Install word_list, raise exception if cannot find

Previously, the default bandit.yaml config file had an entry
for a relative word-list which is only really useful if
running bandit from git, as the path is both relative but
also the default word-list is not installed by the bandit
python package.

If the word-list from the config cannot be found, the
current behavior is to silently continue with an empty set,
meaning that this test does not function at all - giving a
false sense of assurance.

This change installs the default word_list to:
  - /usr/local/share/bandit/wordlist/default-passwords

The config file now supports "(site_data_dir)" for
substitution, which is replaced by distro standard site_data
locations (including /usr/local and /usr).

The first substitution attempted is still relative to the
pwd, to allow the current working tree (and unit tests) to
function).

Crucially, this change now raises an exception if the
declared word-list cannot be found.

Closes-Bug: #1451575
Signed-off-by: Dave Walker (Daviey) <email@daviey.com>
Change-Id: Ia090ee6b16866d374191c03de55529fbd6a10c99

bandit/config/bandit.yaml

@@ -107,7 +107,9 @@ blacklist_imports:
             message: "Consider possible security implications associated with {module} module."
 
 hardcoded_password:
-    word_list: "wordlist/default-passwords"
+    # Support for full path, relative path and special "%(site_data_dir)s"
+    # substitution (/usr/{local}/share)
+    word_list: "%(site_data_dir)s/wordlist/default-passwords"
 
 ssl_with_bad_version:
     bad_protocol_versions:

bandit/plugins/general_hardcoded_password.py

@@ -14,27 +14,56 @@
 # License for the specific language governing permissions and limitations
 # under the License.
 
+import os.path
+import warnings
+
+from appdirs import site_data_dir
+
 import bandit
 from bandit.core.test_properties import *
 
 
+def find_word_list(cfg_word_list_f):
+    if not isinstance(cfg_word_list_f, str):
+        return None
+    try:
+        cfg_word_list_f % {'site_data_dir': ''}
+    except TypeError:
+        return cfg_word_list_f
+
+    site_data_dirs = ['.'] + site_data_dir("bandit", "",
+                                           multipath=True).split(':')
+    for dir in site_data_dirs:
+        word_list_path = cfg_word_list_f % {'site_data_dir': dir}
+        if os.path.isfile(word_list_path):
+            if dir == ".":
+                warnings.warn("Using relative path for word_list: %s"
+                              % word_list_path)
+            return word_list_path
+
+    raise RuntimeError("Could not substitute '%(site_data_dir)s' "
+                       "to a path with a valid word_list file")
+
+
 @takes_config
 @checks('Str')
 def hardcoded_password(context, config):
-    word_list_file = ""
-
-    # try to read the word list file from config
-    if(config is not None and 'word_list' in config and
-            type(config['word_list']) == str):
-        word_list_file = config['word_list']
-
+    word_list_file = None
     word_list = []
+    # try to read the word list file from config
+    if (config is not None and 'word_list' in config):
+        try:
+            word_list_file = find_word_list(config['word_list'])
+        except RuntimeError as e:
+            warnings.warn(e.message)
+            return
 
     # try to open the word list file and read passwords from it
     try:
         f = open(word_list_file, 'r')
     except (OSError, IOError):
-        return
+        raise RuntimeError("Could not open word_list (from config"
+                           " file): %s" % word_list_file)
     else:
         for word in f:
             word_list.append(word.strip())

requirements.txt

@@ -1,3 +1,4 @@
+appdirs>=1.3.0  # MIT License
 PyYAML>=3.1.0
 six>=1.9.0
 stevedore>=1.5.0  # Apache 2.0

setup.cfg

@@ -32,3 +32,6 @@ bandit.formatters =
 [files]
 package_data =
     bandit = config/bandit.yaml
+data_files =
+    bandit =
+        share/bandit/wordlist/ = wordlist/default-passwords