Add module loaded through importlib

Bandit only checks whether imports are done using the keyword ``import`` or
``__import__()`` and does not check for blacklisted modules loaded
via importlib.  This patch set adds an additional check for blacklisted
modules loaded via importlib.

Change-Id: I97ed93af1066fa39dfc5be0868ab814c8eadd147
Closes-Bug: #1718516
Signed-off-by: Tin Lam <tin@irrational.io>
Tin Lam 2017-12-28 04:09:01 -06:00
parent 03b390b59b
commit bb1bf81856
3 changed files with 17 additions and 0 deletions


@ -53,6 +53,10 @@ def blacklist(context, config):
name = "" # handle '__import__()'
else:
name = context.call_function_name_qual
# In the case the Call is an importlib.import, treat the first
# argument name as an actual import module name.
if name in ["importlib.import_module", "importlib.__import__"]:
name = context.call_args[0]
for check in blacklists[node_type]:
for qn in check['qualnames']:
if fnmatch.fnmatch(name, qn):
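Review bot: `name = context.call_args[0]` on the line after the new `if` trusts that the call has a positional argument and that it is a string; an `importlib.import_module()` call written without a positional argument raises IndexError here, and an argument that is not a string literal (a variable or expression) reaches `fnmatch.fnmatch(name, qn)` as whatever `context.call_args` yields for it, which — presumably None or some other non-str — raises TypeError inside the plugin instead of producing a finding or being skipped. A guard such as `if name in ("importlib.import_module", "importlib.__import__") and context.call_args and isinstance(context.call_args[0], str):` keeps the check to the case it can actually decide. The fixture added in the second file exercises only string-literal arguments, so neither path is covered by `test_imports_using_importlib` in the third file. The enclosing `blacklist` function starts and ends outside the hunk.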


@ -0,0 +1,5 @@
import importlib
a = importlib.import_module('os')
b = importlib.import_module('pickle')
c = importlib.__import__('sys')
d = importlib.__import__('subprocess')


@ -256,6 +256,14 @@ class FunctionalTests(testtools.TestCase):
}
self.check_example('imports.py', expect)
def test_imports_using_importlib(self):
'''Test for dangerous imports using importlib.'''
expect = {
'SEVERITY': {'UNDEFINED': 0, 'LOW': 2, 'MEDIUM': 0, 'HIGH': 0},
'CONFIDENCE': {'UNDEFINED': 0, 'LOW': 0, 'MEDIUM': 0, 'HIGH': 2}
}
self.check_example('imports-with-importlib.py', expect)
def test_mktemp(self):
'''Test for `tempfile.mktemp`.'''
expect = {