Skip to content

Commit d86ee55

Browse files
committed
updates
1 parent 5c22646 commit d86ee55

6 files changed

Lines changed: 935 additions & 0 deletions

File tree

constructs/exceptions.md

Lines changed: 169 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,169 @@
1+
# Exception Statements
2+
3+
## Rationale or Security Concerns
4+
5+
The use of Python exception statements becomes a critical security weakness when `pass` or `continue` is used for exception handling. This pattern is inherently dangerous as it creates silent failure conditions that can mask security vulnerabilities and enable attacks.
6+
7+
8+
The Python pattern:
9+
```python
10+
try:
11+
do_some_stuff()
12+
except Exception:
13+
pass
14+
```
15+
16+
presents severe security risks due to:
17+
18+
- **Overly broad exception handling** – catching `Exception` masks virtually all errors, including security-critical ones
19+
- **Silent failure** – using `pass` suppresses all evidence that something went wrong
20+
- **Arbitrary Code Execution Risk** – If `do_some_stuff()` involves deserialization (e.g., `pickle.loads()`), catching and ignoring exceptions could hide successful exploitation of deserialization vulnerabilities that lead to arbitrary code execution
21+
- **Attack Vector Concealment** – Attackers can deliberately trigger exceptions as part of reconnaissance or exploitation, and the silenced errors provide no defensive alerts
22+
23+
24+
This pattern often appears due to:
25+
- **Use of AI coding tools** :Many AI vibe coding tools will produce `pass` in exception handling functions by default.
26+
- **Developer convenience**: Quick "fix" to prevent crashes without addressing root causes
27+
- **Misguided stability attempts** : Belief that catching all errors ensures application stability
28+
- **Lack of security awareness**: Developers unaware of the security implications
29+
30+
### Inherent Security Risks
31+
32+
1. **Masking of Critical Errors and Vulnerabilities:**
33+
- **Hiding Bugs:** Any exception, from a simple `TypeError` to a critical `MemoryError` or a security-related issue like an `InjectionError` (if `do_some_stuff()` interacts with databases or external systems), will be silently caught and ignored
34+
- **Undetected Attacks:** If an attacker triggers an exception as part of an exploit (e.g., a buffer overflow causing specific exceptions, invalid input leading to unhandled conditions), the `except Exception: pass` block swallows it. The attack might succeed without any indication
35+
- **Resource Leaks:** If `do_some_stuff()` involves opening files, network connections, or acquiring locks, exceptions occurring before proper cleanup can lead to resource exhaustion, denial-of-service (DoS), or data corruption
36+
37+
2. **Denial of Service (DoS) Vulnerabilities:**
38+
- **Infinite Loops/Stuck Processes:** An error within `do_some_stuff()` leading to infinite loops or stuck processes won't be reported, potentially making the application unresponsive and vulnerable to DoS attacks
39+
- **Resource Exhaustion:** Silenced exceptions prevent proper cleanup, allowing resource leaks to accumulate over time
40+
41+
3. **Compromised Data Integrity and Consistency:**
42+
- If `do_some_stuff()` performs data-modifying operations (database writes, file manipulations), exceptions can leave data in inconsistent or corrupted states. Silently ignoring these means the program continues, potentially propagating bad data
43+
44+
4. **Lack of Forensic Information:**
45+
- No logging, no traceback, no indication of what went wrong severely hinders post-mortem analysis and incident investigation
46+
47+
5. **Compliance Failures:**
48+
- For security audits and compliance requirements (GDPR, HIPAA, PCI DSS), robust error handling is a necessity. Silenced exceptions make it impossible to demonstrate appropriate error management
49+
50+
51+
## Preventive Measures / Mitigations
52+
53+
### Safer Alternatives
54+
55+
**1. Be Specific – Catch Only Expected Exceptions:**
56+
Always catch specific exceptions you anticipate and know how to handle:
57+
```python
58+
try:
59+
do_some_stuff()
60+
except ValueError:
61+
handle_value_error()
62+
except FileNotFoundError:
63+
handle_missing_file()
64+
```
65+
66+
**2. Log Exceptions Properly:**
67+
Even if choosing not to crash, always log the exception with full traceback:
68+
```python
69+
import logging
70+
71+
logging.basicConfig(level=logging.ERROR)
72+
73+
try:
74+
do_some_stuff()
75+
except Exception as e:
76+
logging.error("Unexpected error in do_some_stuff()", exc_info=True)
77+
# Optionally re-raise if program cannot continue meaningfully
78+
# raise
79+
```
80+
81+
**3. Use `finally` or Context Managers for Cleanup:**
82+
Ensure resource cleanup regardless of exceptions:
83+
```python
84+
try:
85+
f = open("my_file.txt", "r")
86+
# ... do stuff with f ...
87+
except FileNotFoundError:
88+
print("File not found!")
89+
finally:
90+
if 'f' in locals() and not f.closed:
91+
f.close()
92+
```
93+
94+
Even better using `with` :
95+
```python
96+
try:
97+
with open("my_file.txt", "r") as f:
98+
# ... do stuff with f ...
99+
pass
100+
except FileNotFoundError:
101+
print("File not found!")
102+
```
103+
104+
105+
**4. Implement Graceful Degradation:**
106+
Rather than failing silently, provide meaningful fallback behavior:
107+
```python
108+
try:
109+
result = fetch_from_external_service()
110+
except ExternalServiceError as e:
111+
logging.critical("External service unavailable", exc_info=True)
112+
result = get_cached_data() # Fallback
113+
```
114+
115+
**5. Use Cryptographic Signing for Validation:**
116+
For deserialization operations, consider using `hmac` or `safetensors`:
117+
```python
118+
import hmac
119+
import hashlib
120+
import pickle
121+
122+
def secure_load(data, key):
123+
"""Load pickled data only if signature is valid."""
124+
signature = data[:32] # Prepend signature
125+
payload = data[32:]
126+
127+
expected = hmac.new(key, payload, hashlib.sha256).digest()
128+
if not hmac.compare_digest(signature, expected):
129+
raise ValueError("Invalid signature - possible tampering")
130+
131+
return pickle.loads(payload)
132+
```
133+
134+
## Discussion
135+
136+
### When Is Silent Exception Handling Acceptable?
137+
138+
Rarely. Some valid but limited scenarios include:
139+
- **Cleanup operations where failure is non-critical** (but still log)
140+
- **Context managers where the only purpose is resource management**
141+
- **Hook functions where exceptions from one handler shouldn't affect others** (but log each)
142+
143+
Always document why an exception is being ignored.
144+
145+
### The `continue` Variation
146+
147+
Using `continue` within a loop's exception handler similarly bypasses error reporting:
148+
```python
149+
for item in data:
150+
try:
151+
process(item)
152+
except Exception:
153+
continue # Just as dangerous as pass
154+
```
155+
156+
157+
158+
159+
160+
161+
## More Information
162+
163+
- [CWE-248: Uncaught Exception](https://cwe.mitre.org/data/definitions/248.html)
164+
- [CWE-703: Improper Check or Handling of Exceptional Conditions](https://cwe.mitre.org/data/definitions/703.html)
165+
- [CWE-456: Missing Initialization of a Variable](https://cwe.mitre.org/data/definitions/456.html)
166+
- [CWE-391: Unchecked Error Condition](https://cwe.mitre.org/data/definitions/391.html)
167+
- [Python Exception Handling Best Practices](https://docs.python.org/3/tutorial/errors.html)
168+
- [OWASP Error Handling Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Error_Handling_Cheat_Sheet.html)
169+

constructs/ftp.md

Lines changed: 138 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,138 @@
1+
# FTP Statement
2+
3+
The use of `ftplib.FTP` from Python's standard library is **insecure and should be avoided** in modern application development. This class implements the legacy File Transfer Protocol (FTP), which lacks native encryption for both authentication and data transmission.
4+
5+
:::{danger}
6+
Never ever allow or use `ftplib.FTP`.
7+
8+
Even within isolated or private networks, the risk of credential theft and data interception is unacceptably high. Always implement protocols that secure data transfers by default.
9+
:::
10+
11+
## Security Concerns
12+
13+
Using `ftplib.FTP` introduces several critical vulnerabilities that compromise the confidentiality and integrity of your data:
14+
15+
### Cleartext Credentials
16+
Usernames and passwords are transmitted in plain text over the network, making them trivial to intercept via packet sniffing tools such as Wireshark or tcpdump.
17+
18+
### Unencrypted Data Transfer
19+
File contents, directory structures, and command responses are sent without encryption. This exposes sensitive information to eavesdropping and allows attackers to read or modify data in transit.
20+
21+
### Man-in-the-Middle (MITM) Attacks
22+
Because FTP lacks cryptographic integrity checks, an attacker positioned between the client and server can capture, alter, or inject malicious content into the communication stream undetected.
23+
24+
### Deceptive Aliasing
25+
Renaming the class (e.g., `from ftplib import FTP as SecureFTP`) provides no technical security whatsoever and is **dangerously misleading**. This practice can create a false sense of security among developers and should be strictly prohibited in code reviews.
26+
27+
### Firewall and NAT Complications
28+
FTP's use of multiple ports (control and data channels) frequently leads to firewall and Network Address Translation (NAT) traversal problems, increasing operational complexity and security risk.
29+
30+
## Preventive Measures
31+
32+
To mitigate the risks associated with file transfer operations, adopt the following security practices:
33+
34+
### Avoid `ftplib.FTP` Entirely
35+
Never use plain FTP in production environments or for handling sensitive data, regardless of network segmentation or perceived isolation.
36+
37+
### Use Secure Alternatives
38+
- **Prefer SFTP** (SSH File Transfer Protocol) using the `paramiko` library, which provides strong encryption and authentication through the SSH protocol.
39+
- **Alternatively, use FTPS** (FTP over TLS/SSL) via `ftplib.FTP_TLS` where SFTP is not available. Ensure that explicit TLS is enabled and certificate validation is enforced.
40+
41+
### Enforce Encrypted Communication
42+
Verify that all authentication credentials and file transfers occur exclusively over encrypted channels. Reject any connection that does not support modern cryptographic standards.
43+
44+
### Validate Third-Party Integrations
45+
Before integrating external services, confirm that they support secure protocols (SFTP or FTPS) and are configured to enforce encryption.
46+
47+
### Apply Secure Credential Handling
48+
Store and manage credentials using secure mechanisms such as environment variables, dedicated secrets managers (e.g., HashiCorp Vault, AWS Secrets Manager), or encrypted configuration files. Never hard-code credentials in source code.
49+
50+
## Example
51+
52+
The following example demonstrates both insecure and secure approaches to file transfer using only Python's standard library:
53+
54+
**INSECURE: Do not use this approach**
55+
```python
56+
from ftplib import FTP
57+
58+
ftp = FTP("example.com")
59+
ftp.login("username", "password") # Credentials sent in cleartext
60+
with open("file.txt", "rb") as f:
61+
ftp.storbinary("STOR file.txt", f)
62+
ftp.quit()
63+
```
64+
65+
**SECURE: Use FTPS with explicit TLS (standard library only)**
66+
67+
```python
68+
from ftplib import FTP_TLS
69+
import ssl
70+
71+
# Create FTPS connection with explicit TLS
72+
ftps = FTP_TLS("example.com")
73+
ftps.login("username", "password")
74+
75+
# Force encryption for the data channel
76+
ftps.prot_p()
77+
78+
# Optional: Enforce strict certificate validation
79+
ftps.ssl_context = ssl.create_default_context()
80+
ftps.ssl_context.check_hostname = True
81+
ftps.ssl_context.verify_mode = ssl.CERT_REQUIRED
82+
83+
# Transfer file securely
84+
with open("file.txt", "rb") as f:
85+
ftps.storbinary("STOR file.txt", f)
86+
87+
ftps.quit()
88+
```
89+
90+
### FTPS Configuration Best Practices
91+
92+
When using `ftplib.FTP_TLS`, implement these additional security measures:
93+
94+
```python
95+
import ssl
96+
from ftplib import FTP_TLS
97+
98+
# Create a secure SSL context
99+
context = ssl.create_default_context()
100+
context.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:DHE+CHACHA20:!aNULL:!MD5:!DSS")
101+
context.options |= ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3 | ssl.OP_NO_TLSv1 | ssl.OP_NO_TLSv1_1
102+
103+
# Establish secure connection
104+
ftps = FTP_TLS("example.com", context=context)
105+
ftps.login("username", "password")
106+
ftps.prot_p() # Critical: Force encrypted data channel
107+
108+
# Verify server certificate matches hostname
109+
ftps.ssl_context.check_hostname = True
110+
111+
# Transfer files with encryption
112+
with open("sensitive_data.txt", "rb") as f:
113+
ftps.storbinary("STOR sensitive_data.txt", f)
114+
115+
# Secure logout
116+
ftps.quit()
117+
```
118+
119+
### Important FTPS Considerations
120+
121+
- **Always call `prot_p()`**: Without this, your data channel remains unencrypted even if the control channel is secure.
122+
- **Certificate Validation**: Never disable certificate verification (avoid `ssl.CERT_NONE` in production).
123+
- **TLS Version**: Require TLS 1.2 or higher; disable older, vulnerable protocols.
124+
- **Cipher Suites**: Use only strong, modern cipher suites that provide forward secrecy.
125+
126+
## Discussion
127+
128+
The decision to avoid `ftplib.FTP` stems from fundamental protocol design flaws that cannot be mitigated through configuration or workarounds. While FTP remains in use due to legacy system requirements, modern security standards mandate encryption for all network communications.
129+
130+
When SFTP is unavailable, FTPS with explicit TLS provides an acceptable alternative, provided that certificate validation is enforced and weak cryptographic ciphers are disabled. However, SFTP is generally preferred due to its simpler firewall traversal (single port), better integration with SSH infrastructure, and more comprehensive security features.
131+
132+
Organizations should conduct regular audits to identify and remediate any lingering FTP usage. Good SAST scanning tools for Python detect imports of `ftplib.FTP` and flag them.
133+
134+
## More Information
135+
136+
- [CWE-319: Cleartext Transmission of Sensitive Information](https://cwe.mitre.org/data/definitions/319.html)
137+
- [Python `ftplib` Documentation](https://docs.python.org/3/library/ftplib.html)
138+
- [NIST SP 800-52: Guidelines for the Selection and Use of Transport Layer Security (TLS) Implementations](https://csrc.nist.gov/publications/detail/sp/800-52/rev-2/final)

0 commit comments

Comments
 (0)