Use qualname list to avoid false positive on load()

The code checking for yaml.load() issues had false positives on json.load() and foo.load(). This patch checks the qualnames of the load function to avoid false positives. Change-Id: I22ffb9e852e31d04dc49c4ad949d1417e70f8828 Closes-bug: 1622615
openstack-archive · Oct 6, 2016 · e98515f · e98515f
1 parent 8e76fcb
commit e98515f
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 2 deletions.
diff --git a/bandit/plugins/yaml_load.py b/bandit/plugins/yaml_load.py
@@ -55,8 +55,10 @@
 @test.test_id('B506')
 @test.checks('Call')
 def yaml_load(context):
-    if context.is_module_imported_like('yaml'):
-        if context.call_function_name_qual.endswith('.load'):
+    if type(context.call_function_name_qual) == str:
+        qualname_list = context.call_function_name_qual.split('.')
+        func = qualname_list[-1]
+        if 'yaml' in qualname_list and func == 'load':
             if not context.check_call_arg_value('Loader', 'SafeLoader'):
                 return bandit.Issue(
                     severity=bandit.MEDIUM,

diff --git a/examples/yaml_load.py b/examples/yaml_load.py
@@ -1,7 +1,12 @@
+import json
 import yaml
 
 def test_yaml_load():
     ystr = yaml.dump({'a' : 1, 'b' : 2, 'c' : 3})
     y = yaml.load(ystr)
     yaml.dump(y)
     y = yaml.load(ystr, Loader=yaml.SafeLoader)
+
+def test_json_load():
+    # no issue should be found
+    j = json.load("{}")