Python validating sql parser
The attacker can use that to include references to one of the subprocess modules to run arbitrary commands on the host.
This wonderful example shows how to pickle a class that opens a shell in Python 2.
They impact all languages, frameworks and environments.
SQL injection happens where you write SQL queries directly (rather than going through an ORM) and build them by mixing string literals with variables.
Timing attacks are essentially a way of exposing the behaviour and algorithm by timing how long it takes to compare provided values.
Most POSIX systems come with a version of Python 2. Since “Python”, i.e. CPython, is written in C, there are times when the Python interpreter itself has holes.
I’ve read plenty of code where “escaping quotes” is deemed a fix. Familiarise yourself with all the complex ways SQL injection can happen with this cheatsheet.
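An added example (not from the original post) using the standard library’s sqlite3 module and a constructed in-memory table: the string-formatted lookup and the “escape the quotes” variant are both injectable, because in a numeric context there are no quotes to escape, while the parameterised query binds the value and never parses it as SQL.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample data standing in for an application's users table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany(
        "INSERT INTO users (id, name) VALUES (?, ?)",
        [(1, "alice"), (2, "bob"), (3, "carol")],
    )
    return conn


def lookup_unsafe(conn: sqlite3.Connection, user_id: str) -> list:
    # String formatting: the caller's text becomes part of the SQL grammar.
    sql = f"SELECT name FROM users WHERE id = {user_id} ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def lookup_escaped(conn: sqlite3.Connection, user_id: str) -> list:
    # Doubling single quotes only matters when the value sits inside a
    # string literal; here the value is compared as a number, so there is
    # nothing to escape and the query is still injectable.
    escaped = user_id.replace("'", "''")
    sql = f"SELECT name FROM users WHERE id = {escaped} ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn: sqlite3.Connection, user_id: str) -> list:
    # Parameterised query: the driver binds the value, the SQL text is fixed.
    # A non-numeric id simply matches no row instead of changing the query.
    rows = conn.execute(
        "SELECT name FROM users WHERE id = ? ORDER BY id", (user_id,)
    )
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    for value in ("2", "2 OR 1=1"):
        print(value, lookup_unsafe(db, value), lookup_escaped(db, value),
              lookup_safe(db, value))
```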
Command injection is any time you’re calling a process using popen, subprocess or os.system and taking the arguments from variables.
You might not even be aware that one of your dependencies leaves itself open to these types of attacks. Well, the standard library modules etree, DOM and xmlrpc are all wide open to these types of attacks.
It’s well documented at https://docs.python.org/3/library/xml.html#xml-vulnerabilities. Use defusedxml as a drop-in replacement for the standard library modules.