How to use the bandit.HIGH function in bandit



def setUp(self):
        super(YamlFormatterTests, self).setUp()
        conf = config.BanditConfig()
        self.manager = manager.BanditManager(conf, 'file')
        (tmp_fd, self.tmp_fname) = tempfile.mkstemp()
        self.context = {'filename': self.tmp_fname,
                        'lineno': 4,
                        'linerange': [4]}
        self.check_name = 'hardcoded_bind_all_interfaces'
        self.issue = issue.Issue(bandit.MEDIUM, bandit.MEDIUM,
                                 'Possible binding to all interfaces.')

        self.candidates = [issue.Issue(bandit.LOW, bandit.LOW, 'Candidate A',
                                       lineno=1),
                           issue.Issue(bandit.HIGH, bandit.HIGH, 'Candiate B',
                                       lineno=2)]

        self.manager.out_file = self.tmp_fname

        self.issue.fname = self.context['filename']
        self.issue.lineno = self.context['lineno']
        self.issue.linerange = self.context['linerange']
        self.issue.test = self.check_name

        self.manager.results.append(self.issue)
        self.manager.metrics = metrics.Metrics()

        # mock up the metrics
        for key in ['_totals', 'binding.py']:
            self.manager.metrics.data[key] = {'loc': 4, 'nosec': 2}
            for (criteria, default) in constants.CRITERIA:
def jinja2_autoescape_false(context):
    # check type just to be safe
    if isinstance(context.call_function_name_qual, str):
        qualname_list = context.call_function_name_qual.split('.')
        func = qualname_list[-1]
        if 'jinja2' in qualname_list and func == 'Environment':
            for node in ast.walk(context.node):
                if isinstance(node, ast.keyword):
                    # definite autoescape = False
                    if (getattr(node, 'arg', None) == 'autoescape' and
                            (getattr(node.value, 'id', None) == 'False' or
                             getattr(node.value, 'value', None) is False)):
                        return bandit.Issue(
                            severity=bandit.HIGH,
                            confidence=bandit.HIGH,
                            text="Using jinja2 templates with autoescape="
                                 "False is dangerous and can lead to XSS. "
                                 "Use autoescape=True or use the "
                                 "select_autoescape function to mitigate XSS "
                                 "vulnerabilities."
                        )
                    # found autoescape
                    if getattr(node, 'arg', None) == 'autoescape':
                        value = getattr(node, 'value', None)
                        if (getattr(value, 'id', None) == 'True' or
                                getattr(value, 'value', None) is True):
                            return
                        # Check if select_autoescape function is used.
                        elif isinstance(value, ast.Call) and getattr(
                                value.func, 'id', None) == 'select_autoescape':
                            return
imported = context.is_module_imported_exact('yaml')
    qualname = context.call_function_name_qual
    if not imported and isinstance(qualname, str):
        return

    qualname_list = qualname.split('.')
    func = qualname_list[-1]
    if all([
            'yaml' in qualname_list,
            func == 'load',
            not context.check_call_arg_value('Loader', 'SafeLoader'),
            not context.check_call_arg_value('Loader', 'CSafeLoader'),
    ]):
        return bandit.Issue(
            severity=bandit.MEDIUM,
            confidence=bandit.HIGH,
            text="Use of unsafe yaml load. Allows instantiation of"
                 " arbitrary objects. Consider yaml.safe_load().",
            lineno=context.node.lineno,
        )
def _classify_key_size(config, key_type, key_size):
    """Report a key whose size falls below the configured weak-size thresholds.

    For each key type the "high" threshold is tested before the "medium"
    one, so a size under both thresholds is reported once, at HIGH severity.

    Args:
        config: mapping providing ``weak_key_size_{dsa,rsa,ec}_{high,medium}``;
            all six entries are read regardless of ``key_type``.
        key_type: ``'DSA'``, ``'RSA'`` or ``'EC'``; any other value raises
            ``KeyError``.
        key_size: key length in bits. A ``str`` means the size came from a
            variable that could not be resolved statically.

    Returns:
        A ``bandit.Issue`` (confidence HIGH) when the size is below a
        threshold, otherwise ``None``.
    """
    # A str here is an unresolved variable name rather than a literal size,
    # so nothing can be decided about it.
    if isinstance(key_size, str):
        return None

    tiers = (('high', bandit.HIGH), ('medium', bandit.MEDIUM))
    thresholds = {
        name: [(config['weak_key_size_%s_%s' % (name.lower(), tier)], level)
               for tier, level in tiers]
        for name in ('DSA', 'RSA', 'EC')
    }

    # Tiers are ordered high -> medium; the first threshold the size falls
    # under determines the severity.
    for minimum, level in thresholds[key_type]:
        if key_size < minimum:
            return bandit.Issue(
                severity=level,
                confidence=bandit.HIGH,
                text='%s key sizes below %d bits are considered breakable. ' %
                (key_type, minimum))
    return None
call_argument = context.get_call_arg_at_position(0)
            argument_string = ''
            if isinstance(call_argument, list):
                for li in call_argument:
                    argument_string = argument_string + ' %s' % li
            elif isinstance(call_argument, str):
                argument_string = call_argument

            if argument_string != '':
                for vulnerable_func in vulnerable_funcs:
                    if(
                            vulnerable_func in argument_string and
                            '*' in argument_string
                    ):
                        return bandit.Issue(
                            severity=bandit.HIGH,
                            confidence=bandit.MEDIUM,
                            text="Possible wildcard injection in call: %s" %
                            context.call_function_name_qual,
                            lineno=context.get_lineno_for_call_arg('shell'),
                        )
value.func, 'id', None) == 'select_autoescape':
                            return
                        else:
                            return bandit.Issue(
                                severity=bandit.HIGH,
                                confidence=bandit.MEDIUM,
                                text="Using jinja2 templates with autoescape="
                                     "False is dangerous and can lead to XSS. "
                                     "Ensure autoescape=True or use the "
                                     "select_autoescape function to mitigate "
                                     "XSS vulnerabilities."
                            )
            # We haven't found a keyword named autoescape, indicating default
            # behavior
            return bandit.Issue(
                severity=bandit.HIGH,
                confidence=bandit.HIGH,
                text="By default, jinja2 sets autoescape to False. Consider "
                     "using autoescape=True or use the select_autoescape "
def _get_result(check, im):
    """Build the Issue for a blacklisted import.

    Args:
        check: blacklist entry; ``check[1]`` is the message template (the
            ``{module}`` placeholder is substituted) and ``check[2]`` the
            severity name, one of ``'HIGH'``, ``'MEDIUM'`` or ``'LOW'``.
        im: the imported module name inserted into the message.

    Returns:
        A ``bandit.Issue`` with confidence HIGH. An unrecognised severity
        name is not rejected: the Issue is returned with ``severity=None``.
    """
    message = check[1].replace('{module}', im)

    level_by_name = (
        ('HIGH', bandit.HIGH),
        ('MEDIUM', bandit.MEDIUM),
        ('LOW', bandit.LOW),
    )
    # Falls through to None when check[2] matches none of the known names.
    level = next(
        (value for name, value in level_by_name if check[2] == name),
        None,
    )

    return bandit.Issue(severity=level, confidence=bandit.HIGH, text=message)
def set_bad_file_permissions(context):
    """Flag chmod-style calls that set a world-writable or group-executable mask.

    Only calls whose name contains ``chmod`` and that carry exactly two
    call arguments are examined, and only when the second argument resolves
    to an ``int``. A mode with ``S_IWOTH`` set is reported at HIGH severity,
    one with only ``S_IXGRP`` at MEDIUM; confidence is HIGH in both cases.

    NOTE(review): no other permission bit (e.g. ``S_IXOTH``, ``S_IROTH``)
    is examined by this check.

    Args:
        context: bandit call context for the node under inspection.

    Returns:
        A ``bandit.Issue`` describing the permissive mask, otherwise ``None``.
    """
    if 'chmod' not in context.call_function_name:
        return None
    if context.call_args_count != 2:
        return None

    mode = context.get_call_arg_at_position(1)
    # isinstance(None, int) is False, so an unresolved mode is skipped too.
    if not isinstance(mode, int):
        return None

    world_writable = mode & stat.S_IWOTH
    group_executable = mode & stat.S_IXGRP
    if not (world_writable or group_executable):
        return None

    # World-writable outranks group-executable when both bits are present.
    severity = bandit.HIGH if world_writable else bandit.MEDIUM

    target = context.get_call_arg_at_position(0)
    if target is None:
        target = 'NOT PARSED'

    return bandit.Issue(
        severity=severity,
        confidence=bandit.HIGH,
        text="Chmod setting a permissive mask %s on file (%s)." %
        (oct(mode), target)
    )
def _report(strings):
    reports = []
    for string_data in strings:
        if string_data.confidence == 1:
            confidence = bandit.LOW
        elif string_data.confidence == 2:
            confidence = bandit.MEDIUM
        elif string_data.confidence >= 3:
            confidence = bandit.HIGH
        if string_data.severity == 1:
            severity = bandit.LOW
        elif string_data.severity == 2:
            severity = bandit.MEDIUM
        elif string_data.severity >= 3:
            severity = bandit.HIGH

        if type(string_data.string) is not unicode:
            string_data.string = string_data.string.decode('utf-8', errors='replace')
        string_data.string = string_data.string.encode('ascii', errors='replace')

        if len(string_data.string) > 12:
            secret_start = string_data.string[:4]
            secret_end = string_data.string[-4:]
            try:
                secret_start = secret_start
mode = context.get_call_arg_at_position(1)

            if (mode is not None and isinstance(mode, int) and
                    (mode & stat.S_IWOTH or mode & stat.S_IXGRP)):
                # world writable is an HIGH, group executable is a MEDIUM
                if mode & stat.S_IWOTH:
                    sev_level = bandit.HIGH
                else:
                    sev_level = bandit.MEDIUM

                filename = context.get_call_arg_at_position(0)
                if filename is None:
                    filename = 'NOT PARSED'
                return bandit.Issue(
                    severity=sev_level,
                    confidence=bandit.HIGH,
                    text="Chmod setting a permissive mask %s on file (%s)." %
                    (oct(mode), filename)
                )