python-security
Safeguard articles tagged "python-security" — guides, analysis, and best practices for software supply chain and application security.
70 articles
Why assert is not a security control in Python
Run Python with -O and every assert statement vanishes from the bytecode — including the ones guarding auth checks and input validation.
The Python code review security checklist: eval, pickle, and shell=True
Bandit ships named checks for eval, pickle, and shell=True — B307, B301, B602 — yet these three smells still slip past manual review into production Python.
Robust URL Validation in Python: Stopping SSRF and Open Redirects
One misparsed IP string cost Capital One 106 million records. Here's how to validate URLs in Python without repeating that mistake.
Python code injection: eval, exec, and pickle explained
eval(), exec(), and pickle.load() can each hand an attacker a Python interpreter — CVE-2020-1747 shows how one unsafe deserialization call became a real RCE.
Command injection in Python: subprocess, os.system, and safe-by-default patterns
os.system() and subprocess.run(shell=True) both hand a string straight to /bin/sh — one unescaped semicolon is enough to run arbitrary commands.
Dependency injection in Python: a guide to testability and security boundaries
FastAPI shipped a built-in DI container in its very first release in December 2018 — but the same swappability that makes DI testable can quietly ship a mock into production.
Finding and fixing IDOR vulnerabilities in Python
Broken Object Level Authorization has held the #1 spot on the OWASP API Security Top 10 since 2019 — and Django's get_object_or_404() does nothing to stop it.
CVE-2024-22195: how Jinja2's xmlattr filter opened an XSS hole
A single filter in Jinja, xmlattr, could inject arbitrary HTML attributes and slip past autoescaping entirely — fixed in Jinja 3.1.3, tracked as CVE-2024-22195.
Native-extension vulnerabilities in Python packages
numpy, pandas, cryptography, and lxml all ship compiled C/C++ code — and a Python SCA scan that only checks package versions can miss memory-safety bugs buried in that native layer.
The Python pickle security model, explained
Python's own docs warn that unpickling can execute arbitrary code — yet pickle is still the default weight format behind millions of ML model downloads.
PyPI typosquatting malicious packages
PyPI typosquatting tricks developers into installing malicious lookalike packages via one-letter typos. Real incidents, attack patterns, and defenses inside.
Securing LangChain and LlamaIndex Applications in Production
Agent frameworks ship fast and patch fast. The CVE history, the dangerous defaults, and a production hardening baseline for LangChain and LlamaIndex apps.