-
Notifications
You must be signed in to change notification settings - Fork 1.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Implement flake8-bandit
#1646
Comments
\cc @edgarrmondragon - easier to track here than to keep incrementing the count in the README. I'll populate the checklist. |
thanks @charliermarsh! |
By the way: the scripts are pretty bad right now, but it might save you some time (and would love help improving):
The main limitations right now are:
|
Thanks, I'll take a look at those. They might be really helpful for bandit's blacklist tests. |
See: #1646. Co-authored-by: Charlie Marsh <charlie.r.marsh@gmail.com>
Please implement the configurations for it as well e.g https://bandit.readthedocs.io/en/latest/config.html#bandit-settings |
@ahmedbilal - I think [tool.ruff.per-file-ignores]
"excluded_dir" = ["S"] |
ref: #1646 Co-authored-by: Charlie Marsh <charlie.r.marsh@gmail.com>
Not sure if this is the best place to ask, but do flake8-bandit and bandit have the same linters? |
Also @charliermarsh do you think it would be helpful to pin all of the issues that are trackers for implementing a package to the top? It would make it easier for people to understand our progress, and to contribute to one. |
Yeah, I believe |
I am also interested in picking up some of the leftover rules. Has any decision been made on the Clicked through some ported rules and it looks like |
These rules have already been implemented: |
@charliermarsh I think is more a generic question rather than specific to this rule set, but are you implementing them with the exact same behaviour of the originals? I am getting the same (odd) behaviour in ruff and flake8
With this sample code: import random
import time
time.sleep(random.choice(range(1, 5))) I was wondering if this behaviour is going to be reviewed or fixed in Ruff? Thanks! |
@pygaiwan This is the intended behavior of that rule and not odd at all. The Bandit is a security linter so its goal is to have essentially zero false negatives, at the cost of some false positives, so it's quite common that you will have to review bandit errors and decide whether or not it's an actual issue and put a You can also globally disable rules you don't care about. |
Five rules left :) |
## Summary Adds all `S4XX` rules to the [flake8-bandit](https://github.com/tylerwince/flake8-bandit) plugin port. There is a lot of documentation to write, some tests can be expanded and implementation can probably be refactored to be more compact. As there is some discussion on whether this is actually useful. (See: #1646 (comment)), wanted to check which rules we want to have before I go through the process of polishing this up. ## Test Plan Fixtures for all rules based on `flake8-bandit` [tests](https://github.com/tylerwince/flake8-bandit/tree/main/tests) ## Issue link Refers: #1646
## Summary Adds `S504` rule for the [flake8-bandit](https://github.com/tylerwince/flake8-bandit) plugin port. Checks for calls to `ssl.wrap_socket` which have no `ssl_version` argument set. See also https://bandit.readthedocs.io/en/latest/_modules/bandit/plugins/insecure_ssl_tls.html#ssl_with_no_version ## Test Plan Fixture added ## Issue Link Refers: #1646
## Summary Adds S502 rule for the [flake8-bandit](https://github.com/tylerwince/flake8-bandit) plugin port. Checks for calls to any function with keywords arguments `ssl_version` or `method` or for kwargs `method` in calls to `OpenSSL.SSL.Context` and `ssl_version` in calls to `ssl.wrap_socket` which have an insecure ssl_version valu. See also https://bandit.readthedocs.io/en/latest/_modules/bandit/plugins/insecure_ssl_tls.html#ssl_with_bad_version ## Test Plan Fixture added ## Issue Link Refers: #1646
## Summary Adds S503 rule for the [flake8-bandit](https://github.com/tylerwince/flake8-bandit) plugin port. Checks for function defs argument defaults which have an insecure ssl_version value. See also https://bandit.readthedocs.io/en/latest/_modules/bandit/plugins/insecure_ssl_tls.html#ssl_with_bad_defaults Some logic and the `const` can be shared with #9390. When one of the two is merged. ## Test Plan Fixture added ## Issue Link Refers: #1646
S503 was addressed by #9391 so there's only S610 and S703 left! |
How is S703 different from S308, by the way? They seem redundant to me. |
Per PyCQA/bandit#294 (comment), it would seem so. Would seem like S308 was first and then S703 covered S308 but did not want to have a breaking change. |
Part of #1646. ## Summary Implement `S610` rule from `flake8-bandit`. Upstream references: - Implementation: https://github.com/PyCQA/bandit/blob/1.7.8/bandit/plugins/django_sql_injection.py#L20-L97 - Test cases: https://github.com/PyCQA/bandit/blob/1.7.8/examples/django_sql_injection_extra.py - Test assertion: https://github.com/PyCQA/bandit/blob/1.7.8/tests/functional/test_functional.py#L517-L524 The implementation in `bandit` targets additional arguments (`params`, `order_by` and `select_params`) but doesn't seem to do anything with them in the end, so I did not include them in the implementation. Note that this rule could be prone to false positives, as ideally we would want to check if `extra()` is tied to a [Django queryset](https://docs.djangoproject.com/en/5.0/ref/models/querysets/), but AFAIK Ruff is not able to resolve classes outside of the current module. ## Test Plan Snapshot tests
S101
:assert_used
S102
:exec_used
S103
:set_bad_file_permissions
S104
:hardcoded_bind_all_interfaces
S105
:hardcoded_password_string
S106
:hardcoded_password_funcarg
S107
:hardcoded_password_default
S108
:hardcoded_tmp_directory
S109
:password_config_option_not_marked_secret
S110
:try_except_pass
S111
:execute_with_run_as_root_equals_true
S112
:try_except_continue
S113
:request_without_timeout
S201
:flask_debug_true
S202
:tarfile_unsafe_members
S301
:pickle
S302
:marshal
S303
:md5
S304
:ciphers
S305
:cipher_modes
S306
:mktemp_q
S307
:eval
S308
:mark_safe
S311
:random
S312
:telnetlib
S313
:xml_bad_cElementTree
S314
:xml_bad_ElementTree
S315
:xml_bad_expatreader
S316
:xml_bad_expatbuilder
S317
:xml_bad_sax
S318
:xml_bad_minidom
S319
:xml_bad_pulldom
S320
:xml_bad_etree
S321
:ftplib
S323
:unverified_context
S324
:hashlib
S310
:urllib_urlopen
S401
:import_telnetlib
S402
:import_ftplib
S403
:import_pickle
S404
:import_subprocess
S405
:import_xml_etree
S406
:import_xml_sax
S407
:import_xml_expat
S408
:import_xml_minidom
S409
:import_xml_pulldom
S410
:import_lxml
S411
:import_xmlrpclib
S412
:import_httpoxy
S413
:import_pycrypto
S415
:import_pyghmi
S501
:request_with_no_cert_validation
S502
:ssl_with_bad_version
S503
:ssl_with_bad_defaults
S504
:ssl_with_no_version
S505
:weak_cryptographic_key
S506
:yaml_load
S507
:ssh_no_host_key_verification
S508
:snmp_insecure_version
S509
:snmp_weak_cryptography
S601
:paramiko_calls
S602
:subprocess_popen_with_shell_equals_true
S603
:subprocess_without_shell_equals_true
S604
:any_other_function_with_shell_equals_true
S605
:start_process_with_a_shell
S606
:start_process_with_no_shell
S607
:start_process_with_partial_path
S608
:hardcoded_sql_expressions
S609
:linux_commands_wildcard_injection
S610
:django_extra_used
S611
:django_rawsql_used
S612
:logging_config_insecure_listen
S701
:jinja2_autoescape_false
S702
:use_of_mako_templates
S703
:django_mark_safe
The text was updated successfully, but these errors were encountered: