def test_plugin():
sets = []
sets.append(utils.build_conf_dict(
'telnet', 'B401', ['telnetlib'],
'A telnet-related module is being imported. Telnet is '
'considered insecure. Use SSH or some other encrypted protocol.',
'HIGH'
))
sets.append(utils.build_conf_dict(
'marshal', 'B302', ['marshal.load', 'marshal.loads'],
'Deserialization with the marshal module is possibly dangerous.'
))
return {'Import': sets, 'ImportFrom': sets, 'Call': sets}
def test_plugin():
sets = []
sets.append(
utils.build_conf_dict(
'telnet', 'B401', ['telnetlib'],
'A telnet-related module is being imported. Telnet is '
'considered insecure. Use SSH or some other encrypted protocol.',
'HIGH'))
sets.append(
utils.build_conf_dict(
'marshal', 'B302', ['marshal.load', 'marshal.loads'],
'Deserialization with the marshal module is possibly dangerous.'))
return {'Import': sets, 'ImportFrom': sets, 'Call': sets}
def test_profile_blacklist_compat(self):
data = [utils.build_conf_dict(
'marshal', 'B302', ['marshal.load', 'marshal.loads'],
('Deserialization with the marshal module is possibly '
'dangerous.'))]
profile = {'include': ['B001'], 'blacklist': {'Call': data}}
ts = test_set.BanditTestSet(self.config, profile)
blacklist = ts.get_tests('Call')[0]
self.assertNotIn('Import', blacklist._config)
self.assertNotIn('ImportFrom', blacklist._config)
self.assertEqual(len(blacklist._config['Call']), 1)
def test_plugin():
sets = []
sets.append(
utils.build_conf_dict(
"telnet",
"B401",
["telnetlib"],
"A telnet-related module is being imported. Telnet is "
"considered insecure. Use SSH or some other encrypted protocol.",
"HIGH",
)
)
sets.append(
utils.build_conf_dict(
"marshal",
"B302",
["marshal.load", "marshal.loads"],
"Deserialization with the marshal module is possibly dangerous.",
)
)
return {"Import": sets, "ImportFrom": sets, "Call": sets}
def test_profile_blacklist_compat(self):
data = [utils.build_conf_dict(
'marshal', 'B302', ['marshal.load', 'marshal.loads'],
('Deserialization with the marshal module is possibly '
'dangerous.'))]
profile = {'include': ['B001'], 'blacklist': {'Call': data}}
ts = test_set.BanditTestSet(self.config, profile)
blacklist = ts.get_tests('Call')[0]
self.assertNotIn('Import', blacklist._config)
self.assertNotIn('ImportFrom', blacklist._config)
self.assertEqual(1, len(blacklist._config['Call']))
def test_profile_blacklist_compat(self):
data = [
utils.build_conf_dict(
"marshal",
"B302",
issue.Cwe.DESERIALIZATION_OF_UNTRUSTED_DATA,
["marshal.load", "marshal.loads"],
("Deserialization with the marshal module is possibly "
"dangerous."),
)
]
profile = {"include": ["B001"], "blacklist": {"Call": data}}
ts = test_set.BanditTestSet(self.config, profile)
blacklist = ts.get_tests("Call")[0]
self.assertNotIn("Import", blacklist._config)
self.assertNotIn("ImportFrom", blacklist._config)
self.assertEqual(1, len(blacklist._config["Call"]))
def gen_blacklist():
"""Generate a list of items to blacklist.
Methods of this type, "bandit.blacklist" plugins, are used to build a list
of items that bandit's built in blacklisting tests will use to trigger
issues. They replace the older blacklist* test plugins and allow
blacklisted items to have a unique bandit ID for filtering and profile
usage.
:return: a dictionary mapping node types to a list of blacklist data
"""
sets = []
sets.append(
utils.build_conf_dict(
"pickle",
"B301",
[
"pickle.loads",
"pickle.load",
"pickle.Unpickler",
"cPickle.loads",
"cPickle.load",
"cPickle.Unpickler",
"dill.loads",
"dill.load",
"dill.Unpickler",
"shelve.open",
"shelve.DbfilenameShelf",
],
"Pickle and modules that wrap it can be unsafe when used to "
"deserialize untrusted data, possible security issue.",
)
)
sets.append(
utils.build_conf_dict(
"marshal",
"B302",
["marshal.load", "marshal.loads"],
"Deserialization with the marshal module is possibly dangerous.",
)
)
sets.append(
utils.build_conf_dict(
"md5",
"B303",
[
"hashlib.md5",
"hashlib.sha1",
"Crypto.Hash.MD2.new",
"Crypto.Hash.MD4.new",
"Crypto.Hash.MD5.new",
"Crypto.Hash.SHA.new",
"Cryptodome.Hash.MD2.new",
"Cryptodome.Hash.MD4.new",
"Cryptodome.Hash.MD5.new",
"Cryptodome.Hash.SHA.new",
"cryptography.hazmat.primitives.hashes.MD5",
"cryptography.hazmat.primitives.hashes.SHA1",
],
"Use of insecure MD2, MD4, MD5, or SHA1 hash function.",
)
)
sets.append(
utils.build_conf_dict(
"ciphers",
"B304",
[
"Crypto.Cipher.ARC2.new",
"Crypto.Cipher.ARC4.new",
"Crypto.Cipher.Blowfish.new",
"Crypto.Cipher.DES.new",
"Crypto.Cipher.XOR.new",
"Cryptodome.Cipher.ARC2.new",
"Cryptodome.Cipher.ARC4.new",
"Cryptodome.Cipher.Blowfish.new",
"Cryptodome.Cipher.DES.new",
"Cryptodome.Cipher.XOR.new",
"cryptography.hazmat.primitives.ciphers.algorithms.ARC4",
"cryptography.hazmat.primitives.ciphers.algorithms.Blowfish",
"cryptography.hazmat.primitives.ciphers.algorithms.IDEA",
],
"Use of insecure cipher {name}. Replace with a known secure"
" cipher such as AES.",
"HIGH",
)
)
sets.append(
utils.build_conf_dict(
"cipher_modes",
"B305",
["cryptography.hazmat.primitives.ciphers.modes.ECB"],
"Use of insecure cipher mode {name}.",
)
)
sets.append(
utils.build_conf_dict(
"mktemp_q",
"B306",
["tempfile.mktemp"],
"Use of insecure and deprecated function (mktemp).",
)
)
sets.append(
utils.build_conf_dict(
"eval",
"B307",
["eval"],
"Use of possibly insecure function - consider using safer "
"ast.literal_eval.",
)
)
sets.append(
utils.build_conf_dict(
"mark_safe",
"B308",
["django.utils.safestring.mark_safe"],
"Use of mark_safe() may expose cross-site scripting "
"vulnerabilities and should be reviewed.",
)
)
sets.append(
utils.build_conf_dict(
"httpsconnection",
"B309",
[
"httplib.HTTPSConnection",
"http.client.HTTPSConnection",
"six.moves.http_client.HTTPSConnection",
],
"Use of HTTPSConnection on older versions of Python prior to 2.7.9"
" and 3.4.3 do not provide security, see "
"https://wiki.openstack.org/wiki/OSSN/OSSN-0033",
)
)
sets.append(
utils.build_conf_dict(
"urllib_urlopen",
"B310",
[
"urllib.urlopen",
"urllib.request.urlopen",
"urllib.urlretrieve",
"urllib.request.urlretrieve",
"urllib.URLopener",
"urllib.request.URLopener",
"urllib.FancyURLopener",
"urllib.request.FancyURLopener",
"urllib2.urlopen",
"urllib2.Request",
"six.moves.urllib.request.urlopen",
"six.moves.urllib.request.urlretrieve",
"six.moves.urllib.request.URLopener",
"six.moves.urllib.request.FancyURLopener",
],
"Audit url open for permitted schemes. Allowing use of file:/ or "
"custom schemes is often unexpected.",
)
)
sets.append(
utils.build_conf_dict(
"random",
"B311",
[
"random.random",
"random.randrange",
"random.randint",
"random.choice",
"random.choices",
"random.uniform",
"random.triangular",
],
"Standard pseudo-random generators are not suitable for "
"security/cryptographic purposes.",
"LOW",
)
)
sets.append(
utils.build_conf_dict(
"telnetlib",
"B312",
["telnetlib.*"],
"Telnet-related functions are being called. Telnet is considered "
"insecure. Use SSH or some other encrypted protocol.",
"HIGH",
)
)
# Most of this is based off of Christian Heimes' work on defusedxml:
# https://pypi.org/project/defusedxml/#defusedxml-sax
xml_msg = (
"Using {name} to parse untrusted XML data is known to be "
"vulnerable to XML attacks. Replace {name} with its "
"defusedxml equivalent function or make sure "
"defusedxml.defuse_stdlib() is called"
)
sets.append(
utils.build_conf_dict(
"xml_bad_cElementTree",
"B313",
[
"xml.etree.cElementTree.parse",
"xml.etree.cElementTree.iterparse",
"xml.etree.cElementTree.fromstring",
"xml.etree.cElementTree.XMLParser",
],
xml_msg,
)
)
sets.append(
utils.build_conf_dict(
"xml_bad_ElementTree",
"B314",
[
"xml.etree.ElementTree.parse",
"xml.etree.ElementTree.iterparse",
"xml.etree.ElementTree.fromstring",
"xml.etree.ElementTree.XMLParser",
],
xml_msg,
)
)
sets.append(
utils.build_conf_dict(
"xml_bad_expatreader",
"B315",
["xml.sax.expatreader.create_parser"],
xml_msg,
)
)
sets.append(
utils.build_conf_dict(
"xml_bad_expatbuilder",
"B316",
["xml.dom.expatbuilder.parse", "xml.dom.expatbuilder.parseString"],
xml_msg,
)
)
sets.append(
utils.build_conf_dict(
"xml_bad_sax",
"B317",
["xml.sax.parse", "xml.sax.parseString", "xml.sax.make_parser"],
xml_msg,
)
)
sets.append(
utils.build_conf_dict(
"xml_bad_minidom",
"B318",
["xml.dom.minidom.parse", "xml.dom.minidom.parseString"],
xml_msg,
)
)
sets.append(
utils.build_conf_dict(
"xml_bad_pulldom",
"B319",
["xml.dom.pulldom.parse", "xml.dom.pulldom.parseString"],
xml_msg,
)
)
sets.append(
utils.build_conf_dict(
"xml_bad_etree",
"B320",
[
"lxml.etree.parse",
"lxml.etree.fromstring",
"lxml.etree.RestrictedElement",
"lxml.etree.GlobalParserTLS",
"lxml.etree.getDefaultParser",
"lxml.etree.check_docinfo",
],
(
"Using {name} to parse untrusted XML data is known to be "
"vulnerable to XML attacks. Replace {name} with its "
"defusedxml equivalent function."
),
)
)
# end of XML tests
sets.append(
utils.build_conf_dict(
"ftplib",
"B321",
["ftplib.*"],
"FTP-related functions are being called. FTP is considered "
"insecure. Use SSH/SFTP/SCP or some other encrypted protocol.",
"HIGH",
)
)
# skipped B322 as the check for a call to input() has been removed
sets.append(
utils.build_conf_dict(
"unverified_context",
"B323",
["ssl._create_unverified_context"],
"By default, Python will create a secure, verified ssl context for"
" use in such classes as HTTPSConnection. However, it still allows"
" using an insecure context via the _create_unverified_context "
"that reverts to the previous behavior that does not validate "
"certificates or perform hostname checks.",
)
)
# skipped B324 (used in bandit/plugins/hashlib_new_insecure_functions.py)
sets.append(
utils.build_conf_dict(
"tempnam",
"B325",
["os.tempnam", "os.tmpnam"],
"Use of os.tempnam() and os.tmpnam() is vulnerable to symlink "
"attacks. Consider using tmpfile() instead.",
)
)
return {"Call": sets}
def gen_blacklist():
"""Generate a list of items to blacklist.
Methods of this type, "bandit.blacklist" plugins, are used to build a list
of items that bandit's built in blacklisting tests will use to trigger
issues. They replace the older blacklist* test plugins and allow
blacklisted items to have a unique bandit ID for filtering and profile
usage.
:return: a dictionary mapping node types to a list of blacklist data
"""
sets = []
sets.append(utils.build_conf_dict(
'import_telnetlib', 'B401', ['telnetlib'],
'A telnet-related module is being imported. Telnet is '
'considered insecure. Use SSH or some other encrypted protocol.',
'HIGH'
))
sets.append(utils.build_conf_dict(
'import_ftplib', 'B402', ['ftplib'],
'A FTP-related module is being imported. FTP is considered '
'insecure. Use SSH/SFTP/SCP or some other encrypted protocol.',
'HIGH'
))
sets.append(utils.build_conf_dict(
'import_pickle', 'B403', ['pickle', 'cPickle'],
'Consider possible security implications associated with '
'{name} module.', 'LOW'
))
sets.append(utils.build_conf_dict(
'import_subprocess', 'B404', ['subprocess'],
'Consider possible security implications associated with '
'{name} module.', 'LOW'
))
# Most of this is based off of Christian Heimes' work on defusedxml:
# https://pypi.python.org/pypi/defusedxml/#defusedxml-sax
xml_msg = ('Using {name} to parse untrusted XML data is known to be '
'vulnerable to XML attacks. Replace {name} with the equivalent '
'defusedxml package, or make sure defusedxml.defuse_stdlib() '
'is called.')
lxml_msg = ('Using {name} to parse untrusted XML data is known to be '
'vulnerable to XML attacks. Replace {name} with the '
'equivalent defusedxml package.')
sets.append(utils.build_conf_dict(
'import_xml_etree', 'B405',
['xml.etree.cElementTree', 'xml.etree.ElementTree'], xml_msg, 'LOW'))
sets.append(utils.build_conf_dict(
'import_xml_sax', 'B406', ['xml.sax'], xml_msg, 'LOW'))
sets.append(utils.build_conf_dict(
'import_xml_expat', 'B407', ['xml.dom.expatbuilder'], xml_msg, 'LOW'))
sets.append(utils.build_conf_dict(
'import_xml_minidom', 'B408', ['xml.dom.minidom'], xml_msg, 'LOW'))
sets.append(utils.build_conf_dict(
'import_xml_pulldom', 'B409', ['xml.dom.pulldom'], xml_msg, 'LOW'))
sets.append(utils.build_conf_dict(
'import_lxml', 'B410', ['lxml'], lxml_msg, 'LOW'))
sets.append(utils.build_conf_dict(
'import_xmlrpclib', 'B411', ['xmlrpclib'],
'Using {name} to parse untrusted XML data is known to be '
'vulnerable to XML attacks. Use defused.xmlrpc.monkey_patch() '
'function to monkey-patch xmlrpclib and mitigate XML '
'vulnerabilities.', 'HIGH'))
sets.append(utils.build_conf_dict(
'import_httpoxy', 'B412',
['wsgiref.handlers.CGIHandler', 'twisted.web.twcgi.CGIScript',
'twisted.web.twcgi.CGIDirectory'],
'Consider possible security implications associated with '
'{name} module.', 'HIGH'
))
return {'Import': sets, 'ImportFrom': sets, 'Call': sets}
def gen_blacklist():
"""Generate a list of items to blacklist.
Methods of this type, "bandit.blacklist" plugins, are used to build a list
of items that bandit's built in blacklisting tests will use to trigger
issues. They replace the older blacklist* test plugins and allow
blacklisted items to have a unique bandit ID for filtering and profile
usage.
:return: a dictionary mapping node types to a list of blacklist data
"""
sets = []
sets.append(
utils.build_conf_dict(
"pickle",
"B301",
["pickle.loads", "pickle.load", "pickle.Unpickler", "cPickle.loads", "cPickle.load", "cPickle.Unpickler"],
"Pickle library appears to be in use, possible security issue.",
)
)
sets.append(
utils.build_conf_dict(
"marshal",
"B302",
["marshal.load", "marshal.loads"],
"Deserialization with the marshal module is possibly dangerous.",
)
)
sets.append(
utils.build_conf_dict(
"md5",
"B303",
[
"hashlib.md5",
"Crypto.Hash.MD2.new",
"Crypto.Hash.MD4.new",
"Crypto.Hash.MD5.new",
"cryptography.hazmat.primitives.hashes.MD5",
],
"Use of insecure MD2, MD4, or MD5 hash function.",
)
)
sets.append(
utils.build_conf_dict(
"ciphers",
"B304",
[
"Crypto.Cipher.ARC2.new",
"Crypto.Cipher.ARC4.new",
"Crypto.Cipher.Blowfish.new",
"Crypto.Cipher.DES.new",
"Crypto.Cipher.XOR.new",
"cryptography.hazmat.primitives.ciphers.algorithms.ARC4",
"cryptography.hazmat.primitives.ciphers.algorithms.Blowfish",
"cryptography.hazmat.primitives.ciphers.algorithms.IDEA",
],
"Use of insecure cipher {name}. Replace with a known secure" " cipher such as AES.",
"HIGH",
)
)
sets.append(
utils.build_conf_dict(
"cipher_modes",
"B305",
["cryptography.hazmat.primitives.ciphers.modes.ECB"],
"Use of insecure cipher mode {name}.",
)
)
sets.append(
utils.build_conf_dict(
"mktemp_q", "B306", ["tempfile.mktemp"], "Use of insecure and deprecated function (mktemp)."
)
)
sets.append(
utils.build_conf_dict(
"eval", "B307", ["eval"], "Use of possibly insecure function - consider using safer " "ast.literal_eval."
)
)
sets.append(
utils.build_conf_dict(
"mark_safe",
"B308",
["mark_safe"],
"Use of mark_safe() may expose cross-site scripting " "vulnerabilities and should be reviewed.",
)
)
sets.append(
utils.build_conf_dict(
"httpsconnection",
"B309",
["httplib.HTTPSConnection", "http.client.HTTPSConnection", "six.moves.http_client.HTTPSConnection"],
"Use of HTTPSConnection does not provide security, see " "https://wiki.openstack.org/wiki/OSSN/OSSN-0033",
)
)
sets.append(
utils.build_conf_dict(
"urllib_urlopen",
"B310",
[
"urllib.urlopen",
"urllib.request.urlopen",
"urllib.urlretrieve",
"urllib.request.urlretrieve",
"urllib.URLopener",
"urllib.request.URLopener",
"urllib.FancyURLopener",
"urllib.request.FancyURLopener",
"urllib2.urlopen",
"urllib2.Request",
"six.moves.urllib.request.urlopen",
"six.moves.urllib.request.urlretrieve",
"six.moves.urllib.request.URLopener",
"six.moves.urllib.request.FancyURLopener",
],
"Audit url open for permitted schemes. Allowing use of file:/ or " "custom schemes is often unexpected.",
)
)
sets.append(
utils.build_conf_dict(
"random",
"B311",
[
"random.random",
"random.randrange",
"random.randint",
"random.choice",
"random.uniform",
"random.triangular",
],
"Standard pseudo-random generators are not suitable for " "security/cryptographic purposes.",
"LOW",
)
)
sets.append(
utils.build_conf_dict(
"telnetlib",
"B312",
["telnetlib.*"],
"Telnet-related funtions are being called. Telnet is considered "
"insecure. Use SSH or some other encrypted protocol.",
"HIGH",
)
)
# Most of this is based off of Christian Heimes' work on defusedxml:
# https://pypi.python.org/pypi/defusedxml/#defusedxml-sax
xml_msg = (
"Using {name} to parse untrusted XML data is known to be "
"vulnerable to XML attacks. Replace {name} with its "
"defusedxml equivalent function."
)
sets.append(
utils.build_conf_dict(
"xml_bad_cElementTree",
"B313",
[
"xml.etree.cElementTree.parse",
"xml.etree.cElementTree.iterparse",
"xml.etree.cElementTree.fromstring",
"xml.etree.cElementTree.XMLParser",
],
xml_msg,
)
)
sets.append(
utils.build_conf_dict(
"xml_bad_ElementTree",
"B314",
[
"xml.etree.ElementTree.parse",
"xml.etree.ElementTree.iterparse",
"xml.etree.ElementTree.fromstring",
"xml.etree.ElementTree.XMLParser",
],
xml_msg,
)
)
sets.append(utils.build_conf_dict("xml_bad_expatreader", "B315", ["xml.sax.expatreader.create_parser"], xml_msg))
sets.append(
utils.build_conf_dict(
"xml_bad_expatbuilder", "B316", ["xml.dom.expatbuilder.parse", "xml.dom.expatbuilder.parseString"], xml_msg
)
)
sets.append(
utils.build_conf_dict(
"xml_bad_sax", "B317", ["xml.sax.parse", "xml.sax.parseString", "xml.sax.make_parser"], xml_msg
)
)
sets.append(
utils.build_conf_dict(
"xml_bad_minidom", "B318", ["xml.dom.minidom.parse", "xml.dom.minidom.parseString"], xml_msg
)
)
sets.append(
utils.build_conf_dict(
"xml_bad_pulldom", "B319", ["xml.dom.pulldom.parse", "xml.dom.pulldom.parseString"], xml_msg
)
)
sets.append(
utils.build_conf_dict(
"xml_bad_etree",
"B320",
[
"lxml.etree.parse",
"lxml.etree.fromstring",
"lxml.etree.RestrictedElement",
"lxml.etree.GlobalParserTLS",
"lxml.etree.getDefaultParser",
"lxml.etree.check_docinfo",
],
xml_msg,
)
)
# end of XML tests
sets.append(
utils.build_conf_dict(
"ftplib",
"B321",
["ftplib.*"],
"FTP-related funtions are being called. FTP is considered "
"insecure. Use SSH/SFTP/SCP or some other encrypted protocol.",
"HIGH",
)
)
return {"Call": sets}
def gen_blacklist():
"""Generate a list of items to blacklist.
Methods of this type, "bandit.blacklist" plugins, are used to build a list
of items that bandit's built in blacklisting tests will use to trigger
issues. They replace the older blacklist* test plugins and allow
blacklisted items to have a unique bandit ID for filtering and profile
usage.
:return: a dictionary mapping node types to a list of blacklist data
"""
sets = []
sets.append(
utils.build_conf_dict(
'pickle', 'B301', [
'pickle.loads', 'pickle.load', 'pickle.Unpickler',
'cPickle.loads', 'cPickle.load', 'cPickle.Unpickler'
],
'Pickle library appears to be in use, possible security issue.'))
sets.append(
utils.build_conf_dict(
'marshal', 'B302', ['marshal.load', 'marshal.loads'],
'Deserialization with the marshal module is possibly dangerous.'))
sets.append(
utils.build_conf_dict(
'md5', 'B303', [
'hashlib.md5', 'Crypto.Hash.MD2.new', 'Crypto.Hash.MD4.new',
'Crypto.Hash.MD5.new', 'Cryptodome.Hash.MD2.new',
'Cryptodome.Hash.MD4.new', 'Cryptodome.Hash.MD5.new',
'cryptography.hazmat.primitives.hashes.MD5'
], 'Use of insecure MD2, MD4, or MD5 hash function.'))
sets.append(
utils.build_conf_dict(
'ciphers', 'B304', [
'Crypto.Cipher.ARC2.new', 'Crypto.Cipher.ARC4.new',
'Crypto.Cipher.Blowfish.new', 'Crypto.Cipher.DES.new',
'Crypto.Cipher.XOR.new', 'Cryptodome.Cipher.ARC2.new',
'Cryptodome.Cipher.ARC4.new', 'Cryptodome.Cipher.Blowfish.new',
'Cryptodome.Cipher.DES.new', 'Cryptodome.Cipher.XOR.new',
'cryptography.hazmat.primitives.ciphers.algorithms.ARC4',
'cryptography.hazmat.primitives.ciphers.algorithms.Blowfish',
'cryptography.hazmat.primitives.ciphers.algorithms.IDEA'
], 'Use of insecure cipher {name}. Replace with a known secure'
' cipher such as AES.', 'HIGH'))
sets.append(
utils.build_conf_dict(
'cipher_modes', 'B305',
['cryptography.hazmat.primitives.ciphers.modes.ECB'],
'Use of insecure cipher mode {name}.'))
sets.append(
utils.build_conf_dict(
'mktemp_q', 'B306', ['tempfile.mktemp'],
'Use of insecure and deprecated function (mktemp).'))
sets.append(
utils.build_conf_dict(
'eval', 'B307', ['eval'],
'Use of possibly insecure function - consider using safer '
'ast.literal_eval.'))
sets.append(
utils.build_conf_dict(
'mark_safe', 'B308', ['django.utils.safestring.mark_safe'],
'Use of mark_safe() may expose cross-site scripting '
'vulnerabilities and should be reviewed.'))
sets.append(
utils.build_conf_dict(
'httpsconnection', 'B309', [
'httplib.HTTPSConnection', 'http.client.HTTPSConnection',
'six.moves.http_client.HTTPSConnection'
],
'Use of HTTPSConnection on older versions of Python prior to 2.7.9 '
'and 3.4.3 do not provide security, see '
'https://wiki.openstack.org/wiki/OSSN/OSSN-0033'))
sets.append(
utils.build_conf_dict(
'urllib_urlopen', 'B310', [
'urllib.urlopen', 'urllib.request.urlopen',
'urllib.urlretrieve', 'urllib.request.urlretrieve',
'urllib.URLopener', 'urllib.request.URLopener',
'urllib.FancyURLopener', 'urllib.request.FancyURLopener',
'urllib2.urlopen', 'urllib2.Request',
'six.moves.urllib.request.urlopen',
'six.moves.urllib.request.urlretrieve',
'six.moves.urllib.request.URLopener',
'six.moves.urllib.request.FancyURLopener'
],
'Audit url open for permitted schemes. Allowing use of file:/ or '
'custom schemes is often unexpected.'))
sets.append(
utils.build_conf_dict(
'random', 'B311', [
'random.random', 'random.randrange', 'random.randint',
'random.choice', 'random.uniform', 'random.triangular'
], 'Standard pseudo-random generators are not suitable for '
'security/cryptographic purposes.', 'LOW'))
sets.append(
utils.build_conf_dict(
'telnetlib', 'B312', ['telnetlib.*'],
'Telnet-related functions are being called. Telnet is considered '
'insecure. Use SSH or some other encrypted protocol.', 'HIGH'))
# Most of this is based off of Christian Heimes' work on defusedxml:
# https://pypi.python.org/pypi/defusedxml/#defusedxml-sax
xml_msg = ('Using {name} to parse untrusted XML data is known to be '
'vulnerable to XML attacks. Replace {name} with its '
'defusedxml equivalent function or make sure '
'defusedxml.defuse_stdlib() is called')
sets.append(
utils.build_conf_dict('xml_bad_cElementTree', 'B313', [
'xml.etree.cElementTree.parse', 'xml.etree.cElementTree.iterparse',
'xml.etree.cElementTree.fromstring',
'xml.etree.cElementTree.XMLParser'
], xml_msg))
sets.append(
utils.build_conf_dict('xml_bad_ElementTree', 'B314', [
'xml.etree.ElementTree.parse', 'xml.etree.ElementTree.iterparse',
'xml.etree.ElementTree.fromstring',
'xml.etree.ElementTree.XMLParser'
], xml_msg))
sets.append(
utils.build_conf_dict('xml_bad_expatreader', 'B315',
['xml.sax.expatreader.create_parser'], xml_msg))
sets.append(
utils.build_conf_dict(
'xml_bad_expatbuilder', 'B316',
['xml.dom.expatbuilder.parse', 'xml.dom.expatbuilder.parseString'],
xml_msg))
sets.append(
utils.build_conf_dict(
'xml_bad_sax', 'B317',
['xml.sax.parse', 'xml.sax.parseString', 'xml.sax.make_parser'],
xml_msg))
sets.append(
utils.build_conf_dict(
'xml_bad_minidom', 'B318',
['xml.dom.minidom.parse', 'xml.dom.minidom.parseString'], xml_msg))
sets.append(
utils.build_conf_dict(
'xml_bad_pulldom', 'B319',
['xml.dom.pulldom.parse', 'xml.dom.pulldom.parseString'], xml_msg))
sets.append(
utils.build_conf_dict('xml_bad_etree', 'B320', [
'lxml.etree.parse', 'lxml.etree.fromstring',
'lxml.etree.RestrictedElement', 'lxml.etree.GlobalParserTLS',
'lxml.etree.getDefaultParser', 'lxml.etree.check_docinfo'
], ('Using {name} to parse untrusted XML data is known to be '
'vulnerable to XML attacks. Replace {name} with its '
'defusedxml equivalent function.')))
# end of XML tests
sets.append(
utils.build_conf_dict(
'ftplib', 'B321', ['ftplib.*'],
'FTP-related functions are being called. FTP is considered '
'insecure. Use SSH/SFTP/SCP or some other encrypted protocol.',
'HIGH'))
sets.append(
utils.build_conf_dict(
'input', 'B322', ['input'],
'The input method in Python 2 will read from standard input, '
'evaluate and run the resulting string as python source code. This '
'is similar, though in many ways worse, then using eval. On Python '
'2, use raw_input instead, input is safe in Python 3.', 'HIGH'))
sets.append(
utils.build_conf_dict(
'unverified_context', 'B323', ['ssl._create_unverified_context'],
'By default, Python will create a secure, verified ssl context for '
'use in such classes as HTTPSConnection. However, it still allows '
'using an insecure context via the _create_unverified_context that '
'reverts to the previous behavior that does not validate certificates '
'or perform hostname checks.'))
return {'Call': sets}
def gen_blacklist():
"""Generate a list of items to blacklist.
Methods of this type, "bandit.blacklist" plugins, are used to build a list
of items that bandit's built in blacklisting tests will use to trigger
issues. They replace the older blacklist* test plugins and allow
blacklisted items to have a unique bandit ID for filtering and profile
usage.
:return: a dictionary mapping node types to a list of blacklist data
"""
sets = []
sets.append(utils.build_conf_dict(
'pickle', 'B301',
['pickle.loads',
'pickle.load',
'pickle.Unpickler',
'cPickle.loads',
'cPickle.load',
'cPickle.Unpickler'],
'Pickle library appears to be in use, possible security issue.'
))
sets.append(utils.build_conf_dict(
'marshal', 'B302', ['marshal.load', 'marshal.loads'],
'Deserialization with the marshal module is possibly dangerous.'
))
sets.append(utils.build_conf_dict(
'md5', 'B303',
['hashlib.md5',
'hashlib.sha1',
'Crypto.Hash.MD2.new',
'Crypto.Hash.MD4.new',
'Crypto.Hash.MD5.new',
'Crypto.Hash.SHA.new',
'Cryptodome.Hash.MD2.new',
'Cryptodome.Hash.MD4.new',
'Cryptodome.Hash.MD5.new',
'Cryptodome.Hash.SHA.new',
'cryptography.hazmat.primitives.hashes.MD5',
'cryptography.hazmat.primitives.hashes.SHA1'],
'Use of insecure MD2, MD4, MD5, or SHA1 hash function.'
))
sets.append(utils.build_conf_dict(
'ciphers', 'B304',
['Crypto.Cipher.ARC2.new',
'Crypto.Cipher.ARC4.new',
'Crypto.Cipher.Blowfish.new',
'Crypto.Cipher.DES.new',
'Crypto.Cipher.XOR.new',
'Cryptodome.Cipher.ARC2.new',
'Cryptodome.Cipher.ARC4.new',
'Cryptodome.Cipher.Blowfish.new',
'Cryptodome.Cipher.DES.new',
'Cryptodome.Cipher.XOR.new',
'cryptography.hazmat.primitives.ciphers.algorithms.ARC4',
'cryptography.hazmat.primitives.ciphers.algorithms.Blowfish',
'cryptography.hazmat.primitives.ciphers.algorithms.IDEA'],
'Use of insecure cipher {name}. Replace with a known secure'
' cipher such as AES.',
'HIGH'
))
sets.append(utils.build_conf_dict(
'cipher_modes', 'B305',
['cryptography.hazmat.primitives.ciphers.modes.ECB'],
'Use of insecure cipher mode {name}.'
))
sets.append(utils.build_conf_dict(
'mktemp_q', 'B306', ['tempfile.mktemp'],
'Use of insecure and deprecated function (mktemp).'
))
sets.append(utils.build_conf_dict(
'eval', 'B307', ['eval'],
'Use of possibly insecure function - consider using safer '
'ast.literal_eval.'
))
sets.append(utils.build_conf_dict(
'mark_safe', 'B308', ['django.utils.safestring.mark_safe'],
'Use of mark_safe() may expose cross-site scripting '
'vulnerabilities and should be reviewed.'
))
sets.append(utils.build_conf_dict(
'httpsconnection', 'B309',
['httplib.HTTPSConnection',
'http.client.HTTPSConnection',
'six.moves.http_client.HTTPSConnection'],
'Use of HTTPSConnection on older versions of Python prior to 2.7.9 '
'and 3.4.3 do not provide security, see '
'https://wiki.openstack.org/wiki/OSSN/OSSN-0033'
))
sets.append(utils.build_conf_dict(
'urllib_urlopen', 'B310',
['urllib.urlopen',
'urllib.request.urlopen',
'urllib.urlretrieve',
'urllib.request.urlretrieve',
'urllib.URLopener',
'urllib.request.URLopener',
'urllib.FancyURLopener',
'urllib.request.FancyURLopener',
'urllib2.urlopen',
'urllib2.Request',
'six.moves.urllib.request.urlopen',
'six.moves.urllib.request.urlretrieve',
'six.moves.urllib.request.URLopener',
'six.moves.urllib.request.FancyURLopener'],
'Audit url open for permitted schemes. Allowing use of file:/ or '
'custom schemes is often unexpected.'
))
sets.append(utils.build_conf_dict(
'random', 'B311',
['random.random',
'random.randrange',
'random.randint',
'random.choice',
'random.uniform',
'random.triangular'],
'Standard pseudo-random generators are not suitable for '
'security/cryptographic purposes.',
'LOW'
))
sets.append(utils.build_conf_dict(
'telnetlib', 'B312', ['telnetlib.*'],
'Telnet-related functions are being called. Telnet is considered '
'insecure. Use SSH or some other encrypted protocol.',
'HIGH'
))
# Most of this is based off of Christian Heimes' work on defusedxml:
# https://pypi.python.org/pypi/defusedxml/#defusedxml-sax
xml_msg = ('Using {name} to parse untrusted XML data is known to be '
'vulnerable to XML attacks. Replace {name} with its '
'defusedxml equivalent function or make sure '
'defusedxml.defuse_stdlib() is called')
sets.append(utils.build_conf_dict(
'xml_bad_cElementTree', 'B313',
['xml.etree.cElementTree.parse',
'xml.etree.cElementTree.iterparse',
'xml.etree.cElementTree.fromstring',
'xml.etree.cElementTree.XMLParser'],
xml_msg
))
sets.append(utils.build_conf_dict(
'xml_bad_ElementTree', 'B314',
['xml.etree.ElementTree.parse',
'xml.etree.ElementTree.iterparse',
'xml.etree.ElementTree.fromstring',
'xml.etree.ElementTree.XMLParser'],
xml_msg
))
sets.append(utils.build_conf_dict(
'xml_bad_expatreader', 'B315', ['xml.sax.expatreader.create_parser'],
xml_msg
))
sets.append(utils.build_conf_dict(
'xml_bad_expatbuilder', 'B316',
['xml.dom.expatbuilder.parse',
'xml.dom.expatbuilder.parseString'],
xml_msg
))
sets.append(utils.build_conf_dict(
'xml_bad_sax', 'B317',
['xml.sax.parse',
'xml.sax.parseString',
'xml.sax.make_parser'],
xml_msg
))
sets.append(utils.build_conf_dict(
'xml_bad_minidom', 'B318',
['xml.dom.minidom.parse',
'xml.dom.minidom.parseString'],
xml_msg
))
sets.append(utils.build_conf_dict(
'xml_bad_pulldom', 'B319',
['xml.dom.pulldom.parse',
'xml.dom.pulldom.parseString'],
xml_msg
))
sets.append(utils.build_conf_dict(
'xml_bad_etree', 'B320',
['lxml.etree.parse',
'lxml.etree.fromstring',
'lxml.etree.RestrictedElement',
'lxml.etree.GlobalParserTLS',
'lxml.etree.getDefaultParser',
'lxml.etree.check_docinfo'],
('Using {name} to parse untrusted XML data is known to be '
'vulnerable to XML attacks. Replace {name} with its '
'defusedxml equivalent function.')
))
# end of XML tests
sets.append(utils.build_conf_dict(
'ftplib', 'B321', ['ftplib.*'],
'FTP-related functions are being called. FTP is considered '
'insecure. Use SSH/SFTP/SCP or some other encrypted protocol.',
'HIGH'
))
sets.append(utils.build_conf_dict(
'input', 'B322', ['input'],
'The input method in Python 2 will read from standard input, '
'evaluate and run the resulting string as python source code. This '
'is similar, though in many ways worse, then using eval. On Python '
'2, use raw_input instead, input is safe in Python 3.',
'HIGH'
))
sets.append(utils.build_conf_dict(
'unverified_context', 'B323', ['ssl._create_unverified_context'],
'By default, Python will create a secure, verified ssl context for '
'use in such classes as HTTPSConnection. However, it still allows '
'using an insecure context via the _create_unverified_context that '
'reverts to the previous behavior that does not validate certificates '
'or perform hostname checks.'
))
return {'Call': sets}
def gen_blacklist():
"""Generate a list of items to blacklist.
Methods of this type, "bandit.blacklist" plugins, are used to build a list
of items that bandit's built in blacklisting tests will use to trigger
issues. They replace the older blacklist* test plugins and allow
blacklisted items to have a unique bandit ID for filtering and profile
usage.
:return: a dictionary mapping node types to a list of blacklist data
"""
sets = []
sets.append(utils.build_conf_dict(
'telnet', 'B401', ['telnetlib'],
'A telnet-related module is being imported. Telnet is '
'considered insecure. Use SSH or some other encrypted protocol.',
'HIGH'
))
sets.append(utils.build_conf_dict(
'ftp', 'B402', ['ftplib'],
'A FTP-related module is being imported. FTP is considered '
'insecure. Use SSH/SFTP/SCP or some other encrypted protocol.',
'HIGH'
))
sets.append(utils.build_conf_dict(
'info_libs', 'B403', ['pickle', 'cPickle', 'subprocess', 'Crypto'],
'Consider possible security implications associated with '
'{name} module.', 'LOW'
))
# Most of this is based off of Christian Heimes' work on defusedxml:
# https://pypi.python.org/pypi/defusedxml/#defusedxml-sax
sets.append(utils.build_conf_dict(
'xml_libs', 'B404',
['xml.etree.cElementTree',
'xml.etree.ElementTree',
'xml.sax.expatreader',
'xml.sax',
'xml.dom.expatbuilder',
'xml.dom.minidom',
'xml.dom.pulldom',
'lxml.etree',
'lxml'],
'Using {name} to parse untrusted XML data is known to be '
'vulnerable to XML attacks. Replace {name} with the equivalent '
'defusedxml package.', 'LOW'
))
sets.append(utils.build_conf_dict(
'xml_libs_high', 'B405', ['xmlrpclib'],
'Using {name} to parse untrusted XML data is known to be '
'vulnerable to XML attacks. Use defused.xmlrpc.monkey_patch() '
'function to monkey-patch xmlrpclib and mitigate XML '
'vulnerabilities.', 'HIGH'
))
return {'Import': sets, 'ImportFrom': sets, 'Call': sets}
def gen_blacklist():
"""Generate a list of items to blacklist.
Methods of this type, "bandit.blacklist" plugins, are used to build a list
of items that bandit's built in blacklisting tests will use to trigger
issues. They replace the older blacklist* test plugins and allow
blacklisted items to have a unique bandit ID for filtering and profile
usage.
:return: a dictionary mapping node types to a list of blacklist data
"""
sets = []
sets.append(
utils.build_conf_dict(
"import_telnetlib",
"B401",
issue.Cwe.CLEARTEXT_TRANSMISSION,
["telnetlib"],
"A telnet-related module is being imported. Telnet is "
"considered insecure. Use SSH or some other encrypted protocol.",
"HIGH",
))
sets.append(
utils.build_conf_dict(
"import_ftplib",
"B402",
issue.Cwe.CLEARTEXT_TRANSMISSION,
["ftplib"],
"A FTP-related module is being imported. FTP is considered "
"insecure. Use SSH/SFTP/SCP or some other encrypted protocol.",
"HIGH",
))
sets.append(
utils.build_conf_dict(
"import_pickle",
"B403",
issue.Cwe.DESERIALIZATION_OF_UNTRUSTED_DATA,
["pickle", "cPickle", "dill", "shelve"],
"Consider possible security implications associated with "
"{name} module.",
"LOW",
))
sets.append(
utils.build_conf_dict(
"import_subprocess",
"B404",
issue.Cwe.OS_COMMAND_INJECTION,
["subprocess"],
"Consider possible security implications associated with the "
"subprocess module.",
"LOW",
))
# Most of this is based off of Christian Heimes' work on defusedxml:
# https://pypi.org/project/defusedxml/#defusedxml-sax
xml_msg = ("Using {name} to parse untrusted XML data is known to be "
"vulnerable to XML attacks. Replace {name} with the equivalent "
"defusedxml package, or make sure defusedxml.defuse_stdlib() "
"is called.")
lxml_msg = ("Using {name} to parse untrusted XML data is known to be "
"vulnerable to XML attacks. Replace {name} with the "
"equivalent defusedxml package.")
sets.append(
utils.build_conf_dict(
"import_xml_etree",
"B405",
issue.Cwe.IMPROPER_INPUT_VALIDATION,
["xml.etree.cElementTree", "xml.etree.ElementTree"],
xml_msg,
"LOW",
))
sets.append(
utils.build_conf_dict(
"import_xml_sax",
"B406",
issue.Cwe.IMPROPER_INPUT_VALIDATION,
["xml.sax"],
xml_msg,
"LOW",
))
sets.append(
utils.build_conf_dict(
"import_xml_expat",
"B407",
issue.Cwe.IMPROPER_INPUT_VALIDATION,
["xml.dom.expatbuilder"],
xml_msg,
"LOW",
))
sets.append(
utils.build_conf_dict(
"import_xml_minidom",
"B408",
issue.Cwe.IMPROPER_INPUT_VALIDATION,
["xml.dom.minidom"],
xml_msg,
"LOW",
))
sets.append(
utils.build_conf_dict(
"import_xml_pulldom",
"B409",
issue.Cwe.IMPROPER_INPUT_VALIDATION,
["xml.dom.pulldom"],
xml_msg,
"LOW",
))
sets.append(
utils.build_conf_dict(
"import_lxml",
"B410",
issue.Cwe.IMPROPER_INPUT_VALIDATION,
["lxml"],
lxml_msg,
"LOW",
))
sets.append(
utils.build_conf_dict(
"import_xmlrpclib",
"B411",
issue.Cwe.IMPROPER_INPUT_VALIDATION,
["xmlrpclib"],
"Using {name} to parse untrusted XML data is known to be "
"vulnerable to XML attacks. Use defused.xmlrpc.monkey_patch() "
"function to monkey-patch xmlrpclib and mitigate XML "
"vulnerabilities.",
"HIGH",
))
sets.append(
utils.build_conf_dict(
"import_httpoxy",
"B412",
issue.Cwe.IMPROPER_ACCESS_CONTROL,
[
"wsgiref.handlers.CGIHandler",
"twisted.web.twcgi.CGIScript",
"twisted.web.twcgi.CGIDirectory",
],
"Consider possible security implications associated with "
"{name} module.",
"HIGH",
))
sets.append(
utils.build_conf_dict(
"import_pycrypto",
"B413",
issue.Cwe.BROKEN_CRYPTO,
[
"Crypto.Cipher",
"Crypto.Hash",
"Crypto.IO",
"Crypto.Protocol",
"Crypto.PublicKey",
"Crypto.Random",
"Crypto.Signature",
"Crypto.Util",
],
"The pyCrypto library and its module {name} are no longer actively"
" maintained and have been deprecated. "
"Consider using pyca/cryptography library.",
"HIGH",
))
sets.append(
utils.build_conf_dict(
"import_pyghmi",
"B415",
issue.Cwe.CLEARTEXT_TRANSMISSION,
["pyghmi"],
"An IPMI-related module is being imported. IPMI is considered "
"insecure. Use an encrypted protocol.",
"HIGH",
))
return {"Import": sets, "ImportFrom": sets, "Call": sets}
def gen_blacklist():
"""Generate a list of items to blacklist.
Methods of this type, "bandit.blacklist" plugins, are used to build a list
of items that bandit's built in blacklisting tests will use to trigger
issues. They replace the older blacklist* test plugins and allow
blacklisted items to have a unique bandit ID for filtering and profile
usage.
:return: a dictionary mapping node types to a list of blacklist data
"""
sets = []
# example: examples/import_base64
sets.append(
utils.build_conf_dict('import_base64', 'B400', ['base64'],
'import_base64', 'HIGH'))
# example: examples/import_socket.py
sets.append(
utils.build_conf_dict('import_socket', 'B401', ['socket'],
'import_socket', 'HIGH'))
# example: examples/import_zlib.py
sets.append(
utils.build_conf_dict('import_zlib', 'B402', ['zlib'], 'import_zlib',
'HIGH'))
# example: examples/import_urllib.py
sets.append(
utils.build_conf_dict('import_urllib', 'B403', ['urllib'],
'import_urllib', 'HIGH'))
# example: examples/import_urllib.py
sets.append(
utils.build_conf_dict('import_pwd', 'B404', ['pwd'], 'import_pwd',
'HIGH'))
# example: examples/import_http.py
sets.append(
utils.build_conf_dict('import_http', 'B405', ['http'], 'import_http',
'HIGH'))
# example: examples/import_platform.py
sets.append(
utils.build_conf_dict('import_platform', 'B406', ['platform'],
'import_platform', 'HIGH'))
# example: examples/import_os.py
sets.append(
utils.build_conf_dict('import_os', 'B407', ['os'], 'import_os',
'HIGH'))
# example: examples/import_socketserver.py
sets.append(
utils.build_conf_dict('import_socketserver', 'B408', ['socketserver'],
'import_socketserver', 'HIGH'))
# example: examples/import_requests.py
sets.append(
utils.build_conf_dict('import_requests', 'B409', ['requests'],
'import_requests', 'HIGH'))
# example: examples/import_urllib2.py
sets.append(
utils.build_conf_dict('import_urllib2', 'B410', ['urllib2'],
'import_urllib2', 'HIGH'))
# example: examples/import_subprocess.py
sets.append(
utils.build_conf_dict('import_subprocess', 'B411', ['subprocess'],
'import_subprocess', 'HIGH'))
# example: examples/import_httplib.py
sets.append(
utils.build_conf_dict('import_httplib', 'B412', ['httplib'],
'import_httplib', 'HIGH'))
# example: examples/import_urlparse.py
sets.append(
utils.build_conf_dict('import_urlparse', 'B413', ['urlparse'],
'import_urlparse', 'HIGH'))
# example: examples/import_signal.py
sets.append(
utils.build_conf_dict('import_signal', 'B414', ['signal'],
'import_signal', 'HIGH'))
# example: examples/import_multiprocessing.py
sets.append(
utils.build_conf_dict('import_multiprocessing', 'B415',
['multiprocessing'], 'import_multiprocessing',
'HIGH'))
# example: examples/import_getpass.py
sets.append(
utils.build_conf_dict('import_getpass', 'B416', ['getpass'],
'import_getpass', 'HIGH'))
# example: examples/new_import.py
#sets.append(utils.build_conf_dict(
# 'new_import', 'B499', [''],
# 'new_import',
# 'HIGH'
# ))
return {'Import': sets, 'ImportFrom': sets, 'Call': sets}
def gen_blacklist():
"""Generate a list of items to blacklist.
Methods of this type, "bandit.blacklist" plugins, are used to build a list
of items that bandit's built in blacklisting tests will use to trigger
issues. They replace the older blacklist* test plugins and allow
blacklisted items to have a unique bandit ID for filtering and profile
usage.
:return: a dictionary mapping node types to a list of blacklist data
"""
sets = []
sets.append(utils.build_conf_dict(
'base64_b64decode', 'B300', ['base64.b64decode'],
'base64.b64decode'
))
sets.append(utils.build_conf_dict(
'base64_b64encode', 'B301', ['base64.b64encode'],
'base64.b64encode'
))
#examples/socket_gethostname.py
sets.append(utils.build_conf_dict(
'socket_gethostname', 'B302', ['socket.gethostname'],
'socket.gethostname'
))
#examples/socket_gethostname.py
sets.append(utils.build_conf_dict(
'pwd_getpwuid', 'B303', ['pwd.getpwuid'],
'pwd.getpwuid'
))
sets.append(utils.build_conf_dict(
'socket_socket', 'B304', ['socket.socket'],
'socket.socket'
))
#examples/os_getuid.py
sets.append(utils.build_conf_dict(
'os_getuid', 'B305', ['os.getuid'],
'os.getuid'
))
#examples/zlib_decompress.py
sets.append(utils.build_conf_dict(
'zlib_decompress', 'B306', ['zlib.decompress'],
'zlib.decompress'
))
#examples/urllib_request_urlopen.py
sets.append(utils.build_conf_dict(
'urllib_request', 'B307', ['urllib.request'],
'urllib.request'
))
#examples/urllib_request_urlopen.py
sets.append(utils.build_conf_dict(
'platform_system', 'B308', ['platform.system'],
'platform.system'
))
#examples/os_chmod.py
sets.append(utils.build_conf_dict(
'os_chmod', 'B315', ['os.chmod'],
'os.chmod'
))
#examples/os_system.py
sets.append(utils.build_conf_dict(
'os_system', 'B316', ['os.system'],
'os.system'
))
#examples/os_environ.py
sets.append(utils.build_conf_dict(
'os_environ', 'B317', ['os.environ'],
'os.environ'
))
#examples/urllib2_urlopen.py
sets.append(utils.build_conf_dict(
'urllib2_urlopen', 'B320', ['urllib2.urlopen'],
'urllib2_urlopen'
))
#examples/urllib2_Request.py
sets.append(utils.build_conf_dict(
'urllib2_Request', 'B321', ['urllib2.Request'],
'urllib2_Request'
))
#examples/multiprocessing_Pool.py
sets.append(utils.build_conf_dict(
'multiprocessing_Pool', 'B323', ['multiprocessing.Pool'],
'multiprocessing_Pool'
))
#examples/multiprocessing_Pool.py
sets.append(utils.build_conf_dict(
'signal_signal', 'B324', ['signal.signal'],
'signal_signal'
))
#examples/getpass_getuser.py
sets.append(utils.build_conf_dict(
'getpass_getuser', 'B329', ['getpass.getuser'],
'getpass_getuser'
))
return {'Call': sets}
def gen_blacklist():
"""Generate a list of items to blacklist.
Methods of this type, "bandit.blacklist" plugins, are used to build a list
of items that bandit's built in blacklisting tests will use to trigger
issues. They replace the older blacklist* test plugins and allow
blacklisted items to have a unique bandit ID for filtering and profile
usage.
:return: a dictionary mapping node types to a list of blacklist data
"""
sets = []
sets.append(utils.build_conf_dict(
'import_telnetlib', 'B401', ['telnetlib'],
'A telnet-related module is being imported. Telnet is '
'considered insecure. Use SSH or some other encrypted protocol.',
'HIGH'
))
sets.append(utils.build_conf_dict(
'import_ftplib', 'B402', ['ftplib'],
'A FTP-related module is being imported. FTP is considered '
'insecure. Use SSH/SFTP/SCP or some other encrypted protocol.',
'HIGH'
))
sets.append(utils.build_conf_dict(
'import_pickle', 'B403', ['pickle', 'cPickle'],
'Consider possible security implications associated with '
'{name} module.', 'LOW'
))
sets.append(utils.build_conf_dict(
'import_subprocess', 'B404', ['subprocess'],
'Consider possible security implications associated with '
'{name} module.', 'LOW'
))
# Most of this is based off of Christian Heimes' work on defusedxml:
# https://pypi.org/project/defusedxml/#defusedxml-sax
xml_msg = ('Using {name} to parse untrusted XML data is known to be '
'vulnerable to XML attacks. Replace {name} with the equivalent '
'defusedxml package, or make sure defusedxml.defuse_stdlib() '
'is called.')
lxml_msg = ('Using {name} to parse untrusted XML data is known to be '
'vulnerable to XML attacks. Replace {name} with the '
'equivalent defusedxml package.')
sets.append(utils.build_conf_dict(
'import_xml_etree', 'B405',
['xml.etree.cElementTree', 'xml.etree.ElementTree'], xml_msg, 'LOW'))
sets.append(utils.build_conf_dict(
'import_xml_sax', 'B406', ['xml.sax'], xml_msg, 'LOW'))
sets.append(utils.build_conf_dict(
'import_xml_expat', 'B407', ['xml.dom.expatbuilder'], xml_msg, 'LOW'))
sets.append(utils.build_conf_dict(
'import_xml_minidom', 'B408', ['xml.dom.minidom'], xml_msg, 'LOW'))
sets.append(utils.build_conf_dict(
'import_xml_pulldom', 'B409', ['xml.dom.pulldom'], xml_msg, 'LOW'))
sets.append(utils.build_conf_dict(
'import_lxml', 'B410', ['lxml'], lxml_msg, 'LOW'))
sets.append(utils.build_conf_dict(
'import_xmlrpclib', 'B411', ['xmlrpclib'],
'Using {name} to parse untrusted XML data is known to be '
'vulnerable to XML attacks. Use defused.xmlrpc.monkey_patch() '
'function to monkey-patch xmlrpclib and mitigate XML '
'vulnerabilities.', 'HIGH'))
sets.append(utils.build_conf_dict(
'import_httpoxy', 'B412',
['wsgiref.handlers.CGIHandler', 'twisted.web.twcgi.CGIScript',
'twisted.web.twcgi.CGIDirectory'],
'Consider possible security implications associated with '
'{name} module.', 'HIGH'
))
sets.append(utils.build_conf_dict(
'import_pycrypto', 'B413',
['Crypto.Cipher',
'Crypto.Hash',
'Crypto.IO',
'Crypto.Protocol',
'Crypto.PublicKey',
'Crypto.Random',
'Crypto.Signature',
'Crypto.Util'],
'The pyCrypto library and its module {name} are no longer actively '
'maintained and have been deprecated. '
'Consider using pyca/cryptography library.', 'HIGH'))
sets.append(utils.build_conf_dict(
'import_pycryptodome', 'B414',
['Cryptodome.Cipher',
'Cryptodome.Hash',
'Cryptodome.IO',
'Cryptodome.Protocol',
'Cryptodome.PublicKey',
'Cryptodome.Random',
'Cryptodome.Signature',
'Cryptodome.Util'],
'The pycryptodome library is not considered a secure alternative '
'to pycrypto.'
'Consider using pyca/cryptography library.', 'HIGH'))
return {'Import': sets, 'ImportFrom': sets, 'Call': sets}
