From 5809d1bec788f88c88c99afd42b80c58ea876363 Mon Sep 17 00:00:00 2001
From: Anthony Shaw
Date: Sat, 9 Jul 2022 06:23:50 +1000
Subject: [PATCH] Add case for global exec (#570)

* Add case for global exec
* Include group writable in medium permissions and update comments (which updates the docs)
* Update test assertions since there will be more medium and high warnings given.
* Add some extra examples
* Update tests and baseline
* Refactor stat check
* Update tests/functional/test_functional.py
* Update examples/os-chmod-py2.py
* Update os-chmod-py2.py
* Update test_functional.py
* Update os-chmod-py3.py
* Update os-chmod-py3.py
* Update os-chmod.py
* Update general_bad_file_permissions.py

Co-authored-by: Eric Brown
---
 bandit/plugins/general_bad_file_permissions.py | 18 +++++++++++++++---
 examples/os-chmod.py | 4 +++-
 tests/functional/test_functional.py | 4 ++--
 3 files changed, 20 insertions(+), 6 deletions(-)

diff --git a/bandit/plugins/general_bad_file_permissions.py b/bandit/plugins/general_bad_file_permissions.py
index 68e091b2f..7d3fce4df 100644
--- a/bandit/plugins/general_bad_file_permissions.py
+++ b/bandit/plugins/general_bad_file_permissions.py
@@ -14,8 +14,8 @@
 
 This plugin test looks for the use of ``chmod`` and will alert when it is used
 to set particularly permissive control flags. A MEDIUM warning is generated if
-a file is set to group executable and a HIGH warning is reported if a file is
-set world writable. Warnings are given with HIGH confidence.
+a file is set to group write or executable and a HIGH warning is reported if a
+file is set world write or executable. Warnings are given with HIGH confidence.
 
 :Example:
 
@@ -49,6 +49,9 @@
 .. versionchanged:: 1.7.3
     CWE information added
 
+.. versionchanged:: 1.7.5
+    Added checks for S_IWGRP and S_IXOTH
+
 """  # noqa: E501
 
 import stat
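Review bot: The new docstring sentence in the `@@ -14,8 +14,8 @@` hunk promises a HIGH warning when a file is set world write or executable, but the severity branch in the `@@ -67,7 +79,7 @@` hunk only escalates on `mode & stat.S_IWOTH`, so a mode carrying just S_IXOTH falls to the other branch (outside the hunk, MEDIUM per the adjacent comment). The updated expectations in tests/functional/test_functional.py agree with the code rather than the docstring: the two new examples (S_IXGRP and S_IXOTH) raise MEDIUM from 2 to 4 while HIGH stays at 8. Reword the two added lines to match, e.g. `a file is set to group write or executable, or world executable, and a HIGH` / `warning is reported if a file is set world writable. Warnings are given with HIGH confidence.`, re-wrapped to the docstring's line width. If the intent was for world-executable to be HIGH, the code and test counts need changing instead, and that should be a separate decision rather than a documentation fix.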
@@ -57,6 +60,15 @@
 from bandit.core import test_properties as test
 
 
+def _stat_is_dangerous(mode):
+    return (
+        mode & stat.S_IWOTH
+        or mode & stat.S_IWGRP
+        or mode & stat.S_IXGRP
+        or mode & stat.S_IXOTH
+    )
+
+
 @test.checks("Call")
 @test.test_id("B103")
 def set_bad_file_permissions(context):
@@ -67,7 +79,7 @@ def set_bad_file_permissions(context):
     if (
         mode is not None
         and isinstance(mode, int)
-        and (mode & stat.S_IWOTH or mode & stat.S_IXGRP)
+        and _stat_is_dangerous(mode)
     ):
         # world writable is an HIGH, group executable is a MEDIUM
         if mode & stat.S_IWOTH:
diff --git a/examples/os-chmod.py b/examples/os-chmod.py
index 65560f6ac..f7fff8517 100644
--- a/examples/os-chmod.py
+++ b/examples/os-chmod.py
@@ -14,4 +14,6 @@
 os.chmod('/etc/hosts', 0o777)
 os.chmod('/tmp/oh_hai', 0x1ff)
 os.chmod('/etc/passwd', stat.S_IRWXU)
-os.chmod(key_file, 0o777)
+os.chmod(keyfile, 0o777)
+os.chmod('~/hidden_exec', stat.S_IXGRP)
+os.chmod('~/hidden_exec', stat.S_IXOTH)
diff --git a/tests/functional/test_functional.py b/tests/functional/test_functional.py
index 1d1bd7e47..16d07c0a7 100644
--- a/tests/functional/test_functional.py
+++ b/tests/functional/test_functional.py
@@ -300,8 +300,8 @@ def test_subdirectory_okay(self):
     def test_os_chmod(self):
         """Test setting file permissions."""
         expect = {
-            "SEVERITY": {"UNDEFINED": 0, "LOW": 0, "MEDIUM": 2, "HIGH": 8},
-            "CONFIDENCE": {"UNDEFINED": 0, "LOW": 0, "MEDIUM": 1, "HIGH": 9},
+            "SEVERITY": {"UNDEFINED": 0, "LOW": 0, "MEDIUM": 4, "HIGH": 8},
+            "CONFIDENCE": {"UNDEFINED": 0, "LOW": 0, "MEDIUM": 1, "HIGH": 11},
         }
         self.check_example("os-chmod.py", expect)
 
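Review bot: `_stat_is_dangerous` has no docstring and, because it is an `or` chain of masked ints, returns the first non-zero masked value (e.g. 2 or 8) rather than a bool; that is harmless in the `and` expression that calls it, but it reads as a predicate and should behave like one. A single combined mask is shorter and returns a real bool: `return bool(mode & (stat.S_IWOTH | stat.S_IWGRP | stat.S_IXGRP | stat.S_IXOTH))`, with a docstring such as `"""Return True if *mode* grants write or execute to group or others."""`. The helper name and its call site in the `@@ -67,7 +79,7 @@` hunk stay unchanged.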
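Review bot: The context line `# world writable is an HIGH, group executable is a MEDIUM` is now stale: once the condition is `_stat_is_dangerous(mode)`, the non-HIGH branch also receives group-writable and world-executable modes, which the old two-flag check never admitted. Update it to `# world writable is HIGH; group write/exec and world exec are MEDIUM` so the comment beside the severity split matches what the helper now lets through. The MEDIUM branch and the remainder of set_bad_file_permissions lie outside the hunk, so that severity is inferred from the comment and the updated test counts rather than visible code.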