Security Test on PyBitmessage Branch Master

BM-2cUNNhAmbvBqsxDoXvofyCmTtTMbEsABzD
May 26 05:53

Test results:

>> Issue: [B411:blacklist] Using xmlrpclib to parse untrusted XML data is known to be vulnerable to XML attacks. Use defused.xmlrpc.monkey_patch() function to monkey-patch xmlrpclib and mitigate XML vulnerabilities.
   Severity: High   Confidence: High
   Location: PyBitmessage/packages/collectd/pybitmessagestatus.py:5
   4    import json
   5    import xmlrpclib
   6
   7    pybmurl = ""

>> Issue: [B608:hardcoded_sql_expressions] Possible SQL injection vector through string-based query construction.
   Severity: Medium   Confidence: Low
   Location: PyBitmessage/src/bitmessagecurses/__init__.py:840
   839    ORDER BY received
   840    """ % (where,), what)
   841    for row in ret:

>> Issue: [B608:hardcoded_sql_expressions] Possible SQL injection vector through string-based query construction.
   Severity: Medium   Confidence: Low
   Location: PyBitmessage/src/bitmessagecurses/__init__.py:889
   888    ORDER BY lastactiontime
   889    """ % (where,), what)
   890    for row in ret:

>> Issue: [B404:blacklist] Consider possible security implications associated with call module.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/bitmessagemain.py:29
   28    from struct import pack
   29    from subprocess import call
   30    from time import sleep

>> Issue: [B110:try_except_pass] Try, Except, Pass detected.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/bitmessagemain.py:84
   83    state.maximumNumberOfHalfOpenConnections = 4
   84    except:
   85    pass

>> Issue: [B110:try_except_pass] Try, Except, Pass detected.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/bitmessagemain.py:165
   164    s.close()
   165    except:
   166    pass

>> Issue: [B311:blacklist] Standard pseudo-random generators are not suitable for security/cryptographic purposes.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/bitmessagemain.py:177
   176    if attempt > 0:
   177    port = randint(32767, 65535)
   178    se = StoppableXMLRPCServer((BMConfigParser().get('bitmessagesettings', 'apiinterface'), port),

>> Issue: [B603:subprocess_without_shell_equals_true] subprocess call - check for execution of untrusted input.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/bitmessagemain.py:292
   291
   292    call([apiNotifyPath, "startingUp"])
   293    singleAPIThread = singleAPI()

>> Issue: [B110:try_except_pass] Try, Except, Pass detected.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/bitmessageqt/__init__.py:76
   75    QtGui.QApplication.removeTranslator(qmytranslator)
   76    except:
   77    pass

>> Issue: [B110:try_except_pass] Try, Except, Pass detected.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/bitmessageqt/__init__.py:81
   80    QtGui.QApplication.removeTranslator(qsystranslator)
   81    except:
   82    pass

>> Issue: [B110:try_except_pass] Try, Except, Pass detected.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/bitmessageqt/__init__.py:1952
   1951    toAddress = unicode(toAddress, 'utf-8', 'ignore')
   1952    except:
   1953    pass

>> Issue: [B110:try_except_pass] Try, Except, Pass detected.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/bitmessageqt/__init__.py:2576
   2575    os.remove(previousAppdataLocation + 'debug.log.1')
   2576    except:
   2577    pass

>> Issue: [B110:try_except_pass] Try, Except, Pass detected.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/bitmessageqt/__init__.py:2594
   2593    os.remove(paths.lookupExeFolder() + 'debug.log.1')
   2594    except:
   2595    pass

>> Issue: [B608:hardcoded_sql_expressions] Possible SQL injection vector through string-based query construction.
   Severity: Medium   Confidence: Low
   Location: PyBitmessage/src/bitmessageqt/__init__.py:2659
   2658    markread = sqlExecuteChunked(
   2659    "UPDATE %s SET read = 1 WHERE %s IN({0}) AND read=0" % (
   2660    ('sent', 'ackdata') if self.getCurrentFolder() == 'sent'
   2661    else ('inbox', 'msgid')
   2662    ), idCount, *msgids

>> Issue: [B110:try_except_pass] Try, Except, Pass detected.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/bitmessageqt/__init__.py:2856
   2855    'bitmessagesettings', 'trayonclose')
   2856    except Exception:
   2857    pass

>> Issue: [B303:blacklist] Use of insecure MD2, MD4, or MD5 hash function.
   Severity: Medium   Confidence: High
   Location: PyBitmessage/src/bitmessageqt/__init__.py:3710
   3709    os.makedirs(state.appdata + 'avatars/')
   3710    hash = hashlib.md5(addBMIfNotPresent(addressAtCurrentRow)).hexdigest()
   3711    extensions = ['PNG', 'GIF', 'JPG', 'JPEG', 'SVG', 'BMP', 'MNG', 'PBM', 'PGM', 'PPM', 'TIFF', 'XBM', 'XPM', 'TGA']

>> Issue: [B608:hardcoded_sql_expressions] Possible SQL injection vector through string-based query construction.
   Severity: Medium   Confidence: Low
   Location: PyBitmessage/src/bitmessageqt/__init__.py:4009
   4008    queryreturn = sqlQuery(
   4009    '''SELECT message FROM %s WHERE %s=?''' % (
   4010    ('sent', 'ackdata') if folder == 'sent'
   4011    else ('inbox', 'msgid')
   4012    ), msgid

>> Issue: [B101:assert_used] Use of assert detected. The enclosed code will be removed when compiling to optimised byte code.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/bitmessageqt/__init__.py:4230
   4229    else:
   4230    assert False
   4231

>> Issue: [B101:assert_used] Use of assert detected. The enclosed code will be removed when compiling to optimised byte code.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/bitmessageqt/__init__.py:4290
   4289    return "nmcontrol"
   4290    assert False
   4291

>> Issue: [B101:assert_used] Use of assert detected. The enclosed code will be removed when compiling to optimised byte code.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/bitmessageqt/__init__.py:4295
   4294    nmctype = self.getNamecoinType()
   4295    assert nmctype == "namecoind" or nmctype == "nmcontrol"
   4296
   4297    isNamecoind = (nmctype == "namecoind")

>> Issue: [B110:try_except_pass] Try, Except, Pass detected.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/bitmessageqt/account.py:69
   68    return GatewayAccount(address)
   69    except:
   70    pass

>> Issue: [B110:try_except_pass] Try, Except, Pass detected.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/bitmessageqt/bitmessageui.py:704
   703    hours = int(BMConfigParser().getint('bitmessagesettings', 'ttl')/60/60)
   704    except:
   705    pass

>> Issue: [B110:try_except_pass] Try, Except, Pass detected.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/bitmessageqt/languagebox.py:21
   20    configuredLocale = BMConfigParser().get('bitmessagesettings', 'userlocale', "system")
   21    except:
   22    pass

>> Issue: [B110:try_except_pass] Try, Except, Pass detected.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/bitmessageqt/settingsmixin.py:31
   30    target.restoreGeometry(geom.toByteArray() if hasattr(geom, 'toByteArray') else geom)
   31    except Exception as e:
   32    pass

>> Issue: [B110:try_except_pass] Try, Except, Pass detected.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/bitmessageqt/settingsmixin.py:40
   39    target.restoreState(state.toByteArray() if hasattr(state, 'toByteArray') else state)
   40    except Exception as e:
   41    pass

>> Issue: [B110:try_except_pass] Try, Except, Pass detected.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/bitmessageqt/support.py:105
   104    os = unixversion[0] + " " + unixversion[2]
   105    except:
   106    pass

>> Issue: [B303:blacklist] Use of insecure MD2, MD4, or MD5 hash function.
   Severity: Medium   Confidence: High
   Location: PyBitmessage/src/bitmessageqt/utils.py:40
   39    import qidenticon
   40    hash = hashlib.md5(addBMIfNotPresent(address)+identiconsuffix).hexdigest()
   41    use_two_colors = (identicon_lib[:len('qidenticon_two')] == 'qidenticon_two')

>> Issue: [B303:blacklist] Use of insecure MD2, MD4, or MD5 hash function.
   Severity: Medium   Confidence: High
   Location: PyBitmessage/src/bitmessageqt/utils.py:74
   73    idcon = QtGui.QIcon()
   74    hash = hashlib.md5(addBMIfNotPresent(address)).hexdigest()
   75    str_broadcast_subscribers = '[Broadcast subscribers]'

>> Issue: [B110:try_except_pass] Try, Except, Pass detected.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/class_addressGenerator.py:30
   29    queues.addressGeneratorQueue.put(("stopThread", "data"))
   30    except:
   31    pass

>> Issue: [B311:blacklist] Standard pseudo-random generators are not suitable for security/cryptographic purposes.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/class_objectHashHolder.py:40
   39    def holdHash(self,hash):
   40    self.collectionOfHashLists[random.randrange(0, objectHashHolder.size)].append(hash)
   41

>> Issue: [B311:blacklist] Standard pseudo-random generators are not suitable for security/cryptographic purposes.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/class_objectHashHolder.py:48
   47    def holdPeer(self,peerDetails):
   48    self.collectionOfPeerLists[random.randrange(0, objectHashHolder.size)].append(peerDetails)
   49

>> Issue: [B404:blacklist] Consider possible security implications associated with call module.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/class_objectProcessor.py:9
   8    import string
   9    from subprocess import call # used when the API must execute an outside program
   10    import traceback

>> Issue: [B311:blacklist] Standard pseudo-random generators are not suitable for security/cryptographic purposes.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/class_objectProcessor.py:359
   358
   359    for key, cryptorObject in sorted(shared.myECCryptorObjects.items(), key=lambda x: random.random()):
   360    try:

>> Issue: [B110:try_except_pass] Try, Except, Pass detected.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/class_objectProcessor.py:368
   367    logger.info('EC decryption successful using key associated with ripe hash: %s.' % hexlify(key))
   368    except Exception as err:
   369    pass

>> Issue: [B603:subprocess_without_shell_equals_true] subprocess call - check for execution of untrusted input.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/class_objectProcessor.py:542
   541    if apiNotifyPath != '':
   542    call([apiNotifyPath, "newMessage"])
   543

>> Issue: [B311:blacklist] Standard pseudo-random generators are not suitable for security/cryptographic purposes.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/class_objectProcessor.py:637
   636    initialDecryptionSuccessful = False
   637    for key, cryptorObject in sorted(shared.MyECSubscriptionCryptorObjects.items(), key=lambda x: random.random()):
   638    try:

>> Issue: [B110:try_except_pass] Try, Except, Pass detected.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/class_objectProcessor.py:646
   645    logger.info('EC decryption successful using key associated with ripe hash: %s' % hexlify(key))
   646    except Exception as err:
   647    pass

>> Issue: [B603:subprocess_without_shell_equals_true] subprocess call - check for execution of untrusted input.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/class_objectProcessor.py:795
   794    if apiNotifyPath != '':
   795    call([apiNotifyPath, "newBroadcast"])
   796

>> Issue: [B311:blacklist] Standard pseudo-random generators are not suitable for security/cryptographic purposes.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/class_outgoingSynSender.py:62
   61    priority = 0.001
   62    if (random.random() <= priority):
   63    break

>> Issue: [B110:try_except_pass] Try, Except, Pass detected.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/class_outgoingSynSender.py:74
   73    self.sock.shutdown(socket.SHUT_RDWR)
   74    except:
   75    pass

>> Issue: [B110:try_except_pass] Try, Except, Pass detected.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/class_receiveDataThread.py:141
   140    logger.debug('removed self (a receiveDataThread) from selfInitiatedConnections')
   141    except:
   142    pass

>> Issue: [B110:try_except_pass] Try, Except, Pass detected.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/class_receiveDataThread.py:820
   819    queues.UISignalQueue.put(('newVersionAvailable', remoteVersion))
   820    except:
   821    pass

>> Issue: [B110:try_except_pass] Try, Except, Pass detected.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/class_sendDataThread.py:211
   210    self.sock.close()
   211    except:
   212    pass

>> Issue: [B110:try_except_pass] Try, Except, Pass detected.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/class_singleListener.py:63
   62    break
   63    except:
   64    pass

>> Issue: [B404:blacklist] Consider possible security implications associated with call module.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/class_singleWorker.py:8
   7    import random
   8    from subprocess import call # used when the API must execute an outside program
   9    from addresses import *

>> Issue: [B110:try_except_pass] Try, Except, Pass detected.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/class_singleWorker.py:50
   49    queues.workerQueue.put(("stopThread", "data"))
   50    except:
   51    pass

>> Issue: [B110:try_except_pass] Try, Except, Pass detected.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/class_singleWorker.py:112
   111    self.sendMsg()
   112    except:
   113    pass

>> Issue: [B110:try_except_pass] Try, Except, Pass detected.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/class_singleWorker.py:117
   116    self.sendBroadcast()
   117    except:
   118    pass

>> Issue: [B110:try_except_pass] Try, Except, Pass detected.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/class_singleWorker.py:122
   121    self.doPOWForMyV2Pubkey(data)
   122    except:
   123    pass

>> Issue: [B110:try_except_pass] Try, Except, Pass detected.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/class_singleWorker.py:127
   126    self.sendOutOrStoreMyV3Pubkey(data)
   127    except:
   128    pass

>> Issue: [B110:try_except_pass] Try, Except, Pass detected.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/class_singleWorker.py:132
   131    self.sendOutOrStoreMyV4Pubkey(data)
   132    except:
   133    pass

>> Issue: [B110:try_except_pass] Try, Except, Pass detected.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/class_singleWorker.py:137
   136    proofofwork.resetPoW()
   137    except:
   138    pass

>> Issue: [B311:blacklist] Standard pseudo-random generators are not suitable for security/cryptographic purposes.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/class_singleWorker.py:161
   160
   161    TTL = int(28 * 24 * 60 * 60 + random.randrange(-300, 300))# 28 days from now plus or minus five minutes
   162    embeddedTime = int(time.time() + TTL)

>> Issue: [B110:try_except_pass] Try, Except, Pass detected.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/class_singleWorker.py:212
   211    BMConfigParser().save()
   212    except:
   213    # The user deleted the address out of the keys.dat file before this

>> Issue: [B311:blacklist] Standard pseudo-random generators are not suitable for security/cryptographic purposes.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/class_singleWorker.py:233
   232
   233    TTL = int(28 * 24 * 60 * 60 + random.randrange(-300, 300))# 28 days from now plus or minus five minutes
   234    embeddedTime = int(time.time() + TTL)

>> Issue: [B110:try_except_pass] Try, Except, Pass detected.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/class_singleWorker.py:302
   301    BMConfigParser().save()
   302    except:
   303    # The user deleted the address out of the keys.dat file before this

>> Issue: [B311:blacklist] Standard pseudo-random generators are not suitable for security/cryptographic purposes.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/class_singleWorker.py:319
   318
   319    TTL = int(28 * 24 * 60 * 60 + random.randrange(-300, 300))# 28 days from now plus or minus five minutes
   320    embeddedTime = int(time.time() + TTL)

>> Issue: [B311:blacklist] Standard pseudo-random generators are not suitable for security/cryptographic purposes.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/class_singleWorker.py:439
   438    TTL = 60*60
   439    TTL = int(TTL + random.randrange(-300, 300))# add some randomness to the TTL
   440    embeddedTime = int(time.time() + TTL)

>> Issue: [B311:blacklist] Standard pseudo-random generators are not suitable for security/cryptographic purposes.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/class_singleWorker.py:632
   631    TTL = 28 * 24 * 60 * 60
   632    TTL = int(TTL + random.randrange(-300, 300))# add some randomness to the TTL
   633    embeddedTime = int(time.time() + TTL)

>> Issue: [B110:try_except_pass] Try, Except, Pass detected.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/class_singleWorker.py:821
   820    logger.info('PoW took %.1f seconds, speed %s.', time.time() - powStartTime, sizeof_fmt(nonce / (time.time() - powStartTime)))
   821    except:
   822    pass

>> Issue: [B603:subprocess_without_shell_equals_true] subprocess call - check for execution of untrusted input.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/class_singleWorker.py:882
   881    if apiNotifyPath != '':
   882    call([apiNotifyPath, "newMessage"])
   883

>> Issue: [B311:blacklist] Standard pseudo-random generators are not suitable for security/cryptographic purposes.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/class_singleWorker.py:915
   914    TTL = 28*24*60*60
   915    TTL = TTL + random.randrange(-300, 300) # add some randomness to the TTL
   916    embeddedTime = int(time.time() + TTL)

>> Issue: [B311:blacklist] Standard pseudo-random generators are not suitable for security/cryptographic purposes.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/class_singleWorker.py:978
   977    TTL = 28*24*60*60 # 4 weeks
   978    TTL = int(TTL + random.randrange(-300, 300)) # Add some randomness to the TTL
   979    embeddedTime = int(time.time() + TTL)

>> Issue: [B110:try_except_pass] Try, Except, Pass detected.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/class_singleWorker.py:993
   992    logger.info('PoW took %.1f seconds, speed %s.', time.time() - powStartTime, sizeof_fmt(nonce / (time.time() - powStartTime)))
   993    except:
   994    pass

>> Issue: [B110:try_except_pass] Try, Except, Pass detected.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/class_smtpDeliver.py:26
   25    queues.UISignallerQueue.put(("stopThread", "data"))
   26    except:
   27    pass

>> Issue: [B311:blacklist] Standard pseudo-random generators are not suitable for security/cryptographic purposes.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/class_sqlThread.py:266
   265    if not BMConfigParser().has_option('bitmessagesettings', 'identiconsuffix'): # acts as a salt
   266    BMConfigParser().set('bitmessagesettings', 'identiconsuffix', ''.join(random.choice("123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz") for x in range(12))) # a twelve character pseudo-password to salt the identicons
   267

>> Issue: [B112:try_except_continue] Try, Except, Continue detected.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/class_sqlThread.py:329
   328    BMConfigParser().set(addressInKeysFile,'payloadlengthextrabytes', str(int(previousSmallMessageDifficulty * 1000)))
   329    except:
   330    continue

>> Issue: [B110:try_except_pass] Try, Except, Pass detected.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/depends.py:110
   109    paths.append(path)
   110    except:
   111    pass

>> Issue: [B311:blacklist] Standard pseudo-random generators are not suitable for security/cryptographic purposes.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/helper_ackPayload.py:22
   21    # (the smallest possible standard-formatted message is 234 bytes)
   22    dummyMessage = helper_random.randomBytes(random.randint(234, 800))
   23    # Encrypt the message using standard BM encryption (ECIES)

>> Issue: [B403:blacklist] Consider possible security implications associated with pickle module.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/helper_bootstrap.py:3
   2    import defaultKnownNodes
   3    import pickle
   4    import time

>> Issue: [B301:blacklist] Pickle library appears to be in use, possible security issue.
   Severity: Medium   Confidence: High
   Location: PyBitmessage/src/helper_bootstrap.py:27
   26    with knownnodes.knownNodesLock:
   27    knownnodes.knownNodes = pickle.load(pickleFile)
   28    # the old format was {Peer:lastseen, ...}

>> Issue: [B307:blacklist] Use of possibly insecure function - consider using safer ast.literal_eval.
   Severity: Medium   Confidence: High
   Location: PyBitmessage/src/inventory.py:24
   23    self._className = "storage." + self._moduleName + "." + self._moduleName.title() + "Inventory"
   24    self._inventoryClass = eval(self._className)
   25    self._realInventory = self._inventoryClass()

>> Issue: [B403:blacklist] Consider possible security implications associated with pickle module.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/knownnodes.py:1
   1    import pickle
   2    import os
   3    import threading

>> Issue: [B311:blacklist] Standard pseudo-random generators are not suitable for security/cryptographic purposes.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/multiqueue.py:27
   26    #self.queue.append(item)
   27    self.queues[random.randrange(self.queueCount)].append((item))
   28

>> Issue: [B101:assert_used] Use of assert detected. The enclosed code will be removed when compiling to optimised byte code.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/namecoin.py:80
   79
   80    assert self.nmctype == "namecoind" or self.nmctype == "nmcontrol"
   81    if self.nmctype == "namecoind":

>> Issue: [B101:assert_used] Use of assert detected. The enclosed code will be removed when compiling to optimised byte code.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/namecoin.py:103
   102    else:
   103    assert False
   104    except RPCError as exc:

>> Issue: [B101:assert_used] Use of assert detected. The enclosed code will be removed when compiling to optimised byte code.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/namecoin.py:161
   160    else:
   161    assert False
   162

>> Issue: [B101:assert_used] Use of assert detected. The enclosed code will be removed when compiling to optimised byte code.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/namecoin.py:179
   178    else:
   179    assert False
   180    val = json.loads (resp)

>> Issue: [B110:try_except_pass] Try, Except, Pass detected.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/network/bmproto.py:495
   494    return False
   495    except:
   496    pass

>> Issue: [B311:blacklist] Standard pseudo-random generators are not suitable for security/cryptographic purposes.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/network/connectionpool.py:159
   158    try:
   159    chosen = chooseConnection(random.choice(self.streams))
   160    except ValueError:

>> Issue: [B311:blacklist] Standard pseudo-random generators are not suitable for security/cryptographic purposes.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/network/dandelion.py:101
   100    # pick a random from available stems
   101    stem = choice(range(len(self.stem)))
   102    if self.stem[stem] == parent:

>> Issue: [B311:blacklist] Standard pseudo-random generators are not suitable for security/cryptographic purposes.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/network/invthread.py:61
   60    # auto-ignore if config set to 0, i.e. dandelion is off
   61    if randint(1, 100) >= state.dandelion:
   62    fluffs.append(inv[1])

>> Issue: [B110:try_except_pass] Try, Except, Pass detected.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/network/networkthread.py:26
   25    i.close()
   26    except:
   27    pass

>> Issue: [B110:try_except_pass] Try, Except, Pass detected.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/network/networkthread.py:31
   30    i.close()
   31    except:
   32    pass

>> Issue: [B110:try_except_pass] Try, Except, Pass detected.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/network/networkthread.py:36
   35    i.close()
   36    except:
   37    pass

>> Issue: [B404:blacklist] Consider possible security implications associated with subprocess module.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/plugins/sound_playfile.py:11
   10    import os
   11    import subprocess
   12
   13    play_cmd = {}

>> Issue: [B603:subprocess_without_shell_equals_true] subprocess call - check for execution of untrusted input.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/plugins/sound_playfile.py:17
   16    FNULL = open(os.devnull, 'wb')
   17    subprocess.call(
   18    args, stdout=FNULL, stderr=subprocess.STDOUT, close_fds=True)
   19

>> Issue: [B404:blacklist] Consider possible security implications associated with call module.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/proofofwork.py:6
   5    from struct import unpack, pack
   6    from subprocess import call
   7    import sys

>> Issue: [B110:try_except_pass] Try, Except, Pass detected.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/proofofwork.py:34
   33    win32process.SetPriorityClass(handle, win32process.IDLE_PRIORITY_CLASS)
   34    except:
   35    #Windows 64-bit

>> Issue: [B110:try_except_pass] Try, Except, Pass detected.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/proofofwork.py:82
   81    pool.join()
   82    except:
   83    pass

>> Issue: [B603:subprocess_without_shell_equals_true] subprocess call - check for execution of untrusted input.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/proofofwork.py:181
   180    # BSD make
   181    call(["make", "-C", os.path.join(paths.codePath(), "bitmsghash"), '-f', 'Makefile.bsd'])
   182    else:

>> Issue: [B607:start_process_with_partial_path] Starting a process with a partial executable path
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/proofofwork.py:181
   180    # BSD make
   181    call(["make", "-C", os.path.join(paths.codePath(), "bitmsghash"), '-f', 'Makefile.bsd'])
   182    else:

>> Issue: [B603:subprocess_without_shell_equals_true] subprocess call - check for execution of untrusted input.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/proofofwork.py:184
   183    # GNU make
   184    call(["make", "-C", os.path.join(paths.codePath(), "bitmsghash")])
   185    if os.path.exists(os.path.join(paths.codePath(), "bitmsghash", "bitmsghash.so")):

>> Issue: [B607:start_process_with_partial_path] Starting a process with a partial executable path
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/proofofwork.py:184
   183    # GNU make
   184    call(["make", "-C", os.path.join(paths.codePath(), "bitmsghash")])
   185    if os.path.exists(os.path.join(paths.codePath(), "bitmsghash", "bitmsghash.so")):

>> Issue: [B110:try_except_pass] Try, Except, Pass detected.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/proofofwork.py:207
   206    raise
   207    except:
   208    pass # fallback

>> Issue: [B110:try_except_pass] Try, Except, Pass detected.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/proofofwork.py:214
   213    raise
   214    except:
   215    pass # fallback

>> Issue: [B110:try_except_pass] Try, Except, Pass detected.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/proofofwork.py:233
   232    raise
   233    except:
   234    pass #fallback

>> Issue: [B311:blacklist] Standard pseudo-random generators are not suitable for security/cryptographic purposes.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/protocol.py:45
   44    eightBytesOfRandomDataUsedToDetectConnectionsToSelf = pack(
   45    '>Q', random.randrange(1, 18446744073709551615))
   46

>> Issue: [B110:try_except_pass] Try, Except, Pass detected.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/pyelliptic/openssl.py:545
   544    return
   545    except:
   546    pass

>> Issue: [B104:hardcoded_bind_all_interfaces] Possible binding to all interfaces.
   Severity: Medium   Confidence: Medium
   Location: PyBitmessage/src/socks/__init__.py:388
   387    raise HTTPError((statuscode, statusline[2]))
   388    self.__proxysockname = ("0.0.0.0", 0)
   389    self.__proxypeername = (addr, destport)

>> Issue: [B408:blacklist] Using Document to parse untrusted XML data is known to be vulnerable to XML attacks. Replace Document with the equivalent defusedxml package, or make sure defusedxml.defuse_stdlib() is called.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/upnp.py:18
   17    def createRequestXML(service, action, arguments=None):
   18    from xml.dom.minidom import Document
   19
   20    doc = Document()

>> Issue: [B408:blacklist] Using parseString to parse untrusted XML data is known to be vulnerable to XML attacks. Replace parseString with the equivalent defusedxml package, or make sure defusedxml.defuse_stdlib() is called.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/upnp.py:79
   78    import urllib2
   79    from xml.dom.minidom import parseString
   80    from urlparse import urlparse

>> Issue: [B310:blacklist] Audit url open for permitted schemes. Allowing use of file:/ or custom schemes is often unexpected.
   Severity: Medium   Confidence: High
   Location: PyBitmessage/src/upnp.py:100
   99    # get the profile xml file and read it into a variable
   100    directory = urllib2.urlopen(header['location']).read()
   101

>> Issue: [B318:blacklist] Using xml.dom.minidom.parseString to parse untrusted XML data is known to be vulnerable to XML attacks. Replace xml.dom.minidom.parseString with its defusedxml equivalent function or make sure defusedxml.defuse_stdlib() is called
   Severity: Medium   Confidence: High
   Location: PyBitmessage/src/upnp.py:103
   102    # create a DOM object that represents the `directory` document
   103    dom = parseString(directory)
   104

>> Issue: [B408:blacklist] Using parseString to parse untrusted XML data is known to be vulnerable to XML attacks. Replace parseString with the equivalent defusedxml package, or make sure defusedxml.defuse_stdlib() is called.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/upnp.py:142
   141    def GetExternalIPAddress(self):
   142    from xml.dom.minidom import parseString
   143    resp = self.soapRequest(self.upnp_schema + ':1', 'GetExternalIPAddress')

>> Issue: [B318:blacklist] Using xml.dom.minidom.parseString to parse untrusted XML data is known to be vulnerable to XML attacks. Replace xml.dom.minidom.parseString with its defusedxml equivalent function or make sure defusedxml.defuse_stdlib() is called
   Severity: Medium   Confidence: High
   Location: PyBitmessage/src/upnp.py:144
   143    resp = self.soapRequest(self.upnp_schema + ':1', 'GetExternalIPAddress')
   144    dom = parseString(resp)
   145    return dom.getElementsByTagName('NewExternalIPAddress')[0].childNodes[0].data

>> Issue: [B408:blacklist] Using parseString to parse untrusted XML data is known to be vulnerable to XML attacks. Replace parseString with the equivalent defusedxml package, or make sure defusedxml.defuse_stdlib() is called.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/upnp.py:148
   147    def soapRequest(self, service, action, arguments=None):
   148    from xml.dom.minidom import parseString
   149    from debug import logger

>> Issue: [B318:blacklist] Using xml.dom.minidom.parseString to parse untrusted XML data is known to be vulnerable to XML attacks. Replace xml.dom.minidom.parseString with its defusedxml equivalent function or make sure defusedxml.defuse_stdlib() is called
   Severity: Medium   Confidence: High
   Location: PyBitmessage/src/upnp.py:165
   164    try:
   165    dom = parseString(respData)
   166    errinfo = dom.getElementsByTagName('errorDescription')

>> Issue: [B110:try_except_pass] Try, Except, Pass detected.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/upnp.py:217
   216    self.sendSearchRouter()
   217    except:
   218    pass

>> Issue: [B110:try_except_pass] Try, Except, Pass detected.
   Severity: Low   Confidence: High
   Location: PyBitmessage/src/upnp.py:249
   248    self.sock.shutdown(socket.SHUT_RDWR)
   249    except:
   250    pass

>> Issue: [B110:try_except_pass] Try, Except, Pass detected.
Severity: Low Confidence: High Location: PyBitmessage/src/upnp.py:253 252 self.sock.close() 253 except: 254 pass -------------------------------------------------- >> Issue: [B311:blacklist] Standard pseudo-random generators are not suitable for security/cryptographic purposes. Severity: Low Confidence: High Location: PyBitmessage/src/upnp.py:297 296 else: 297 extPort = randint(32767, 65535) 298 logger.debug("Attempt %i, requesting UPnP mapping for %s:%i on external port %i", i, localIP, self.localPort, extPort) -------------------------------------------------- Code scanned: Total lines of code: 27741 Total lines skipped (#nosec): 0 Run metrics: Total issues (by severity): Undefined: 0.0 Low: 97.0 Medium: 14.0 High: 1.0 Total issues (by confidence): Undefined: 0.0 Low: 4.0 Medium: 1.0 High: 107.0 Files skipped (37): PyBitmessage/build/compiletest.py (syntax error while parsing AST from file) PyBitmessage/checkdeps.py (syntax error while parsing AST from file) PyBitmessage/dev/bloomfiltertest.py (syntax error while parsing AST from file) PyBitmessage/dev/msgtest.py (syntax error while parsing AST from file) PyBitmessage/dev/powinterrupttest.py (syntax error while parsing AST from file) PyBitmessage/dev/ssltest.py (syntax error while parsing AST from file) PyBitmessage/src/addresses.py (syntax error while parsing AST from file) PyBitmessage/src/api.py (syntax error while parsing AST from file) PyBitmessage/src/api_client.py (syntax error while parsing AST from file) PyBitmessage/src/bitmessagecli.py (syntax error while parsing AST from file) PyBitmessage/src/bitmessageqt/address_dialogs.py (syntax error while parsing AST from file) PyBitmessage/src/bitmessageqt/foldertree.py (syntax error while parsing AST from file) PyBitmessage/src/bitmessageqt/newaddresswizard.py (syntax error while parsing AST from file) PyBitmessage/src/class_singleCleaner.py (syntax error while parsing AST from file) PyBitmessage/src/class_smtpServer.py (syntax error while parsing AST from 
file) PyBitmessage/src/debug.py (syntax error while parsing AST from file) PyBitmessage/src/defaultKnownNodes.py (syntax error while parsing AST from file) PyBitmessage/src/helper_bitcoin.py (syntax error while parsing AST from file) PyBitmessage/src/helper_generic.py (syntax error while parsing AST from file) PyBitmessage/src/helper_msgcoding.py (syntax error while parsing AST from file) PyBitmessage/src/helper_startup.py (syntax error while parsing AST from file) PyBitmessage/src/message_data_reader.py (syntax error while parsing AST from file) PyBitmessage/src/network/asyncore_pollchoose.py (syntax error while parsing AST from file) PyBitmessage/src/network/connectionchooser.py (syntax error while parsing AST from file) PyBitmessage/src/network/http-old.py (syntax error while parsing AST from file) PyBitmessage/src/network/http.py (syntax error while parsing AST from file) PyBitmessage/src/network/socks4a.py (syntax error while parsing AST from file) PyBitmessage/src/network/socks5.py (syntax error while parsing AST from file) PyBitmessage/src/network/tcp.py (syntax error while parsing AST from file) PyBitmessage/src/network/udp.py (syntax error while parsing AST from file) PyBitmessage/src/openclpow.py (syntax error while parsing AST from file) PyBitmessage/src/paths.py (syntax error while parsing AST from file) PyBitmessage/src/randomtrackingdict.py (syntax error while parsing AST from file) PyBitmessage/src/shared.py (syntax error while parsing AST from file) PyBitmessage/src/singleinstance.py (syntax error while parsing AST from file) PyBitmessage/src/storage/filesystem.py (syntax error while parsing AST from file) PyBitmessage/src/tr.py (syntax error while parsing AST from file)
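
The B318/B408 findings in upnp.py are the ones in this part of the report with a concrete attack behind them: the XML that reaches parseString came from whatever device answered the SSDP multicast (and from the URL in its location header, which is the B310 hit at line 100), and xml.dom.minidom expands entity declarations from such input. The script below is an added Python 3 illustration, not PyBitmessage code and not part of the posted scan; the SOAP reply and the entity-expansion payload are constructed, the real IGD service only defines the element name NewExternalIPAddress used here, and reject_dtd is a stdlib-only stand-in for the defusedxml substitution Bandit recommends, so that the script runs without third-party packages. It shows the flagged pattern (parseString followed by getElementsByTagName('NewExternalIPAddress')) turning a reply of a few hundred bytes into a thousand copies of an entity, and the guarded version refusing the same reply before any expansion happens.

```python
"""Added example (not PyBitmessage code): why Bandit flags xml.dom.minidom on
UPnP responses, and a stdlib-only guard in the spirit of defusedxml."""
from xml.dom import minidom
import xml.parsers.expat

# Constructed stand-in for an IGD GetExternalIPAddress SOAP reply. Only the
# element name comes from the UPnP IGD service; the address is made up.
BENIGN_RESPONSE = b"""<?xml version="1.0"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
 <s:Body>
  <u:GetExternalIPAddressResponse xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">
   <NewExternalIPAddress>203.0.113.7</NewExternalIPAddress>
  </u:GetExternalIPAddressResponse>
 </s:Body>
</s:Envelope>"""

# Constructed entity-expansion payload ("billion laughs" scaled down to 1000x so
# it is harmless to run). Any host on the LAN that answers SSDP can send this.
EXPANDING_RESPONSE = b"""<?xml version="1.0"?>
<!DOCTYPE r [
 <!ENTITY a "lol">
 <!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;">
 <!ENTITY c "&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;">
 <!ENTITY d "&c;&c;&c;&c;&c;&c;&c;&c;&c;&c;">
]>
<r><NewExternalIPAddress>&d;</NewExternalIPAddress></r>"""


def text_of(dom, tag):
    """Concatenate the text children of the first <tag> element."""
    node = dom.getElementsByTagName(tag)[0]
    return "".join(c.data for c in node.childNodes if c.nodeType == c.TEXT_NODE)


def unguarded_external_ip(data):
    """The flagged pattern: minidom expands whatever entities the peer declared."""
    return text_of(minidom.parseString(data), "NewExternalIPAddress")


class UntrustedXMLError(ValueError):
    """Raised when untrusted XML carries a DTD or entity declaration."""


def reject_dtd(data):
    """Pre-pass with expat: abort on the first DOCTYPE, entity declaration or
    external entity reference, i.e. before a single entity gets expanded."""
    parser = xml.parsers.expat.ParserCreate()

    def forbid(*_args):
        raise UntrustedXMLError("DTD or entity declaration in untrusted XML")

    parser.StartDoctypeDeclHandler = forbid
    parser.EntityDeclHandler = forbid
    parser.ExternalEntityRefHandler = forbid
    parser.Parse(data, True)


def guarded_external_ip(data):
    """Hardened replacement: refuse DTDs first, then parse exactly as before."""
    reject_dtd(data)
    return text_of(minidom.parseString(data), "NewExternalIPAddress")


def rejects(data):
    """True if the guarded parser refuses `data`, False if it parses it."""
    try:
        guarded_external_ip(data)
    except UntrustedXMLError:
        return True
    return False


if __name__ == "__main__":
    print("benign reply:", unguarded_external_ip(BENIGN_RESPONSE))
    expanded = unguarded_external_ip(EXPANDING_RESPONSE)
    print("unguarded: %d-byte reply expanded to %d characters"
          % (len(EXPANDING_RESPONSE), len(expanded)))
    print("guarded rejects expanding reply:", rejects(EXPANDING_RESPONSE))
    print("guarded still parses benign reply:", guarded_external_ip(BENIGN_RESPONSE))
```

In the project itself, defusedxml.minidom.parseString (or defusedxml.defuse_stdlib() at startup, as the finding text says) is the shorter fix; the expat pre-pass above reproduces its DTD refusal but reads the document twice. Independently of the parser, the unbounded urllib2.urlopen(header['location']).read() at upnp.py:100 should get a size cap, since a LAN peer controls both the URL and the length of what it serves.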
