author | Aric Gardner <agardner@linuxfoundation.org> | 2017-08-31 20:21:16 +0000 |
committer | Gerrit Code Review <gerrit@opnfv.org> | 2017-08-31 20:21:16 +0000 |
commit | d1fe715a48749e6363b27e2479f5eca8c92043f9 (patch) | |
tree | 189f463d728aab78a279439491b47a3f62726333 /master_list.yaml | |
parent | 9671dbbce50fad2173447f3a43b0bec26500ca82 (diff) | |
parent | f5f335aa4e575512bd5184fb7dea97f6d0f5c416 (diff) |
Merge "desc field set to just one line"
Diffstat (limited to 'master_list.yaml')
-rw-r--r-- | master_list.yaml | 25 |
1 files changed, 7 insertions, 18 deletions
diff --git a/master_list.yaml b/master_list.yaml
index 178dde4..af35076 100644
--- a/master_list.yaml
+++ b/master_list.yaml
@@ -101,9 +101,7 @@ file_audits:
 ripemd:
 regex: ripemd
- desc: |
- "RACE Integrity Primitives Evaluation Message Digest
- is an insecure hashing algorithm"
+ desc: "RACE Message Digest is an insecure hashing algorithm"
 secret:
 regex: secret
@@ -152,38 +150,29 @@ file_audits:
 apprun:
 regex: app\.run\s*\(.*debug.*=.*True.*\)
 desc: |
- "Running flask in debug mode can give away sensitive data on a
- systems configuration"
+ "Running flask in debug mode can give away sensitive data"
 autoescape:
 regex: autoescape.*=.*False
- desc: |
- "Without escaping HTML input an application becomes
- vulnerable to Cross Site Scripting (XSS) attacks."
+ desc: "Not escaping HTML input is vulnerable to XSS attacks."
 safestring:
 regex: safestring\.mark_safe.*\(.*\)
- desc: |
- "Without escaping HTML input an application becomes
- vulnerable to Cross Site Scripting (XSS) attacks."
+ desc: "Not escaping HTML input is vulnerable to XSS attacks."
 shelltrue:
 regex: shell.*=.*True
- desc: |
- "Shell=True can lead to dangerous shell escapes,
- expecially when the input can be crafted by untrusted external input"
+ desc: "Shell=True can lead to dangerous shell escapes"
 tmp:
 regex: \/tmp\/
 desc: |
- "Use of tmp directories can be dangerous. Its world writable and
- accessable, and can be easily guessed by attackers"
+ "tmp directories are risky. They are world writable and easily guessed"
 yamlload:
 regex: \yaml\.load
 desc: |
- "Avoid dangerous file parsing and object serialization libraries,
- use instead `yaml.safe_load`"
+ "Avoid dangerous file parsing & serialization libs, use yaml.safe_load"
 telnet:
 regex: telnet |
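Review bot: The second hunk leaves apprun, tmp and yamlload on `desc: |` with a double-quoted line beneath it while autoescape, safestring and shelltrue move to a plain `desc: "..."`, so those three entries still span two lines and their values keep literal quote characters plus a trailing newline, unlike the rest; collapsing them the same way, e.g. `desc: "Running flask in debug mode can give away sensitive data"`, would match the commit's stated intent. The shortened shelltrue text also drops the qualifier that made the finding actionable for whoever triages hits, namely that the risk is a command string built from untrusted input; one line such as `desc: "Shell=True can lead to shell injection when the command includes untrusted input"` keeps it. In the first hunk, `RACE Message Digest` is not the algorithm's name: RIPEMD expands to RACE Integrity Primitives Evaluation Message Digest, and since the regex `ripemd` also matches RIPEMD-160, for which no practical collision is known, the description should probably name the original 128-bit variant rather than the whole family. The trailing context of both hunks appears cut off in this rendering, so the lines after `regex: secret` and `regex: telnet` were not reviewed.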