
Common Python Security Vulnerabilities and How to Fix Them

March 12, 2025
9 min read

Python is one of the most popular programming languages, but even Python applications can have serious security vulnerabilities. This guide covers the most common Python security issues and how to fix them.

1. Command Injection

Running shell commands with user input can allow attackers to execute arbitrary commands on your server. Always use subprocess with list arguments instead of shell commands.
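To make the difference concrete, here is an added example (not code from the original post) showing the risky string-building pattern next to the list-argument form. The hostile input string is constructed for the demo, and `sys.executable -c` stands in for whatever external program you would really call so the snippet runs anywhere without a shell.

```python
import shlex
import subprocess
import sys

# Constructed sample input: what an attacker might type into a "filename" field.
HOSTILE_INPUT = "notes.txt; echo INJECTED"


def build_shell_command(filename: str) -> str:
    """The risky pattern: interpolating input into a string meant for shell=True.

    Returned as a string for inspection only; it is never executed here.
    Under shell=True the ';' ends the first command and starts a second one.
    """
    return f"wc -l {filename}"


def echo_argument(user_value: str) -> str:
    """Pass user input as ONE argv element; no shell ever parses it.

    The child process prints back exactly the single argument it received,
    proving that metacharacters such as ';' arrive as literal text.
    """
    completed = subprocess.run(
        [sys.executable, "-c", "import sys; print(sys.argv[1], end='')", user_value],
        capture_output=True,
        text=True,
        check=True,
    )
    return completed.stdout


def build_quoted_shell_command(filename: str) -> str:
    """If a shell string is genuinely unavoidable, quote every argument with shlex.quote."""
    return "wc -l " + shlex.quote(filename)


if __name__ == "__main__":
    print("unsafe string :", build_shell_command(HOSTILE_INPUT))
    print("quoted string :", build_quoted_shell_command(HOSTILE_INPUT))
    print("child received:", echo_argument(HOSTILE_INPUT))
```

The list form is the default to reach for; `shlex.quote` is the fallback for the rare case where a shell pipeline is required, and even then the program path itself must never come from the user.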

2. SQL Injection

Never concatenate user input into SQL queries. Use parameterized queries or ORMs like SQLAlchemy to prevent SQL injection attacks.

3. Code Injection via eval() and exec()

Never use eval() or exec() with user input. These functions can execute arbitrary code. Use ast.literal_eval for safe evaluation of literals, or better yet, don't execute user code at all.
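Here is an added example (not from the original post) of loading a configuration value with `ast.literal_eval` and a type check. The hostile string is constructed and is only ever passed to `literal_eval`, which rejects it because it contains a call rather than a literal.

```python
import ast

SAFE_LITERAL = "{'retries': 3, 'hosts': ['a', 'b']}"
# Constructed: what eval() would happily run; literal_eval refuses it.
HOSTILE_LITERAL = "__import__('os').system('echo pwned')"


def parse_literal(text: str):
    """Accept only Python literals: str, bytes, numbers, tuples, lists, dicts,
    sets, booleans and None. Names, attribute access and calls are rejected."""
    try:
        return ast.literal_eval(text)
    except (ValueError, SyntaxError, MemoryError, RecursionError) as exc:
        raise ValueError(f"not a literal: {text!r}") from exc


def load_setting(text: str, expected_type):
    """Parse a literal and insist on the type the caller expects, so a setting
    that should be a dict cannot arrive as a string or a list."""
    value = parse_literal(text)
    if not isinstance(value, expected_type):
        raise ValueError(f"expected {expected_type.__name__}, got {type(value).__name__}")
    return value


def is_rejected(text: str) -> bool:
    """Helper for tests: True when parse_literal refuses the input."""
    try:
        parse_literal(text)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(load_setting(SAFE_LITERAL, dict))
    print("hostile rejected:", is_rejected(HOSTILE_LITERAL))
```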

4. Insecure Deserialization (Pickle)

Python's pickle module can execute arbitrary code during deserialization. Use JSON instead for untrusted data. If you must use pickle, validate the source with HMAC signatures.
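As an added example (not from the original post), an HMAC-SHA256 tag prepended to the pickle bytes and verified in constant time before `pickle.loads` is ever called. The key is a constructed demo value; in real code it comes from a secrets store, and the scheme only helps when everyone who can sign is trusted, since the signature proves origin, not that the payload is harmless.

```python
import hashlib
import hmac
import pickle

# Constructed demo key; load the real one from a secrets manager.
KEY = b"demo-key-do-not-use-in-production"
TAG_LEN = hashlib.sha256().digest_size  # 32 bytes


def sign_pickle(obj, key: bytes = KEY) -> bytes:
    """Serialize, then prefix the bytes with HMAC-SHA256(key, payload)."""
    payload = pickle.dumps(obj, protocol=pickle.HIGHEST_PROTOCOL)
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return tag + payload


def load_signed_pickle(blob: bytes, key: bytes = KEY):
    """Verify the tag first; only then hand the payload to pickle."""
    if len(blob) < TAG_LEN:
        raise ValueError("blob too short to carry a signature")
    tag, payload = blob[:TAG_LEN], blob[TAG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        raise ValueError("signature mismatch: refusing to unpickle")
    return pickle.loads(payload)


def accepts(blob: bytes, key: bytes = KEY) -> bool:
    """Helper for tests: True if the blob verifies and loads."""
    try:
        load_signed_pickle(blob, key)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    signed = sign_pickle({"user": "alice", "roles": ["admin"]})
    print("round trip:", load_signed_pickle(signed))
    tampered = signed[:-1] + bytes([signed[-1] ^ 0x01])  # flip one payload bit
    print("tampered accepted:", accepts(tampered))
```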

5. Path Traversal

Attackers can access files outside the intended directory using path traversal attacks. Always validate and normalize file paths, and check that resolved paths are within the allowed directory.
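The check described above, as an added example that is not part of the original post: resolve the base directory and the requested path (so `..` segments and symlinks are collapsed) and refuse anything that does not land inside the base. The `demo()` helper writes a sample file into a temporary directory so the snippet runs stand-alone.

```python
import tempfile
from pathlib import Path


def resolve_under(base_dir, user_path: str) -> Path:
    """Return the real path of user_path inside base_dir, or raise PermissionError.

    Joining an absolute user_path replaces base entirely, and '..' segments or
    symlinks can point elsewhere; resolve() on both sides exposes all of that.
    """
    base = Path(base_dir).resolve()
    target = (base / user_path).resolve()
    try:
        target.relative_to(base)  # raises ValueError when target is outside base
    except ValueError:
        raise PermissionError(f"path escapes {base}: {user_path!r}") from None
    return target


def read_file(base_dir, user_path: str) -> str:
    return resolve_under(base_dir, user_path).read_text()


def demo() -> dict:
    """Constructed scenario: one legitimate file and three escape attempts."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        (base / "report.txt").write_text("quarterly numbers")
        results = {"report.txt": read_file(base, "report.txt")}
        for attempt in ("../../etc/passwd", "/etc/passwd", "sub/../../outside.txt"):
            try:
                read_file(base, attempt)
                results[attempt] = "ALLOWED"
            except PermissionError:
                results[attempt] = "blocked"
        return results


if __name__ == "__main__":
    for path, outcome in demo().items():
        print(f"{path!r:28} -> {outcome}")
```

Comparing resolved paths is the robust form of this check; string prefix tests on the raw input miss encoded dots, absolute paths and symlinks.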

6. Insecure Random Number Generation

Never use random.random() for security-sensitive operations like session tokens or encryption keys. Use the secrets module instead, which provides cryptographically secure random numbers.
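An added example (not from the original post) of a minimal session store built on `secrets`: tokens come from `secrets.token_urlsafe`, only a SHA-256 fingerprint of each token is kept server-side, and direct token comparisons go through `secrets.compare_digest`. The `SessionStore` class and its method names are this example's own.

```python
import hashlib
import secrets


def new_session_token() -> str:
    """43 URL-safe characters carrying 256 bits from the OS CSPRNG."""
    return secrets.token_urlsafe(32)


def token_fingerprint(token: str) -> str:
    """Store this, not the token: a leaked table then yields nothing usable."""
    return hashlib.sha256(token.encode()).hexdigest()


def tokens_match(presented: str, expected: str) -> bool:
    """Constant-time comparison; avoids leaking how many leading chars matched."""
    return secrets.compare_digest(presented, expected)


class SessionStore:
    """Example store keyed by token fingerprint (hypothetical helper class)."""

    def __init__(self):
        self._sessions: dict[str, str] = {}

    def create(self, user: str) -> str:
        token = new_session_token()
        self._sessions[token_fingerprint(token)] = user
        return token  # shown to the client once, never stored in clear

    def lookup(self, token: str):
        return self._sessions.get(token_fingerprint(token))

    def revoke(self, token: str) -> bool:
        return self._sessions.pop(token_fingerprint(token), None) is not None


if __name__ == "__main__":
    store = SessionStore()
    tok = store.create("alice")
    print("token:", tok, "user:", store.lookup(tok), "bogus:", store.lookup("bogus"))
```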

7. Weak Cryptography

Don't implement your own crypto or use weak algorithms like MD5. Use bcrypt or Argon2 for password hashing with proper salts and work factors.

8. XML External Entity (XXE) Injection

Parsing untrusted XML can allow attackers to read local files. Use the defusedxml library instead of the standard XML parsers to prevent XXE attacks.
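An added example (not from the original post) showing the kind of pre-check defusedxml performs with its `forbid_dtd` option, written here against the standard library only: an expat pass that aborts on any `DOCTYPE` or entity declaration before the document reaches ElementTree. The XXE sample document is constructed for the demo and is only ever rejected, never resolved.

```python
import xml.etree.ElementTree as ET
from xml.parsers import expat

# Constructed samples.
BENIGN_XML = b"<orders><order id='7'>widget</order></orders>"
XXE_XML = (
    b"<!DOCTYPE foo [<!ENTITY xxe SYSTEM 'file:///etc/passwd'>]>"
    b"<foo>&xxe;</foo>"
)


class ForbiddenDTD(ValueError):
    """Raised when a document declares a DTD or entity."""


def _reject(*_args):
    raise ForbiddenDTD("DOCTYPE and entity declarations are not allowed")


def parse_xml_strict(data: bytes) -> ET.Element:
    """Scan with expat first; any DTD aborts the parse before ET sees the bytes."""
    scanner = expat.ParserCreate()
    scanner.StartDoctypeDeclHandler = _reject
    scanner.EntityDeclHandler = _reject
    try:
        scanner.Parse(data, True)
    except ForbiddenDTD:
        raise
    except expat.ExpatError as exc:
        raise ValueError(f"malformed XML: {exc}") from exc
    return ET.fromstring(data)


def is_accepted(data: bytes) -> bool:
    """Helper for tests: True when the document parses under the strict rule."""
    try:
        parse_xml_strict(data)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    print("benign root:", parse_xml_strict(BENIGN_XML).tag)
    print("XXE accepted:", is_accepted(XXE_XML))
```

Rejecting every DTD also shuts down entity-expansion denial of service (the "billion laughs" family), which is why a blanket refusal is usually preferable to trying to allow "safe" DTDs.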

9. Server-Side Request Forgery (SSRF)

Validate and restrict URLs before making requests. Whitelist allowed domains and prevent access to internal IPs to avoid SSRF vulnerabilities.
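The validation described above, as an added example that is not part of the original post: scheme check, rejection of userinfo tricks, rejection of literal IPs (non-public ones in particular), and an exact-match hostname allowlist. The allowlist entries are constructed.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed allowlist for the demo.
ALLOWED_HOSTS = {"api.example.com", "cdn.example.com"}
ALLOWED_SCHEMES = {"https"}


class DisallowedURL(ValueError):
    """Raised when an outbound URL fails policy."""


def validate_outbound_url(url: str) -> str:
    """Return the URL if it may be fetched server-side, else raise DisallowedURL."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise DisallowedURL(f"scheme not allowed: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        # 'https://api.example.com@10.0.0.5/' has hostname 10.0.0.5, not the allowlisted one.
        raise DisallowedURL("userinfo in URL is not allowed")
    host = parts.hostname
    if not host:
        raise DisallowedURL("missing host")
    host = host.rstrip(".")
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        if not ip.is_global:
            raise DisallowedURL(f"non-public address: {ip}")
        raise DisallowedURL("literal IP addresses are not allowed; use an allowlisted hostname")
    if host not in ALLOWED_HOSTS:
        raise DisallowedURL(f"host not in allowlist: {host!r}")
    return parts.geturl()


def is_allowed(url: str) -> bool:
    """Helper for tests: True when validate_outbound_url accepts the URL."""
    try:
        validate_outbound_url(url)
    except DisallowedURL:
        return False
    return True


if __name__ == "__main__":
    for candidate in ("https://api.example.com/v1/users", "http://api.example.com/",
                      "https://10.0.0.5/admin", "https://api.example.com@127.0.0.1/",
                      "https://evil.example.net/"):
        print(f"{candidate:45} -> {'allowed' if is_allowed(candidate) else 'blocked'}")
```

Two caveats worth keeping in mind: the hostname still has to resolve to a public address at connection time (a DNS answer can point an allowlisted name at an internal IP), and HTTP redirects must be re-validated or disabled, otherwise an allowed host can bounce the request somewhere internal.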

10. Debug Mode in Production

Never run Flask or Django in debug mode in production. Debug mode exposes source code and allows code execution. Always set DEBUG=False in production.

Python Security Checklist

  • ✅ Never use eval() or exec() with user input
  • ✅ Use parameterized queries for database operations
  • ✅ Validate file paths to prevent path traversal
  • ✅ Use secrets module for security tokens
  • ✅ Use bcrypt or Argon2 for password hashing
  • ✅ Avoid pickle for untrusted data
  • ✅ Disable debug mode in production
  • ✅ Validate and sanitize all user input
  • ✅ Use subprocess with list arguments, not shell=True
  • ✅ Keep dependencies updated with pip-audit

Useful Security Tools

  • Bandit: Security linter for Python
  • pip-audit: Find vulnerabilities in dependencies
  • Safety: Check dependencies for known issues
  • ProbCheck: AI-powered vulnerability scanner

Conclusion

Python's simplicity can sometimes lead developers to overlook security considerations. By following these best practices and avoiding common pitfalls, you can write more secure Python applications.

Remember: Security is not optional. Make it a habit to think about security from the start of your project.
