
Signpost security considerations in library #83679

Closed
tonybaloney mannequin opened this issue Jan 30, 2020 · 9 comments
Labels
docs Documentation in the Doc dir type-feature A feature request or enhancement

Comments

@tonybaloney

tonybaloney mannequin commented Jan 30, 2020

BPO 39498
Nosy @tiran, @merwok, @ambv, @willingc, @JulienPalard, @tonybaloney, @miss-islington
PRs
  • bpo-39498 Start linking the security warnings in the stdlib modules #18272
  • [3.10] bpo-39498 Start linking the security warnings in the stdlib modules (GH-18272) #27696
  • [3.9] bpo-39498 Start linking the security warnings in the stdlib modules (GH-18272) #27699

Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.



    Within the documentation, there are some really important security considerations for standard library modules. e.g. subprocess, ssl, pickle, xml.

    There is currently no "index" of these, so you have to go hunting for them. They're easter eggs within the docs. There isn't a unique admonition type either, so you have to search across many criteria.

    In particular for security researchers, it would be useful to consolidate and signpost these security best-practices in one index.

    PR to follow.

    @tonybaloney tonybaloney mannequin assigned docspython Jan 30, 2020
    @tonybaloney tonybaloney mannequin added docs Documentation in the Doc dir type-feature A feature request or enhancement labels Jan 30, 2020
    @JulienPalard
    Member

    Asked on gh:

    this is a "security guidance for standard library modules" index?

    (I'm not sure I understand the question exactly.)

    I think it could be useful from a reviewer's point of view to have such an index, so he can iterate over it and check point by point whether the code is OK.

    In this case, linking to all notes like "beware, wrong usage of this could lead to security issues" looks like what's needed in this index.

    Anthony: did you open the issue with this in mind, or any other usages?

    @willingc
    Contributor

    I agree that a helpful entry in the index would be a nice addition. Christian would be the person to start with since he probably has ideas what would be useful too.

    @merwok
    Member

    merwok commented Jun 24, 2020

    I think that we could make this easier with a custom directive that’s rendered into the appropriate markup during build and auto-generates the index page with links to all links. No error-prone manual update needed!
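A stdlib-only sketch of the mechanism merwok proposes (one dedicated directive that a build step collects into an index page, which also addresses the "no unique admonition type" problem from the opening comment). This is an added example, not CPython's Doc tooling: the directive name `security-consideration` is assumed, the .rst pages are constructed, and a real Sphinx build would use a directive plus an environment collector rather than regexes.

```python
"""Collect ``.. security-consideration::`` blocks from .rst sources and
render an index page.  Stdlib only; the directive name and sample docs
are assumptions made for this example."""
import re
from dataclasses import dataclass

# Constructed sample pages, as they might look once every security
# warning is marked with a single dedicated directive.
SAMPLE_DOCS = {
    "library/pickle.rst": """\
:mod:`pickle` --- Python object serialization
=============================================

.. security-consideration::

   Never unpickle data received from an untrusted source.
""",
    "library/subprocess.rst": """\
:mod:`subprocess` --- Subprocess management
===========================================

.. security-consideration::

   Do not build command lines from untrusted input with ``shell=True``.
""",
}

# Directive line followed by its indented (or blank) body lines.
DIRECTIVE = re.compile(r"^\.\. security-consideration::[ \t]*\n((?:[ \t]+.*\n|\n)+)", re.M)
MODULE = re.compile(r"^:mod:`([\w.]+)`", re.M)


@dataclass
class Consideration:
    module: str
    text: str


def collect(docs):
    """Return every security consideration, tagged with the module it documents."""
    found = []
    for path, source in sorted(docs.items()):
        mod = MODULE.search(source)
        name = mod.group(1) if mod else path  # fall back to the file path
        for m in DIRECTIVE.finditer(source):
            body = " ".join(ln.strip() for ln in m.group(1).splitlines() if ln.strip())
            found.append(Consideration(name, body))
    return found


def render_index(items):
    """Emit the auto-generated index page as reStructuredText."""
    lines = ["Security Considerations", "=======================", ""]
    lines += [f"* :mod:`{c.module}`: {c.text}" for c in items]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(render_index(collect(SAMPLE_DOCS)))
```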

    @tiran
    Member

    tiran commented Jun 25, 2020

    +1

    @tiran
    Member

    tiran commented Jun 25, 2020

    There are more features that should have security considerations, e.g. builtin functions like eval and exec.

    @ambv
    Contributor

    ambv commented Aug 9, 2021

    New changeset c5c5326 by Anthony Shaw in branch 'main':
    bpo-39498 Start linking the security warnings in the stdlib modules (GH-18272)

    @miss-islington
    Contributor

    New changeset d657da8 by Miss Islington (bot) in branch '3.10':
    bpo-39498 Start linking the security warnings in the stdlib modules (GH-18272)

    @ambv
    Contributor

    ambv commented Aug 10, 2021

    New changeset fcbe8c6 by Miss Islington (bot) in branch '3.9':
    bpo-39498 Start linking the security warnings in the stdlib modules (GH-18272) (GH-27699)

    @ambv ambv closed this as completed Aug 10, 2021
    @ezio-melotti ezio-melotti transferred this issue from another repository Apr 10, 2022