Merge pull request #1004 from BartKaras1128/reviews

Reviewed the Python Secure Coding Guide and made a lot of minor changes

Author: myteron

docs/Secure-Coding-Guide-for-Python/CWE-664/CWE-134/README.md

@@ -2,7 +2,7 @@
 
 Ensure that all format string functions are passed a static string which cannot be controlled by the user [[MITRE 2023]](https://cwe.mitre.org/data/definitions/134.html)
 
-In Python, the use of string formatting combined with the ability to access a function's `__globals__` attribute can exposing internal variables and methods unless properly guarded.
+In Python, the use of string formatting combined with the ability to access a function's `__globals__` attribute can expose internal variables and methods unless properly guarded.
 
 ## Non-Compliant Code Example
 

docs/Secure-Coding-Guide-for-Python/CWE-664/CWE-197/README.md

@@ -126,7 +126,7 @@ while counter <= target:
 
 |Definition|Explanation|Reference|
 |:---|:---|:---|
-|Loop Counters|loop counters are variables used to control the iterations of a loop|[Loop counter - Wikipedia](https://en.wikipedia.org/wiki/For_loop#Loop_counters)|
+|Loop Counters|loop counters are variables used to control the iterations of a loop|[Loops and their control variables](http://www.knosof.co.uk/vulnerabilities/loopcntrl.pdf)|
 
 ## Automated Detection
 
@@ -150,6 +150,6 @@ while counter <= target:
 |||
 |:---|:---|
 |[IEEE Std 754-2019](https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=8766229)|IEEE Standard for Floating-Point Arithmetic, available from: [https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=8766229](https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=8766229), [Last  accessed June 2024] |
-|[Wikipedia 2024]|Repeating Decimals, available from:[https://en.wikipedia.org/wiki/Repeating_decimal](https://en.wikipedia.org/wiki/Repeating_decimal), [Last accessed August 2024] |
+|[Loops and control variables]|Derek M. Jones(2006 )Loops and their control variables, Discussion and proposed guidelines:[http://www.knosof.co.uk/vulnerabilities/loopcntrl.pdf](http://www.knosof.co.uk/vulnerabilities/loopcntrl.pdf), [Last accessed October 2025] |
 |[Albing and Vossen, 2017]|Albin, C. and Vossen, JP (2017) 6.13 Looping with Floating Point Values. In: Bleiel, J., Brown, K. and Head, R. eds. bash Cookbook: Solutions and Examples for bash Users, 2d Edition. Sebastopol: O'Reilly Media, Inc., pp.159-160|
 |[Bloch 2005]|Puzzle 34, "Down for the Count", available from: [https://web.archive.org/web/20220511061752/https://wiki.sei.cmu.edu/confluence/display/java/Rule+AA.+References#RuleAA.References-Bloch05](https://web.archive.org/web/20220511061752/https://wiki.sei.cmu.edu/confluence/display/java/Rule+AA.+References#RuleAA.References-Bloch05), [Last accessed August 2024] |

docs/Secure-Coding-Guide-for-Python/CWE-664/CWE-409/README.md

@@ -223,8 +223,8 @@ def extract_files(filepath: str, base_path: str, exist_ok: bool = True):
         exist_ok (bool, optional): Overwrite existing. Defaults to True.
 
     Raises:
-        ZipExtractException: If there are to many files
-        ZipExtractException: If there are to big files
+        ZipExtractException: If there are too many files
+        ZipExtractException: If the files are too big
         ZipExtractException: If a directory traversal is detected
     """
     # TODO: avoid CWE-209: Generation of Error Message Containing Sensitive Information

docs/Secure-Coding-Guide-for-Python/CWE-664/CWE-409/compliant01.py

@@ -43,8 +43,8 @@ def extract_files(filepath: str, base_path: str, exist_ok: bool = True):
         exist_ok (bool, optional): Overwrite existing. Defaults to True.
 
     Raises:
-        ZipExtractException: If there are to many files
-        ZipExtractException: If there are to big files
+        ZipExtractException: If there are too many files
+        ZipExtractException: If the files are too big
         ZipExtractException: If a directory traversal is detected
     """
     # TODO: avoid CWE-209: Generation of Error Message Containing Sensitive Information

docs/Secure-Coding-Guide-for-Python/CWE-664/CWE-410/README.md

@@ -1,6 +1,8 @@
 # CWE-410: Insufficient Resource Pool
 
-Ensure load control during traffic bursts or Denial of Service (DoS) by using a limited amount of threads in a pool. An attacker can cause a DoS by flooding a system with too many requests. Services with time-consuming, I/O-bound, or session-based sequential execution make limited use of available resources and can be blocked by a single hanging process or by overloading the queue.
+Ensure load control during traffic bursts or Denial of Service (DoS) by using a limited amount of threads in a pool.
+
+An attacker can cause a DoS by flooding a system with too many requests. Services with time-consuming, I/O-bound, or session-based sequential execution make limited use of available resources and can be blocked by a single hanging process or by overloading the queue.
 
 Thread pools combine:
 

docs/Secure-Coding-Guide-for-Python/CWE-664/CWE-459/README.md

@@ -54,8 +54,6 @@ Thanks to the use of the `with` statement we ensure that the file is closed afte
 *[compliant01.py](compliant01.py):*
 
 ```python
-"""Compliant Code Example"""
-
 # SPDX-FileCopyrightText: OpenSSF project contributors
 # SPDX-License-Identifier: MIT
 """ Compliant Code Example """

docs/Secure-Coding-Guide-for-Python/CWE-664/CWE-501/README.md

@@ -1,8 +1,8 @@
 # CWE-501: Trust Boundary Violation
 
-Python does not share the concept of different trust zones within the same runtime as explained in the *JAVA SEI CERT Rule 15 platform security (SEC)* [[SEI CERT 2022]](https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=88487683) rules. Python neither has a security manager that can control access between trusted and untrusted code running on the same JVM. “Private” instance variables that cannot be accessed except from inside an object don’t exist in Python [Python 2023].
+Python's trust boundaries rely on explicit process isolation, rather than in-process access control within a single interpreter.
 
-In Python we need to implement different trust zone's by starting  python runtime's with individual POSIX/Machine users. The POSIX/Machine user access rights must be set in accordance to level of trust per zone.
+Unlike Java, where we have in-process mechanisms like [Oracle Access Management](https://docs.oracle.com/en/middleware/idm/access-manager/12.2.1.3/aiaag/introducing-oracle-access-management.html) that can enforce access boundaries inside the same runtime, standard Python does not provide a built-in in-process access manager. In Python we need to implement different trust zones by starting python runtimes with individual POSIX/Machine users. The POSIX/Machine user access rights must be set in accordance to level of trust per zone.
 
 ## Noncompliant STRIDE example - New User Sign-up Process
 
@@ -44,6 +44,6 @@ unknown
 
 |||
 |:---|:---|
-|[[SEI CERT 2022]](https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=88487683)|Rule 15. Platform Security (SEC). Available from: [SEI CERT](https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=88487683) [accessed 07 May 2024]|
 |[[Python 2023]](https://docs.python.org/3.9/tutorial/classes.html?highlight=private#private-variables)|Python Software Foundation. (2023). Classes - Private Variables. Available from: [Python Documentation](https://docs.python.org/3.9/tutorial/classes.html?highlight=private#private-variables) [accessed 13 September 2023]|
 |[[OWASP, Conklin,  Drake, 2023]](https://cwe.mitre.org/data/definitions/134.html)|[CWE - CWE-134: Use of Externally-Controlled Format String (4.13) (mitre.org)](https://cwe.mitre.org/data/definitions/134.html)|
+|[Oracle Docs](https://docs.oracle.com/en/)| [Administering Oracle Access Management](https://docs.oracle.com/en/middleware/idm/access-manager/12.2.1.3/aiaag/introducing-oracle-access-management.html#GUID-D1D083AA-538E-4063-A921-9328DB784319) [accessed 29 October 2025]|

docs/Secure-Coding-Guide-for-Python/CWE-664/CWE-502/README.md

@@ -1,7 +1,8 @@
 # CWE-502: Deserialization of Untrusted Data
 
+Even if data has been created from a trusted source, we need to verify that it has not been tampered with during transport.
+
 The `pickle` module is known to be vulnerable [[docs.python.org 2023]](https://docs.python.org/3.9/library/pickle.html) against unwanted code execution during deserialization and should only be used if there is no architectural text-based alternative.
-Even if data has been created from a trusted source we need to verify that it has not been tampered with during transport.
 
 Security-related concerns during object serialization and deserialization include:
 
@@ -15,7 +16,7 @@ Security-related concerns during object serialization and deserialization includ
 
 ## Noncompliant Code Example
 
-The `noncompliant01.py`  code demonstrates arbitrary code execution [Checkoway Oct 2013] using `os.system` to launch a program during unpickling when `pickle.loads()`.
+The `noncompliant01.py`  code demonstrates arbitrary code execution using `os.system` to launch a program during unpickling when `pickle.loads()` [[Checkoway Oct 2013](https://checkoway.net/musings/pickle/)]
 
 *[noncompliant01.py](noncompliant01.py):*
 
@@ -198,7 +199,7 @@ The integrity verification in `compliant01.py` throws an exception `ValueError:
 
 Text-based formats, such as `JSON` and `YAML`, should always be preferred. They have a lower set of capabilities and reduce the attack surface [python.org comparison-with-json 2023] when compared to `pickle`.
 
-The `compliant01.py`  code only allows serializing and deserialization of object data and not object methods as in `noncompliant01.py` or `compliant01.py`.
+The `compliant01.py`  code only allows serializing and deserialization of object data and not object methods as in `noncompliant01.py` or `example01.py`.
 
 Consider converting binary data into text using `Base64` encoding for performance and size irrelevant operations.
 
@@ -288,7 +289,7 @@ message = None
 message = p3.uncan(PAYLOAD)
 ```
 
-The `compliant02.py` stops with the unpacking with a `json.decoder.JSONDecodeError`.
+The `compliant01.py` stops with the unpacking with a `json.decoder.JSONDecodeError`.
 
 ## Exceptions
 
@@ -317,6 +318,7 @@ Serialized data from a trusted input source does not require sanitization, provi
 |[SEI CERT Coding Standard for Java](https://wiki.sei.cmu.edu/confluence/display/java/SEI+CERT+Oracle+Coding+Standard+for+Java)|[SER01-J. Do not deviate from the proper signatures of serialization methods](https://wiki.sei.cmu.edu/confluence/display/java/SER01-J.+Do+not+deviate+from+the+proper+signatures+of+serialization+methods)|
 |[MITRE CWE](http://cwe.mitre.org/)|Pillar [CWE-664: Improper Control of a Resource Through its Lifetime (4.13) (mitre.org)](https://cwe.mitre.org/data/definitions/664.html)|
 |[MITRE CWE](http://cwe.mitre.org/)|Base [CWE-502, Deserialization of Untrusted Data](http://cwe.mitre.org/data/definitions/502.html)|
+|[Checkoway 2013]|Checkoway, S. (2013) 'Arbitrary code execution with Python pickles', 8 October. Available from: [stephen.checkoway.com](https://stephen.checkoway.com/2013/10/08/arbitrary-code-execution-with-python-pickles/) [Accessed 07 May 2024]|
 
 ## Biblography
 

docs/Secure-Coding-Guide-for-Python/CWE-664/CWE-584/README.md

@@ -91,6 +91,7 @@ def do_logic():
 # exploiting above code example
 #####################
 do_logic()
+
 ```
 
 ## Automated Detection

docs/Secure-Coding-Guide-for-Python/CWE-664/CWE-584/compliant01.py

@@ -1,6 +1,5 @@
 # SPDX-FileCopyrightText: OpenSSF project contributors
 # SPDX-License-Identifier: MIT
-
 """Compliant Code Example"""
 
 
@@ -18,4 +17,3 @@ def do_logic():
 # exploiting above code example
 #####################
 do_logic()
-