Exemple #1
0
def _evaluate_ast(node):
    if not isinstance(node.parent, ast.BinOp):
        return (False, "")

    out = utils.concat_string(node, node.parent)
    if isinstance(out[0].parent, ast.Call):  # wrapped in "execute" call?
        names = ['execute', 'executemany']
        name = utils.get_called_name(out[0].parent)
        return (name in names, out[1])
    return (False, out[1])
Exemple #2
0
def _evaluate_ast(node):
    if not isinstance(node.parent, ast.BinOp):
        return (False, "")

    out = utils.concat_string(node, node.parent)
    if isinstance(out[0].parent, ast.Call):  # wrapped in "execute" call?
        names = ['execute', 'executemany']
        name = utils.get_called_name(out[0].parent)
        return (name in names, out[1])
    return (False, out[1])
Exemple #3
0
def _evaluate_ast(node):
    wrapper = None
    statement = ''

    if isinstance(node.parent, ast.BinOp):
        out = utils.concat_string(node, node.parent)
        wrapper = out[0].parent
        statement = out[1]
    elif (isinstance(node.parent, ast.Attribute)
          and node.parent.attr == 'format'):
        statement = node.s
        # Hierarchy for "".format() is Wrapper -> Call -> Attribute -> Str
        wrapper = node.parent.parent.parent

    if isinstance(wrapper, ast.Call):  # wrapped in "execute" call?
        names = ['execute', 'executemany']
        name = utils.get_called_name(wrapper)
        return (name in names, statement)
    else:
        return (False, statement)
Exemple #4
0
def _evaluate_ast(node):
    wrapper = None
    statement = ""

    if isinstance(node._bandit_parent, ast.BinOp):
        out = utils.concat_string(node, node._bandit_parent)
        wrapper = out[0]._bandit_parent
        statement = out[1]
    elif (isinstance(node._bandit_parent, ast.Attribute)
          and node._bandit_parent.attr == "format"):
        statement = node.s
        # Hierarchy for "".format() is Wrapper -> Call -> Attribute -> Str
        wrapper = node._bandit_parent._bandit_parent._bandit_parent
    elif hasattr(ast, "JoinedStr") and isinstance(node._bandit_parent,
                                                  ast.JoinedStr):
        statement = node.s
        wrapper = node._bandit_parent._bandit_parent

    if isinstance(wrapper, ast.Call):  # wrapped in "execute" call?
        names = ["execute", "executemany"]
        name = utils.get_called_name(wrapper)
        return (name in names, statement)
    else:
        return (False, statement)