PyDoc2GitHub CWE-426

[tommcd]

Moving CWE-426 from confluence as part of #531

Note: existing folder XXX-005 should have been CWE-426 so it has been renamed.

[tommcd]

Hi @gkunz,
I wanted to add Labels "Product: Python Hardening Guide" to this PR, but I don't see any way to do so.
The 'Labels' section on the right side of this page is not editable for me.
I assume I don't have the required permissions?

[gkunz]

Hi @gkunz, I wanted to add Labels "Product: Python Hardening Guide" to this PR, but I don't see any way to do so. The 'Labels' section on the right side of this page is not editable for me. I assume I don't have the required permissions?

Hi @tommcd: yes, that seems to be the case. I just applied the label.

[gkunz]

I tried to validate the example, but I don't fully understand the effect of the --check-hash-based-pycs flag. To my understanding, it should avoid some sort of cache poisoning, but I wasn't able to make the example work for me with regards to this option.

To be precise: the non-compliant example works as expected, but that's due to the -I flag.

Is my understanding correct that one should try to construct an example in which the cached file include different code than the original source? I tried to create two different cache files (one for the server, one for the print out) and replace one with the other, but that didn't work for me. Is that the intention?

[SecurityCRob]

thank you

[tommcd]

I tried to validate the example, but I don't fully understand the effect of the --check-hash-based-pycs flag. To my understanding, it should avoid some sort of cache poisoning, but I wasn't able to make the example work for me with regards to this option.

To be precise: the non-compliant example works as expected, but that's due to the -I flag.

Is my understanding correct that one should try to construct an example in which the cached file include different code than the original source? I tried to create two different cache files (one for the server, one for the print out) and replace one with the other, but that didn't work for me. Is that the intention?

I believe you are correct. For now I reworded the description to make it clearer that -I address the exploit but --check-hash-based-pycs always adds additional security. I'll discuss with Helge to see if another or berrer example can be used.

[tommcd]

Hi @gkunz,
I'm not sure how to fix the following:

"Changes requested
1 review requesting changes and 1 approving review by reviewers with write access.

Merging is blocked
Merging can be performed automatically once the requested changes are addressed."

As far as I can see the requested changes were already resolved?

[gkunz]

Hi @gkunz, I'm not sure how to fix the following:

"Changes requested 1 review requesting changes and 1 approving review by reviewers with write access.

Merging is blocked Merging can be performed automatically once the requested changes are addressed."

As far as I can see the requested changes were already resolved?

@tommcd sorry, my bad. I'll update my review. Thanks for addressing my comments.