
Bandit Output #621

Closed
borjmz opened this issue Jun 26, 2017 · 4 comments
Labels
LOW 📌 Considered to be of lower priority

Comments

@borjmz

borjmz commented Jun 26, 2017

As mentioned in another issue, this is Bandit's OWIF analysis report. I hope it helps you; I would appreciate it if you would give me acknowledgement if you decide to fix these, and I'm sure this helps the vendors upgrade to safer, updated versions. Thank you.

Run started:2017-06-26 18:31:13.523631

Test results:

Issue: [B110:try_except_pass] Try, Except, Pass detected.
Severity: Low Confidence: High
Location: ./plugin/controllers/AT.py:47
46 return ''.join(autotimer.getXml())
47 except Exception:
48 pass


Issue: [B108:hardcoded_tmp_directory] Probable insecure usage of temp file/directory.
Severity: Medium Confidence: Medium
Location: ./plugin/controllers/BQE.py:313
312 class BQEUploadFile(resource.Resource):
313 FN = "/tmp/bouquets_backup.tar"
314 def __init__(self, session):


Issue: [B108:hardcoded_tmp_directory] Probable insecure usage of temp file/directory.
Severity: Medium Confidence: Medium
Location: ./plugin/controllers/BQE.py:354
353 self.putChild("api", BQEApiController(session))
354 self.putChild('tmp', static.File('/tmp'))
355 self.putChild('uploadrestore', BQEUploadFile(session))


Issue: [B108:hardcoded_tmp_directory] Probable insecure usage of temp file/directory.
Severity: Medium Confidence: Medium
Location: ./plugin/controllers/BouquetEditor.py:40
39
40 BACKUP_PATH = "/tmp"
41 BACKUP_FILENAME = "webbouqueteditor_backup.tar"


Issue: [B605:start_process_with_a_shell] Starting a process with a shell, possible injection detected, security issue.
Severity: High Confidence: High
Location: ./plugin/controllers/BouquetEditor.py:579
578 tarFiles += "%s " % arg
579 lines = popen("tar cvf %s %s" % (backupFilename,tarFiles)).readlines()
580 remove(checkfile)


Issue: [B605:start_process_with_a_shell] Starting a process with a shell, possible injection detected, security issue.
Severity: High Confidence: High
Location: ./plugin/controllers/BouquetEditor.py:608
607 check_tar = False
608 lines = popen('tar -tf %s' % backupFilename).readlines()
609 for line in lines:


Issue: [B605:start_process_with_a_shell] Starting a process with a shell, possible injection detected, security issue.
Severity: High Confidence: High
Location: ./plugin/controllers/BouquetEditor.py:622
621 remove(bouquetfiles)
622 lines = popen('tar xvf %s -C / --exclude tmp/.webouquetedit' % backupFilename).readlines()
623 nimmanager.readTransponders()


Issue: [B110:try_except_pass] Try, Except, Pass detected.
Severity: Low Confidence: High
Location: ./plugin/controllers/ajax.py:251
250 wadd = week * 7
251 except Exception, e:
252 pass


Issue: [B110:try_except_pass] Try, Except, Pass detected.
Severity: Low Confidence: High
Location: ./plugin/controllers/ajax.py:259
258 begintime = mktime( (now.tm_year, now.tm_mon, now.tm_mday+day + wadd, 0, 0, 0, -1, -1, -1) )
259 except Exception, e:
260 pass


Issue: [B110:try_except_pass] Try, Except, Pass detected.
Severity: Low Confidence: High
Location: ./plugin/controllers/ajax.py:265
264 mode = int(config.OpenWebif.webcache.mepgmode.value)
265 except Exception, e:
266 pass


Issue: [B108:hardcoded_tmp_directory] Probable insecure usage of temp file/directory.
Severity: Medium Confidence: Medium
Location: ./plugin/controllers/base.py:223
222 oport = None
223 if fileExists("/tmp/.oscam/oscam.version"):
224 data = open("/tmp/.oscam/oscam.version", "r").readlines()


Issue: [B108:hardcoded_tmp_directory] Probable insecure usage of temp file/directory.
Severity: Medium Confidence: Medium
Location: ./plugin/controllers/base.py:224
223 if fileExists("/tmp/.oscam/oscam.version"):
224 data = open("/tmp/.oscam/oscam.version", "r").readlines()
225 for i in data:


Issue: [B108:hardcoded_tmp_directory] Probable insecure usage of temp file/directory.
Severity: Medium Confidence: Medium
Location: ./plugin/controllers/ipkg.py:59
58 import glob
59 tmpfiles = glob.glob('/tmp/*.ipk')
60 ipks = []


Issue: [B108:hardcoded_tmp_directory] Probable insecure usage of temp file/directory.
Severity: Medium Confidence: Medium
Location: ./plugin/controllers/ipkg.py:80
79 def CallOPKListGZ(self, request):
80 tmpFilename = "/tmp/opkg-list.gz"
81 if path.exists(tmpFilename):


Issue: [B605:start_process_with_a_shell] Starting a process with a shell, possible injection detected, security issue.
Severity: High Confidence: High
Location: ./plugin/controllers/ipkg.py:83
82 remove(tmpFilename)
83 lines = popen('/usr/bin/opkg list | gzip > %s' % tmpFilename).readlines()
84 request.setHeader("Content-Disposition:", "attachment;filename=\"%s\"" % (tmpFilename.split('/')[-1]))


Issue: [B605:start_process_with_a_shell] Starting a process with a shell: Seems safe, but may be changed in the future, consider rewriting without shell
Severity: Low Confidence: High
Location: ./plugin/controllers/ipkg.py:124
123 try:
124 out = popen("opkg list")
125 for line in out:


Issue: [B607:start_process_with_partial_path] Starting a process with a partial executable path
Severity: Low Confidence: High
Location: ./plugin/controllers/ipkg.py:124
123 try:
124 out = popen("opkg list")
125 for line in out:


Issue: [B605:start_process_with_a_shell] Starting a process with a shell: Seems safe, but may be changed in the future, consider rewriting without shell
Severity: Low Confidence: High
Location: ./plugin/controllers/ipkg.py:136
135 "0"] } )
136 out = popen("opkg list-installed")
137 for line in out:


Issue: [B607:start_process_with_partial_path] Starting a process with a partial executable path
Severity: Low Confidence: High
Location: ./plugin/controllers/ipkg.py:136
135 "0"] } )
136 out = popen("opkg list-installed")
137 for line in out:


Issue: [B605:start_process_with_a_shell] Starting a process with a shell: Seems safe, but may be changed in the future, consider rewriting without shell
Severity: Low Confidence: High
Location: ./plugin/controllers/ipkg.py:141
140 map[package[0]][2] = "1"
141 out = popen("opkg list-upgradable")
142 for line in out:


Issue: [B607:start_process_with_partial_path] Starting a process with a partial executable path
Severity: Low Confidence: High
Location: ./plugin/controllers/ipkg.py:141
140 map[package[0]][2] = "1"
141 out = popen("opkg list-upgradable")
142 for line in out:


Issue: [B108:hardcoded_tmp_directory] Probable insecure usage of temp file/directory.
Severity: Medium Confidence: Medium
Location: ./plugin/controllers/ipkg.py:245
244 import os
245 FN = "/tmp/" + filename
246 fileh = os.open(FN, os.O_WRONLY|os.O_CREAT )


Issue: [B405:blacklist] Using xml.etree.cElementTree to parse untrusted XML data is known to be vulnerable to XML attacks. Replace xml.etree.cElementTree with the equivalent defusedxml package, or make sure defusedxml.defuse_stdlib() is called.
Severity: Low Confidence: High
Location: ./plugin/controllers/models/config.py:8
7 from os import path, listdir
8 import xml.etree.cElementTree
9
10 from Plugins.Extensions.OpenWebif.__init__ import _


Issue: [B307:blacklist] Use of possibly insecure function - consider using safer ast.literal_eval.
Severity: Medium Confidence: High
Location: ./plugin/controllers/models/config.py:150
149 try:
150 cnf = eval(path)
151 if cnf.__class__.__name__ == "ConfigBoolean" or cnf.__class__.__name__ == "ConfigEnableDisable" or cnf.__class__.__name__ == "ConfigYesNo":


Issue: [B307:blacklist] Use of possibly insecure function - consider using safer ast.literal_eval.
Severity: Medium Confidence: High
Location: ./plugin/controllers/models/config.py:195
194 try:
195 data = getJsonFromConfig(eval(entry.text or ""))
196 text = _(entry.get("text", ""))


Issue: [B110:try_except_pass] Try, Except, Pass detected.
Severity: Low Confidence: High
Location: ./plugin/controllers/models/config.py:204
203 })
204 except Exception, e:
205 pass


Issue: [B313:blacklist] Using xml.etree.cElementTree.parse to parse untrusted XML data is known to be vulnerable to XML attacks. Replace xml.etree.cElementTree.parse with its defusedxml equivalent function or make sure defusedxml.defuse_stdlib() is called
Severity: Medium Confidence: High
Location: ./plugin/controllers/models/config.py:263
262 setupfile = file(setupfile, 'r')
263 setupdom = xml.etree.cElementTree.parse(setupfile)
264 setupfile.close()


Issue: [B110:try_except_pass] Try, Except, Pass detected.
Severity: Low Confidence: High
Location: ./plugin/controllers/models/info.py:105
104 nic = str(nic)
105 except:
106 pass


Issue: [B104:hardcoded_bind_all_interfaces] Possible binding to all interfaces.
Severity: Medium Confidence: Medium
Location: ./plugin/controllers/models/info.py:174
173 if ip is None or len(ip) != 4:
174 return "0.0.0.0"
175 return "%d.%d.%d.%d" % (ip[0], ip[1], ip[2], ip[3])


Issue: [B110:try_except_pass] Try, Except, Pass detected.
Severity: Low Confidence: High
Location: ./plugin/controllers/models/info.py:476
475 ipaddress = list(tmpaddress)[0][4][0]
476 except:
477 pass


Issue: [B110:try_except_pass] Try, Except, Pass detected.
Severity: Low Confidence: High
Location: ./plugin/controllers/models/owibranding.py:23
22 from Components.About import about
23 except:
24 pass


Issue: [B110:try_except_pass] Try, Except, Pass detected.
Severity: Low Confidence: High
Location: ./plugin/controllers/models/owibranding.py:546
545 imagever = about.getImageVersionString()
546 except:
547 pass


Issue: [B110:try_except_pass] Try, Except, Pass detected.
Severity: Low Confidence: High
Location: ./plugin/controllers/models/owibranding.py:559
558 distro = oeline.split( )[1].replace("-all","")
559 except:
560 pass


Issue: [B110:try_except_pass] Try, Except, Pass detected.
Severity: Low Confidence: High
Location: ./plugin/controllers/models/owibranding.py:573
572 imagebuild = "0"
573 except:
574 # just in case


Issue: [B110:try_except_pass] Try, Except, Pass detected.
Severity: Low Confidence: High
Location: ./plugin/controllers/models/owibranding.py:581
580 imagever = about.getImageVersionString()
581 except:
582 pass


Issue: [B605:start_process_with_a_shell] Starting a process with a shell: Seems safe, but may be changed in the future, consider rewriting without shell
Severity: Low Confidence: High
Location: ./plugin/controllers/models/owibranding.py:596
595 try:
596 driverdate = os.popen('/usr/bin/opkg -V0 list_installed dvb-modules').readline().split( )[2]
597 except:


Issue: [B605:start_process_with_a_shell] Starting a process with a shell: Seems safe, but may be changed in the future, consider rewriting without shell
Severity: Low Confidence: High
Location: ./plugin/controllers/models/owibranding.py:599
598 try:
599 driverdate = os.popen('/usr/bin/opkg -V0 list_installed dvb-proxy').readline().split( )[2]
600 except:


Issue: [B605:start_process_with_a_shell] Starting a process with a shell: Seems safe, but may be changed in the future, consider rewriting without shell
Severity: Low Confidence: High
Location: ./plugin/controllers/models/owibranding.py:602
601 try:
602 driverdate = os.popen('/usr/bin/opkg -V0 list_installed kernel-core-default-gos').readline().split( )[2]
603 except:


Issue: [B110:try_except_pass] Try, Except, Pass detected.
Severity: Low Confidence: High
Location: ./plugin/controllers/models/owibranding.py:603
602 driverdate = os.popen('/usr/bin/opkg -V0 list_installed kernel-core-default-gos').readline().split( )[2]
603 except:
604 pass


Issue: [B110:try_except_pass] Try, Except, Pass detected.
Severity: Low Confidence: High
Location: ./plugin/controllers/models/timers.py:37
36 filename = timer.Filename
37 except Exception, e:
38 pass


Issue: [B110:try_except_pass] Try, Except, Pass detected.
Severity: Low Confidence: High
Location: ./plugin/controllers/models/timers.py:42
41 nextactivation = timer.next_activation
42 except Exception, e:
43 pass


Issue: [B405:blacklist] Using xml.etree.cElementTree to parse untrusted XML data is known to be vulnerable to XML attacks. Replace xml.etree.cElementTree with the equivalent defusedxml package, or make sure defusedxml.defuse_stdlib() is called.
Severity: Low Confidence: High
Location: ./plugin/controllers/models/timers.py:806
805 try:
806 import xml.etree.cElementTree
807 vpsfile = file(vpsfile, 'r')


Issue: [B313:blacklist] Using xml.etree.cElementTree.parse to parse untrusted XML data is known to be vulnerable to XML attacks. Replace xml.etree.cElementTree.parse with its defusedxml equivalent function or make sure defusedxml.defuse_stdlib() is called
Severity: Medium Confidence: High
Location: ./plugin/controllers/models/timers.py:808
807 vpsfile = file(vpsfile, 'r')
808 vpsdom = xml.etree.cElementTree.parse(vpsfile)
809 vpsfile.close()


Issue: [B108:hardcoded_tmp_directory] Probable insecure usage of temp file/directory.
Severity: Medium Confidence: Medium
Location: ./plugin/controllers/web.py:199
198 #returns 'True' if the image supports the function "Power on without TV":
199 f = open("/tmp/powerup_without_waking_tv.txt", "r")
200 powerupWithoutWakingTv = f.read()


Issue: [B108:hardcoded_tmp_directory] Probable insecure usage of temp file/directory.
Severity: Medium Confidence: Medium
Location: ./plugin/controllers/web.py:213
212 #write "True" to file so that the box will power on ONCE skipping the HDMI-CEC communication:
213 f = open("/tmp/powerup_without_waking_tv.txt", "w")
214 f.write('True')


Issue: [B110:try_except_pass] Try, Except, Pass detected.
Severity: Low Confidence: High
Location: ./plugin/controllers/web.py:341
340 timeout = int(request.args["timeout"][0])
341 except Exception, e:
342 pass


Issue: [B110:try_except_pass] Try, Except, Pass detected.
Severity: Low Confidence: High
Location: ./plugin/controllers/web.py:721
720 begintime = int(request.args["time"][0])
721 except Exception, e:
722 pass


Issue: [B110:try_except_pass] Try, Except, Pass detected.
Severity: Low Confidence: High
Location: ./plugin/controllers/web.py:735
734 begintime = int(request.args["time"][0])
735 except Exception, e:
736 pass


Issue: [B110:try_except_pass] Try, Except, Pass detected.
Severity: Low Confidence: High
Location: ./plugin/controllers/web.py:742
741 endtime = int(request.args["endTime"][0])
742 except Exception, e:
743 pass


Issue: [B110:try_except_pass] Try, Except, Pass detected.
Severity: Low Confidence: High
Location: ./plugin/controllers/web.py:787
786 endtime = int(request.args["endtime"][0])
787 except Exception, e:
788 pass


Issue: [B110:try_except_pass] Try, Except, Pass detected.
Severity: Low Confidence: High
Location: ./plugin/controllers/web.py:815
814 begintime = int(request.args["time"][0])
815 except Exception, e:
816 pass


Issue: [B110:try_except_pass] Try, Except, Pass detected.
Severity: Low Confidence: High
Location: ./plugin/controllers/web.py:822
821 endtime = int(request.args["endTime"][0])
822 except Exception, e:
823 pass


Issue: [B110:try_except_pass] Try, Except, Pass detected.
Severity: Low Confidence: High
Location: ./plugin/controllers/web.py:929
928 mnow["sref"] = serviceref.toString()
929 except Exception, e:
930 pass


Issue: [B110:try_except_pass] Try, Except, Pass detected.
Severity: Low Confidence: High
Location: ./plugin/controllers/web.py:1107
1106 time = 0
1107 except Exception, e:
1108 pass


Issue: [B110:try_except_pass] Try, Except, Pass detected.
Severity: Low Confidence: High
Location: ./plugin/controllers/web.py:1219
1218 config.OpenWebif.webcache.mepgmode.save()
1219 except Exception, e:
1220 pass


Issue: [B110:try_except_pass] Try, Except, Pass detected.
Severity: Low Confidence: High
Location: ./plugin/httpserver.py:335
334 return self.resource.getChildWithDefault(path, request)
335 except:
336 pass


Issue: [B110:try_except_pass] Try, Except, Pass detected.
Severity: Low Confidence: High
Location: ./plugin/httpserver.py:443
442 bonjour.registerService(service, True)
443 except:
444 pass


Issue: [B110:try_except_pass] Try, Except, Pass detected.
Severity: Low Confidence: High
Location: ./plugin/httpserver.py:448
447 enigma.e2avahi_announce(None, servicetype, port)
448 except:
449 pass


Issue: [B605:start_process_with_a_shell] Starting a process with a shell, possible injection detected, security issue.
Severity: High Confidence: High
Location: ./setup_translate.py:33
32 print "Language compile %s -> %s" % (src, dest)
33 if os.system("msgfmt '%s' -o '%s'" % (src, dest)) != 0:
34 raise Exception, "Failed to compile: " + src


Code scanned:
Total lines of code: 8943
Total lines skipped (#nosec): 0

Run metrics:
Total issues (by severity):
Undefined: 0
Low: 39
Medium: 15
High: 5
Total issues (by confidence):
Undefined: 0
Low: 0
Medium: 11
High: 48
Files skipped (0):
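On the B605 findings in BouquetEditor.py (and setup_translate.py): the flagged lines assemble a command line by string formatting and hand it to /bin/sh, so any shell metacharacter in a file name is parsed as shell syntax. The following is an added example, not OpenWebif code, that shows the effect with `echo` standing in for `tar`, and an argv-list builder for the backup command that keeps each file name a separate argument. It assumes a POSIX /bin/sh and Python 3.7+; `tar_argv` and its `--` separator are this example's choice, not something in the plugin.

```python
"""Shell string vs argv list for spawning a process (Bandit B605).

Added example, not OpenWebif code. The report flags lines such as
    popen("tar cvf %s %s" % (backupFilename, tarFiles))
where a command line is assembled by string formatting and parsed by /bin/sh.
`echo` stands in for `tar` below so the effect is visible without touching
the filesystem. Assumes a POSIX /bin/sh and Python 3.7+.
"""
import subprocess

# Constructed file name carrying a shell metacharacter sequence.
HOSTILE_NAME = "safe.txt; echo INJECTED"


def run_shell_style(name):
    """Mirror of the flagged pattern: the formatted string is parsed by the shell."""
    cmd = "echo %s" % name
    result = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return result.stdout


def run_argv_style(name):
    """Hardened form: an argv list goes straight to execve(); no shell parsing."""
    result = subprocess.run(["echo", name], capture_output=True, text=True)
    return result.stdout


def tar_argv(backup_filename, files):
    """Argv equivalent of "tar cvf <backup> <files...>" with no shell involved.

    Names stay separate arguments (the original joined them with spaces, which
    also breaks on names containing a space), and "--" ends option parsing so a
    name beginning with "-" cannot be read by tar as an option.
    """
    return ["tar", "cvf", backup_filename, "--"] + list(files)


if __name__ == "__main__":
    print("shell:", repr(run_shell_style(HOSTILE_NAME)))  # two lines: the injected echo ran
    print("argv: ", repr(run_argv_style(HOSTILE_NAME)))   # one line: name printed literally
    print(tar_argv("/tmp/bouquets_backup.tar", ["userbouquet.a.tv", "-rf"]))
```

The same change applies to the `popen('tar -tf %s' % backupFilename)` and `tar xvf` lines: pass `["tar", "-tf", backup_filename]` to `subprocess.run` or `subprocess.Popen` and read `.stdout` instead of letting a shell split the string.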
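On the B108 findings, in particular ipkg.py:245 (`FN = "/tmp/" + filename` followed by `os.open(FN, os.O_WRONLY|os.O_CREAT)`): beyond the hardcoded directory, the name is concatenated unchecked, and the open follows whatever already sits at that path in a world-writable directory, so a local user who pre-creates `/tmp/<name>` as a symlink chooses where the bytes land. The following is an added example, not OpenWebif code. It assumes `filename` arrives from an HTTP client and is untrusted; `safe_name`, `write_upload` and `demo` are names invented for the example.

```python
"""Accepting an uploaded file name and creating it under a temp directory (Bandit B108).

Added example, not OpenWebif code. The report shows
    FN = "/tmp/" + filename
    fileh = os.open(FN, os.O_WRONLY|os.O_CREAT)
Beyond the hardcoded directory: the name is concatenated unchecked, and the
open follows whatever already sits at that path in a world-writable directory.
Assumption: `filename` comes from an HTTP client and is untrusted.
"""
import os
import shutil
import tempfile


def safe_name(filename):
    """Accept a single path component only; reject traversal and separators."""
    name = os.path.basename(filename.replace("\\", "/"))
    if name in ("", ".", "..") or name != filename:
        raise ValueError("rejected upload name: %r" % filename)
    return name


def write_upload(directory, filename, data):
    """Create the file fresh (O_EXCL), refuse to follow a symlink, owner-only mode."""
    path = os.path.join(directory, safe_name(filename))
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path


def demo():
    """Run three cases against a private directory from mkdtemp (created mode 0700)."""
    directory = tempfile.mkdtemp(prefix="owif-upload-")
    results = {}
    try:
        path = write_upload(directory, "update.ipk", b"constructed payload")
        with open(path, "rb") as fh:
            results["written"] = fh.read()
        results["mode"] = oct(os.stat(path).st_mode & 0o777)
        try:
            write_upload(directory, "../../etc/passwd", b"x")  # traversal attempt
        except ValueError:
            results["traversal_rejected"] = True
        try:
            write_upload(directory, "update.ipk", b"second upload")  # pre-existing path
        except FileExistsError:
            results["overwrite_rejected"] = True
    finally:
        shutil.rmtree(directory)
    return results


if __name__ == "__main__":
    print(demo())
```

Using `tempfile.mkdtemp` (or `tempfile.mkstemp` for a single file) rather than a fixed `/tmp/<name>` is what the B108 check is asking for; the `O_EXCL` and `O_NOFOLLOW` flags are what actually close the symlink race if the code must keep a predictable name.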

@E2OpenPlugins E2OpenPlugins deleted a comment Aug 5, 2017
@E2OpenPlugins E2OpenPlugins deleted a comment Aug 5, 2017
@jbleyel jbleyel added the LOW 📌 Considered to be of lower priority label Aug 5, 2017
@jbleyel
Contributor

jbleyel commented Aug 5, 2017

Someone with high Python skill can check this.
Some of the issues can be easily fixed without any functional impact.
Some of the issues are false positives.
Some of the issues cannot be fixed without losing functionality.
I can't do this because I have no time.
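One of the findings that can be fixed without functional impact is the B307 `eval(path)` in config.py: the string is a dotted config path such as `config.OpenWebif.webcache.mepgmode`, and an attribute walk resolves the same dotted paths without executing arbitrary expressions. The following is an added example, not OpenWebif code; the `config` tree and the `ConfigYesNo` class are constructed stand-ins for enigma2's objects, and `lookup_eval` / `lookup_safe` are names chosen for the example.

```python
"""Resolving a dotted config path without eval() (Bandit B307).

Added example, not OpenWebif code. The report shows
    cnf = eval(path)
used to turn a string such as "config.OpenWebif.webcache.mepgmode" into the
config object it names; eval() will just as readily run any other expression
in that string. The lookup below walks the dotted path with getattr() from a
fixed root, so only attribute access is possible. The `config` tree and
`ConfigYesNo` are constructed stand-ins for enigma2's objects.
"""
from types import SimpleNamespace


class ConfigYesNo:
    def __init__(self, default=False):
        self.value = default


config = SimpleNamespace(
    OpenWebif=SimpleNamespace(
        webcache=SimpleNamespace(mepgmode=ConfigYesNo(True))
    )
)
ROOTS = {"config": config}  # the only names a path may start with


def lookup_eval(path):
    """Mirror of the flagged pattern; kept only for comparison."""
    return eval(path, {"config": config})  # nosec


def lookup_safe(path):
    """Walk "root.attr.attr" with getattr(); reject any segment that is not a plain identifier."""
    parts = path.split(".")
    if parts[0] not in ROOTS:
        raise ValueError("unknown root: %r" % parts[0])
    node = ROOTS[parts[0]]
    for name in parts[1:]:
        if not name.isidentifier() or name.startswith("_"):
            raise ValueError("bad path segment: %r" % name)
        node = getattr(node, name)  # AttributeError for unknown names, as before
    return node


if __name__ == "__main__":
    good = "config.OpenWebif.webcache.mepgmode"
    print(good, "->", lookup_safe(good).value)
    hostile = "__import__('os').getcwd()"
    print("eval ran it:", lookup_eval(hostile))
    try:
        lookup_safe(hostile)
    except ValueError as e:
        print("getattr walk refused it:", e)
```

The underscore check also keeps paths like `config.__class__` out, so the walk cannot be used to reach the interpreter internals that `eval` exposes.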

@jbleyel
Contributor

jbleyel commented Sep 17, 2017

Bandit will now run after each commit.

@jbleyel jbleyel closed this as completed Sep 17, 2017
@Schimmelreiter
Contributor

And where can we see the result?

@jbleyel
Contributor

jbleyel commented Sep 17, 2017

Go to https://github.com/E2OpenPlugins/e2openplugin-OpenWebif
and you will see the new readme with a link.

Bandit will be called after each commit via Travis.
And the ipk will also be created after each commit via Travis.

The ipk is here:
https://github.com/E2OpenPlugins/e2openplugin-OpenWebif/tree/gh-pages
