Merge branch 'main' into plugin_unit_tests
ericwb authored Mar 13, 2023
2 parents 7d15f64 + 02d73e9 commit 181de9c
Showing 2 changed files with 2 additions and 33 deletions.
6 changes: 0 additions & 6 deletions bandit/blacklists/calls.py
Expand Up @@ -493,16 +493,10 @@ def gen_blacklist():
"B310",
issue.Cwe.PATH_TRAVERSAL,
[
"urllib.urlopen",
"urllib.request.urlopen",
"urllib.urlretrieve",
"urllib.request.urlretrieve",
"urllib.URLopener",
"urllib.request.URLopener",
"urllib.FancyURLopener",
"urllib.request.FancyURLopener",
"urllib2.urlopen",
"urllib2.Request",
"six.moves.urllib.request.urlopen",
"six.moves.urllib.request.urlretrieve",
"six.moves.urllib.request.URLopener",
29 changes: 2 additions & 27 deletions examples/urlopen.py
@@ -1,43 +1,18 @@
''' Example dangerous usage of urllib[2] opener functions
''' Example dangerous usage of urllib.request opener functions
The urllib and urllib2 opener functions and object can open http, ftp,
The urllib.request opener functions and object can open http, ftp,
and file urls. Often, the ability to open file urls is overlooked leading
to code that can unexpectedly open files on the local server. This
could be used by an attacker to leak information about the server.
'''


import urllib
import urllib2

# Python 3
import urllib.request

# Six
import six

def test_urlopen():
# urllib
url = urllib.quote('file:///bin/ls')
urllib.urlopen(url, 'blah', 32)
urllib.urlretrieve('file:///bin/ls', '/bin/ls2')
opener = urllib.URLopener()
opener.open('file:///bin/ls')
opener.retrieve('file:///bin/ls')
opener = urllib.FancyURLopener()
opener.open('file:///bin/ls')
opener.retrieve('file:///bin/ls')

# urllib2
handler = urllib2.HTTPBasicAuthHandler()
handler.add_password(realm='test',
uri='http://mysite.com',
user='bob')
opener = urllib2.build_opener(handler)
urllib2.install_opener(opener)
urllib2.urlopen('file:///bin/ls')
urllib2.Request('file:///bin/ls')

# Python 3
urllib.request.urlopen('file:///bin/ls')
urllib.request.urlretrieve('file:///bin/ls', '/bin/ls2')
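Review bot: The `# Python 3` comments in front of `import urllib.request` and the `urllib.request.urlopen('file:///bin/ls')` block read as stale on the new side, since the Python 2 `urllib`/`urllib2` branches they were contrasted with are removed in this hunk (assuming those comment lines are kept; the rendered section does not show which side they are on). Either drop them or make them say what the block is for, e.g. `# file:// URLs reach the local filesystem; expected to be reported as B310`. The module docstring would also benefit from one sentence stating that this file is an intentional example fixture whose calls are meant to be flagged, not executed, because nothing in the new text says so. If the `import six` lines survive, note that the `six.moves.urllib.request` names remain in the blacklist context of the first file while no call in this example uses them, leaving the import unused.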
