False-positive when Loader= not used in yaml.load(foo, yaml.SafeLoader)
#546
Labels: bug
ericwb added a commit to ericwb/bandit that referenced this issue on Jul 9, 2022:
The yaml.load() function has a second argument that is typically passed as a kwarg. However, someone could pass it as a positional argument as well. In such a case, Bandit would flag code passing a SafeLoader even though that is validly secure. The fix involves looking at the positional args. However, the convenience function to do so also had no handling of ast.Attribute as args. So get_call_arg_at_position() was modified to function much like call_args(). Closes PyCQA#546. Signed-off-by: Eric Brown <eric_wade_brown@yahoo.com>
ericwb added a commit that referenced this issue on Jul 10, 2022:
The yaml.load() function has a second argument that is typically passed as a kwarg. However, someone could pass it as a positional argument as well. In such a case, Bandit would flag code passing a SafeLoader even though that is validly secure. The fix involves looking at the positional args. However, the convenience function to do so also had no handling of ast.Attribute as args. So get_call_arg_at_position() was modified to function much like call_args(). Closes #546. Signed-off-by: Eric Brown <eric_wade_brown@yahoo.com>
Summary

In the fix for #437, we forgot to handle positional arguments; it seems context.get_call_arg_at_position [1] can resolve this. PR #436 has all the related code one needs to edit.

yaml.load(foo, yaml.SafeLoader), note no Loader= keyword argument; we will alert off of it.

p.s. Labels: good first issue, accuracy

[1] bandit/bandit/core/context.py, lines 284 to 285 in 09b0207
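The false positive described in this issue comes down to where a checker looks for the loader. The following is an added example, not Bandit's own code: a minimal AST check over yaml.load() calls with two variants. naive_check only inspects the Loader= keyword, so a SafeLoader passed as the second positional argument is flagged; fixed_check also resolves that positional argument, including the ast.Attribute form (yaml.SafeLoader) that the commit message says the convenience function originally did not handle. The function names, the SAFE_LOADERS set and the SAMPLE source are constructed for this illustration.

```python
"""Positional-vs-keyword Loader detection for yaml.load() calls.

Added example (not Bandit's own code). `naive_check` mirrors the buggy
behaviour from this issue (keyword-only); `fixed_check` also looks at
the second positional argument.
"""
import ast

# Loader classes treated as safe; constructed for this example.
SAFE_LOADERS = {"SafeLoader", "CSafeLoader"}


def _dotted_name(node):
    """Return the dotted name of an expression, e.g. 'yaml.SafeLoader'.

    Handles ast.Name (SafeLoader) and ast.Attribute (yaml.SafeLoader);
    returns None for anything else (a call, a subscript, ...), which is
    then treated as unknown and therefore not safe.
    """
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = _dotted_name(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


def _is_safe_loader(node):
    name = _dotted_name(node)
    return name is not None and name.rsplit(".", 1)[-1] in SAFE_LOADERS


def _yaml_load_calls(source):
    """Yield every ast.Call node that is a yaml.load(...) call."""
    for node in ast.walk(ast.parse(source)):
        if (
            isinstance(node, ast.Call)
            and isinstance(node.func, ast.Attribute)
            and node.func.attr == "load"
            and _dotted_name(node.func.value) == "yaml"
        ):
            yield node


def naive_check(source):
    """Buggy variant: flag yaml.load() unless Loader= names a safe loader."""
    findings = []
    for call in _yaml_load_calls(source):
        keywords = {kw.arg: kw.value for kw in call.keywords}
        if not _is_safe_loader(keywords.get("Loader")):
            findings.append(call.lineno)
    return findings


def fixed_check(source):
    """Fixed variant: the loader may be Loader=... or the 2nd positional arg."""
    findings = []
    for call in _yaml_load_calls(source):
        loader = call.args[1] if len(call.args) >= 2 else None
        for kw in call.keywords:
            if kw.arg == "Loader":
                loader = kw.value
        if not _is_safe_loader(loader):
            findings.append(call.lineno)
    return findings


# Constructed sample input: one yaml.load() call per style under discussion.
SAMPLE = """\
import yaml
a = yaml.load(foo, Loader=yaml.SafeLoader)   # line 2: safe, keyword
b = yaml.load(foo, yaml.SafeLoader)          # line 3: safe, positional
c = yaml.load(foo)                           # line 4: no loader given
d = yaml.load(foo, Loader=yaml.Loader)       # line 5: full loader, unsafe
e = yaml.load(foo, SafeLoader)               # line 6: safe, bare name
"""

if __name__ == "__main__":
    print("naive:", naive_check(SAMPLE))  # [3, 4, 5, 6]: positional SafeLoader flagged
    print("fixed:", fixed_check(SAMPLE))  # [4, 5]
```

The fixed variant lets a Loader= keyword override the positional slot, since Python would reject a call that supplies both; a loader expression it cannot resolve to a name (for example a variable or a call result) is reported rather than trusted, which is the conservative choice for a static checker.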