Enhancement Added list comprehension #621

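--- a/bandit/blacklists/imports.py
+++ b/bandit/blacklists/imports.py
@@ -231,33 +231,6 @@ def gen_blacklist():
 :return: a dictionary mapping node types to a list of blacklist data
 """
 
-sets = []
-sets.append(utils.build_conf_dict(
-'import_telnetlib', 'B401', ['telnetlib'],
-'A telnet-related module is being imported. Telnet is '
-'considered insecure. Use SSH or some other encrypted protocol.',
-'HIGH'
-))
-
-sets.append(utils.build_conf_dict(
-'import_ftplib', 'B402', ['ftplib'],
-'A FTP-related module is being imported. FTP is considered '
-'insecure. Use SSH/SFTP/SCP or some other encrypted protocol.',
-'HIGH'
-))
-
-sets.append(utils.build_conf_dict(
-'import_pickle', 'B403', ['pickle', 'cPickle', 'dill', 'shelve'],
-'Consider possible security implications associated with '
-'{name} module.', 'LOW'
-))
-
-sets.append(utils.build_conf_dict(
-'import_subprocess', 'B404', ['subprocess'],
-'Consider possible security implications associated with '
-'{name} module.', 'LOW'
-))
-
 # Most of this is based off of Christian Heimes' work on defusedxml:
 # https://pypi.org/project/defusedxml/#defusedxml-sax
 
@@ -269,52 +242,55 @@ def gen_blacklist():
 'vulnerable to XML attacks. Replace {name} with the '
 'equivalent defusedxml package.')
 
-sets.append(utils.build_conf_dict(
-'import_xml_etree', 'B405',
-['xml.etree.cElementTree', 'xml.etree.ElementTree'], xml_msg, 'LOW'))
-
-sets.append(utils.build_conf_dict(
-'import_xml_sax', 'B406', ['xml.sax'], xml_msg, 'LOW'))
-
-sets.append(utils.build_conf_dict(
-'import_xml_expat', 'B407', ['xml.dom.expatbuilder'], xml_msg, 'LOW'))
-
-sets.append(utils.build_conf_dict(
-'import_xml_minidom', 'B408', ['xml.dom.minidom'], xml_msg, 'LOW'))
-
-sets.append(utils.build_conf_dict(
-'import_xml_pulldom', 'B409', ['xml.dom.pulldom'], xml_msg, 'LOW'))
-
-sets.append(utils.build_conf_dict(
-'import_lxml', 'B410', ['lxml'], lxml_msg, 'LOW'))
-
-sets.append(utils.build_conf_dict(
-'import_xmlrpclib', 'B411', ['xmlrpclib'],
-'Using {name} to parse untrusted XML data is known to be '
-'vulnerable to XML attacks. Use defused.xmlrpc.monkey_patch() '
-'function to monkey-patch xmlrpclib and mitigate XML '
-'vulnerabilities.', 'HIGH'))
-
-sets.append(utils.build_conf_dict(
-'import_httpoxy', 'B412',
-['wsgiref.handlers.CGIHandler', 'twisted.web.twcgi.CGIScript',
-'twisted.web.twcgi.CGIDirectory'],
-'Consider possible security implications associated with '
-'{name} module.', 'HIGH'
-))
-
-sets.append(utils.build_conf_dict(
-'import_pycrypto', 'B413',
-['Crypto.Cipher',
-'Crypto.Hash',
-'Crypto.IO',
-'Crypto.Protocol',
-'Crypto.PublicKey',
-'Crypto.Random',
-'Crypto.Signature',
-'Crypto.Util'],
-'The pyCrypto library and its module {name} are no longer actively '
-'maintained and have been deprecated. '
-'Consider using pyca/cryptography library.', 'HIGH'))
-
+BLACKLISTS = [
+['import_telnetlib', 'B401', ['telnetlib'],
+'A telnet-related module is being imported. Telnet is '
+'considered insecure. Use SSH or some other encrypted protocol.',
+'HIGH'],
+
+['import_ftplib', 'B402', ['ftplib'],
+'A FTP-related module is being imported. FTP is considered '
+'insecure. Use SSH/SFTP/SCP or some other encrypted protocol.',
+'HIGH'],
+
+['import_pickle', 'B403', ['pickle', 'cPickle', 'dill', 'shelve'],
+'Consider possible security implications associated with '
+'{name} module.', 'LOW'],
+
+['import_subprocess', 'B404', ['subprocess'],
+'Consider possible security implications associated with '
+'{name} module.', 'LOW'],
+
+['import_xml_etree', 'B405',
+['xml.etree.cElementTree', 'xml.etree.ElementTree'],
+xml_msg, 'LOW'],
+
+['import_xml_sax', 'B406', ['xml.sax'], xml_msg, 'LOW'],
+['import_xml_expat', 'B407', ['xml.dom.expatbuilder'], xml_msg, 'LOW'],
+['import_xml_minidom', 'B408', ['xml.dom.minidom'], xml_msg, 'LOW'],
+['import_xml_pulldom', 'B409', ['xml.dom.pulldom'], xml_msg, 'LOW'],
+['import_lxml', 'B410', ['lxml'], lxml_msg, 'LOW'],
+
+['import_xmlrpclib', 'B411', ['xmlrpclib'],
+'Using {name} to parse untrusted XML data is known to be '
+'vulnerable to XML attacks. Use defused.xmlrpc.monkey_patch() '
+'function to monkey-patch xmlrpclib and mitigate XML '
+'vulnerabilities.', 'HIGH'],
+
+['import_httpoxy', 'B412',
+['wsgiref.handlers.CGIHandler', 'twisted.web.twcgi.CGIScript',
+'twisted.web.twcgi.CGIDirectory'],
+'Consider possible security implications associated with '
+'{name} module.', 'HIGH'],
+
+['import_pycrypto', 'B413',
+['Crypto.Cipher', 'Crypto.Hash', 'Crypto.IO', 'Crypto.Protocol',
+'Crypto.PublicKey', 'Crypto.Random', 'Crypto.Signature',
+'Crypto.Util'],
+'The pyCrypto library and its module {name} are no longer actively '
+'maintained and have been deprecated. '
+'Consider using pyca/cryptography library.', 'HIGH']
+]
+
+sets = [utils.build_conf_dict(*blacklist) for blacklist in BLACKLISTS]
 return {'Import': sets, 'ImportFrom': sets, 'Call': sets}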
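Review bot: `BLACKLISTS` on the new side is a function-local variable written as a module-level constant, and each row depends on the positional parameter order of `utils.build_conf_dict`, so a row with message and level swapped would still build a rule, just with the wrong severity, and nothing here would catch it. For a security linter's rule table I would rename it `blacklists`, make the fixed records tuples rather than lists, and document the column order directly above it, e.g. `# (name, bandit_id, qualnames, message, level) -- positional args of utils.build_conf_dict`. The `xml_msg` and `lxml_msg` it references appear to be assigned earlier in this same function (the tail of one assignment is the hunk's leading context), which is why the table cannot simply move to module scope without moving those as well. The enclosing `gen_blacklist` starts before the hunk.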