bandit.blacklists package

Submodules

bandit.blacklists.calls module

Blacklist various Python calls known to be dangerous

This blacklist data checks for a number of Python calls known to have possible security implications. The following blacklist tests are run against any function calls encoutered in the scanned code base, triggered by encoutering ast.Call nodes.

B301: pickle

Pickle library appears to be in use, possible security issue.

ID Name Calls Severity
B301 pickle
  • pickle.loads
  • pickle.load
  • pickle.Unpickler
  • cPickle.loads
  • cPickle.load
  • cPickle.Unpickler
Medium

B302: marshal

Deserialization with the marshal module is possibly dangerous.

ID Name Calls Severity
B302 marshal
  • marshal.load
  • marshal.loads
Medium

B303: md5

Use of insecure MD2, MD4, or MD5 hash function.

ID Name Calls Severity
B303 md5
  • hashlib.md5
  • Crypto.Hash.MD2.new
  • Crypto.Hash.MD4.new
  • Crypto.Hash.MD5.new
  • Cryptodome.Hash.MD2.new
  • Cryptodome.Hash.MD4.new
  • Cryptodome.Hash.MD5.new
  • cryptography.hazmat.primitives .hashes.MD5
Medium

B304 - B305: ciphers and modes

Use of insecure cipher or cipher mode. Replace with a known secure cipher such as AES.

ID Name Calls Severity
B304 ciphers
  • Crypto.Cipher.ARC2.new
  • Crypto.Cipher.ARC4.new
  • Crypto.Cipher.Blowfish.new
  • Crypto.Cipher.DES.new
  • Crypto.Cipher.XOR.new
  • Cryptodome.Cipher.ARC2.new
  • Cryptodome.Cipher.ARC4.new
  • Cryptodome.Cipher.Blowfish.new
  • Cryptodome.Cipher.DES.new
  • Cryptodome.Cipher.XOR.new
  • cryptography.hazmat.primitives .ciphers.algorithms.ARC4
  • cryptography.hazmat.primitives .ciphers.algorithms.Blowfish
  • cryptography.hazmat.primitives .ciphers.algorithms.IDEA
High
B305 cipher_modes
  • cryptography.hazmat.primitives .ciphers.modes.ECB
Medium

B306: mktemp_q

Use of insecure and deprecated function (mktemp).

ID Name Calls Severity
B306 mktemp_q
  • tempfile.mktemp
Medium

B307: eval

Use of possibly insecure function - consider using safer ast.literal_eval.

ID Name Calls Severity
B307 eval
  • eval
Medium

B308: mark_safe

Use of mark_safe() may expose cross-site scripting vulnerabilities and should be reviewed.

ID Name Calls Severity
B308 mark_safe
  • django.utils.safestring.mark_safe
Medium

B309: httpsconnection

Use of HTTPSConnection on older versions of Python prior to 2.7.9 and 3.4.3 do not provide security, see https://wiki.openstack.org/wiki/OSSN/OSSN-0033

ID Name Calls Severity
B309 httpsconnection
  • httplib.HTTPSConnection
  • http.client.HTTPSConnection
  • six.moves.http_client .HTTPSConnection
Medium

B310: urllib_urlopen

Audit url open for permitted schemes. Allowing use of ‘file:” or custom schemes is often unexpected.

ID Name Calls Severity
B310 urllib_urlopen
  • urllib.urlopen
  • urllib.request.urlopen
  • urllib.urlretrieve
  • urllib.request.urlretrieve
  • urllib.URLopener
  • urllib.request.URLopener
  • urllib.FancyURLopener
  • urllib.request.FancyURLopener
  • urllib2.urlopen
  • urllib2.Request
  • six.moves.urllib.request.urlopen
  • six.moves.urllib.request .urlretrieve
  • six.moves.urllib.request .URLopener
  • six.moves.urllib.request .FancyURLopener
Medium

B311: random

Standard pseudo-random generators are not suitable for security/cryptographic purposes.

ID Name Calls Severity
B311 random
  • random.random
  • random.randrange
  • random.randint
  • random.choice
  • random.uniform
  • random.triangular
Low

B312: telnetlib

Telnet-related functions are being called. Telnet is considered insecure. Use SSH or some other encrypted protocol.

ID Name Calls Severity
B312 telnetlib
  • telnetlib.*
High

B313 - B320: XML

Most of this is based off of Christian Heimes’ work on defusedxml: https://pypi.python.org/pypi/defusedxml/#defusedxml-sax

Using various XLM methods to parse untrusted XML data is known to be vulnerable to XML attacks. Methods should be replaced with their defusedxml equivalents.

ID Name Calls Severity
B313 xml_bad_cElementTree
  • xml.etree.cElementTree.parse
  • xml.etree.cElementTree.iterparse
  • xml.etree.cElementTree.fromstring
  • xml.etree.cElementTree.XMLParser
Medium
B314 xml_bad_ElementTree
  • xml.etree.ElementTree.parse
  • xml.etree.ElementTree.iterparse
  • xml.etree.ElementTree.fromstring
  • xml.etree.ElementTree.XMLParser
Medium
B315 xml_bad_expatreader
  • xml.sax.expatreader.create_parser
Medium
B316 xml_bad_expatbuilder
  • xml.dom.expatbuilder.parse
  • xml.dom.expatbuilder.parseString
Medium
B317 xml_bad_sax
  • xml.sax.parse
  • xml.sax.parseString
  • xml.sax.make_parser
Medium
B318 xml_bad_minidom
  • xml.dom.minidom.parse
  • xml.dom.minidom.parseString
Medium
B319 xml_bad_pulldom
  • xml.dom.pulldom.parse
  • xml.dom.pulldom.parseString
Medium
B320 xml_bad_etree
  • lxml.etree.parse
  • lxml.etree.fromstring
  • lxml.etree.RestrictedElement
  • lxml.etree.GlobalParserTLS
  • lxml.etree.getDefaultParser
  • lxml.etree.check_docinfo
Medium

B321: ftplib

FTP-related functions are being called. FTP is considered insecure. Use SSH/SFTP/SCP or some other encrypted protocol.

ID Name Calls Severity
B321 ftplib
  • ftplib.*
High

B322: input

The input method in Python 2 will read from standard input, evaluate and run the resulting string as python source code. This is similar, though in many ways worse, then using eval. On Python 2, use raw_input instead, input is safe in Python 3.

ID Name Calls Severity
B322 input
  • input
High

B323: unverified_context

By default, Python will create a secure, verified ssl context for use in such classes as HTTPSConnection. However, it still allows using an insecure context via the _create_unverified_context that reverts to the previous behavior that does not validate certificates or perform hostname checks.

ID Name Calls Severity
B322 unverified_context
  • ssl._create_unverified_context
Medium
bandit.blacklists.calls.gen_blacklist()

Generate a list of items to blacklist.

Methods of this type, “bandit.blacklist” plugins, are used to build a list of items that bandit’s built in blacklisting tests will use to trigger issues. They replace the older blacklist* test plugins and allow blacklisted items to have a unique bandit ID for filtering and profile usage.

Returns:a dictionary mapping node types to a list of blacklist data

bandit.blacklists.imports module

Blacklist various Python imports known to be dangerous

This blacklist data checks for a number of Python modules known to have possible security implications. The following blacklist tests are run against any import statements or calls encountered in the scanned code base.

Note that the XML rules listed here are mostly based off of Christian Heimes’ work on defusedxml: https://pypi.python.org/pypi/defusedxml

B401: import_telnetlib

A telnet-related module is being imported. Telnet is considered insecure. Use SSH or some other encrypted protocol.

ID Name Imports Severity
B401 import_telnetlib
  • telnetlib
high

B402: import_ftplib

A FTP-related module is being imported. FTP is considered insecure. Use SSH/SFTP/SCP or some other encrypted protocol.

ID Name Imports Severity
B402 inport_ftplib
  • ftplib
high

B403: import_pickle

Consider possible security implications associated with these modules.

ID Name Imports Severity
B403 import_pickle
  • pickle
  • cPickle
low

B404: import_subprocess

Consider possible security implications associated with these modules.

ID Name Imports Severity
B404 import_subprocess
  • subprocess
low

B405: import_xml_etree

Using various methods to parse untrusted XML data is known to be vulnerable to XML attacks. Replace vulnerable imports with the equivalent defusedxml package, or make sure defusedxml.defuse_stdlib() is called.

ID Name Imports Severity
B405 import_xml_etree
  • xml.etree.cElementTree
  • xml.etree.ElementTree
low

B406: import_xml_sax

Using various methods to parse untrusted XML data is known to be vulnerable to XML attacks. Replace vulnerable imports with the equivalent defusedxml package, or make sure defusedxml.defuse_stdlib() is called.

ID Name Imports Severity
B406 import_xml_sax
  • xml.sax
low

B407: import_xml_expat

Using various methods to parse untrusted XML data is known to be vulnerable to XML attacks. Replace vulnerable imports with the equivalent defusedxml package, or make sure defusedxml.defuse_stdlib() is called.

ID Name Imports Severity
B407 import_xml_expat
  • xml.dom.expatbuilder
low

B408: import_xml_minidom

Using various methods to parse untrusted XML data is known to be vulnerable to XML attacks. Replace vulnerable imports with the equivalent defusedxml package, or make sure defusedxml.defuse_stdlib() is called.

ID Name Imports Severity
B408 import_xml_minidom
  • xml.dom.minidom
low

B409: import_xml_pulldom

Using various methods to parse untrusted XML data is known to be vulnerable to XML attacks. Replace vulnerable imports with the equivalent defusedxml package, or make sure defusedxml.defuse_stdlib() is called.

ID Name Imports Severity
B409 import_xml_pulldom
  • xml.dom.pulldom
low

B410: import_lxml

Using various methods to parse untrusted XML data is known to be vulnerable to XML attacks. Replace vulnerable imports with the equivalent defusedxml package.

ID Name Imports Severity
B410 import_lxml
  • lxml
low

B411: import_xmlrpclib

XMLRPC is particularly dangerous as it is also concerned with communicating data over a network. Use defused.xmlrpc.monkey_patch() function to monkey-patch xmlrpclib and mitigate remote XML attacks.

ID Name Imports Severity
B411 import_xmlrpclib
  • xmlrpclib
high

B412: import_httpoxy

httpoxy is a set of vulnerabilities that affect application code running in CGI, or CGI-like environments. The use of CGI for web applications should be avoided to prevent this class of attack. More details are available at https://httpoxy.org/.

ID Name Imports Severity
B412 import_httpoxy
  • wsgiref.handlers.CGIHandler
  • twisted.web.twcgi.CGIScript
high
bandit.blacklists.imports.gen_blacklist()

Generate a list of items to blacklist.

Methods of this type, “bandit.blacklist” plugins, are used to build a list of items that bandit’s built in blacklisting tests will use to trigger issues. They replace the older blacklist* test plugins and allow blacklisted items to have a unique bandit ID for filtering and profile usage.

Returns:a dictionary mapping node types to a list of blacklist data

bandit.blacklists.utils module

bandit.blacklists.utils.build_conf_dict(name, bid, qualnames, message, level=’MEDIUM’)

Build and return a blacklist configuration dict.

Module contents