security-modern-python
Secure Modern Python
When to Use
- Reviewing Python code for security vulnerabilities
- Writing secure Python web applications (Flask, Django, FastAPI)
- Implementing secure patterns with modern Python (3.10+) features
- Hardening Python packaging and dependency management
- Auditing Python code handling user input, secrets, or cryptography
When NOT to Use
- Python 2 legacy code (different security considerations)
- Non-Python security reviews
- Infrastructure security without Python components
Common Vulnerability Patterns
Injection
```python
# BAD: SQL injection
cursor.execute(f"SELECT * FROM users WHERE id = {user_id}")
# GOOD: Parameterized query
# (the placeholder style depends on the driver: %s for psycopg, ? for sqlite3)
cursor.execute("SELECT * FROM users WHERE id = %s", (user_id,))
```
Command Injection
```python
import os
import subprocess

# BAD: Shell injection
os.system(f"convert {filename} output.png")
# GOOD: Use subprocess with list args, no shell
subprocess.run(["convert", filename, "output.png"], check=True)
```
Path Traversal
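```python
import os
from pathlib import Path

# BAD: Unvalidated path
path = os.path.join(BASE_DIR, user_input)
# GOOD: Resolve and check containment
base = Path(BASE_DIR).resolve()
path = base.joinpath(user_input).resolve()
# Compare path components: a string startswith() test also matches sibling directories
if not path.is_relative_to(base):
    raise ValueError("Path traversal detected")
```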
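The containment check above, exercised on constructed inputs as an added example (not part of the original skill text); `safe_join`, `PathTraversalError` and the directory names are hypothetical. It goes beyond the snippet by covering absolute paths, a symlink that points out of the base, and a sibling directory that shares the base's string prefix.

```python
import tempfile
from pathlib import Path


class PathTraversalError(ValueError):
    """Raised when a requested path resolves outside the base directory."""


def safe_join(base_dir: Path, user_input: str) -> Path:
    """Return the resolved path for user_input, guaranteed to be inside base_dir."""
    base = Path(base_dir).resolve()
    # resolve() collapses ".." and follows symlinks, so the check below is
    # made against the real location on disk, not the string the user sent.
    candidate = (base / user_input).resolve()
    # is_relative_to() compares whole path components. A string prefix test
    # would treat /srv/uploads_private as being inside /srv/uploads.
    if not candidate.is_relative_to(base):
        raise PathTraversalError(f"{user_input!r} escapes {base}")
    return candidate


def demo() -> dict[str, bool]:
    """Run constructed inputs against a temporary directory tree."""
    results: dict[str, bool] = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp).resolve()
        base = root / "uploads"
        sibling = root / "uploads_private"   # shares the string prefix of base
        base.mkdir()
        sibling.mkdir()
        (sibling / "key.pem").write_text("constructed sample")
        (base / "link").symlink_to(sibling)  # symlink pointing out of base
        cases = {
            "ok": "report.txt",
            "dotdot": "../uploads_private/key.pem",
            "absolute": str(sibling / "key.pem"),
            "symlink": "link/key.pem",
        }
        for name, user_input in cases.items():
            try:
                safe_join(base, user_input)
                results[name] = True
            except PathTraversalError:
                results[name] = False
        # What a naive string-prefix comparison says about the sibling directory.
        escaped = (base / "../uploads_private/key.pem").resolve()
        results["naive_prefix_accepts"] = str(escaped).startswith(str(base))
    return results
```

`demo()` returns `True` only for `ok` among the four inputs, while `naive_prefix_accepts` is `True`, showing the request a prefix comparison would have let through.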
Deserialization
```python
import json
import pickle

# BAD: Arbitrary code execution via pickle
data = pickle.loads(user_data)
# GOOD: Use safe formats
data = json.loads(user_data)
```
Secrets Management
```python
import hmac
import os

# BAD: Hardcoded secrets
API_KEY = "sk-abc123"
# GOOD: Environment variables or secret store
API_KEY = os.environ["API_KEY"]
# GOOD: Constant-time comparison for secrets
hmac.compare_digest(provided_token, expected_token)
```
Modern Python Security Features
| Feature | Version | Security Benefit |
|---|---|---|
| `match` statements | 3.10+ | Safer input dispatching |
| Type hints + mypy | 3.5+ | Catch type confusion bugs |
| `tomllib` | 3.11+ | Safe TOML parsing (read-only) |
| `hashlib.file_digest` | 3.11+ | Correct file hashing |
| Stricter `int()` | 3.11+ | Rejects underscore tricks |
Dependency Security
```bash
# Audit installed packages
pip-audit
# Pin dependencies
pip freeze > requirements.txt
pip install pip-tools && pip-compile --generate-hashes
# Check for known vulnerabilities
safety check -r requirements.txt
```
Checklist
- All user input is validated and sanitized
- SQL uses parameterized queries
- Subprocess calls avoid `shell=True`
- No use of `eval()`, `exec()`, or `pickle` with untrusted data
- Secrets loaded from environment or secret store
- Dependencies pinned with hashes
- HTTPS enforced for all external API calls
- Logging does not include sensitive data