5 Python Security Mistakes That Expose Your Application

ReleaseRun · Python Security 5 Python Security Mistakes That Expose Your Application These show up in code review constantly. Some are silent until someone exploits them. Tap to start →

1 Mistake 1 / 5 eval() on any external input One of the most dangerous Python anti-patterns. Any string that reaches eval() gets executed as Python code. Attackers can import os, delete files, open reverse shells. # Never do this result = eval(user_input) # Use ast.literal_eval for safe parsing import ast result = ast.literal_eval(user_input) # Only handles literals: strings, ints, dicts, lists ✗ eval() = remote code execution waiting to happen

2 Mistake 2 / 5 Unpickling data from users Python's pickle module executes arbitrary code during deserialization. Accepting pickle from an HTTP request or Redis queue (without ownership control) is an RCE vulnerability. # Dangerous: untrusted pickle = code execution data = pickle.loads(request.body) # Use JSON, MessagePack, or orjson instead import orjson data = orjson.loads(request.body) ✓ Pickle only for data you wrote yourself

3 Mistake 3 / 5 Secrets hardcoded in source GitHub's secret scanning finds API keys in milliseconds of a push. Rotation doesn't undo the exposure — git history preserves every version. `trufflehog` finds them retroactively. import os # Read from environment, not source DB_PASSWORD = os.environ["DB_PASSWORD"] API_KEY = os.environ.get("API_KEY", "") # Use python-dotenv for local dev .env files from dotenv import load_dotenv; load_dotenv() ✓ Secrets belong in env vars or a secrets manager

4 Mistake 4 / 5 Unpinned or outdated dependencies Django 3.2 has 55 known CVEs. requests <2.28 has 3 critical ones. Most projects accumulate vulnerable deps over 6-12 months without realising it. # Audit your requirements.txt right now: pip install pip-audit pip-audit # Or paste requirements.txt into: # releaserun.com/tools/vulnerability-scanner/ ✓ Run pip-audit in CI on every PR

5 Mistake 5 / 5 yaml.load() without safe_load `yaml.load()` can deserialize Python objects. A malicious YAML file can call `os.system()` on load. PyYAML warns about it now, but the warning is easy to miss. # Dangerous — can execute code data = yaml.load(file) # Safe — only handles scalars, lists, dicts data = yaml.safe_load(file) # Or use ruamel.yaml in safe mode from ruamel.yaml import YAML yaml = YAML(typ="safe") ✓ Always yaml.safe_load() for external files

🐍 Scan your Python dependencies now Paste your requirements.txt and get a full CVE report. Checks against OSV.dev — 55 known vulns in Django 3.2 alone. Free, no signup. Free Vuln Scanner → Python Reference Guide