Merge branch 'ossf:main' into jp-translation-regex1

Author: Muuhh-CTJ

docs/Concise-Guide-for-Evaluating-Open-Source-Software.md

@@ -57,7 +57,8 @@ Licensing frameworks, while not directly security-related, significantly impact
 |------|-------------|:--------:|
 | **License Clarity** | Verify that every component has a license, that it's a widely-used [OSI license](https://opensource.org/licenses) if it's OSS, and that it's consistent with your intended use. Projects that won't provide clear license information are less likely to follow other good practices that lead to secure software. |   |
 | **Name Verification** | Check if a similar name is more popular - that could indicate a typosquatting attack. |   |
-| **Usage Metrics** | Assess if it has significant use. Software with many users or large users may be inappropriate for your use. However, widely-used software is more likely to offer useful information on how to use it securely, and more people will care about its security. |   |
+| **Adoption** | Assess if the software has significant use. Widely-used software is more likely to offer useful information on how to use it securely and more people will care about its security. |   |
+| **Suitability** | Choose software that is a good solution for your problem. Avoid [Hype Driven Development](https://blog.daftcode.pl/hype-driven-development-3469fc2e9b22): Don't choose it merely because it's used by large companies or because it's the latest fad. |   |
 
 ## Practical Testing
 

docs/Correctly-Using-Regular-Expressions-Rationale.md

@@ -477,6 +477,45 @@ Many developers believe that regex notation is the same everywhere, even though
 
 Such changes would take years to adopt. Even worse, these changes might not be accepted in some cases because some people may think that merely being possible to do something is adequate. We don’t agree; we think it’s important to make it _easy_ to do the secure action, not just possible, and it’s best to make avoidable mistakes les likely. These changes require implementations in many systems and modifications of many specifications; doing this has been historically challenging. Still, such changes would reduce the likelihood of these problems worldwide.
 
+#### Status of adding \A and \z across ecosystems
+
+As previously noted, one start is to have a _single_ regex syntax
+that _always_ means "match beginning of input and "match end of input"
+_even_ when a multi-line mode is enabled.
+This notation is especially important for security, because they make it
+practical to use regexes for input validation.
+
+Many platforms already support \A and \z respectively for beginning-of-input
+and end-of-input.
+These platforms are
+Perl, .NET/C#, Java, PHP, PCRE, Golang, Rust crate regex, RE2, and Ruby.
+
+If the following platforms made adjustments, the notation would
+be nearly universal:
+
+* POSIX: On 2024-04-24 the Austin Group "accepted as marked"
+  [bug 1919](https://www.austingroupbugs.net/view.php?id=1919) the
+  proposed change to add \A and \z to extended regular expressions (EREs).
+  They decided to not require the older BRE syntax to support it at this time,
+  but do plan to add a NOTE saying "a future version of this standard is likely
+  to require such characters to be supported in a regular expression.
+  Implementors are encouraged to provide this as an extension using
+  "\A" for the beginning and "\z" for the end of strings as they are
+  already in widespread use for this purpose in other languages."
+* ECMAScript/JavaScript: In 2021 Ron Buckton (@rbuckton) created the proposal
+  [Regular Expression Buffer Boundaries for ECMAScript](https://github.com/tc39/proposal-regexp-buffer-boundaries)
+  to add \A and \z to ECMAScript/JavaScript, and it advanced to stage 2,
+  but it seems to be stuck there. We intend to see if we can help it advance.
+* Python: Python supports \A, but it uses the unique \Z instead of the
+  \z used everywhere else for end-of-string.
+  We'll ask to see if \z could be supported in addition to \Z for end-of-string.
+  We'll probably start with a minor git request (as this is a really
+  small change), otherwise we'll create a PEP, depending on the desires
+  of the Python community.
+  In current versions of Python3 a \z in a regex raises an exception, so
+  adding \z for end-of-string would be a backwards-compatible addition.
+  See [CPython issue 133306](https://github.com/python/cpython/issues/133306).
+
 ## Authors and contributors
 
 We would like to thank the following contributors:

docs/Secure-Coding-Guide-for-Python/CWE-703/CWE-754/README.md

@@ -0,0 +1,204 @@
+# CWE-754: Improper Check for Unusual or Exceptional Conditions - Float
+
+Ensure to have handling for exceptional floating-point values.
+
+The `float` class has the capability to interpret various input values as floating-point numbers. Some special cases can interpret input values as
+
+* Positive Infinity
+* Negative Infinity
+* `NaN` (Not-a-Number)
+
+These floating-point class values represent numbers that fall outside the typical range and exhibit unique behaviors. `NaN` (Not a Number) lacks a defined order and is not considered equal to any value, including itself. Hence, evaluating an expression such as `NaN == NaN` returns `False`.
+
+## Non-Compliant Code Example
+
+The `noncompliant01.py` intent is to ensure that adding objects will not exceed a total weight of `100` units. Validation fails as the code to test for exceptional conditions, such as `NaN` or `infinity`, is missing.
+
+*[noncompliant01.py](noncompliant01.py):*
+
+```py
+# SPDX-FileCopyrightText: OpenSSF project contributors
+# SPDX-License-Identifier: MIT
+"""Non-compliant Code Example"""
+ 
+import sys
+ 
+ 
+class Package:
+    """Class representing a package object"""
+ 
+    def __init__(self):
+        self.package_weight: float = 0.0
+        self.max_package_weight: float = 100.0
+ 
+    def add_to_package(self, object_weight: str):
+        """Function for adding an object into the package"""
+        value = float(object_weight)
+        # This is dead code as value gets type cast to float,
+        # hence will never be equal to string "NaN"
+        if value == "NaN":
+            raise ValueError("'NaN' not a number")
+        # This is also dead code as value is type cast to float,
+        # unusual inputs like -infinity will not get caught
+        if isinstance(value, float) is False:
+            raise ValueError("not a number")
+        if self.package_weight + value > self.max_package_weight:
+            raise ValueError("Addition would exceed maximum package weight.")
+ 
+        self.package_weight += value
+ 
+    def get_package_weight(self):
+        """Getter for outputting the package's current weight"""
+        return self.package_weight
+ 
+ 
+#####################
+# exploiting above code example
+#####################
+package = Package()
+print(f"\nOriginal package's weight is {package.get_package_weight():.2f} units\n")
+for item in [100, "-infinity", sys.float_info.max, "NaN", -100]:
+    print(f"package.add_to_package({item})")
+    try:
+        package.add_to_package(item)
+        print(
+            f"package.get_package_weight() = {package.get_package_weight():.2f}\n"
+        )
+ 
+    except Exception as e:
+        print(e)
+```
+
+Some important considerations when dealing with floating-point values from `non-complaint01.py`.
+
+* Setting a value above `sys.float_info.max` does not increase the held value. In some cases, incrementing `package_weight` with a high enough value may turn its value into `inf`.
+* Setting the added value to `-infinity` and `+infinity` causes the value of the `package_weight` to be infinite as well.
+* Adding `"NaN"`, which is not a valid value to `package_weight` will always return `"nan"`.
+
+**Example `noncompliant01.py` output:**
+
+```bash
+Original package's weight is 0.00 units
+
+package.add_to_package(100)
+package.get_package_weight() = 100.00
+
+package.add_to_package(-infinity)
+package.get_package_weight() = -inf
+
+package.add_to_package(1.7976931348623157e+308)
+package.get_package_weight() = -inf
+
+package.add_to_package(NaN)
+package.get_package_weight() = nan
+
+package.add_to_package(-100)
+package.get_package_weight() = nan
+```
+
+## Compliant Solution
+
+Exceptional values and out-of-range values are handled in `compliant01.py`. Some negative values are also checked for due to the nature of the code example.
+The `isfinite` function from the `math` library is useful for checking for `NaN`, `infinity` and `-infinity` values. `math.isfinite` checks if a value is neither `infinite` nor a `NaN`.
+
+Other functions from the `math` library that could be of use are `isnan`, which checks if an inputted value is `"NaN"`, and `isinf` (which checks if a value is positive or negative infinity).
+
+*[compliant01.py](compliant01.py):*
+
+```py
+# SPDX-FileCopyrightText: OpenSSF project contributors
+# SPDX-License-Identifier: MIT
+""" Compliant Code Example """
+
+
+import sys
+from math import isfinite, isnan
+from typing import Union
+
+
+class Package:
+    """Class representing a package object."""
+    def __init__(self) -> None:
+        self.package_weight: float = 0.0
+        self.max_package_weight: float = 100.0
+
+    def add_to_package(self, object_weight: Union[str, int, float]) -> None:
+        # TODO: input sanitation.
+        # TODO: proper exception handling
+        """Add an object into the package after validating its weight."""
+        try:
+            value = float(object_weight)
+        except (ValueError, TypeError) as e:
+            raise ValueError("Input cannot be converted to a float.") from e
+        if isnan(value):
+            raise ValueError("Input is not a number")
+        if not isfinite(value):
+            raise ValueError("Input is not a finite number.")
+        if value < 0:
+            raise ValueError("Weight must be a non-negative number.")
+        if self.package_weight + value > self.max_package_weight:
+            raise ValueError("Addition would exceed maximum package weight.")
+ 
+        print(f"Adding an object that weighs {value} units to package")
+        self.package_weight += value
+ 
+    def get_package_weight(self) -> float:
+        """Return the package's current weight."""
+        return self.package_weight
+
+
+#####################
+# exploiting above code example
+#####################
+ 
+ 
+package = Package()
+print(f"\nOriginal package's weight is {package.get_package_weight():.2f} units\n")
+for item in [100, "-infinity", sys.float_info.max, "NaN", -100]:
+    print(f"package.add_to_package({item})")
+    try:
+        package.add_to_package(item)
+        print(
+            f"package.get_package_weight() = {package.get_package_weight():.2f}\n"
+        )
+ 
+    except Exception as e:
+        print(e)
+```
+
+This compliant code example will raise a `ValueError` for inputs that are `-infinity`, `infinity`, or `NaN`, with messages "Input is not a finite number" and "Input is not a number" respectively. It should also ensure weights are non-negative, returning "Weight must be a non-negative number" for negative inputs.
+
+**Example `compliant01.py` output:**
+
+```bash
+Original package's weight is 0.00 units
+ 
+package.add_to_package(100)
+Adding an object that weighs 100.0 units to package
+package.get_package_weight() = 100.00
+ 
+package.add_to_package(-infinity)
+Input is not a finite number.
+package.add_to_package(1.7976931348623157e+308)
+Addition would exceed maximum package weight.
+package.add_to_package(NaN)
+Input is not a number
+package.add_to_package(-100)
+Weight must be a non-negative number.
+```
+
+## Automated Detection
+
+|||||
+|:---|:---|:---|:---|
+|Tool|Version|Checker|Description|
+|bandit|1.7.4|no detection||
+
+## Related Guidelines
+
+|||
+|:---|:---|
+|[SEI CERT C Coding Standard](https://wiki.sei.cmu.edu/confluence/display/c/SEI+CERT+C+Coding+Standard)|[FLP04-C. Check floating-point inputs for exceptional values](https://wiki.sei.cmu.edu/confluence/display/c/FLP04-C.+Check+floating-point+inputs+for+exceptional+values)|
+|[SEI CERT Oracle Coding Standard for Java](https://wiki.sei.cmu.edu/confluence/display/java/SEI+CERT+Oracle+Coding+Standard+for+Java?src=sidebar)|[NUM08-J. Check floating-point inputs for exceptional values](https://wiki.sei.cmu.edu/confluence/display/java/NUM08-J.+Check+floating-point+inputs+for+exceptional+values)|
+|[CWE MITRE Pillar](http://cwe.mitre.org/)|[CWE-703: Improper Check or Handling of Exceptional Conditions](https://cwe.mitre.org/data/definitions/703.html)|
+|[MITRE CWE Base](https://cwe.mitre.org/)|[CWE-754: Improper Check for Unusual or Exceptional Conditions](https://cwe.mitre.org/data/definitions/754.html)|

docs/Secure-Coding-Guide-for-Python/CWE-703/CWE-754/compliant01.py

@@ -1,46 +1,58 @@
 # SPDX-FileCopyrightText: OpenSSF project contributors
 # SPDX-License-Identifier: MIT
 """ Compliant Code Example """
+
+
 import sys
-from math import isinf, isnan
+from math import isfinite, isnan
+from typing import Union
 
 
 class Package:
-    def __init__(self):
-        self.package_weight = float(1.0)
-
-    def put_in_the_package(self, user_input):
+    """Class representing a package object."""
+    def __init__(self) -> None:
+        self.package_weight: float = 0.0
+        self.max_package_weight: float = 100.0
+
+    def add_to_package(self, object_weight: Union[str, int, float]) -> None:
+        """Add an object into the package after validating its weight."""
+        # TODO: input sanitation.
+        # TODO: proper exception handling
         try:
-            value = float(user_input)
-        except ValueError:
-            raise ValueError(f"{user_input} - Input is not a number!")
-
-        print(f"value is {value}")
-
-        if isnan(value) or isinf(value):
-            raise ValueError(f"{user_input} - Input is not a real number!")
-
+            value = float(object_weight)
+        except (ValueError, TypeError) as e:
+            raise ValueError("Input cannot be converted to a float.") from e
+        if isnan(value):
+            raise ValueError("Input is not a number")
+        if not isfinite(value):
+            raise ValueError("Input is not a finite number.")
         if value < 0:
-            raise ValueError(
-                f"{user_input} - Packed object weight  cannot be negative!"
-            )
+            raise ValueError("Weight must be a non-negative number.")
+        if self.package_weight + value > self.max_package_weight:
+            raise ValueError("Addition would exceed maximum package weight.")
 
-        if value >= sys.float_info.max - self.package_weight:
-            raise ValueError(f"{user_input} - Input exceeds acceptable range!")
+        print(f"Adding an object that weighs {value} units to package")
         self.package_weight += value
 
-    def get_package_weight(self):
+    def get_package_weight(self) -> float:
+        """Return the package's current weight."""
         return self.package_weight
 
 
 #####################
 # exploiting above code example
 #####################
+
+
 package = Package()
 print(f"\nOriginal package's weight is {package.get_package_weight():.2f} units\n")
-for item in [sys.float_info.max, "infinity", "-infinity", "nan"]:
+for item in [100, "-infinity", sys.float_info.max, "NaN", -100]:
+    print(f"package.add_to_package({item})")
     try:
-        package.put_in_the_package(item)
-        print(f"Current package weight = {package.get_package_weight():.2f}\n")
+        package.add_to_package(item)
+        print(
+            f"package.get_package_weight() = {package.get_package_weight():.2f}\n"
+        )
+
     except Exception as e:
         print(e)

docs/Secure-Coding-Guide-for-Python/CWE-703/CWE-754/noncompliant01.py

@@ -1,19 +1,35 @@
 # SPDX-FileCopyrightText: OpenSSF project contributors
 # SPDX-License-Identifier: MIT
-""" Non-compliant Code Example """
+"""Non-compliant Code Example"""
+
 import sys
 
 
 class Package:
+    """Class representing a package object"""
+
     def __init__(self):
-        self.package_weight = float(1.0)
+        self.package_weight: float = 0.0
+        self.max_package_weight: float = 100.0
 
-    def put_in_the_package(self, object_weight):
+    def add_to_package(self, object_weight: str):
+        """Function for adding an object into the package"""
         value = float(object_weight)
-        print(f"Adding an object that weighs {value} units")
+        # This is dead code as value gets type cast to float,
+        # hence will never be equal to string "NaN"
+        if value == "NaN":
+            raise ValueError("'NaN' not a number")
+        # This is also dead code as value is type cast to float,
+        # unusual inputs like -infinity will not get caught
+        if isinstance(value, float) is False:
+            raise ValueError("not a number")
+        if self.package_weight + value > self.max_package_weight:
+            raise ValueError("Addition would exceed maximum package weight.")
+
         self.package_weight += value
 
     def get_package_weight(self):
+        """Getter for outputting the package's current weight"""
         return self.package_weight
 
 
@@ -22,9 +38,13 @@ def get_package_weight(self):
 #####################
 package = Package()
 print(f"\nOriginal package's weight is {package.get_package_weight():.2f} units\n")
-for item in [sys.float_info.max, "infinity", "-infinity", "nan"]:
+for item in [100, "-infinity", sys.float_info.max, "NaN", -100]:
+    print(f"package.add_to_package({item})")
     try:
-        package.put_in_the_package(item)
-        print(f"Current package weight = {package.get_package_weight():.2f}\n")
+        package.add_to_package(item)
+        print(
+            f"package.get_package_weight() = {package.get_package_weight():.2f}\n"
+        )
+
     except Exception as e:
         print(e)