id: python-scanner

info:
  name: Python Scanner
  author: majidmc2
  severity: info
  description: Indicators for dangerous Python functions
  reference:
    - https://www.kevinlondon.com/2015/07/26/dangerous-python-functions.html
    - https://www.kevinlondon.com/2015/08/15/dangerous-python-functions-pt2.html
  tags: python,file,sast

file:
  - extensions:
      - py

    extractors:
      - type: regex
        name: code-injection
        regex:
          - 'exec'
          - 'eval'
          - '__import__'
          - 'execfile'

      - type: regex
        name: command-injection
        regex:
          - 'subprocess.call\(.*shell=True.*\)'
          - 'os.system'
          - 'os.popen\d?'
          - 'subprocess.run'
          - 'commands.getoutput'

      - type: regex
        name: untrusted-source
        regex:
          - 'pickle\.loads'
          - 'c?Pickle\.loads?'
          - 'marshal\.loads'
          - 'pickle\.Unpickler'

      - type: regex
        name: dangerous-yaml
        regex:
          - 'yaml\.load'
          - 'yaml\.safe_load'

      - type: regex
        name: sqli
        regex:
          - 'cursor\.execute'
          - 'sqlite3\.execute'
          - 'MySQLdb\.execute'
          - 'psycopg2\.execute'
          - 'cx_Oracle\.execute'