Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

document that random.choices() isn't secure either #728

Merged
merged 2 commits into from
Aug 24, 2021
Merged

document that random.choices() isn't secure either #728

merged 2 commits into from
Aug 24, 2021

Conversation

taybin
Copy link
Contributor

@taybin taybin commented Aug 20, 2021
edited
Loading

Because random.choices() wasn't explicitly listed in the "don't use this" list, I initially thought it was safer version of random.choice().

I realized my mistake and used secret.choice() eventually, but this PR is to add random.choices() to the unsafe list.

@sigmavirus24
Copy link
Member

I believe this also needs to be added to a test/example file to ensure no regression

@taybin
Copy link
Contributor Author

taybin commented Aug 22, 2021

@sigmavirus24 Something like this?

sigmavirus24
sigmavirus24 reviewed Aug 22, 2021
View reviewed changes
examples/random_module.py Outdated

bad = random.random()
bad = random.randrange()
bad = random.randint()
bad = random.choice()
if sys.version_info.major >= 3 and sys.version_info.minor >= 6:
bad = random.choices()
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This code is never actually ran, so there's little reason to have this guard I think?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That makes a lot of sense. Fixed.

ericwb
ericwb requested changes Aug 23, 2021
View reviewed changes
Copy link
Member

@ericwb ericwb left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just need a quick fix to the functional tests.

examples/random_module.py
@@ -6,6 +6,7 @@
bad = random.randrange()
bad = random.randint()
bad = random.choice()
bad = random.choices()
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You've introduced a new functional test by including this line. As a result the tests will fail, because Bandit will flag this line as a vulnerability. You'll want to update test_functional.test_random_module()

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I see. Okay, thank you.

@ericwb ericwb enabled auto-merge (squash) August 24, 2021 00:33
ericwb
ericwb approved these changes Aug 24, 2021
View reviewed changes
Copy link
Member

@ericwb ericwb left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@ericwb ericwb merged commit d4faa78 into PyCQA:master Aug 24, 2021
@taybin taybin deleted the random_choices branch August 31, 2021 13:38
mikespallino pushed a commit to mikespallino/bandit that referenced this pull request Jan 7, 2022
@taybin @mikespallino
document that random.choices() isn't secure either (PyCQA#728)
5225fd1 
* document that random.choices() isn't secure either

* add random.choices() to tests
This was referenced Jan 25, 2022
Merged
Merged
Open
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ericwb ericwb ericwb approved these changes

@sigmavirus24 sigmavirus24 sigmavirus24 approved these changes

@ghugo ghugo Awaiting requested review from ghugo

@lukehinds lukehinds Awaiting requested review from lukehinds

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@taybin @sigmavirus24 @ericwb