Merge branch 'ossf:main' into pyCode2GitHub_CWE-665

Author: myteron

README.md

@@ -82,6 +82,7 @@ Our work is organized into several discrete-yet-related projects that help us ac
 |[OpenSSF Best Practices Badge - formerly CII Best Practices badge](https://www.bestpractices.dev/) | Identifies FLOSS best practices & implements a badging system for those practices, | | | |
 | [OpenSSF Scorecard](https://scorecard.dev/) | Automate analysis on the security posture of open source projects | [OpenSSF Scorecard](https://github.com/ossf/scorecard) | [#scorecard](https://openssf.slack.com/archives/C0235AR8N2C) | [Contribute!](https://github.com/ossf/scorecard?tab=readme-ov-file#contribute) |
 | [OpenSSF Scorecard — Allstar](https://github.com/ossf/allstar) | Monitors GitHub organizations or repositories for adherence to security best practices | [Allstar](https://github.com/ossf/allstar) | [#allstar](https://openssf.slack.com/archives/C02UQ2RL0HM) | [Contribute!](https://github.com/ossf/scorecard?tab=readme-ov-file#contribute) |
+| [OpenSSF Security Baseline](https://github.com/ossf/security-baseline) | Provide avenue for particpants to help evolve the OpenSSF security baseline into a security baseline that can be applied to a broad range of software-based projects |[OpenSSF Security Baseline](https://github.com/ossf/security-baseline) | [#sig-security-baseline](https://app.slack.com/client/T019QHUBYQ3/C07DC6TT2QY) | [Mailing List](https://lists.openssf.org/g/openssf-sig-security-baseline) |
 | [Secure Software Development Fundamentals - online course](https://openssf.org/training/courses/)  |Teach software developers fundamentals of developing secure software  | [GitHub](https://github.com/ossf/secure-sw-dev-fundamentals) | | |
 | Memory Safety SIG | The Memory Safety SIG is a group working within the OpenSSF's Best Practices Working Group formed to advance and deliver upon The OpenSSF's Mobilization Plan - Stream 4.   |[Git Repo](https://github.com/ossf/Memory-Safety) | [Slack](https://openssf.slack.com/archives/C03G8NZH58R) | [Mailing List](https://lists.openssf.org/g/openssf-sig-memory-safety) |
 |  The Security Toolbelt | Assemble a “sterling” collection of capabilities (**software frameworks, specifications, and human and automated processes**) that work together to **automatically list, scan, remediate, and secure the components flowing through the software supply chain** that come together as software is written, built, deployed, consumed, and maintained. Each piece of the collection will represent an **interoperable** link in that supply chain, enabling adaptation and integration into the major upstream language toolchains, developer environments, and CI/CD systems. | [Security Toolbelt](https://github.com/ossf/toolbelt) | [security-toolbelt](https://openssf.slack.com/archives/C057BN7K19B) | [Mailing List]([email protected]) |
@@ -142,7 +143,7 @@ Every 2 weeks, Tuesday 10am EST. The meeting invite is available on the [public
 |   EDU.SIG   | Every 2 weeks, Wednesday 6:00a PT/9:00a ET/1400 UTC   | [Meeting Notes](https://docs.google.com/document/d/1NPk5HZLfSMLpUsqaqVcbUSmSR66gS8WoJmEqfsCwrrE/edit#heading=h.yi1fmphbeqoj)                       |  [Git Repo](https://github.com/ossf/education) | [Slack](https://openssf.slack.com/archives/C03FW3YGXH9) | [Mailing List](https://lists.openssf.org/g/openssf-sig-education) |
 |  Memory Safety SIG   | Every 2 weeks, Thursday 10:00a PT/1:00p ET/1500 UTC           | [Meeting Notes](https://docs.google.com/document/d/1KgWw0co9xvUfCqQYW6Qei2lii2Fl-t-L7gYkAZBYDWg/edit?usp=sharing)                       |  [Git Repo](https://github.com/ossf/Memory-Safety) | [Slack](https://openssf.slack.com/archives/C03G8NZH58R) | [Mailing List](https://lists.openssf.org/g/openssf-sig-memory-safety) |
 |  Scorecard  | Every 2 weeks, Thursday 1:00p PT/4:00p ET/1800 UTC    | [Meeting Notes](https://docs.google.com/document/d/1b6d3CVJLsl7YnTE7ZaZQHdkdYIvuOQ8rzAmvVdypOWM/edit?usp=sharing)           |  [Git Repo](https://github.com/ossf/scorecard) | [Slack](https://openssf.slack.com/archives/C0235AR8N2C ) | Mailing List |
-|  The Security Toolbelt  | Every Tuesday Noon/12pm ET  | [Meeting Notes](https://docs.google.com/document/d/1H3Nk0PwmylLg5F7pqrIvyKzTyXAll0-f50B7DdqOh4A/edit#heading=h.a615m7qzeitc)           |  [Git Repo](https://github.com/ossf/toolbelt) | [Slack](https://openssf.slack.com/archives/C057BN7K19B) | [Mailing List](Openssf-sig-sterling-toolchain@lists.openssf.org) |
+| Security Baseline  | Every other Tuesday @ 10:00am EST  | [Meeting Minutes](https://docs.google.com/document/d/16tL1Ln7owIRXSoCKgyYHCs9-JP9iw-ouyk8koGAeHA0/)  | [Git Repo](https://github.com/ossf/security-baseline) | [Slack Channel](https://app.slack.com/client/T019QHUBYQ3/C07DC6TT2QY) | [Mailing List](https://lists.openssf.org/g/openssf-sig-security-baseline) |
 | Python Hardening Guide SIG | Every two weeks, Monday 11AM ET  | [Meeting Notes](https://docs.google.com/document/d/1JY8FREBPCUUFpuv7-4B9EjeS2MLDpel0dbG5DFWrTns/edit) | [Git Repo](https://github.com/ossf/wg-best-practices-os-developers/tree/main/docs/Secure-Coding-Guide-for-Python) | Slack | Mailing List |
 | EDU.SIG - Course Content Collab | Every week, Monday 1PM ET | [Meeting Notes](https://docs.google.com/document/d/1NPk5HZLfSMLpUsqaqVcbUSmSR66gS8WoJmEqfsCwrrE/edit#heading=h.y1wl36c7u5mn) | [Git Repo](https://github.com/ossf/education) | Slack | Mailing List |
 

docs/Compiler-Hardening-Guides/Compiler-Options-Hardening-Guide-for-C-and-C++.md

@@ -994,7 +994,7 @@ The `-fexceptions` option is also needed for C code that needs to interoperate w
 
 ---
 
-## Enable pre-determined set of hardening options in GCC
+### Enable pre-determined set of hardening options in GCC
 
 | Compiler Flag                             | Supported since | Description                                                         |
 |:----------------------------------------- |:---------------:|:------------------------------------------------------------------- |
@@ -1003,7 +1003,7 @@ The `-fexceptions` option is also needed for C code that needs to interoperate w
 
 The `-fhardened` umbrella option enables a pre-determined set of hardening options for C and C++ on GNU/Linux targets[^gcc-fhardened]. The precise set of options may change between major releases of GCC. The exact set of options for a specific GCC version can be displayed using the `--help=hardened` option.
 
-### Additional Considerations
+#### Additional Considerations
 
 Options explicitly specified on the compiler command line always take precedence over options implied by `-fhardened`. For example, `-fhardened` in GCC 14 enables [`-fstack-protector-strong`](#-fstack-protector-strong) but specifying `-fstack-protector -fhardened` or `-fhardened -fstack-protector` on the compiler command line will enable the weaker `-fstack-protector` instead of `-fstack-protector-strong`.
 
@@ -1345,6 +1345,7 @@ Many more security-relevant compiler options exist than are recommended in this
 | <span id="-mshstk">`-mshstk`</span>                                         | GCC 8.0.0<br/>Clang 6.0.0 | Enables discouraged shadow stack built-in functions[^gcc_mshstk], which are only needed for programs with an unconventional management of the program stack. CET instrumentation is controlled by [`-fcf-protection`](#-fcf-protection=full).
 | <span id="-fsanitize=safe-stack">`-fsanitize=safe-stack`</span>             | Clang 4.0.0 | Known compatibility limitations with garbage collection, signal handling, and shared libraries[^clang_safestack].
 | <span id="-fasynchronous-unwind-tables">`-fasynchronous-unwind-tables`</span> | GCC 3.1.1<br/>Clang 7.0.0  | Generate stack unwind table in DWARF2 format, which improves precision of unwind information[^Song20] and can improve the performance of profilers at the cost of larger binary sizes[^Bastian19], but does not benefit security.
+| <span id="-fvtable-verify">`-fvtable-verify`</span> |GCC 4.9.4 | Enables run-time checks for C++ virtual function pointers corruption. This option has significant performance overhead[^Tice2014] and breaks ABI with all existing system libraries unless the entire userspace is built with `-fvtable-verify`[^gentoo-vtv]. Believed to be currently unmaintained in GCC.
 
 [^nodump]: The `-Wl,-z,nodump` option sets `DF_1_NODUMP` flag in the object’s `.dynamic` section tags. On Solaris this restricts calls to `dldump(3)` for the object. However, other operating systems ignore the `DF_1_NODUMP` flag. While Binutils implements `-Wl,-z,nodump` for Solaris compatibility a choice was made to not support it in `lld` ([D52096 lld: add -z nodump support](https://reviews.llvm.org/D52096)).
 
@@ -1360,4 +1361,8 @@ Many more security-relevant compiler options exist than are recommended in this
 
 [^Bastian19]: Bastian, Théophile and Kell, Stephen and Nardelli, Francesco Zappa, [Reliable and fast DWARF-based stack unwinding](https://doi.org/10.1145/3360572), Proceedings of the ACM Journal of Programming Languages, Volume 3, Issue OOPSLA, Article 146, 2019-10-10.
 
+[^Tice2014]: Tice, Caroline, [Enforcing Forward-Edge Control-Flow Integrity in GCC & LLVM](https://www.usenix.org/system/files/conference/usenixsecurity14/sec14-paper-tice.pdf#page=12) USENIX Security, August 2014
+
+[^gentoo-vtv]: Gentoo Foundation, [Local Use Flag: vtv](https://packages.gentoo.org/useflags/vtv) Gentoo Packages, Retrieved 2024-06-27.
+
 ## References

docs/Concise-Guide-for-Developing-More-Secure-Software.md

@@ -33,5 +33,6 @@ Here is a concise guide for all software developers for secure software developm
 24. **Continuously improve**. Improve scores, look for tips, & apply as appropriate.
 25. **Manage succession**. Have clear governance & work to add active, trustworthy maintainer(s).
 26. **Prefer memory-safe languages**. Many vulnerabilities involve memory safety. Where practical, use memory-safe programming languages (most are) and keep memory safety enabled. Otherwise, use mechanisms like extra tools and peer review to reduce risk.
+27. **Ensure production websites only load assets from your own domains**. _Linking_ to other domains is fine, but where practical, don't directly load assets such as JavaScript, CSS, and media (including images) from domains you do not control. If you do, your site might be subverted if that other domain is subverted, so investigate the risks before doing so. See the [subverted polyfill.io revelation in 2024](https://blog.qualys.com/vulnerabilities-threat-research/2024/06/28/polyfill-io-supply-chain-attack).
 
-Welcome suggestions and updates! Please open an [issue](https://github.com/ossf/wg-best-practices-os-developers/issues/) or post a [pull request](https://github.com/ossf/wg-best-practices-os-developers/pulls).
+We welcome suggestions and updates! Please open an [issue](https://github.com/ossf/wg-best-practices-os-developers/issues/) or post a [pull request](https://github.com/ossf/wg-best-practices-os-developers/pulls).

docs/Secure-Coding-Guide-for-Python/CWE-664/CWE-197/01/compliant01.py

@@ -0,0 +1,6 @@
+# SPDX-FileCopyrightText: OpenSSF project contributors
+# SPDX-License-Identifier: MIT
+""" Compliant Code Example """
+foo = int(round(0.9))
+type(foo)  # class int
+print(foo)  # prints 1

docs/Secure-Coding-Guide-for-Python/CWE-664/CWE-197/01/compliant02.py

@@ -0,0 +1,7 @@
+# SPDX-FileCopyrightText: OpenSSF project contributors
+# SPDX-License-Identifier: MIT
+""" Compliant Code Example """
+from decimal import Decimal, ROUND_HALF_UP, ROUND_HALF_DOWN
+
+print(Decimal("3.5").quantize(Decimal("1"), rounding=ROUND_HALF_UP))  # prints 4
+print(Decimal("3.5").quantize(Decimal("1"), rounding=ROUND_HALF_DOWN))  # prints 3

docs/Secure-Coding-Guide-for-Python/CWE-664/CWE-197/01/noncompliant01.py

@@ -0,0 +1,6 @@
+# SPDX-FileCopyrightText: OpenSSF project contributors
+# SPDX-License-Identifier: MIT
+""" Non-compliant Code Example """
+foo = int(0.9)
+type(foo)  # class int
+print(foo)  # prints 0

docs/Secure-Coding-Guide-for-Python/CWE-664/CWE-426/README.md

@@ -0,0 +1,92 @@
+# CWE-426: Untrusted Search Path
+
+In an environment where an untrusted or less trusted entity can modify the environment variables, consider validating hash-based byte code [Python 2023 Command line and environment].
+
+Python source code `.py` files need to be converted into "byte code" `.pyc` or `.pyo` in memory or in a filesystem `__pycache__` before running on the Python Virtual Machine (PVM) [Dec 2009 PEP 3147].
+Python 3.8 [Dec 2009 PEP 3147] also has a backward compatibility mode supporting delivering only byte code.
+
+Python 3.8 introduced the option to customize the `__pycache__` folder via `-X pycache_prefix=PATH`, or the `PYTHONPYCACHEPREFIX` environment variable. An attacker may manipulate the `PYTHONPYCACHEPREFIX` or `PYTHONPATH` to inject their code that can go unnoticed without hash-based verification. Without `--check-hash-based-pycs` Python only compares the byte code against the source code via a timestamp [Python 2023 The import system], potentially allowing an attack.
+
+Python 2.6 also introduced the ability to stop Python from writing "byte code" files via the `-B` flag or `PYTHONDONTWRITEBYTECODE=1` environment variable. However, this does not guarantee full protection.
+
+Byte code files contain a 32-bit 'magic number' to identify the byte code format to determine if the PVM matches. Byte code also uses a naming convention to match up the CPython interpreter down to its minor version, such as `sessions.cpython-39.pyc` for the sessions module compiled with CPython 3.9.
+
+## Non-Compliant Code Example
+
+Setting `--check-hash-based-pycs` to `default` or `never` skips integrity verification of the byte code against its source code and only compares timestamp and size.
+
+The following `noncompliant01.bash` code uses the Python standard library `http.server` as an example of a Python process started from a bash script without hash-based verification:
+
+*[noncompliant01.bash](noncompliant01.bash):*
+
+```bash
+# Non-compliant Code Example
+python3 -m http.server -b 127.0.0.42 8080
+```
+
+An attacker can exploit this by manipulating the `PYTHONPATH` to inject their code that can go unnoticed without hash-based verification as shown in the following example:
+
+*[example01.bash](example01.bash)*
+
+```bash
+cd
+CWD=$(pwd)
+mkdir -p temp/http
+touch temp/http/__init__.py
+echo "print('hello there')" > temp/http/server.py
+export PYTHONPATH=$CWD/temp/
+
+# and now launch again
+python3 -m http.server -b 127.0.0.42 8080
+```
+
+The `http.server` module is now launched from the `PYTHONPATH` and only prints "hello there" instead of launching the web server.
+
+## Compliant Solution
+
+In the following compliant solution, a user custom `PYTHONPATH` is suppressed with the `-I` isolation flag. This isolates the environment to avoid malicious code injection via `PYTHONPATH`. Additionally, using `--check-hash-based-pycs always` enforces hash-based integrity verification of byte code files against their source code files.
+
+compliant01.bash:
+
+*[compliant01.bash](compliant01.bash):*
+
+```bash
+# Compliant Code Example
+python3 -I --check-hash-based-pycs always -m http.server -b 127.0.0.42 8080
+```
+
+## Exceptions
+
+**ENV-4P-EX0:** Untrusted entities are not able to change environmental variables or any Python files.
+
+## Automated Detection
+
+Currently None.
+
+## Related Vulnerabilities
+
+| Component | CVE | Description  | CVSS rating | Comment |
+|:----------|:----|:-------------|:------------|:--------|
+| python-dbusmock <=0.15.1 | [CVE-2015-1326](https://nvd.nist.gov/vuln/detail/CVE-2015-1326) | AddTemplate() D-Bus method call or DBusTestCase.spawn_server_template() method could be tricked into executing malicious code if an attacker supplies a .pyc file. | 3.x: 8.8 High | |
+| catfish <= 0.6           | [CVE-2014-2095](https://nvd.nist.gov/vuln/detail/CVE-2014-2095) | Fedora package such as 0.8.2-1 is not used, allowing local users to gain privileges via a Trojan horse bin/catfish.pyc under the current working directory. | 2.0: 4.6 Med | |
+| catfish <= 0.4.0.3       | [CVE-2014-2094](https://nvd.nist.gov/vuln/detail/CVE-2014-2094) | Local users can gain privileges via a Trojan horse catfish.pyc in the current working directory. | 2.0: 4.6 Med | |
+
+## Related Guidelines
+
+|||
+|:---|:---|
+|[SEI CERT JAVA](https://wiki.sei.cmu.edu/confluence/display/java/SEI+CERT+Oracle+Coding+Standard+for+Java)|[ENV04-J. Do not disable bytecode verification - SEI CERT Oracle Coding Standard for Java - Confluence (cmu.edu)](https://wiki.sei.cmu.edu/confluence/display/java/ENV04-J.+Do+not+disable+bytecode+verification)|
+| [SEI CERT C Coding Standard](https://wiki.sei.cmu.edu/confluence/display/c/SEI+CERT+C+Coding+Standard) | [STR02-C. Sanitize data passed to complex subsystems](https://wiki.sei.cmu.edu/confluence/display/c/STR02-C.+Sanitize+data+passed+to+complex+subsystems) |
+| [SEI CERT C++ Coding Standard](https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=88046682) | [VOID STR02-CPP. Sanitize data passed to complex subsystems](https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=88046726) |
+| [SEI CERT Perl Coding Standard](https://wiki.sei.cmu.edu/confluence/display/perl/SEI+CERT+Perl+Coding+Standard) | [IDS33-PL. Sanitize untrusted data passed across a trust boundary](https://wiki.sei.cmu.edu/confluence/display/perl/IDS33-PL.+Sanitize+untrusted+data+passed+across+a+trust+boundary) |
+| MITRE | Pillar: [CWE-664: Improper Control of a Resource Through its Lifetime](https://cwe.mitre.org/data/definitions/664.html)<br>Base: [CWE-426: Untrusted Search Path](https://cwe.mitre.org/data/definitions/426.html)|
+|[OWASP 2005](https://wiki.sei.cmu.edu/confluence/display/java/Rule+AA.+References#RuleAA.References-OWASP05)|[A Guide to Building Secure Web Applications and Web Services](http://sourceforge.net/projects/owasp/files/Guide/2.0.1/OWASPGuide2.0.1.pdf/download) |
+
+## Biblography
+
+|||
+|:---|:---|
+|Dec 2009 PEP 3147|[PEP 3147 – PYC Repository Directories \| peps.python.org](https://peps.python.org/pep-3147/)|
+|[Python 2023 Command line and environment](https://docs.python.org/3.9/using/cmdline.html#cmdoption-check-hash-based-pycs)|<https://docs.python.org/3.9/using/cmdline.html#cmdoption-check-hash-based-pycs>|
+|[Python 2023 The import system](https://docs.python.org/3.9/reference/import.html#pyc-invalidation)|<https://docs.python.org/3.9/reference/import.html#pyc-invalidation>|
+|CPython 2023|<https://github.com/python/cpython/blob/main/Lib/importlib/_bootstrap_external.py>|

docs/Secure-Coding-Guide-for-Python/CWE-664/XXX-005/compliant01.bash renamed to docs/Secure-Coding-Guide-for-Python/CWE-664/CWE-426/compliant01.bash

@@ -1,4 +1,4 @@
 # SPDX-FileCopyrightText: OpenSSF project contributors
 # SPDX-License-Identifier: MIT
-""" Compliant Code Example """   
+# Compliant Code Example
 python3 -I --check-hash-based-pycs always -m http.server -b 127.0.0.42 8080

docs/Secure-Coding-Guide-for-Python/CWE-664/XXX-005/example01.bash renamed to docs/Secure-Coding-Guide-for-Python/CWE-664/CWE-426/example01.bash

@@ -6,6 +6,6 @@ mkdir -p temp/http
 touch temp/http/__init__.py
 echo "print('hello there')" > temp/http/server.py
 export PYTHONPATH=$CWD/temp/
- 
+
 # and now launch again
 python3 -m http.server -b 127.0.0.42 8080

docs/Secure-Coding-Guide-for-Python/CWE-664/XXX-005/noncompliant01.bash renamed to docs/Secure-Coding-Guide-for-Python/CWE-664/CWE-426/noncompliant01.bash

@@ -1,4 +1,4 @@
 # SPDX-FileCopyrightText: OpenSSF project contributors
 # SPDX-License-Identifier: MIT
-""" Non-compliant Code Example """   
+# Non-compliant Code Example
 python3 -m http.server -b 127.0.0.42 8080