Top 10 Python Security Pitfalls and How to Fix Them

Writing secure code is challenging, and many Python developers are unaware of common security pitfalls in the language and its standard library.

1. Input Injection

Injection attacks, such as SQL injection and command injection, affect all languages and frameworks. Using raw string concatenation for SQL queries or calling subprocesses with untrusted input can lead to exploitation.

Fix: Use web framework utilities to sanitize input, avoid manual SQL string building, rely on ORM sanitization, and employ shlex for safe shell argument handling.

2. XML Parsing

Parsing untrusted XML can trigger denial‑of‑service attacks like the “billion laughs” entity expansion or external entity inclusion, allowing attackers to consume excessive memory or access internal resources.

Fix: Replace vulnerable standard library parsers with defusedxml, which disables dangerous features.

3. Assert Statements

Using assert for security checks is unsafe because assertions are stripped when Python runs with optimizations, bypassing the check.

Fix: Reserve assert for unit tests only; perform runtime validation with explicit checks.

4. Timing Attacks

Timing attacks measure the duration of operations to infer secret data, which can be feasible for local command‑line tools.

Fix: Use secrets.compare_digest (available from Python 3.5) for constant‑time comparisons.

5. Compromised site‑packages or Import Path

Installing malicious packages that mimic popular names or exploiting deep dependency chains can execute arbitrary code.

Fix: Audit third‑party packages with tools like PyUp.io, use virtual environments, and verify package signatures.

6. Temporary Files

Creating temporary files via mktemp() is unsafe because another process may create a file with the same name between calls.

Fix: Use the tempfile module, specifically mkstemp(), which creates a secure temporary file.

7. Using yaml.load

Calling yaml.load on untrusted data can execute arbitrary code, similar to pickle.load.

Fix: Always use yaml.safe_load unless a trusted loader is required.

8. Pickle Vulnerabilities

Deserializing untrusted data with pickle allows attackers to define a __reduce__ method that runs arbitrary commands.

Fix: Never unpickle data from untrusted sources; prefer safe formats like JSON.

9. Using System‑Provided Python Without Patching

Many operating systems ship outdated Python 2 versions with known memory‑corruption bugs.

Fix: Install the latest Python release and apply security updates promptly.

10. Unpatched Dependency Vulnerabilities

Neglecting to update third‑party packages leaves known vulnerabilities unaddressed.

Fix: Regularly check dependencies with services such as PyUp.io, submit pull/merge requests for updates, and use tools like InSpec to verify installed versions.