
Common security gotchas in Python and how to avoid them - BerislavLopac
https://hackernoon.com/10-common-security-gotchas-in-python-and-how-to-avoid-them-e19fbe265e03
======
ShorsHammer
This is a good article, however this part seems a bit off:

> Because of the variable latency involved in most web-applications, it’s
> pretty much impossible to write a timing attack over HTTP web servers.

There are certainly demonstrated timing attacks against webapps. It may take a
little extra time for the attacker, but latency won't save you here; you
should always use constant time comparison, and there's little excuse not to.
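
The comparison the comment is about, as an added example (not code from the article or from any commenter): the naive `==` check on an HMAC tag beside the `hmac.compare_digest` form, plus the same rule applied to a plain API-token check. The key, the webhook body and the function names are constructed for the example.

```python
import hashlib
import hmac

# Constructed sample key for this example only; a real service loads its key
# from a secret store, never from source.
SECRET_KEY = b"example-shared-secret-not-for-production"


def sign(message: bytes, key: bytes = SECRET_KEY) -> str:
    """Return the hex HMAC-SHA256 tag a sender attaches to `message`."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify_naive(message: bytes, presented_tag: str, key: bytes = SECRET_KEY) -> bool:
    """The weak pattern: `==` stops at the first mismatching byte, so the time
    it takes depends on how many leading characters of the guess are right.
    Network jitter only adds noise on top of that signal; it does not remove it."""
    return sign(message, key) == presented_tag


def verify_constant_time(message: bytes, presented_tag: str, key: bytes = SECRET_KEY) -> bool:
    """The hardened pattern: hmac.compare_digest takes time that depends only
    on the length of its inputs, not on where they differ.

    Both sides are encoded to bytes first. compare_digest accepts str only
    when it is pure ASCII and raises TypeError otherwise, and the presented
    tag comes from an HTTP header or query string the caller does not control,
    so a non-ASCII tag must become a clean False, not a 500."""
    expected = sign(message, key).encode("ascii")
    presented = presented_tag.encode("utf-8", errors="replace")
    return hmac.compare_digest(expected, presented)


def verify_api_token(presented: str, stored: str) -> bool:
    """Same rule for any secret-equality check (API keys, reset tokens,
    session ids): never `==`, always compare_digest."""
    return hmac.compare_digest(presented.encode("utf-8", errors="replace"),
                               stored.encode("utf-8", errors="replace"))


if __name__ == "__main__":
    body = b'{"event": "payment.completed", "amount": 1999}'  # constructed webhook body
    tag = sign(body)
    print("valid tag accepted:", verify_constant_time(body, tag))
    print("tampered body rejected:", verify_constant_time(body + b" ", tag))
    print("non-ASCII garbage rejected:", verify_constant_time(body, "\u00e9" * 64))
```

`compare_digest` still returns early when the two inputs differ in length, which leaks only the length of the expected tag; for a fixed-width HMAC that length is public anyway.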

------
methodover
About Pickle—

If we pickle a string which comes from an untrusted source, that’s fine right?
There’s no way to format the string or anything such that it exploits any kind
of vulnerability with pickle. Right?

~~~
Rjevski
Correct, although I’m happy to be proven wrong.

I don’t see any way this could be possible - in order to create a malicious
pickle object you’d have to have your untrusted input somehow “break outside”
of its string container before it even gets pickled.

But honestly, what’s the use-case for pickle that can’t be replaced with a
safer string-based format like JSON?

~~~
BerislavLopac
Well, pretty obviously, if your use case satisfies (most of) the following
prerequisites, there is no reason to choose JSON over pickle:

- you need to serialise arbitrary objects
- you both read and write only using Python
- your transfer protocol handles binary data (as opposed to plain text)
- you don't need the serialisation to be human-readable
- you want to be able to handle any Python type
- you don't want to write your own serialization rules

JSON is "safer" only if you have full control over deserialization.
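
The two sides of this sub-thread, as an added example that is not code from the article or from any commenter: pickling an untrusted string and loading it back shows the text is just a length-prefixed payload and cannot "break outside" its container, and a restricted `Unpickler` shows what "full control over deserialization" looks like on the pickle side when you only ever expect plain data. The `RestrictedUnpickler` follows the `find_class` restriction pattern from the Python `pickle` documentation; the allow-list, the sample text and the function names are this example's own choices.

```python
import builtins
import io
import pickle
from collections import OrderedDict

# Constructed untrusted input: newlines, a NUL, non-ASCII, and letters that
# happen to be pickle opcode names. Once pickled it is still just a string.
UNTRUSTED_TEXT = "text with newlines\n, a NUL \x00, \u20ac, and opcode-like letters c ( t R ."


def roundtrip_untrusted_string(text: str) -> str:
    """Pickle a string from an untrusted source and load it back.
    pickle.dumps emits a string opcode with a length prefix, so the bytes of
    the text are data to the loader, never parsed as opcodes."""
    return pickle.loads(pickle.dumps(text))


# Builtins that carry no code. Any other global referenced by a pickle
# (a class, a function, a module attribute) is refused.
SAFE_BUILTINS = frozenset({"set", "frozenset", "slice", "range", "complex", "bytearray"})


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses every global lookup except a short allow-list.
    Unrestricted pickle.loads on bytes you did not produce is the real risk;
    this is the "full control over deserialization" a plain-data consumer wants."""

    def find_class(self, module: str, name: str):
        if module == "builtins" and name in SAFE_BUILTINS:
            return getattr(builtins, name)
        raise pickle.UnpicklingError(f"global '{module}.{name}' is forbidden")


def restricted_loads(data: bytes):
    """Load a pickle while refusing object construction through globals."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def classify_pickle(data: bytes) -> str:
    """'plain-data' if the pickle loads under the restricted unpickler,
    'needs-global' if it references some module attribute (a class or
    function), which is the case worth rejecting or at least logging."""
    try:
        restricted_loads(data)
        return "plain-data"
    except pickle.UnpicklingError:
        return "needs-global"


if __name__ == "__main__":
    print("string survives unchanged:", roundtrip_untrusted_string(UNTRUSTED_TEXT) == UNTRUSTED_TEXT)
    plain = pickle.dumps({"a": [1, 2.5, "x"], "b": (True, None)})
    print("dict of plain types:", classify_pickle(plain))
    # OrderedDict is reconstructed via a global reference to its class,
    # so the restricted loader refuses it even though it is harmless.
    print("OrderedDict:", classify_pickle(pickle.dumps(OrderedDict(a=1))))
```

The asymmetry is the point of the thread: `pickle.dumps` of untrusted text is safe because the writer controls the framing; `pickle.loads` of untrusted bytes is the operation that needs a restricted loader, and if the data is only ever strings, numbers, lists and dicts, JSON removes the question entirely.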

------
diafygi
Can anyone who has used pyup.io give a review? I'm curious to hear an on-the-
ground experience.

~~~
Rjevski
Haven’t really used them directly, but _pipenv_ has a _check_ command that
tests your dependencies against the free version of pyup.io. It’s nice, and
while I’m not sure how much better it could be, it’s still better than nothing
and pointed out around 10 vulnerable deps (in a messy years-old Django project
with like 50+ dependencies).

