Amazon CodeGuruDetector Library Sign in to CodeGuru

CodeGuru

Detector Library

Python detectors (123/123)

Improper privilege management Resource leak Tensorflow redundant softmax AWS insecure transmission CDK Spawning a process without main module Public method parameter validation Improper error handling Integer overflow Time zone aware datetimes Catch and swallow exception Pytorch control sources of randomness Deadlocks caused by improper multiprocessing API usage Unauthenticated LDAP requests Low maintainability with low class cohesion Untrusted AMI images Notebook invalid execution order Confusion between equality and identity in conditional expression Pytorch sigmoid before bceloss Path traversal Loose file permissions Pytorch data loader with multiple workers Pytorch avoid softmax with nllloss Pytorch miss call to zero grad Error prone sequence modification Bad exception handling Use of Default Credentials CDK Exposure of Sensitive Information CDK File injection Incorrect use of Process.terminate API XML External Entity Notebook variable redefinition Pytorch use nondeterministic algoritm Set SNS Return Subscription ARN Do not pass generic exception rule Usage of an API that is not recommended - High Severity Insecure cryptography Tensorflow enable ops determinism Outdated subprocess module API S3 partial encrypt CDK Improper input validation Improper authentication Cross-site scripting Missing pagination Semaphore overflow prevention Mutable objects as default arguments of functions Insecure cookie Violation of PEP8 programming recommendations Insecure temporary file or directory Usage of an API that is not recommended - Low Severity Socket connection timeout AWS client not reused in a Lambda function Pytorch assign in place mod Complex code hard to maintain Leaky subprocess timeout Usage of an API that is not recommended Pytorch disable gradient calculation Enabling and overriding debug feature Risky use of dict get method XPath injection Missing authorization Deserialization of untrusted object Use of an inefficient or incorrect API Multidimensional list initialization using replication is error prone SQL injection Avoid using nondeterministic Tensorflow API Pytorch miss call to eval Inefficient string concatenation inside loop Improper sanitization of wildcards or matching symbols Improper certificate validation URL redirection to untrusted site Mutually exclusive call Insecure hashing Notebook best practice violation Stack trace exposure Using AutoAddPolicy or WarningPolicy Use of a deprecated method Log injection Weak obfuscation of web request AWS api logging disabled cdk OS command injection AWS credentials logged Socket close platform compatibility Zip bomb attack Unsanitized input is run as code Sensitive data stored unencrypted due to partial encryption Synchronous publication of AWS Lambda metrics Batch request with unchecked failures Unrestricted upload of dangerous file type Pytorch redundant softmax Inefficient polling of AWS resource Hardcoded interface binding Hardcoded IP address Insecure connection using unencrypted protocol Unauthenticated Amazon SNS unsubscribe requests might succeed Hardcoded credentials Insecure Socket Bind Insecure CORS policy Cross-site request forgery Server-side request forgery Module injection Unnecessary iteration Tensorflow control sources of randomness Garbage collection prevention in multiprocessing Catch and rethrow exception Weak algorithm used for Password Hashing Missing Authentication for Critical Function CDK Usage of an API that is not recommended - Medium Severity Missing none check on response metadata Sensitive information leak Incorrect binding of SNS publish operations Client-side KMS reencryption PyTorch create tensors directly on device Inefficient new method from hashlib Dangerous global variables Multiple values in return statement is prone to error LDAP injection Clear text credentials Override of reserved variable names in a Lambda function Docker arbitrary container run Missing S3 bucket owner condition Direct dict object modification Catastrophic backtracking regex AWS missing encryption CDK

Client-side KMS reencryption High

Client-side decryption followed by reencryption is inefficient and can lead to sensitive data leaks. The reencrypt APIs allow decryption followed by reencryption on the server side. This is more efficient and secure.

Detector ID

python/aws-kms-reencryption@v1.0

Category

Common Weakness Enumeration (CWE)

CWE-310 CWE-311

Tags

# aws-python-sdk # aws-kms

Noncompliant example

1def kms_reencrypt_noncompliant():
2    import boto3
3    import base64
4    client = boto3.client('kms')
5    plaintext = client.decrypt(
6        CiphertextBlob=bytes(base64.b64decode("secret"))
7    )
8    # Noncompliant: decrypt is immediately followed by encrypt.
9    response = client.encrypt(
10        KeyId='string',
11        Plaintext=plaintext
12    )
13    return response

Compliant example

1def kms_reencrypt_compliant():
2    import boto3
3    import base64
4    client = boto3.client('kms')
5    # Compliant: server-side reencryption.
6    response = client.re_encrypt(
7        CiphertextBlob=bytes(base64.b64decode("secret")),
8        DestinationKeyId="string",
9    )
10    return response