What's New

Thanks to all our contributors, users, and the many people that make PyT possible! ❤️

If you love PyT, please star our project on GitHub to show your support! ⭐

Unreleased

🎉 New Features

  • Added visiting functions in the tests of while nodes (#186, thanks @adrianbn)

0.42

November 1st, 2018

💥 Breaking Changes

  • Changed trigger file format when specifying specific tainted args (#182, thanks @bcaller)

🎉 New Features

  • Function calls such as list.append and dict.update now propagate taint to the list or dict (#181, thanks @bcaller)

🐛 Bugfixes

  • IfExp (or ternary) expression handling improved (#179, thanks @bcaller)

0.40

September 11th, 2018

📣 Release Highlights

  • Logging changes. Logging verbosity can be changed with -v to -vvv (#172, thanks @bcaller)

💥 Breaking Changes

  • Removed --trim option (#169)

🎉 New Features

  • Added --only-unsanitised flag to not print sanitised vulnerabilities (#172, thanks @bcaller)

🐛 Bugfixes

  • Recursive functions don't cause RecursionError (#173, thanks @bcaller)
  • Handling of chained functions improved (#171, thanks @bcaller)

0.39

August 21st, 2018

🎉 New Features

  • Added handling of assignment unpacking e.g. a, b, c = d (#164, thanks @bcaller)
  • Made file loading and vulnerability order deterministic (#165, thanks @bcaller)

🐛 Bugfixes

  • Fixed VarsVisitor RuntimeError on code like f(g(a)(b)(c)) (#163, thanks @bcaller)

🔭 Precision

  • Taint propagates from methods of tainted objects (#167, thanks @bcaller)

🐍 Miscellaneous

  • Cleaned test cases of extraneous reassignments (#166, thanks @bcaller)

0.38

August 2nd, 2018

🎉 New Features

🐛 Bugfixes

🐍 Miscellaneous

0.37

July 30th, 2018

🎉 New Features

  • Ability to analyze directories, -r Recursive option (#129, thanks @omergunal)
  • Added --dont-prepend-root option, makes it so that we don't require imports start with project_root.* (#151, thanks @bcaller)
  • Added --no-local-imports option, to require absolute imports be relative to the project root (#151, thanks @bcaller)
  • PEP 498 support, formatted string literals (#142, thanks @bcaller)
  • PEP 526 support, syntax for variable annotations (#143, thanks @bcaller)
  • Whitelist lines of sources and sinks ending in # nosec (#121, thanks @omergunal)

🔭 Precision

  • Added per-arg taint, for sink functions (#147, thanks @bcaller)
  • AugAssign, Yield, and YieldFrom taint propagation improvements (#155, thanks @bcaller)
  • Improved tuple assignment to be more precise and support starargs (#150, thanks @bcaller)

🐛 Bugfixes

  • Fixed a bug where get_call_names only handled ast.Attribute nodes (#148, thanks @bcaller)
  • Fixed a bug where vars_visitor.py crashed on Python 3.5 dict syntax (#144, thanks @bcaller)

🎭 Performance

  • Added an lru_cache to the generate_ast function (#153, thanks @bcaller)

🎓 Walkthrough / Help

  • Added README.rst files to almost every directory. (Partially #126)

🐍 Miscellaneous

  • Added tests for vars_visitor.py, making our overall coverage 91% (#139, thanks @stannum-l)
  • Cleaned and organized requirements, setup.py, tox.ini and .travis.yml (#152, thanks @bcaller)
  • Cleaned up the new pyt/core/ folder (#132)
  • Fixed all flake8 errors (#114 & #130, thanks @cclauss)
  • Re-organized the entire codebase into different directories (#126)
  • Return exit code 1 if any non-sanitised vulnerabilities are found (#156, thanks @bcaller)

0.34

April 24th, 2018

🎉 New Features

✨ Usability

  • Combined all source/sink information files and made it the default (#116)

🔭 Precision

  • Fixed a bug where Post.query.paginate propagated taint (#115)
  • Fixed a false-positive where self was marked as taint (#119, thanks @lFatty)

🐛 Bugfixes

  • Fixed a bug where visit_Raise raised a TypeError (#117, thanks @lFatty)
  • Fixed a bug where we were not including pyt/vulnerability_definitions files (#122, thanks @Ekultek)
  • Fixed an infinite loop bug that was caused while handling certain loops (#118)

🐍 Miscellaneous