Facebook introduced Pysa, a static analyzer for the Python language

Facebook has presented Pysa (Python Static Analyzer), an open-source static analyzer designed to find potential vulnerabilities in Python code. The analyzer is built as an add-on to the Pyre type-checking toolkit and lives in Pyre's repository. The code is published under the MIT license.

Pysa analyzes how data flows through the program as it executes, which makes it possible to find many potential vulnerabilities and privacy issues that arise when data is used in places where it should not appear.
For example, Pysa can track the use of raw external data in calls that launch external programs, in file operations, and in SQL statements.

The analyzer's work comes down to identifying data sources and the dangerous calls in which data from those sources must not be used. Data from web requests is treated as a source (for example, the HttpRequest.GET dictionary in Django), and calls such as eval and os.open are treated as dangerous uses. Pysa follows the data through the chain of function calls and links the original input to the potentially dangerous places in the code. As a typical vulnerability found with Pysa, the open redirect in the Zulip messaging platform (CVE-2019-19775) is cited; it was caused by passing unsanitized external parameters when rendering thumbnails.

Pysa's data-flow tracking can also be used to check the correct use of additional frameworks and to verify compliance with policies on the use of user data. For example, Pysa can check projects built on the Django and Tornado frameworks without additional configuration. Pysa can also detect common web application vulnerabilities such as SQL injection and cross-site scripting (XSS).
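As an added illustration of the source/sink scheme described above (this is not Pysa's own code or model format), the toy tracker below walks Python's `ast` and flags flows from request.GET/request.POST into eval, os.system and redirect, treating shlex.quote and html.escape as sanitizers; the sink labels, the SOURCES/SINKS/SANITIZERS names and the Django-style sample views are all assumptions constructed here.

```python
import ast

# Simplified stand-in for Pysa's taint models (an assumption; Pysa reads them from .pysa files).
SOURCES = {"GET", "POST"}                                # request.GET[...], request.POST.get(...)
SINKS = {"eval": "CodeExecution", "system": "CommandExecution", "redirect": "OpenRedirect"}
SANITIZERS = {"quote", "escape"}                         # e.g. shlex.quote, html.escape

def callee(call):                                        # bare name of the called function
    return call.func.id if isinstance(call.func, ast.Name) else getattr(call.func, "attr", None)
class TaintTracker(ast.NodeVisitor):
    """Per function: names assigned from a source become tainted; a sink fed by taint is a finding."""
    def __init__(self):
        self.tainted, self.findings, self.func = set(), [], None
    def is_tainted(self, node):
        if isinstance(node, ast.Name):
            return node.id in self.tainted
        if isinstance(node, (ast.Attribute, ast.Subscript)):   # request.GET, data["k"], tainted.attr
            return getattr(node, "attr", None) in SOURCES or self.is_tainted(node.value)
        if isinstance(node, ast.Call):                   # a sanitizer call breaks the flow
            return callee(node) not in SANITIZERS and (
                self.is_tainted(node.func) or any(map(self.is_tainted, node.args)))
        if isinstance(node, ast.BinOp):                  # "ls " + cmd
            return self.is_tainted(node.left) or self.is_tainted(node.right)
        return False
    def visit_FunctionDef(self, node):
        self.func, self.tainted = node.name, set()       # fresh taint state per function
        self.generic_visit(node)
    def visit_Assign(self, node):
        if self.is_tainted(node.value):
            self.tainted.update(t.id for t in node.targets if isinstance(t, ast.Name))
        self.generic_visit(node)
    def visit_Call(self, node):
        kind = SINKS.get(callee(node))
        if kind and any(map(self.is_tainted, node.args)):
            self.findings.append((self.func, node.lineno, kind))
        self.generic_visit(node)

def analyze(source):                                     # -> [(function, line, sink kind), ...]
    tracker = TaintTracker()
    tracker.visit(ast.parse(source))
    return tracker.findings

# Constructed Django-style views: two real flows and one that shlex.quote neutralises.
SAMPLE = '''import os, shlex
def run(request):
    cmd = request.GET["cmd"]
    os.system("ls " + cmd)
def go(request):
    return redirect(request.GET.get("next", "/"))
def safe(request):
    os.system("echo " + shlex.quote(request.GET["name"]))
'''
```

Running `analyze(SAMPLE)` reports the command-execution flow in `run` and the open redirect in `go`, while `safe` produces no finding because the sanitizer call cuts the flow; a real tool additionally needs inter-procedural summaries, which is where the false positives mentioned below mostly come from.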

At Facebook, the analyzer is used to check the code of the Instagram service. In the first quarter of 2020, Pysa helped identify 44% of all issues found by Facebook engineers in the Instagram back-end codebase.
In total, 330 issues were flagged during automated review of code changes with Pysa; 49 of them (15%) were rated as significant and 131 (40%) as minor, while in 150 cases (45%) the reports were classified as false positives.

Source: opennet.ru
