From 3260f137873798b4b0c0c289373cc5e8fa2d93ed Mon Sep 17 00:00:00 2001
From: Eric Brown
Date: Mon, 3 Apr 2023 07:48:28 -0700
Subject: [PATCH] xmlrpclib replaced with xmlrpc in Python3 (#1012)
The xmlrpclib of Python 2.x was replaced in Python 3 with xmlrpc [1]. Since Bandit no longer supports Python 2.x, it needs to update to the latest module name. As indicted in [2], xmlrpc is still not secure against maliciously constructed data.
[1] https://python.readthedocs.io/en/v2.7.2/library/xmlrpclib.html
[2] https://docs.python.org/3/library/xmlrpc.client.html#module-xmlrpc.client
Signed-off-by: Eric Brown
---
 bandit/blacklists/imports.py | 4 ++--
 examples/xml_xmlrpc.py | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/bandit/blacklists/imports.py b/bandit/blacklists/imports.py
index 3363c7fa4..cca7a4462 100644
--- a/bandit/blacklists/imports.py
+++ b/bandit/blacklists/imports.py
@@ -152,7 +152,7 @@
 +------+---------------------+------------------------------------+-----------+
 | ID | Name | Imports | Severity |
 +======+=====================+====================================+===========+
-| B411 | import_xmlrpclib | - xmlrpclib | high |
+| B411 | import_xmlrpclib | - xmlrpc | high |
 +------+---------------------+------------------------------------+-----------+
 
 B412: import_httpoxy
@@ -374,7 +374,7 @@ def gen_blacklist():
 "import_xmlrpclib",
 "B411",
 issue.Cwe.IMPROPER_INPUT_VALIDATION,
-["xmlrpclib"],
+["xmlrpc"],
 "Using {name} to parse untrusted XML data is known to be "
 "vulnerable to XML attacks. Use defused.xmlrpc.monkey_patch() "
 "function to monkey-patch xmlrpclib and mitigate XML "
diff --git a/examples/xml_xmlrpc.py b/examples/xml_xmlrpc.py
index d60e8c9b3..d98fda6dd 100644
--- a/examples/xml_xmlrpc.py
+++ b/examples/xml_xmlrpc.py
@@ -1,4 +1,4 @@
-import xmlrpclib
+import xmlrpc
 from SimpleXMLRPCServer import SimpleXMLRPCServer
 
 def is_even(n):
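Review bot: The new qualname list `["xmlrpc"]` in the B411 entry of gen_blacklist() covers only a bare `import xmlrpc`, but in Python 3 the parsing code lives in the `xmlrpc.client` and `xmlrpc.server` submodules, which is how real code imports it. If the blacklist matcher compares full dotted import names against this list (as Bandit's import check appears to, though the matcher is not in this patch), `import xmlrpc.client` and `from xmlrpc.server import SimpleXMLRPCServer` will go unreported, so the rule silently stops firing on the common case; consider `["xmlrpc", "xmlrpc.client", "xmlrpc.server"],`. The issue message two lines below the change still says "monkey-patch xmlrpclib", so the report would name the Python 2 module; change it to `"function to monkey-patch xmlrpc and mitigate XML "`, and note that the function it points to is shipped as `defusedxml.xmlrpc.monkey_patch()`, not `defused.xmlrpc`. gen_blacklist() begins and ends outside this hunk.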
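Review bot: The example now imports the bare `xmlrpc` package, which in Python 3 is only the parent of `xmlrpc.client` and `xmlrpc.server` and gives the example nothing to call, while the unchanged `from SimpleXMLRPCServer import SimpleXMLRPCServer` on the next line is still the Python 2 module name, so the file is not a runnable Python 3 example of the pattern B411 is meant to flag. Suggest `import xmlrpc.client` and `from xmlrpc.server import SimpleXMLRPCServer`, which also makes the example exercise the dotted-name import form the B411 qualname list needs to recognise. The rest of the file is outside the hunk.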