def test_plugin(): sets = [] sets.append(utils.build_conf_dict( 'telnet', 'B401', ['telnetlib'], 'A telnet-related module is being imported. Telnet is ' 'considered insecure. Use SSH or some other encrypted protocol.', 'HIGH' )) sets.append(utils.build_conf_dict( 'marshal', 'B302', ['marshal.load', 'marshal.loads'], 'Deserialization with the marshal module is possibly dangerous.' )) return {'Import': sets, 'ImportFrom': sets, 'Call': sets}
def test_plugin(): sets = [] sets.append( utils.build_conf_dict( 'telnet', 'B401', ['telnetlib'], 'A telnet-related module is being imported. Telnet is ' 'considered insecure. Use SSH or some other encrypted protocol.', 'HIGH')) sets.append( utils.build_conf_dict( 'marshal', 'B302', ['marshal.load', 'marshal.loads'], 'Deserialization with the marshal module is possibly dangerous.')) return {'Import': sets, 'ImportFrom': sets, 'Call': sets}
def test_profile_blacklist_compat(self): data = [utils.build_conf_dict( 'marshal', 'B302', ['marshal.load', 'marshal.loads'], ('Deserialization with the marshal module is possibly ' 'dangerous.'))] profile = {'include': ['B001'], 'blacklist': {'Call': data}} ts = test_set.BanditTestSet(self.config, profile) blacklist = ts.get_tests('Call')[0] self.assertNotIn('Import', blacklist._config) self.assertNotIn('ImportFrom', blacklist._config) self.assertEqual(len(blacklist._config['Call']), 1)
def test_plugin(): sets = [] sets.append( utils.build_conf_dict( "telnet", "B401", ["telnetlib"], "A telnet-related module is being imported. Telnet is " "considered insecure. Use SSH or some other encrypted protocol.", "HIGH", ) ) sets.append( utils.build_conf_dict( "marshal", "B302", ["marshal.load", "marshal.loads"], "Deserialization with the marshal module is possibly dangerous.", ) ) return {"Import": sets, "ImportFrom": sets, "Call": sets}
def test_profile_blacklist_compat(self): data = [utils.build_conf_dict( 'marshal', 'B302', ['marshal.load', 'marshal.loads'], ('Deserialization with the marshal module is possibly ' 'dangerous.'))] profile = {'include': ['B001'], 'blacklist': {'Call': data}} ts = test_set.BanditTestSet(self.config, profile) blacklist = ts.get_tests('Call')[0] self.assertNotIn('Import', blacklist._config) self.assertNotIn('ImportFrom', blacklist._config) self.assertEqual(1, len(blacklist._config['Call']))
def test_profile_blacklist_compat(self): data = [ utils.build_conf_dict( "marshal", "B302", issue.Cwe.DESERIALIZATION_OF_UNTRUSTED_DATA, ["marshal.load", "marshal.loads"], ("Deserialization with the marshal module is possibly " "dangerous."), ) ] profile = {"include": ["B001"], "blacklist": {"Call": data}} ts = test_set.BanditTestSet(self.config, profile) blacklist = ts.get_tests("Call")[0] self.assertNotIn("Import", blacklist._config) self.assertNotIn("ImportFrom", blacklist._config) self.assertEqual(1, len(blacklist._config["Call"]))
def gen_blacklist(): """Generate a list of items to blacklist. Methods of this type, "bandit.blacklist" plugins, are used to build a list of items that bandit's built in blacklisting tests will use to trigger issues. They replace the older blacklist* test plugins and allow blacklisted items to have a unique bandit ID for filtering and profile usage. :return: a dictionary mapping node types to a list of blacklist data """ sets = [] sets.append( utils.build_conf_dict( "pickle", "B301", [ "pickle.loads", "pickle.load", "pickle.Unpickler", "cPickle.loads", "cPickle.load", "cPickle.Unpickler", "dill.loads", "dill.load", "dill.Unpickler", "shelve.open", "shelve.DbfilenameShelf", ], "Pickle and modules that wrap it can be unsafe when used to " "deserialize untrusted data, possible security issue.", ) ) sets.append( utils.build_conf_dict( "marshal", "B302", ["marshal.load", "marshal.loads"], "Deserialization with the marshal module is possibly dangerous.", ) ) sets.append( utils.build_conf_dict( "md5", "B303", [ "hashlib.md5", "hashlib.sha1", "Crypto.Hash.MD2.new", "Crypto.Hash.MD4.new", "Crypto.Hash.MD5.new", "Crypto.Hash.SHA.new", "Cryptodome.Hash.MD2.new", "Cryptodome.Hash.MD4.new", "Cryptodome.Hash.MD5.new", "Cryptodome.Hash.SHA.new", "cryptography.hazmat.primitives.hashes.MD5", "cryptography.hazmat.primitives.hashes.SHA1", ], "Use of insecure MD2, MD4, MD5, or SHA1 hash function.", ) ) sets.append( utils.build_conf_dict( "ciphers", "B304", [ "Crypto.Cipher.ARC2.new", "Crypto.Cipher.ARC4.new", "Crypto.Cipher.Blowfish.new", "Crypto.Cipher.DES.new", "Crypto.Cipher.XOR.new", "Cryptodome.Cipher.ARC2.new", "Cryptodome.Cipher.ARC4.new", "Cryptodome.Cipher.Blowfish.new", "Cryptodome.Cipher.DES.new", "Cryptodome.Cipher.XOR.new", "cryptography.hazmat.primitives.ciphers.algorithms.ARC4", "cryptography.hazmat.primitives.ciphers.algorithms.Blowfish", "cryptography.hazmat.primitives.ciphers.algorithms.IDEA", ], "Use of insecure cipher {name}. Replace with a known secure" " cipher such as AES.", "HIGH", ) ) sets.append( utils.build_conf_dict( "cipher_modes", "B305", ["cryptography.hazmat.primitives.ciphers.modes.ECB"], "Use of insecure cipher mode {name}.", ) ) sets.append( utils.build_conf_dict( "mktemp_q", "B306", ["tempfile.mktemp"], "Use of insecure and deprecated function (mktemp).", ) ) sets.append( utils.build_conf_dict( "eval", "B307", ["eval"], "Use of possibly insecure function - consider using safer " "ast.literal_eval.", ) ) sets.append( utils.build_conf_dict( "mark_safe", "B308", ["django.utils.safestring.mark_safe"], "Use of mark_safe() may expose cross-site scripting " "vulnerabilities and should be reviewed.", ) ) sets.append( utils.build_conf_dict( "httpsconnection", "B309", [ "httplib.HTTPSConnection", "http.client.HTTPSConnection", "six.moves.http_client.HTTPSConnection", ], "Use of HTTPSConnection on older versions of Python prior to 2.7.9" " and 3.4.3 do not provide security, see " "https://wiki.openstack.org/wiki/OSSN/OSSN-0033", ) ) sets.append( utils.build_conf_dict( "urllib_urlopen", "B310", [ "urllib.urlopen", "urllib.request.urlopen", "urllib.urlretrieve", "urllib.request.urlretrieve", "urllib.URLopener", "urllib.request.URLopener", "urllib.FancyURLopener", "urllib.request.FancyURLopener", "urllib2.urlopen", "urllib2.Request", "six.moves.urllib.request.urlopen", "six.moves.urllib.request.urlretrieve", "six.moves.urllib.request.URLopener", "six.moves.urllib.request.FancyURLopener", ], "Audit url open for permitted schemes. Allowing use of file:/ or " "custom schemes is often unexpected.", ) ) sets.append( utils.build_conf_dict( "random", "B311", [ "random.random", "random.randrange", "random.randint", "random.choice", "random.choices", "random.uniform", "random.triangular", ], "Standard pseudo-random generators are not suitable for " "security/cryptographic purposes.", "LOW", ) ) sets.append( utils.build_conf_dict( "telnetlib", "B312", ["telnetlib.*"], "Telnet-related functions are being called. Telnet is considered " "insecure. Use SSH or some other encrypted protocol.", "HIGH", ) ) # Most of this is based off of Christian Heimes' work on defusedxml: # https://pypi.org/project/defusedxml/#defusedxml-sax xml_msg = ( "Using {name} to parse untrusted XML data is known to be " "vulnerable to XML attacks. Replace {name} with its " "defusedxml equivalent function or make sure " "defusedxml.defuse_stdlib() is called" ) sets.append( utils.build_conf_dict( "xml_bad_cElementTree", "B313", [ "xml.etree.cElementTree.parse", "xml.etree.cElementTree.iterparse", "xml.etree.cElementTree.fromstring", "xml.etree.cElementTree.XMLParser", ], xml_msg, ) ) sets.append( utils.build_conf_dict( "xml_bad_ElementTree", "B314", [ "xml.etree.ElementTree.parse", "xml.etree.ElementTree.iterparse", "xml.etree.ElementTree.fromstring", "xml.etree.ElementTree.XMLParser", ], xml_msg, ) ) sets.append( utils.build_conf_dict( "xml_bad_expatreader", "B315", ["xml.sax.expatreader.create_parser"], xml_msg, ) ) sets.append( utils.build_conf_dict( "xml_bad_expatbuilder", "B316", ["xml.dom.expatbuilder.parse", "xml.dom.expatbuilder.parseString"], xml_msg, ) ) sets.append( utils.build_conf_dict( "xml_bad_sax", "B317", ["xml.sax.parse", "xml.sax.parseString", "xml.sax.make_parser"], xml_msg, ) ) sets.append( utils.build_conf_dict( "xml_bad_minidom", "B318", ["xml.dom.minidom.parse", "xml.dom.minidom.parseString"], xml_msg, ) ) sets.append( utils.build_conf_dict( "xml_bad_pulldom", "B319", ["xml.dom.pulldom.parse", "xml.dom.pulldom.parseString"], xml_msg, ) ) sets.append( utils.build_conf_dict( "xml_bad_etree", "B320", [ "lxml.etree.parse", "lxml.etree.fromstring", "lxml.etree.RestrictedElement", "lxml.etree.GlobalParserTLS", "lxml.etree.getDefaultParser", "lxml.etree.check_docinfo", ], ( "Using {name} to parse untrusted XML data is known to be " "vulnerable to XML attacks. Replace {name} with its " "defusedxml equivalent function." ), ) ) # end of XML tests sets.append( utils.build_conf_dict( "ftplib", "B321", ["ftplib.*"], "FTP-related functions are being called. FTP is considered " "insecure. Use SSH/SFTP/SCP or some other encrypted protocol.", "HIGH", ) ) # skipped B322 as the check for a call to input() has been removed sets.append( utils.build_conf_dict( "unverified_context", "B323", ["ssl._create_unverified_context"], "By default, Python will create a secure, verified ssl context for" " use in such classes as HTTPSConnection. However, it still allows" " using an insecure context via the _create_unverified_context " "that reverts to the previous behavior that does not validate " "certificates or perform hostname checks.", ) ) # skipped B324 (used in bandit/plugins/hashlib_new_insecure_functions.py) sets.append( utils.build_conf_dict( "tempnam", "B325", ["os.tempnam", "os.tmpnam"], "Use of os.tempnam() and os.tmpnam() is vulnerable to symlink " "attacks. Consider using tmpfile() instead.", ) ) return {"Call": sets}
def gen_blacklist(): """Generate a list of items to blacklist. Methods of this type, "bandit.blacklist" plugins, are used to build a list of items that bandit's built in blacklisting tests will use to trigger issues. They replace the older blacklist* test plugins and allow blacklisted items to have a unique bandit ID for filtering and profile usage. :return: a dictionary mapping node types to a list of blacklist data """ sets = [] sets.append(utils.build_conf_dict( 'import_telnetlib', 'B401', ['telnetlib'], 'A telnet-related module is being imported. Telnet is ' 'considered insecure. Use SSH or some other encrypted protocol.', 'HIGH' )) sets.append(utils.build_conf_dict( 'import_ftplib', 'B402', ['ftplib'], 'A FTP-related module is being imported. FTP is considered ' 'insecure. Use SSH/SFTP/SCP or some other encrypted protocol.', 'HIGH' )) sets.append(utils.build_conf_dict( 'import_pickle', 'B403', ['pickle', 'cPickle'], 'Consider possible security implications associated with ' '{name} module.', 'LOW' )) sets.append(utils.build_conf_dict( 'import_subprocess', 'B404', ['subprocess'], 'Consider possible security implications associated with ' '{name} module.', 'LOW' )) # Most of this is based off of Christian Heimes' work on defusedxml: # https://pypi.python.org/pypi/defusedxml/#defusedxml-sax xml_msg = ('Using {name} to parse untrusted XML data is known to be ' 'vulnerable to XML attacks. Replace {name} with the equivalent ' 'defusedxml package, or make sure defusedxml.defuse_stdlib() ' 'is called.') lxml_msg = ('Using {name} to parse untrusted XML data is known to be ' 'vulnerable to XML attacks. Replace {name} with the ' 'equivalent defusedxml package.') sets.append(utils.build_conf_dict( 'import_xml_etree', 'B405', ['xml.etree.cElementTree', 'xml.etree.ElementTree'], xml_msg, 'LOW')) sets.append(utils.build_conf_dict( 'import_xml_sax', 'B406', ['xml.sax'], xml_msg, 'LOW')) sets.append(utils.build_conf_dict( 'import_xml_expat', 'B407', ['xml.dom.expatbuilder'], xml_msg, 'LOW')) sets.append(utils.build_conf_dict( 'import_xml_minidom', 'B408', ['xml.dom.minidom'], xml_msg, 'LOW')) sets.append(utils.build_conf_dict( 'import_xml_pulldom', 'B409', ['xml.dom.pulldom'], xml_msg, 'LOW')) sets.append(utils.build_conf_dict( 'import_lxml', 'B410', ['lxml'], lxml_msg, 'LOW')) sets.append(utils.build_conf_dict( 'import_xmlrpclib', 'B411', ['xmlrpclib'], 'Using {name} to parse untrusted XML data is known to be ' 'vulnerable to XML attacks. Use defused.xmlrpc.monkey_patch() ' 'function to monkey-patch xmlrpclib and mitigate XML ' 'vulnerabilities.', 'HIGH')) sets.append(utils.build_conf_dict( 'import_httpoxy', 'B412', ['wsgiref.handlers.CGIHandler', 'twisted.web.twcgi.CGIScript', 'twisted.web.twcgi.CGIDirectory'], 'Consider possible security implications associated with ' '{name} module.', 'HIGH' )) return {'Import': sets, 'ImportFrom': sets, 'Call': sets}
def gen_blacklist(): """Generate a list of items to blacklist. Methods of this type, "bandit.blacklist" plugins, are used to build a list of items that bandit's built in blacklisting tests will use to trigger issues. They replace the older blacklist* test plugins and allow blacklisted items to have a unique bandit ID for filtering and profile usage. :return: a dictionary mapping node types to a list of blacklist data """ sets = [] sets.append( utils.build_conf_dict( "pickle", "B301", ["pickle.loads", "pickle.load", "pickle.Unpickler", "cPickle.loads", "cPickle.load", "cPickle.Unpickler"], "Pickle library appears to be in use, possible security issue.", ) ) sets.append( utils.build_conf_dict( "marshal", "B302", ["marshal.load", "marshal.loads"], "Deserialization with the marshal module is possibly dangerous.", ) ) sets.append( utils.build_conf_dict( "md5", "B303", [ "hashlib.md5", "Crypto.Hash.MD2.new", "Crypto.Hash.MD4.new", "Crypto.Hash.MD5.new", "cryptography.hazmat.primitives.hashes.MD5", ], "Use of insecure MD2, MD4, or MD5 hash function.", ) ) sets.append( utils.build_conf_dict( "ciphers", "B304", [ "Crypto.Cipher.ARC2.new", "Crypto.Cipher.ARC4.new", "Crypto.Cipher.Blowfish.new", "Crypto.Cipher.DES.new", "Crypto.Cipher.XOR.new", "cryptography.hazmat.primitives.ciphers.algorithms.ARC4", "cryptography.hazmat.primitives.ciphers.algorithms.Blowfish", "cryptography.hazmat.primitives.ciphers.algorithms.IDEA", ], "Use of insecure cipher {name}. Replace with a known secure" " cipher such as AES.", "HIGH", ) ) sets.append( utils.build_conf_dict( "cipher_modes", "B305", ["cryptography.hazmat.primitives.ciphers.modes.ECB"], "Use of insecure cipher mode {name}.", ) ) sets.append( utils.build_conf_dict( "mktemp_q", "B306", ["tempfile.mktemp"], "Use of insecure and deprecated function (mktemp)." ) ) sets.append( utils.build_conf_dict( "eval", "B307", ["eval"], "Use of possibly insecure function - consider using safer " "ast.literal_eval." ) ) sets.append( utils.build_conf_dict( "mark_safe", "B308", ["mark_safe"], "Use of mark_safe() may expose cross-site scripting " "vulnerabilities and should be reviewed.", ) ) sets.append( utils.build_conf_dict( "httpsconnection", "B309", ["httplib.HTTPSConnection", "http.client.HTTPSConnection", "six.moves.http_client.HTTPSConnection"], "Use of HTTPSConnection does not provide security, see " "https://wiki.openstack.org/wiki/OSSN/OSSN-0033", ) ) sets.append( utils.build_conf_dict( "urllib_urlopen", "B310", [ "urllib.urlopen", "urllib.request.urlopen", "urllib.urlretrieve", "urllib.request.urlretrieve", "urllib.URLopener", "urllib.request.URLopener", "urllib.FancyURLopener", "urllib.request.FancyURLopener", "urllib2.urlopen", "urllib2.Request", "six.moves.urllib.request.urlopen", "six.moves.urllib.request.urlretrieve", "six.moves.urllib.request.URLopener", "six.moves.urllib.request.FancyURLopener", ], "Audit url open for permitted schemes. Allowing use of file:/ or " "custom schemes is often unexpected.", ) ) sets.append( utils.build_conf_dict( "random", "B311", [ "random.random", "random.randrange", "random.randint", "random.choice", "random.uniform", "random.triangular", ], "Standard pseudo-random generators are not suitable for " "security/cryptographic purposes.", "LOW", ) ) sets.append( utils.build_conf_dict( "telnetlib", "B312", ["telnetlib.*"], "Telnet-related funtions are being called. Telnet is considered " "insecure. Use SSH or some other encrypted protocol.", "HIGH", ) ) # Most of this is based off of Christian Heimes' work on defusedxml: # https://pypi.python.org/pypi/defusedxml/#defusedxml-sax xml_msg = ( "Using {name} to parse untrusted XML data is known to be " "vulnerable to XML attacks. Replace {name} with its " "defusedxml equivalent function." ) sets.append( utils.build_conf_dict( "xml_bad_cElementTree", "B313", [ "xml.etree.cElementTree.parse", "xml.etree.cElementTree.iterparse", "xml.etree.cElementTree.fromstring", "xml.etree.cElementTree.XMLParser", ], xml_msg, ) ) sets.append( utils.build_conf_dict( "xml_bad_ElementTree", "B314", [ "xml.etree.ElementTree.parse", "xml.etree.ElementTree.iterparse", "xml.etree.ElementTree.fromstring", "xml.etree.ElementTree.XMLParser", ], xml_msg, ) ) sets.append(utils.build_conf_dict("xml_bad_expatreader", "B315", ["xml.sax.expatreader.create_parser"], xml_msg)) sets.append( utils.build_conf_dict( "xml_bad_expatbuilder", "B316", ["xml.dom.expatbuilder.parse", "xml.dom.expatbuilder.parseString"], xml_msg ) ) sets.append( utils.build_conf_dict( "xml_bad_sax", "B317", ["xml.sax.parse", "xml.sax.parseString", "xml.sax.make_parser"], xml_msg ) ) sets.append( utils.build_conf_dict( "xml_bad_minidom", "B318", ["xml.dom.minidom.parse", "xml.dom.minidom.parseString"], xml_msg ) ) sets.append( utils.build_conf_dict( "xml_bad_pulldom", "B319", ["xml.dom.pulldom.parse", "xml.dom.pulldom.parseString"], xml_msg ) ) sets.append( utils.build_conf_dict( "xml_bad_etree", "B320", [ "lxml.etree.parse", "lxml.etree.fromstring", "lxml.etree.RestrictedElement", "lxml.etree.GlobalParserTLS", "lxml.etree.getDefaultParser", "lxml.etree.check_docinfo", ], xml_msg, ) ) # end of XML tests sets.append( utils.build_conf_dict( "ftplib", "B321", ["ftplib.*"], "FTP-related funtions are being called. FTP is considered " "insecure. Use SSH/SFTP/SCP or some other encrypted protocol.", "HIGH", ) ) return {"Call": sets}
def gen_blacklist(): """Generate a list of items to blacklist. Methods of this type, "bandit.blacklist" plugins, are used to build a list of items that bandit's built in blacklisting tests will use to trigger issues. They replace the older blacklist* test plugins and allow blacklisted items to have a unique bandit ID for filtering and profile usage. :return: a dictionary mapping node types to a list of blacklist data """ sets = [] sets.append( utils.build_conf_dict( 'pickle', 'B301', [ 'pickle.loads', 'pickle.load', 'pickle.Unpickler', 'cPickle.loads', 'cPickle.load', 'cPickle.Unpickler' ], 'Pickle library appears to be in use, possible security issue.')) sets.append( utils.build_conf_dict( 'marshal', 'B302', ['marshal.load', 'marshal.loads'], 'Deserialization with the marshal module is possibly dangerous.')) sets.append( utils.build_conf_dict( 'md5', 'B303', [ 'hashlib.md5', 'Crypto.Hash.MD2.new', 'Crypto.Hash.MD4.new', 'Crypto.Hash.MD5.new', 'Cryptodome.Hash.MD2.new', 'Cryptodome.Hash.MD4.new', 'Cryptodome.Hash.MD5.new', 'cryptography.hazmat.primitives.hashes.MD5' ], 'Use of insecure MD2, MD4, or MD5 hash function.')) sets.append( utils.build_conf_dict( 'ciphers', 'B304', [ 'Crypto.Cipher.ARC2.new', 'Crypto.Cipher.ARC4.new', 'Crypto.Cipher.Blowfish.new', 'Crypto.Cipher.DES.new', 'Crypto.Cipher.XOR.new', 'Cryptodome.Cipher.ARC2.new', 'Cryptodome.Cipher.ARC4.new', 'Cryptodome.Cipher.Blowfish.new', 'Cryptodome.Cipher.DES.new', 'Cryptodome.Cipher.XOR.new', 'cryptography.hazmat.primitives.ciphers.algorithms.ARC4', 'cryptography.hazmat.primitives.ciphers.algorithms.Blowfish', 'cryptography.hazmat.primitives.ciphers.algorithms.IDEA' ], 'Use of insecure cipher {name}. Replace with a known secure' ' cipher such as AES.', 'HIGH')) sets.append( utils.build_conf_dict( 'cipher_modes', 'B305', ['cryptography.hazmat.primitives.ciphers.modes.ECB'], 'Use of insecure cipher mode {name}.')) sets.append( utils.build_conf_dict( 'mktemp_q', 'B306', ['tempfile.mktemp'], 'Use of insecure and deprecated function (mktemp).')) sets.append( utils.build_conf_dict( 'eval', 'B307', ['eval'], 'Use of possibly insecure function - consider using safer ' 'ast.literal_eval.')) sets.append( utils.build_conf_dict( 'mark_safe', 'B308', ['django.utils.safestring.mark_safe'], 'Use of mark_safe() may expose cross-site scripting ' 'vulnerabilities and should be reviewed.')) sets.append( utils.build_conf_dict( 'httpsconnection', 'B309', [ 'httplib.HTTPSConnection', 'http.client.HTTPSConnection', 'six.moves.http_client.HTTPSConnection' ], 'Use of HTTPSConnection on older versions of Python prior to 2.7.9 ' 'and 3.4.3 do not provide security, see ' 'https://wiki.openstack.org/wiki/OSSN/OSSN-0033')) sets.append( utils.build_conf_dict( 'urllib_urlopen', 'B310', [ 'urllib.urlopen', 'urllib.request.urlopen', 'urllib.urlretrieve', 'urllib.request.urlretrieve', 'urllib.URLopener', 'urllib.request.URLopener', 'urllib.FancyURLopener', 'urllib.request.FancyURLopener', 'urllib2.urlopen', 'urllib2.Request', 'six.moves.urllib.request.urlopen', 'six.moves.urllib.request.urlretrieve', 'six.moves.urllib.request.URLopener', 'six.moves.urllib.request.FancyURLopener' ], 'Audit url open for permitted schemes. Allowing use of file:/ or ' 'custom schemes is often unexpected.')) sets.append( utils.build_conf_dict( 'random', 'B311', [ 'random.random', 'random.randrange', 'random.randint', 'random.choice', 'random.uniform', 'random.triangular' ], 'Standard pseudo-random generators are not suitable for ' 'security/cryptographic purposes.', 'LOW')) sets.append( utils.build_conf_dict( 'telnetlib', 'B312', ['telnetlib.*'], 'Telnet-related functions are being called. Telnet is considered ' 'insecure. Use SSH or some other encrypted protocol.', 'HIGH')) # Most of this is based off of Christian Heimes' work on defusedxml: # https://pypi.python.org/pypi/defusedxml/#defusedxml-sax xml_msg = ('Using {name} to parse untrusted XML data is known to be ' 'vulnerable to XML attacks. Replace {name} with its ' 'defusedxml equivalent function or make sure ' 'defusedxml.defuse_stdlib() is called') sets.append( utils.build_conf_dict('xml_bad_cElementTree', 'B313', [ 'xml.etree.cElementTree.parse', 'xml.etree.cElementTree.iterparse', 'xml.etree.cElementTree.fromstring', 'xml.etree.cElementTree.XMLParser' ], xml_msg)) sets.append( utils.build_conf_dict('xml_bad_ElementTree', 'B314', [ 'xml.etree.ElementTree.parse', 'xml.etree.ElementTree.iterparse', 'xml.etree.ElementTree.fromstring', 'xml.etree.ElementTree.XMLParser' ], xml_msg)) sets.append( utils.build_conf_dict('xml_bad_expatreader', 'B315', ['xml.sax.expatreader.create_parser'], xml_msg)) sets.append( utils.build_conf_dict( 'xml_bad_expatbuilder', 'B316', ['xml.dom.expatbuilder.parse', 'xml.dom.expatbuilder.parseString'], xml_msg)) sets.append( utils.build_conf_dict( 'xml_bad_sax', 'B317', ['xml.sax.parse', 'xml.sax.parseString', 'xml.sax.make_parser'], xml_msg)) sets.append( utils.build_conf_dict( 'xml_bad_minidom', 'B318', ['xml.dom.minidom.parse', 'xml.dom.minidom.parseString'], xml_msg)) sets.append( utils.build_conf_dict( 'xml_bad_pulldom', 'B319', ['xml.dom.pulldom.parse', 'xml.dom.pulldom.parseString'], xml_msg)) sets.append( utils.build_conf_dict('xml_bad_etree', 'B320', [ 'lxml.etree.parse', 'lxml.etree.fromstring', 'lxml.etree.RestrictedElement', 'lxml.etree.GlobalParserTLS', 'lxml.etree.getDefaultParser', 'lxml.etree.check_docinfo' ], ('Using {name} to parse untrusted XML data is known to be ' 'vulnerable to XML attacks. Replace {name} with its ' 'defusedxml equivalent function.'))) # end of XML tests sets.append( utils.build_conf_dict( 'ftplib', 'B321', ['ftplib.*'], 'FTP-related functions are being called. FTP is considered ' 'insecure. Use SSH/SFTP/SCP or some other encrypted protocol.', 'HIGH')) sets.append( utils.build_conf_dict( 'input', 'B322', ['input'], 'The input method in Python 2 will read from standard input, ' 'evaluate and run the resulting string as python source code. This ' 'is similar, though in many ways worse, then using eval. On Python ' '2, use raw_input instead, input is safe in Python 3.', 'HIGH')) sets.append( utils.build_conf_dict( 'unverified_context', 'B323', ['ssl._create_unverified_context'], 'By default, Python will create a secure, verified ssl context for ' 'use in such classes as HTTPSConnection. However, it still allows ' 'using an insecure context via the _create_unverified_context that ' 'reverts to the previous behavior that does not validate certificates ' 'or perform hostname checks.')) return {'Call': sets}
def gen_blacklist(): """Generate a list of items to blacklist. Methods of this type, "bandit.blacklist" plugins, are used to build a list of items that bandit's built in blacklisting tests will use to trigger issues. They replace the older blacklist* test plugins and allow blacklisted items to have a unique bandit ID for filtering and profile usage. :return: a dictionary mapping node types to a list of blacklist data """ sets = [] sets.append(utils.build_conf_dict( 'pickle', 'B301', ['pickle.loads', 'pickle.load', 'pickle.Unpickler', 'cPickle.loads', 'cPickle.load', 'cPickle.Unpickler'], 'Pickle library appears to be in use, possible security issue.' )) sets.append(utils.build_conf_dict( 'marshal', 'B302', ['marshal.load', 'marshal.loads'], 'Deserialization with the marshal module is possibly dangerous.' )) sets.append(utils.build_conf_dict( 'md5', 'B303', ['hashlib.md5', 'hashlib.sha1', 'Crypto.Hash.MD2.new', 'Crypto.Hash.MD4.new', 'Crypto.Hash.MD5.new', 'Crypto.Hash.SHA.new', 'Cryptodome.Hash.MD2.new', 'Cryptodome.Hash.MD4.new', 'Cryptodome.Hash.MD5.new', 'Cryptodome.Hash.SHA.new', 'cryptography.hazmat.primitives.hashes.MD5', 'cryptography.hazmat.primitives.hashes.SHA1'], 'Use of insecure MD2, MD4, MD5, or SHA1 hash function.' )) sets.append(utils.build_conf_dict( 'ciphers', 'B304', ['Crypto.Cipher.ARC2.new', 'Crypto.Cipher.ARC4.new', 'Crypto.Cipher.Blowfish.new', 'Crypto.Cipher.DES.new', 'Crypto.Cipher.XOR.new', 'Cryptodome.Cipher.ARC2.new', 'Cryptodome.Cipher.ARC4.new', 'Cryptodome.Cipher.Blowfish.new', 'Cryptodome.Cipher.DES.new', 'Cryptodome.Cipher.XOR.new', 'cryptography.hazmat.primitives.ciphers.algorithms.ARC4', 'cryptography.hazmat.primitives.ciphers.algorithms.Blowfish', 'cryptography.hazmat.primitives.ciphers.algorithms.IDEA'], 'Use of insecure cipher {name}. Replace with a known secure' ' cipher such as AES.', 'HIGH' )) sets.append(utils.build_conf_dict( 'cipher_modes', 'B305', ['cryptography.hazmat.primitives.ciphers.modes.ECB'], 'Use of insecure cipher mode {name}.' )) sets.append(utils.build_conf_dict( 'mktemp_q', 'B306', ['tempfile.mktemp'], 'Use of insecure and deprecated function (mktemp).' )) sets.append(utils.build_conf_dict( 'eval', 'B307', ['eval'], 'Use of possibly insecure function - consider using safer ' 'ast.literal_eval.' )) sets.append(utils.build_conf_dict( 'mark_safe', 'B308', ['django.utils.safestring.mark_safe'], 'Use of mark_safe() may expose cross-site scripting ' 'vulnerabilities and should be reviewed.' )) sets.append(utils.build_conf_dict( 'httpsconnection', 'B309', ['httplib.HTTPSConnection', 'http.client.HTTPSConnection', 'six.moves.http_client.HTTPSConnection'], 'Use of HTTPSConnection on older versions of Python prior to 2.7.9 ' 'and 3.4.3 do not provide security, see ' 'https://wiki.openstack.org/wiki/OSSN/OSSN-0033' )) sets.append(utils.build_conf_dict( 'urllib_urlopen', 'B310', ['urllib.urlopen', 'urllib.request.urlopen', 'urllib.urlretrieve', 'urllib.request.urlretrieve', 'urllib.URLopener', 'urllib.request.URLopener', 'urllib.FancyURLopener', 'urllib.request.FancyURLopener', 'urllib2.urlopen', 'urllib2.Request', 'six.moves.urllib.request.urlopen', 'six.moves.urllib.request.urlretrieve', 'six.moves.urllib.request.URLopener', 'six.moves.urllib.request.FancyURLopener'], 'Audit url open for permitted schemes. Allowing use of file:/ or ' 'custom schemes is often unexpected.' )) sets.append(utils.build_conf_dict( 'random', 'B311', ['random.random', 'random.randrange', 'random.randint', 'random.choice', 'random.uniform', 'random.triangular'], 'Standard pseudo-random generators are not suitable for ' 'security/cryptographic purposes.', 'LOW' )) sets.append(utils.build_conf_dict( 'telnetlib', 'B312', ['telnetlib.*'], 'Telnet-related functions are being called. Telnet is considered ' 'insecure. Use SSH or some other encrypted protocol.', 'HIGH' )) # Most of this is based off of Christian Heimes' work on defusedxml: # https://pypi.python.org/pypi/defusedxml/#defusedxml-sax xml_msg = ('Using {name} to parse untrusted XML data is known to be ' 'vulnerable to XML attacks. Replace {name} with its ' 'defusedxml equivalent function or make sure ' 'defusedxml.defuse_stdlib() is called') sets.append(utils.build_conf_dict( 'xml_bad_cElementTree', 'B313', ['xml.etree.cElementTree.parse', 'xml.etree.cElementTree.iterparse', 'xml.etree.cElementTree.fromstring', 'xml.etree.cElementTree.XMLParser'], xml_msg )) sets.append(utils.build_conf_dict( 'xml_bad_ElementTree', 'B314', ['xml.etree.ElementTree.parse', 'xml.etree.ElementTree.iterparse', 'xml.etree.ElementTree.fromstring', 'xml.etree.ElementTree.XMLParser'], xml_msg )) sets.append(utils.build_conf_dict( 'xml_bad_expatreader', 'B315', ['xml.sax.expatreader.create_parser'], xml_msg )) sets.append(utils.build_conf_dict( 'xml_bad_expatbuilder', 'B316', ['xml.dom.expatbuilder.parse', 'xml.dom.expatbuilder.parseString'], xml_msg )) sets.append(utils.build_conf_dict( 'xml_bad_sax', 'B317', ['xml.sax.parse', 'xml.sax.parseString', 'xml.sax.make_parser'], xml_msg )) sets.append(utils.build_conf_dict( 'xml_bad_minidom', 'B318', ['xml.dom.minidom.parse', 'xml.dom.minidom.parseString'], xml_msg )) sets.append(utils.build_conf_dict( 'xml_bad_pulldom', 'B319', ['xml.dom.pulldom.parse', 'xml.dom.pulldom.parseString'], xml_msg )) sets.append(utils.build_conf_dict( 'xml_bad_etree', 'B320', ['lxml.etree.parse', 'lxml.etree.fromstring', 'lxml.etree.RestrictedElement', 'lxml.etree.GlobalParserTLS', 'lxml.etree.getDefaultParser', 'lxml.etree.check_docinfo'], ('Using {name} to parse untrusted XML data is known to be ' 'vulnerable to XML attacks. Replace {name} with its ' 'defusedxml equivalent function.') )) # end of XML tests sets.append(utils.build_conf_dict( 'ftplib', 'B321', ['ftplib.*'], 'FTP-related functions are being called. FTP is considered ' 'insecure. Use SSH/SFTP/SCP or some other encrypted protocol.', 'HIGH' )) sets.append(utils.build_conf_dict( 'input', 'B322', ['input'], 'The input method in Python 2 will read from standard input, ' 'evaluate and run the resulting string as python source code. This ' 'is similar, though in many ways worse, then using eval. On Python ' '2, use raw_input instead, input is safe in Python 3.', 'HIGH' )) sets.append(utils.build_conf_dict( 'unverified_context', 'B323', ['ssl._create_unverified_context'], 'By default, Python will create a secure, verified ssl context for ' 'use in such classes as HTTPSConnection. However, it still allows ' 'using an insecure context via the _create_unverified_context that ' 'reverts to the previous behavior that does not validate certificates ' 'or perform hostname checks.' )) return {'Call': sets}
def gen_blacklist(): """Generate a list of items to blacklist. Methods of this type, "bandit.blacklist" plugins, are used to build a list of items that bandit's built in blacklisting tests will use to trigger issues. They replace the older blacklist* test plugins and allow blacklisted items to have a unique bandit ID for filtering and profile usage. :return: a dictionary mapping node types to a list of blacklist data """ sets = [] sets.append(utils.build_conf_dict( 'telnet', 'B401', ['telnetlib'], 'A telnet-related module is being imported. Telnet is ' 'considered insecure. Use SSH or some other encrypted protocol.', 'HIGH' )) sets.append(utils.build_conf_dict( 'ftp', 'B402', ['ftplib'], 'A FTP-related module is being imported. FTP is considered ' 'insecure. Use SSH/SFTP/SCP or some other encrypted protocol.', 'HIGH' )) sets.append(utils.build_conf_dict( 'info_libs', 'B403', ['pickle', 'cPickle', 'subprocess', 'Crypto'], 'Consider possible security implications associated with ' '{name} module.', 'LOW' )) # Most of this is based off of Christian Heimes' work on defusedxml: # https://pypi.python.org/pypi/defusedxml/#defusedxml-sax sets.append(utils.build_conf_dict( 'xml_libs', 'B404', ['xml.etree.cElementTree', 'xml.etree.ElementTree', 'xml.sax.expatreader', 'xml.sax', 'xml.dom.expatbuilder', 'xml.dom.minidom', 'xml.dom.pulldom', 'lxml.etree', 'lxml'], 'Using {name} to parse untrusted XML data is known to be ' 'vulnerable to XML attacks. Replace {name} with the equivalent ' 'defusedxml package.', 'LOW' )) sets.append(utils.build_conf_dict( 'xml_libs_high', 'B405', ['xmlrpclib'], 'Using {name} to parse untrusted XML data is known to be ' 'vulnerable to XML attacks. Use defused.xmlrpc.monkey_patch() ' 'function to monkey-patch xmlrpclib and mitigate XML ' 'vulnerabilities.', 'HIGH' )) return {'Import': sets, 'ImportFrom': sets, 'Call': sets}
def gen_blacklist(): """Generate a list of items to blacklist. Methods of this type, "bandit.blacklist" plugins, are used to build a list of items that bandit's built in blacklisting tests will use to trigger issues. They replace the older blacklist* test plugins and allow blacklisted items to have a unique bandit ID for filtering and profile usage. :return: a dictionary mapping node types to a list of blacklist data """ sets = [] sets.append( utils.build_conf_dict( "import_telnetlib", "B401", issue.Cwe.CLEARTEXT_TRANSMISSION, ["telnetlib"], "A telnet-related module is being imported. Telnet is " "considered insecure. Use SSH or some other encrypted protocol.", "HIGH", )) sets.append( utils.build_conf_dict( "import_ftplib", "B402", issue.Cwe.CLEARTEXT_TRANSMISSION, ["ftplib"], "A FTP-related module is being imported. FTP is considered " "insecure. Use SSH/SFTP/SCP or some other encrypted protocol.", "HIGH", )) sets.append( utils.build_conf_dict( "import_pickle", "B403", issue.Cwe.DESERIALIZATION_OF_UNTRUSTED_DATA, ["pickle", "cPickle", "dill", "shelve"], "Consider possible security implications associated with " "{name} module.", "LOW", )) sets.append( utils.build_conf_dict( "import_subprocess", "B404", issue.Cwe.OS_COMMAND_INJECTION, ["subprocess"], "Consider possible security implications associated with the " "subprocess module.", "LOW", )) # Most of this is based off of Christian Heimes' work on defusedxml: # https://pypi.org/project/defusedxml/#defusedxml-sax xml_msg = ("Using {name} to parse untrusted XML data is known to be " "vulnerable to XML attacks. Replace {name} with the equivalent " "defusedxml package, or make sure defusedxml.defuse_stdlib() " "is called.") lxml_msg = ("Using {name} to parse untrusted XML data is known to be " "vulnerable to XML attacks. Replace {name} with the " "equivalent defusedxml package.") sets.append( utils.build_conf_dict( "import_xml_etree", "B405", issue.Cwe.IMPROPER_INPUT_VALIDATION, ["xml.etree.cElementTree", "xml.etree.ElementTree"], xml_msg, "LOW", )) sets.append( utils.build_conf_dict( "import_xml_sax", "B406", issue.Cwe.IMPROPER_INPUT_VALIDATION, ["xml.sax"], xml_msg, "LOW", )) sets.append( utils.build_conf_dict( "import_xml_expat", "B407", issue.Cwe.IMPROPER_INPUT_VALIDATION, ["xml.dom.expatbuilder"], xml_msg, "LOW", )) sets.append( utils.build_conf_dict( "import_xml_minidom", "B408", issue.Cwe.IMPROPER_INPUT_VALIDATION, ["xml.dom.minidom"], xml_msg, "LOW", )) sets.append( utils.build_conf_dict( "import_xml_pulldom", "B409", issue.Cwe.IMPROPER_INPUT_VALIDATION, ["xml.dom.pulldom"], xml_msg, "LOW", )) sets.append( utils.build_conf_dict( "import_lxml", "B410", issue.Cwe.IMPROPER_INPUT_VALIDATION, ["lxml"], lxml_msg, "LOW", )) sets.append( utils.build_conf_dict( "import_xmlrpclib", "B411", issue.Cwe.IMPROPER_INPUT_VALIDATION, ["xmlrpclib"], "Using {name} to parse untrusted XML data is known to be " "vulnerable to XML attacks. Use defused.xmlrpc.monkey_patch() " "function to monkey-patch xmlrpclib and mitigate XML " "vulnerabilities.", "HIGH", )) sets.append( utils.build_conf_dict( "import_httpoxy", "B412", issue.Cwe.IMPROPER_ACCESS_CONTROL, [ "wsgiref.handlers.CGIHandler", "twisted.web.twcgi.CGIScript", "twisted.web.twcgi.CGIDirectory", ], "Consider possible security implications associated with " "{name} module.", "HIGH", )) sets.append( utils.build_conf_dict( "import_pycrypto", "B413", issue.Cwe.BROKEN_CRYPTO, [ "Crypto.Cipher", "Crypto.Hash", "Crypto.IO", "Crypto.Protocol", "Crypto.PublicKey", "Crypto.Random", "Crypto.Signature", "Crypto.Util", ], "The pyCrypto library and its module {name} are no longer actively" " maintained and have been deprecated. " "Consider using pyca/cryptography library.", "HIGH", )) sets.append( utils.build_conf_dict( "import_pyghmi", "B415", issue.Cwe.CLEARTEXT_TRANSMISSION, ["pyghmi"], "An IPMI-related module is being imported. IPMI is considered " "insecure. Use an encrypted protocol.", "HIGH", )) return {"Import": sets, "ImportFrom": sets, "Call": sets}
def gen_blacklist(): """Generate a list of items to blacklist. Methods of this type, "bandit.blacklist" plugins, are used to build a list of items that bandit's built in blacklisting tests will use to trigger issues. They replace the older blacklist* test plugins and allow blacklisted items to have a unique bandit ID for filtering and profile usage. :return: a dictionary mapping node types to a list of blacklist data """ sets = [] # example: examples/import_base64 sets.append( utils.build_conf_dict('import_base64', 'B400', ['base64'], 'import_base64', 'HIGH')) # example: examples/import_socket.py sets.append( utils.build_conf_dict('import_socket', 'B401', ['socket'], 'import_socket', 'HIGH')) # example: examples/import_zlib.py sets.append( utils.build_conf_dict('import_zlib', 'B402', ['zlib'], 'import_zlib', 'HIGH')) # example: examples/import_urllib.py sets.append( utils.build_conf_dict('import_urllib', 'B403', ['urllib'], 'import_urllib', 'HIGH')) # example: examples/import_urllib.py sets.append( utils.build_conf_dict('import_pwd', 'B404', ['pwd'], 'import_pwd', 'HIGH')) # example: examples/import_http.py sets.append( utils.build_conf_dict('import_http', 'B405', ['http'], 'import_http', 'HIGH')) # example: examples/import_platform.py sets.append( utils.build_conf_dict('import_platform', 'B406', ['platform'], 'import_platform', 'HIGH')) # example: examples/import_os.py sets.append( utils.build_conf_dict('import_os', 'B407', ['os'], 'import_os', 'HIGH')) # example: examples/import_socketserver.py sets.append( utils.build_conf_dict('import_socketserver', 'B408', ['socketserver'], 'import_socketserver', 'HIGH')) # example: examples/import_requests.py sets.append( utils.build_conf_dict('import_requests', 'B409', ['requests'], 'import_requests', 'HIGH')) # example: examples/import_urllib2.py sets.append( utils.build_conf_dict('import_urllib2', 'B410', ['urllib2'], 'import_urllib2', 'HIGH')) # example: examples/import_subprocess.py sets.append( utils.build_conf_dict('import_subprocess', 'B411', ['subprocess'], 'import_subprocess', 'HIGH')) # example: examples/import_httplib.py sets.append( utils.build_conf_dict('import_httplib', 'B412', ['httplib'], 'import_httplib', 'HIGH')) # example: examples/import_urlparse.py sets.append( utils.build_conf_dict('import_urlparse', 'B413', ['urlparse'], 'import_urlparse', 'HIGH')) # example: examples/import_signal.py sets.append( utils.build_conf_dict('import_signal', 'B414', ['signal'], 'import_signal', 'HIGH')) # example: examples/import_multiprocessing.py sets.append( utils.build_conf_dict('import_multiprocessing', 'B415', ['multiprocessing'], 'import_multiprocessing', 'HIGH')) # example: examples/import_getpass.py sets.append( utils.build_conf_dict('import_getpass', 'B416', ['getpass'], 'import_getpass', 'HIGH')) # example: examples/new_import.py #sets.append(utils.build_conf_dict( # 'new_import', 'B499', [''], # 'new_import', # 'HIGH' # )) return {'Import': sets, 'ImportFrom': sets, 'Call': sets}
def gen_blacklist(): """Generate a list of items to blacklist. Methods of this type, "bandit.blacklist" plugins, are used to build a list of items that bandit's built in blacklisting tests will use to trigger issues. They replace the older blacklist* test plugins and allow blacklisted items to have a unique bandit ID for filtering and profile usage. :return: a dictionary mapping node types to a list of blacklist data """ sets = [] sets.append(utils.build_conf_dict( 'base64_b64decode', 'B300', ['base64.b64decode'], 'base64.b64decode' )) sets.append(utils.build_conf_dict( 'base64_b64encode', 'B301', ['base64.b64encode'], 'base64.b64encode' )) #examples/socket_gethostname.py sets.append(utils.build_conf_dict( 'socket_gethostname', 'B302', ['socket.gethostname'], 'socket.gethostname' )) #examples/socket_gethostname.py sets.append(utils.build_conf_dict( 'pwd_getpwuid', 'B303', ['pwd.getpwuid'], 'pwd.getpwuid' )) sets.append(utils.build_conf_dict( 'socket_socket', 'B304', ['socket.socket'], 'socket.socket' )) #examples/os_getuid.py sets.append(utils.build_conf_dict( 'os_getuid', 'B305', ['os.getuid'], 'os.getuid' )) #examples/zlib_decompress.py sets.append(utils.build_conf_dict( 'zlib_decompress', 'B306', ['zlib.decompress'], 'zlib.decompress' )) #examples/urllib_request_urlopen.py sets.append(utils.build_conf_dict( 'urllib_request', 'B307', ['urllib.request'], 'urllib.request' )) #examples/urllib_request_urlopen.py sets.append(utils.build_conf_dict( 'platform_system', 'B308', ['platform.system'], 'platform.system' )) #examples/os_chmod.py sets.append(utils.build_conf_dict( 'os_chmod', 'B315', ['os.chmod'], 'os.chmod' )) #examples/os_system.py sets.append(utils.build_conf_dict( 'os_system', 'B316', ['os.system'], 'os.system' )) #examples/os_environ.py sets.append(utils.build_conf_dict( 'os_environ', 'B317', ['os.environ'], 'os.environ' )) #examples/urllib2_urlopen.py sets.append(utils.build_conf_dict( 'urllib2_urlopen', 'B320', ['urllib2.urlopen'], 'urllib2_urlopen' )) #examples/urllib2_Request.py sets.append(utils.build_conf_dict( 'urllib2_Request', 'B321', ['urllib2.Request'], 'urllib2_Request' )) #examples/multiprocessing_Pool.py sets.append(utils.build_conf_dict( 'multiprocessing_Pool', 'B323', ['multiprocessing.Pool'], 'multiprocessing_Pool' )) #examples/multiprocessing_Pool.py sets.append(utils.build_conf_dict( 'signal_signal', 'B324', ['signal.signal'], 'signal_signal' )) #examples/getpass_getuser.py sets.append(utils.build_conf_dict( 'getpass_getuser', 'B329', ['getpass.getuser'], 'getpass_getuser' )) return {'Call': sets}
def gen_blacklist(): """Generate a list of items to blacklist. Methods of this type, "bandit.blacklist" plugins, are used to build a list of items that bandit's built in blacklisting tests will use to trigger issues. They replace the older blacklist* test plugins and allow blacklisted items to have a unique bandit ID for filtering and profile usage. :return: a dictionary mapping node types to a list of blacklist data """ sets = [] sets.append(utils.build_conf_dict( 'import_telnetlib', 'B401', ['telnetlib'], 'A telnet-related module is being imported. Telnet is ' 'considered insecure. Use SSH or some other encrypted protocol.', 'HIGH' )) sets.append(utils.build_conf_dict( 'import_ftplib', 'B402', ['ftplib'], 'A FTP-related module is being imported. FTP is considered ' 'insecure. Use SSH/SFTP/SCP or some other encrypted protocol.', 'HIGH' )) sets.append(utils.build_conf_dict( 'import_pickle', 'B403', ['pickle', 'cPickle'], 'Consider possible security implications associated with ' '{name} module.', 'LOW' )) sets.append(utils.build_conf_dict( 'import_subprocess', 'B404', ['subprocess'], 'Consider possible security implications associated with ' '{name} module.', 'LOW' )) # Most of this is based off of Christian Heimes' work on defusedxml: # https://pypi.org/project/defusedxml/#defusedxml-sax xml_msg = ('Using {name} to parse untrusted XML data is known to be ' 'vulnerable to XML attacks. Replace {name} with the equivalent ' 'defusedxml package, or make sure defusedxml.defuse_stdlib() ' 'is called.') lxml_msg = ('Using {name} to parse untrusted XML data is known to be ' 'vulnerable to XML attacks. Replace {name} with the ' 'equivalent defusedxml package.') sets.append(utils.build_conf_dict( 'import_xml_etree', 'B405', ['xml.etree.cElementTree', 'xml.etree.ElementTree'], xml_msg, 'LOW')) sets.append(utils.build_conf_dict( 'import_xml_sax', 'B406', ['xml.sax'], xml_msg, 'LOW')) sets.append(utils.build_conf_dict( 'import_xml_expat', 'B407', ['xml.dom.expatbuilder'], xml_msg, 'LOW')) sets.append(utils.build_conf_dict( 'import_xml_minidom', 'B408', ['xml.dom.minidom'], xml_msg, 'LOW')) sets.append(utils.build_conf_dict( 'import_xml_pulldom', 'B409', ['xml.dom.pulldom'], xml_msg, 'LOW')) sets.append(utils.build_conf_dict( 'import_lxml', 'B410', ['lxml'], lxml_msg, 'LOW')) sets.append(utils.build_conf_dict( 'import_xmlrpclib', 'B411', ['xmlrpclib'], 'Using {name} to parse untrusted XML data is known to be ' 'vulnerable to XML attacks. Use defused.xmlrpc.monkey_patch() ' 'function to monkey-patch xmlrpclib and mitigate XML ' 'vulnerabilities.', 'HIGH')) sets.append(utils.build_conf_dict( 'import_httpoxy', 'B412', ['wsgiref.handlers.CGIHandler', 'twisted.web.twcgi.CGIScript', 'twisted.web.twcgi.CGIDirectory'], 'Consider possible security implications associated with ' '{name} module.', 'HIGH' )) sets.append(utils.build_conf_dict( 'import_pycrypto', 'B413', ['Crypto.Cipher', 'Crypto.Hash', 'Crypto.IO', 'Crypto.Protocol', 'Crypto.PublicKey', 'Crypto.Random', 'Crypto.Signature', 'Crypto.Util'], 'The pyCrypto library and its module {name} are no longer actively ' 'maintained and have been deprecated. ' 'Consider using pyca/cryptography library.', 'HIGH')) sets.append(utils.build_conf_dict( 'import_pycryptodome', 'B414', ['Cryptodome.Cipher', 'Cryptodome.Hash', 'Cryptodome.IO', 'Cryptodome.Protocol', 'Cryptodome.PublicKey', 'Cryptodome.Random', 'Cryptodome.Signature', 'Cryptodome.Util'], 'The pycryptodome library is not considered a secure alternative ' 'to pycrypto.' 'Consider using pyca/cryptography library.', 'HIGH')) return {'Import': sets, 'ImportFrom': sets, 'Call': sets}