Bandit Output #621

Closed

@borjmz

Description

As mentioned in another issue, this is Bandit's OWIF analysis report. I hope it helps you; I would appreciate it if you would give me acknowledgement if you decide to fix those, and I am sure this helps the vendors to upgrade to safer updated versions. Thank you.

Run started:2017-06-26 18:31:13.523631

Test results:

Issue: [B110:try_except_pass] Try, Except, Pass detected.
Severity: Low Confidence: High
Location: ./plugin/controllers/AT.py:47
46 return ''.join(autotimer.getXml())
47 except Exception:
48 pass


Issue: [B108:hardcoded_tmp_directory] Probable insecure usage of temp file/directory.
Severity: Medium Confidence: Medium
Location: ./plugin/controllers/BQE.py:313
312 class BQEUploadFile(resource.Resource):
313 FN = "/tmp/bouquets_backup.tar"
314 def __init__(self, session):


Issue: [B108:hardcoded_tmp_directory] Probable insecure usage of temp file/directory.
Severity: Medium Confidence: Medium
Location: ./plugin/controllers/BQE.py:354
353 self.putChild("api", BQEApiController(session))
354 self.putChild('tmp', static.File('/tmp'))
355 self.putChild('uploadrestore', BQEUploadFile(session))


Issue: [B108:hardcoded_tmp_directory] Probable insecure usage of temp file/directory.
Severity: Medium Confidence: Medium
Location: ./plugin/controllers/BouquetEditor.py:40
39
40 BACKUP_PATH = "/tmp"
41 BACKUP_FILENAME = "webbouqueteditor_backup.tar"


Issue: [B605:start_process_with_a_shell] Starting a process with a shell, possible injection detected, security issue.
Severity: High Confidence: High
Location: ./plugin/controllers/BouquetEditor.py:579
578 tarFiles += "%s " % arg
579 lines = popen("tar cvf %s %s" % (backupFilename,tarFiles)).readlines()
580 remove(checkfile)


Issue: [B605:start_process_with_a_shell] Starting a process with a shell, possible injection detected, security issue.
Severity: High Confidence: High
Location: ./plugin/controllers/BouquetEditor.py:608
607 check_tar = False
608 lines = popen('tar -tf %s' % backupFilename).readlines()
609 for line in lines:


Issue: [B605:start_process_with_a_shell] Starting a process with a shell, possible injection detected, security issue.
Severity: High Confidence: High
Location: ./plugin/controllers/BouquetEditor.py:622
621 remove(bouquetfiles)
622 lines = popen('tar xvf %s -C / --exclude tmp/.webouquetedit' % backupFilename).readlines()
623 nimmanager.readTransponders()


Issue: [B110:try_except_pass] Try, Except, Pass detected.
Severity: Low Confidence: High
Location: ./plugin/controllers/ajax.py:251
250 wadd = week * 7
251 except Exception, e:
252 pass


Issue: [B110:try_except_pass] Try, Except, Pass detected.
Severity: Low Confidence: High
Location: ./plugin/controllers/ajax.py:259
258 begintime = mktime( (now.tm_year, now.tm_mon, now.tm_mday+day + wadd, 0, 0, 0, -1, -1, -1) )
259 except Exception, e:
260 pass


Issue: [B110:try_except_pass] Try, Except, Pass detected.
Severity: Low Confidence: High
Location: ./plugin/controllers/ajax.py:265
264 mode = int(config.OpenWebif.webcache.mepgmode.value)
265 except Exception, e:
266 pass


Issue: [B108:hardcoded_tmp_directory] Probable insecure usage of temp file/directory.
Severity: Medium Confidence: Medium
Location: ./plugin/controllers/base.py:223
222 oport = None
223 if fileExists("/tmp/.oscam/oscam.version"):
224 data = open("/tmp/.oscam/oscam.version", "r").readlines()


Issue: [B108:hardcoded_tmp_directory] Probable insecure usage of temp file/directory.
Severity: Medium Confidence: Medium
Location: ./plugin/controllers/base.py:224
223 if fileExists("/tmp/.oscam/oscam.version"):
224 data = open("/tmp/.oscam/oscam.version", "r").readlines()
225 for i in data:


Issue: [B108:hardcoded_tmp_directory] Probable insecure usage of temp file/directory.
Severity: Medium Confidence: Medium
Location: ./plugin/controllers/ipkg.py:59
58 import glob
59 tmpfiles = glob.glob('/tmp/*.ipk')
60 ipks = []


Issue: [B108:hardcoded_tmp_directory] Probable insecure usage of temp file/directory.
Severity: Medium Confidence: Medium
Location: ./plugin/controllers/ipkg.py:80
79 def CallOPKListGZ(self, request):
80 tmpFilename = "/tmp/opkg-list.gz"
81 if path.exists(tmpFilename):


Issue: [B605:start_process_with_a_shell] Starting a process with a shell, possible injection detected, security issue.
Severity: High Confidence: High
Location: ./plugin/controllers/ipkg.py:83
82 remove(tmpFilename)
83 lines = popen('/usr/bin/opkg list | gzip > %s' % tmpFilename).readlines()
84 request.setHeader("Content-Disposition:", "attachment;filename=\"%s\"" % (tmpFilename.split('/')[-1]))


Issue: [B605:start_process_with_a_shell] Starting a process with a shell: Seems safe, but may be changed in the future, consider rewriting without shell
Severity: Low Confidence: High
Location: ./plugin/controllers/ipkg.py:124
123 try:
124 out = popen("opkg list")
125 for line in out:


Issue: [B607:start_process_with_partial_path] Starting a process with a partial executable path
Severity: Low Confidence: High
Location: ./plugin/controllers/ipkg.py:124
123 try:
124 out = popen("opkg list")
125 for line in out:


Issue: [B605:start_process_with_a_shell] Starting a process with a shell: Seems safe, but may be changed in the future, consider rewriting without shell
Severity: Low Confidence: High
Location: ./plugin/controllers/ipkg.py:136
135 "0"] } )
136 out = popen("opkg list-installed")
137 for line in out:


Issue: [B607:start_process_with_partial_path] Starting a process with a partial executable path
Severity: Low Confidence: High
Location: ./plugin/controllers/ipkg.py:136
135 "0"] } )
136 out = popen("opkg list-installed")
137 for line in out:


Issue: [B605:start_process_with_a_shell] Starting a process with a shell: Seems safe, but may be changed in the future, consider rewriting without shell
Severity: Low Confidence: High
Location: ./plugin/controllers/ipkg.py:141
140 map[package[0]][2] = "1"
141 out = popen("opkg list-upgradable")
142 for line in out:


Issue: [B607:start_process_with_partial_path] Starting a process with a partial executable path
Severity: Low Confidence: High
Location: ./plugin/controllers/ipkg.py:141
140 map[package[0]][2] = "1"
141 out = popen("opkg list-upgradable")
142 for line in out:


Issue: [B108:hardcoded_tmp_directory] Probable insecure usage of temp file/directory.
Severity: Medium Confidence: Medium
Location: ./plugin/controllers/ipkg.py:245
244 import os
245 FN = "/tmp/" + filename
246 fileh = os.open(FN, os.O_WRONLY|os.O_CREAT )


Issue: [B405:blacklist] Using xml.etree.cElementTree to parse untrusted XML data is known to be vulnerable to XML attacks. Replace xml.etree.cElementTree with the equivalent defusedxml package, or make sure defusedxml.defuse_stdlib() is called.
Severity: Low Confidence: High
Location: ./plugin/controllers/models/config.py:8
7 from os import path, listdir
8 import xml.etree.cElementTree
9
10 from Plugins.Extensions.OpenWebif.__init__ import _


Issue: [B307:blacklist] Use of possibly insecure function - consider using safer ast.literal_eval.
Severity: Medium Confidence: High
Location: ./plugin/controllers/models/config.py:150
149 try:
150 cnf = eval(path)
151 if cnf.__class__.__name__ == "ConfigBoolean" or cnf.__class__.__name__ == "ConfigEnableDisable" or cnf.__class__.__name__ == "ConfigYesNo":


Issue: [B307:blacklist] Use of possibly insecure function - consider using safer ast.literal_eval.
Severity: Medium Confidence: High
Location: ./plugin/controllers/models/config.py:195
194 try:
195 data = getJsonFromConfig(eval(entry.text or ""))
196 text = _(entry.get("text", ""))


Issue: [B110:try_except_pass] Try, Except, Pass detected.
Severity: Low Confidence: High
Location: ./plugin/controllers/models/config.py:204
203 })
204 except Exception, e:
205 pass


Issue: [B313:blacklist] Using xml.etree.cElementTree.parse to parse untrusted XML data is known to be vulnerable to XML attacks. Replace xml.etree.cElementTree.parse with its defusedxml equivalent function or make sure defusedxml.defuse_stdlib() is called
Severity: Medium Confidence: High
Location: ./plugin/controllers/models/config.py:263
262 setupfile = file(setupfile, 'r')
263 setupdom = xml.etree.cElementTree.parse(setupfile)
264 setupfile.close()


Issue: [B110:try_except_pass] Try, Except, Pass detected.
Severity: Low Confidence: High
Location: ./plugin/controllers/models/info.py:105
104 nic = str(nic)
105 except:
106 pass


Issue: [B104:hardcoded_bind_all_interfaces] Possible binding to all interfaces.
Severity: Medium Confidence: Medium
Location: ./plugin/controllers/models/info.py:174
173 if ip is None or len(ip) != 4:
174 return "0.0.0.0"
175 return "%d.%d.%d.%d" % (ip[0], ip[1], ip[2], ip[3])


Issue: [B110:try_except_pass] Try, Except, Pass detected.
Severity: Low Confidence: High
Location: ./plugin/controllers/models/info.py:476
475 ipaddress = list(tmpaddress)[0][4][0]
476 except:
477 pass


Issue: [B110:try_except_pass] Try, Except, Pass detected.
Severity: Low Confidence: High
Location: ./plugin/controllers/models/owibranding.py:23
22 from Components.About import about
23 except:
24 pass


Issue: [B110:try_except_pass] Try, Except, Pass detected.
Severity: Low Confidence: High
Location: ./plugin/controllers/models/owibranding.py:546
545 imagever = about.getImageVersionString()
546 except:
547 pass


Issue: [B110:try_except_pass] Try, Except, Pass detected.
Severity: Low Confidence: High
Location: ./plugin/controllers/models/owibranding.py:559
558 distro = oeline.split( )[1].replace("-all","")
559 except:
560 pass


Issue: [B110:try_except_pass] Try, Except, Pass detected.
Severity: Low Confidence: High
Location: ./plugin/controllers/models/owibranding.py:573
572 imagebuild = "0"
573 except:
574 # just in case


Issue: [B110:try_except_pass] Try, Except, Pass detected.
Severity: Low Confidence: High
Location: ./plugin/controllers/models/owibranding.py:581
580 imagever = about.getImageVersionString()
581 except:
582 pass


Issue: [B605:start_process_with_a_shell] Starting a process with a shell: Seems safe, but may be changed in the future, consider rewriting without shell
Severity: Low Confidence: High
Location: ./plugin/controllers/models/owibranding.py:596
595 try:
596 driverdate = os.popen('/usr/bin/opkg -V0 list_installed dvb-modules').readline().split( )[2]
597 except:


Issue: [B605:start_process_with_a_shell] Starting a process with a shell: Seems safe, but may be changed in the future, consider rewriting without shell
Severity: Low Confidence: High
Location: ./plugin/controllers/models/owibranding.py:599
598 try:
599 driverdate = os.popen('/usr/bin/opkg -V0 list_installed dvb-proxy').readline().split( )[2]
600 except:


Issue: [B605:start_process_with_a_shell] Starting a process with a shell: Seems safe, but may be changed in the future, consider rewriting without shell
Severity: Low Confidence: High
Location: ./plugin/controllers/models/owibranding.py:602
601 try:
602 driverdate = os.popen('/usr/bin/opkg -V0 list_installed kernel-core-default-gos').readline().split( )[2]
603 except:


Issue: [B110:try_except_pass] Try, Except, Pass detected.
Severity: Low Confidence: High
Location: ./plugin/controllers/models/owibranding.py:603
602 driverdate = os.popen('/usr/bin/opkg -V0 list_installed kernel-core-default-gos').readline().split( )[2]
603 except:
604 pass


Issue: [B110:try_except_pass] Try, Except, Pass detected.
Severity: Low Confidence: High
Location: ./plugin/controllers/models/timers.py:37
36 filename = timer.Filename
37 except Exception, e:
38 pass


Issue: [B110:try_except_pass] Try, Except, Pass detected.
Severity: Low Confidence: High
Location: ./plugin/controllers/models/timers.py:42
41 nextactivation = timer.next_activation
42 except Exception, e:
43 pass


Issue: [B405:blacklist] Using xml.etree.cElementTree to parse untrusted XML data is known to be vulnerable to XML attacks. Replace xml.etree.cElementTree with the equivalent defusedxml package, or make sure defusedxml.defuse_stdlib() is called.
Severity: Low Confidence: High
Location: ./plugin/controllers/models/timers.py:806
805 try:
806 import xml.etree.cElementTree
807 vpsfile = file(vpsfile, 'r')


Issue: [B313:blacklist] Using xml.etree.cElementTree.parse to parse untrusted XML data is known to be vulnerable to XML attacks. Replace xml.etree.cElementTree.parse with its defusedxml equivalent function or make sure defusedxml.defuse_stdlib() is called
Severity: Medium Confidence: High
Location: ./plugin/controllers/models/timers.py:808
807 vpsfile = file(vpsfile, 'r')
808 vpsdom = xml.etree.cElementTree.parse(vpsfile)
809 vpsfile.close()


Issue: [B108:hardcoded_tmp_directory] Probable insecure usage of temp file/directory.
Severity: Medium Confidence: Medium
Location: ./plugin/controllers/web.py:199
198 #returns 'True' if the image supports the function "Power on without TV":
199 f = open("/tmp/powerup_without_waking_tv.txt", "r")
200 powerupWithoutWakingTv = f.read()


Issue: [B108:hardcoded_tmp_directory] Probable insecure usage of temp file/directory.
Severity: Medium Confidence: Medium
Location: ./plugin/controllers/web.py:213
212 #write "True" to file so that the box will power on ONCE skipping the HDMI-CEC communication:
213 f = open("/tmp/powerup_without_waking_tv.txt", "w")
214 f.write('True')


Issue: [B110:try_except_pass] Try, Except, Pass detected.
Severity: Low Confidence: High
Location: ./plugin/controllers/web.py:341
340 timeout = int(request.args["timeout"][0])
341 except Exception, e:
342 pass


Issue: [B110:try_except_pass] Try, Except, Pass detected.
Severity: Low Confidence: High
Location: ./plugin/controllers/web.py:721
720 begintime = int(request.args["time"][0])
721 except Exception, e:
722 pass


Issue: [B110:try_except_pass] Try, Except, Pass detected.
Severity: Low Confidence: High
Location: ./plugin/controllers/web.py:735
734 begintime = int(request.args["time"][0])
735 except Exception, e:
736 pass


Issue: [B110:try_except_pass] Try, Except, Pass detected.
Severity: Low Confidence: High
Location: ./plugin/controllers/web.py:742
741 endtime = int(request.args["endTime"][0])
742 except Exception, e:
743 pass


Issue: [B110:try_except_pass] Try, Except, Pass detected.
Severity: Low Confidence: High
Location: ./plugin/controllers/web.py:787
786 endtime = int(request.args["endtime"][0])
787 except Exception, e:
788 pass


Issue: [B110:try_except_pass] Try, Except, Pass detected.
Severity: Low Confidence: High
Location: ./plugin/controllers/web.py:815
814 begintime = int(request.args["time"][0])
815 except Exception, e:
816 pass


Issue: [B110:try_except_pass] Try, Except, Pass detected.
Severity: Low Confidence: High
Location: ./plugin/controllers/web.py:822
821 endtime = int(request.args["endTime"][0])
822 except Exception, e:
823 pass


Issue: [B110:try_except_pass] Try, Except, Pass detected.
Severity: Low Confidence: High
Location: ./plugin/controllers/web.py:929
928 mnow["sref"] = serviceref.toString()
929 except Exception, e:
930 pass


Issue: [B110:try_except_pass] Try, Except, Pass detected.
Severity: Low Confidence: High
Location: ./plugin/controllers/web.py:1107
1106 time = 0
1107 except Exception, e:
1108 pass


Issue: [B110:try_except_pass] Try, Except, Pass detected.
Severity: Low Confidence: High
Location: ./plugin/controllers/web.py:1219
1218 config.OpenWebif.webcache.mepgmode.save()
1219 except Exception, e:
1220 pass


Issue: [B110:try_except_pass] Try, Except, Pass detected.
Severity: Low Confidence: High
Location: ./plugin/httpserver.py:335
334 return self.resource.getChildWithDefault(path, request)
335 except:
336 pass


Issue: [B110:try_except_pass] Try, Except, Pass detected.
Severity: Low Confidence: High
Location: ./plugin/httpserver.py:443
442 bonjour.registerService(service, True)
443 except:
444 pass


Issue: [B110:try_except_pass] Try, Except, Pass detected.
Severity: Low Confidence: High
Location: ./plugin/httpserver.py:448
447 enigma.e2avahi_announce(None, servicetype, port)
448 except:
449 pass


Issue: [B605:start_process_with_a_shell] Starting a process with a shell, possible injection detected, security issue.
Severity: High Confidence: High
Location: ./setup_translate.py:33
32 print "Language compile %s -> %s" % (src, dest)
33 if os.system("msgfmt '%s' -o '%s'" % (src, dest)) != 0:
34 raise Exception, "Failed to compile: " + src


Code scanned:
Total lines of code: 8943
Total lines skipped (#nosec): 0

Run metrics:
Total issues (by severity):
Undefined: 0
Low: 39
Medium: 15
High: 5
Total issues (by confidence):
Undefined: 0
Low: 0
Medium: 11
High: 48
Files skipped (0):

Labels: LOW (Considered to be of lower priority)