Not all use of ftplib is insecure #148
Labels
bug
Something isn't working
Comments
|
@ericwb was this closed by mistake? At $work we're hitting this false positive in Bandit 1.7.5. |
|
Possibly. We do have the following that finds cases of ftplib calls, but it doesn't distinguish between FTP and FTP_TLS. https://bandit.readthedocs.io/en/latest/blacklists/blacklist_calls.html#b321-ftplib |
ericwb
added a commit
to ericwb/bandit
that referenced
this issue
Jun 23, 2024
This change adds an FTP_TLS call to the examples. A high severity error is no longer reported as a result of the fix in PR PyCQA#1148 that explicitly now matches blacklist call qualified names rather than using a file glob. However, you will notice that there is one more high severity issue reported in the tests as a result of the import of ftplib.FTP_TLS because the blacklist import is only checking for "ftplib". Fixes: PyCQA#148 Signed-off-by: Eric Brown <eric_wade_brown@yahoo.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Some use of ftplib is properly secure. See https://docs.python.org/2/library/ftplib.html
Specifically using ftplib.FTP_TLS mode is okay, where as ftplib.FTP is not.
The text was updated successfully, but these errors were encountered: