bpo-39498 Start linking the security warnings in the stdlib modules

[tonybaloney]

Within the documentation, there are some really important security considerations for standard library modules. e.g. subprocess, ssl, pickle, xml.

There is currently no "index" of these, so you have to go hunting for them. They're easter eggs within the docs. There isn't a unique admonition type either, so you have to search across many criteria.

In particular for security researchers, it would be useful to consolidate and signpost these security best-practices in one index.

This PR links to some of the existing ones that I found.

https://bugs.python.org/issue39498

[brandtbucher]

@willingc, what do you think about this?

This looks like a good idea, but there are more modules that I would think to add if we're going this route: marshal, multiprocessing, and random, to name a few.

The PR looks fine to me, but I'm not familiar enough with the security stuff to review the actual content. It looks like we don't have any devs that have registered themselves as "security" experts, but maybe @tiran can weigh in?

[JulienPalard]

I also found:

• xmlrpc.server and client warning about not being secure against maliciously constructed data.
• hmac deprecated md5 by default
• hashlib warning about BLAKE2 and some other being unsuitable for hashing passwords
• hashlib warning about hash collision weakness
• logging.config note about portions of the configuration being passed through eval
• pyexpat warning about not begin secure against maliciously constructed data
• shelve warning about using pickle, so being insecure.
• sqlite3 about SQL injections
• tempfile about mktemp not being secure and being deprecated.
• xml, xml.dom.{minidom,pulldom}, xml.etree.ElementTree, xml.sax warning about not being secure against maliciously constructed data

Maybe @vstinner know more, and we may found some other in the https://github.com/pycqa/bandit implementation.

[vstinner]

By the way, I'm maintaining https://python-security.readthedocs.io/ website. But I would prefer to migrate it under a .python.org domain before starting to mention it in the official documentation.

[tonybaloney]

So between the additions in #18272 (review), #18272 (comment) and inside the link @vstinner sent (there's a section on dangerous modules and usage)
I can put something together.

I looked at "tagging" them in Sphinx, but it would add a whole bunch of code and engineering complexity that seemed unnecessary.

To keep the scope narrow, this is a "security guidance for standard library modules" index?

[JulienPalard]

To keep the scope narrow, this is a "security guidance for standard library modules" index?

This is a discussion for b.p.o, let's try to avoid discussing on PRs (other than reviewing the commits).

[miss-islington]

Thanks @tonybaloney for the PR, and @ambv for merging it 🌮🎉.. I'm working now to backport this PR to: 3.9.
🐍🍒⛏🤖 I'm not a witch! I'm not a witch!

[miss-islington]

Thanks @tonybaloney for the PR, and @ambv for merging it 🌮🎉.. I'm working now to backport this PR to: 3.10.
🐍🍒⛏🤖

[miss-islington]

Sorry @tonybaloney and @ambv, I had trouble checking out the 3.9 backport branch.
Please backport using cherry_picker on command line.
cherry_picker c5c5326d4799fe4ae566aff32ed3461af95859cc 3.9

[bedevere-bot]

GH-27696 is a backport of this pull request to the 3.10 branch.

[miss-islington]

Thanks @tonybaloney for the PR, and @ambv for merging it 🌮🎉.. I'm working now to backport this PR to: 3.9.
🐍🍒⛏🤖

[bedevere-bot]

GH-27699 is a backport of this pull request to the 3.9 branch.