Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Fix a false positive condition yaml_load
The yaml.load() function has a second argument that is typically passed as a kwarg. However, someone could pass as a positional argument as well. In such a case, Bandit would flag code passing a SafeLoader even though that is validly secure. The fix involves looking at the positional args. However, the convenience function to do so also had no handling of ast.Attribute as args. So get_call_arg_at_position() was modified to function much like call_args(). Closes PyCQA#546 Signed-off-by: Eric Brown <eric_wade_brown@yahoo.com>
- Loading branch information