Commit Graph

117 Commits

Author SHA1 Message Date
lhinds 2d2170273b Project Migration to PyCQA
This change rehomes the project to PyCQA [0] as reported to the
openstack-dev mailing list [1]

[0] https://github.com/PyCQA/bandit
[1] http://lists.openstack.org/pipermail/openstack-dev/2018-April/129386.html

Change-Id: I6aad329a60799ea24a3d9bc49e35c3c35ed9dc3b
2018-05-04 06:59:50 +02:00
Tin Lam 91a796b805 Fix false positives for pyCrypto
This patch set fixes an issue where modules whose names begin with
string ``Crypto`` are incorrectly flagged for pyCrypto imports.  The
fix now explicitly calls out the pyCrypto module one sub-level down to
avoid the false positives.

Change-Id: Iafd3fae2fc7a13a0a93800ee570c4e1354be1391
Closes-Bug: #1749603
Signed-off-by: Tin Lam <tin@irrational.io>
2018-02-18 21:26:48 -06:00
Zuul 6fd7fccf70 Merge "Add pycrypto to blacklist" 2018-02-12 22:45:50 +00:00
Tin Lam dc3ff2d917 Add pycrypto to blacklist
This patch set adds pyCrypto to bandit's blacklist, so bandit will
strongly advise against using pyCrypto. As mentioned in the bug,
this may cause false positives if people use pyCryptodome, but will be
tracked and addressed in follow up patch set.

Depends-On: I0b1a90c3a47ad6d3b18597e5315e9f017854a146
Change-Id: I81f695cd31dee393ab4530dbcdb20dd925bbece2
Closes-Bug: #1655973
2018-02-05 01:00:33 -06:00
Tin Lam 90f031c973 Fix infinite loop issue
Running bandit using relative paths inside a subdirectory when the current
directory contains __init__.py causes bandit to be stuck in an infinite
loop.

Co-Authored-By: Calvin Li
Closes-Bug: #1743042
Change-Id: I247108c1365847134ee561073ea0eb43c57b54cc
2018-02-01 13:10:16 -06:00
Tin Lam bb1bf81856 Add module loaded through importlib
Bandit only checks if imports are done using the keyword ``import`` or
``__import__()`` and does not check for blacklisted modules loaded
via importlib.  This patch set adds an additional check for blacklisted
modules loaded via importlib.

Change-Id: I97ed93af1066fa39dfc5be0868ab814c8eadd147
Closes-Bug: #1718516
Signed-off-by: Tin Lam <tin@irrational.io>
2017-12-28 04:12:35 -06:00
Rajath Agasthya a98519927b Plugin to flag insecure hash functions created using hashlib.new()
Currently, insecure hash function usage by calling hashlib.md5()
is flagged in B303. But these hash functions can also be obtained using
hashlib.new(), by passing 'md4' or 'md5' as an argument. This plugin
checks such usage.

Change-Id: I8d368aea287e1287e5f638b48c4297d355037839
Closes-Bug: #1708582
2017-09-28 21:50:27 -07:00
shangxiaobj 1a3d28b440 [Trivialfix]Fix typos
Fix the typos in bandit.

Change-Id: I93db489ae27c3f4490e988d342802f3f29f9255f
2017-09-13 00:12:18 -07:00
Jenkins 85e5667ddb Merge "Add sha-1 to list of insecure hashes" 2017-09-13 04:13:35 +00:00
Rajath Agasthya 8f1b50b5cc Do not flag new way of escaping in jinja2 plugin
Makes escaping using select_autoescape function valid by checking
for ast.Call instance and if func id == select_autoescape.

Example:

from jinja2 import Environment, PackageLoader, select_autoescape
env = Environment(autoescape=select_autoescape(['html', 'htm', 'xml']),
                  loader=PackageLoader('mypackage'))

Change-Id: I47c6b346332a6d9f7c4c57dd45ab7636c78996a1
Closes-Bug: #1684249
2017-08-02 15:54:56 -07:00
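Added example, not part of the commit above or of Bandit's B701 plugin: a small AST check over constructed sample source that does what the commit describes, treating both autoescape=True and autoescape=select_autoescape(...) as safe, and reporting an Environment() that leaves autoescape unset, sets it to False, or sets it to something that cannot be judged statically. The function names, severities and sample lines are assumptions for illustration, not Bandit identifiers.

```python
import ast

# Added example (not Bandit's B701 plugin): report jinja2 Environment()
# constructions whose autoescape setting leaves HTML escaping off, while
# accepting both autoescape=True and autoescape=select_autoescape(...).


def _is_environment(func):
    """Match Environment(...) and jinja2.Environment(...)."""
    return ((isinstance(func, ast.Name) and func.id == "Environment")
            or (isinstance(func, ast.Attribute) and func.attr == "Environment"))


def _is_select_autoescape(node):
    """Match select_autoescape(...) and jinja2.select_autoescape(...) calls."""
    if not isinstance(node, ast.Call):
        return False
    f = node.func
    return ((isinstance(f, ast.Name) and f.id == "select_autoescape")
            or (isinstance(f, ast.Attribute) and f.attr == "select_autoescape"))


def jinja2_autoescape_issues(source):
    """Return sorted (lineno, severity, message) for each risky Environment()."""
    issues = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call) or not _is_environment(node.func):
            continue
        setting = next((kw.value for kw in node.keywords if kw.arg == "autoescape"), None)
        if setting is None:
            # jinja2's Environment default is autoescape=False
            issues.append((node.lineno, "HIGH", "autoescape not set; jinja2 defaults to off"))
        elif isinstance(setting, ast.Constant) and setting.value is True:
            continue
        elif _is_select_autoescape(setting):
            continue
        elif isinstance(setting, ast.Constant) and setting.value is False:
            issues.append((node.lineno, "HIGH", "autoescape=False"))
        else:
            # a variable or some other callable: cannot prove it escapes
            issues.append((node.lineno, "MEDIUM",
                           "autoescape is not a literal True or select_autoescape()"))
    return sorted(issues)


# Constructed sample input, not taken from the Bandit test suite.
SAMPLE = """from jinja2 import Environment, PackageLoader, select_autoescape
e1 = Environment(loader=PackageLoader("app"))
e2 = Environment(autoescape=False, loader=PackageLoader("app"))
e3 = Environment(autoescape=True, loader=PackageLoader("app"))
e4 = Environment(autoescape=select_autoescape(["html", "htm", "xml"]),
                 loader=PackageLoader("app"))
e5 = Environment(autoescape=settings.AUTOESCAPE)
"""

if __name__ == "__main__":
    for lineno, severity, message in jinja2_autoescape_issues(SAMPLE):
        print(f"line {lineno}: {severity}: {message}")
```

Running the block on the sample reports lines 2 and 3 as HIGH and line 7 as MEDIUM; the select_autoescape() call spanning lines 5 and 6 is accepted.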
Eric Brown e40af23ff6 Blacklist call of ssl._create_unverified_context
The ssl._create_unverified_context creates a context for use with
such classes as HTTPSConnection which will do no certificate or
hostname verification. This should be flagged.

Change-Id: I326316e20ee11034c0a794f41c1bd8ae75720142
2017-03-20 12:19:36 -07:00
Eric Brown 35e35446b0 Add sha-1 to list of insecure hashes
With the news of a first collision implemented [1], bandit should
now start blacklisting the use of sha-1.

The sha-1 hash was added to the existing blacklist check B303 which
currently checks for MD5 and variants.

[1]: https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html

Change-Id: I411d8d4aeb4d740635c60b559ecda72ab951b629
2017-02-25 15:39:37 -08:00
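Added example, not part of either commit above or of Bandit's B303 code: an AST walk over constructed sample source that catches the weak-hash constructors the "Plugin to flag insecure hash functions created using hashlib.new()" commit and the "Add sha-1 to list of insecure hashes" commit describe, both the direct form hashlib.md5() / hashlib.sha1() and the indirect form hashlib.new("md5"), and that also follows from-imports such as `from hashlib import md5 as weak`. The algorithm set, function names and sample lines are assumptions for illustration, not Bandit identifiers.

```python
import ast

# Added example (not Bandit's plugin code): flag weak hash constructors in
# both spellings, hashlib.<name>() and hashlib.new("<name>"). The algorithm
# set is the one the two commits describe: MD4/MD5 and, after the first
# public collision, SHA-1.
WEAK_HASHES = {"md4", "md5", "sha", "sha1"}


def _new_algorithm(call):
    """Algorithm name handed to hashlib.new(), positional or name=..., lower-cased.
    Returns None when the name is not a string literal (cannot decide statically)."""
    arg = call.args[0] if call.args else None
    for kw in call.keywords:
        if kw.arg == "name":
            arg = kw.value
    if isinstance(arg, ast.Constant) and isinstance(arg.value, str):
        return arg.value.lower()
    return None


def weak_hash_calls(source):
    """Return sorted (lineno, algorithm) pairs for every weak-hash call in source."""
    tree = ast.parse(source)
    # Names pulled in with "from hashlib import md5 as weak" map back to the
    # hashlib attribute they refer to.
    from_hashlib = {}
    for node in ast.walk(tree):
        if isinstance(node, ast.ImportFrom) and node.module == "hashlib":
            for alias in node.names:
                from_hashlib[alias.asname or alias.name] = alias.name

    findings = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        if (isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name)
                and func.value.id == "hashlib"):
            attr = func.attr
        elif isinstance(func, ast.Name) and func.id in from_hashlib:
            attr = from_hashlib[func.id]
        else:
            continue
        if attr in WEAK_HASHES:
            findings.append((node.lineno, attr))
        elif attr == "new":
            algo = _new_algorithm(node)
            if algo in WEAK_HASHES:
                findings.append((node.lineno, algo))
    return sorted(findings)


# Constructed sample input, not taken from the Bandit test suite.
SAMPLE = """import hashlib
from hashlib import md5 as weak, sha256
h1 = hashlib.md5(b"x")
h2 = hashlib.new("MD5")
h3 = hashlib.new(name="sha1")
h4 = hashlib.sha256(b"x")
h5 = weak(b"x")
h6 = hashlib.new(algo)
h7 = sha256(b"x")
"""

if __name__ == "__main__":
    for lineno, algo in weak_hash_calls(SAMPLE):
        print(f"line {lineno}: weak hash {algo}")
```

The sample deliberately includes hashlib.new(algo) with a non-literal name: the checker stays silent there rather than guessing, which is the same trade-off a static scanner has to make whenever the value is only known at run time.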
Eric Brown 87c8b70e7b Refactor check_example to be clearer on error
Currently the check_example in test_functional computes sums and
on error tells the developer the difference in sums, which is
confusing and error prone.

It also leads to false positives where sums may be correct, but
the exact number of MEDIUM, HIGH, etc is different. This was the
case for two tests: test_xml and test_secret_config_option.

The general_hardcoded_password test was also broken for py35
because it was assuming function args are ast.Name not ast.arg.
But surprisingly the tests passed because of a syntax error in
the example.

Change-Id: Icd06fb7ca27a8a01d6442f199775d474d436371b
2017-02-23 19:01:46 -08:00
Philip Jones 6ce60806ca Alter SQL injection plugin to consider .format strings
This considers `"{}".format()` style alongside `"%s" % ` string
formatting for possible SQL injection vulnerabilities.

Change-Id: If7b09083bd2cc5e48e5d3fd3e8d5e6142fdb67ed
2017-01-22 13:59:24 +00:00
Jenkins 2516e40d86 Merge "Add Cryptodome to blacklist and weak ciphers/hash" 2017-01-13 13:16:45 +00:00
Eric Brown d4e213445a Add Cryptodome to blacklist and weak ciphers/hash
As stated in the bug, the PyCryptodomex package reintroduces
PyCrypto, but with a different namespace. Therefore Bandit should
also include Cryptodome in its checks.

Change-Id: I6a02f97747420cedfb4523917ea0083ed5792d7a
Closes-Bug: #1655975
2017-01-12 23:53:24 -08:00
Philip Jones 96632b53eb Alter SQL Injection plugin SQL check
The previous version assumed the SQL query would start with `select`,
`insert into`, `update` or `delete from` which rules out queries that
are not so simple, for example queries using `with` such as:

   WITH cte AS (query)
   SELECT something FROM cte;

This version loosens the criteria and considers any string with simple
SQL grammar (e.g. `select` followed by `from` anywhere within) as SQL.

Change-Id: I4c95842474e71aed61abc4bc878f3565a907f7c7
2017-01-11 20:56:30 +00:00
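Added example, not part of the two SQL-injection commits above or of Bandit's B608 plugin: a checker over constructed sample source that applies the loosened SQL grammar test this commit describes (select..from, delete from, insert into, update..set anywhere in the string, so a WITH ... SELECT ... FROM query matches) to strings built with `%` formatting and with `.format()`, as the "Alter SQL injection plugin to consider .format strings" commit adds. It goes one step beyond both commits by also treating f-strings as formatted strings; that extension, the regular expression, the function names and the sample lines are assumptions for illustration.

```python
import ast
import re

# Added example (not Bandit's B608 plugin): find SQL text assembled with
# string formatting. The grammar test is the loosened one the commit
# describes: any string containing select..from, delete from, insert into
# or update..set counts as SQL, so CTEs (WITH ... SELECT ... FROM) match.
SQL_RE = re.compile(
    r"(select\s.*from\s|delete\s+from\s|insert\s+into\s|update\s.*set\s)",
    re.IGNORECASE | re.DOTALL,
)


def _template(node):
    """Literal part of a string-building expression, or None if node is not one."""
    # "... %s ..." % values
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Mod):
        if isinstance(node.left, ast.Constant) and isinstance(node.left.value, str):
            return node.left.value
    # "... {} ...".format(values)
    if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format"):
        base = node.func.value
        if isinstance(base, ast.Constant) and isinstance(base.value, str):
            return base.value
    # f"... {value} ..." (goes beyond the commit, which covers % and .format only)
    if isinstance(node, ast.JoinedStr):
        return "".join(v.value for v in node.values
                       if isinstance(v, ast.Constant) and isinstance(v.value, str))
    return None


def sql_injection_candidates(source):
    """Line numbers of expressions that format values into SQL text."""
    hits = set()
    for node in ast.walk(ast.parse(source)):
        text = _template(node)
        if text is not None and SQL_RE.search(text):
            hits.add(node.lineno)
    return sorted(hits)


# Constructed sample input, not taken from the Bandit test suite. The last
# two lines show the parameterised form that is not reported.
SAMPLE = """q1 = "SELECT name FROM users WHERE id = %s" % uid
q2 = "DELETE FROM users WHERE id = {}".format(uid)
q3 = "WITH cte AS (SELECT id FROM t) SELECT x FROM cte WHERE y = {}".format(y)
q4 = f"UPDATE users SET name = '{name}' WHERE id = 1"
q5 = "Hello, {}".format(name)
q6 = "SELECT name FROM users WHERE id = ?"
cur.execute(q6, (uid,))
"""

if __name__ == "__main__":
    for lineno in sql_injection_candidates(SAMPLE):
        print(f"line {lineno}: SQL built by string formatting")
```

Only the literal half of each expression is inspected, so a plain SQL constant handed to a parameterised execute() (lines 6 and 7 of the sample) is never reported, while the formatted CTE on line 3 is.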
Travis McPeak e3f19b0dca Fixing partial path detection for Windows
This commit updates the check for a partial path in the shell
plugin to recognize Windows paths (c:\something\) as complete
paths.

Change-Id: I0e6e3b83f5464e2fe4b06bc72632bb950b5e3d7e
Closes-Bug: #1650392
2016-12-20 09:57:33 -08:00
Jenkins a9f47e5d03 Merge "Add functional tests for B308, B321, and B402" 2016-12-20 15:33:05 +00:00
Jenkins b40615b8d2 Merge "Handle curve keyword arg weak_cryptographic_key" 2016-12-20 15:31:27 +00:00
Travis McPeak 8f74c51935 Remove checking for special characters in shells
This commit removes our logic that checks for special characters
in shell injection tests.  Really, all we care about is whether
format string characters are being used - if so we're probably
taking some kind of user input.  If not, it doesn't matter
whether we're calling something with special characters.

Change-Id: I7e6a8c45a25608e3a8ab8a7eca8d8f2de5dd9837
Closes-Bug: #1650393
2016-12-19 13:17:55 -08:00
Eric Brown ce17a94c06 Add functional tests for B308, B321, and B402
Several checks lack any functional test as described in the bug.
This patch adds mark_safe and ftplib tests.

There was also a typo in the calls doc where mark_safe was listed
under httpsconnection.

Also, the mark_safe check wasn't working because the full import
path for the call was not specified. That was also corrected.

Change-Id: I6f35fb65cb8c25a474175de99fcac04ea2b7d81e
Closes-Bug: #1648257
2016-12-19 09:41:12 -08:00
Eric Brown ff5ce820a2 Handle curve keyword arg weak_cryptographic_key
The weak_cryptographic_key check was missing the handling of a
curve keyword argument.

Change-Id: I716e4cde550866fe4a99011b7dc945c5f8357eae
Closes-Bug: #1650387
2016-12-18 23:03:19 -08:00
Dave McCowan e98515faf0 Use qualname list to avoid false positive on load()
The code checking for yaml.load() issues had false positives
on json.load() and foo.load().  This patch checks the
qualnames of the load function to avoid false positives.

Change-Id: I22ffb9e852e31d04dc49c4ad949d1417e70f8828
Closes-bug: 1622615
2016-10-06 16:18:07 -04:00
Tim Kelsey ee5ac9ff60 Adding "input()" to the blacklist calls list
Change-Id: Ia74f70334952dc913c9c6a3bf3c100c8fe649c3e
2016-09-20 11:19:43 +01:00
Stanisław Pitucha bc20167599 Skip key checks where size is not constant
Bandit cannot infer the value of local variables yet, so the key size test
will fail when the size is not a constant. Ignore those lines for now.

Change-Id: If0320ab5cb36592e61fc9cf03b2d230c381e2698
Closes-bug: 1546802
2016-08-15 16:43:13 +10:00
zhangyanxian 694dfaa370 Some spelling errors need to be fixed
Change-Id: I1b0d60252554d945c40df08aaad1468c08a02880
2016-08-04 05:31:32 +00:00
Grant Murphy 07f84cb5f5 Add check for httpoxy vulnerability
Change-Id: Ie366b110d33cb940ae176ccb87ef48e024868401
Closes-Bug: #1607907
2016-07-31 21:25:47 -07:00
Jamie Finnigan b6c8b9f01b Catch general exception on per-file basis
This modifies the Bandit manager to catch a general Exception on a
per-file basis. When an exception does occur, the name of the file is
emitted and the file is logged as a 'skipped file' for inclusion in
the end-of-run output. When run in debug mode, a traceback will also
be printed.

The change also adds a new test targeting this case, along with a new
example file (nonsense2.py is gzipped nonsense.py) to trigger the
test.

Change-Id: I86e648890dddcc5c2fff7dd9844678e990b0cd63
Closes-Bug: #1498258
2016-04-13 09:39:21 -07:00
Christopher J Schaefer cac2f22dee Added try_except_continue plugin
Along with a 'try, except, pass' check, we should also check for the
similar existence of 'try, except, continue', which raises the same
type of security implications, given the similar type of functionality.
Using 'continue' in place of 'pass' (inside a loop) currently allows
code to bypass the 'try, except, pass' warning.

Change-Id: I3e7ce037518875c5f5e46e26e1d72ef878f78a2f
2016-03-24 12:09:12 -05:00
Christopher J Schaefer 421e032bc8 Additional baseline candidate test coverage
Additional test cases to improve functional test coverage for baseline
candidate tests. Also includes example files for more complex candidate
comparisons.

Change-Id: I7d05c0f1e3f0d9e0a36c825654d28c19ed4c0bbd
2016-02-25 10:43:26 -06:00
Christopher J Schaefer 5bb712167f Functional tests for baseline comparisons
To help improve test coverage of bandit baseline, a set of functional tests
have been added. These tests will cover multiple baseline comparisons with
different candidate examples.

Change-Id: I290fa023b703463cd20fc449a5eb15ec969c9742
2016-02-19 12:15:25 -06:00
Timothy Kelsey 5180c65d26 Fixing a bug and cleaning up in blacklisting code
Closes-bug: 1536414
Change-Id: I574e8c673c7a7dd197599286ec98f106a6d94fb5
2016-01-21 15:29:21 +00:00
mattvaldes b09c0e38c6 Split yaml blacklist check into its own file
Allow SafeLoader to be passed to the Loader parameter
Closes-bug: 1508490

Change-Id: I7459577e175b5f2a623316e22c63b2d42ba1db25
2016-01-14 15:46:04 -06:00
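Added example, not Bandit's own blacklist code, serving several commits on this page at once: "Fix false positives for pyCrypto" (match blacklisted modules on a dotted-name boundary, one sub-level down, so Cryptodome never matches Crypto), "Add module loaded through importlib" (catch `importlib.import_module("...")` and `__import__("...")` next to plain imports), "Blacklist call of ssl._create_unverified_context", "Use qualname list to avoid false positive on load()" (resolve aliases so yaml.load is found but json.load and foo.load are not) and this commit (accept SafeLoader passed as the Loader). The blacklist entries, names and sample lines are assumptions for illustration; the Cryptodome entries the "Add Cryptodome to blacklist" commit describes would be added to the list as their own items and are left out here.

```python
import ast

# Added example (not Bandit's blacklist plugin). Illustrative blacklist:
# pyCrypto called out one sub-level down, as the "Fix false positives for
# pyCrypto" commit describes, plus one plain module and one call.
BLACKLIST = ("Crypto.Cipher", "Crypto.Hash", "Crypto.PublicKey", "Crypto.Util", "telnetlib")
BLACKLISTED_CALLS = {"ssl._create_unverified_context"}
SAFE_LOADERS = {"yaml.SafeLoader", "yaml.CSafeLoader"}


def _blacklisted(name):
    """Match on a dotted-name boundary so 'Cryptodome.Cipher' never matches 'Crypto'."""
    return any(name == b or name.startswith(b + ".") for b in BLACKLIST)


def _str_arg(call):
    """First positional argument if it is a string literal, else None."""
    if call.args and isinstance(call.args[0], ast.Constant) and isinstance(call.args[0].value, str):
        return call.args[0].value
    return None


def _dotted(node):
    """Turn Name/Attribute chains into 'a.b.c'; None for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if not isinstance(node, ast.Name):
        return None
    parts.append(node.id)
    return ".".join(reversed(parts))


class Scanner(ast.NodeVisitor):
    def __init__(self):
        self.aliases = {}   # local name -> fully qualified name
        self.findings = []  # (lineno, message)

    def qualname(self, node):
        """Resolve 'y.load' to 'yaml.load' after 'import yaml as y', etc."""
        dotted = _dotted(node)
        if dotted is None:
            return None
        head, _, rest = dotted.partition(".")
        head = self.aliases.get(head, head)
        return head + ("." + rest if rest else "")

    def _check_module(self, lineno, name):
        if _blacklisted(name):
            self.findings.append((lineno, f"blacklisted import {name}"))

    def visit_Import(self, node):
        for a in node.names:
            if a.asname:
                self.aliases[a.asname] = a.name
            else:
                self.aliases[a.name.split(".")[0]] = a.name.split(".")[0]
            self._check_module(node.lineno, a.name)

    def visit_ImportFrom(self, node):
        if node.level:  # relative import of the project's own code
            return
        for a in node.names:
            full = f"{node.module}.{a.name}"
            self.aliases[a.asname or a.name] = full
            self._check_module(node.lineno, full)

    def _safe_loader(self, call):
        for kw in call.keywords:
            if kw.arg == "Loader":
                return self.qualname(kw.value) in SAFE_LOADERS
        return len(call.args) > 1 and self.qualname(call.args[1]) in SAFE_LOADERS

    def visit_Call(self, node):
        name = self.qualname(node.func)
        if name in ("__import__", "importlib.import_module"):
            mod = _str_arg(node)
            if mod is not None:
                self._check_module(node.lineno, mod)
        elif name in BLACKLISTED_CALLS:
            self.findings.append((node.lineno, f"blacklisted call {name}"))
        elif name == "yaml.load" and not self._safe_loader(node):
            self.findings.append((node.lineno, "yaml.load without SafeLoader"))
        self.generic_visit(node)


def scan(source):
    s = Scanner()
    s.visit(ast.parse(source))
    return sorted(s.findings)


# Constructed sample input, not taken from the Bandit test suite.
SAMPLE = """import importlib
import ssl
import yaml as y
from yaml import load, SafeLoader
import json
from Crypto.Cipher import AES
from Cryptodome.Cipher import AES as AES2
import Cryptodome.Hash
tn = importlib.import_module("telnetlib")
m = __import__("Crypto.Util")
ctx = ssl._create_unverified_context()
d1 = y.load(doc)
d2 = load(doc, Loader=SafeLoader)
d3 = json.load(fh)
d4 = y.load(doc, y.CSafeLoader)
"""

if __name__ == "__main__":
    for lineno, message in scan(SAMPLE):
        print(f"line {lineno}: {message}")
```

The sample reports lines 6, 9, 10, 11 and 12 and stays quiet on the two Cryptodome imports, the json.load() call and both yaml.load() calls that pass a safe loader, whether by keyword or as the second positional argument.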
Stanisław Pitucha c5e2eb9974 Allow precise #nosec placement
Allow #nosec in exactly the same place the error was reported rather than at the
beginning of a function call. For example the error is reported on the second
line of:

    Popen("foo *",
          shell=True)

so #nosec on the same line should be interpreted correctly.

The original behaviour of #nosec at the start of function call is still allowed
for backwards compatibility.

Plugins which check keyword arguments must explicitly pass the line of the
argument to the Issue constructor now.

Closes-bug: 1477739
Change-Id: I71f25e2920e0533649ad8dc65b9883559fc31311
2016-01-08 10:06:22 +11:00
Jenkins 83d5d843c1 Merge "os.system et al. all spawn a shell so we should use the same logic" 2015-11-13 15:46:14 +00:00
Timothy Kelsey cb08cb03ef os.system et al. all spawn a shell so we should use the same logic
Change-Id: Idee7d98884fd2dd1c8cf0138b82783cdbaad0a26
Closes-bug: 1513840
2015-11-11 14:29:17 +00:00
Timothy Kelsey a5618ba216 Fixing bug when encountering tuple params
Change-Id: Id6cef580083747c31bef149251080be35ab2680a
Closes-bug: 1511767
2015-11-11 11:32:46 +00:00
Cyril Roelandt b72b5029df blacklist_calls: add Python3 and six versions of some functions
Bandit currently only emits warnings for the Python 2 functions.

Closes-Bug: #1512384
Change-Id: Id268dff098ab2ce317017cc636e66801ff14891a
2015-11-06 18:04:44 +01:00
Stanisław Pitucha 47ddb67cb5 Test for bug 1513091
Add a test for case with constructed subprocess call.

Change-Id: If62c04afdb0f19bab3d9ba87ce0c40a0a3e24739
2015-11-05 16:47:51 +11:00
Jenkins bde5f958be Merge "Added missing HTTP verbs to the requests checks" 2015-10-30 08:09:23 +00:00
Robert Clark b258d08a7c Added missing HTTP verbs to the requests checks
According to http://docs.python-requests.org/en/latest/user/advanced/
requests supports many HTTP verbs, however bandit was checking for
use of only two (post and get) - this patch adds support for the
other verbs that requests supports today.

Change-Id: I57df1f1139def0c3663d2377eabbcbe9ca248146
2015-10-30 15:02:08 +09:00
Stanisław Pitucha 70d01d3bc7 Distinguish between formatted and simple commands
Originally shell=True did not check what kind of command is being run.
This patch extends the logic to treat static strings differently than
computed ones (but still, not ignore them).

New checks are split into 3 categories: computed string, static string
with special shell chars, and simple static string. Those have
respectively HIGH, MEDIUM and LOW severity.

New results:

>> Issue: subprocess call with shell=True seems safe, but may be changed
>> in the future, consider rewriting without shell
   Severity: Low   Confidence: High
   Location: examples/subprocess_shell.py:24
24  subprocess.check_output('/bin/ls -l', shell=True)

>> Issue: call with shell=True contains special shell characters,
>> consider moving extra logic into Python code
   Severity: Medium   Confidence: High
   Location: examples/subprocess_shell.py:26
26  subprocess.Popen('/bin/ls *', shell=True)

>> Issue: subprocess call with shell=True identified, security issue.
   Severity: High   Confidence: High
   Location: examples/subprocess_shell.py:27
27  subprocess.Popen('/bin/ls %s' % ('something',), shell=True)
28  subprocess.Popen('/bin/ls {}'.format('something'), shell=True)

co-authored-by: Tim Kelsey <tim.kelsey@hpe.com>
Change-Id: Ib5dde50cd12d2648cd3d67d449b9578e9f2943db
Closes-bug: 1509061
2015-10-23 11:53:35 +01:00
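Added example, not part of the commit above or of Bandit's injection_shell plugin: a classifier over constructed sample source that reproduces the three tiers this commit describes, a computed command string with shell=True (HIGH), a static string containing shell metacharacters (MEDIUM) and a plain static string (LOW). Note that the later "Remove checking for special characters in shells" commit further up this page drops the middle tier again. The metacharacter set, the set of subprocess functions looked at, the names and the sample lines are assumptions for illustration.

```python
import ast
import re

# Added example (not Bandit's plugin code): grade subprocess.* calls that
# pass shell=True by how the command string is built.
SHELL_SPECIALS = re.compile(r"[*?$`|;&<>(){}\[\]~]")
SUBPROCESS_FUNCS = {"Popen", "call", "check_call", "check_output", "run"}


def _is_subprocess_call(func):
    return (isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name)
            and func.value.id == "subprocess" and func.attr in SUBPROCESS_FUNCS)


def _shell_true(call):
    return any(kw.arg == "shell" and isinstance(kw.value, ast.Constant)
               and kw.value.value is True for kw in call.keywords)


def classify_shell_calls(source):
    """Return sorted (lineno, severity) for every subprocess call with shell=True."""
    out = []
    for node in ast.walk(ast.parse(source)):
        if (not isinstance(node, ast.Call) or not _is_subprocess_call(node.func)
                or not _shell_true(node)):
            continue
        cmd = node.args[0] if node.args else next(
            (kw.value for kw in node.keywords if kw.arg == "args"), None)
        if isinstance(cmd, ast.Constant) and isinstance(cmd.value, str):
            # static string: only the shell metacharacters decide the tier
            severity = "MEDIUM" if SHELL_SPECIALS.search(cmd.value) else "LOW"
        else:
            # %-format, .format(), f-string, variable, list, ...: computed command
            severity = "HIGH"
        out.append((node.lineno, severity))
    return sorted(out)


# Constructed sample input modelled on the lines quoted in the commit message.
SAMPLE = """import subprocess
subprocess.check_output('/bin/ls -l', shell=True)
subprocess.Popen('/bin/ls *', shell=True)
subprocess.Popen('/bin/ls %s' % ('something',), shell=True)
subprocess.Popen('/bin/ls {}'.format('something'), shell=True)
subprocess.Popen(['/bin/ls', '-l'], shell=False)
subprocess.run(cmd, shell=True)
"""

if __name__ == "__main__":
    for lineno, severity in classify_shell_calls(SAMPLE):
        print(f"line {lineno}: shell=True, severity {severity}")
```

A command passed as a variable (last sample line) is graded HIGH like the formatted strings, because nothing in the source proves the value is constant.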
Jenkins c1c59686d6 Merge "Add check for Flask app debug=True usage" 2015-10-18 21:24:39 +00:00
Eric Brown 8ae58916dc Add check for weak elliptic curve keys
This expanded check looks for EC keys that are less than 160 bits
(high severity) or 224 bits (medium severity).

Change-Id: If67997e2ceab3dde29c2d0b6ab6370945fce2979
2015-10-14 17:55:39 -07:00
Jamie Finnigan 517ab2f7ab Add check for Flask app debug=True usage
When executed with debug=True, Flask applications expose the Werkzeug
debugger which includes an arbitrary code execution function.

This check looks for a combination of the flask module being imported,
a .run() call, and a named argument debug=True.

Setting it up in plugins/app_debug.py so we can add checks for Django
and perhaps other frameworks in future.

Change-Id: If49e53d0807dfc2fccad6433edc5ef43f5464f22
Implements: blueprint detect-werkzeug-debug-enabled
2015-10-13 13:56:35 -04:00
Eric Brown 057e63f3ae Check for insecure cipher modes
ECB is a known insecure cipher mode and needs to be checked for.

Currently this test will only scan for pyca/cryptography's use of
ECB.  Future patches should check for PyCrypto and others.

Change-Id: I27c30cb93e814eb3b3ce6732e94a76128b5b9e81
2015-10-08 23:16:38 -07:00
Travis McPeak 66d5a1c264 Making the /tmp file test more accurate
The previous tmp file check would check for /tmp anywhere in the
string.  This would lead to false positives by finding things
like: my_directory/tmp, which should be ok if my_directory is
protected.  This commit changes the test to only look for strings
which start with /tmp.

We'll also remove the multi-line string stuff because without
/tmp we no longer have a way to test.  We don't have any plugins
left that check for strings in the middle of multiline strings.

To maintain coverage we'll add an example with a multiline
statement and change the testing to use that.

Change-Id: If30da3db93768bc9a6b1c909924204c30f28efad
2015-10-07 15:51:28 +02:00
Tim Kelsey 604ca79759 Improved tests for hardcoded passwords
This replaces the existing hardcoded password test with a number of
smarter tests. None of the new tests utilize a word dictionary; we
now trigger the warnings based on matching variable names and the
like against a list of candidate names:

 - "password"
 - "pass"
 - "passwd"
 - "pwd"
 - "secret"
 - "token"

hardcoded_password_string looks for:
 candidate = "some_string_literal"
 dict[candidate] = "some_string_literal"
 candidate == "some_string_literal"

hardcoded_password_funcarg looks for:
 func_call(candidate="some_string_literal")

hardcoded_password_default looks for:
 def func_def(candidate="some_string_literal"):

All issues are reported as MEDIUM confidence, LOW severity

Closes-bug: #1502348
Closes-bug: #1502343
Closes-bug: #1432887

Change-Id: I36d97ee838a7f08234b759c352649721d07e8ab0
2015-10-06 15:43:33 +01:00
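Added example, not part of the commit above or of Bandit's hardcoded_password plugins: one checker over constructed sample source that implements the three patterns the commit lists, hardcoded_password_string (candidate = "literal", dict["candidate"] = "literal", candidate == "literal"), hardcoded_password_funcarg (func(candidate="literal")) and hardcoded_password_default (def f(candidate="literal")), using the six candidate names from the message. The candidate regular expression, the names and the sample lines are assumptions for illustration; the subscript case relies on the Python 3.9+ AST shape.

```python
import ast
import re

# Added example (not Bandit's plugin code): the candidate names are the six
# the commit lists; the boundary test means "db_password" and "api_token"
# match while "compass" does not. Matching is case-insensitive.
CANDIDATES = ("password", "pass", "passwd", "pwd", "secret", "token")
RE_CANDIDATES = re.compile(r"(^|_)(" + "|".join(CANDIDATES) + r")($|_)", re.IGNORECASE)


def _is_candidate(name):
    return isinstance(name, str) and RE_CANDIDATES.search(name) is not None


def _is_str_literal(node):
    return isinstance(node, ast.Constant) and isinstance(node.value, str) and node.value != ""


def hardcoded_password_issues(source):
    """Return sorted (lineno, kind, name) for every hardcoded credential pattern."""
    issues = []
    for node in ast.walk(ast.parse(source)):
        # hardcoded_password_string: candidate = "...", d["candidate"] = "..."
        if isinstance(node, ast.Assign) and _is_str_literal(node.value):
            for t in node.targets:
                if isinstance(t, ast.Name) and _is_candidate(t.id):
                    issues.append((node.lineno, "string", t.id))
                elif (isinstance(t, ast.Subscript) and isinstance(t.slice, ast.Constant)
                        and _is_candidate(t.slice.value)):
                    issues.append((node.lineno, "string", t.slice.value))
        # hardcoded_password_string: candidate == "..."
        elif isinstance(node, ast.Compare) and isinstance(node.left, ast.Name) \
                and _is_candidate(node.left.id):
            if (any(isinstance(op, ast.Eq) for op in node.ops)
                    and any(_is_str_literal(c) for c in node.comparators)):
                issues.append((node.lineno, "string", node.left.id))
        # hardcoded_password_funcarg: func_call(candidate="...")
        elif isinstance(node, ast.Call):
            for kw in node.keywords:
                if _is_candidate(kw.arg) and _is_str_literal(kw.value):
                    issues.append((node.lineno, "funcarg", kw.arg))
        # hardcoded_password_default: def func_def(candidate="..."):
        elif isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            a = node.args
            positional = a.posonlyargs + a.args
            # defaults align with the trailing positional parameters
            for arg, default in zip(positional[len(positional) - len(a.defaults):], a.defaults):
                if _is_candidate(arg.arg) and _is_str_literal(default):
                    issues.append((node.lineno, "default", arg.arg))
            for arg, default in zip(a.kwonlyargs, a.kw_defaults):
                if default is not None and _is_candidate(arg.arg) and _is_str_literal(default):
                    issues.append((node.lineno, "default", arg.arg))
    return sorted(issues)


# Constructed sample input, not taken from the Bandit test suite. The last
# two lines are the negative cases: a value read from the environment and a
# string assigned to a name that is not a candidate.
SAMPLE = """db_password = "hunter2"
config["secret"] = "abc123"
if token == "letmein":
    pass
def login(user, passwd="changeme", *, api_token="xyz"):
    return connect(user, password="s3cret")
password = os.environ["PASSWORD"]
username = "alice"
"""

if __name__ == "__main__":
    for lineno, kind, name in hardcoded_password_issues(SAMPLE):
        print(f"line {lineno}: hardcoded_password_{kind} on {name!r}")
```

As in the commit, every pattern is reported at the same level (the message says MEDIUM confidence, LOW severity), so the block only distinguishes which of the three plugins would have fired.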
Jenkins a3c6942b9e Merge "bad_file_permissions check: Use correct filename" 2015-09-07 08:49:54 +00:00