def test_get_call_name2(self):
    '''Alias map entries replace a dotted prefix of the call target.

    Each case maps one prefix (``a``, ``a.b``, ``a.b.c.d``) to ``alias.x.y``
    and expects the remainder of the original dotted name to be kept.
    '''
    call = ast.parse('a.b.c.d(x,y)').body[0].value
    cases = (
        ({'a': 'alias.x.y'}, 'alias.x.y.b.c.d'),
        ({'a.b': 'alias.x.y'}, 'alias.x.y.c.d'),
        ({'a.b.c.d': 'alias.x.y'}, 'alias.x.y'),
    )
    for aliases, expected in cases:
        self.assertEqual(expected, b_utils.get_call_name(call, aliases))
def test_get_call_name2(self):
    '''Resolve the call name through an alias map, one prefix at a time.

    The same ``a.b.c.d(x,y)`` call is resolved against three single-entry
    alias maps; the aliased prefix is swapped and the tail is preserved.
    '''
    call = ast.parse('a.b.c.d(x,y)').body[0].value
    resolve = lambda aliases: b_utils.get_call_name(call, aliases)  # noqa: E731
    self.assertEqual('alias.x.y.b.c.d', resolve({'a': 'alias.x.y'}))
    self.assertEqual('alias.x.y.c.d', resolve({'a.b': 'alias.x.y'}))
    self.assertEqual('alias.x.y', resolve({'a.b.c.d': 'alias.x.y'}))
def test_get_call_name2(self):
    """Alias map entries replace a dotted prefix of the call target.

    Each case maps one prefix (``a``, ``a.b``, ``a.b.c.d``) to ``alias.x.y``
    and expects the rest of the original dotted name to be kept.
    """
    call = ast.parse("a.b.c.d(x,y)").body[0].value
    expectations = [
        ({"a": "alias.x.y"}, "alias.x.y.b.c.d"),
        ({"a.b": "alias.x.y"}, "alias.x.y.c.d"),
        ({"a.b.c.d": "alias.x.y"}, "alias.x.y"),
    ]
    for aliases, expected in expectations:
        resolved = b_utils.get_call_name(call, aliases)
        self.assertEqual(expected, resolved)
def test_get_call_name2(self):
    """Resolve the call name through an alias map, one prefix at a time.

    The same ``a.b.c.d(x,y)`` call is resolved against three single-entry
    alias maps; the aliased prefix is swapped and the tail is preserved.
    """
    call = ast.parse("a.b.c.d(x,y)").body[0].value

    def resolve(aliases):
        return b_utils.get_call_name(call, aliases)

    self.assertEqual("alias.x.y.b.c.d", resolve({"a": "alias.x.y"}))
    self.assertEqual("alias.x.y.c.d", resolve({"a.b": "alias.x.y"}))
    self.assertEqual("alias.x.y", resolve({"a.b.c.d": "alias.x.y"}))
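def basic_auth_literal(context):
    """Flag a hard-coded HTTP Basic ``Authorization`` header set via ``add_header``.

    Only ``add_header`` calls made on a ``urllib2.Request`` /
    ``urllib.request.Request`` instance are considered.  An issue is reported
    when the header value is a self-contained literal ``"Basic <token>"``, or
    when it is ``"Basic " + <expr>`` / ``"Basic %s" % <expr>`` and ``<expr>``
    is a ``base64.b64encode(...)`` call (or a name / string literal) that
    resolves to a literal ``str``/``bytes`` value.

    :param context: bandit plugin context for the ``Call`` node under inspection
    :return: a ``bandit.Issue`` when a literal credential is found, else ``None``
    """
    call_node = context.node
    parent = s_utils.get_top_parent_node(call_node)
    if not (isinstance(call_node.func, ast.Attribute)
            and call_node.func.attr == 'add_header'):
        return
    request_classes = ('urllib2.Request', 'urllib.request.Request')
    klass_name = next(
        (klass for klass in s_utils.iter_method_classes(parent, call_node, context)
         if klass in request_classes),
        None,
    )
    if klass_name is None:
        return
    # add_header(name, value) takes exactly two positional arguments.
    if len(call_node.args) != 2:
        return
    arg0, arg1 = call_node.args[:2]
    # NOTE(review): ast.Str is deprecated since Python 3.8 in favour of
    # ast.Constant; kept because the file's minimum Python version is not visible here.
    if not (isinstance(arg0, ast.Str) and arg0.s.lower() == 'authorization'):
        return
    if isinstance(arg1, ast.BinOp) and isinstance(arg1.left, ast.Str):
        str_node = arg1.left
        # Remember the enclosing binop so the "Basic " prefix can be tied back
        # to the expression that supplies the credential.
        str_node.parent = arg1
    elif isinstance(arg1, ast.Str):
        str_node = arg1
    else:
        return
    if re.match(r'^basic\s+', str_node.s, flags=re.IGNORECASE) is None:
        return
    issue = bandit.Issue(
        severity=bandit.HIGH,
        confidence=bandit.MEDIUM,
        text='A hard-coded string is being used as an HTTP basic authorization header',
    )
    # A complete literal token.  The base64 alphabet is A-Z a-z 0-9 + / (or
    # - _ for the urlsafe variant) with '=' padding, so '+', '/' and '-' must
    # be accepted next to \w or many real encoded "user:pass" blobs are missed.
    if re.match(r'^basic\s+[\w+/-]{2,}={0,2}$', str_node.s, flags=re.IGNORECASE):
        return issue
    # ``parent`` is only guaranteed to be set on the binop path above; a bare
    # literal that is not a self-contained token has nothing further to inspect.
    binop_node = getattr(str_node, 'parent', None)
    if not isinstance(binop_node, ast.BinOp):
        return
    # Only the '"Basic " + x' and '"Basic %s" % x' shapes, literal on the left.
    if not (isinstance(binop_node.op, (ast.Add, ast.Mod)) and binop_node.left is str_node):
        return
    header_value = None
    if isinstance(binop_node.right, ast.Call):
        call_name = b_utils.get_call_name(binop_node.right, context._context['import_aliases'])
        # Dot escaped: only the base64 module's b64encode variants are meant to match.
        if re.match(r'base64\.(standard_|urlsafe_)?b64encode', call_name) is None:
            return
        header_value = next(
            (value for value in s_utils.get_call_arg_values(parent, binop_node.right, arg=0)
             if isinstance(value, (str, bytes))),
            None,
        )
    elif isinstance(binop_node.right, (ast.Name, ast.Str)):
        header_value = next(
            (value for value in s_utils.iter_expr_literal_values(parent, binop_node.right)
             if isinstance(value, (str, bytes))),
            None,
        )
    # Report only when the encoded material itself is a literal; a value that
    # is computed at runtime (env var, config) is not a hard-coded credential.
    if header_value is None:
        return
    return issue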
def visit_Call(self, node):
    '''Record an ``ast.Call`` in the context and run the ``Call`` test set on it.

    Stores the node as ``context['call']``, its alias-resolved dotted target as
    ``context['qualname']`` and the bare final component as ``context['name']``,
    then feeds the resulting scores into ``update_scores``.

    :param node: The ``ast.Call`` node being inspected
    :return: -
    '''
    self.context['call'] = node
    qualified = b_utils.get_call_name(node, self.import_aliases)
    self.context['qualname'] = qualified
    # Bare name is the last dotted component, e.g. 'loads' for 'pickle.loads'.
    self.context['name'] = qualified.rsplit('.', 1)[-1]
    scores = self.tester.run_tests(self.context, 'Call')
    self.update_scores(scores)
def visit_Call(self, node):
    """Populate the context for an ``ast.Call`` and run the ``Call`` tests.

    Stores the node as ``context["call"]``, its alias-resolved dotted target as
    ``context["qualname"]`` and the bare final component as ``context["name"]``,
    then feeds the resulting scores into ``update_scores``.

    :param node: The ``ast.Call`` node being inspected
    :return: -
    """
    self.context["call"] = node
    qualified = b_utils.get_call_name(node, self.import_aliases)
    self.context["qualname"] = qualified
    # Bare name is the last dotted component, e.g. "loads" for "pickle.loads".
    self.context["name"] = qualified.rsplit(".", 1)[-1]
    scores = self.tester.run_tests(self.context, "Call")
    self.update_scores(scores)
def visit_Call(self, node):
    """Populate the context for an ``ast.Call``, run the ``Call`` tests, then recurse.

    Stores the node as ``context["call"]``, its alias-resolved dotted target as
    ``context["qualname"]`` and the bare final component as ``context["name"]``,
    feeds the resulting scores into ``update_scores`` and finally hands the node
    to ``generic_visit``.

    :param node: The ``ast.Call`` node being inspected
    :return: -
    """
    self.context["call"] = node
    if self.debug:
        logger.debug("visit_Call called (%s)", ast.dump(node))
    qualified = b_utils.get_call_name(node, self.import_aliases)
    self.context["qualname"] = qualified
    # Bare name is the last dotted component, e.g. "loads" for "pickle.loads".
    self.context["name"] = qualified.rsplit(".", 1)[-1]
    scores = self.tester.run_tests(self.context, "Call")
    self.update_scores(scores)
    self.generic_visit(node)
def requests_auth_literal(context):
    """Flag literal credentials passed to ``requests`` through the ``auth=`` keyword.

    Two shapes are reported: a literal ``auth`` value already resolved by the
    context (a 2-element list/tuple gets HIGH confidence, anything else
    MEDIUM), and an ``auth=HTTPBasicAuth(...)`` / ``HTTPDigestAuth(...)``
    call whose username/password arguments resolve to literals.

    :param context: bandit plugin context for the ``Call`` node under inspection
    :return: a ``bandit.Issue`` (or whatever ``report_hardcoded_credentials``
             returns) when literal credentials are found, else ``None``
    """
    # NOTE(review): the trailing empty alternative makes the method group
    # optional, so any "requests."-prefixed qualified name passes this gate
    # (e.g. requests.delete, requests.patch) — presumably intended; confirm.
    if re.match(r'requests\.(get|head|post|put|)', context.call_function_name_qual) is None:
        return
    call_node = context.node
    keyword_nodes = {kw.arg: kw.value for kw in call_node.keywords}
    if 'auth' not in keyword_nodes:
        return
    # Fast path: the context already resolved ``auth`` to a literal value.
    literal_auth = context.call_keywords.get('auth')
    if literal_auth is not None:
        is_credential_pair = isinstance(literal_auth, (list, tuple)) and len(literal_auth) == 2
        return bandit.Issue(
            severity=bandit.HIGH,
            confidence=bandit.HIGH if is_credential_pair else bandit.MEDIUM,
            text="Hard-coded credentials are being passed to the requests library for basic authentication.",
        )
    auth_node = keyword_nodes['auth']
    if not isinstance(auth_node, ast.Call):
        return
    # NOTE(review): ``from requests.auth import HTTPBasicAuth`` would resolve
    # to 'requests.auth.HTTPBasicAuth', which this tuple does not list — verify
    # whether that import form is meant to be covered.
    auth_ctor = b_utils.get_call_name(auth_node, context._context['import_aliases'])
    if auth_ctor not in ('requests.HTTPBasicAuth', 'requests.HTTPDigestAuth'):
        return
    root = s_utils.get_top_parent_node(call_node)
    username = next(
        s_utils.get_call_arg_values(root, auth_node, arg=0, child=call_node),
        None,
    )
    password = next(
        s_utils.get_call_arg_values(root, auth_node, arg=1, kwarg='password', child=call_node),
        None,
    )
    return s_utils.report_hardcoded_credentials('requests', username, password)
def test_get_call_name1(self):
    '''With an empty alias map the fully dotted call target comes back unchanged.'''
    call = ast.parse('a.b.c.d(x,y)').body[0].value
    resolved = b_utils.get_call_name(call, {})
    self.assertEqual('a.b.c.d', resolved)
def test_get_call_name1(self):
    '''No aliases: the dotted attribute chain of the call is returned verbatim.'''
    no_aliases = {}
    call = ast.parse('a.b.c.d(x,y)').body[0].value
    self.assertEqual('a.b.c.d', b_utils.get_call_name(call, no_aliases))
def test_get_call_name1(self):
    """With an empty alias map the fully dotted call target comes back unchanged."""
    call = ast.parse("a.b.c.d(x,y)").body[0].value
    resolved = b_utils.get_call_name(call, {})
    self.assertEqual("a.b.c.d", resolved)
def test_get_call_name1(self):
    """No aliases: the dotted attribute chain of the call is returned verbatim."""
    no_aliases = {}
    call = ast.parse("a.b.c.d(x,y)").body[0].value
    self.assertEqual("a.b.c.d", b_utils.get_call_name(call, no_aliases))