updates

Author: nocomplexity

docs/checks/base64_check.md

@@ -1,19 +1,43 @@
 # Base64 Statements
 
-Python Code Audit checks for obfuscated text, particularly content encoded with `base64`:
+The Python Code Audit tool detects obfuscated content, particularly code that uses `base64` (and related encodings) for encoding or decoding data.
 
-*  `base64` Encoding / Decoding.
+It specifically checks for the following calls:
 
+* `base64.b64decode`
+* `base64.b64encode`
+* `base64.b85encode`
+* `base64.z85decode`
 
 ## Rationale
 
+Obfuscation using Base64 is a **long-standing and simple technique** commonly employed to conceal malicious code in Python projects. It enables attackers to hide payloads that would otherwise be easily identified.
 
-Obfuscation is a long-standing and straightforward technique often used to conceal malicious code within Python projects. This technique allows attackers to easily hide malware within Python programs.
+The use of obfuscated content is uncommon in well-structured, legitimate Python code and is therefore considered a strong indicator of potential security risks.
 
-The presence of obfuscated content is atypical in well-structured, non-malicious Python code and is a significant indicator of potential security risks.
+It is strongly recommended that any code containing Base64 encoding/decoding be carefully reviewed before deployment to production. **Python Code Audit** performs this check automatically.
 
+**Key red flags include:**
+* `base64.b64decode` followed immediately by `exec()` or `eval()`
+* Long Base64 strings embedded in Python scripts
+* Constructs such as `exec(base64.b64decode(...))` from untrusted sources
 
-It’s recommended to review any code deployed to production using `base64` encoding. **Python Code Audit** does this automatically.
+## Common Malware Patterns
+
+Base64 encoding patterns are frequently found in Python-based malware and droppers:
+
+| Pattern              | Code Snippet                                      | Why It Is Detected                              | Implemented |
+|----------------------|---------------------------------------------------|--------------------------------------------------|-------------|
+| Standard b64 + exec | `exec(base64.b64decode(long_string))`            | Extremely common obfuscation technique           | ✅          |
+| Compressed           | `exec(zlib.decompress(base64.b64decode(...)))`   | Suggests larger hidden payload and evasion       | ✅          |
+| Multi-layer          | `base64.b64decode(base64.b64decode(...))`        | Attempts to bypass simple pattern matching       | ✅          |
+| Bytes decode         | `exec(base64.b64decode(data).decode())`          | Hides intent by decoding to string               | ✅          |
+| Using aliases        | `b64 = base64.b64decode; exec(b64(payload))`     | Evasion of basic static analysis                 | ✅          |
+| Z85 / b85            | `base64.b85decode(...)` or `base64.z85decode(...)` | Non-standard encodings often indicate stealth    | ✅          |
+
+## Security Considerations
+
+Base encoding does not provide confidentiality. As noted in RFC 4648 (Section 12), care must be taken when implementing base encoding and decoding to avoid introducing vulnerabilities.
 
 Security considerations section from RFC 4648 (section 12):
 
@@ -55,8 +79,10 @@ Security Considerations
    distribution.
 ```
 
-## More information
 
-* https://docs.python.org/3/library/base64.html#base64-security
-* https://datatracker.ietf.org/doc/html/rfc4648.html#page-14 
-* [Base64 Malleability in Practice](https://eprint.iacr.org/2022/361.pdf)
+## References
+
+* [Python Documentation – base64](https://docs.python.org/3/library/base64.html)
+* [RFC 4648 – Security Considerations](https://datatracker.ietf.org/doc/html/rfc4648#section-12)
+* [Base64 Malleability in Practice](https://eprint.iacr.org/2022/361.pdf)
+

docs/features.md

@@ -1,7 +1,7 @@
 # Features
 
+**Python Code Audit** is a modern security-focused source code analysis tool for Python, built on a **zero-trust** mindset. It identifies security risks, hidden behaviours, and trust boundaries without ever executing the code. This makes it safe to use on both your own projects and third-party code.
 
-**Python Code Audit** is a modern Python **security** source code analysis tool built on a *zero-trust* mindset. It focuses on identifying security risks, hidden behaviors, and trust boundaries in Python code—without executing it.
 
 :::{admonition} Key Features of Python Code Audit
 :class: tip

pyproject.toml

@@ -7,7 +7,7 @@ name = "codeaudit"
 dynamic = ["version"] # This tells Hatch that version is dynamically determined
 description = 'A modern Python security source code analyzer (SAST) based on distrust.'
 readme = "README.md"
-dependencies = ["fire==0.7.1","pandas==3.0.2","altair==6.0.0"]
+dependencies = ["fire==0.7.1","pandas>=2.3","altair==6.0.0"]
 requires-python = ">=3.11"
 license = "GPL-3.0-or-later"
 keywords = ["SAST", "Python SAST", "SAST API", "Complexity Checker"]

src/codeaudit/__about__.py

@@ -1,4 +1,4 @@
 # SPDX-FileCopyrightText: 2025-present Maikel Mardjan
 #
 # SPDX-License-Identifier: GPL-3.0-or-later
-__version__ = "1.6.5"
+__version__ = "1.6.6a0"

src/codeaudit/data/sastchecks.csv

@@ -52,7 +52,10 @@ Subprocess Usage,subprocess.check_output,Medium,Requires careful input validatio
 Subprocess Usage,subprocess.getstatusoutput,Medium,Requires careful input validation to prevent command injection vulnerabilities.
 Subprocess Usage,subprocess.getoutput,Medium,Requires careful input validation to prevent command injection vulnerabilities.
 Tarfile Extraction,tarfile.TarFile,High,Vulnerable to path traversal attacks if used with untrusted archives.
-Base64 Encoding ,base64,Low,"Base64 encoding is not for security. It only visually hides data and provides no confidentiality. Often used to obfuscate malware in code."
+Base64 Decoding ,base64.b64decode,Medium,"Base64 encoding/decoding is not for security. It only visually hides data and provides no confidentiality. Often used to obfuscate malware in code."
+Base64 Decoding ,base64.z85decode,Medium,Base64 encoding/decoding is not for security. It only visually hides data and provides no confidentiality. Often used to obfuscate malware in code.
+Base64 Decoding ,base64.b85encode,Low,Base64 encoding/decoding is not for security. It only visually hides data and provides no confidentiality. Often used to obfuscate malware in code.
+Base64 Decoding ,base64.b64encode,Low,Base64 encoding/decoding is not for security. It only visually hides data and provides no confidentiality. Often used to obfuscate malware in code.
 XML-RPC Client,xmlrpc.client,High,Vulnerable to denial-of-service via decompression bombs.
 XML-RPC Server,xmlrpc.server.SimpleXMLRPCServer,High,Vulnerable to denial-of-service via decompression bombs.
 Cryptographically Unsafe Randomness,random.random,Low,The pseudo-random generators in this module are not suitable for security purposes. 

tests/test_base64.py

@@ -0,0 +1,31 @@
+# SPDX-FileCopyrightText: 2025-present Maikel Mardjan(https://nocomplexity.com/) and all contributors!
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+import pytest
+from pathlib import Path
+
+from codeaudit.security_checks import perform_validations
+
+
+def test_base64_use():
+    current_file_directory = Path(__file__).parent
+
+    # validation1.py is in a subfolder:
+    validation_file_path = current_file_directory / "validationfiles" / "base64.py"
+
+    result = perform_validations(validation_file_path)
+
+    # actual_data = find_constructs(source, constructs)
+    actual_data = result["result"]
+
+    # This is the expected dictionary
+    expected_data = {
+        "base64.b64encode": [9],
+        "base64.b64decode": [12, 15],
+        "base64.z85decode": [13],
+        "exec": [16],
+        "base64.b85encode": [13],
+    }
+
+    # Assert that the actual data matches the expected data
+    assert actual_data == expected_data

tests/test_standardlibconstructs.py

@@ -42,26 +42,6 @@ def test_os_interfaces():
     assert actual_data == expected_data
 
 
-def test_base64encoding():
-    current_file_directory = Path(__file__).parent
-
-    # validation1.py is in a subfolder:
-    validation_file_path = current_file_directory / "validationfiles" / "base64.py"
-
-    source = read_in_source_file(validation_file_path)
-
-    constructs = {"base64"}
-    actual_data = find_constructs(source, constructs)
-
-    # This is the expected dictionary
-    expected_data = {
-        "base64": [2, 3],
-    }
-
-    # Assert that the actual data matches the expected data
-    assert actual_data == expected_data
-
-
 def test_httpserver_usage():
     current_file_directory = Path(__file__).parent
 

tests/validationfiles/base64.py

@@ -1,4 +1,20 @@
+# SPDX-FileCopyrightText: 2026-present Maikel Mardjan(https://nocomplexity.com/) and all contributors!
+# SPDX-License-Identifier: GPL-3.0-or-later
+
 import base64
-encoded = base64.b64encode(b'data to be encoded')
-data = base64.b64decode(encoded)
-print(data)
+
+payload = b"import os; os.system('malicious command')"
+
+# Encoding (attacker side)
+encoded_b64 = base64.b64encode(payload)
+
+# Decoding patterns (common in malware)
+decoded1 = base64.b64decode(encoded_b64)  # Most common
+decoded2 = base64.z85decode(base64.b85encode(payload))  # Less common
+
+b64 = base64.b64decode
+exec(b64(payload))  # alias use should be detected!
+
+
+print("b64 encoded :", encoded_b64)
+print("b64 decoded :", decoded1)