Pretty up the plugin documentation

* Add test IDs in the title of the plugin
* Make use of proper sphinx tags
* Add new Plugin ID Groupings section to plugins index

Change-Id: Ic0015da7fc9648564ea11250ba30ef301f3cd6bd
Eric Brown 2016-01-13 17:08:34 -08:00
parent 398eddfaa7
commit 0ff55f1e2b
22 changed files with 269 additions and 271 deletions

View File

@ -15,8 +15,10 @@
# under the License.
r"""
Description
-----------
======================================================
B201: Test for use of flask app with debug set to true
======================================================
Running Flask applications in debug mode results in the Werkzeug debugger
being enabled. This includes a feature that allows arbitrary code execution.
Documentation for both Flask [1]_ and Werkzeug [2]_ strongly suggests that
@ -25,12 +27,8 @@ debug mode should never be enabled on production systems.
Operating a production server with debug mode enabled was the probable cause
of the Patreon breach in 2015 [3]_.
Config Options
--------------
None
:Example:
Sample Output
-------------
.. code-block:: none
>> Issue: A Flask app appears to be run with debug=True, which exposes
@ -41,11 +39,11 @@ Sample Output
10 app.run(debug=True)
11
References
----------
.. [1] http://flask.pocoo.org/docs/0.10/quickstart/#debug-mode
.. [2] http://werkzeug.pocoo.org/docs/0.10/debug/
.. [3] http://labs.detectify.com/post/130332638391/how-patreon-got-hacked-publicly-exposed-werkzeug # noqa
.. seealso::
.. [1] http://flask.pocoo.org/docs/0.10/quickstart/#debug-mode
.. [2] http://werkzeug.pocoo.org/docs/0.10/debug/
.. [3] http://labs.detectify.com/post/130332638391/how-patreon-got-hacked-publicly-exposed-werkzeug # noqa
.. versionadded:: 0.15.0

View File

@ -15,8 +15,10 @@
# under the License.
r"""
Description
-----------
============================
B101: Test for use of assert
============================
This plugin test checks for the use of the Python ``assert`` keyword. It was
discovered that some projects used assert to enforce interface constraints.
However, assert is removed with compiling to optimised byte code (python -o
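Review bot: `(python -o` at the end of this hunk should read `(python -O`: the interpreter's optimise switch is a capital O, and `-o` is not a valid interpreter option. Worth fixing while the docstring is being reworked.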
@ -27,12 +29,8 @@ Please see
https://docs.python.org/2/reference/simple_stmts.html#the-assert-statement for
more info on ``assert``
Config Options
--------------
None
:Example:
Sample Output
-------------
.. code-block:: none
>> Issue: Use of assert detected. The enclosed code will be removed when
@ -42,8 +40,8 @@ Sample Output
1 assert logged_in
2 display_assets()
References
----------
.. seealso::
- https://bugs.launchpad.net/juniperopenstack/+bug/1456193
- https://bugs.launchpad.net/heat/+bug/1397883
- https://docs.python.org/2/reference/simple_stmts.html#the-assert-statement
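Review bot: this References block becomes `.. seealso::` but, unlike the B301, B105 and B501 hunks in the same change, no `.. versionadded::` line follows it; add the release B101 first shipped in so the rendered plugin pages stay uniform.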

View File

@ -15,8 +15,10 @@
# under the License.
r"""
Description
-----------
=================================
B301: Test for black listed calls
=================================
A number of Python methods and functions are known to have potential security
implications. The blacklist calls plugin test is designed to detect the use of
these methods by scanning code for method calls and checking for their presence
@ -41,8 +43,8 @@ in the provided output message, to be replaced with the actual method name.
Due to the nature of the test, confidence is always reported as HIGH
Config Options
--------------
**Config Options:**
.. code-block:: yaml
blacklist_calls:
@ -64,8 +66,8 @@ Config Options
Deserialization with the {func} is possibly dangerous.
level: LOW
Sample Output
-------------
:Example:
.. code-block:: none
>> Issue: Pickle library appears to be in use, possible security issue.
@ -76,9 +78,9 @@ Sample Output
20 print(cPickle.loads(serialized))
21
References
----------
- https://security.openstack.org
.. seealso::
- https://security.openstack.org
.. versionadded:: 0.9.0

View File

@ -73,7 +73,7 @@ def gen_config(name):
@test.checks('Import', 'ImportFrom')
@test.test_id('B401')
def blacklist_imports(context, config):
"""blacklist_imports
"""**B401: Test for blacklisted imports**
A number of Python modules are known to provide collections of
functionality with potential security implications. The blacklist imports
@ -102,7 +102,7 @@ def blacklist_imports(context, config):
Due to the nature of the test, confidence is always reported as HIGH
Config Options:
**Config Options:**
.. code-block:: yaml
@ -126,7 +126,7 @@ def blacklist_imports(context, config):
level: LOW
Sample Output:
:Example:
.. code-block:: none
@ -149,9 +149,9 @@ def blacklist_imports(context, config):
21 xml.sax.parseString(xmlString, ExampleContentHandler())
22 xml.sax.parse('notaxmlfilethatexists.xml', ExampleContentHandler())
References:
.. seealso::
- https://security.openstack.org
- https://security.openstack.org
.. versionadded:: 0.9.0
"""
@ -171,7 +171,7 @@ def blacklist_imports(context, config):
@test.checks('Call')
@test.test_id('B402')
def blacklist_import_func(context, config):
"""blacklist_import_func
"""**B402: Test for blacklisted import functions**
This test is in all ways identical blacklist_imports. However, it
is designed to catch modules that have been imported using Python's special
@ -186,8 +186,7 @@ def blacklist_import_func(context, config):
This test shares the configuration provided for the standard
blacklist_imports test.
Sample Output:
:Example:
.. code-block:: none
@ -211,9 +210,9 @@ def blacklist_import_func(context, config):
22 xml.sax.parse('notaxmlfilethatexists.xml', ExampleContentHandler())
References:
.. seealso::
- https://security.openstack.org
- https://security.openstack.org
.. versionadded:: 0.9.0
"""

View File

@ -15,8 +15,10 @@
# under the License.
r"""
Description
-----------
=============================================
B501: Test for missing certificate validation
=============================================
Encryption in general is typically critical to the security of many
applications. Using TLS can greatly increase security by guaranteeing the
identity of the party you are communicating with. This is accomplished by one
@ -27,12 +29,9 @@ When request methods are used certificates are validated automatically which is
the desired behavior. If certificate validation is explicitly turned off
Bandit will return a HIGH severity error.
Config Options
--------------
None
Sample Output
-------------
:Example:
.. code-block:: none
>> Issue: [request_with_no_cert_validation] Requests call with verify=False
@ -43,10 +42,10 @@ Sample Output
4 requests.get('https://gmail.com', verify=False)
5 requests.post('https://gmail.com', verify=True)
References
----------
- https://security.openstack.org/guidelines/dg_move-data-securely.html
- https://security.openstack.org/guidelines/dg_validate-certificates.html
.. seealso::
- https://security.openstack.org/guidelines/dg_move-data-securely.html
- https://security.openstack.org/guidelines/dg_validate-certificates.html
.. versionadded:: 0.9.0

View File

@ -15,17 +15,15 @@
# under the License.
r"""
Description
-----------
==============================
B102: Test for the use of exec
==============================
This plugin test checks for the use of Python's `exec` method or keyword. The
Python docs succinctly describe why the use of `exec` is risky.
Config Options
--------------
None
:Example:
Sample Output
-------------
.. code-block:: none
>> Issue: Use of exec detected.
@ -34,8 +32,8 @@ Sample Output
1 exec("do evil")
2 exec "do evil"
References
----------
.. seealso::
- https://docs.python.org/2.0/ref/exec.html
- TODO: add info on exec and similar to sec best practice and link here
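Review bot: the placeholder bullet `- TODO: add info on exec and similar to sec best practice and link here` is carried into the `.. seealso::` block, so it will now render as a reference on the published plugin page; either drop it or replace it with a real link. The remaining link points at the Python 2.0 manual (`https://docs.python.org/2.0/ref/exec.html`); the current Python 2 reference for the `exec` statement (`https://docs.python.org/2/reference/simple_stmts.html#the-exec-statement`) is the better target.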

View File

@ -13,8 +13,10 @@
# under the License.
r"""
Description
-----------
==================================================
B111: Test for the use of rootwrap running as root
==================================================
Running commands as root dramatically increase their potential risk. Running
commands with restricted user privileges provides defense in depth against
command injection attacks, or developer and configuration error. This plugin
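Review bot: small grammar fix in the retained description: `Running commands as root dramatically increase their potential risk` should read `increases`.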
@ -22,8 +24,8 @@ test checks for specific methods being called with a keyword parameter
`run_as_root` set to True, a common OpenStack idiom.
Config Options
--------------
**Config Options:**
This test plugin takes a similarly named configuration block,
`execute_with_run_as_root_equals_true`, providing a list, `function_names`, of
function names. A call to any of these named functions will be checked for a
@ -41,8 +43,8 @@ issue.
- nova.utils.trycmd
Sample Output
-------------
:Example:
.. code-block:: none
>> Issue: Execute with run_as_root=True identified, possible security
@ -53,8 +55,8 @@ Sample Output
26 nova_utils.trycmd('gcc --version', run_as_root=True)
27
References
----------
.. seealso::
- https://security.openstack.org/guidelines/dg_rootwrap-recommendations-and-plans.html # noqa
- https://security.openstack.org/guidelines/dg_use-oslo-rootwrap-securely.html

View File

@ -15,8 +15,10 @@
# under the License.
r"""
Description
-----------
==================================================
B103: Test for setting permissive file permissions
==================================================
POSIX based operating systems utilize a permissions model to protect access to
parts of the file system. This model supports three roles "owner", "group"
and "world" each role may have a combination of "read", "write" or "execute"
@ -27,12 +29,8 @@ to set particularly permissive control flags. A MEDIUM warning is generated if
a file is set to group executable and a HIGH warning is reported if a file is
set world writable. Warnings are given with HIGH confidence.
Config Options
--------------
None
:Example:
Sample Output
-------------
.. code-block:: none
>> Issue: Probable insecure usage of temp file/directory.
@ -49,11 +47,11 @@ Sample Output
17 os.chmod(key_file, 0o777)
18
References
----------
- https://security.openstack.org/guidelines/dg_apply-restrictive-file-permissions.html # noqa
- https://en.wikipedia.org/wiki/File_system_permissions
- https://security.openstack.org
.. seealso::
- https://security.openstack.org/guidelines/dg_apply-restrictive-file-permissions.html # noqa
- https://en.wikipedia.org/wiki/File_system_permissions
- https://security.openstack.org
.. versionadded:: 0.9.0

View File

@ -15,19 +15,17 @@
# under the License.
r"""
Description
-----------
========================================
B104: Test for binding to all interfaces
========================================
Binding to all network interfaces can potentially open up a service to traffic
on unintended interfaces, that may not be properly documented or secured. This
plugin test looks for a string pattern "0.0.0.0" that may indicate a hardcoded
binding to all network interfaces.
Config Options
--------------
None
:Example:
Sample Output
-------------
.. code-block:: none
>> Issue: Possible binding to all interfaces.
@ -37,8 +35,8 @@ Sample Output
4 s.bind(('0.0.0.0', 31137))
5 s.bind(('192.168.0.1', 8080))
References
----------
.. seealso::
- __TODO__ : add best practice info on binding to all interfaces, and link
here.
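Review bot: the placeholder `- __TODO__ : add best practice info on binding to all interfaces, and link` / `here.` now sits inside `.. seealso::`, so the TODO becomes user-visible in the rendered docs; replace it with a real reference or drop it, and if it stays, make sure the continuation line `here.` is indented so it remains part of the bullet.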

View File

@ -15,8 +15,10 @@
# under the License.
r"""
Description
-----------
==========================================
B105: Test for use of hard-coded passwords
==========================================
The use of hard-coded passwords increases the possibility of password guessing
tremendously. This plugin test looks for all string literals and checks to see
if they exist in a list of likely default passwords. If they are found in the
@ -24,8 +26,8 @@ list, a LOW severity issue is reported.
Note: this test is very noisy and likely to result in many false positives.
Config Options
--------------
**Config Options:**
This plugin test takes a similarly named config block, `hardcoded_password`.
Here a path, `word_list`, can be given to indicate where the default password
word list file may be found.
@ -38,8 +40,8 @@ word list file may be found.
word_list: "%(site_data_dir)s/wordlist/default-passwords"
Sample Output
-------------
:Example:
.. code-block:: none
>> Issue: Possible hardcoded password '(root)'
@ -49,9 +51,9 @@ Sample Output
5 if password == "root":
6 print("OK, logged in")
References
----------
- https://www.owasp.org/index.php/Use_of_hard-coded_password
.. seealso::
- https://www.owasp.org/index.php/Use_of_hard-coded_password
.. versionadded:: 0.9.0

View File

@ -15,8 +15,10 @@
# under the License.
r"""
Description
-----------
===================================================
B108: Test for insecure usage of tmp file/directory
===================================================
Safely creating a temporary file or directory means following a number of rules
(see the references for more details). This plugin test looks for strings
starting with (configurable) commonly used temporary paths, for example:
@ -26,8 +28,8 @@ starting with (configurable) commonly used temporary paths, for example:
- /dev/shm
- etc
Config Options
--------------
**Config Options:**
This test plugin takes a similarly named config block,
`hardcoded_tmp_directory`. The config block provides a Python list, `tmp_dirs`,
that lists string fragments indicating possible temporary file paths. Any
@ -40,8 +42,8 @@ issue.
tmp_dirs: ['/tmp', '/var/tmp', '/dev/shm']
Sample Output
-------------
:Example:
.. code-block: none
>> Issue: Probable insecure usage of temp file/directory.
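Review bot: `.. code-block: none` has a single colon after `code-block`, so Sphinx will parse it as a comment rather than a directive and the indented sample output that follows will be swallowed into that comment and never rendered; change it to `.. code-block:: none` as in every other plugin in this change.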
@ -50,8 +52,8 @@ Sample Output
1 f = open('/tmp/abc', 'w')
2 f.write('def')
References
----------
.. seealso::
- https://security.openstack.org/guidelines/dg_using-temporary-files-securely.html # noqa
.. versionadded:: 0.9.0

View File

@ -15,8 +15,10 @@
# under the License.
r"""
Description
-----------
==============================================
B601: Test for shell injection within Paramiko
==============================================
Paramiko is a Python library designed to work with the SSH2 protocol for secure
(encrypted and authenticated) connections to remote machines. It is intended to
run commands on a remote host. These commands are run within a shell on the
@ -25,13 +27,8 @@ reports a MEDIUM issue when it detects the use of Paramiko's "exec_command" or
"invoke_shell" methods advising the user to check inputs are correctly
sanitized.
:Example:
Config Options
--------------
None
Sample Output
-------------
.. code-block:: none
>> Issue: Possible shell injection via Paramiko call, check inputs are
@ -50,12 +47,11 @@ Sample Output
10 SSHClient.invoke_shell('something; bad; here\n')
11
References
----------
.. seealso::
- https://security.openstack.org
- https://github.com/paramiko/paramiko
- https://www.owasp.org/index.php/Command_Injection
- https://security.openstack.org
- https://github.com/paramiko/paramiko
- https://www.owasp.org/index.php/Command_Injection
.. versionadded:: 0.12.0

View File

@ -101,7 +101,7 @@ def gen_config(name):
@test.checks('Call')
@test.test_id('B602')
def subprocess_popen_with_shell_equals_true(context, config):
"""subprocess_popen_with_shell_equals_true
"""**B602: Test for use of popen with shell equals true**
Python possesses many mechanisms to invoke an external executable. However,
doing so may present a security issue if appropriate care is not taken to
@ -133,7 +133,7 @@ def subprocess_popen_with_shell_equals_true(context, config):
- :doc:`../plugins/start_process_with_a_shell`
- :doc:`../plugins/start_process_with_partial_path`
Config Options:
**Config Options:**
This plugin test shares a configuration with others in the same family,
namely `shell_injection`. This configuration is divided up into three
@ -155,7 +155,7 @@ def subprocess_popen_with_shell_equals_true(context, config):
- subprocess.call
Sample Output:
:Example:
.. code-block:: none
@ -182,12 +182,12 @@ def subprocess_popen_with_shell_equals_true(context, config):
27 subprocess.Popen('/bin/ls %s' % ('something',), shell=True)
28 subprocess.Popen('/bin/ls {}'.format('something'), shell=True)
References:
.. seealso::
- https://security.openstack.org
- https://docs.python.org/2/library/subprocess.html#frequently-used-arguments # noqa
- https://security.openstack.org/guidelines/dg_use-subprocess-securely.html
- https://security.openstack.org/guidelines/dg_avoid-shell-true.html
- https://security.openstack.org
- https://docs.python.org/2/library/subprocess.html#frequently-used-arguments # noqa
- https://security.openstack.org/guidelines/dg_use-subprocess-securely.html
- https://security.openstack.org/guidelines/dg_avoid-shell-true.html
.. versionadded:: 0.9.0
"""
@ -227,7 +227,7 @@ def subprocess_popen_with_shell_equals_true(context, config):
@test.checks('Call')
@test.test_id('B603')
def subprocess_without_shell_equals_true(context, config):
"""subprocess_without_shell_equals_true
"""**B603: Test for use of subprocess with shell equals true**
Python possesses many mechanisms to invoke an external executable. However,
doing so may present a security issue if appropriate care is not taken to
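Review bot: the new title `**B603: Test for use of subprocess with shell equals true**` contradicts the function it documents, `subprocess_without_shell_equals_true`, and reads the same as the B602 title; it should be `**B603: Test for use of subprocess without shell equals true**`.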
@ -251,7 +251,7 @@ def subprocess_without_shell_equals_true(context, config):
- :doc:`../plugins/start_process_with_a_shell`
- :doc:`../plugins/start_process_with_partial_path`
Config Options:
**Config Options:**
This plugin test shares a configuration with others in the same family,
namely `shell_injection`. This configuration is divided up into three
@ -271,8 +271,7 @@ def subprocess_without_shell_equals_true(context, config):
- subprocess.Popen
- subprocess.call
Sample Output:
:Example:
.. code-block:: none
@ -283,12 +282,12 @@ def subprocess_without_shell_equals_true(context, config):
23 subprocess.check_output(['/bin/ls', '-l'])
24
References:
.. seealso::
- https://security.openstack.org
- https://docs.python.org/2/library/subprocess.html#frequently-used-arguments # noqa
- https://security.openstack.org/guidelines/dg_avoid-shell-true.html
- https://security.openstack.org/guidelines/dg_use-subprocess-securely.html
- https://security.openstack.org
- https://docs.python.org/2/library/subprocess.html#frequently-used-arguments # noqa
- https://security.openstack.org/guidelines/dg_avoid-shell-true.html
- https://security.openstack.org/guidelines/dg_use-subprocess-securely.html
.. versionadded:: 0.9.0
"""
@ -307,7 +306,7 @@ def subprocess_without_shell_equals_true(context, config):
@test.checks('Call')
@test.test_id('B604')
def any_other_function_with_shell_equals_true(context, config):
"""any_other_function_with_shell_equals_true
"""**B604: Test for any function with shell equals true**
Python possesses many mechanisms to invoke an external executable. However,
doing so may present a security issue if appropriate care is not taken to
@ -329,7 +328,7 @@ def any_other_function_with_shell_equals_true(context, config):
- :doc:`../plugins/start_process_with_a_shell`
- :doc:`../plugins/start_process_with_partial_path`
Config Options:
**Config Options:**
This plugin test shares a configuration with others in the same family,
namely `shell_injection`. This configuration is divided up into three
@ -351,7 +350,7 @@ def any_other_function_with_shell_equals_true(context, config):
utils.execute, utils.execute_with_timeout]
Sample Output:
:Example:
.. code-block:: none
@ -363,15 +362,10 @@ def any_other_function_with_shell_equals_true(context, config):
9 Popen('/bin/gcc --version', shell=True)
10
References:
.. seealso::
- https://security.openstack.org/guidelines/dg_avoid-shell-true.html
- https://security.openstack.org/guidelines/dg_use-subprocess-securely.html # noqa
"""
"""Alerts on any function call that includes a shell=True parameter.
Multiple 'helpers' with varying names have been identified across
various OpenStack projects.
.. versionadded:: 0.9.0
"""
@ -390,7 +384,7 @@ def any_other_function_with_shell_equals_true(context, config):
@test.checks('Call')
@test.test_id('B605')
def start_process_with_a_shell(context, config):
"""start_process_with_a_shell
"""**B605: Test for starting a process with a shell**
Python possesses many mechanisms to invoke an external executable. However,
doing so may present a security issue if appropriate care is not taken to
@ -413,7 +407,7 @@ def start_process_with_a_shell(context, config):
- :doc:`../plugins/start_process_with_partial_path`
- :doc:`../plugins/subprocess_popen_with_shell_equals_true`
Config Options:
**Config Options:**
This plugin test shares a configuration with others in the same family,
namely `shell_injection`. This configuration is divided up into three
@ -440,7 +434,7 @@ def start_process_with_a_shell(context, config):
- commands.getoutput
- commands.getstatusoutput
Sample Output:
:Example:
.. code-block:: none
@ -450,12 +444,12 @@ def start_process_with_a_shell(context, config):
2
3 os.system('/bin/echo hi')
References:
.. seealso::
- https://security.openstack.org
- https://docs.python.org/2/library/os.html#os.system
- https://docs.python.org/2/library/subprocess.html#frequently-used-arguments # noqa
- https://security.openstack.org/guidelines/dg_use-subprocess-securely.html
- https://security.openstack.org
- https://docs.python.org/2/library/os.html#os.system
- https://docs.python.org/2/library/subprocess.html#frequently-used-arguments # noqa
- https://security.openstack.org/guidelines/dg_use-subprocess-securely.html
.. versionadded:: 0.10.0
"""
@ -491,7 +485,7 @@ def start_process_with_a_shell(context, config):
@test.checks('Call')
@test.test_id('B606')
def start_process_with_no_shell(context, config):
"""start_process_with_no_shell
"""**B606: Test for starting a process with no shell**
Python possesses many mechanisms to invoke an external executable. However,
doing so may present a security issue if appropriate care is not taken to
@ -512,7 +506,7 @@ def start_process_with_no_shell(context, config):
- :doc:`../plugins/start_process_with_partial_path`
- :doc:`../plugins/subprocess_popen_with_shell_equals_true`
Config Options:
**Config Options:**
This plugin test shares a configuration with others in the same family,
namely `shell_injection`. This configuration is divided up into three
@ -544,7 +538,7 @@ def start_process_with_no_shell(context, config):
- os.spawnvpe
- os.startfile
Sample Output:
:Example:
.. code-block:: none
@ -556,12 +550,12 @@ def start_process_with_no_shell(context, config):
8 os.spawnve(mode, path, args, env)
9 os.spawnvp(mode, file, args)
References:
.. seealso::
- https://security.openstack.org
- https://docs.python.org/2/library/os.html#os.system
- https://docs.python.org/2/library/subprocess.html#frequently-used-arguments # noqa
- https://security.openstack.org/guidelines/dg_use-subprocess-securely.html
- https://security.openstack.org
- https://docs.python.org/2/library/os.html#os.system
- https://docs.python.org/2/library/subprocess.html#frequently-used-arguments # noqa
- https://security.openstack.org/guidelines/dg_use-subprocess-securely.html
.. versionadded:: 0.10.0
"""
@ -578,7 +572,7 @@ def start_process_with_no_shell(context, config):
@test.checks('Call')
@test.test_id('B607')
def start_process_with_partial_path(context, config):
"""start_process_with_partial_path
"""**B607: Test for starting a process with a partial path**
Python possesses many mechanisms to invoke an external executable. If the
desired executable path is not fully qualified relative to the filesystem
@ -597,7 +591,7 @@ def start_process_with_partial_path(context, config):
looking for paths that do not start at the filesystem root, that is, do not
have a leading '/' character.
Config Options:
**Config Options:**
This plugin test shares a configuration with others in the same family,
namely `shell_injection`. This configuration is divided up into three
@ -632,7 +626,7 @@ def start_process_with_partial_path(context, config):
- os.execle
Sample Output:
:Example:
.. code-block:: none
@ -642,10 +636,10 @@ def start_process_with_partial_path(context, config):
2 from subprocess import Popen as pop
3 pop('gcc --version', shell=False)
References:
.. seealso::
- https://security.openstack.org
- https://docs.python.org/2/library/os.html#process-management
- https://security.openstack.org
- https://docs.python.org/2/library/os.html#process-management
.. versionadded:: 0.13.0
"""

View File

@ -15,8 +15,10 @@
# under the License.
r"""
Description
-----------
============================
B608: Test for SQL injection
============================
An SQL injection attack consists of insertion or "injection" of a SQL query via
the input data given to an application. It is a very common attack vector. This
plugin test looks for strings that resemble SQL statements that are involved in
@ -35,13 +37,9 @@ If so, a MEDIUM issue is reported. For example:
- cursor.execute("SELECT %s FROM derp;" % var)
Config Options
--------------
None
:Example:
Sample Output
-------------
.. code-block:: none
>> Issue: Possible SQL injection vector through string-based query
@ -52,10 +50,10 @@ Sample Output
4 query = "UPDATE foo SET value = 'b' WHERE id = '%s'" % identifier
5
References
----------
- https://www.owasp.org/index.php/SQL_Injection
- https://security.openstack.org/guidelines/dg_parameterize-database-queries.html # noqa
.. seealso::
- https://www.owasp.org/index.php/SQL_Injection
- https://security.openstack.org/guidelines/dg_parameterize-database-queries.html # noqa
.. versionadded:: 0.9.0

View File

@ -15,8 +15,10 @@
# under the License.
r"""
Description
-----------
========================================
B609: Test for use of wildcard injection
========================================
Python provides a number of methods that emulate the behavior of standard Linux
command line utilities. Like their Linux counterparts, these commands may take
a wildcard "\*" character in place of a file system path. This is interpreted
@ -40,8 +42,8 @@ As well as any method configured in the shell or subprocess injection test
configurations.
Config Options
--------------
**Config Options:**
This plugin test shares a configuration with others in the same family, namely
`shell_injection`. This configuration is divided up into three sections,
`subprocess`, `shell` and `no_shell`. They each list Python calls that spawn
@ -75,8 +77,8 @@ methods are fully qualified and de-aliased prior to checking.
- os.execle
Sample Output
-------------
:Example:
.. code-block:: none
>> Issue: Possible wildcard injection in call: subprocess.Popen
@ -94,11 +96,11 @@ Sample Output
12 subp.Popen("/bin/chmod *")
References
----------
- https://security.openstack.org
- https://en.wikipedia.org/wiki/Wildcard_character
- http://www.defensecode.com/public/DefenseCode_Unix_WildCards_Gone_Wild.txt
.. seealso::
- https://security.openstack.org
- https://en.wikipedia.org/wiki/Wildcard_character
- http://www.defensecode.com/public/DefenseCode_Unix_WildCards_Gone_Wild.txt
.. versionadded:: 0.9.0

View File

@ -39,7 +39,7 @@ def gen_config(name):
@test.checks('Call')
@test.test_id('B502')
def ssl_with_bad_version(context, config):
"""Test for SSL use with bad version used
"""**B502: Test for SSL use with bad version used**
Several highly publicized exploitable flaws have been discovered
in all versions of SSL and early versions of TLS. It is strongly
@ -80,7 +80,7 @@ def ssl_with_bad_version(context, config):
``OP_NO_SSLv3`` flags for this purpose.
Config Options:
**Config Options:**
.. code-block:: yaml
@ -95,7 +95,7 @@ def ssl_with_bad_version(context, config):
- TLSv1_METHOD # strict option
Sample Output:
:Example:
.. code-block:: none
@ -107,12 +107,12 @@ def ssl_with_bad_version(context, config):
13 ssl.wrap_socket(ssl_version=ssl.PROTOCOL_SSLv3)
14 ssl.wrap_socket(ssl_version=ssl.PROTOCOL_TLSv1)
References:
.. seealso::
- http://heartbleed.com/
- https://poodlebleed.com/
- https://security.openstack.org/
- https://security.openstack.org/guidelines/dg_move-data-securely.html
- http://heartbleed.com/
- https://poodlebleed.com/
- https://security.openstack.org/
- https://security.openstack.org/guidelines/dg_move-data-securely.html
.. versionadded:: 0.9.0
"""
@ -155,7 +155,7 @@ def ssl_with_bad_version(context, config):
@test.checks('FunctionDef')
@test.test_id('B503')
def ssl_with_bad_defaults(context, config):
"""Test for SSL use with bad defaults specified
"""**B503: Test for SSL use with bad defaults specified**
This plugin is part of a family of tests that detect the use of known bad
versions of SSL/TLS, please see :doc:`../plugins/ssl_with_bad_version` for
@ -171,14 +171,13 @@ def ssl_with_bad_defaults(context, config):
- :doc:`../plugins/ssl_with_bad_version`
- :doc:`../plugins/ssl_with_no_version`
Config Options:
**Config Options:**
This test shares the configuration provided for the standard
:doc:`../plugins/ssl_with_bad_version` test, please refer to its
documentation.
Sample Output:
:Example:
.. code-block:: none
@ -190,12 +189,12 @@ def ssl_with_bad_defaults(context, config):
28 def open_ssl_socket(version=SSL.SSLv2_METHOD):
29 pass
References:
.. seealso::
- http://heartbleed.com/
- https://poodlebleed.com/
- https://security.openstack.org/
- https://security.openstack.org/guidelines/dg_move-data-securely.html
- http://heartbleed.com/
- https://poodlebleed.com/
- https://security.openstack.org/
- https://security.openstack.org/guidelines/dg_move-data-securely.html
.. versionadded:: 0.9.0
"""
@ -216,7 +215,7 @@ def ssl_with_bad_defaults(context, config):
@test.checks('Call')
@test.test_id('B504')
def ssl_with_no_version(context):
"""Test for SSL use with no version specified
"""**B504: Test for SSL use with no version specified**
This plugin is part of a family of tests that detect the use of known bad
versions of SSL/TLS, please see :doc:`../plugins/ssl_with_bad_version` for
@ -232,14 +231,13 @@ def ssl_with_no_version(context):
- :doc:`../plugins/ssl_with_bad_version`
- :doc:`../plugins/ssl_with_bad_defaults`
Config Options:
**Config Options:**
This test shares the configuration provided for the standard
:doc:`../plugins/ssl_with_bad_version` test, please refer to its
documentation.
Sample Output:
:Example:
.. code-block:: none
@ -252,12 +250,12 @@ def ssl_with_no_version(context):
23 ssl.wrap_socket()
24
References:
.. seealso::
- http://heartbleed.com/
- https://poodlebleed.com/
- https://security.openstack.org/
- https://security.openstack.org/guidelines/dg_move-data-securely.html
- http://heartbleed.com/
- https://poodlebleed.com/
- https://security.openstack.org/
- https://security.openstack.org/guidelines/dg_move-data-securely.html
.. versionadded:: 0.9.0
"""

View File

@ -15,8 +15,10 @@
# under the License.
r"""
Description
-----------
==========================================
B701: Test for not auto escaping in jinja2
==========================================
Jinja2 is a Python HTML templating system. It is typically used to build web
applications, though appears in other places well, notably the Ansible
automation system. When configuring the Jinja2 environment, the option to use
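Review bot: `though appears in other places well` in the retained description is missing words; it should read `though it appears in other places as well`.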
@ -29,13 +31,7 @@ Unfortunately, autoescaping is False by default. Thus this plugin test will
warn on omission of an autoescape setting, as well as an explicit setting of
false. A HIGH severity warning is generated in either of these scenarios.
Config Options
--------------
None
Sample Output
-------------
:Example:
.. code-block:: none
@ -60,13 +56,13 @@ Sample Output
17
References
----------
- https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
- https://realpython.com/blog/python/primer-on-jinja-templating/
- http://jinja.pocoo.org/docs/dev/api/#autoescaping
- https://security.openstack.org
- https://security.openstack.org/guidelines/dg_cross-site-scripting-xss.html
.. seealso::
- https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
- https://realpython.com/blog/python/primer-on-jinja-templating/
- http://jinja.pocoo.org/docs/dev/api/#autoescaping
- https://security.openstack.org
- https://security.openstack.org/guidelines/dg_cross-site-scripting-xss.html
.. versionadded:: 0.10.0

View File

@ -13,8 +13,10 @@
# under the License.
r"""
Description
-----------
====================================
B702: Test for use of mako templates
====================================
Mako is a Python templating system often used to build web applications. It is
the default templating system used in Pylons and Pyramid. Unlike Jinja2 (an
alternative templating system), Mako has no environment wide variable escaping
@ -23,12 +25,8 @@ before use to prevent possible vulnerabilities to Cross Site Scripting (XSS)
attacks.
Config Options
--------------
None
:Example:
Sample Output
-------------
.. code-block:: none
>> Issue: Mako templates allow HTML/JS rendering by default and are
@ -42,12 +40,12 @@ Sample Output
11 template.Template("hern")
References
----------
- http://www.makotemplates.org/
- https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
- https://security.openstack.org
- https://security.openstack.org/guidelines/dg_cross-site-scripting-xss.html
.. seealso::
- http://www.makotemplates.org/
- https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
- https://security.openstack.org
- https://security.openstack.org/guidelines/dg_cross-site-scripting-xss.html
.. versionadded:: 0.10.0

View File

@ -13,8 +13,10 @@
# under the License.
r"""
Description
-----------
===============================================================
B109: Test for a password based config option not marked secret
===============================================================
Passwords are sensitive and must be protected appropriately. In OpenStack
Oslo there is an option to mark options "secret" which will ensure that they
are not logged. This plugin detects usages of oslo configuration functions
@ -26,8 +28,9 @@ If such a value is found a MEDIUM severity error is generated. If 'False' or
Bandit can't determine the value of secret it will return a LOW confidence
issue.
Config Options
--------------
**Config Options:**
.. code-block:: yaml
password_config_option_not_marked_secret:
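Review bot: the two metadata blocks now use different conventions: "Config Options" becomes bold text (`**Config Options:**`) while "Sample Output" becomes an RST field (`:Example:`). For consistent rendering across plugins, either make this a field too (`:Config Options:`) or make both bold.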
@ -35,8 +38,8 @@ Config Options
- oslo.config.cfg.StrOpt
- oslo_config.cfg.StrOpt
Sample Output
-------------
:Example:
.. code-block:: none
>> Issue: [password_config_option_not_marked_secret] oslo config option
@ -58,9 +61,9 @@ Sample Output
22 help="LDAP bind user password"),
23 cfg.StrOpt('ldap_password_attribute',
References
----------
- https://security.openstack.org/guidelines/dg_protect-sensitive-data-in-files.html # noqa
.. seealso::
- https://security.openstack.org/guidelines/dg_protect-sensitive-data-in-files.html # noqa
.. versionadded:: 0.10.0
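Review bot: the `# noqa` after the long URL sits inside the module docstring, so it is rendered verbatim into the generated seealso list (it was already visible in the old "References" list). Either break the line so the URL fits the line-length limit, or exclude docstrings from that lint check, rather than shipping "noqa" to readers.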

View File

@ -15,8 +15,10 @@
# under the License.
r"""
Description
-----------
=========================================
B110: Test for a pass in the except block
=========================================
Errors in Python code bases are typically communicated using ``Exceptions``.
An exception object is 'raised' in the event of an error and can be 'caught' at
a later point in the program, typically some error handling or logging action
@ -51,16 +53,16 @@ would not generate a warning if the configuration option
except ZeroDivisionError:
pass
Config Options
--------------
**Config Options:**
.. code-block:: yaml
try_except_pass:
check_typed_exception: True
Sample Output
-------------
:Example:
.. code-block:: none
>> Issue: Try, Except, Pass detected.
@ -70,9 +72,9 @@ Sample Output
4 except:
5 pass
References
----------
- https://security.openstack.org
.. seealso::
- https://security.openstack.org
.. versionadded:: 0.13.0

View File

@ -13,20 +13,18 @@
# under the License.
r"""
Description
-----------
=========================================
B505: Test for weak cryptographic key use
=========================================
As computational power increases, so does the ability to break ciphers with
smaller key lengths. The recommended key length size is 2048 and higher. 1024
bits and below are now considered breakable. This plugin test checks for use
of any key less than 2048 bits and returns a high severity error if lower than
1024 and a medium severity error greater than 1024 but less than 2048.
Config Options
--------------
None
:Example:
Sample Output
-------------
.. code-block:: none
>> Issue: DSA key sizes below 1024 bits are considered breakable.
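Review bot: the severity bands in the description leave the 1024-bit boundary unassigned: "high severity ... if lower than 1024" and "medium severity ... greater than 1024 but less than 2048" say nothing about a key of exactly 1024 bits, while the sentence two lines earlier says "1024 bits and below are now considered breakable", which implies 1024 should be high. Since the docstring is being reworked, state the bands inclusively (for example "1024 bits or below" and "above 1024 and below 2048") so they match what the check actually does.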
@ -37,8 +35,8 @@ Sample Output
37 backends.default_backend())
38 rsa.generate_private_key(3,
References
----------
.. seealso::
- http://csrc.nist.gov/publications/nistpubs/800-131A/sp800-131A.pdf
- https://security.openstack.org/guidelines/dg_strong-crypto.html

View File

@ -65,6 +65,23 @@ To register your plugin, you have two options:
bandit.plugins =
mako = bandit_mako
Plugin ID Groupings
-------------------
======= ===========
ID Description
======= ===========
B1xx misc tests
B2xx application/framework miss-configuration
B3xx blacklists (calls)
B4xx blacklists (imports)
B5xx cryptography
B6xx injection
B7xx XSS
======= ===========
Complete Test Plugin Listing
----------------------------
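Review bot: "miss-configuration" in the B2xx row should be "misconfiguration". The table parses as a valid RST simple table because the last column may overflow its border, but widening the `===========` rule under Description to the longest entry would make the source easier to read.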