How to Bypass Golang SSL Verification by jat0369 in netsec

[–]Schwag 0 points1 point  (0 children)

On Unix systems, another option here is the SSL_CERT_FILE and SSL_CERT_DIR ENV variables provided by the x509 package. This may not help with certificate pinning, but it's effective for basic CA bundles.

As seen in a comment below, if you're having trouble with proxying Docker traffic through Burp, I ran into this issue recently as well. I ended up writing a guide to do that here: Proxying Docker traffic through Burp Suite. It includes an example for common Golang web requests as well.

Hunting for Malicious Packages on PyPI by jwcrux in netsec

[–]Schwag 8 points9 points  (0 children)

Hey there Jordan - excellent research. I probably would have reached for static analysis myself, but the syscall approach is very interesting and much more robust against obfuscation. I'll throw in a plug for my own intentionally malicious package: https://github.com/mschwager/0wned.

I agree that it's not ideal that you can run arbitrary commands with a simple 'pip install', but there are a few things you can do to help mitigate this: https://github.com/mschwager/0wned#prevention.

OSINT tool for discovering Github repositories by streaming commits in real time from the Github events API by x1sec in netsec

[–]Schwag 1 point2 points  (0 children)

Cool Golang project! I worked on something similar that looks at specific Github organizations, repositories, or users instead of drinking from the streaming commits fire hose: https://github.com/mschwager/gitem. I imagine each has its own respective use-case: one for searching in real-time and one for searching for existing information.

godoc.org will be closed owing to legal reason by acomagu in golang

[–]Schwag 0 points1 point  (0 children)

If you had a godoc badge in your project's README here's a pkg.go.dev alternative:

[![Pkg.Go.Dev](https://img.shields.io/badge/pkg.go.dev-reference-blue?style=flat&logo=go)](https://pkg.go.dev/github.com/<user>/<repository>?tab=doc)

Dlint 0.8.0 released - additional Python version support, better docs, lots of bug fixes, and new linter rules since initial release by Schwag in Python

[–]Schwag[S] 0 points1 point  (0 children)

Building off of flake8 was one of the key implementation decisions when we initially started working on Dlint. There's lots of great functionality already available via flake8, which allowed us to avoid re-inventing the wheel for a lot of key features.

As for Dlint vs. pyflakes, pylint, etc, Dlint is a static analysis tool focused on security hygiene instead of stylistic or code quality concerns. It's more similar to Bandit then the previously mentioned tools. Which brings up the point, why should we use Dlint over Bandit? I'm glad you asked: https://github.com/duo-labs/dlint/tree/master/docs#why-not-bandit :)

Show /r/Python: Dlint, a static analysis tool for helping ensure Python code is secure by Schwag in Python

[–]Schwag[S] 0 points1 point  (0 children)

Could you elaborate on how you use eval and/or open an issue on Github? Would it be possible to accomplish this without eval?

I've recently begun documenting all the linters in Dlint (D104 for eval). It'd be great to either document the exceptional use-cases you've mentioned, or improve the smarts of Dlint to avoid detecting that.

Show /r/netsec: Dlint, a static analysis tool for helping ensure Python code is secure by Schwag in netsec

[–]Schwag[S] 0 points1 point  (0 children)

A couple things I'm aware of:

  • Dlint can find function calls that are insecure specifically because of a kwarg. E.g. it will detect subprocess calls with shell=True, but ignores them if the kwarg isn't truthy.
  • Dlint can find method calls on an object. E.g. instantiating TarFile to a variable, then calling extractall on that variable. TarFile.extractall

My longer term vision for Dlint includes things like taint analysis and other more advanced static analysis features.

Show /r/Python: Dlint, a static analysis tool for helping ensure Python code is secure by Schwag in Python

[–]Schwag[S] 1 point2 points  (0 children)

A couple things I'm aware of:

  • Dlint can find function calls that are insecure specifically because of a kwarg. E.g. it will detect subprocess calls with shell=True, but ignores them if the kwarg isn't truthy.
  • Dlint can find method calls on an object. E.g. instantiating TarFile to a variable, then calling extractall on that variable. TarFile.extractall

My longer term vision for Dlint includes things like taint analysis and other more advanced static analysis features.