Introduce wildcards to blacklist_calls plugin

This change makes it so wildcards can be used in bandit.yaml when configuring function calls that should be alerted on. For example, it allows 'telnetlib.*' to be set as a blacklist entry, and will then alert on a call to telnetlib.Telnet() and any other functions in that namespace. It uses stdlib's fnmatch, which means the wildcards are Unix shell style. This change also hijacks the telnetlib import check, adding a wildcarded blacklist calls check as described above and adjusting tests and example naming accordingly. Change-Id: I0ff5891282ab762fd3dfc0447b20028d81d9afef
2015-09-02 18:00:23 -07:00 · 2015-09-02 18:00:23 -07:00 · 1ef271e26e
commit 1ef271e26e
parent 518c15c8a4
4 changed files with 19 additions and 8 deletions
--- a/bandit/config/bandit.yaml
+++ b/bandit/config/bandit.yaml
@ -149,10 +149,15 @@ blacklist_calls:
                Standard pseudo-random generators are not suitable for
                security/cryptographic purposes.
            level: LOW
-
+        - telnetlib:
+            qualnames:
+                - telnetlib.*
+            message: >
+                Telnet-related funtions are being called. Telnet is considered
+                insecure. Use SSH or some other encrypted protocol.
+            level: HIGH
        # Most of this is based off of Christian Heimes' work on defusedxml:
        #   https://pypi.python.org/pypi/defusedxml/#defusedxml-sax
-
        - xml_bad_cElementTree:
            qualnames: 
                - xml.etree.cElementTree.parse
@ -275,8 +280,8 @@ blacklist_imports:
            imports: [telnetlib]
            level: HIGH
            message: >
-                Telnet is considered insecure. Use SSH or some other encrypted
-                protocol.
+                A telnet-related module is being imported.  Telnet is
+                considered insecure. Use SSH or some other encrypted protocol.
        - info_libs:
            imports: [pickle, cPickle, subprocess, Crypto]
            level: LOW
--- a/bandit/plugins/blacklist_calls.py
+++ b/bandit/plugins/blacklist_calls.py
@ -14,6 +14,8 @@
 # License for the specific language governing permissions and limitations
 # under the License.

+import fnmatch
+
 import bandit
 from bandit.core.test_properties import *

@ -45,8 +47,12 @@ def blacklist_calls(context, config):
        if does_match and check[0]:
            matched_qn = False
            for qn in check[0]:
+                # case where string matches exactly
                if context.call_function_name_qual == qn:
                    matched_qn = True
+                # case where string matches to wildcard
+                elif fnmatch.fnmatch(context.call_function_name_qual, qn):
+                    matched_qn = True
            if not matched_qn:
                does_match = False

--- a/examples/imports-telnetlib.py
+++ b/examples/imports-telnetlib.py
--- a/tests/functional/test_functional.py
+++ b/tests/functional/test_functional.py
@ -146,10 +146,10 @@ class FunctionalTests(testtools.TestCase):
        expect = {'SEVERITY': {'LOW': 2}, 'CONFIDENCE': {'HIGH': 2}}
        self.check_example('imports-function.py', expect)

-    def test_imports_telnetlib(self):
-        '''Test for `import telnetlib`.'''
-        expect = {'SEVERITY': {'HIGH': 1}, 'CONFIDENCE': {'HIGH': 1}}
-        self.check_example('imports-telnetlib.py', expect)
+    def test_telnet_usage(self):
+        '''Test for `import telnetlib` and Telnet.* calls.'''
+        expect = {'SEVERITY': {'HIGH': 2}, 'CONFIDENCE': {'HIGH': 2}}
+        self.check_example('telnetlib.py', expect)

    def test_imports(self):
        '''Test for dangerous imports.'''