openstack/bandit
Code Issues Proposed changes

Fixing up random to be less noisy

Browse Source 
This just targets specific functions within random, rather than
the module itself. We use the blacklist calls stuff for this so
there is now no need for a special plugin.

Change-Id: Iecb4cd3d23040f2c4139f468109ddfbb209bbfa4
Closes-Bug: 1422897
This commit is contained in:
Tim Kelsey 2015-07-15 12:42:18 +01:00
parent f899820dea
commit 782ca73271
5 changed files with 16 additions and 56 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
bandit/config/bandit.yaml
View File

@ -77,6 +77,10 @@ blacklist_calls:
- urllib_urlopen:
qualnames: [urllib.urlopen, urllib.urlretrieve, urllib.URLopener, urllib.FancyURLopener, urllib2.urlopen, urllib2.Request]
message: "Audit url open for permitted schemes. Allowing use of file:/ or custom schemes is often unexpected."
- random:
qualnames: [random.random, random.randrange, random.randint, random.choice, random.uniform, random.triangular]
message: "Standard pseudo-random generators are not suitable for security/cryptographic purposes."
level: "LOW"
shell_injection:
# Start a process using the subprocess module, or one of its wrappers.

9
bandit/plugins/blacklist_calls.py
View File

@ -103,12 +103,9 @@ def _get_tuple_for_item(blacklist_object):
message = blacklist_object['message']
if 'level' in blacklist_object:
if blacklist_object['level'] == 'HIGH':
level = 'HIGH'
elif blacklist_object['level'] == 'MEDIUM':
level = 'MEDIUM'
elif blacklist_object['level'] == 'LOW':
level = 'LOW'
_level = blacklist_object['level'].upper()
if _level in {'HIGH', 'MEDIUM', 'LOW'}:
level = _level
if 'params' in blacklist_object:
params = blacklist_object['params']

48
bandit/plugins/crypto_random.py
View File

@ -1,48 +0,0 @@
# -*- coding:utf-8 -*-
#
# Copyright 2014 Hewlett-Packard Development Company, L.P.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
import bandit
from bandit.core.test_properties import *
@checks('Call')
def random_lib_calls(context):
# Alerts on any usage of any random library function
# check type just to be safe
if type(context.call_function_name_qual) == str:
qualname_list = context.call_function_name_qual.split('.')
# if the library is random
if len(qualname_list) >= 2 and qualname_list[-2] == 'random':
return bandit.Issue(
severity=bandit.LOW,
confidence=bandit.HIGH,
text="Use of random is not suitable for security/"
"cryptographic purposes."
)
@checks('Import', 'ImportFrom')
def random_lib_imports(context):
# Alerts on importing the 'random' library
if context.is_module_being_imported('random'):
return bandit.Issue(
severity=bandit.LOW,
confidence=bandit.HIGH,
text="Random library should not be used for any security or "
"cryptographic purposes."
)

9
examples/random_module.py
View File

@ -3,7 +3,14 @@ import os
import somelib
bad = random.random()
bad = random.randrange()
bad = random.randint()
bad = random.choice()
bad = random.uniform()
bad = random.triangular()
good = os.urandom()
bad = random.choice([0,1,2,3])
good = random.SystemRandom()
unknown = random()
unknown = somelib.a.random()

2
tests/test_functional.py
View File

@ -236,7 +236,7 @@ class FunctionalTests(unittest.TestCase):
def test_random_module(self):
'''Test for the `random` module.'''
expect = {'SEVERITY': {'LOW': 3}, 'CONFIDENCE': {'HIGH': 3}}
expect = {'SEVERITY': {'LOW': 6}, 'CONFIDENCE': {'HIGH': 6}}
self.check_example('random_module.py', expect)
def test_requests_ssl_verify_disabled(self):