How to use the bandit.blacklists.utils.build_conf_dict function in bandit

To help you get started, we’ve selected a few bandit examples, based on popular ways it is used in public projects.


Source: PyCQA/bandit — tests/unit/core/test_test_set.py
def test_plugin():
    """Build a minimal blacklist configuration for the plugin tests.

    Two entries are created with ``utils.build_conf_dict``: a ``telnet``
    check (id B401, with the trailing ``'HIGH'`` argument) and a
    ``marshal`` check (id B302, with no trailing argument). The same list
    object is registered under the ``Import``, ``ImportFrom`` and ``Call``
    keys of the returned mapping.
    """
    telnet_entry = utils.build_conf_dict(
        'telnet', 'B401', ['telnetlib'],
        'A telnet-related module is being imported.  Telnet is '
        'considered insecure. Use SSH or some other encrypted protocol.',
        'HIGH'
    )
    marshal_entry = utils.build_conf_dict(
        'marshal', 'B302', ['marshal.load', 'marshal.loads'],
        'Deserialization with the marshal module is possibly dangerous.'
    )
    checks = [telnet_entry, marshal_entry]
    # One shared list is deliberately reused for all three node types.
    return dict.fromkeys(('Import', 'ImportFrom', 'Call'), checks)
Source: PyCQA/bandit — bandit/blacklists/calls.py
xml_msg
        ))

    sets.append(utils.build_conf_dict(
        'xml_bad_expatreader', 'B315', ['xml.sax.expatreader.create_parser'],
        xml_msg
        ))

    sets.append(utils.build_conf_dict(
        'xml_bad_expatbuilder', 'B316',
        ['xml.dom.expatbuilder.parse',
         'xml.dom.expatbuilder.parseString'],
        xml_msg
        ))

    sets.append(utils.build_conf_dict(
        'xml_bad_sax', 'B317',
        ['xml.sax.parse',
         'xml.sax.parseString',
         'xml.sax.make_parser'],
        xml_msg
        ))

    sets.append(utils.build_conf_dict(
        'xml_bad_minidom', 'B318',
        ['xml.dom.minidom.parse',
         'xml.dom.minidom.parseString'],
        xml_msg
        ))

    sets.append(utils.build_conf_dict(
        'xml_bad_pulldom', 'B319',
Source: PyCQA/bandit — bandit/blacklists/calls.py
'ftplib', 'B321', ['ftplib.*'],
        'FTP-related functions are being called. FTP is considered '
        'insecure. Use SSH/SFTP/SCP or some other encrypted protocol.',
        'HIGH'
        ))

    sets.append(utils.build_conf_dict(
        'input', 'B322', ['input'],
        'The input method in Python 2 will read from standard input, '
        'evaluate and run the resulting string as python source code. This '
        'is similar, though in many ways worse, then using eval. On Python '
        '2, use raw_input instead, input is safe in Python 3.',
        'HIGH'
        ))

    sets.append(utils.build_conf_dict(
        'unverified_context', 'B323', ['ssl._create_unverified_context'],
        'By default, Python will create a secure, verified ssl context for '
        'use in such classes as HTTPSConnection. However, it still allows '
        'using an insecure context via the _create_unverified_context that '
        'reverts to the previous behavior that does not validate certificates '
        'or perform hostname checks.'
        ))

    # skipped B324 (used in bandit/plugins/hashlib_new_insecure_functions.py)

    sets.append(utils.build_conf_dict(
        'tempnam', 'B325', ['os.tempnam', 'os.tmpnam'],
        'Use of os.tempnam() and os.tmpnam() is vulnerable to symlink '
        'attacks. Consider using tmpfile() instead.'
        ))
Source: PyCQA/bandit — bandit/blacklists/calls.py
sets.append(utils.build_conf_dict(
        'xml_bad_etree', 'B320',
        ['lxml.etree.parse',
         'lxml.etree.fromstring',
         'lxml.etree.RestrictedElement',
         'lxml.etree.GlobalParserTLS',
         'lxml.etree.getDefaultParser',
         'lxml.etree.check_docinfo'],
        ('Using {name} to parse untrusted XML data is known to be '
         'vulnerable to XML attacks. Replace {name} with its '
         'defusedxml equivalent function.')
        ))

    # end of XML tests

    sets.append(utils.build_conf_dict(
        'ftplib', 'B321', ['ftplib.*'],
        'FTP-related functions are being called. FTP is considered '
        'insecure. Use SSH/SFTP/SCP or some other encrypted protocol.',
        'HIGH'
        ))

    sets.append(utils.build_conf_dict(
        'input', 'B322', ['input'],
        'The input method in Python 2 will read from standard input, '
        'evaluate and run the resulting string as python source code. This '
        'is similar, though in many ways worse, then using eval. On Python '
        '2, use raw_input instead, input is safe in Python 3.',
        'HIGH'
        ))

    sets.append(utils.build_conf_dict(
Source: PyCQA/bandit — bandit/blacklists/calls.py
'Crypto.Cipher.DES.new',
         'Crypto.Cipher.XOR.new',
         'Cryptodome.Cipher.ARC2.new',
         'Cryptodome.Cipher.ARC4.new',
         'Cryptodome.Cipher.Blowfish.new',
         'Cryptodome.Cipher.DES.new',
         'Cryptodome.Cipher.XOR.new',
         'cryptography.hazmat.primitives.ciphers.algorithms.ARC4',
         'cryptography.hazmat.primitives.ciphers.algorithms.Blowfish',
         'cryptography.hazmat.primitives.ciphers.algorithms.IDEA'],
        'Use of insecure cipher {name}. Replace with a known secure'
        ' cipher such as AES.',
        'HIGH'
        ))

    sets.append(utils.build_conf_dict(
        'cipher_modes', 'B305',
        ['cryptography.hazmat.primitives.ciphers.modes.ECB'],
        'Use of insecure cipher mode {name}.'
        ))

    sets.append(utils.build_conf_dict(
        'mktemp_q', 'B306', ['tempfile.mktemp'],
        'Use of insecure and deprecated function (mktemp).'
        ))

    sets.append(utils.build_conf_dict(
        'eval', 'B307', ['eval'],
        'Use of possibly insecure function - consider using safer '
        'ast.literal_eval.'
        ))
Source: PyCQA/bandit — bandit/blacklists/imports.py
'import_xml_etree', 'B405',
        ['xml.etree.cElementTree', 'xml.etree.ElementTree'], xml_msg, 'LOW'))

    sets.append(utils.build_conf_dict(
        'import_xml_sax', 'B406', ['xml.sax'], xml_msg, 'LOW'))

    sets.append(utils.build_conf_dict(
        'import_xml_expat', 'B407', ['xml.dom.expatbuilder'], xml_msg, 'LOW'))

    sets.append(utils.build_conf_dict(
        'import_xml_minidom', 'B408', ['xml.dom.minidom'], xml_msg, 'LOW'))

    sets.append(utils.build_conf_dict(
        'import_xml_pulldom', 'B409', ['xml.dom.pulldom'], xml_msg, 'LOW'))

    sets.append(utils.build_conf_dict(
        'import_lxml', 'B410', ['lxml'], lxml_msg, 'LOW'))

    sets.append(utils.build_conf_dict(
        'import_xmlrpclib', 'B411', ['xmlrpclib'],
        'Using {name} to parse untrusted XML data is known to be '
        'vulnerable to XML attacks. Use defused.xmlrpc.monkey_patch() '
        'function to monkey-patch xmlrpclib and mitigate XML '
        'vulnerabilities.', 'HIGH'))

    sets.append(utils.build_conf_dict(
        'import_httpoxy', 'B412',
        ['wsgiref.handlers.CGIHandler', 'twisted.web.twcgi.CGIScript',
         'twisted.web.twcgi.CGIDirectory'],
        'Consider possible security implications associated with '
        '{name} module.', 'HIGH'
        ))
Source: PyCQA/bandit — bandit/blacklists/imports.py
xml_msg = ('Using {name} to parse untrusted XML data is known to be '
               'vulnerable to XML attacks. Replace {name} with the equivalent '
               'defusedxml package, or make sure defusedxml.defuse_stdlib() '
               'is called.')
    lxml_msg = ('Using {name} to parse untrusted XML data is known to be '
                'vulnerable to XML attacks. Replace {name} with the '
                'equivalent defusedxml package.')

    sets.append(utils.build_conf_dict(
        'import_xml_etree', 'B405',
        ['xml.etree.cElementTree', 'xml.etree.ElementTree'], xml_msg, 'LOW'))

    sets.append(utils.build_conf_dict(
        'import_xml_sax', 'B406', ['xml.sax'], xml_msg, 'LOW'))

    sets.append(utils.build_conf_dict(
        'import_xml_expat', 'B407', ['xml.dom.expatbuilder'], xml_msg, 'LOW'))

    sets.append(utils.build_conf_dict(
        'import_xml_minidom', 'B408', ['xml.dom.minidom'], xml_msg, 'LOW'))

    sets.append(utils.build_conf_dict(
        'import_xml_pulldom', 'B409', ['xml.dom.pulldom'], xml_msg, 'LOW'))

    sets.append(utils.build_conf_dict(
        'import_lxml', 'B410', ['lxml'], lxml_msg, 'LOW'))

    sets.append(utils.build_conf_dict(
        'import_xmlrpclib', 'B411', ['xmlrpclib'],
        'Using {name} to parse untrusted XML data is known to be '
        'vulnerable to XML attacks. Use defused.xmlrpc.monkey_patch() '
        'function to monkey-patch xmlrpclib and mitigate XML '
Source: PyCQA/bandit — bandit/blacklists/calls.py
sets.append(utils.build_conf_dict(
        'xml_bad_minidom', 'B318',
        ['xml.dom.minidom.parse',
         'xml.dom.minidom.parseString'],
        xml_msg
        ))

    sets.append(utils.build_conf_dict(
        'xml_bad_pulldom', 'B319',
        ['xml.dom.pulldom.parse',
         'xml.dom.pulldom.parseString'],
        xml_msg
        ))

    sets.append(utils.build_conf_dict(
        'xml_bad_etree', 'B320',
        ['lxml.etree.parse',
         'lxml.etree.fromstring',
         'lxml.etree.RestrictedElement',
         'lxml.etree.GlobalParserTLS',
         'lxml.etree.getDefaultParser',
         'lxml.etree.check_docinfo'],
        ('Using {name} to parse untrusted XML data is known to be '
         'vulnerable to XML attacks. Replace {name} with its '
         'defusedxml equivalent function.')
        ))

    # end of XML tests

    sets.append(utils.build_conf_dict(
        'ftplib', 'B321', ['ftplib.*'],
Source: PyCQA/bandit — bandit/blacklists/imports.py
))

    sets.append(utils.build_conf_dict(
        'import_ftplib', 'B402', ['ftplib'],
        'A FTP-related module is being imported.  FTP is considered '
        'insecure. Use SSH/SFTP/SCP or some other encrypted protocol.',
        'HIGH'
        ))

    sets.append(utils.build_conf_dict(
        'import_pickle', 'B403', ['pickle', 'cPickle', 'dill', 'shelve'],
        'Consider possible security implications associated with '
        '{name} module.', 'LOW'
        ))

    sets.append(utils.build_conf_dict(
        'import_subprocess', 'B404', ['subprocess'],
        'Consider possible security implications associated with '
        '{name} module.', 'LOW'
        ))

    # Most of this is based off of Christian Heimes' work on defusedxml:
    #   https://pypi.org/project/defusedxml/#defusedxml-sax

    xml_msg = ('Using {name} to parse untrusted XML data is known to be '
               'vulnerable to XML attacks. Replace {name} with the equivalent '
               'defusedxml package, or make sure defusedxml.defuse_stdlib() '
               'is called.')
    lxml_msg = ('Using {name} to parse untrusted XML data is known to be '
                'vulnerable to XML attacks. Replace {name} with the '
                'equivalent defusedxml package.')
Source: PyCQA/bandit — bandit/blacklists/calls.py
['cryptography.hazmat.primitives.ciphers.modes.ECB'],
        'Use of insecure cipher mode {name}.'
        ))

    sets.append(utils.build_conf_dict(
        'mktemp_q', 'B306', ['tempfile.mktemp'],
        'Use of insecure and deprecated function (mktemp).'
        ))

    sets.append(utils.build_conf_dict(
        'eval', 'B307', ['eval'],
        'Use of possibly insecure function - consider using safer '
        'ast.literal_eval.'
        ))

    sets.append(utils.build_conf_dict(
        'mark_safe', 'B308', ['django.utils.safestring.mark_safe'],
        'Use of mark_safe() may expose cross-site scripting '
        'vulnerabilities and should be reviewed.'
        ))

    sets.append(utils.build_conf_dict(
        'httpsconnection', 'B309',
        ['httplib.HTTPSConnection',
         'http.client.HTTPSConnection',
         'six.moves.http_client.HTTPSConnection'],
        'Use of HTTPSConnection on older versions of Python prior to 2.7.9 '
        'and 3.4.3 do not provide security, see '
        'https://wiki.openstack.org/wiki/OSSN/OSSN-0033'
        ))

    sets.append(utils.build_conf_dict(