PyPI - codeaudit - Versions diffs - 1.0.0__tar.gz → 1.2.0__tar.gz - Mend

codeaudit 1.0.0tar.gz → 1.2.0tar.gz

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (164) hide show

codeaudit-1.2.0/CHANGELOG.md ADDED Viewed

@@ -0,0 +1,59 @@
+# Change Log
+# Version 1.2: Changes and Updates
+* fix: Improved error handling — when performing a file scan on a single Python file that cannot be parsed, the CLI now correctly displays an error message.
+* fix: Updated API logic to properly handle parsing errors for single Python files.
+* fix: Corrected validation descriptions for `os.write` and `os.writev`. Writing to unvalidated or unintended file descriptors can lead to data corruption, privilege escalation, or denial of service.
+* fix: Internal API functions now use a leading underscore (`_`) to clearly distinguish them from public APIs.
+* **new**: Added a function for weakness visualization. Refer to the examples for usage details.
+* **new**: Added API documentation and examples for usage details.
+## Version 1.1:What's New
+We've released a new version with several key improvements focused on making your security workflow smoother and providing more detailed security information.
+* Streamlined Scanning:
+The separate `directoryscan` command has been removed. You can now use the versatile `filescan` command to scan both individual files and entire directories. This simplifies the command-line interface and makes the process more intuitive.
+* Enhanced Reporting:
+We've made minor corrections to the documentation and static HTML reports to improve clarity. Additionally, warning messages are now more descriptive, helping you quickly understand potential issues.
+* Improved Vulnerability Data:
+You'll now get more detailed information about module vulnerabilities. The tool now includes CVSS scores, a standard metric for rating vulnerability severity, giving you a clearer picture of the risks.
+* Behind-the-Scenes Fixes:
+We've made a more robust and reliable adjustment to how the tool retrieves file names. This ensures consistency and accuracy during scans. We've also added beta-level API functions, opening up new possibilities for integration.
+## Version 1.0
+This release represents a stabilisation of Python Code Audit!
+Main changes in relation to the pre-1.0 versions are:
+* More validations added: Python Code Audit now counts 70 security validations!
+* Documentation updates
+* Improved validation for `builtins`, like `compile`, `exec`,, `eval` that can be obfuscated in code.
+* Various UI/UX updates. CLI text improved and HTML report text made consistent.
+* Added test to validate correct working for now and in the future. Also validated working with other SAST tools to make sure core functionality is rock solid or better! Spoiler Python Code Audit is better than most used OSS and commercial SAST tools available today!
+## Beta Versions (Before 1.0)
+All published beta version are stable and verified!
+During the public beta phase input of users and experts is retrieved.
+This resulted is mainly:
+* More validation
+* Better documentation and
+* UI/UX improvements to make sure Python Code Audit is dead simple to use for non-programmers to validate a Python package.

{codeaudit-1.0.0 → codeaudit-1.2.0}/PKG-INFO RENAMED Viewed

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: codeaudit
-Version: 1.0.0
+Version: 1.2.0
 Summary: Simplified static security checks for Python
 Project-URL: Documentation, https://github.com/nocomplexity/codeaudit#readme
 Project-URL: Issues, https://github.com/nocomplexity/codeaudit/issues
@@ -35,13 +35,17 @@ Description-Content-Type: text/markdown
 Python Code Audit - A modern Python source code analyzer based on distrust.
-Python Code Audit is a tool to find **security issues** in Python code. This static application security testing (SAST) tool has **great** features to simplify the necessary security tasks and make it fun and easy.
+Python Code Audit is a tool to find **security weaknesses** in Python code. This static application security testing (SAST) tool has **great** features to simplify the necessary security tasks and make it fun and easy.
+This tool is designed for anyone who uses or creates Python programs and wants to understand and mitigate potential security risks.
 This tool is created for:
-* Users of Python programs who want to known the security risks of the used Python code.
-* Anyone who loves to create Python programs and want to deliver Python code without vulnerabilities. So this tool is not only professional programs, but also occasional Python programmers. Creating secure software is very difficult. This program with the extensive documentation is your friendly security colleague!
-* Anyone who wants a simple way to get fast insight in possible security risks with Python packages or Python files.
+* Python Users who want to assess the security risks in the Python code they use.
+* Python Developers: Anyone, from professionals to hobbyists, who wants to deliver secure Python code.
+* Security-Conscious Users: People seeking a simple, fast way to gain insight into potential security vulnerabilities within Python packages or files.
+Creating secure software can be challenging. This tool, with its comprehensive [documentation](https://nocomplexity.com/documents/codeaudit/intro.html), acts as your helpful security colleague, making it easier to identify and address vulnerabilities.
 ## Features
@@ -59,7 +63,7 @@ Python Code Audit has the following features:
-> [!IMPORTANT]
+> [!NOTE]
 > Python Code Audit uses the Python's Abstract Syntax Tree (AST) to get robust and reliable result. Using the Python AST makes contextual Vulnerability Detection possible and false positive are minimized.
@@ -71,7 +75,7 @@ pip install codeaudit
 or use:
-```bash
+```console
 pip install -U codeaudit
 ```
@@ -103,9 +107,8 @@ Depending on the command, a directory or file name must be specified. The output
 Commands:
   overview             Reports Complexity and statistics per Python file from a directory.
-  directoryscan        Reports potential security issues for all Python files found in a directory.
-  filescan             Reports potential security issues for a single Python file.
-  modulescan           Reports module information per file.
+  filescan             Scans Python files or directories(packages) for vulnerabilities and reports potential issues.
+  modulescan           Reports module vulnerability information.
   checks               Creates an HTML report of all implemented security checks.
   version              Prints the module version. Or use codeaudit [-v] [--v] [-version] or [--version].
@@ -116,7 +119,7 @@ Check https://simplifysecurity.nocomplexity.com/
 ## Example
-By running the `codeaudit filescan` command, detailed security information is determined for a Python file based on more than **60 validations** implemented.
+By running the `codeaudit filescan` command, detailed security information is determined for a Python file based on more than **70 validations** implemented.
 The `codeaudit filescan` command shows all **potential** security issues that are detected in the source file in a HTML-report.

{codeaudit-1.0.0 → codeaudit-1.2.0}/README.md RENAMED Viewed

@@ -9,13 +9,17 @@
 Python Code Audit - A modern Python source code analyzer based on distrust.
-Python Code Audit is a tool to find **security issues** in Python code. This static application security testing (SAST) tool has **great** features to simplify the necessary security tasks and make it fun and easy.
+Python Code Audit is a tool to find **security weaknesses** in Python code. This static application security testing (SAST) tool has **great** features to simplify the necessary security tasks and make it fun and easy.
+This tool is designed for anyone who uses or creates Python programs and wants to understand and mitigate potential security risks.
 This tool is created for:
-* Users of Python programs who want to known the security risks of the used Python code.
-* Anyone who loves to create Python programs and want to deliver Python code without vulnerabilities. So this tool is not only professional programs, but also occasional Python programmers. Creating secure software is very difficult. This program with the extensive documentation is your friendly security colleague!
-* Anyone who wants a simple way to get fast insight in possible security risks with Python packages or Python files.
+* Python Users who want to assess the security risks in the Python code they use.
+* Python Developers: Anyone, from professionals to hobbyists, who wants to deliver secure Python code.
+* Security-Conscious Users: People seeking a simple, fast way to gain insight into potential security vulnerabilities within Python packages or files.
+Creating secure software can be challenging. This tool, with its comprehensive [documentation](https://nocomplexity.com/documents/codeaudit/intro.html), acts as your helpful security colleague, making it easier to identify and address vulnerabilities.
 ## Features
@@ -33,7 +37,7 @@ Python Code Audit has the following features:
-> [!IMPORTANT]
+> [!NOTE]
 > Python Code Audit uses the Python's Abstract Syntax Tree (AST) to get robust and reliable result. Using the Python AST makes contextual Vulnerability Detection possible and false positive are minimized.
@@ -45,7 +49,7 @@ pip install codeaudit
 or use:
-```bash
+```console
 pip install -U codeaudit
 ```
@@ -77,9 +81,8 @@ Depending on the command, a directory or file name must be specified. The output
 Commands:
   overview             Reports Complexity and statistics per Python file from a directory.
-  directoryscan        Reports potential security issues for all Python files found in a directory.
-  filescan             Reports potential security issues for a single Python file.
-  modulescan           Reports module information per file.
+  filescan             Scans Python files or directories(packages) for vulnerabilities and reports potential issues.
+  modulescan           Reports module vulnerability information.
   checks               Creates an HTML report of all implemented security checks.
   version              Prints the module version. Or use codeaudit [-v] [--v] [-version] or [--version].
@@ -90,7 +93,7 @@ Check https://simplifysecurity.nocomplexity.com/
 ## Example
-By running the `codeaudit filescan` command, detailed security information is determined for a Python file based on more than **60 validations** implemented.
+By running the `codeaudit filescan` command, detailed security information is determined for a Python file based on more than **70 validations** implemented.
 The `codeaudit filescan` command shows all **potential** security issues that are detected in the source file in a HTML-report.

{codeaudit-1.0.0 → codeaudit-1.2.0}/SECURITY.md RENAMED Viewed

@@ -15,7 +15,6 @@ To report a security issue, please use the GitHub Security Advisory ["Report a V
 I will send a response indicating the next steps in handling your report. After the initial reply to your report, I will keep you informed of the progress towards a fix and full announcement, and may ask for additional information or guidance.
-For context on Electron's security notification process, please see the Notifications section of the Security WG's Membership and Notifications Governance document.
 ## Learning More About Security

{codeaudit-1.0.0 → codeaudit-1.2.0}/docs/CLIcommands.ipynb RENAMED Viewed

@@ -13,7 +13,7 @@
   },
   {
    "cell_type": "code",
-   "execution_count": 1,
+   "execution_count": 9,
    "id": "923aba22-7103-4431-8545-ee5596efa371",
    "metadata": {},
    "outputs": [],
@@ -23,7 +23,7 @@
   },
   {
    "cell_type": "code",
-   "execution_count": 2,
+   "execution_count": 10,
    "id": "057c9730-7b09-49a8-82f1-bc681d880c96",
    "metadata": {},
    "outputs": [],
@@ -33,7 +33,7 @@
   },
   {
    "cell_type": "code",
-   "execution_count": 3,
+   "execution_count": 11,
    "id": "67576531-b66f-42a3-b6e4-460423ca28e0",
    "metadata": {},
    "outputs": [],
@@ -44,7 +44,7 @@
   },
   {
    "cell_type": "code",
-   "execution_count": 4,
+   "execution_count": 12,
    "id": "2717fe66-9e66-4fcc-ae82-0d1ba26892c4",
    "metadata": {},
    "outputs": [],
@@ -54,19 +54,19 @@
   },
   {
    "cell_type": "code",
-   "execution_count": 5,
+   "execution_count": 13,
    "id": "3f286724-0a8f-45b2-80fe-d6d061fe440a",
    "metadata": {},
    "outputs": [],
    "source": [
     "output += '% THIS FILE IS GENERATED! - Use CLIcommands.ipynb to make it better!\\n'\n",
-    "output += '# Overview of Codeaudit commands\\n'\n",
-    "output += f'Codeaudit commands for: {version_id}'"
+    "output += '# Commands Overview\\n'\n",
+    "output += f'Python Code Audit commands for: {version_id}'"
    ]
   },
   {
    "cell_type": "code",
-   "execution_count": 6,
+   "execution_count": 14,
    "id": "693c3354-530b-4a40-a561-ed722d9bb1fa",
    "metadata": {},
    "outputs": [],
@@ -77,7 +77,7 @@
   },
   {
    "cell_type": "code",
-   "execution_count": 7,
+   "execution_count": 15,
    "id": "5fa9a420-bd9a-4641-99c9-de0bcf448dbc",
    "metadata": {},
    "outputs": [],
@@ -90,19 +90,18 @@
   },
   {
    "cell_type": "code",
-   "execution_count": 8,
+   "execution_count": 16,
    "id": "bf6afe56-e0f7-4fa2-a3a5-968bad11bf9c",
    "metadata": {},
    "outputs": [],
    "source": [
     "commands = {  \"overview\": 'overview_report',               \n",
     "                \"modulescan\": 'report_module_information',\n",
-    "                \"filescan\" : 'file_scan_report',\n",
-    "                \"directoryscan\" : 'directory_scan_report',\n",
+    "                \"filescan\" : 'scan_report',                \n",
     "                \"checks\" : 'report_implemented_tests',\n",
     "               \"version\" : 'display_version'} \n",
     "for key, value in commands.items():    \n",
-    "    output += f'## codeaudit {key}\\n' # newlines matter when creating markdown\n",
+    "    output += f'## Code Audit {key}\\n' # newlines matter when creating markdown\n",
     "    output += '```text\\n' # raw display    \n",
     "    func_name = value\n",
     "    output += getattr(codeaudit, func_name).__doc__\n",
@@ -114,7 +113,7 @@
   },
   {
    "cell_type": "code",
-   "execution_count": 9,
+   "execution_count": 17,
    "id": "0335783c-7676-4099-94c5-c98cc8f2f205",
    "metadata": {
     "editable": true,
@@ -135,13 +134,21 @@
   },
   {
    "cell_type": "code",
-   "execution_count": 10,
+   "execution_count": 18,
    "id": "4667d7ec-3727-4e2d-97b5-6f597c697ec7",
    "metadata": {},
    "outputs": [],
    "source": [
     "create_documentation_file(output)"
    ]
+  },
+  {
+   "cell_type": "markdown",
+   "id": "fd67a8f6-ed99-4f69-ab55-aad6103c7b5c",
+   "metadata": {},
+   "source": [
+    "## Create overview of validation commands for in documentation"
+   ]
   }
  ],
  "metadata": {
@@ -160,7 +167,7 @@
    "name": "python",
    "nbconvert_exporter": "python",
    "pygments_lexer": "ipython3",
-   "version": "3.13.1"
+   "version": "3.13.5"
   }
  },
  "nbformat": 4,

{codeaudit-1.0.0 → codeaudit-1.2.0}/docs/CONTRIBUTE.md RENAMED Viewed

@@ -23,7 +23,7 @@ This simple tool is designed to be simple to use and maintain.
 **Pull Requests are welcome!**
-When you contribute to Codeaudit, your contributions are made under the same license as the file you are working on.
+When you contribute to Python Code Audit, your contributions are made under the same license as the file you are working on.
 We adopt the [Collective Code Construction Contract(C4)](https://rfc.zeromq.org/spec/42/) to streamline collaboration. C4 is meant to provide a reusable optimal collaboration model for open source software projects.
@@ -37,6 +37,16 @@ This project values respect and inclusiveness, and enforces a [Code of Conduct](
 This is an open community driven project. Contributors will be mentioned in the documentation.
 :::
+## Help with development
+:::{admonition} Start with Code Development
+:class: tip
+Making code contributions to **Python Code Audit** should be fun and simple!
+See the [section Development](makeitbetter) for to get a head start when making code contributions!
+:::
 (CoC-label)=
 ## Code of Conduct

{codeaudit-1.0.0 → codeaudit-1.2.0}/docs/_toc.yml RENAMED Viewed

@@ -7,17 +7,19 @@ parts:
   - file: features
   - file: userguide
     sections:
-    - file: codeauditoverview
-    - file: directoryscan
+    - file: codeauditoverview
     - file: filescan
     - file: modulescan
     - file: codeauditchecks
+  - file: howtoscan
+  - file: whatissast
   - file: whysast
   - file: issues
 - caption: Security Checks
   chapters:
+  - file: implementedvalidations
   - file: checksinformation
     sections:
     - file: checks/assert_check
@@ -51,17 +53,23 @@ parts:
   chapters:
   #- file: astlines
   # - file: astlines2
+  - file: makeitbetter
   - file: complexitycheck
   - file: warnings
-  - file: codeauditcommands
+  - file: codeauditcommands
   - file: changelog
+- caption: API Documentation
+  chapters:
+  - file: apidocs/api_intro
+    sections:
+    - file: examples/ca_api_example_overview
+    - file: examples/ca_api_example_json
+    - file: examples/ca_api_example_basic
+  - file: apidocs/modules
-# - caption: API Documentation
-#   chapters:
-#   - file: modules
 - caption: About
   chapters:
@@ -70,3 +78,4 @@ parts:
   - file: sponsors
   - file: license
   - file: about

codeaudit-1.2.0/docs/apidocs/api_intro.md ADDED Viewed

@@ -0,0 +1,19 @@
+# Python Code Audit APIs
+The **Python Code Audit** APIs make it easy to build your own tools and integrations, such as:
+* **Reporting dashboard**: Easily create custom dashboards using the APIs. Audit scan results can be exported to a human-readable JSON file for analysis and visualization.
+* **Statistical Analysis**:
+Use the APIs to identify and study common Python security weaknesses across multiple packages within your organization.
+* **CI/CD Integration**:
+Integrate the APIs into your continuous integration and deployment pipelines — even when using remote source control systems like `GitHub.com`, `GitLab.com`, `https://codeberg.org/` or https://notabug.org/ and many others!
+We’ve provided a few simple examples to demonstrate how to use the APIs effectively.
+```{tableofcontents}
+```

codeaudit-1.2.0/docs/apidocs/codeaudit.rst ADDED Viewed

@@ -0,0 +1,12 @@
+Code Audit Public APIs
+=======================
+Public Interfaces module
+------------------------
+.. automodule:: codeaudit.api_interfaces
+   :members:
+   :undoc-members:
+   :show-inheritance:

codeaudit-1.2.0/docs/apidocs/modules.rst ADDED Viewed

@@ -0,0 +1,7 @@
+API Reference
+==============
+.. toctree::
+   :maxdepth: 4
+   codeaudit

{codeaudit-1.0.0 → codeaudit-1.2.0}/docs/checks/assert_check.md RENAMED Viewed

@@ -3,7 +3,7 @@
 The Python `assert` statement itself is not insecure, but its *misuse* can lead to security vulnerabilities.
 :::{danger}
-Using `assert` can be problematic from a security perspective!
+Using `assert` for checks can introduce **serious security** risks!
 :::
@@ -21,18 +21,50 @@ This means any crucial checks you rely on for security or data integrity will si
 * **Not for graceful error handling:** Assertions are designed to signal "this should never happen, it's a bug." They raise an `AssertionError` which typically halts the program. In a production environment, you usually want to handle anticipated errors gracefully, log them, and potentially recover or inform the user, rather than crashing the application.
-2. Some side effects within `assert` statements can be dangerous.
+2.  Dangers of Side effects in assert Statements:
-* If an `assert` statement contains code with side effects (e.g., modifying a variable, calling a function that performs an action), those side effects will also be skipped when assertions are disabled. This can lead to unexpected behavior and security gaps.
+* If an assert statement contains code with side effects (e.g., modifying a variable or calling a function that performs an action), those side effects will also be skipped when assertions are disabled. For example, when running Python with the -O optimization flag. This can lead to unexpected behaviour and even security vulnerabilities.
-3. Use assert for testing code and during development only
+* If you rely on `assert` to prevent a `ZeroDivisionError` or validate user input, those checks will silently disappear in optimized environments. As a result, code may behave differently than intended, creating potential security gaps.
+* Relying on assert for input validation is especially dangerous. If assertions are used to block malicious input (e.g., to prevent SQL injection or enforce type checks), an attacker could exploit the fact that these validations are stripped out in production.
+* If an `assert` statement contains code with side effects (e.g., modifying a variable, calling a function that performs an action), those side effects will also be skipped when assertions are disabled. This can lead to unexpected behaviour and security gaps.
+* Instead of catching an AssertionError, a program can run differently. This can have severe security consequences. E.g. if asserts are used to validate user input to prevent sql injections or user input.
+## Preventive measures
+1. Use assert for testing code and during development only!
 * `assert` is good to use for `pytest` or other development constructs.
 * `Assert` helps to find mistakes during development. But it is not a security fence to protect against external threats or a robust mechanism for handling runtime issues in a live system. For production code, especially when dealing with external inputs or critical business logic, rely on explicit `if/else` checks and robust exception handling.
  * `Assert` statements should in general only be used for testing and debugging purposes.
- `assert` statements **SHOULD** be removed when not running in debug mode (i.e. when invoking the Python command with the -O or -OO options).
+ `assert` statements **SHOULD** be removed when not running in debug mode. This means when invoking the Python command with the -O or -OO options.
+2. Use explicit condition checks and raise proper exceptions (e.g., `ValueError`, `TypeError`) for input validation and critical logic.
+3. **Never ever** use `assert` in production Python code for checks.
+4. The **only** safe alternative: Explicit Checks!
+For production code, especially when handling external inputs or executing critical logic, always rely on explicit condition checks and robust exception handling.
+:::{admonition} Instead of an assert, use standard control flow and exception raising
+:class: hint
+* Use if/else checks: Explicitly validate inputs and conditions.
+* Raise proper exceptions: Use dedicated exceptions like `ValueError`, `TypeError`, or a custom exception to signal an issue. This provides a robust mechanism that can be caught and handled gracefully by upstream code, logging a clear error message instead of silently failing or creating a security hole.
+:::
 ## Example

codeaudit-1.2.0/docs/checks/builtinfunctions_check.md ADDED Viewed

@@ -0,0 +1,138 @@
+# Built-in Functions
+Some Python built-in functions can cause severe risks.
+The Python built-in functions:
+* `eval`
+* `exec` and
+* `compile`
+Should always be reviewed within the full context. By default use of this function is a **red** alert from a security perspective.
+Python Code Audit checks also on Builtin that are 'hidden':
+* Confusable homoglyphs like: `ℯ𝓍ℯ𝒸("print(2 + 2)")` Statements are detected.
+* Obfuscating usage of builtins module calls of `eval`, `exec` and `compile` like:
+```python
+import builtins
+b = builtins
+b.exec("2+2")
+```
+Or
+```python
+code_obj = d.compile('x = 5*5\nprint(x)', '<string>', 'exec')
+result = d.exec(code_obj)  #Input should not be obfuscated. Code Audit will detect this!
+```
+## Why check on `eval`
+:::{admonition} Security risk
+:class: danger
+`eval()` can execute arbitrary Python code.
+If the input is user-controlled or from an untrusted source, this can be exploited.
+:::
+So calling `eval` with user-supplied input may lead to security vulnerabilities.
+The `eval` function can also be used to execute arbitrary code objects (such as those created by `compile()`).
+Normal Python programs should not need to use this built-in function.
+The primary security concern with Python’s built-in `eval()` is its potential to enable **Remote Code Execution (RCE)**. Passing untrusted input to `eval()` is effectively the same as letting an attacker run arbitrary Python code on your system.
+Key Security Risks when using `eval`:
+1. **Arbitrary Code Execution (RCE)**
+   * `eval()` runs any Python code in the string it receives. If an attacker controls that string, they can execute malicious commands—stealing data, reading files, or invoking dangerous modules like `os` or `subprocess`.
+2. **Broken Sandboxing**
+   * Attempts to make `eval()` “safe” by restricting variables or the execution environment are unreliable. Attackers often find creative ways to escape these sandboxes and access sensitive data, functions, or the file system.
+3. **Denial of Service (DoS)**
+   * Even without stealing data, attackers can craft inputs that trigger infinite loops, deep recursion, or memory exhaustion. This can crash the interpreter or take down an entire service.
+:::{warning}
+This function is capable of executing any Python code given to it. Passing unvalidated external input (such as user input, or file contents , or API retrieved content) is a major security flaw that enables arbitrary code execution.
+**Never ever not use this function on data from untrusted sources.**
+:::
+## Why Check on `exec`
+:::{danger}
+The use of the exec() function in Python should never be permitted from a security perspective.
+It can executes arbitrary code. Or be called with untrusted input. This is a direct path to a severe security compromise.
+:::
+This function executes arbitrary code. Calling it with user-supplied input may lead to security vulnerabilities.
+Using `exec` in Python should never be tolerated from a security perspective. Key risks are:
+1. **Arbitrary Code Execution:** Executes any string as Python code; untrusted input can lead to full system compromise.
+2. **Sandboxing Fails:** Attempts to restrict execution are often bypassed.
+3. **Denial of Service:** Malicious code can cause infinite loops or memory exhaustion.
+4. **Injection Risk:** Dynamic code with user input creates exploitable injection points.
+5. **Hidden Side Effects:** Alters variables or global state unpredictably, introducing security and reliability issues.
+## Why check on `compile`
+As a general rule:
+* Never trust Python code that uses `compile`. Verify and understand all risks before running such a program.
+Security reasons to avoid Python’s built-in `compile()`:
+1. **Arbitrary Code Execution**
+   * `compile()` takes raw strings and turns them into executable Python code objects. If user input is passed to it (directly or indirectly), an attacker can execute arbitrary Python code on your system.
+2. **Bypassing Sandboxing or Input Validation**
+   * Using `compile()` can allow malicious input to bypass normal validation layers. Even if you sanitise strings for SQL or HTML, a crafted payload compiled into Python bytecode can escape restrictions.
+3. **Denial of Service (DoS) via Resource Exhaustion**
+   * Large or deeply nested input passed to `compile()` can consume huge amounts of CPU, memory, or recursion depth, potentially crashing the interpreter (e.g., from complex expressions or nested structures).
+4. **Exposure of Sensitive Data**
+   * Once arbitrary code is compiled and run, it can access system resources, environment variables, secrets in memory, or files on disk—leading to credential leaks or other security breaches.
+:::{warning}
+Compiling very large or deeply nested strings into an AST object can crash the Python interpreter. This happens because Python’s AST compiler has stack depth limitations, which may be exceeded by sufficiently complex input.
+:::
+:::{warning}
+Also the construct `ast.literal_eval` is not safe!
+Using this construct can still crash the Python interpreter due to stack depth limitations in Python’s AST compiler.
+[Reference](https://docs.python.org/3/library/ast.html#ast.literal_eval)
+:::
+## Preventive measures
+* Avoid using `eval`,`exec` and `compile`: Find a secure way by design, so rethink your design again from a security perspective. There is always a better and safer solution.
+## More information
+* https://docs.python.org/3/library/functions.html#eval
+* https://docs.python.org/3/library/functions.html#exec
+* https://docs.python.org/3/library/functions.html#compile

codeaudit 1.0.0__tar.gz → 1.2.0__tar.gz

codeaudit 1.0.0tar.gz → 1.2.0tar.gz