
Inconsistency of random.Random detection between different platforms #926

Closed
shiftinv opened this issue Jul 9, 2022 · 0 comments · Fixed by #940
Labels
bug Something isn't working

Comments

@shiftinv
Contributor

shiftinv commented Jul 9, 2022

Describe the bug

The blacklisting module uses fnmatch for matching call names, which results in differing behavior on Windows vs other platforms.

if name is not None and fnmatch.fnmatch(name, qn):

Particularly, usage of random.random generally results in B311 being emitted:

utils.build_conf_dict(
"random",
"B311",
issue.Cwe.INSUFFICIENT_RANDOM_VALUES,
[
"random.random",

Since fnmatch calls os.path.normcase, this blacklist entry also matches random.Random on Windows, but not Linux.

# Windows
> bandit test.py
...
[main]  INFO    running on Python 3.9.9
Run started:2022-07-09 21:22:28.141846

Test results:
>> Issue: [B311:blacklist] Standard pseudo-random generators are not suitable for security/cryptographic purposes.
   Severity: Low   Confidence: High
   CWE: CWE-330 (https://cwe.mitre.org/data/definitions/330.html)
   Location: test.py:2:4
   More Info: https://bandit.readthedocs.io/en/1.7.4/blacklists/blacklist_calls.html#b311-random
1       import random
2       x = random.Random()

...
# Linux
$ bandit test.py
...
[main]  INFO    running on Python 3.9.9
Run started:2022-07-09 21:15:31.888486

Test results:
        No issues identified.

Reproduction steps

Run bandit on the following code on Windows and Linux:

import random
x = random.Random()

Expected behavior

I'm not exactly sure what the correct behavior should be - probably random.Random resulting in B311 on all platforms, not just Windows - but it should be consistent regardless of platform.

Bandit version

1.7.4 (Default)

Python version

3.9

Additional context

No response
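The platform split described in this report comes from `fnmatch.fnmatch()` passing both the call name and the pattern through `os.path.normcase()` before matching (lowercasing on Windows, a no-op on POSIX). The following is an added example, not Bandit's own code, that reproduces both platforms' results on any host by substituting `ntpath.normcase` / `posixpath.normcase`, and contrasts them with `fnmatch.fnmatchcase()`, which behaves identically everywhere; the call-name list and the "fixed" pattern list with an explicit `random.Random` entry are constructed for illustration.

```python
import fnmatch
import ntpath
import posixpath

# Constructed sample: fully qualified call names as a linter would resolve them.
CALL_NAMES = ["random.random", "random.Random", "random.randint", "os.urandom"]

# Hypothetical blacklist fragments: the single entry quoted in the issue, and
# the same list extended with an explicit mixed-case entry (the approach the
# linked fix's commit message implies; assumed here, not copied from Bandit).
PATTERNS_AS_REPORTED = ["random.random"]
PATTERNS_FIXED = ["random.random", "random.Random"]


def match_as_on(name, pattern, normcase):
    """Replicate fnmatch.fnmatch() with an explicit platform normcase.

    fnmatch.fnmatch() normalises both sides with os.path.normcase() first:
    ntpath.normcase lowercases (Windows), posixpath.normcase returns its
    input unchanged (Linux/macOS), so the match result depends on the host.
    """
    return fnmatch.fnmatchcase(normcase(name), normcase(pattern))


def windows_match(name, pattern):
    return match_as_on(name, pattern, ntpath.normcase)


def linux_match(name, pattern):
    return match_as_on(name, pattern, posixpath.normcase)


def portable_match(name, pattern):
    """Case-sensitive glob match that gives the same answer on every platform."""
    return fnmatch.fnmatchcase(name, pattern)


def flagged(names, patterns, matcher):
    """Return the call names that at least one blacklist pattern matches."""
    return [n for n in names if any(matcher(n, p) for p in patterns)]


if __name__ == "__main__":
    print("Windows, reported list:", flagged(CALL_NAMES, PATTERNS_AS_REPORTED, windows_match))
    print("Linux,   reported list:", flagged(CALL_NAMES, PATTERNS_AS_REPORTED, linux_match))
    print("Any OS,  fixed list:   ", flagged(CALL_NAMES, PATTERNS_FIXED, portable_match))
    # What stock fnmatch.fnmatch() does on the host running this script:
    print("This host, fnmatch.fnmatch:", flagged(CALL_NAMES, PATTERNS_AS_REPORTED, fnmatch.fnmatch))
```

Running the script shows `random.Random` flagged only under the Windows normalisation with the original list, while the case-sensitive matcher with an explicit `random.Random` entry flags it on every platform.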

@shiftinv shiftinv added the bug Something isn't working label Jul 9, 2022
@shiftinv shiftinv changed the title Inconsistency of random.random detection between different platforms Inconsistency of random.Random detection between different platforms Jul 9, 2022
shiftinv added a commit to shiftinv/bandit that referenced this issue Aug 12, 2022
The lowercase `random.random` already matches `random.Random` on Windows as well
(due to being case-insensitive), but not on other platforms.

Resolves: PyCQA#926
rkuczer added a commit to rkuczer/bandit that referenced this issue Apr 19, 2023
ericwb added a commit that referenced this issue May 22, 2023
The lowercase `random.random` already matches `random.Random` on Windows as well
(due to being case-insensitive), but not on other platforms.

Resolves: #926

Co-authored-by: Eric Brown <ericwb@users.noreply.github.com>