From cbacf6443385932d7b05bb3885e655b81effe80a Mon Sep 17 00:00:00 2001
From: Ketki
Date: Tue, 12 Aug 2025 23:34:47 +0530
Subject: [PATCH 01/22] Create compliant.py
Signed-off-by: Ketki
---
 .../CWE-664/CWE-460/compliant.py | 21 +++++++++++++++++++
 1 file changed, 21 insertions(+)
 create mode 100644 docs/Secure-Coding-Guide-for-Python/CWE-664/CWE-460/compliant.py
diff --git a/docs/Secure-Coding-Guide-for-Python/CWE-664/CWE-460/compliant.py b/docs/Secure-Coding-Guide-for-Python/CWE-664/CWE-460/compliant.py
new file mode 100644
index 00000000..7cfde11e
--- /dev/null
+++ b/docs/Secure-Coding-Guide-for-Python/CWE-664/CWE-460/compliant.py
@@ -0,0 +1,21 @@
+
+# SPDX-FileCopyrightText: OpenSSF project contributors
+# SPDX-License-Identifier: MIT
+""" Compliant Code Example """
+import threading
+
+lock = threading.Lock()
+
+def compliant_example():
+ with lock:
+ # the lock has been acquired using the 'with' statement and will be released when the block exits; even if an exception occurs
+ print("Lock acquired, performing critical operation...")
+ # raising an exception
+ raise ValueError("Something went wrong!")
+ # This line will not be reached because of the exception above,
+ print("Lock released.")
+
+try:
+ compliant_example()
+except ValueError as e:
+ print(f"Caught exception: {e}")
From db57284f9a79b574a6c72b6da2b1feacac069d08 Mon Sep 17 00:00:00 2001
From: Ketki
Date: Tue, 12 Aug 2025 23:39:38 +0530
Subject: [PATCH 02/22] Create noncompliant.py
Signed-off-by: Ketki
---
 .../CWE-664/CWE-460/noncompliant.py | 24 +++++++++++++++++++
 1 file changed, 24 insertions(+)
 create mode 100644 docs/Secure-Coding-Guide-for-Python/CWE-664/CWE-460/noncompliant.py
diff --git a/docs/Secure-Coding-Guide-for-Python/CWE-664/CWE-460/noncompliant.py b/docs/Secure-Coding-Guide-for-Python/CWE-664/CWE-460/noncompliant.py
new file mode 100644
index 00000000..23309250
--- /dev/null
+++ b/docs/Secure-Coding-Guide-for-Python/CWE-664/CWE-460/noncompliant.py
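Review bot: The compliant example never shows that the lock was actually released: after `except ValueError as e:` the script only prints the exception, while noncompliant.py proves its leak with a second acquire(), so a reader running both files sees no contrast. Append a check after the except block, `print(f"Lock released: {not lock.locked()}")`, or a second `with lock:` block that prints that the lock could be re-acquired. The comment inside the with block, `# the lock has been acquired ... will be released when the block exits; even if an exception occurs`, also reads better with a comma in place of the semicolon, and the comment before `print("Lock released.")` ends in a stray comma.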
@@ -0,0 +1,24 @@
+import threading
+
+
+lock = threading.Lock()
+
+
+def noncompliant_example():
+ lock.acquire()
+ print("Lock acquired, performing critical operation...")
+ raise ValueError("Something went wrong!")
+ lock.release() # This line is never reached due to the exception
+
+
+try:
+ noncompliant_example()
+except ValueError as e:
+ print(f"Caught exception: {e}")
+
+
+# Next attempt to acquire the lock will block forever; as there is a deadlock!
+lock.acquire()
+print("This will not print because the lock was never released.")
+
+
From 88bf2a1b9d00910098fdbc5ce9fd56b883e0a46b Mon Sep 17 00:00:00 2001
From: Ketki
Date: Tue, 12 Aug 2025 23:45:29 +0530
Subject: [PATCH 03/22] Create README.md
Signed-off-by: Ketki
---
 .../CWE-664/CWE-460/README.md | 82 +++++++++++++++++++
 1 file changed, 82 insertions(+)
 create mode 100644 docs/Secure-Coding-Guide-for-Python/CWE-664/CWE-460/README.md
diff --git a/docs/Secure-Coding-Guide-for-Python/CWE-664/CWE-460/README.md b/docs/Secure-Coding-Guide-for-Python/CWE-664/CWE-460/README.md
new file mode 100644
index 00000000..d347280c
--- /dev/null
+++ b/docs/Secure-Coding-Guide-for-Python/CWE-664/CWE-460/README.md
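Review bot: The final `lock.acquire()` after the except block blocks the interpreter forever, so anyone executing noncompliant.py (or a CI job that runs the guide's examples) hangs instead of seeing the point; the demonstration holds just as well with a bounded wait, `if not lock.acquire(timeout=1):` followed by `print("Lock was never released; a plain acquire() would block forever.")`. The `lock.release()` after the raise is intentionally unreachable, but the trailing comment on that line is the only place that says so; a one-line docstring on the function such as `"""Acquire the lock and fail before releasing it (CWE-460)."""` would make the intent visible without reading the body. The file also lacks the SPDX header and module docstring that compliant.py in the previous patch carries.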
@@ -0,0 +1,82 @@ + +# CWE-460: Improper Cleanup on Thrown Exception + +The product does not clean up its state or incorrectly cleans up its state when an exception is thrown, leading to unexpected state or control flow. + +Often, when functions or loops become complicated, some level of resource cleanup is needed throughout execution. Exceptions can disturb the flow of the code and prevent the necessary cleanup from happening. + +A consequence of this is that the code is left in a bad state. + +One of the ways to mitigate this is to make sure that cleanup happens or that you should exit the program. Use throwing exceptions sparsely. + +Another way to mitigate this is to use the ‘with’ statement. It simplifies resource management by automatically handling setup and cleanup tasks. It's commonly used with files, network connections and databases to ensure resources are properly released even if errors occur making your code cleaner. + +## Non-Compliant Code Example + +In the noncompliant.py example, a thread gets locked, but not unlocked due to an exception being thrown before it can be closed. This might lead to the lock remaining closed and inaccessible for further use. + +noncompliant.py: + +```import threading + +lock = threading.Lock() + +def noncompliant_example(): + lock.acquire() + print("Lock acquired, performing critical operation...") + raise ValueError("Something went wrong!") + lock.release() # This line is never reached due to the exception + +try: + noncompliant_example() +except ValueError as e: + print(f"Caught exception: {e}") + +# Next attempt to acquire the lock will block forever — deadlock! +lock.acquire() +print("This will never print because the lock was never released.") +``` + +In the above code example, the acquired lock never gets released, as an error gets thrown before it can be released. + +## Compliant Solution + +In compliant01.py we use the with statement to ensure that the lock is released properly even if an error is to occur. 
+ +compliant01.py: +## Compliant Code Example + +``` +# SPDX-FileCopyrightText: OpenSSF project contributors +# SPDX-License-Identifier: MIT +""" Compliant Code Example """ +import threading + +lock = threading.Lock() + +def compliant_example(): + with lock: + # the lock has been acquired using the 'with' statement and will be released when the block exits; even if an exception occurs + print("Lock acquired, performing critical operation...") + # raising an exception + raise ValueError("Something went wrong!") + print("Lock released.") + +try: + compliant_example() +except ValueError as e: + print(f"Caught exception: {e}") +``` + +with lock: is shorthand for + +``` +lock.acquire() +try: + ... +finally: + lock.release() +``` + + + From 73e1102e1efcda04bc27f03d24650904bd0f082a Mon Sep 17 00:00:00 2001 From: Ketki Date: Tue, 12 Aug 2025 23:57:31 +0530 Subject: [PATCH 04/22] Update README.md Signed-off-by: Ketki --- .../CWE-664/CWE-460/README.md | 25 +++++++++++++++++-- 1 file changed, 23 insertions(+), 2 deletions(-) diff --git a/docs/Secure-Coding-Guide-for-Python/CWE-664/CWE-460/README.md b/docs/Secure-Coding-Guide-for-Python/CWE-664/CWE-460/README.md index d347280c..1bdf3262 100644 --- a/docs/Secure-Coding-Guide-for-Python/CWE-664/CWE-460/README.md +++ b/docs/Secure-Coding-Guide-for-Python/CWE-664/CWE-460/README.md @@ -17,13 +17,19 @@ In the noncompliant.py example, a thread gets locked, but not unlocked due to an noncompliant.py: -```import threading +``` +# SPDX-FileCopyrightText: OpenSSF project contributors +# SPDX-License-Identifier: MIT +"""Non-compliant Code Example""" + import threading lock = threading.Lock() def noncompliant_example(): + # the lock has been acquired for performing a critical operation lock.acquire() print("Lock acquired, performing critical operation...") + # simulating an error before it can be released raise ValueError("Something went wrong!") lock.release() # This line is never reached due to the exception 
@@ -68,7 +74,7 @@ except ValueError as e:
print(f"Caught exception: {e}")
```
-with lock: is shorthand for
+### with lock: is shorthand for
```
lock.acquire()
@@ -78,5 +84,20 @@ finally:
lock.release()
```
+It is best practice to use 'with' in such cases as it will make sure the resource gets released even if an exception occurs in the execution.
+
+
+## Automated Detection
+
+|||||
+|:---|:---|:---|:---|
+|Tool|Version|Checker|Description|
+
+## Related Guidelines
+
+|||
+|:---|:---|
+|[CWE MITRE Pillar](http://cwe.mitre.org/)|[https://cwe.mitre.org/data/definitions/460.html]|
+
From 08fbbd653ae346686f7884afa2a4278591d357b5 Mon Sep 17 00:00:00 2001
From: Ketki
Date: Sat, 16 Aug 2025 00:58:31 +0530
Subject: [PATCH 05/22] Update docs/Secure-Coding-Guide-for-Python/CWE-664/CWE-460/noncompliant.py
Co-authored-by: Bartlomiej Karas
Signed-off-by: Ketki
---
 .../CWE-664/CWE-460/noncompliant.py | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/docs/Secure-Coding-Guide-for-Python/CWE-664/CWE-460/noncompliant.py b/docs/Secure-Coding-Guide-for-Python/CWE-664/CWE-460/noncompliant.py
index 23309250..80810ac7 100644
--- a/docs/Secure-Coding-Guide-for-Python/CWE-664/CWE-460/noncompliant.py
+++ b/docs/Secure-Coding-Guide-for-Python/CWE-664/CWE-460/noncompliant.py
@@ -1,10 +1,13 @@
+# SPDX-FileCopyrightText: OpenSSF project contributors
+# SPDX-License-Identifier: MIT
+""" Non-compliant Code Example """
import threading
lock = threading.Lock()
-def noncompliant_example():
+def perform_critical_operation():
lock.acquire()
print("Lock acquired, performing critical operation...")
raise ValueError("Something went wrong!")
@@ -12,7 +15,7 @@ def noncompliant_example():
try:
- noncompliant_example()
+ perform_critical_operation()
except ValueError as e:
print(f"Caught exception: {e}")
@@ -21,4 +24,3 @@ def noncompliant_example():
lock.acquire()
print("This will not print because the lock was never released.")
-
From 7cbeb84240fb9ccba730e2e2d984712973833cd6 Mon Sep 17 00:00:00 2001
From: Ketki
Date: Sat, 16 Aug 2025 00:58:42 +0530
Subject: [PATCH 06/22] Update docs/Secure-Coding-Guide-for-Python/CWE-664/CWE-460/README.md
Co-authored-by: Bartlomiej Karas
Signed-off-by: Ketki
---
 docs/Secure-Coding-Guide-for-Python/CWE-664/CWE-460/README.md | 1 +
 1 file changed, 1 insertion(+)
diff --git a/docs/Secure-Coding-Guide-for-Python/CWE-664/CWE-460/README.md b/docs/Secure-Coding-Guide-for-Python/CWE-664/CWE-460/README.md
index 1bdf3262..ca141680 100644
--- a/docs/Secure-Coding-Guide-for-Python/CWE-664/CWE-460/README.md
+++ b/docs/Secure-Coding-Guide-for-Python/CWE-664/CWE-460/README.md
@@ -82,6 +82,7 @@ try:
...
finally:
lock.release()
+
```
It is best practice to use 'with' in such cases as it will make sure the resource gets released even if an exception occurs in the execution.
From 1e3b2b80c76006e0a2243c3a5d1823acc912b69d Mon Sep 17 00:00:00 2001
From: Ketki
Date: Sat, 16 Aug 2025 00:58:53 +0530
Subject: [PATCH 07/22] Update docs/Secure-Coding-Guide-for-Python/CWE-664/CWE-460/compliant.py
Co-authored-by: Bartlomiej Karas
Signed-off-by: Ketki
---
 .../CWE-664/CWE-460/compliant.py | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/docs/Secure-Coding-Guide-for-Python/CWE-664/CWE-460/compliant.py b/docs/Secure-Coding-Guide-for-Python/CWE-664/CWE-460/compliant.py
index 7cfde11e..56198c71 100644
--- a/docs/Secure-Coding-Guide-for-Python/CWE-664/CWE-460/compliant.py
+++ b/docs/Secure-Coding-Guide-for-Python/CWE-664/CWE-460/compliant.py
@@ -1,4 +1,3 @@
-
# SPDX-FileCopyrightText: OpenSSF project contributors
# SPDX-License-Identifier: MIT
""" Compliant Code Example """
@@ -6,7 +5,8 @@ lock = threading.Lock()
-def compliant_example():
+
+def perform_critical_operation():
with lock:
# the lock has been acquired using the 'with' statement and will be released when the block exits; even if an exception occurs
print("Lock acquired, performing critical operation...")
@@ -15,7 +15,9 @@ def compliant_example():
# This line will not be reached because of the exception above,
print("Lock released.")
+
try:
- compliant_example()
+ perform_critical_operation()
except ValueError as e:
print(f"Caught exception: {e}")
+
From 28481ac3a55ce0996af8f3b53f28047d942d73c4 Mon Sep 17 00:00:00 2001
From: Ketki
Date: Sat, 16 Aug 2025 00:59:06 +0530
Subject: [PATCH 08/22] Update docs/Secure-Coding-Guide-for-Python/CWE-664/CWE-460/README.md
Co-authored-by: Bartlomiej Karas
Signed-off-by: Ketki
---
 docs/Secure-Coding-Guide-for-Python/CWE-664/CWE-460/README.md | 1 +
 1 file changed, 1 insertion(+)
diff --git a/docs/Secure-Coding-Guide-for-Python/CWE-664/CWE-460/README.md b/docs/Secure-Coding-Guide-for-Python/CWE-664/CWE-460/README.md
index ca141680..5057ba07 100644
--- a/docs/Secure-Coding-Guide-for-Python/CWE-664/CWE-460/README.md
+++ b/docs/Secure-Coding-Guide-for-Python/CWE-664/CWE-460/README.md
@@ -68,6 +68,7 @@ def compliant_example():
raise ValueError("Something went wrong!")
print("Lock released.")
+
try:
compliant_example()
except ValueError as e:
From ca47af4a52e35c4041819ef45a843d77dee29305 Mon Sep 17 00:00:00 2001
From: Ketki
Date: Sat, 16 Aug 2025 00:59:15 +0530
Subject: [PATCH 09/22] Update docs/Secure-Coding-Guide-for-Python/CWE-664/CWE-460/README.md
Co-authored-by: Bartlomiej Karas
Signed-off-by: Ketki
---
 docs/Secure-Coding-Guide-for-Python/CWE-664/CWE-460/README.md | 1 +
 1 file changed, 1 insertion(+)
diff --git a/docs/Secure-Coding-Guide-for-Python/CWE-664/CWE-460/README.md b/docs/Secure-Coding-Guide-for-Python/CWE-664/CWE-460/README.md
index 5057ba07..94da893a 100644
--- a/docs/Secure-Coding-Guide-for-Python/CWE-664/CWE-460/README.md
+++ b/docs/Secure-Coding-Guide-for-Python/CWE-664/CWE-460/README.md
@@ -60,6 +60,7 @@ import threading
lock = threading.Lock()
+
def compliant_example():
with lock:
# the lock has been acquired using the 'with' statement and will be released when the block exits; even if an exception occurs
From f29037719f72b7eb8659d9e20eea2a5bff5d9cbf Mon Sep 17 00:00:00 2001 From: Ketki Date: Sat, 16 Aug 2025 00:59:24 +0530 Subject: [PATCH 10/22] Update docs/Secure-Coding-Guide-for-Python/CWE-664/CWE-460/README.md Co-authored-by: Bartlomiej Karas Signed-off-by: Ketki --- docs/Secure-Coding-Guide-for-Python/CWE-664/CWE-460/README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/docs/Secure-Coding-Guide-for-Python/CWE-664/CWE-460/README.md b/docs/Secure-Coding-Guide-for-Python/CWE-664/CWE-460/README.md index 94da893a..1ce3b8df 100644 --- a/docs/Secure-Coding-Guide-for-Python/CWE-664/CWE-460/README.md +++ b/docs/Secure-Coding-Guide-for-Python/CWE-664/CWE-460/README.md @@ -41,6 +41,7 @@ except ValueError as e: # Next attempt to acquire the lock will block forever — deadlock! lock.acquire() print("This will never print because the lock was never released.") + ``` In the above code example, the acquired lock never gets released, as an error gets thrown before it can be released. From 49419767c51807a98590aef946be7985eebbadab Mon Sep 17 00:00:00 2001 From: Ketki Date: Sat, 16 Aug 2025 00:59:37 +0530 Subject: [PATCH 11/22] Update docs/Secure-Coding-Guide-for-Python/CWE-664/CWE-460/README.md Co-authored-by: Bartlomiej Karas Signed-off-by: Ketki --- docs/Secure-Coding-Guide-for-Python/CWE-664/CWE-460/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/Secure-Coding-Guide-for-Python/CWE-664/CWE-460/README.md b/docs/Secure-Coding-Guide-for-Python/CWE-664/CWE-460/README.md index 1ce3b8df..264c8406 100644 --- a/docs/Secure-Coding-Guide-for-Python/CWE-664/CWE-460/README.md +++ b/docs/Secure-Coding-Guide-for-Python/CWE-664/CWE-460/README.md @@ -25,7 +25,7 @@ noncompliant.py: lock = threading.Lock() -def noncompliant_example(): +def perform_critical_operation(): # the lock has been acquired for performing a critical operation lock.acquire() print("Lock acquired, performing critical operation...") 
From d7e18decb4059de8afbb1d47e31a673c64c8e8e0 Mon Sep 17 00:00:00 2001 From: Ketki Date: Sat, 16 Aug 2025 00:59:44 +0530 Subject: [PATCH 12/22] Update docs/Secure-Coding-Guide-for-Python/CWE-664/CWE-460/README.md Co-authored-by: Bartlomiej Karas Signed-off-by: Ketki --- docs/Secure-Coding-Guide-for-Python/CWE-664/CWE-460/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/Secure-Coding-Guide-for-Python/CWE-664/CWE-460/README.md b/docs/Secure-Coding-Guide-for-Python/CWE-664/CWE-460/README.md index 264c8406..cafdbc7b 100644 --- a/docs/Secure-Coding-Guide-for-Python/CWE-664/CWE-460/README.md +++ b/docs/Secure-Coding-Guide-for-Python/CWE-664/CWE-460/README.md @@ -34,7 +34,7 @@ def perform_critical_operation(): lock.release() # This line is never reached due to the exception try: - noncompliant_example() + perform_critical_operation() except ValueError as e: print(f"Caught exception: {e}") From 80a4e949b114bd6744cf9fadb4f43c07587bb5cb Mon Sep 17 00:00:00 2001 From: Ketki Date: Sat, 16 Aug 2025 00:59:52 +0530 Subject: [PATCH 13/22] Update docs/Secure-Coding-Guide-for-Python/CWE-664/CWE-460/README.md Co-authored-by: Bartlomiej Karas Signed-off-by: Ketki --- docs/Secure-Coding-Guide-for-Python/CWE-664/CWE-460/README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/docs/Secure-Coding-Guide-for-Python/CWE-664/CWE-460/README.md b/docs/Secure-Coding-Guide-for-Python/CWE-664/CWE-460/README.md index cafdbc7b..b0f7198a 100644 --- a/docs/Secure-Coding-Guide-for-Python/CWE-664/CWE-460/README.md +++ b/docs/Secure-Coding-Guide-for-Python/CWE-664/CWE-460/README.md @@ -33,6 +33,7 @@ def perform_critical_operation(): raise ValueError("Something went wrong!") lock.release() # This line is never reached due to the exception + try: perform_critical_operation() except ValueError as e: From de7591072bb1875dc63d4f4d40dd5afc9ba8cc27 Mon Sep 17 00:00:00 2001 
From: Ketki Date: Sat, 16 Aug 2025 01:00:01 +0530 Subject: [PATCH 14/22] Update docs/Secure-Coding-Guide-for-Python/CWE-664/CWE-460/README.md Co-authored-by: Bartlomiej Karas Signed-off-by: Ketki --- docs/Secure-Coding-Guide-for-Python/CWE-664/CWE-460/README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/docs/Secure-Coding-Guide-for-Python/CWE-664/CWE-460/README.md b/docs/Secure-Coding-Guide-for-Python/CWE-664/CWE-460/README.md index b0f7198a..0f4e871f 100644 --- a/docs/Secure-Coding-Guide-for-Python/CWE-664/CWE-460/README.md +++ b/docs/Secure-Coding-Guide-for-Python/CWE-664/CWE-460/README.md @@ -25,6 +25,7 @@ noncompliant.py: lock = threading.Lock() + def perform_critical_operation(): # the lock has been acquired for performing a critical operation lock.acquire() From 9fe869badc90e71c979e96a08162013a1ef675be Mon Sep 17 00:00:00 2001 From: Ketki Date: Sat, 16 Aug 2025 01:00:15 +0530 Subject: [PATCH 15/22] Update docs/Secure-Coding-Guide-for-Python/CWE-664/CWE-460/README.md Co-authored-by: Bartlomiej Karas Signed-off-by: Ketki --- docs/Secure-Coding-Guide-for-Python/CWE-664/CWE-460/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/Secure-Coding-Guide-for-Python/CWE-664/CWE-460/README.md b/docs/Secure-Coding-Guide-for-Python/CWE-664/CWE-460/README.md index 0f4e871f..1d2d9b14 100644 --- a/docs/Secure-Coding-Guide-for-Python/CWE-664/CWE-460/README.md +++ b/docs/Secure-Coding-Guide-for-Python/CWE-664/CWE-460/README.md @@ -21,7 +21,7 @@ noncompliant.py: # SPDX-FileCopyrightText: OpenSSF project contributors # SPDX-License-Identifier: MIT """Non-compliant Code Example""" - import threading +import threading lock = threading.Lock() From abb9040a4a04c1b084b00db847fc7d8aa8930915 Mon Sep 17 00:00:00 2001 From: Ketki Date: Sat, 16 Aug 2025 01:01:16 +0530 Subject: [PATCH 16/22] Update README.md Signed-off-by: Ketki --- docs/Secure-Coding-Guide-for-Python/CWE-664/CWE-460/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/docs/Secure-Coding-Guide-for-Python/CWE-664/CWE-460/README.md b/docs/Secure-Coding-Guide-for-Python/CWE-664/CWE-460/README.md
index 1d2d9b14..ea83f51f 100644
--- a/docs/Secure-Coding-Guide-for-Python/CWE-664/CWE-460/README.md
+++ b/docs/Secure-Coding-Guide-for-Python/CWE-664/CWE-460/README.md
@@ -1,7 +1,7 @@
# CWE-460: Improper Cleanup on Thrown Exception
-The product does not clean up its state or incorrectly cleans up its state when an exception is thrown, leading to unexpected state or control flow.
+Make sure that your code fully and correctly cleans up its state whenever an exception occurs to avoid unexpected state or control flow.
Often, when functions or loops become complicated, some level of resource cleanup is needed throughout execution. Exceptions can disturb the flow of the code and prevent the necessary cleanup from happening.
From aeea36e8b622b9f524420b360fd4163f7b6eec4c Mon Sep 17 00:00:00 2001
From: Ketki
Date: Mon, 1 Sep 2025 20:58:58 +0530
Subject: [PATCH 17/22] Update compliant.py for lint compliance
Signed-off-by: Ketki
---
 .../CWE-664/CWE-460/compliant.py | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)
diff --git a/docs/Secure-Coding-Guide-for-Python/CWE-664/CWE-460/compliant.py b/docs/Secure-Coding-Guide-for-Python/CWE-664/CWE-460/compliant.py
index 56198c71..c95fc17e 100644
--- a/docs/Secure-Coding-Guide-for-Python/CWE-664/CWE-460/compliant.py
+++ b/docs/Secure-Coding-Guide-for-Python/CWE-664/CWE-460/compliant.py
@@ -1,6 +1,11 @@
-# SPDX-FileCopyrightText: OpenSSF project contributors
-# SPDX-License-Identifier: MIT
-""" Compliant Code Example """
+
+
+## Compliant Code Example
+
+```python
import threading
lock = threading.Lock()
@@ -20,4 +25,3 @@ def perform_critical_operation():
perform_critical_operation()
except ValueError as e:
print(f"Caught exception: {e}")
-
From 6ec3b1c743795b28432954ac2adc3c6f3a129a78 Mon Sep 17 00:00:00 2001
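Review bot: The new header of compliant.py is Markdown, not Python: the added `## Compliant Code Example` line is merely a comment, but the added "```python" fence line is a SyntaxError, so the file no longer imports, runs or lints, which defeats the commit's stated purpose. The three removed lines are also the project's license header and the module docstring that noncompliant.py keeps, so the two examples now diverge. Restore `# SPDX-FileCopyrightText: OpenSSF project contributors`, `# SPDX-License-Identifier: MIT` and `"""Compliant Code Example"""` in place of the heading and the fence; the Markdown belongs in README.md, which already embeds this file. The diffstat reports 8 insertions while only five added lines are visible here, so some blank lines may have been lost in this rendering.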
From: Ketki Date: Wed, 3 Sep 2025 21:27:55 +0530 Subject: [PATCH 18/22] Update README.md Signed-off-by: Ketki --- .../CWE-664/CWE-460/README.md | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) diff --git a/docs/Secure-Coding-Guide-for-Python/CWE-664/CWE-460/README.md b/docs/Secure-Coding-Guide-for-Python/CWE-664/CWE-460/README.md index ea83f51f..b8be07f3 100644 --- a/docs/Secure-Coding-Guide-for-Python/CWE-664/CWE-460/README.md +++ b/docs/Secure-Coding-Guide-for-Python/CWE-664/CWE-460/README.md @@ -3,9 +3,10 @@ Make sure that your code fully and correctly cleans up its state whenever an exception occurs to avoid unexpected state or control flow. -Often, when functions or loops become complicated, some level of resource cleanup is needed throughout execution. Exceptions can disturb the flow of the code and prevent the necessary cleanup from happening. +Often, when functions or loops become complicated, some level of resource cleanup is needed throughout execution. +Exceptions can disturb the flow of the code and prevent the necessary cleanup from happening. -A consequence of this is that the code is left in a bad state. +A consequence of this is that the code is left in a bad state. One of the ways to mitigate this is to make sure that cleanup happens or that you should exit the program. Use throwing exceptions sparsely. @@ -17,15 +18,16 @@ In the noncompliant.py example, a thread gets locked, but not unlocked due to an noncompliant.py: -``` +```python # SPDX-FileCopyrightText: OpenSSF project contributors # SPDX-License-Identifier: MIT + """Non-compliant Code Example""" + import threading lock = threading.Lock() - def perform_critical_operation(): # the lock has been acquired for performing a critical operation lock.acquire() @@ -34,7 +36,6 @@ def perform_critical_operation(): raise ValueError("Something went wrong!") lock.release() # This line is never reached due to the exception - try: perform_critical_operation() except ValueError as e: 
@@ -53,17 +54,18 @@ In the above code example, the acquired lock never gets released, as an error ge In compliant01.py we use the with statement to ensure that the lock is released properly even if an error is to occur. compliant01.py: + ## Compliant Code Example -``` +```python # SPDX-FileCopyrightText: OpenSSF project contributors # SPDX-License-Identifier: MIT + """ Compliant Code Example """ import threading lock = threading.Lock() - def compliant_example(): with lock: # the lock has been acquired using the 'with' statement and will be released when the block exits; even if an exception occurs @@ -72,7 +74,6 @@ def compliant_example(): raise ValueError("Something went wrong!") print("Lock released.") - try: compliant_example() except ValueError as e: From 8764bf26ac5d39d781a930b48bad15c6c3fa942c Mon Sep 17 00:00:00 2001 From: Ketki Date: Wed, 3 Sep 2025 21:37:28 +0530 Subject: [PATCH 19/22] Update README.md Signed-off-by: Ketki --- .../Secure-Coding-Guide-for-Python/CWE-664/CWE-460/README.md | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/docs/Secure-Coding-Guide-for-Python/CWE-664/CWE-460/README.md b/docs/Secure-Coding-Guide-for-Python/CWE-664/CWE-460/README.md index b8be07f3..2b942d70 100644 --- a/docs/Secure-Coding-Guide-for-Python/CWE-664/CWE-460/README.md +++ b/docs/Secure-Coding-Guide-for-Python/CWE-664/CWE-460/README.md @@ -82,7 +82,10 @@ except ValueError as e: ### with lock: is shorthand for -``` +```python +# SPDX-FileCopyrightText: OpenSSF project contributors +# SPDX-License-Identifier: MIT + lock.acquire() try: ... From 1c67894147557dd146c6ed98ec91985fd99ae01b Mon Sep 17 00:00:00 2001 From: Ketki Date: Wed, 3 Sep 2025 21:46:13 +0530 Subject: [PATCH 20/22] Update README.md Signed-off-by: Ketki --- docs/Secure-Coding-Guide-for-Python/CWE-664/CWE-460/README.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) 
diff --git a/docs/Secure-Coding-Guide-for-Python/CWE-664/CWE-460/README.md b/docs/Secure-Coding-Guide-for-Python/CWE-664/CWE-460/README.md index 2b942d70..572e307d 100644 --- a/docs/Secure-Coding-Guide-for-Python/CWE-664/CWE-460/README.md +++ b/docs/Secure-Coding-Guide-for-Python/CWE-664/CWE-460/README.md @@ -100,13 +100,12 @@ It is best practice to use 'with' in such cases as it will make sure the resourc ## Automated Detection ||||| -|:---|:---|:---|:---| + |Tool|Version|Checker|Description| ## Related Guidelines ||| -|:---|:---| |[CWE MITRE Pillar](http://cwe.mitre.org/)|[https://cwe.mitre.org/data/definitions/460.html]| From c86dd788980286b1d7ccec81caac1ea4f1be1295 Mon Sep 17 00:00:00 2001 From: Ketki Date: Wed, 3 Sep 2025 22:06:00 +0530 Subject: [PATCH 21/22] Update README.md Signed-off-by: Ketki --- docs/Secure-Coding-Guide-for-Python/CWE-664/CWE-460/README.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/docs/Secure-Coding-Guide-for-Python/CWE-664/CWE-460/README.md b/docs/Secure-Coding-Guide-for-Python/CWE-664/CWE-460/README.md index 572e307d..2b942d70 100644 --- a/docs/Secure-Coding-Guide-for-Python/CWE-664/CWE-460/README.md +++ b/docs/Secure-Coding-Guide-for-Python/CWE-664/CWE-460/README.md @@ -100,12 +100,13 @@ It is best practice to use 'with' in such cases as it will make sure the resourc ## Automated Detection ||||| - +|:---|:---|:---|:---| |Tool|Version|Checker|Description| ## Related Guidelines ||| +|:---|:---| |[CWE MITRE Pillar](http://cwe.mitre.org/)|[https://cwe.mitre.org/data/definitions/460.html]| From fc0d9da55671bfb77bba2d578f06abde89fecd7a Mon Sep 17 00:00:00 2001 From: Ketki Date: Wed, 3 Sep 2025 22:21:40 +0530 Subject: [PATCH 22/22] Update README.md Signed-off-by: Ketki --- .../CWE-664/CWE-460/README.md | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) 
diff --git a/docs/Secure-Coding-Guide-for-Python/CWE-664/CWE-460/README.md b/docs/Secure-Coding-Guide-for-Python/CWE-664/CWE-460/README.md index 2b942d70..113e18e3 100644 --- a/docs/Secure-Coding-Guide-for-Python/CWE-664/CWE-460/README.md +++ b/docs/Secure-Coding-Guide-for-Python/CWE-664/CWE-460/README.md @@ -80,7 +80,7 @@ except ValueError as e: print(f"Caught exception: {e}") ``` -### with lock: is shorthand for +### with lock: is shorthand for ```python # SPDX-FileCopyrightText: OpenSSF project contributors @@ -94,8 +94,7 @@ finally: ``` -It is best practice to use 'with' in such cases as it will make sure the resource gets released even if an exception occurs in the execution. - +It is best practice to use 'with' in such cases as it will make sure the resource gets released even if an exception occurs in the execution. ## Automated Detection @@ -108,6 +107,3 @@ It is best practice to use 'with' in such cases as it will make sure the resourc ||| |:---|:---| |[CWE MITRE Pillar](http://cwe.mitre.org/)|[https://cwe.mitre.org/data/definitions/460.html]| - - -