/
dynamic-urllib-use-detected.yaml
57 lines (57 loc) · 2.01 KB
/
dynamic-urllib-use-detected.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
rules:
- id: dynamic-urllib-use-detected
patterns:
- pattern-not: urllib.$W("...")
- pattern-not: urllib.request.$W("...")
- pattern-not: $OPENER.$W("...")
- pattern-either:
- pattern: urllib.urlopen(...)
- pattern: urllib.request.urlopen(...)
- pattern: urllib.urlretrieve(...)
- pattern: urllib.request.urlretrieve(...)
- patterns:
- pattern-either:
- pattern-inside: |
$OPENER = urllib.URLopener(...)
...
- pattern-inside: |
$OPENER = urllib.request.URLopener(...)
...
- pattern-inside: |
$OPENER = urllib.FancyURLopener(...)
...
- pattern-inside: |
$OPENER = urllib.request.FancyURLopener(...)
...
- pattern-either:
- pattern: $OPENER.open(...)
- pattern: $OPENER.retrieve(...)
message: >-
Detected a dynamic value being used with urllib. urllib supports 'file://' schemes,
so a dynamic value controlled by a malicious actor may allow them to read arbitrary
files.
Audit uses of urllib calls to ensure user data cannot control the URLs, or consider
using the 'requests' library instead.
metadata:
cwe:
- 'CWE-939: Improper Authorization in Handler for Custom URL Scheme'
owasp: 'A01:2017 - Injection'
source-rule-url: https://github.com/PyCQA/bandit/blob/b1411bfb43795d3ffd268bef17a839dee954c2b1/bandit/blacklists/calls.py#L163
bandit-code: B310
asvs:
section: 'V5: Validation, Sanitization and Encoding Verification Requirements'
control_id: 5.2.4 Dynamic Code Execution Features
control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v52-sanitization-and-sandboxing-requirements
version: '4'
category: security
technology:
- python
references:
- https://cwe.mitre.org/data/definitions/939.html
subcategory:
- audit
likelihood: LOW
impact: LOW
confidence: LOW
languages: [python]
severity: WARNING