Install word_list, raise exception if cannot find
Previously, the default bandit.yaml config file had an entry for a relative word-list which is only really useful if running bandit from git, as the path is relative and the default word-list is not installed by the bandit python package. If the word-list from the config cannot be found, the current behavior is to silently continue with an empty set, meaning that this test does not function at all - giving a false sense of assurance. This change installs the default word_list to: - /usr/local/share/bandit/wordlist/default-passwords The config file now supports "%(site_data_dir)s" for substitution, which is replaced by distro standard site_data locations (including /usr/local and /usr). The first substitution attempted is still relative to the pwd, to allow the current working tree (and unit tests) to function. Crucially, this change now raises an exception if the declared word-list cannot be found. Closes-Bug: #1451575 Signed-off-by: Dave Walker (Daviey) <email@daviey.com> Change-Id: Ia090ee6b16866d374191c03de55529fbd6a10c99
This commit is contained in:
parent
c7f582271c
commit
78643c5b21
|
@ -107,7 +107,9 @@ blacklist_imports:
|
|||
message: "Consider possible security implications associated with {module} module."
|
||||
|
||||
hardcoded_password:
|
||||
word_list: "wordlist/default-passwords"
|
||||
# Support for full path, relative path and special "%(site_data_dir)s"
|
||||
# substitution (/usr/{local}/share)
|
||||
word_list: "%(site_data_dir)s/wordlist/default-passwords"
|
||||
|
||||
ssl_with_bad_version:
|
||||
bad_protocol_versions:
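Review bot: The new comment on `word_list` says full and relative paths are supported but not which candidate wins when `%(site_data_dir)s` is used: per the commit description (and the `['.'] + site_data_dir(...)` list in the plugin hunk) the current working directory is tried before any site data dir, so a `wordlist/default-passwords` file in the tree bandit is run from silently replaces the installed list — when the scanner is run from the root of an untrusted checkout, the scanned project can thereby ship an empty list and neuter this check. Document that precedence in the config, e.g. `# NOTE: "%(site_data_dir)s" is first tried as "." (the working directory), which takes precedence over the installed copy`, and consider making the installed location the default with the relative lookup opt-in. The `(/usr/{local}/share)` hint would read more clearly as `(/usr/local/share or /usr/share)`.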
|
||||
|
|
|
@ -14,27 +14,56 @@
|
|||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
import os.path
|
||||
import warnings
|
||||
|
||||
from appdirs import site_data_dir
|
||||
|
||||
import bandit
|
||||
from bandit.core.test_properties import *
|
||||
|
||||
|
||||
def find_word_list(cfg_word_list_f):
|
||||
if not isinstance(cfg_word_list_f, str):
|
||||
return None
|
||||
try:
|
||||
cfg_word_list_f % {'site_data_dir': ''}
|
||||
except TypeError:
|
||||
return cfg_word_list_f
|
||||
|
||||
site_data_dirs = ['.'] + site_data_dir("bandit", "",
|
||||
multipath=True).split(':')
|
||||
for dir in site_data_dirs:
|
||||
word_list_path = cfg_word_list_f % {'site_data_dir': dir}
|
||||
if os.path.isfile(word_list_path):
|
||||
if dir == ".":
|
||||
warnings.warn("Using relative path for word_list: %s"
|
||||
% word_list_path)
|
||||
return word_list_path
|
||||
|
||||
raise RuntimeError("Could not substitute '%(site_data_dir)s' "
|
||||
"to a path with a valid word_list file")
|
||||
|
||||
|
||||
@takes_config
|
||||
@checks('Str')
|
||||
def hardcoded_password(context, config):
|
||||
word_list_file = ""
|
||||
|
||||
# try to read the word list file from config
|
||||
if(config is not None and 'word_list' in config and
|
||||
type(config['word_list']) == str):
|
||||
word_list_file = config['word_list']
|
||||
|
||||
word_list_file = None
|
||||
word_list = []
|
||||
# try to read the word list file from config
|
||||
if (config is not None and 'word_list' in config):
|
||||
try:
|
||||
word_list_file = find_word_list(config['word_list'])
|
||||
except RuntimeError as e:
|
||||
warnings.warn(e.message)
|
||||
return
|
||||
|
||||
# try to open the word list file and read passwords from it
|
||||
try:
|
||||
f = open(word_list_file, 'r')
|
||||
except (OSError, IOError):
|
||||
return
|
||||
raise RuntimeError("Could not open word_list (from config"
|
||||
" file): %s" % word_list_file)
|
||||
else:
|
||||
for word in f:
|
||||
word_list.append(word.strip())
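Review bot: The `except RuntimeError as e:` block in `hardcoded_password` turns the lookup failure from `find_word_list` into a warning plus a bare `return`, so a word list that cannot be found still leaves the check running as a silent no-op on every string literal — exactly the false assurance the commit message says it removes — and `e.message` only exists on Python 2. Letting the exception propagate (using `str(e)` wherever a message is needed) makes the failure loud; the rewrite below also covers the case where the `word_list` key is absent, since `word_list_file` then stays `None` and `open(None, 'r')` raises a `TypeError` that the `(OSError, IOError)` clause does not catch, and it closes the file, which the current code never does. If an absent `word_list` key is meant to disable the plugin rather than be an error, return there instead of raising. Separately, the `TypeError` probe in `find_word_list` never fires for a path without a conversion specifier — `'/abs/path' % {'site_data_dir': ''}` returns the string unchanged — so absolute paths go through the search loop and trigger the "Using relative path" warning on the `.` iteration; `if '%(site_data_dir)s' not in cfg_word_list_f: return cfg_word_list_f` is the reliable test. `hardcoded_password` continues past the end of the hunk, so the tail of the function is outside this review.
```python
    word_list_file = None
    word_list = []
    # try to read the word list file from config; a RuntimeError from
    # find_word_list propagates so a missing list fails loudly
    if config is not None and 'word_list' in config:
        word_list_file = find_word_list(config['word_list'])
    if word_list_file is None:
        raise RuntimeError("hardcoded_password: no word_list configured")

    # try to open the word list file and read passwords from it
    try:
        with open(word_list_file, 'r') as f:
            word_list = [word.strip() for word in f]
    except (OSError, IOError):
        raise RuntimeError("Could not open word_list (from config"
                           " file): %s" % word_list_file)
    # … unchanged: remainder of hardcoded_password, outside the hunk …
```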
|
||||
|
|
|
@ -1,3 +1,4 @@
|
|||
appdirs>=1.3.0 # MIT License
|
||||
PyYAML>=3.1.0
|
||||
six>=1.9.0
|
||||
stevedore>=1.5.0 # Apache 2.0
|
||||
|
|