# Tornado (Python) Security

Security vulnerabilities and detection rules for the Tornado framework. 5 rules across 5 CWE categories.

- Total rules: 5
- CWE categories: 5
- Critical rules: 3

## CWEs

- **CWE-22**: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
- **CWE-78**: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
- **CWE-89**: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
- **CWE-90**: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')
- **CWE-200**: Exposure of Sensitive Information to an Unauthorized Actor

## Rules

- **OS Command Injection** [CRITICAL]: Detects untrusted user input flowing into operating system command execution functions without proper sanitization.
- **LDAP Injection** [HIGH]: Detects LDAP queries constructed with unsanitized user input.
- **Path Traversal / Directory Traversal** [HIGH]: Detects untrusted user input being used in file system operations without proper validation.
- **Sensitive Field Exposure in API Response** [CRITICAL]: Detects when sensitive data fields (passwords, tokens, secrets) are exposed through API endpoint responses. This commonly happens when:
  1. Returning user dictionaries with sensitive fields
  2. Serializing ORM objects without excluding sensitive fields
  3. Including sensitive fields in JSON responses

  Security impact:
  - Password hash exposure enabling offline cracking attacks
  - API key/token leakage allowing account takeover
  - Session token exposure enabling session hijacking
  - PII disclosure violating privacy regulations (GDPR, CCPA)
- **SQL Injection via Database Queries** [CRITICAL]: Detects untrusted user input flowing into SQL database queries without proper parameterization.
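An added example (not part of the rule set) that works through the Sensitive Field Exposure rule above: it locates sensitive keys in a nested user record the way the rule would flag them, strips them before serialization (covering plain dicts, lists and ORM-style objects), and shows a Tornado handler applying that step. The field-name pattern, the sample user and the `UserHandler` class are constructed for this example.

```python
import json
import re
from typing import Any
# Constructed pattern for this example; not the rule set's own field list.
SENSITIVE = re.compile(r"password|passwd|secret|token|api_key|apikey|private_key", re.I)

def find_sensitive_fields(obj: Any, path: str = "") -> list:
    """Detection side: dotted paths of sensitive keys in nested dicts/lists."""
    found = []
    if isinstance(obj, dict):
        for key, value in obj.items():
            child = f"{path}.{key}" if path else str(key)
            if SENSITIVE.search(str(key)):
                found.append(child)
            found.extend(find_sensitive_fields(value, child))
    elif isinstance(obj, list):
        for i, value in enumerate(obj):
            found.extend(find_sensitive_fields(value, f"{path}[{i}]"))
    return found

def redact_sensitive(obj: Any) -> Any:
    """Fix side: copy with sensitive keys dropped; ORM-style objects go via vars()."""
    if isinstance(obj, dict):
        return {k: redact_sensitive(v) for k, v in obj.items() if not SENSITIVE.search(str(k))}
    if isinstance(obj, list):
        return [redact_sensitive(v) for v in obj]
    if hasattr(obj, "__dict__") and not isinstance(obj, type):  # ORM-like instance
        return redact_sensitive({k: v for k, v in vars(obj).items() if not k.startswith("_")})
    return obj

# Constructed sample record with placeholder secrets.
SAMPLE_USER = {
    "id": 42, "email": "alice@example.com",
    "password_hash": "$2b$12$placeholderhash", "api_token": "tok_placeholder",
    "profile": {"display_name": "Alice", "recovery_secret": "placeholder"},
}
def vulnerable_response(user: dict) -> str:
    return json.dumps(user)  # what the rule flags: every field, secrets included

def safe_response(user: Any) -> str:
    return json.dumps(redact_sensitive(user))

def make_handler():
    """Tornado handler applying the fix (imports tornado only when called)."""
    import tornado.web
    class UserHandler(tornado.web.RequestHandler):
        def get(self, user_id: str) -> None:
            user = dict(SAMPLE_USER, id=int(user_id))  # stands in for a DB lookup
            self.write(redact_sensitive(user))  # write() JSON-encodes a dict
    return UserHandler
```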