Implement flake8-bandit
#1646
Comments
|
\cc @edgarrmondragon - easier to track here than to keep incrementing the count in the README. I'll populate the checklist. |
|
thanks @charliermarsh! |
|
By the way: the scripts are pretty bad right now, but it might save you some time (and would love help improving): The main limitations right now are:
|
Thanks, I'll take a look at those. They might be really helpful for bandit's blacklist tests. |
See: #1646. Co-authored-by: Charlie Marsh <charlie.r.marsh@gmail.com>
|
Please implement the configurations for it as well e.g https://bandit.readthedocs.io/en/latest/config.html#bandit-settings |
|
@ahmedbilal - I think [tool.ruff.per-file-ignores]
"excluded_dir" = ["S"] |
ref: #1646 Co-authored-by: Charlie Marsh <charlie.r.marsh@gmail.com>
|
Not sure if this is the best place to ask, but do flake8-bandit and bandit have the same linters? |
|
Also @charliermarsh do you think it would be helpful to pin all of the issues that are trackers for implementing a package to the top? It would make it easier for people to understand our progress, and to contribute to one. |
Yeah, I believe |
ruff has reimplemented the bandit rules[1], so we can use that as a better-integrated tool with the rest of our stack. We enable all the bandit rules and selectively disable some across the codebase and some in just tests where they don't make sense (e.g. flagging use of `assert` or using insecure crypto). For bonus points we can get rid of the GitPython dependency, which has a history of (non-exploitable in our context) security issues. [1] Per astral-sh/ruff#1646 they've implemented nearly all of them, and the remaining ones aren't that important IMO.
|
I am also interested in picking up some of the leftover rules. Has any decision been made on the Clicked through some ported rules and it looks like |
|
These rules have already been implemented: |
|
@charliermarsh I think is more a generic question rather than specific to this rule set, but are you implementing them with the exact same behaviour of the originals? I am getting the same (odd) behaviour in ruff and flake8 With this sample code: import random
import time
time.sleep(random.choice(range(1, 5)))I was wondering if this behaviour is going to be reviewed or fixed in Ruff? Thanks! |
|
@pygaiwan This is the intended behavior of that rule and not odd at all. The Bandit is a security linter so its goal is to have essentially zero false negatives, at the cost of some false positives, so it's quite common that you will have to review bandit errors and decide whether or not it's an actual issue and put a You can also globally disable rules you don't care about. |
|
Five rules left :) |
## Summary Adds all `S4XX` rules to the [flake8-bandit](https://github.com/tylerwince/flake8-bandit) plugin port. There is a lot of documentation to write, some tests can be expanded and implementation can probably be refactored to be more compact. As there is some discussion on whether this is actually useful. (See: #1646 (comment)), wanted to check which rules we want to have before I go through the process of polishing this up. ## Test Plan Fixtures for all rules based on `flake8-bandit` [tests](https://github.com/tylerwince/flake8-bandit/tree/main/tests) ## Issue link Refers: #1646
## Summary Adds `S504` rule for the [flake8-bandit](https://github.com/tylerwince/flake8-bandit) plugin port. Checks for calls to `ssl.wrap_socket` which have no `ssl_version` argument set. See also https://bandit.readthedocs.io/en/latest/_modules/bandit/plugins/insecure_ssl_tls.html#ssl_with_no_version ## Test Plan Fixture added ## Issue Link Refers: #1646
## Summary Adds S502 rule for the [flake8-bandit](https://github.com/tylerwince/flake8-bandit) plugin port. Checks for calls to any function with keywords arguments `ssl_version` or `method` or for kwargs `method` in calls to `OpenSSL.SSL.Context` and `ssl_version` in calls to `ssl.wrap_socket` which have an insecure ssl_version valu. See also https://bandit.readthedocs.io/en/latest/_modules/bandit/plugins/insecure_ssl_tls.html#ssl_with_bad_version ## Test Plan Fixture added ## Issue Link Refers: #1646
## Summary Adds S503 rule for the [flake8-bandit](https://github.com/tylerwince/flake8-bandit) plugin port. Checks for function defs argument defaults which have an insecure ssl_version value. See also https://bandit.readthedocs.io/en/latest/_modules/bandit/plugins/insecure_ssl_tls.html#ssl_with_bad_defaults Some logic and the `const` can be shared with #9390. When one of the two is merged. ## Test Plan Fixture added ## Issue Link Refers: #1646
|
S503 was addressed by #9391 so there's only S610 and S703 left! |
|
How is S703 different from S308, by the way? They seem redundant to me. |
Per PyCQA/bandit#294 (comment), it would seem so. Would seem like S308 was first and then S703 covered S308 but did not want to have a breaking change. |
Part of #1646. ## Summary Implement `S610` rule from `flake8-bandit`. Upstream references: - Implementation: https://github.com/PyCQA/bandit/blob/1.7.8/bandit/plugins/django_sql_injection.py#L20-L97 - Test cases: https://github.com/PyCQA/bandit/blob/1.7.8/examples/django_sql_injection_extra.py - Test assertion: https://github.com/PyCQA/bandit/blob/1.7.8/tests/functional/test_functional.py#L517-L524 The implementation in `bandit` targets additional arguments (`params`, `order_by` and `select_params`) but doesn't seem to do anything with them in the end, so I did not include them in the implementation. Note that this rule could be prone to false positives, as ideally we would want to check if `extra()` is tied to a [Django queryset](https://docs.djangoproject.com/en/5.0/ref/models/querysets/), but AFAIK Ruff is not able to resolve classes outside of the current module. ## Test Plan Snapshot tests
S101:assert_usedS102:exec_usedS103:set_bad_file_permissionsS104:hardcoded_bind_all_interfacesS105:hardcoded_password_stringS106:hardcoded_password_funcargS107:hardcoded_password_defaultS108:hardcoded_tmp_directoryS109:password_config_option_not_marked_secretS110:try_except_passS111:execute_with_run_as_root_equals_trueS112:try_except_continueS113:request_without_timeoutS201:flask_debug_trueS202:tarfile_unsafe_membersS301:pickleS302:marshalS303:md5S304:ciphersS305:cipher_modesS306:mktemp_qS307:evalS308:mark_safeS311:randomS312:telnetlibS313:xml_bad_cElementTreeS314:xml_bad_ElementTreeS315:xml_bad_expatreaderS316:xml_bad_expatbuilderS317:xml_bad_saxS318:xml_bad_minidomS319:xml_bad_pulldomS320:xml_bad_etreeS321:ftplibS323:unverified_contextS324:hashlibS310:urllib_urlopenS401:import_telnetlibS402:import_ftplibS403:import_pickleS404:import_subprocessS405:import_xml_etreeS406:import_xml_saxS407:import_xml_expatS408:import_xml_minidomS409:import_xml_pulldomS410:import_lxmlS411:import_xmlrpclibS412:import_httpoxyS413:import_pycryptoS415:import_pyghmiS501:request_with_no_cert_validationS502:ssl_with_bad_versionS503:ssl_with_bad_defaultsS504:ssl_with_no_versionS505:weak_cryptographic_keyS506:yaml_loadS507:ssh_no_host_key_verificationS508:snmp_insecure_versionS509:snmp_weak_cryptographyS601:paramiko_callsS602:subprocess_popen_with_shell_equals_trueS603:subprocess_without_shell_equals_trueS604:any_other_function_with_shell_equals_trueS605:start_process_with_a_shellS606:start_process_with_no_shellS607:start_process_with_partial_pathS608:hardcoded_sql_expressionsS609:linux_commands_wildcard_injectionS610:django_extra_usedS611:django_rawsql_usedS612:logging_config_insecure_listenS701:jinja2_autoescape_falseS702:use_of_mako_templatesS703:django_mark_safeThe text was updated successfully, but these errors were encountered: