Showing 1,562 of 1,569 total issues

Using xml.dom.minidom to parse untrusted XML data is known to be vulnerable to XML attacks. Replace xml.dom.minidom with the equivalent defusedxml package, or make sure defusedxml.defuse_stdlib() is called.
Open

import xml.dom.minidom

Severity: Info
Found in apel/db/loader/xml_parser.py by bandit

Audit url open for permitted schemes. Allowing use of file:/ or custom schemes is often unexpected.
Open

        conn = urllib.request.urlopen(url)
Severity: Minor
Found in bin/retrieve_dns.py by bandit

Consider possible security implications associated with subprocess module.
Open

import subprocess
Severity: Info
Found in apel/parsers/sge.py by bandit

Using xml.dom.minidom.parseString to parse untrusted XML data is known to be vulnerable to XML attacks. Replace xml.dom.minidom.parseString with its defusedxml equivalent function or make sure defusedxml.defuse_stdlib() is called
Open

                dom = xml.dom.minidom.parseString(xml_string)
Severity: Minor
Found in bin/retrieve_dns.py by bandit

Using xml.dom.minidom.parseString to parse untrusted XML data is known to be vulnerable to XML attacks. Replace xml.dom.minidom.parseString with its defusedxml equivalent function or make sure defusedxml.defuse_stdlib() is called
Open

        self.doc = xml.dom.minidom.parseString(self.text)
Severity: Minor
Found in apel/db/loader/xml_parser.py by bandit

Audit url open for permitted schemes. Allowing use of file:/ or custom schemes is often unexpected.
Open

        conn = urllib.urlopen(url)
Severity: Minor
Found in bin/retrieve_dns.py by bandit

Library mysqlclient is licensed under a non-compliant license: GNU General Public License 3.0
Open

mysqlclient==2.1.1  # (Latest package) Documentation says it should work with py3.6 and py3.9. Above verison has dropped support for py3.6.
Severity: Minor
Found in requirements.txt by git-legal

Possible SQL injection vector through string-based query construction.
Open

        select_query = ('SELECT Site, SubmitHost, sum(NumberOfJobs) '
                        'AS NumberOfJobs, Month, Year FROM VSuperSummaries %s '
                        'GROUP BY Site, SubmitHost, Month, Year ORDER BY NULL'
                        % where)
Severity: Minor
Found in apel/db/backends/mysql.py by bandit

subprocess call - check for execution of untrusted input.
Open

            p = subprocess.Popen(["qhost", "-F", "-xml"], stdout=subprocess.PIPE, stderr=subprocess.PIPE)
Severity: Info
Found in apel/parsers/sge.py by bandit

TODO found
Open

-- TODO Check relevance of this view and possibly move to server-extra.sql
Severity: Minor
Found in schemas/server.sql by fixme

Possible SQL injection vector through string-based query construction.
Open

        select_query = 'SELECT * FROM %s' % (table_name)
Severity: Minor
Found in apel/db/backends/mysql.py by bandit

Using Document to parse untrusted XML data is known to be vulnerable to XML attacks. Replace Document with the equivalent defusedxml package, or make sure defusedxml.defuse_stdlib() is called.
Open

from xml.dom.minidom import Document

Use of assert detected. The enclosed code will be removed when compiling to optimised byte code.
Open

        assert len(tup) == len(self._db_fields), 'Different length of tuple and fields list'
Severity: Info
Found in apel/db/records/record.py by bandit

Using Document to parse untrusted XML data is known to be vulnerable to XML attacks. Replace Document with the equivalent defusedxml package, or make sure defusedxml.defuse_stdlib() is called.
Open

from xml.dom.minidom import Document
Severity: Info
Found in apel/db/records/summary.py by bandit

Using xml.dom.minidom.parseString to parse untrusted XML data is known to be vulnerable to XML attacks. Replace xml.dom.minidom.parseString with its defusedxml equivalent function or make sure defusedxml.defuse_stdlib() is called
Open

        xml_str = xml.dom.minidom.parseString(out)
Severity: Minor
Found in apel/parsers/sge.py by bandit

Audit url open for permitted schemes. Allowing use of file:/ or custom schemes is often unexpected.
Open

            conn = urllib.urlopen(url, proxies=proxy)
Severity: Minor
Found in bin/retrieve_dns.py by bandit
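The three urlopen findings above (bin/retrieve_dns.py) are the same point three times: urllib's opener also understands file:, ftp: and data: URLs, so a URL taken from a config file or command line must be checked before it is handed over. The following is an added example, not APEL code, written for Python 3 (the `urllib.urlopen` spellings on this page are the Python 2 API); the names ALLOWED_SCHEMES, check_url, open_url and is_permitted are chosen here.

```python
"""Scheme allowlist in front of urllib.request.urlopen (added example, not APEL code)."""
import urllib.request
from urllib.parse import urlsplit

# Hypothetical allowlist: the fetches on this page only ever talk to web servers.
ALLOWED_SCHEMES = frozenset({"http", "https"})


def check_url(url, allowed_schemes=ALLOWED_SCHEMES):
    """Return the URL unchanged if its scheme and host are acceptable, else raise ValueError.

    Without this, 'file:///etc/passwd' is a perfectly valid argument to urlopen
    and the caller gets the file contents back as if it were an HTTP body.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in allowed_schemes:
        raise ValueError("scheme %r not permitted in %r" % (scheme, url))
    if not parts.hostname:
        raise ValueError("URL has no host: %r" % url)
    return url


def open_url(url, timeout=30):
    """urlopen wrapped with the scheme check; returns the response object."""
    return urllib.request.urlopen(check_url(url), timeout=timeout)


def is_permitted(url):
    """Boolean form of check_url, for callers that filter a list of URLs."""
    try:
        check_url(url)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    for candidate in ("https://example.org/dns.txt", "file:///etc/passwd",
                      "FILE:///etc/passwd", "ftp://example.org/x", "/relative/path"):
        print("%-32s %s" % (candidate, "ok" if is_permitted(candidate) else "rejected"))
```

The check is deliberately on the parsed scheme, not a string prefix, so mixed-case schemes and scheme-less relative paths are rejected the same way.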

Possible SQL injection vector through string-based query construction.
Open

    c.execute('DELETE FROM JobRecords where date(EndTime) < "%s"' % cutoff)
Severity: Minor
Found in scripts/migrate_apel.py by bandit
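The three SQL injection findings above (apel/db/backends/mysql.py and scripts/migrate_apel.py) mix two different problems: a value (the `cutoff` date, the contents of `where`) pasted into the query text, which bound parameters fix, and a table name pasted in, which parameters cannot fix and an identifier allowlist can. The following is an added example, not project code, with sqlite3 standing in for MySQLdb so it runs offline: sqlite3 uses `?` placeholders where MySQLdb uses `%s`, but the `execute(query, params)` call is the same. The table and column allowlists, the fixture rows and the payload string are constructed here.

```python
"""Bound parameters for values, allowlists for identifiers (added example, not APEL code)."""
import re
import sqlite3

# Hypothetical allowlists for the identifiers the flagged queries interpolate.
ALLOWED_TABLES = frozenset({"JobRecords", "Summaries", "VSuperSummaries"})
ALLOWED_WHERE_COLUMNS = frozenset({"Site", "SubmitHost", "Month", "Year"})
ISO_DATE = re.compile(r"^\d{4}-\d{2}-\d{2}$")

# Constructed attack value for the cutoff parameter.
PAYLOAD = "2020-01-01' OR 1=1 OR '"


def vulnerable_delete(conn, cutoff):
    """The flagged pattern. Written with a single-quoted literal so it behaves the
    same in sqlite3 and MySQL; the double-quoted form on the page has the same flaw."""
    conn.execute("DELETE FROM JobRecords WHERE date(EndTime) < '%s'" % cutoff)


def is_valid_cutoff(cutoff):
    return bool(ISO_DATE.match(cutoff))


def safe_delete(conn, cutoff):
    """Validate the shape of the value, then bind it; never use % on the query text."""
    if not is_valid_cutoff(cutoff):
        raise ValueError("cutoff must be YYYY-MM-DD, got %r" % cutoff)
    conn.execute("DELETE FROM JobRecords WHERE date(EndTime) < ?", (cutoff,))


def quote_table(name):
    """Identifiers cannot be bound as parameters, so allowlist them instead."""
    if name not in ALLOWED_TABLES:
        raise ValueError("table %r is not queryable" % name)
    return "`%s`" % name


def select_all(conn, table_name):
    return conn.execute("SELECT * FROM %s" % quote_table(table_name)).fetchall()


def build_where(filters):
    """{'Site': 'X', 'Year': 2021} -> ('WHERE Site = ? AND Year = ?', ['X', 2021]).

    Column names are checked against the allowlist; values are always parameters."""
    clauses, params = [], []
    for column, value in sorted(filters.items()):
        if column not in ALLOWED_WHERE_COLUMNS:
            raise ValueError("column %r not filterable" % column)
        clauses.append("%s = ?" % column)
        params.append(value)
    return ("WHERE " + " AND ".join(clauses) if clauses else ""), params


def make_db():
    """Constructed fixture: an in-memory JobRecords table with three rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE JobRecords (Site TEXT, EndTime TEXT)")
    conn.executemany("INSERT INTO JobRecords VALUES (?, ?)",
                     [("A", "2019-06-01 10:00:00"), ("A", "2021-01-15 09:30:00"),
                      ("B", "2022-03-02 23:59:59")])
    return conn


def count_jobs(conn):
    return conn.execute("SELECT count(*) FROM JobRecords").fetchone()[0]


def rows_left_after(delete_fn, cutoff):
    """Run one of the delete functions against a fresh fixture; return rows remaining."""
    conn = make_db()
    try:
        delete_fn(conn, cutoff)
        return count_jobs(conn)
    finally:
        conn.close()


if __name__ == "__main__":
    print("vulnerable, honest cutoff :", rows_left_after(vulnerable_delete, "2020-01-01"))
    print("vulnerable, payload       :", rows_left_after(vulnerable_delete, PAYLOAD))
    print("safe, honest cutoff       :", rows_left_after(safe_delete, "2020-01-01"))
    print("payload accepted by safe? :", is_valid_cutoff(PAYLOAD))
```

The honest cutoff removes one of the three rows either way; the payload turns the vulnerable DELETE into `... < '2020-01-01' OR 1=1 OR ''` and empties the table, while the safe version refuses it before any SQL is built.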

Using xml.dom.minidom to parse untrusted XML data is known to be vulnerable to XML attacks. Replace xml.dom.minidom with the equivalent defusedxml package, or make sure defusedxml.defuse_stdlib() is called.
Open

import xml.dom.minidom

Severity: Info
Found in apel/parsers/sge.py by bandit

Use of assert detected. The enclosed code will be removed when compiling to optimised byte code.
Open

        assert data['WallDuration'] >= 0, 'Negative WallDuration value'
Severity: Info
Found in apel/parsers/sge.py by bandit
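The two assert findings above (apel/db/records/record.py and apel/parsers/sge.py) are data checks, not debugging aids: a negative WallDuration or a mismatched tuple length has to be rejected in production too, and `python -O` compiles every assert statement away. The following added example, not project code, runs the same check written both ways in a child interpreter, with and without -O, so the difference is observable rather than asserted; the names check_wall_duration and rejects_negative are chosen here.

```python
"""Why a data check must raise, not assert (added example, not APEL code)."""
import subprocess
import sys


def check_wall_duration(data):
    """Validation that survives `python -O`: an explicit exception instead of assert."""
    if data["WallDuration"] < 0:
        raise ValueError("Negative WallDuration value: %r" % (data["WallDuration"],))
    return data


def is_valid_wall_duration(data):
    try:
        check_wall_duration(data)
    except ValueError:
        return False
    return True


# Constructed child program: the same check in both styles, selected by argv[1].
# It runs in a separate interpreter so that the -O flag can be applied to it.
_CHILD_PROGRAM = """
import sys
data = {"WallDuration": -5}
if sys.argv[1] == "assert":
    assert data["WallDuration"] >= 0, "Negative WallDuration value"
else:
    if data["WallDuration"] < 0:
        raise ValueError("Negative WallDuration value")
print("accepted", data)
"""


def rejects_negative(style, optimised):
    """Run the child with or without -O; True if the negative value was rejected
    (the child exited non-zero), False if it was silently accepted."""
    argv = [sys.executable]
    if optimised:
        argv.append("-O")
    argv += ["-c", _CHILD_PROGRAM, style]
    proc = subprocess.run(argv, capture_output=True)
    return proc.returncode != 0


if __name__ == "__main__":
    for style in ("assert", "raise"):
        for optimised in (False, True):
            print("%-6s -O=%-5s rejected=%s" % (style, optimised, rejects_negative(style, optimised)))
```

Under -O the assert version accepts the negative value and carries on; the raise version rejects it in both modes. The same applies to the `len(tup) == len(self._db_fields)` check in record.py.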

Using xml.dom.minidom.parseString to parse untrusted XML data is known to be vulnerable to XML attacks. Replace xml.dom.minidom.parseString with its defusedxml equivalent function or make sure defusedxml.defuse_stdlib() is called
Open

    d = xml.dom.minidom.parseString(msg_text)
Severity: Minor
Found in apel/db/loader/xml_parser.py by bandit
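Every xml.dom.minidom finding on this page (apel/db/loader/xml_parser.py, bin/retrieve_dns.py, apel/parsers/sge.py, apel/db/records/summary.py) points at the same thing: expat, underneath minidom, expands entity declarations from the DTD, which is what billion-laughs expansion and external-entity (XXE) reads rely on. defusedxml is the recommended fix; the added example below, not project code, shows what it does for minidom by subclassing the stdlib ExpatBuilder (the namespace-unaware one, for brevity) and turning the relevant expat callbacks into errors. The class and function names, the exception classes and the two constructed XML documents are chosen here.

```python
"""A minidom parser that refuses entity declarations, in the manner of defusedxml
(added example, not APEL code and not the defusedxml package itself)."""
import xml.dom.minidom
from xml.dom import expatbuilder


class EntitiesForbidden(ValueError):
    pass


class DTDForbidden(ValueError):
    pass


class ExternalReferenceForbidden(ValueError):
    pass


class HardenedExpatBuilder(expatbuilder.ExpatBuilder):
    """ExpatBuilder whose entity/DTD callbacks raise instead of building nodes.

    Internal entities give exponential expansion (billion laughs); external
    entities give file reads and SSRF (XXE). Both are declared in the DTD, so
    the matching expat handlers raise before any expansion can happen."""

    def __init__(self, options=None, forbid_dtd=False):
        super().__init__(options)
        self.forbid_dtd = forbid_dtd

    def install(self, parser):
        super().install(parser)
        if self.forbid_dtd:
            parser.StartDoctypeDeclHandler = self._forbid_dtd
        parser.EntityDeclHandler = self._forbid_entity
        parser.UnparsedEntityDeclHandler = self._forbid_entity
        parser.ExternalEntityRefHandler = self._forbid_external

    def _forbid_dtd(self, name, sysid, pubid, has_internal_subset):
        raise DTDForbidden("DOCTYPE %r not allowed" % name)

    def _forbid_entity(self, name, *args):
        raise EntitiesForbidden("entity declaration %r not allowed" % name)

    def _forbid_external(self, context, base, sysid, pubid):
        raise ExternalReferenceForbidden("external reference %r not allowed" % sysid)


def parse_string(text, forbid_dtd=False):
    """Drop-in for xml.dom.minidom.parseString on untrusted input."""
    return HardenedExpatBuilder(forbid_dtd=forbid_dtd).parseString(text)


def classify(text, forbid_dtd=False):
    """'ok' if the document parsed, otherwise the name of the refusal raised."""
    try:
        parse_string(text, forbid_dtd=forbid_dtd)
    except (EntitiesForbidden, DTDForbidden, ExternalReferenceForbidden) as exc:
        return type(exc).__name__
    return "ok"


# Constructed documents. The first declares one 10-byte entity and references it
# three times; harmless at this size, but the same construct nested nine levels
# deep is the billion laughs attack. The second is what XXE looks like.
ENTITY_PAYLOAD = '<!DOCTYPE r [<!ENTITY a "aaaaaaaaaa">]><r>&a;&a;&a;</r>'
XXE_PAYLOAD = '<!DOCTYPE r [<!ENTITY x SYSTEM "file:///etc/passwd">]><r>&x;</r>'
BENIGN = "<r><x>1</x></r>"


def expanded_text_length(text):
    """What the stock parser does: expand the entity and hand the result back."""
    doc = xml.dom.minidom.parseString(text)
    return sum(len(n.data) for n in doc.documentElement.childNodes
               if n.nodeType == n.TEXT_NODE)


if __name__ == "__main__":
    print("stock minidom expanded the entity to", expanded_text_length(ENTITY_PAYLOAD), "bytes")
    for label, doc in (("entity", ENTITY_PAYLOAD), ("xxe", XXE_PAYLOAD), ("benign", BENIGN)):
        print("%-7s -> %s" % (label, classify(doc)))
    print("benign with DOCTYPE, DTD forbidden ->", classify("<!DOCTYPE r><r/>", forbid_dtd=True))
```

The stock parser hands back 30 bytes of text for the entity payload; the hardened builder raises at the declaration, so the reference in the body is never reached. In the project the practical fix is still `import defusedxml.minidom` (or `defusedxml.defuse_stdlib()` early at startup), which applies exactly this kind of builder to every stdlib entry point.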