diff --git a/docs/Secure-Coding-Guide-for-Python/CWE-703/CWE-390/compliant01.py b/docs/Secure-Coding-Guide-for-Python/CWE-703/CWE-390/compliant01.py
new file mode 100644
index 00000000..65eadf6d
--- /dev/null
+++ b/docs/Secure-Coding-Guide-for-Python/CWE-703/CWE-390/compliant01.py
@@ -0,0 +1,20 @@
+# SPDX-FileCopyrightText: OpenSSF project contributors
+# SPDX-License-Identifier: MIT
+""" Compliant Code Example """
+from time import sleep
+
+
+def exception_example():
+ """Compliant Code Example catching a specific exception"""
+ while True:
+ sleep(1)
+ try:
+ _ = 1 / 0
+ except ZeroDivisionError:
+ print("How is it now?")
+
+
+#####################
+# exploiting above code example
+#####################
+exception_example()
diff --git a/docs/Secure-Coding-Guide-for-Python/CWE-703/CWE-390/compliant02.py b/docs/Secure-Coding-Guide-for-Python/CWE-703/CWE-390/compliant02.py
new file mode 100644
index 00000000..5d6a3bc6
--- /dev/null
+++ b/docs/Secure-Coding-Guide-for-Python/CWE-703/CWE-390/compliant02.py
@@ -0,0 +1,28 @@
+# SPDX-FileCopyrightText: OpenSSF project contributors
+# SPDX-License-Identifier: MIT
+""" Compliant Code Example """
+
+from pathlib import Path
+
+
+def exception_example(args: list):
+ """Compliant code demonstrating a simplistic handling.
+ input validation or architectural are not demonstrated.
+ """
+ file_exists = False
+ path = Path(Path.home(), args[0])
+ while not file_exists:
+ try:
+ file_handle = open(path, "r", encoding="utf-8")
+ file_exists = True
+ print(file_handle.readlines())
+ except FileNotFoundError:
+ print(f"Unable to find file '{path.name}'")
+ filename = input("Please provide a valid filename: ")
+ path = Path(Path.home(), filename)
+
+
+#####################
+# exploiting above code example
+#####################
+exception_example(["goblegoblegoble"])
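Review bot: In compliant01.py the `except ZeroDivisionError:` handler only prints and the `while True:` loop then retries `1 / 0`, which can never succeed, so the example still detects the error without acting on it — the pattern CWE-390 describes; if the intent is to show a correct handler, a `break`, `return` or `raise` after `print("How is it now?")` would make that explicit. The unguarded module-level `exception_example()` call also starts that endless loop as a side effect of merely importing the file; the conventional guard is `if __name__ == "__main__":` around the call. The same import-time call appears in compliant02.py, noncompliant01.py and noncompliant02.py.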
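Review bot: In compliant02.py the `file_handle = open(path, "r", encoding="utf-8")` inside the `try` is never closed, so the descriptor leaks on the success path; `with open(path, "r", encoding="utf-8") as file_handle:` with the `file_exists = True` and `print(file_handle.readlines())` lines indented under it closes it deterministically, and noncompliant02.py has the same unclosed handle. The docstring says input validation is out of scope, but a reader may still take `Path(Path.home(), args[0])` as restricting the file to the home directory, which it does not — `Path` returns an absolute second component as-is; a one-line comment stating that the argument is not confined to the home directory would keep the example from being copied as if it were. Catching only `FileNotFoundError` fits the example, though a comment could note that `PermissionError` and `IsADirectoryError` deliberately propagate to the caller.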
diff --git a/docs/Secure-Coding-Guide-for-Python/CWE-703/CWE-390/noncompliant01.py b/docs/Secure-Coding-Guide-for-Python/CWE-703/CWE-390/noncompliant01.py
new file mode 100644
index 00000000..144acd49
--- /dev/null
+++ b/docs/Secure-Coding-Guide-for-Python/CWE-703/CWE-390/noncompliant01.py
@@ -0,0 +1,21 @@
+# SPDX-FileCopyrightText: OpenSSF project contributors
+# SPDX-License-Identifier: MIT
+""" Non-compliant Code Example """
+
+from time import sleep
+
+
+def exception_example():
+ """Non-compliant Code Example using bare except"""
+ while True:
+ try:
+ sleep(1)
+ _ = 1 / 0
+ except:
+ print("Don't care")
+
+
+#####################
+# exploiting above code example
+#####################
+exception_example()
diff --git a/docs/Secure-Coding-Guide-for-Python/CWE-703/CWE-390/noncompliant02.py b/docs/Secure-Coding-Guide-for-Python/CWE-703/CWE-390/noncompliant02.py
new file mode 100644
index 00000000..39bbfcf0
--- /dev/null
+++ b/docs/Secure-Coding-Guide-for-Python/CWE-703/CWE-390/noncompliant02.py
@@ -0,0 +1,22 @@
+# SPDX-FileCopyrightText: OpenSSF project contributors
+# SPDX-License-Identifier: MIT
+""" Non-compliant Code Example """
+
+import logging
+from pathlib import Path
+
+
+def exception_example(args: list):
+ """Non-compliant Code Example missing handling"""
+ file_path = Path(Path.home(), args[0])
+ try:
+ file_handle = open(file_path, "r", encoding="utf-8")
+ _ = file_handle.readlines()
+ except Exception as exception:
+ logging.exception(exception)
+
+
+#####################
+# exploiting above code example
+#####################
+exception_example(["goblegoblegoble"])
diff --git a/docs/Secure-Coding-Guide-for-Python/readme.md b/docs/Secure-Coding-Guide-for-Python/readme.md
index 6c27955e..1bc77a54 100644
--- a/docs/Secure-Coding-Guide-for-Python/readme.md
+++ b/docs/Secure-Coding-Guide-for-Python/readme.md
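Review bot: The bare `except:` in noncompliant01.py is the intended defect, but the file does not say what makes it worse than a broad `except Exception:`: a bare except also catches `KeyboardInterrupt` and `SystemExit`, so Ctrl-C cannot stop the `while True:` loop and the process has to be killed from outside. A comment on the `except:` line such as `# bare except also swallows KeyboardInterrupt and SystemExit; this loop cannot be interrupted` would make the non-compliance observable to a reader who runs the example.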
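Review bot: `logging.exception(exception)` in noncompliant02.py passes the exception object as the log message while `logging.exception` already attaches the traceback through `exc_info`, so the error text appears both as the message and at the end of the traceback and the message carries no context about what was being attempted; the conventional form is `logging.exception("Unable to read %s", file_path)`. The example is meant to show that the error is only logged and the caller receives `None` either way, and a short comment saying exactly that next to `except Exception as exception:` would make the contrast with compliant02.py explicit. On the success path `file_handle` is never closed, as in compliant02.py.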
@@ -70,6 +70,7 @@ It is **not production code** and requires code-style or python best practices t
 |[CWE-703: Improper Check or Handling of Exceptional Conditions](https://cwe.mitre.org/data/definitions/703.html)|Prominent CVE|
 |:----------------------------------------------------------------|:----|
 |[CWE-230: Improper Handling of Missing Values](CWE-703/CWE-230/.)||
+|[CWE-390: Detection of Error Condition without Action](CWE-703/CWE-390/)||
 |[CWE-392: Missing Report of Error Condition](CWE-703/CWE-392/README.md)||
 |[CWE-754: Improper Check for Unusual or Exceptional Conditions](CWE-703/CWE-754/.)||