python-security / Pyt

Licence: gpl-2.0
A Static Analysis Tool for Detecting Security Vulnerabilities in Python Web Applications

Programming Languages

python
139335 projects - #7 most used programming language

Projects that are alternatives of or similar to Pyt

gotcha
Go Taint CHeck Analyser
Stars: ✭ 40 (-98.06%)
Mutual labels:  static-code-analysis, static-analysis, dataflow, taint-analysis
instrumentation
Assorted pintools
Stars: ✭ 24 (-98.84%)
Mutual labels:  program-analysis, taint-analysis, taint
Wala
T.J. Watson Libraries for Analysis
Stars: ✭ 395 (-80.83%)
Mutual labels:  static-analysis, program-analysis, static-code-analysis
Dg
[LLVM Static Slicer] Various program analyses, construction of dependence graphs and program slicing of LLVM bitcode.
Stars: ✭ 242 (-88.26%)
Mutual labels:  static-analysis, program-analysis, static-code-analysis
Pyre Check
Performant type-checking for python.
Stars: ✭ 5,716 (+177.34%)
Mutual labels:  static-analysis, program-analysis, taint-analysis
Bap
Binary Analysis Platform
Stars: ✭ 1,385 (-32.8%)
Mutual labels:  static-analysis, program-analysis
Phpstan
PHP Static Analysis Tool - discover bugs in your code without running it!
Stars: ✭ 10,534 (+411.11%)
Mutual labels:  static-analysis, static-code-analysis
Find Sec Bugs
The SpotBugs plugin for security audits of Java web applications and Android applications. (Also work with Kotlin, Groovy and Scala projects)
Stars: ✭ 1,748 (-15.19%)
Mutual labels:  static-analysis, taint-analysis
Tip
Static program analysis for TIP
Stars: ✭ 140 (-93.21%)
Mutual labels:  program-analysis, static-code-analysis
Pest
🐞 Primitive Erlang Security Tool
Stars: ✭ 79 (-96.17%)
Mutual labels:  static-analysis, static-code-analysis
I18n Tasks
Manage translation and localization with static analysis, for Ruby i18n
Stars: ✭ 1,748 (-15.19%)
Mutual labels:  static-analysis, static-code-analysis
Crab Llvm
Static Analyzer for LLVM bitcode based on Abstract Interpretation
Stars: ✭ 143 (-93.06%)
Mutual labels:  static-analysis, program-analysis
Crab
CoRnucopia of ABstractions: a library for building abstract interpretation-based analyses
Stars: ✭ 102 (-95.05%)
Mutual labels:  static-analysis, program-analysis
Ikos
Static analyzer for C/C++ based on the theory of Abstract Interpretation.
Stars: ✭ 1,368 (-33.62%)
Mutual labels:  static-analysis, program-analysis
Abaplint
Standalone linter for ABAP
Stars: ✭ 111 (-94.61%)
Mutual labels:  static-analysis, static-code-analysis
Unimport
A linter, formatter for finding and removing unused import statements.
Stars: ✭ 96 (-95.34%)
Mutual labels:  static-analysis, static-code-analysis
Semgrep Rules
Semgrep rules registry
Stars: ✭ 140 (-93.21%)
Mutual labels:  static-analysis, program-analysis
Perl Critic
The leading static analyzer for Perl. Configurable, extensible, powerful.
Stars: ✭ 149 (-92.77%)
Mutual labels:  static-analysis, static-code-analysis
Bento
[DEPRECATED] Find Python web-app bugs delightfully fast, without changing your workflow. 🍱
Stars: ✭ 147 (-92.87%)
Mutual labels:  flask, static-code-analysis
Tajs
Type Analyzer for JavaScript
Stars: ✭ 150 (-92.72%)
Mutual labels:  program-analysis, static-code-analysis
https://travis-ci.org/python-security/pyt.svg?branch=master https://readthedocs.org/projects/pyt/badge/?version=latest

This project is no longer maintained

March 2020 Update: Please go see the amazing Pysa tutorial that should get you up to speed finding security vulnerabilities in your Python codebase.

Pyre from Facebook is an amazing project that has a bright future and many smart people working on it. I would suggest, if you don't know that much about program analysis, that you understand how PyT works before diving into Pyre. Along with the README's in most directories, there are the original Master's Thesis and some slides. With that said, I am happy to review pull requests and give you write permissions if you make more than a few.

There were a lot of great contributors to this project, I plan on working on other projects like detect-secrets and others (e.g. Pyre eventually) in the future if you'd like to work together more :)

If you are a security engineer with e.g. a Python codebase without type annotations, that Pyre won't handle, I would suggest you replace your sinks with a secure wrapper (something like defusedxml), and alert off any uses of the standard sink. You can use Bandit to do this since dataflow analysis is not required, but you will have to trim it a lot, due to the high false-positive rate.

Python Taint

Static analysis of Python web applications based on theoretical foundations (Control flow graphs, fixed point, dataflow analysis)

Features

  • Detect command injection, SSRF, SQL injection, XSS, directory traveral etc.
  • A lot of customisation possible

For a look at recent changes, please see the changelog.

Example usage and output:

https://raw.githubusercontent.com/KevinHock/rtdpyt/master/readme_static_files/pyt_example.png

Install

Before continuing, make sure you have python3.6 or 3.7 installed.

pip install python-taint
✨🍰✨

PyT can also be installed from source. To do so, clone the repo, and then run:

python3 setup.py install

How it Works

Soon you will find a README.rst in every directory in the pyt/ folder, start here.

How to Use

  1. Choose a web framework

The -a option determines which functions will have their arguments tainted, by default it is Flask.

  1. (optional) Customize source and sink information

Use the -t option to specify sources and sinks, by default this file is used.

  1. (optional) Customize which library functions propagate taint

For functions from builtins or libraries, e.g. url_for or os.path.join, use the -m option to specify whether or not they return tainted values given tainted inputs, by default this file is used.

Usage

usage: python -m pyt [-h] [-a ADAPTOR] [-pr PROJECT_ROOT]
                     [-b BASELINE_JSON_FILE] [-j] [-t TRIGGER_WORD_FILE]
                     [-m BLACKBOX_MAPPING_FILE] [-i] [-o OUTPUT_FILE]
                     [--ignore-nosec] [-r] [-x EXCLUDED_PATHS]
                     [--dont-prepend-root] [--no-local-imports]
                     targets [targets ...]

required arguments:
  targets               source file(s) or directory(s) to be scanned

important optional arguments:
  -a ADAPTOR, --adaptor ADAPTOR
                        Choose a web framework adaptor: Flask(Default),
                        Django, Every or Pylons

  -t TRIGGER_WORD_FILE, --trigger-word-file TRIGGER_WORD_FILE
                        Input file with a list of sources and sinks

  -m BLACKBOX_MAPPING_FILE, --blackbox-mapping-file BLACKBOX_MAPPING_FILE
                            Input blackbox mapping file

optional arguments:
  -pr PROJECT_ROOT, --project-root PROJECT_ROOT
                        Add project root, only important when the entry file
                        is not at the root of the project.

  -b BASELINE_JSON_FILE, --baseline BASELINE_JSON_FILE
                        Path of a baseline report to compare against (only
                        JSON-formatted files are accepted)

  -j, --json            Prints JSON instead of report.

  -i, --interactive     Will ask you about each blackbox function call in
                        vulnerability chains.

  -o OUTPUT_FILE, --output OUTPUT_FILE
                        Write report to filename

  --ignore-nosec        Do not skip lines with # nosec comments

  -r, --recursive       Find and process files in subdirectories

  -x EXCLUDED_PATHS, --exclude EXCLUDED_PATHS
                        Separate files with commas

  --dont-prepend-root   In project root e.g. /app, imports are not prepended
                        with app.*

  --no-local-imports    If set, absolute imports must be relative to the
                        project root. If not set, modules in the same
                        directory can be imported just by their names.

Usage from Source

Using it like a user python3 -m pyt examples/vulnerable_code/XSS_call.py

Running the tests python3 -m tests

Running an individual test file python3 -m unittest tests.import_test

Running an individual test python3 -m unittest tests.import_test.ImportTest.test_import

Contributions

Join our slack group: https://pyt-dev.slack.com/ - ask for invite: [email protected]

Guidelines

Virtual env setup guide

Create a directory to hold the virtual env and project

mkdir ~/a_folder

cd ~/a_folder

Clone the project into the directory

git clone https://github.com/python-security/pyt.git

Create the virtual environment

python3 -m venv ~/a_folder/

Check that you have the right versions

python3 --version sample output Python 3.6.0

pip --version sample output pip 9.0.1 from /Users/kevinhock/a_folder/lib/python3.6/site-packages (python 3.6)

Change to project directory

cd pyt

In the future, just type source ~/a_folder/bin/activate to start developing.

Note that the project description data, including the texts, logos, images, and/or trademarks, for each open source project belongs to its rightful owner. If you wish to add or remove any projects, please contact us at [email protected].