Safeguard
Tag

python-security

Safeguard articles tagged "python-security" — guides, analysis, and best practices for software supply chain and application security.

70 articles

Application Security

Why assert is not a security control in Python

Run Python with -O and every assert statement vanishes from the bytecode — including the ones guarding auth checks and input validation.

Jul 11, 20266 min read
Application Security

The Python code review security checklist: eval, pickle, and shell=True

Bandit ships named checks for eval, pickle, and shell=True — B307, B301, B602 — yet these three smells still slip past manual review into production Python.

Jul 11, 20266 min read
Application Security

Robust URL Validation in Python: Stopping SSRF and Open Redirects

One misparsed IP string cost Capital One 106 million records. Here's how to validate URLs in Python without repeating that mistake.

Jul 11, 20266 min read
Application Security

Python code injection: eval, exec, and pickle explained

eval(), exec(), and pickle.load() can each hand an attacker a Python interpreter — CVE-2020-1747 shows how one unsafe deserialization call became a real RCE.

Jul 8, 20265 min read
Application Security

Command injection in Python: subprocess, os.system, and safe-by-default patterns

os.system() and subprocess.run(shell=True) both hand a string straight to /bin/sh — one unescaped semicolon is enough to run arbitrary commands.

Jul 8, 20266 min read
Application Security

Dependency injection in Python: a guide to testability and security boundaries

FastAPI shipped a built-in DI container in its very first release in December 2018 — but the same swappability that makes DI testable can quietly ship a mock into production.

Jul 8, 20267 min read
Application Security

Finding and fixing IDOR vulnerabilities in Python

Broken Object Level Authorization has held the #1 spot on the OWASP API Security Top 10 since 2019 — and Django's get_object_or_404() does nothing to stop it.

Jul 8, 20266 min read
Application Security

CVE-2024-22195: how Jinja2's xmlattr filter opened an XSS hole

A single filter in Jinja, xmlattr, could inject arbitrary HTML attributes and slip past autoescaping entirely — fixed in Jinja 3.1.3, tracked as CVE-2024-22195.

Jul 7, 20266 min read
Open Source Security

Native-extension vulnerabilities in Python packages

numpy, pandas, cryptography, and lxml all ship compiled C/C++ code — and a Python SCA scan that only checks package versions can miss memory-safety bugs buried in that native layer.

Jul 7, 20266 min read
Application Security

The Python pickle security model, explained

Python's own docs warn that unpickling can execute arbitrary code — yet pickle is still the default weight format behind millions of ML model downloads.

Jul 7, 20266 min read
Software Supply Chain Security

PyPI typosquatting malicious packages

PyPI typosquatting tricks developers into installing malicious lookalike packages via one-letter typos. Real incidents, attack patterns, and defenses inside.

Jul 2, 20265 min read
AI Security

Securing LangChain and LlamaIndex Applications in Production

Agent frameworks ship fast and patch fast. The CVE history, the dangerous defaults, and a production hardening baseline for LangChain and LlamaIndex apps.

Jun 14, 20266 min read
python-security — Safeguard Blog