Common security gotchas in Python and how to avoid them

  • Prevent input injections (SQL or command injections) by sanitizing input with the utilities that come with your web framework, avoiding hand-built SQL queries, and using the shlex module to escape input correctly.
  • Avoid relying on assert statements except when communicating with other developers (such as in unit tests or to guard against incorrect API usage) because in the production environment it is common to run with optimisations and Python will skip the assert statements.
  • Python’s import system is very flexible, and installing third-party packages exposes security holes. You also need to consider the dependencies of your dependencies. So vet your packages: look at PyUp.io, check package signatures, use virtual environments for all apps, and keep your global site-packages directory as clean as possible.
  • Rather than the very powerful yaml.load, use yaml.safe_load.
  • Python can have overrun or overflow vulnerabilities related to memory allocation, so keep your runtime patched, even when you are on the latest release.
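As an added example that is not part of the original post, the first bullet's two injection classes side by side: a query built by string formatting versus one using parameter binding, and a shell string built by concatenation versus an argument list (or shlex.quote where a shell string is unavoidable). Standard library only; the users table and inputs are constructed here.

```python
import shlex
import sqlite3
import subprocess


def make_db():
    # Constructed in-memory table so the example runs offline.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("O'Brien", "user")])
    return conn


def find_user_unsafe(conn, name):
    # String formatting: the input is spliced into the SQL text, so any
    # quote in it is parsed as SQL syntax rather than as data.
    query = f"SELECT name FROM users WHERE name = '{name}'"
    try:
        return [row[0] for row in conn.execute(query)]
    except sqlite3.OperationalError as exc:
        return f"SQL error: {exc}"


def find_user_safe(conn, name):
    # Parameter binding: the driver passes the value separately from the
    # statement, so the quote stays inside the data.
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


def echo_unsafe(text):
    # shell=True with concatenation: the shell interprets metacharacters
    # in text (';' here ends the command and starts a second one).
    cmd = "echo " + text
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def echo_safe(text):
    # Argument list without a shell: text is one argv entry, never parsed.
    return subprocess.run(["echo", text], capture_output=True, text=True).stdout


def shell_string_safe(text):
    # When a shell string is unavoidable (e.g. a command sent over ssh),
    # shlex.quote wraps the value so the shell sees a single literal word.
    return "echo " + shlex.quote(text)


if __name__ == "__main__":
    db = make_db()
    print(find_user_unsafe(db, "O'Brien"), find_user_safe(db, "O'Brien"))
    print(repr(echo_unsafe("x; echo y")), repr(echo_safe("x; echo y")))
    print(shell_string_safe("x; echo y"))
```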

Full post here, 7 mins read