Add Python rule file

Gillis-SCW · Gillis-SCW · commit 1aa909bba268 · 2025-11-26T11:00:47.000+01:00
diff --git a/README.md b/README.md
@@ -7,10 +7,15 @@ Current version: **1.0.0**
 ### Overview
 This repository contains security rule files designed to be used with AI-assisted developer tools such as GitHub Copilot, Cursor, Windsurf, and other context-aware coding assistants.
 
-Each rule file defines security best practices that guide how AI tools interact with your codebase. They are organized by platform:
-- **Backend** (`backend.md`)
-- **Frontend** (`frontend.md`)
-- **Mobile** (`mobile.md`)
+Each rule file defines security best practices that guide how AI tools interact with your codebase.
+
+#### Platform-Specific Rules
+- **Backend** (`backend.md`) - Server-side security practices
+- **Frontend** (`frontend.md`) - Client-side security practices
+- **Mobile** (`mobile.md`) - Mobile application security
+
+#### Language-Specific Rules
+- **Python** (`language-specific/python.md`) - Python-specific security practices including deserialization, cryptography, and safe coding patterns
 
 ### Purpose
 AI coding assistants are powerful, but they can generate insecure or non-compliant code without proper guidance. These tools work best when contextual rules steer them toward safe, standardized output.
diff --git a/language-specific/python.md b/language-specific/python.md
@@ -0,0 +1,34 @@
+## General Coding Practices
+- Do not use `assert` statements for security checks or input validation.
+
+## Database
+- Use parameterized queries and parameters as a second argument to `cursor.execute()` (e.g., `cursor.execute(sql, (param,))`).
+- For ORMs (SQLAlchemy, Django), use ORM methods and avoid raw SQL with string formatting.
+
+## Code Execution
+- Do not use `eval()` or `exec()` with data from untrusted sources.
+- Always use `subprocess.run()` with `shell=False` (the default). Pass commands and arguments as a list (e.g., `subprocess.run(['ls', '-l', a_variable])`).
+
+## Cryptography & Secrets Management
+- Use the `secrets` module for generating all security-sensitive tokens, keys, or passwords. Do not use the `random` module.
+- Use `hmac.compare_digest()` to compare secrets. Do not use the `==` operator for secrets like API keys or tokens.
+- When working with secret or sensitive information in variables, after use set the variable to `None` and force garbage collection.
+
+## File System and I/O
+- Validate all file paths built from user input. Use `os.path.abspath()` to canonicalize the path, then verify it is inside the intended base directory using `os.path.commonpath([full_path, base_dir]) == os.path.abspath(base_dir)`.
+- Use secure functions for creating temporary files. Prefer `tempfile.mkstemp()` or `tempfile.NamedTemporaryFile` over `tempfile.mktemp()`.
+
+## Networking
+- Configure secure TLS/SSL contexts. Use `ssl.create_default_context()` or `ssl.SSLContext` with modern protocols (e.g., `ssl.PROTOCOL_TLS_CLIENT`).
+- Validate URLs with `ipaddress` before connecting to prevent SSRF.
+
+## Deserialization and Data Parsing
+- Never use `pickle`, `cPickle`, or `dill` to deserialize data from untrusted sources.
+- Do not use `shelve` or `marshal` to deserialize untrusted data.
+- When parsing YAML, always use `yaml.safe_load()`. Never use `yaml.load()`.
+- When parsing XML, disable external entity resolution. Use `xml.etree.ElementTree.XMLParser` with `resolve_entities=False`.
+- When parsing data with `json`, limit the size of the input.
+- Validate regex patterns for ReDoS vulnerabilities. Avoid nested quantifiers like `(a+)+` or `(a*)*`.
+
+
+
