openstack/bandit
Code Issues Proposed changes

Refactor check_example to be clearer on error

Browse Source 
Currently the check_example in test_functional computes sums and
on error tells the developer the difference in sums, which is
confusing and error prone.

It also leads to false positives where sums may be correct, but
the exact number of MEDIUM, HIGH, etc is different. This was the
case for two tests: test_xml and test_secret_config_option.

The general_hardcoded_password test was also broken for py35
because it was assuming function args are ast.Name not ast.arg.
But surprisingly the tests passed because of a syntax error in
the example.

Change-Id: Icd06fb7ca27a8a01d6442f199775d474d436371b
This commit is contained in:
Eric Brown 2017-02-23 13:29:38 -08:00
parent 32b4714562
commit 87c8b70e7b
3 changed files with 247 additions and 105 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
bandit/plugins/general_hardcoded_password.py
View File

@ -209,7 +209,7 @@ def hardcoded_password_default(context):
# go through all (param, value)s and look for candidates
for key, val in zip(context.node.args.args, defs):
if isinstance(key, ast.Name):
if isinstance(key, ast.Name) or isinstance(key, ast.arg):
check = key.arg if sys.version_info.major > 2 else key.id # Py3
if isinstance(val, ast.Str) and check in CANDIDATES:
return _report(val.s)

10
examples/hardcoded-passwords.py
View File

@ -13,10 +13,12 @@ def NoMatch2(password):
if password == "ajklawejrkl42348swfgkg":
print("Nice password!")
def doLogin(password="blerg"):
pass
def NoMatch3(a, b):
pass
doLogin(password="blerg")
password = "blerg"
d["password"] = "blerg"
def NoMatch3((a, b)):
pass

340
tests/functional/test_functional.py
View File

@ -69,17 +69,20 @@ class FunctionalTests(testtools.TestCase):
# reset scores for subsequent calls to check_example
self.b_mgr.scores = []
self.run_example(example_script, ignore_nosec=ignore_nosec)
expected = 0
result = 0
result = {
'SEVERITY': {'UNDEFINED': 0, 'LOW': 0, 'MEDIUM': 0, 'HIGH': 0},
'CONFIDENCE': {'UNDEFINED': 0, 'LOW': 0, 'MEDIUM': 0, 'HIGH': 0}
}
for test_scores in self.b_mgr.scores:
for score_type in test_scores:
self.assertIn(score_type, expect)
for rating in expect[score_type]:
expected += (
expect[score_type][rating] * C.RANKING_VALUES[rating]
)
result += sum(test_scores[score_type])
self.assertEqual(expected, result)
for idx, rank in enumerate(C.RANKING):
result[score_type][rank] = (test_scores[score_type][idx] /
C.RANKING_VALUES[rank])
self.assertDictEqual(expect, result)
def check_metrics(self, example_script, expect):
'''A helper method to test the metrics being returned.
@ -108,34 +111,50 @@ class FunctionalTests(testtools.TestCase):
def test_binding(self):
'''Test the bind-to-0.0.0.0 example.'''
expect = {'SEVERITY': {'MEDIUM': 1}, 'CONFIDENCE': {'MEDIUM': 1}}
expect = {
'SEVERITY': {'UNDEFINED': 0, 'LOW': 0, 'MEDIUM': 1, 'HIGH': 0},
'CONFIDENCE': {'UNDEFINED': 0, 'LOW': 0, 'MEDIUM': 1, 'HIGH': 0}
}
self.check_example('binding.py', expect)
def test_crypto_md5(self):
'''Test the `hashlib.md5` example.'''
expect = {'SEVERITY': {'MEDIUM': 11},
'CONFIDENCE': {'HIGH': 11}}
expect = {
'SEVERITY': {'UNDEFINED': 0, 'LOW': 0, 'MEDIUM': 11, 'HIGH': 0},
'CONFIDENCE': {'UNDEFINED': 0, 'LOW': 0, 'MEDIUM': 0, 'HIGH': 11}
}
self.check_example('crypto-md5.py', expect)
def test_ciphers(self):
'''Test the `Crypto.Cipher` example.'''
expect = {'SEVERITY': {'HIGH': 13},
'CONFIDENCE': {'HIGH': 13}}
expect = {
'SEVERITY': {'UNDEFINED': 0, 'LOW': 0, 'MEDIUM': 0, 'HIGH': 13},
'CONFIDENCE': {'UNDEFINED': 0, 'LOW': 0, 'MEDIUM': 0, 'HIGH': 13}
}
self.check_example('ciphers.py', expect)
def test_cipher_modes(self):
'''Test for insecure cipher modes.'''
expect = {'SEVERITY': {'MEDIUM': 1}, 'CONFIDENCE': {'HIGH': 1}}
expect = {
'SEVERITY': {'UNDEFINED': 0, 'LOW': 0, 'MEDIUM': 1, 'HIGH': 0},
'CONFIDENCE': {'UNDEFINED': 0, 'LOW': 0, 'MEDIUM': 0, 'HIGH': 1}
}
self.check_example('cipher-modes.py', expect)
def test_eval(self):
'''Test the `eval` example.'''
expect = {'SEVERITY': {'MEDIUM': 3}, 'CONFIDENCE': {'HIGH': 3}}
expect = {
'SEVERITY': {'UNDEFINED': 0, 'LOW': 0, 'MEDIUM': 3, 'HIGH': 0},
'CONFIDENCE': {'UNDEFINED': 0, 'LOW': 0, 'MEDIUM': 0, 'HIGH': 3}
}
self.check_example('eval.py', expect)
def test_mark_safe(self):
'''Test the `mark_safe` example.'''
expect = {'SEVERITY': {'MEDIUM': 1}, 'CONFIDENCE': {'HIGH': 1}}
expect = {
'SEVERITY': {'UNDEFINED': 0, 'LOW': 0, 'MEDIUM': 1, 'HIGH': 0},
'CONFIDENCE': {'UNDEFINED': 0, 'LOW': 0, 'MEDIUM': 0, 'HIGH': 1}
}
self.check_example('mark_safe.py', expect)
def test_exec(self):
@ -143,68 +162,106 @@ class FunctionalTests(testtools.TestCase):
filename = 'exec-{}.py'
if six.PY2:
filename = filename.format('py2')
expect = {'SEVERITY': {'MEDIUM': 2}, 'CONFIDENCE': {'HIGH': 2}}
expect = {
'SEVERITY': {'UNDEFINED': 0, 'LOW': 0, 'MEDIUM': 2, 'HIGH': 0},
'CONFIDENCE': {'UNDEFINED': 0, 'LOW': 0, 'MEDIUM': 0,
'HIGH': 2}
}
else:
filename = filename.format('py3')
expect = {'SEVERITY': {'MEDIUM': 1}, 'CONFIDENCE': {'HIGH': 1}}
expect = {
'SEVERITY': {'UNDEFINED': 0, 'LOW': 0, 'MEDIUM': 1, 'HIGH': 0},
'CONFIDENCE': {'UNDEFINED': 0, 'LOW': 0, 'MEDIUM': 0,
'HIGH': 1}
}
self.check_example(filename, expect)
def test_exec_as_root(self):
'''Test for the `run_as_root=True` keyword argument.'''
expect = {'SEVERITY': {'LOW': 5}, 'CONFIDENCE': {'MEDIUM': 5}}
expect = {
'SEVERITY': {'UNDEFINED': 0, 'LOW': 5, 'MEDIUM': 0, 'HIGH': 0},
'CONFIDENCE': {'UNDEFINED': 0, 'LOW': 0, 'MEDIUM': 5, 'HIGH': 0}
}
self.check_example('exec-as-root.py', expect)
def test_hardcoded_passwords(self):
'''Test for hard-coded passwords.'''
expect = {'SEVERITY': {'LOW': 7}, 'CONFIDENCE': {'MEDIUM': 7}}
expect = {
'SEVERITY': {'UNDEFINED': 0, 'LOW': 8, 'MEDIUM': 0, 'HIGH': 0},
'CONFIDENCE': {'UNDEFINED': 0, 'LOW': 0, 'MEDIUM': 8, 'HIGH': 0}
}
self.check_example('hardcoded-passwords.py', expect)
def test_hardcoded_tmp(self):
'''Test for hard-coded /tmp, /var/tmp, /dev/shm.'''
expect = {'SEVERITY': {'MEDIUM': 3}, 'CONFIDENCE': {'MEDIUM': 3}}
expect = {
'SEVERITY': {'UNDEFINED': 0, 'LOW': 0, 'MEDIUM': 3, 'HIGH': 0},
'CONFIDENCE': {'UNDEFINED': 0, 'LOW': 0, 'MEDIUM': 3, 'HIGH': 0}
}
self.check_example('hardcoded-tmp.py', expect)
def test_httplib_https(self):
'''Test for `httplib.HTTPSConnection`.'''
expect = {'SEVERITY': {'MEDIUM': 3}, 'CONFIDENCE': {'HIGH': 3}}
expect = {
'SEVERITY': {'UNDEFINED': 0, 'LOW': 0, 'MEDIUM': 3, 'HIGH': 0},
'CONFIDENCE': {'UNDEFINED': 0, 'LOW': 0, 'MEDIUM': 0, 'HIGH': 3}
}
self.check_example('httplib_https.py', expect)
def test_imports_aliases(self):
'''Test the `import X as Y` syntax.'''
expect = {
'SEVERITY': {'LOW': 4, 'MEDIUM': 5, 'HIGH': 0},
'CONFIDENCE': {'HIGH': 9}
'SEVERITY': {'UNDEFINED': 0, 'LOW': 4, 'MEDIUM': 5, 'HIGH': 0},
'CONFIDENCE': {'UNDEFINED': 0, 'LOW': 0, 'MEDIUM': 0, 'HIGH': 9}
}
self.check_example('imports-aliases.py', expect)
def test_imports_from(self):
'''Test the `from X import Y` syntax.'''
expect = {'SEVERITY': {'LOW': 3}, 'CONFIDENCE': {'HIGH': 3}}
expect = {
'SEVERITY': {'UNDEFINED': 0, 'LOW': 3, 'MEDIUM': 0, 'HIGH': 0},
'CONFIDENCE': {'UNDEFINED': 0, 'LOW': 0, 'MEDIUM': 0, 'HIGH': 3}
}
self.check_example('imports-from.py', expect)
def test_imports_function(self):
'''Test the `__import__` function.'''
expect = {'SEVERITY': {'LOW': 2}, 'CONFIDENCE': {'HIGH': 2}}
expect = {
'SEVERITY': {'UNDEFINED': 0, 'LOW': 2, 'MEDIUM': 0, 'HIGH': 0},
'CONFIDENCE': {'UNDEFINED': 0, 'LOW': 0, 'MEDIUM': 0, 'HIGH': 2}
}
self.check_example('imports-function.py', expect)
def test_telnet_usage(self):
'''Test for `import telnetlib` and Telnet.* calls.'''
expect = {'SEVERITY': {'HIGH': 2}, 'CONFIDENCE': {'HIGH': 2}}
expect = {
'SEVERITY': {'UNDEFINED': 0, 'LOW': 0, 'MEDIUM': 0, 'HIGH': 2},
'CONFIDENCE': {'UNDEFINED': 0, 'LOW': 0, 'MEDIUM': 0, 'HIGH': 2}
}
self.check_example('telnetlib.py', expect)
def test_ftp_usage(self):
'''Test for `import ftplib` and FTP.* calls.'''
expect = {'SEVERITY': {'HIGH': 2}, 'CONFIDENCE': {'HIGH': 2}}
expect = {
'SEVERITY': {'UNDEFINED': 0, 'LOW': 0, 'MEDIUM': 0, 'HIGH': 2},
'CONFIDENCE': {'UNDEFINED': 0, 'LOW': 0, 'MEDIUM': 0, 'HIGH': 2}
}
self.check_example('ftplib.py', expect)
def test_imports(self):
'''Test for dangerous imports.'''
expect = {'SEVERITY': {'LOW': 2}, 'CONFIDENCE': {'HIGH': 2}}
expect = {
'SEVERITY': {'UNDEFINED': 0, 'LOW': 2, 'MEDIUM': 0, 'HIGH': 0},
'CONFIDENCE': {'UNDEFINED': 0, 'LOW': 0, 'MEDIUM': 0, 'HIGH': 2}
}
self.check_example('imports.py', expect)
def test_mktemp(self):
'''Test for `tempfile.mktemp`.'''
expect = {'SEVERITY': {'MEDIUM': 4}, 'CONFIDENCE': {'HIGH': 4}}
expect = {
'SEVERITY': {'UNDEFINED': 0, 'LOW': 0, 'MEDIUM': 4, 'HIGH': 0},
'CONFIDENCE': {'UNDEFINED': 0, 'LOW': 0, 'MEDIUM': 0, 'HIGH': 4}
}
self.check_example('mktemp.py', expect)
def test_nonsense(self):
@ -214,7 +271,10 @@ class FunctionalTests(testtools.TestCase):
def test_okay(self):
'''Test a vulnerability-free file.'''
expect = {'SEVERITY': {}, 'CONFIDENCE': {}}
expect = {
'SEVERITY': {'UNDEFINED': 0, 'LOW': 0, 'MEDIUM': 0, 'HIGH': 0},
'CONFIDENCE': {'UNDEFINED': 0, 'LOW': 0, 'MEDIUM': 0, 'HIGH': 0}
}
self.check_example('okay.py', expect)
def test_os_chmod(self):
@ -225,75 +285,105 @@ class FunctionalTests(testtools.TestCase):
else:
filename = filename.format('py3')
expect = {
'SEVERITY': {'MEDIUM': 2, 'HIGH': 8},
'CONFIDENCE': {'MEDIUM': 1, 'HIGH': 9}
'SEVERITY': {'UNDEFINED': 0, 'LOW': 0, 'MEDIUM': 2, 'HIGH': 8},
'CONFIDENCE': {'UNDEFINED': 0, 'LOW': 0, 'MEDIUM': 1, 'HIGH': 9}
}
self.check_example(filename, expect)
def test_os_exec(self):
'''Test for `os.exec*`.'''
expect = {'SEVERITY': {'LOW': 8}, 'CONFIDENCE': {'MEDIUM': 8}}
expect = {
'SEVERITY': {'UNDEFINED': 0, 'LOW': 8, 'MEDIUM': 0, 'HIGH': 0},
'CONFIDENCE': {'UNDEFINED': 0, 'LOW': 0, 'MEDIUM': 8, 'HIGH': 0}
}
self.check_example('os-exec.py', expect)
def test_os_popen(self):
'''Test for `os.popen`.'''
expect = {'SEVERITY': {'LOW': 8, 'MEDIUM': 0, 'HIGH': 1},
'CONFIDENCE': {'HIGH': 9}}
expect = {
'SEVERITY': {'UNDEFINED': 0, 'LOW': 8, 'MEDIUM': 0, 'HIGH': 1},
'CONFIDENCE': {'UNDEFINED': 0, 'LOW': 0, 'MEDIUM': 0, 'HIGH': 9}
}
self.check_example('os-popen.py', expect)
def test_os_spawn(self):
'''Test for `os.spawn*`.'''
expect = {'SEVERITY': {'LOW': 8}, 'CONFIDENCE': {'MEDIUM': 8}}
expect = {
'SEVERITY': {'UNDEFINED': 0, 'LOW': 8, 'MEDIUM': 0, 'HIGH': 0},
'CONFIDENCE': {'UNDEFINED': 0, 'LOW': 0, 'MEDIUM': 8, 'HIGH': 0}
}
self.check_example('os-spawn.py', expect)
def test_os_startfile(self):
'''Test for `os.startfile`.'''
expect = {'SEVERITY': {'LOW': 3}, 'CONFIDENCE': {'MEDIUM': 3}}
expect = {
'SEVERITY': {'UNDEFINED': 0, 'LOW': 3, 'MEDIUM': 0, 'HIGH': 0},
'CONFIDENCE': {'UNDEFINED': 0, 'LOW': 0, 'MEDIUM': 3, 'HIGH': 0}
}
self.check_example('os-startfile.py', expect)
def test_os_system(self):
'''Test for `os.system`.'''
expect = {'SEVERITY': {'LOW': 1}, 'CONFIDENCE': {'HIGH': 1}}
expect = {
'SEVERITY': {'UNDEFINED': 0, 'LOW': 1, 'MEDIUM': 0, 'HIGH': 0},
'CONFIDENCE': {'UNDEFINED': 0, 'LOW': 0, 'MEDIUM': 0, 'HIGH': 1}
}
self.check_example('os_system.py', expect)
def test_pickle(self):
'''Test for the `pickle` module.'''
expect = {
'SEVERITY': {'LOW': 2, 'MEDIUM': 6},
'CONFIDENCE': {'HIGH': 8}
'SEVERITY': {'UNDEFINED': 0, 'LOW': 2, 'MEDIUM': 6, 'HIGH': 0},
'CONFIDENCE': {'UNDEFINED': 0, 'LOW': 0, 'MEDIUM': 0, 'HIGH': 8}
}
self.check_example('pickle_deserialize.py', expect)
def test_popen_wrappers(self):
'''Test the `popen2` and `commands` modules.'''
expect = {'SEVERITY': {'LOW': 7}, 'CONFIDENCE': {'HIGH': 7}}
expect = {
'SEVERITY': {'UNDEFINED': 0, 'LOW': 7, 'MEDIUM': 0, 'HIGH': 0},
'CONFIDENCE': {'UNDEFINED': 0, 'LOW': 0, 'MEDIUM': 0, 'HIGH': 7}
}
self.check_example('popen_wrappers.py', expect)
def test_random_module(self):
'''Test for the `random` module.'''
expect = {'SEVERITY': {'LOW': 6}, 'CONFIDENCE': {'HIGH': 6}}
expect = {
'SEVERITY': {'UNDEFINED': 0, 'LOW': 6, 'MEDIUM': 0, 'HIGH': 0},
'CONFIDENCE': {'UNDEFINED': 0, 'LOW': 0, 'MEDIUM': 0, 'HIGH': 6}
}
self.check_example('random_module.py', expect)
def test_requests_ssl_verify_disabled(self):
'''Test for the `requests` library skipping verification.'''
expect = {'SEVERITY': {'HIGH': 7}, 'CONFIDENCE': {'HIGH': 7}}
expect = {
'SEVERITY': {'UNDEFINED': 0, 'LOW': 0, 'MEDIUM': 0, 'HIGH': 7},
'CONFIDENCE': {'UNDEFINED': 0, 'LOW': 0, 'MEDIUM': 0, 'HIGH': 7}
}
self.check_example('requests-ssl-verify-disabled.py', expect)
def test_skip(self):
'''Test `#nosec` and `#noqa` comments.'''
expect = {'SEVERITY': {'LOW': 5}, 'CONFIDENCE': {'HIGH': 5}}
expect = {
'SEVERITY': {'UNDEFINED': 0, 'LOW': 5, 'MEDIUM': 0, 'HIGH': 0},
'CONFIDENCE': {'UNDEFINED': 0, 'LOW': 0, 'MEDIUM': 0, 'HIGH': 5}
}
self.check_example('skip.py', expect)
def test_ignore_skip(self):
'''Test --ignore-nosec flag.'''
expect = {'SEVERITY': {'LOW': 7}, 'CONFIDENCE': {'HIGH': 7}}
expect = {
'SEVERITY': {'UNDEFINED': 0, 'LOW': 7, 'MEDIUM': 0, 'HIGH': 0},
'CONFIDENCE': {'UNDEFINED': 0, 'LOW': 0, 'MEDIUM': 0, 'HIGH': 7}
}
self.check_example('skip.py', expect, ignore_nosec=True)
def test_sql_statements(self):
'''Test for SQL injection through string building.'''
expect = {
'SEVERITY': {'MEDIUM': 14},
'CONFIDENCE': {'LOW': 8, 'MEDIUM': 6}}
'SEVERITY': {'UNDEFINED': 0, 'LOW': 0, 'MEDIUM': 14, 'HIGH': 0},
'CONFIDENCE': {'UNDEFINED': 0, 'LOW': 8, 'MEDIUM': 6, 'HIGH': 0}
}
self.check_example('sql_statements.py', expect)
def test_ssl_insecure_version(self):
@ -302,126 +392,164 @@ class FunctionalTests(testtools.TestCase):
'SEVERITY': {'LOW': 1, 'MEDIUM': 10, 'HIGH': 7},
'CONFIDENCE': {'LOW': 0, 'MEDIUM': 11, 'HIGH': 7}
}
expect = {
'SEVERITY': {'UNDEFINED': 0, 'LOW': 1, 'MEDIUM': 10, 'HIGH': 7},
'CONFIDENCE': {'UNDEFINED': 0, 'LOW': 0, 'MEDIUM': 11, 'HIGH': 7}
}
self.check_example('ssl-insecure-version.py', expect)
def test_subprocess_shell(self):
'''Test for `subprocess.Popen` with `shell=True`.'''
expect = {
'SEVERITY': {'HIGH': 3, 'MEDIUM': 1, 'LOW': 14},
'CONFIDENCE': {'HIGH': 17, 'LOW': 1}
'SEVERITY': {'UNDEFINED': 0, 'LOW': 14, 'MEDIUM': 1, 'HIGH': 3},
'CONFIDENCE': {'UNDEFINED': 0, 'LOW': 1, 'MEDIUM': 0, 'HIGH': 17}
}
self.check_example('subprocess_shell.py', expect)
def test_urlopen(self):
'''Test for dangerous URL opening.'''
expect = {'SEVERITY': {'MEDIUM': 14}, 'CONFIDENCE': {'HIGH': 14}}
expect = {
'SEVERITY': {'UNDEFINED': 0, 'LOW': 0, 'MEDIUM': 14, 'HIGH': 0},
'CONFIDENCE': {'UNDEFINED': 0, 'LOW': 0, 'MEDIUM': 0, 'HIGH': 14}
}
self.check_example('urlopen.py', expect)
def test_utils_shell(self):
'''Test for `utils.execute*` with `shell=True`.'''
expect = {
'SEVERITY': {'LOW': 5},
'CONFIDENCE': {'HIGH': 5}
'SEVERITY': {'UNDEFINED': 0, 'LOW': 5, 'MEDIUM': 0, 'HIGH': 0},
'CONFIDENCE': {'UNDEFINED': 0, 'LOW': 0, 'MEDIUM': 0, 'HIGH': 5}
}
self.check_example('utils-shell.py', expect)
def test_wildcard_injection(self):
'''Test for wildcard injection in shell commands.'''
expect = {
'SEVERITY': {'HIGH': 4, 'MEDIUM': 0, 'LOW': 10},
'CONFIDENCE': {'MEDIUM': 5, 'HIGH': 9}
'SEVERITY': {'UNDEFINED': 0, 'LOW': 10, 'MEDIUM': 0, 'HIGH': 4},
'CONFIDENCE': {'UNDEFINED': 0, 'LOW': 0, 'MEDIUM': 5, 'HIGH': 9}
}
self.check_example('wildcard-injection.py', expect)
def test_yaml(self):
'''Test for `yaml.load`.'''
expect = {'SEVERITY': {'MEDIUM': 1}, 'CONFIDENCE': {'HIGH': 1}}
expect = {
'SEVERITY': {'UNDEFINED': 0, 'LOW': 0, 'MEDIUM': 1, 'HIGH': 0},
'CONFIDENCE': {'UNDEFINED': 0, 'LOW': 0, 'MEDIUM': 0, 'HIGH': 1}
}
self.check_example('yaml_load.py', expect)
def test_jinja2_templating(self):
'''Test jinja templating for potential XSS bugs.'''
expect = {
'SEVERITY': {'HIGH': 4},
'CONFIDENCE': {'HIGH': 3, 'MEDIUM': 1}
'SEVERITY': {'UNDEFINED': 0, 'LOW': 0, 'MEDIUM': 0, 'HIGH': 4},
'CONFIDENCE': {'UNDEFINED': 0, 'LOW': 0, 'MEDIUM': 1, 'HIGH': 3}
}
self.check_example('jinja2_templating.py', expect)
def test_secret_config_option(self):
'''Test for `secret=True` in Oslo's config.'''
expect = {
'SEVERITY': {'LOW': 1, 'MEDIUM': 2},
'CONFIDENCE': {'MEDIUM': 3}
'SEVERITY': {'UNDEFINED': 0, 'LOW': 0, 'MEDIUM': 3, 'HIGH': 0},
'CONFIDENCE': {'UNDEFINED': 0, 'LOW': 1, 'MEDIUM': 2, 'HIGH': 0}
}
self.check_example('secret-config-option.py', expect)
def test_mako_templating(self):
'''Test Mako templates for XSS.'''
expect = {'SEVERITY': {'MEDIUM': 3}, 'CONFIDENCE': {'HIGH': 3}}
expect = {
'SEVERITY': {'UNDEFINED': 0, 'LOW': 0, 'MEDIUM': 3, 'HIGH': 0},
'CONFIDENCE': {'UNDEFINED': 0, 'LOW': 0, 'MEDIUM': 0, 'HIGH': 3}
}
self.check_example('mako_templating.py', expect)
def test_xml(self):
'''Test xml vulnerabilities.'''
expect = {'SEVERITY': {'LOW': 1, 'HIGH': 4},
'CONFIDENCE': {'HIGH': 1, 'MEDIUM': 4}}
expect = {
'SEVERITY': {'UNDEFINED': 0, 'LOW': 1, 'MEDIUM': 4, 'HIGH': 0},
'CONFIDENCE': {'UNDEFINED': 0, 'LOW': 0, 'MEDIUM': 0, 'HIGH': 5}
}
self.check_example('xml_etree_celementtree.py', expect)
expect = {'SEVERITY': {'LOW': 1, 'HIGH': 2},
'CONFIDENCE': {'HIGH': 1, 'MEDIUM': 2}}
expect = {
'SEVERITY': {'UNDEFINED': 0, 'LOW': 1, 'MEDIUM': 2, 'HIGH': 0},
'CONFIDENCE': {'UNDEFINED': 0, 'LOW': 0, 'MEDIUM': 0, 'HIGH': 3}
}
self.check_example('xml_expatbuilder.py', expect)
expect = {'SEVERITY': {'LOW': 3, 'HIGH': 1},
'CONFIDENCE': {'HIGH': 3, 'MEDIUM': 1}}
expect = {
'SEVERITY': {'UNDEFINED': 0, 'LOW': 3, 'MEDIUM': 1, 'HIGH': 0},
'CONFIDENCE': {'UNDEFINED': 0, 'LOW': 0, 'MEDIUM': 0, 'HIGH': 4}
}
self.check_example('xml_lxml.py', expect)
expect = {'SEVERITY': {'LOW': 2, 'HIGH': 2},
'CONFIDENCE': {'HIGH': 2, 'MEDIUM': 2}}
expect = {
'SEVERITY': {'UNDEFINED': 0, 'LOW': 2, 'MEDIUM': 2, 'HIGH': 0},
'CONFIDENCE': {'UNDEFINED': 0, 'LOW': 0, 'MEDIUM': 0, 'HIGH': 4}
}
self.check_example('xml_pulldom.py', expect)
expect = {'SEVERITY': {'HIGH': 1},
'CONFIDENCE': {'HIGH': 1}}
expect = {
'SEVERITY': {'UNDEFINED': 0, 'LOW': 0, 'MEDIUM': 0, 'HIGH': 1},
'CONFIDENCE': {'UNDEFINED': 0, 'LOW': 0, 'MEDIUM': 0, 'HIGH': 1}
}
self.check_example('xml_xmlrpc.py', expect)
expect = {'SEVERITY': {'LOW': 1, 'HIGH': 4},
'CONFIDENCE': {'HIGH': 1, 'MEDIUM': 4}}
expect = {
'SEVERITY': {'UNDEFINED': 0, 'LOW': 1, 'MEDIUM': 4, 'HIGH': 0},
'CONFIDENCE': {'UNDEFINED': 0, 'LOW': 0, 'MEDIUM': 0, 'HIGH': 5}
}
self.check_example('xml_etree_elementtree.py', expect)
expect = {'SEVERITY': {'LOW': 1, 'HIGH': 1},
'CONFIDENCE': {'HIGH': 1, 'MEDIUM': 1}}
expect = {
'SEVERITY': {'UNDEFINED': 0, 'LOW': 1, 'MEDIUM': 1, 'HIGH': 0},
'CONFIDENCE': {'UNDEFINED': 0, 'LOW': 0, 'MEDIUM': 0, 'HIGH': 2}
}
self.check_example('xml_expatreader.py', expect)
expect = {'SEVERITY': {'LOW': 2, 'HIGH': 2},
'CONFIDENCE': {'HIGH': 2, 'MEDIUM': 2}}
expect = {
'SEVERITY': {'UNDEFINED': 0, 'LOW': 2, 'MEDIUM': 2, 'HIGH': 0},
'CONFIDENCE': {'UNDEFINED': 0, 'LOW': 0, 'MEDIUM': 0, 'HIGH': 4}
}
self.check_example('xml_minidom.py', expect)
expect = {'SEVERITY': {'LOW': 2, 'HIGH': 6},
'CONFIDENCE': {'HIGH': 2, 'MEDIUM': 6}}
expect = {
'SEVERITY': {'UNDEFINED': 0, 'LOW': 2, 'MEDIUM': 6, 'HIGH': 0},
'CONFIDENCE': {'UNDEFINED': 0, 'LOW': 0, 'MEDIUM': 0, 'HIGH': 8}
}
self.check_example('xml_sax.py', expect)
def test_httpoxy(self):
'''Test httpoxy vulnerability.'''
expect = {'SEVERITY': {'HIGH': 1},
'CONFIDENCE': {'HIGH': 1}}
expect = {
'SEVERITY': {'UNDEFINED': 0, 'LOW': 0, 'MEDIUM': 0, 'HIGH': 1},
'CONFIDENCE': {'UNDEFINED': 0, 'LOW': 0, 'MEDIUM': 0, 'HIGH': 1}
}
self.check_example('httpoxy_cgihandler.py', expect)
self.check_example('httpoxy_twisted_script.py', expect)
self.check_example('httpoxy_twisted_directory.py', expect)
def test_asserts(self):
'''Test catching the use of assert.'''
expect = {'SEVERITY': {'LOW': 1},
'CONFIDENCE': {'HIGH': 1}}
expect = {
'SEVERITY': {'UNDEFINED': 0, 'LOW': 1, 'MEDIUM': 0, 'HIGH': 0},
'CONFIDENCE': {'UNDEFINED': 0, 'LOW': 0, 'MEDIUM': 0, 'HIGH': 1}
}
self.check_example('assert.py', expect)
def test_paramiko_injection(self):
'''Test paramiko command execution.'''
expect = {'SEVERITY': {'MEDIUM': 2},
'CONFIDENCE': {'MEDIUM': 2}}
expect = {
'SEVERITY': {'UNDEFINED': 0, 'LOW': 0, 'MEDIUM': 2, 'HIGH': 0},
'CONFIDENCE': {'UNDEFINED': 0, 'LOW': 0, 'MEDIUM': 2, 'HIGH': 0}
}
self.check_example('paramiko_injection.py', expect)
def test_partial_path(self):
'''Test process spawning with partial file paths.'''
expect = {'SEVERITY': {'LOW': 11},
'CONFIDENCE': {'HIGH': 11}}
expect = {
'SEVERITY': {'UNDEFINED': 0, 'LOW': 11, 'MEDIUM': 0, 'HIGH': 0},
'CONFIDENCE': {'UNDEFINED': 0, 'LOW': 0, 'MEDIUM': 0, 'HIGH': 11}
}
self.check_example('partial_path_process.py', expect)
def test_try_except_continue(self):
@ -430,11 +558,17 @@ class FunctionalTests(testtools.TestCase):
if x.__name__ == 'try_except_continue'))
test._config = {'check_typed_exception': True}
expect = {'SEVERITY': {'LOW': 3}, 'CONFIDENCE': {'HIGH': 3}}
expect = {
'SEVERITY': {'UNDEFINED': 0, 'LOW': 3, 'MEDIUM': 0, 'HIGH': 0},
'CONFIDENCE': {'UNDEFINED': 0, 'LOW': 0, 'MEDIUM': 0, 'HIGH': 3}
}
self.check_example('try_except_continue.py', expect)
test._config = {'check_typed_exception': False}
expect = {'SEVERITY': {'LOW': 2}, 'CONFIDENCE': {'HIGH': 2}}
expect = {
'SEVERITY': {'UNDEFINED': 0, 'LOW': 2, 'MEDIUM': 0, 'HIGH': 0},
'CONFIDENCE': {'UNDEFINED': 0, 'LOW': 0, 'MEDIUM': 0, 'HIGH': 2}
}
self.check_example('try_except_continue.py', expect)
def test_try_except_pass(self):
@ -443,11 +577,17 @@ class FunctionalTests(testtools.TestCase):
if x.__name__ == 'try_except_pass'))
test._config = {'check_typed_exception': True}
expect = {'SEVERITY': {'LOW': 3}, 'CONFIDENCE': {'HIGH': 3}}
expect = {
'SEVERITY': {'UNDEFINED': 0, 'LOW': 3, 'MEDIUM': 0, 'HIGH': 0},
'CONFIDENCE': {'UNDEFINED': 0, 'LOW': 0, 'MEDIUM': 0, 'HIGH': 3}
}
self.check_example('try_except_pass.py', expect)
test._config = {'check_typed_exception': False}
expect = {'SEVERITY': {'LOW': 2}, 'CONFIDENCE': {'HIGH': 2}}
expect = {
'SEVERITY': {'UNDEFINED': 0, 'LOW': 2, 'MEDIUM': 0, 'HIGH': 0},
'CONFIDENCE': {'UNDEFINED': 0, 'LOW': 0, 'MEDIUM': 0, 'HIGH': 2}
}
self.check_example('try_except_pass.py', expect)
def test_metric_gathering(self):
@ -465,8 +605,8 @@ class FunctionalTests(testtools.TestCase):
def test_weak_cryptographic_key(self):
'''Test for weak key sizes.'''
expect = {
'SEVERITY': {'MEDIUM': 8, 'HIGH': 6},
'CONFIDENCE': {'HIGH': 14}
'SEVERITY': {'UNDEFINED': 0, 'LOW': 0, 'MEDIUM': 8, 'HIGH': 6},
'CONFIDENCE': {'UNDEFINED': 0, 'LOW': 0, 'MEDIUM': 0, 'HIGH': 14}
}
self.check_example('weak_cryptographic_key_sizes.py', expect)
@ -503,15 +643,15 @@ class FunctionalTests(testtools.TestCase):
def test_flask_debug_true(self):
expect = {
'SEVERITY': {'HIGH': 1},
'CONFIDENCE': {'MEDIUM': 1}
'SEVERITY': {'UNDEFINED': 0, 'LOW': 0, 'MEDIUM': 0, 'HIGH': 1},
'CONFIDENCE': {'UNDEFINED': 0, 'LOW': 0, 'MEDIUM': 1, 'HIGH': 0}
}
self.check_example('flask_debug.py', expect)
def test_nosec(self):
expect = {
'SEVERITY': {},
'CONFIDENCE': {}
'SEVERITY': {'UNDEFINED': 0, 'LOW': 0, 'MEDIUM': 0, 'HIGH': 0},
'CONFIDENCE': {'UNDEFINED': 0, 'LOW': 0, 'MEDIUM': 0, 'HIGH': 0}
}
self.check_example('nosec.py', expect)
@ -545,7 +685,7 @@ class FunctionalTests(testtools.TestCase):
def test_blacklist_input(self):
expect = {
'SEVERITY': {'HIGH': 1},
'CONFIDENCE': {'HIGH': 1}
'SEVERITY': {'UNDEFINED': 0, 'LOW': 0, 'MEDIUM': 0, 'HIGH': 1},
'CONFIDENCE': {'UNDEFINED': 0, 'LOW': 0, 'MEDIUM': 0, 'HIGH': 1}
}
self.check_example('input.py', expect)