Q
Detector Library
Python detectors (131/131)
Improper privilege managementSpawning a process without main moduleInteger overflowCatch and swallow exceptionInsufficient Logging CDKUnauthenticated LDAP requestsPath traversalLoose file permissionsExposure of Sensitive Information CDKFile injectionIncorrect use of Process.terminate APIXML External EntityPytorch use nondeterministic algoritmSet SNS Return Subscription ARNTensorflow enable ops determinismOutdated subprocess module APIImproper input validationImproper authenticationMissing paginationSemaphore overflow preventionInsecure cookieUsage of an API that is not recommended - Low SeveritySocket connection timeoutAWS client not reused in a Lambda functionPytorch assign in place modLeaky subprocess timeoutPytorch disable gradient calculationRisky use of dict get methodXPath injectionMissing authorizationMultidimensional list initialization using replication is error proneSQL injectionPytorch miss call to evalAWS AppConfigImproper certificate validationURL redirection to untrusted siteMutually exclusive callNotebook best practice violationStack trace exposureUse of a deprecated methodAWS api logging disabled cdkOS command injectionAWS credentials loggedMissing Authorization CDKZip bomb attackSensitive data stored unencrypted due to partial encryptionSynchronous publication of AWS Lambda metricsUnrestricted upload of dangerous file typePytorch redundant softmaxInsecure connection using unencrypted protocolUnauthenticated Amazon SNS unsubscribe requests might succeedInsecure Socket BindInsecure CORS policyCross-site request forgeryGarbage collection prevention in multiprocessingCatch and rethrow exceptionWeak algorithm used for Password HashingMissing none check on response metadataSensitive information leakClient-side KMS reencryptionOverride of reserved variable names in a Lambda functionDocker arbitrary container runDirect dict object modificationCatastrophic backtracking regexResource management errors cdkResource leakTensorflow redundant softmaxAWS insecure transmission CDKPublic method parameter validationImproper error handlingTime zone aware datetimesPytorch control sources of randomnessDeadlocks caused by improper multiprocessing API usageLow maintainability with low class cohesionUntrusted AMI imagesNotebook invalid execution orderConfusion between equality and identity in conditional expressionPytorch sigmoid before bcelossPytorch data loader with multiple workersPytorch avoid softmax with nlllossPytorch miss call to zero gradError prone sequence modificationAWS missing encryption of sensitive data cdkBad exception handlingUse of Default Credentials CDKNotebook variable redefinitionDo not pass generic exception ruleUsage of an API that is not recommended - High SeverityInsecure cryptographyS3 partial encrypt CDKCross-site scriptingMutable objects as default arguments of functionsImproper Access Control CDKViolation of PEP8 programming recommendationsInsecure temporary file or directoryComplex code hard to maintainaws kmskey encryption cdkUsage of an API that is not recommendedEnabling and overriding debug featureDeserialization of untrusted objectUse of an inefficient or incorrect APIAvoid using nondeterministic Tensorflow APIInefficient string concatenation inside loopImproper sanitization of wildcards or matching symbolsInsecure hashingUsing AutoAddPolicy or WarningPolicyLog injectionWeak obfuscation of web requestSocket close platform compatibilityUnsanitized input is run as codeBatch request with unchecked failuresInefficient polling of AWS resourceHardcoded interface bindingHardcoded IP addressHardcoded credentialsServer-side request forgeryModule injectionUnnecessary iterationTensorflow control sources of randomnessMissing Authentication for Critical Function CDKUsage of an API that is not recommended - Medium SeverityUnsafe Cloudpickle LoadIncorrect binding of SNS publish operationsPyTorch create tensors directly on deviceInefficient new method from hashlibDangerous global variablesMultiple values in return statement is prone to errorLDAP injectionClear text credentialsMissing S3 bucket owner conditionAWS missing encryption CDK
Medium
Showing all detectors for the Python language with medium severity.
Spawning a process without main module
Using the
spawn or forkserver start method without importing the main module might lead to unexpected behavior (for example, it might cause a RuntimeError).Integer overflow
An integer overflow might might cause security issues when it is used for resource management or execution control.
Pytorch use nondeterministic algoritm
APIs with nondeterministic algorithm are used
Tensorflow enable ops determinism
Non-deterministic ops might return different outputs when run with the same inputs.
Improper input validation
Improper input validation can enable attacks and lead to unwanted behavior.
Missing pagination
Missing pagination on a paginated call can lead to inaccurate results.
Semaphore overflow prevention
When you process and remove an item from the
JoinableQueue without calling JoinableQueue.task_done(), a semaphore overflow exception might be thrown.Socket connection timeout
Not setting the connection timeout parameter can cause a blocking socket connection.
Leaky subprocess timeout
Failure to end a child process that doesn't terminate before its timeout expires can result in leaked resources.
Pytorch disable gradient calculation
Checks if gradient calculation is disabled during evaluation.
Pytorch miss call to eval
Checks if eval() is called before validating or testing a model.
Sensitive data stored unencrypted due to partial encryption
Encryption that is dependent on conditional logic, such as an
if...then clause, might cause unencrypted sensitive data to be stored.Pytorch redundant softmax
Detects if Softmax is used with CrossEntropyLoss.
Insecure CORS policy
Cross-Origin Resource Sharing policies that are too permissive may lead to security vulnerabilities.
Garbage collection prevention in multiprocessing
Passing a parent process object in a child process can prevent its garbage collection.
Missing none check on response metadata
Response metadata was not checked to verify that it is not
None.Docker arbitrary container run
Passing an unsanitized user argument to a function call makes your code insecure.
Catastrophic backtracking regex
Inefficient regular expression patterns can lead to catastrophic backtracking.
Resource leak
Allocated resources are not released properly.
Tensorflow redundant softmax
Detects if Softmax is explicitly computed.
Public method parameter validation
Public method parameters should be validated for nullness, unexpected values, and malicious values.
Pytorch control sources of randomness
Not setting seeds for the random number generators in Pytorch can lead to reproducibility issues.
Deadlocks caused by improper multiprocessing API usage
Improper multiprocessing API usage with wrong parameters might lead to deadlocks.
Untrusted AMI images
Improper filtering of Amazon Machine Images (AMIs) can result in loading an untrusted image, a potential security vulnerability.
Notebook invalid execution order
Notebook has uninitialized variable usage given the execution order
Pytorch sigmoid before bceloss
The computation of the bceloss using sigmoid values as inputs can be replaced by a single BCEWithLogitsLoss which is numerically more stable.
Pytorch data loader with multiple workers
Using DataLoader with
num_workers greater than 0 can cause increased memory consumption over time when iterating over native Python objects such as list or dict.Pytorch avoid softmax with nllloss
Checks if
Softmax is used with NLLLoss function.Pytorch miss call to zero grad
Zero out the gradients before doing a backward pass
Error prone sequence modification
Sequence modification while iterating over it might cause unexpected bugs.
Notebook variable redefinition
A variable is re-defined in multiple cells with different types.
Insecure temporary file or directory
Insecure ways of creating temporary files and directories can lead to race conditions, privilege escalation, and other security vulnerabilities.
Enabling and overriding debug feature
The Debug feature should not be enabled or overridden.
Avoid using nondeterministic Tensorflow API
Detects if nondeterministic tensorflow APIs are used.
Insecure hashing
Obsolete, broken, or weak hashing algorithms can lead to security vulnerabilities.
Hardcoded interface binding
Binding to all network interfaces can open a service up to traffic on interfaces that are not properly documented or secured.
Hardcoded IP address
Hardcoding an IP address can cause security problems.
Tensorflow control sources of randomness
Detects if a random seed is set before random number generation.
Usage of an API that is not recommended - Medium Severity
APIs that are not recommended were found - Medium Severity.
PyTorch create tensors directly on device
Creating PyTorch tensors on the CPU and then moving them to the device is inefficient.