defused.xmlrpc.monkey_patch() function to monkey-patch xmlrpclib and mitigate XML vulnerabilities.
   Severity: High   Confidence: High
   Location: PyBitmessage/packages/collectd/pybitmessagestatus.py:5
4   import json
5   import xmlrpclib
6
7   pybmurl = ""
--------------------------------------------------
>> Issue: [B608:hardcoded_sql_expressions] Possible SQL injection vector through string-based query construction.
   Severity: Medium   Confidence: Low
   Location: PyBitmessage/src/bitmessagecurses/__init__.py:840
839     ORDER BY received
840     """ % (where,), what)
841     for row in ret:
--------------------------------------------------
>> Issue: [B608:hardcoded_sql_expressions] Possible SQL injection vector through string-based query construction.
   Severity: Medium   Confidence: Low
   Location: PyBitmessage/src/bitmessagecurses/__init__.py:889
888     ORDER BY lastactiontime
889     """ % (where,), what)
890     for row in ret:
--------------------------------------------------
>> Issue: [B404:blacklist] Consider possible security implications associated with call module.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/bitmessagemain.py:29
28  from struct import pack
29  from subprocess import call
30  from time import sleep
--------------------------------------------------
>> Issue: [B110:try_except_pass] Try, Except, Pass detected.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/bitmessagemain.py:84
83      state.maximumNumberOfHalfOpenConnections = 4
84  except:
85      pass
--------------------------------------------------
>> Issue: [B110:try_except_pass] Try, Except, Pass detected.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/bitmessagemain.py:165
164     s.close()
165 except:
166     pass
--------------------------------------------------
>> Issue: [B311:blacklist] Standard pseudo-random generators are not suitable for security/cryptographic purposes.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/bitmessagemain.py:177
176     if attempt > 0:
177         port = randint(32767, 65535)
178     se = StoppableXMLRPCServer((BMConfigParser().get('bitmessagesettings', 'apiinterface'), port),
--------------------------------------------------
>> Issue: [B603:subprocess_without_shell_equals_true] subprocess call - check for execution of untrusted input.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/bitmessagemain.py:292
291
292     call([apiNotifyPath, "startingUp"])
293     singleAPIThread = singleAPI()
--------------------------------------------------
>> Issue: [B110:try_except_pass] Try, Except, Pass detected.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/bitmessageqt/__init__.py:76
75      QtGui.QApplication.removeTranslator(qmytranslator)
76  except:
77      pass
--------------------------------------------------
>> Issue: [B110:try_except_pass] Try, Except, Pass detected.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/bitmessageqt/__init__.py:81
80      QtGui.QApplication.removeTranslator(qsystranslator)
81  except:
82      pass
--------------------------------------------------
>> Issue: [B110:try_except_pass] Try, Except, Pass detected.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/bitmessageqt/__init__.py:1952
1951    toAddress = unicode(toAddress, 'utf-8', 'ignore')
1952 except:
1953    pass
--------------------------------------------------
>> Issue: [B110:try_except_pass] Try, Except, Pass detected.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/bitmessageqt/__init__.py:2576
2575    os.remove(previousAppdataLocation + 'debug.log.1')
2576 except:
2577    pass
--------------------------------------------------
>> Issue: [B110:try_except_pass] Try, Except, Pass detected.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/bitmessageqt/__init__.py:2594
2593    os.remove(paths.lookupExeFolder() + 'debug.log.1')
2594 except:
2595    pass
--------------------------------------------------
>> Issue: [B608:hardcoded_sql_expressions] Possible SQL injection vector through string-based query construction.
   Severity: Medium   Confidence: Low
   Location: PyBitmessage/src/bitmessageqt/__init__.py:2659
2658    markread = sqlExecuteChunked(
2659        "UPDATE %s SET read = 1 WHERE %s IN({0}) AND read=0" % (
2660            ('sent', 'ackdata') if self.getCurrentFolder() == 'sent'
2661            else ('inbox', 'msgid')
2662        ), idCount, *msgids
--------------------------------------------------
>> Issue: [B110:try_except_pass] Try, Except, Pass detected.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/bitmessageqt/__init__.py:2856
2855        'bitmessagesettings', 'trayonclose')
2856 except Exception:
2857    pass
--------------------------------------------------
>> Issue: [B303:blacklist] Use of insecure MD2, MD4, or MD5 hash function.
   Severity: Medium   Confidence: High
   Location: PyBitmessage/src/bitmessageqt/__init__.py:3710
3709        os.makedirs(state.appdata + 'avatars/')
3710    hash = hashlib.md5(addBMIfNotPresent(addressAtCurrentRow)).hexdigest()
3711    extensions = ['PNG', 'GIF', 'JPG', 'JPEG', 'SVG', 'BMP', 'MNG', 'PBM', 'PGM', 'PPM', 'TIFF', 'XBM', 'XPM', 'TGA']
--------------------------------------------------
>> Issue: [B608:hardcoded_sql_expressions] Possible SQL injection vector through string-based query construction.
   Severity: Medium   Confidence: Low
   Location: PyBitmessage/src/bitmessageqt/__init__.py:4009
4008    queryreturn = sqlQuery(
4009        '''SELECT message FROM %s WHERE %s=?''' % (
4010            ('sent', 'ackdata') if folder == 'sent'
4011            else ('inbox', 'msgid')
4012        ), msgid
--------------------------------------------------
>> Issue: [B101:assert_used] Use of assert detected. The enclosed code will be removed when compiling to optimised byte code.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/bitmessageqt/__init__.py:4230
4229    else:
4230        assert False
4231
--------------------------------------------------
>> Issue: [B101:assert_used] Use of assert detected. The enclosed code will be removed when compiling to optimised byte code.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/bitmessageqt/__init__.py:4290
4289        return "nmcontrol"
4290    assert False
4291
--------------------------------------------------
>> Issue: [B101:assert_used] Use of assert detected. The enclosed code will be removed when compiling to optimised byte code.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/bitmessageqt/__init__.py:4295
4294    nmctype = self.getNamecoinType()
4295    assert nmctype == "namecoind" or nmctype == "nmcontrol"
4296
4297    isNamecoind = (nmctype == "namecoind")
--------------------------------------------------
>> Issue: [B110:try_except_pass] Try, Except, Pass detected.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/bitmessageqt/account.py:69
68      return GatewayAccount(address)
69  except:
70      pass
--------------------------------------------------
>> Issue: [B110:try_except_pass] Try, Except, Pass detected.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/bitmessageqt/bitmessageui.py:704
703     hours = int(BMConfigParser().getint('bitmessagesettings', 'ttl')/60/60)
704 except:
705     pass
--------------------------------------------------
>> Issue: [B110:try_except_pass] Try, Except, Pass detected.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/bitmessageqt/languagebox.py:21
20      configuredLocale = BMConfigParser().get('bitmessagesettings', 'userlocale', "system")
21  except:
22      pass
--------------------------------------------------
>> Issue: [B110:try_except_pass] Try, Except, Pass detected.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/bitmessageqt/settingsmixin.py:31
30      target.restoreGeometry(geom.toByteArray() if hasattr(geom, 'toByteArray') else geom)
31  except Exception as e:
32      pass
--------------------------------------------------
>> Issue: [B110:try_except_pass] Try, Except, Pass detected.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/bitmessageqt/settingsmixin.py:40
39      target.restoreState(state.toByteArray() if hasattr(state, 'toByteArray') else state)
40  except Exception as e:
41      pass
--------------------------------------------------
>> Issue: [B110:try_except_pass] Try, Except, Pass detected.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/bitmessageqt/support.py:105
104     os = unixversion[0] + " " + unixversion[2]
105 except:
106     pass
--------------------------------------------------
>> Issue: [B303:blacklist] Use of insecure MD2, MD4, or MD5 hash function.
   Severity: Medium   Confidence: High
   Location: PyBitmessage/src/bitmessageqt/utils.py:40
39      import qidenticon
40      hash = hashlib.md5(addBMIfNotPresent(address)+identiconsuffix).hexdigest()
41      use_two_colors = (identicon_lib[:len('qidenticon_two')] == 'qidenticon_two')
--------------------------------------------------
>> Issue: [B303:blacklist] Use of insecure MD2, MD4, or MD5 hash function.
   Severity: Medium   Confidence: High
   Location: PyBitmessage/src/bitmessageqt/utils.py:74
73      idcon = QtGui.QIcon()
74      hash = hashlib.md5(addBMIfNotPresent(address)).hexdigest()
75      str_broadcast_subscribers = '[Broadcast subscribers]'
--------------------------------------------------
>> Issue: [B110:try_except_pass] Try, Except, Pass detected.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/class_addressGenerator.py:30
29      queues.addressGeneratorQueue.put(("stopThread", "data"))
30  except:
31      pass
--------------------------------------------------
>> Issue: [B311:blacklist] Standard pseudo-random generators are not suitable for security/cryptographic purposes.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/class_objectHashHolder.py:40
39  def holdHash(self,hash):
40      self.collectionOfHashLists[random.randrange(0, objectHashHolder.size)].append(hash)
41
--------------------------------------------------
>> Issue: [B311:blacklist] Standard pseudo-random generators are not suitable for security/cryptographic purposes.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/class_objectHashHolder.py:48
47  def holdPeer(self,peerDetails):
48      self.collectionOfPeerLists[random.randrange(0, objectHashHolder.size)].append(peerDetails)
49
--------------------------------------------------
>> Issue: [B404:blacklist] Consider possible security implications associated with call module.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/class_objectProcessor.py:9
8   import string
9   from subprocess import call  # used when the API must execute an outside program
10  import traceback
--------------------------------------------------
>> Issue: [B311:blacklist] Standard pseudo-random generators are not suitable for security/cryptographic purposes.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/class_objectProcessor.py:359
358
359     for key, cryptorObject in sorted(shared.myECCryptorObjects.items(), key=lambda x: random.random()):
360         try:
--------------------------------------------------
>> Issue: [B110:try_except_pass] Try, Except, Pass detected.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/class_objectProcessor.py:368
367         logger.info('EC decryption successful using key associated with ripe hash: %s.' % hexlify(key))
368     except Exception as err:
369         pass
--------------------------------------------------
>> Issue: [B603:subprocess_without_shell_equals_true] subprocess call - check for execution of untrusted input.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/class_objectProcessor.py:542
541     if apiNotifyPath != '':
542         call([apiNotifyPath, "newMessage"])
543
--------------------------------------------------
>> Issue: [B311:blacklist] Standard pseudo-random generators are not suitable for security/cryptographic purposes.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/class_objectProcessor.py:637
636     initialDecryptionSuccessful = False
637     for key, cryptorObject in sorted(shared.MyECSubscriptionCryptorObjects.items(), key=lambda x: random.random()):
638         try:
--------------------------------------------------
>> Issue: [B110:try_except_pass] Try, Except, Pass detected.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/class_objectProcessor.py:646
645         logger.info('EC decryption successful using key associated with ripe hash: %s' % hexlify(key))
646     except Exception as err:
647         pass
--------------------------------------------------
>> Issue: [B603:subprocess_without_shell_equals_true] subprocess call - check for execution of untrusted input.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/class_objectProcessor.py:795
794     if apiNotifyPath != '':
795         call([apiNotifyPath, "newBroadcast"])
796
--------------------------------------------------
>> Issue: [B311:blacklist] Standard pseudo-random generators are not suitable for security/cryptographic purposes.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/class_outgoingSynSender.py:62
61      priority = 0.001
62      if (random.random() <= priority):
63          break
--------------------------------------------------
>> Issue: [B110:try_except_pass] Try, Except, Pass detected.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/class_outgoingSynSender.py:74
73      self.sock.shutdown(socket.SHUT_RDWR)
74  except:
75      pass
--------------------------------------------------
>> Issue: [B110:try_except_pass] Try, Except, Pass detected.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/class_receiveDataThread.py:141
140     logger.debug('removed self (a receiveDataThread) from selfInitiatedConnections')
141 except:
142     pass
--------------------------------------------------
>> Issue: [B110:try_except_pass] Try, Except, Pass detected.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/class_receiveDataThread.py:820
819     queues.UISignalQueue.put(('newVersionAvailable', remoteVersion))
820 except:
821     pass
--------------------------------------------------
>> Issue: [B110:try_except_pass] Try, Except, Pass detected.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/class_sendDataThread.py:211
210     self.sock.close()
211 except:
212     pass
--------------------------------------------------
>> Issue: [B110:try_except_pass] Try, Except, Pass detected.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/class_singleListener.py:63
62      break
63  except:
64      pass
--------------------------------------------------
>> Issue: [B404:blacklist] Consider possible security implications associated with call module.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/class_singleWorker.py:8
7   import random
8   from subprocess import call  # used when the API must execute an outside program
9   from addresses import *
--------------------------------------------------
>> Issue: [B110:try_except_pass] Try, Except, Pass detected.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/class_singleWorker.py:50
49      queues.workerQueue.put(("stopThread", "data"))
50  except:
51      pass
--------------------------------------------------
>> Issue: [B110:try_except_pass] Try, Except, Pass detected.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/class_singleWorker.py:112
111     self.sendMsg()
112 except:
113     pass
--------------------------------------------------
>> Issue: [B110:try_except_pass] Try, Except, Pass detected.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/class_singleWorker.py:117
116     self.sendBroadcast()
117 except:
118     pass
--------------------------------------------------
>> Issue: [B110:try_except_pass] Try, Except, Pass detected.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/class_singleWorker.py:122
121     self.doPOWForMyV2Pubkey(data)
122 except:
123     pass
--------------------------------------------------
>> Issue: [B110:try_except_pass] Try, Except, Pass detected.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/class_singleWorker.py:127
126     self.sendOutOrStoreMyV3Pubkey(data)
127 except:
128     pass
--------------------------------------------------
>> Issue: [B110:try_except_pass] Try, Except, Pass detected.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/class_singleWorker.py:132
131     self.sendOutOrStoreMyV4Pubkey(data)
132 except:
133     pass
--------------------------------------------------
>> Issue: [B110:try_except_pass] Try, Except, Pass detected.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/class_singleWorker.py:137
136     proofofwork.resetPoW()
137 except:
138     pass
--------------------------------------------------
>> Issue: [B311:blacklist] Standard pseudo-random generators are not suitable for security/cryptographic purposes.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/class_singleWorker.py:161
160
161     TTL = int(28 * 24 * 60 * 60 + random.randrange(-300, 300))  # 28 days from now plus or minus five minutes
162     embeddedTime = int(time.time() + TTL)
--------------------------------------------------
>> Issue: [B110:try_except_pass] Try, Except, Pass detected.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/class_singleWorker.py:212
211     BMConfigParser().save()
212 except:
213     # The user deleted the address out of the keys.dat file before this
--------------------------------------------------
>> Issue: [B311:blacklist] Standard pseudo-random generators are not suitable for security/cryptographic purposes.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/class_singleWorker.py:233
232
233     TTL = int(28 * 24 * 60 * 60 + random.randrange(-300, 300))  # 28 days from now plus or minus five minutes
234     embeddedTime = int(time.time() + TTL)
--------------------------------------------------
>> Issue: [B110:try_except_pass] Try, Except, Pass detected.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/class_singleWorker.py:302
301     BMConfigParser().save()
302 except:
303     # The user deleted the address out of the keys.dat file before this
--------------------------------------------------
>> Issue: [B311:blacklist] Standard pseudo-random generators are not suitable for security/cryptographic purposes.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/class_singleWorker.py:319
318
319     TTL = int(28 * 24 * 60 * 60 + random.randrange(-300, 300))  # 28 days from now plus or minus five minutes
320     embeddedTime = int(time.time() + TTL)
--------------------------------------------------
>> Issue: [B311:blacklist] Standard pseudo-random generators are not suitable for security/cryptographic purposes.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/class_singleWorker.py:439
438     TTL = 60*60
439     TTL = int(TTL + random.randrange(-300, 300))  # add some randomness to the TTL
440     embeddedTime = int(time.time() + TTL)
--------------------------------------------------
>> Issue: [B311:blacklist] Standard pseudo-random generators are not suitable for security/cryptographic purposes.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/class_singleWorker.py:632
631     TTL = 28 * 24 * 60 * 60
632     TTL = int(TTL + random.randrange(-300, 300))  # add some randomness to the TTL
633     embeddedTime = int(time.time() + TTL)
--------------------------------------------------
>> Issue: [B110:try_except_pass] Try, Except, Pass detected.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/class_singleWorker.py:821
820     logger.info('PoW took %.1f seconds, speed %s.', time.time() - powStartTime, sizeof_fmt(nonce / (time.time() - powStartTime)))
821 except:
822     pass
--------------------------------------------------
>> Issue: [B603:subprocess_without_shell_equals_true] subprocess call - check for execution of untrusted input.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/class_singleWorker.py:882
881     if apiNotifyPath != '':
882         call([apiNotifyPath, "newMessage"])
883
--------------------------------------------------
>> Issue: [B311:blacklist] Standard pseudo-random generators are not suitable for security/cryptographic purposes.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/class_singleWorker.py:915
914     TTL = 28*24*60*60
915     TTL = TTL + random.randrange(-300, 300)  # add some randomness to the TTL
916     embeddedTime = int(time.time() + TTL)
--------------------------------------------------
>> Issue: [B311:blacklist] Standard pseudo-random generators are not suitable for security/cryptographic purposes.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/class_singleWorker.py:978
977     TTL = 28*24*60*60  # 4 weeks
978     TTL = int(TTL + random.randrange(-300, 300))  # Add some randomness to the TTL
979     embeddedTime = int(time.time() + TTL)
--------------------------------------------------
>> Issue: [B110:try_except_pass] Try, Except, Pass detected.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/class_singleWorker.py:993
992     logger.info('PoW took %.1f seconds, speed %s.', time.time() - powStartTime, sizeof_fmt(nonce / (time.time() - powStartTime)))
993 except:
994     pass
--------------------------------------------------
>> Issue: [B110:try_except_pass] Try, Except, Pass detected.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/class_smtpDeliver.py:26
25      queues.UISignallerQueue.put(("stopThread", "data"))
26  except:
27      pass
--------------------------------------------------
>> Issue: [B311:blacklist] Standard pseudo-random generators are not suitable for security/cryptographic purposes.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/class_sqlThread.py:266
265     if not BMConfigParser().has_option('bitmessagesettings', 'identiconsuffix'):  # acts as a salt
266         BMConfigParser().set('bitmessagesettings', 'identiconsuffix', ''.join(random.choice("123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz") for x in range(12)))  # a twelve character pseudo-password to salt the identicons
267
--------------------------------------------------
>> Issue: [B112:try_except_continue] Try, Except, Continue detected.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/class_sqlThread.py:329
328     BMConfigParser().set(addressInKeysFile,'payloadlengthextrabytes', str(int(previousSmallMessageDifficulty * 1000)))
329 except:
330     continue
--------------------------------------------------
>> Issue: [B110:try_except_pass] Try, Except, Pass detected.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/depends.py:110
109     paths.append(path)
110 except:
111     pass
--------------------------------------------------
>> Issue: [B311:blacklist] Standard pseudo-random generators are not suitable for security/cryptographic purposes.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/helper_ackPayload.py:22
21      # (the smallest possible standard-formatted message is 234 bytes)
22      dummyMessage = helper_random.randomBytes(random.randint(234, 800))
23      # Encrypt the message using standard BM encryption (ECIES)
--------------------------------------------------
>> Issue: [B403:blacklist] Consider possible security implications associated with pickle module.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/helper_bootstrap.py:3
2   import defaultKnownNodes
3   import pickle
4   import time
--------------------------------------------------
>> Issue: [B301:blacklist] Pickle library appears to be in use, possible security issue.
   Severity: Medium   Confidence: High
   Location: PyBitmessage/src/helper_bootstrap.py:27
26      with knownnodes.knownNodesLock:
27          knownnodes.knownNodes = pickle.load(pickleFile)
28          # the old format was {Peer:lastseen, ...}
--------------------------------------------------
>> Issue: [B307:blacklist] Use of possibly insecure function - consider using safer ast.literal_eval.
   Severity: Medium   Confidence: High
   Location: PyBitmessage/src/inventory.py:24
23      self._className = "storage." + self._moduleName + "." + self._moduleName.title() + "Inventory"
24      self._inventoryClass = eval(self._className)
25      self._realInventory = self._inventoryClass()
--------------------------------------------------
>> Issue: [B403:blacklist] Consider possible security implications associated with pickle module.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/knownnodes.py:1
1   import pickle
2   import os
3   import threading
--------------------------------------------------
>> Issue: [B311:blacklist] Standard pseudo-random generators are not suitable for security/cryptographic purposes.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/multiqueue.py:27
26      #self.queue.append(item)
27      self.queues[random.randrange(self.queueCount)].append((item))
28
--------------------------------------------------
>> Issue: [B101:assert_used] Use of assert detected. The enclosed code will be removed when compiling to optimised byte code.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/namecoin.py:80
79
80      assert self.nmctype == "namecoind" or self.nmctype == "nmcontrol"
81      if self.nmctype == "namecoind":
--------------------------------------------------
>> Issue: [B101:assert_used] Use of assert detected. The enclosed code will be removed when compiling to optimised byte code.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/namecoin.py:103
102         else:
103             assert False
104     except RPCError as exc:
--------------------------------------------------
>> Issue: [B101:assert_used] Use of assert detected. The enclosed code will be removed when compiling to optimised byte code.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/namecoin.py:161
160     else:
161         assert False
162
--------------------------------------------------
>> Issue: [B101:assert_used] Use of assert detected. The enclosed code will be removed when compiling to optimised byte code.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/namecoin.py:179
178     else:
179         assert False
180     val = json.loads (resp)
--------------------------------------------------
>> Issue: [B110:try_except_pass] Try, Except, Pass detected.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/network/bmproto.py:495
494         return False
495     except:
496         pass
--------------------------------------------------
>> Issue: [B311:blacklist] Standard pseudo-random generators are not suitable for security/cryptographic purposes.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/network/connectionpool.py:159
158     try:
159         chosen = chooseConnection(random.choice(self.streams))
160     except ValueError:
--------------------------------------------------
>> Issue: [B311:blacklist] Standard pseudo-random generators are not suitable for security/cryptographic purposes.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/network/dandelion.py:101
100     # pick a random from available stems
101     stem = choice(range(len(self.stem)))
102     if self.stem[stem] == parent:
--------------------------------------------------
>> Issue: [B311:blacklist] Standard pseudo-random generators are not suitable for security/cryptographic purposes.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/network/invthread.py:61
60      # auto-ignore if config set to 0, i.e. dandelion is off
61      if randint(1, 100) >= state.dandelion:
62          fluffs.append(inv[1])
--------------------------------------------------
>> Issue: [B110:try_except_pass] Try, Except, Pass detected.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/network/networkthread.py:26
25          i.close()
26      except:
27          pass
--------------------------------------------------
>> Issue: [B110:try_except_pass] Try, Except, Pass detected.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/network/networkthread.py:31
30          i.close()
31      except:
32          pass
--------------------------------------------------
>> Issue: [B110:try_except_pass] Try, Except, Pass detected.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/network/networkthread.py:36
35          i.close()
36      except:
37          pass
--------------------------------------------------
>> Issue: [B404:blacklist] Consider possible security implications associated with subprocess module.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/plugins/sound_playfile.py:11
10  import os
11  import subprocess
12
13  play_cmd = {}
--------------------------------------------------
>> Issue: [B603:subprocess_without_shell_equals_true] subprocess call - check for execution of untrusted input.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/plugins/sound_playfile.py:17
16      FNULL = open(os.devnull, 'wb')
17      subprocess.call(
18          args, stdout=FNULL, stderr=subprocess.STDOUT, close_fds=True)
19
--------------------------------------------------
>> Issue: [B404:blacklist] Consider possible security implications associated with call module.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/proofofwork.py:6
5   from struct import unpack, pack
6   from subprocess import call
7   import sys
--------------------------------------------------
>> Issue: [B110:try_except_pass] Try, Except, Pass detected.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/proofofwork.py:34
33          win32process.SetPriorityClass(handle, win32process.IDLE_PRIORITY_CLASS)
34      except:
35          #Windows 64-bit
--------------------------------------------------
>> Issue: [B110:try_except_pass] Try, Except, Pass detected.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/proofofwork.py:82
81          pool.join()
82      except:
83          pass
--------------------------------------------------
>> Issue: [B603:subprocess_without_shell_equals_true] subprocess call - check for execution of untrusted input.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/proofofwork.py:181
180         # BSD make
181         call(["make", "-C", os.path.join(paths.codePath(), "bitmsghash"), '-f', 'Makefile.bsd'])
182     else:
--------------------------------------------------
>> Issue: [B607:start_process_with_partial_path] Starting a process with a partial executable path
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/proofofwork.py:181
180         # BSD make
181         call(["make", "-C", os.path.join(paths.codePath(), "bitmsghash"), '-f', 'Makefile.bsd'])
182     else:
--------------------------------------------------
>> Issue: [B603:subprocess_without_shell_equals_true] subprocess call - check for execution of untrusted input.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/proofofwork.py:184
183         # GNU make
184         call(["make", "-C", os.path.join(paths.codePath(), "bitmsghash")])
185     if os.path.exists(os.path.join(paths.codePath(), "bitmsghash", "bitmsghash.so")):
--------------------------------------------------
>> Issue: [B607:start_process_with_partial_path] Starting a process with a partial executable path
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/proofofwork.py:184
183         # GNU make
184         call(["make", "-C", os.path.join(paths.codePath(), "bitmsghash")])
185     if os.path.exists(os.path.join(paths.codePath(), "bitmsghash", "bitmsghash.so")):
--------------------------------------------------
>> Issue: [B110:try_except_pass] Try, Except, Pass detected.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/proofofwork.py:207
206             raise
207     except:
208         pass  # fallback
--------------------------------------------------
>> Issue: [B110:try_except_pass] Try, Except, Pass detected.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/proofofwork.py:214
213             raise
214     except:
215         pass  # fallback
--------------------------------------------------
>> Issue: [B110:try_except_pass] Try, Except, Pass detected.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/proofofwork.py:233
232             raise
233     except:
234         pass  #fallback
--------------------------------------------------
>> Issue: [B311:blacklist] Standard pseudo-random generators are not suitable for security/cryptographic purposes.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/protocol.py:45
44  eightBytesOfRandomDataUsedToDetectConnectionsToSelf = pack(
45      '>Q', random.randrange(1, 18446744073709551615))
46
--------------------------------------------------
>> Issue: [B110:try_except_pass] Try, Except, Pass detected.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/pyelliptic/openssl.py:545
544         return
545     except:
546         pass
--------------------------------------------------
>> Issue: [B104:hardcoded_bind_all_interfaces] Possible binding to all interfaces.
   Severity: Medium   Confidence: Medium
   Location: PyBitmessage/src/socks/__init__.py:388
387         raise HTTPError((statuscode, statusline[2]))
388     self.__proxysockname = ("0.0.0.0", 0)
389     self.__proxypeername = (addr, destport)
--------------------------------------------------
>> Issue: [B408:blacklist] Using Document to parse untrusted XML data is known to be vulnerable to XML attacks. Replace Document with the equivalent defusedxml package, or make sure defusedxml.defuse_stdlib() is called.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/upnp.py:18
17  def createRequestXML(service, action, arguments=None):
18      from xml.dom.minidom import Document
19
20      doc = Document()
--------------------------------------------------
>> Issue: [B408:blacklist] Using parseString to parse untrusted XML data is known to be vulnerable to XML attacks. Replace parseString with the equivalent defusedxml package, or make sure defusedxml.defuse_stdlib() is called.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/upnp.py:79
78      import urllib2
79      from xml.dom.minidom import parseString
80      from urlparse import urlparse
--------------------------------------------------
>> Issue: [B310:blacklist] Audit url open for permitted schemes. Allowing use of file:/ or custom schemes is often unexpected.
   Severity: Medium   Confidence: High
   Location: PyBitmessage/src/upnp.py:100
99      # get the profile xml file and read it into a variable
100     directory = urllib2.urlopen(header['location']).read()
101
--------------------------------------------------
>> Issue: [B318:blacklist] Using xml.dom.minidom.parseString to parse untrusted XML data is known to be vulnerable to XML attacks. Replace xml.dom.minidom.parseString with its defusedxml equivalent function or make sure defusedxml.defuse_stdlib() is called
   Severity: Medium   Confidence: High
   Location: PyBitmessage/src/upnp.py:103
102     # create a DOM object that represents the `directory` document
103     dom = parseString(directory)
104
--------------------------------------------------
>> Issue: [B408:blacklist] Using parseString to parse untrusted XML data is known to be vulnerable to XML attacks. Replace parseString with the equivalent defusedxml package, or make sure defusedxml.defuse_stdlib() is called.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/upnp.py:142
141     def GetExternalIPAddress(self):
142         from xml.dom.minidom import parseString
143         resp = self.soapRequest(self.upnp_schema + ':1', 'GetExternalIPAddress')
--------------------------------------------------
>> Issue: [B318:blacklist] Using xml.dom.minidom.parseString to parse untrusted XML data is known to be vulnerable to XML attacks. Replace xml.dom.minidom.parseString with its defusedxml equivalent function or make sure defusedxml.defuse_stdlib() is called
   Severity: Medium   Confidence: High
   Location: PyBitmessage/src/upnp.py:144
143         resp = self.soapRequest(self.upnp_schema + ':1', 'GetExternalIPAddress')
144         dom = parseString(resp)
145         return dom.getElementsByTagName('NewExternalIPAddress')[0].childNodes[0].data
--------------------------------------------------
>> Issue: [B408:blacklist] Using parseString to parse untrusted XML data is known to be vulnerable to XML attacks. Replace parseString with the equivalent defusedxml package, or make sure defusedxml.defuse_stdlib() is called.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/upnp.py:148
147     def soapRequest(self, service, action, arguments=None):
148         from xml.dom.minidom import parseString
149         from debug import logger
--------------------------------------------------
>> Issue: [B318:blacklist] Using xml.dom.minidom.parseString to parse untrusted XML data is known to be vulnerable to XML attacks. Replace xml.dom.minidom.parseString with its defusedxml equivalent function or make sure defusedxml.defuse_stdlib() is called
   Severity: Medium   Confidence: High
   Location: PyBitmessage/src/upnp.py:165
164         try:
165             dom = parseString(respData)
166             errinfo = dom.getElementsByTagName('errorDescription')
--------------------------------------------------
>> Issue: [B110:try_except_pass] Try, Except, Pass detected.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/upnp.py:217
216             self.sendSearchRouter()
217         except:
218             pass
--------------------------------------------------
>> Issue: [B110:try_except_pass] Try, Except, Pass detected.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/upnp.py:249
248             self.sock.shutdown(socket.SHUT_RDWR)
249         except:
250             pass
--------------------------------------------------
>> Issue: [B110:try_except_pass] Try, Except, Pass detected.
Severity: Low Confidence: High Location: PyBitmessage/src/upnp.py:253 252 self.sock.close() 253 except: 254 pass -------------------------------------------------- >> Issue: [B311:blacklist] Standard pseudo-random generators are not suitable for security/cryptographic purposes. Severity: Low Confidence: High Location: PyBitmessage/src/upnp.py:297 296 else: 297 extPort = randint(32767, 65535) 298 logger.debug("Attempt %i, requesting UPnP mapping for %s:%i on external port %i", i, localIP, self.localPort, extPort) -------------------------------------------------- Code scanned: Total lines of code: 27741 Total lines skipped (#nosec): 0 Run metrics: Total issues (by severity): Undefined: 0.0 Low: 97.0 Medium: 14.0 High: 1.0 Total issues (by confidence): Undefined: 0.0 Low: 4.0 Medium: 1.0 High: 107.0 Files skipped (37): PyBitmessage/build/compiletest.py (syntax error while parsing AST from file) PyBitmessage/checkdeps.py (syntax error while parsing AST from file) PyBitmessage/dev/bloomfiltertest.py (syntax error while parsing AST from file) PyBitmessage/dev/msgtest.py (syntax error while parsing AST from file) PyBitmessage/dev/powinterrupttest.py (syntax error while parsing AST from file) PyBitmessage/dev/ssltest.py (syntax error while parsing AST from file) PyBitmessage/src/addresses.py (syntax error while parsing AST from file) PyBitmessage/src/api.py (syntax error while parsing AST from file) PyBitmessage/src/api_client.py (syntax error while parsing AST from file) PyBitmessage/src/bitmessagecli.py (syntax error while parsing AST from file) PyBitmessage/src/bitmessageqt/address_dialogs.py (syntax error while parsing AST from file) PyBitmessage/src/bitmessageqt/foldertree.py (syntax error while parsing AST from file) PyBitmessage/src/bitmessageqt/newaddresswizard.py (syntax error while parsing AST from file) PyBitmessage/src/class_singleCleaner.py (syntax error while parsing AST from file) PyBitmessage/src/class_smtpServer.py (syntax error while parsing AST from 
file) PyBitmessage/src/debug.py (syntax error while parsing AST from file) PyBitmessage/src/defaultKnownNodes.py (syntax error while parsing AST from file) PyBitmessage/src/helper_bitcoin.py (syntax error while parsing AST from file) PyBitmessage/src/helper_generic.py (syntax error while parsing AST from file) PyBitmessage/src/helper_msgcoding.py (syntax error while parsing AST from file) PyBitmessage/src/helper_startup.py (syntax error while parsing AST from file) PyBitmessage/src/message_data_reader.py (syntax error while parsing AST from file) PyBitmessage/src/network/asyncore_pollchoose.py (syntax error while parsing AST from file) PyBitmessage/src/network/connectionchooser.py (syntax error while parsing AST from file) PyBitmessage/src/network/http-old.py (syntax error while parsing AST from file) PyBitmessage/src/network/http.py (syntax error while parsing AST from file) PyBitmessage/src/network/socks4a.py (syntax error while parsing AST from file) PyBitmessage/src/network/socks5.py (syntax error while parsing AST from file) PyBitmessage/src/network/tcp.py (syntax error while parsing AST from file) PyBitmessage/src/network/udp.py (syntax error while parsing AST from file) PyBitmessage/src/openclpow.py (syntax error while parsing AST from file) PyBitmessage/src/paths.py (syntax error while parsing AST from file) PyBitmessage/src/randomtrackingdict.py (syntax error while parsing AST from file) PyBitmessage/src/shared.py (syntax error while parsing AST from file) PyBitmessage/src/singleinstance.py (syntax error while parsing AST from file) PyBitmessage/src/storage/filesystem.py (syntax error while parsing AST from file) PyBitmessage/src/tr.py (syntax error while parsing AST from file)