def setUp(self):
super(YamlFormatterTests, self).setUp()
conf = config.BanditConfig()
self.manager = manager.BanditManager(conf, 'file')
(tmp_fd, self.tmp_fname) = tempfile.mkstemp()
self.context = {'filename': self.tmp_fname,
'lineno': 4,
'linerange': [4]}
self.check_name = 'hardcoded_bind_all_interfaces'
self.issue = issue.Issue(bandit.MEDIUM, bandit.MEDIUM,
'Possible binding to all interfaces.')
self.candidates = [issue.Issue(bandit.LOW, bandit.LOW, 'Candidate A',
lineno=1),
issue.Issue(bandit.HIGH, bandit.HIGH, 'Candiate B',
lineno=2)]
self.manager.out_file = self.tmp_fname
self.issue.fname = self.context['filename']
self.issue.lineno = self.context['lineno']
self.issue.linerange = self.context['linerange']
self.issue.test = self.check_name
self.manager.results.append(self.issue)
self.manager.metrics = metrics.Metrics()
# mock up the metrics
for key in ['_totals', 'binding.py']:
self.manager.metrics.data[key] = {'loc': 4, 'nosec': 2}
for (criteria, default) in constants.CRITERIA:
def jinja2_autoescape_false(context):
# check type just to be safe
if isinstance(context.call_function_name_qual, str):
qualname_list = context.call_function_name_qual.split('.')
func = qualname_list[-1]
if 'jinja2' in qualname_list and func == 'Environment':
for node in ast.walk(context.node):
if isinstance(node, ast.keyword):
# definite autoescape = False
if (getattr(node, 'arg', None) == 'autoescape' and
(getattr(node.value, 'id', None) == 'False' or
getattr(node.value, 'value', None) is False)):
return bandit.Issue(
severity=bandit.HIGH,
confidence=bandit.HIGH,
text="Using jinja2 templates with autoescape="
"False is dangerous and can lead to XSS. "
"Use autoescape=True or use the "
"select_autoescape function to mitigate XSS "
"vulnerabilities."
)
# found autoescape
if getattr(node, 'arg', None) == 'autoescape':
value = getattr(node, 'value', None)
if (getattr(value, 'id', None) == 'True' or
getattr(value, 'value', None) is True):
return
# Check if select_autoescape function is used.
elif isinstance(value, ast.Call) and getattr(
value.func, 'id', None) == 'select_autoescape':
return
imported = context.is_module_imported_exact('yaml')
qualname = context.call_function_name_qual
if not imported and isinstance(qualname, str):
return
qualname_list = qualname.split('.')
func = qualname_list[-1]
if all([
'yaml' in qualname_list,
func == 'load',
not context.check_call_arg_value('Loader', 'SafeLoader'),
not context.check_call_arg_value('Loader', 'CSafeLoader'),
]):
return bandit.Issue(
severity=bandit.MEDIUM,
confidence=bandit.HIGH,
text="Use of unsafe yaml load. Allows instantiation of"
" arbitrary objects. Consider yaml.safe_load().",
lineno=context.node.lineno,
)
def _classify_key_size(config, key_type, key_size):
    """Map an asymmetric key size to a weak-key finding when it is under threshold.

    Args:
        config: Mapping holding the ``weak_key_size_<type>_high`` and
            ``weak_key_size_<type>_medium`` thresholds for DSA, RSA and EC.
        key_type: One of ``'DSA'``, ``'RSA'`` or ``'EC'``; any other value
            raises ``KeyError`` when the threshold table is looked up.
        key_size: Requested key length in bits, or a ``str`` when the caller
            could only recover a variable name instead of a literal.

    Returns:
        A ``bandit.Issue`` (HIGH or MEDIUM severity, HIGH confidence) for the
        first threshold the size falls below, or ``None`` when the size is
        acceptable or could not be resolved to a number.
    """
    # A string means the size came from a variable; there is no value to compare.
    if isinstance(key_size, str):
        return None
    # All three threshold tables are read up front, so a missing config key
    # fails regardless of which key_type was asked for.
    thresholds = {
        kind: [
            (config['weak_key_size_%s_high' % kind.lower()], bandit.HIGH),
            (config['weak_key_size_%s_medium' % kind.lower()], bandit.MEDIUM),
        ]
        for kind in ('DSA', 'RSA', 'EC')
    }
    # The HIGH threshold is listed first, so the most severe match wins.
    for minimum, level in thresholds[key_type]:
        if key_size < minimum:
            return bandit.Issue(
                severity=level,
                confidence=bandit.HIGH,
                text='%s key sizes below %d bits are considered breakable. ' %
                (key_type, minimum))
    return None
call_argument = context.get_call_arg_at_position(0)
argument_string = ''
if isinstance(call_argument, list):
for li in call_argument:
argument_string = argument_string + ' %s' % li
elif isinstance(call_argument, str):
argument_string = call_argument
if argument_string != '':
for vulnerable_func in vulnerable_funcs:
if(
vulnerable_func in argument_string and
'*' in argument_string
):
return bandit.Issue(
severity=bandit.HIGH,
confidence=bandit.MEDIUM,
text="Possible wildcard injection in call: %s" %
context.call_function_name_qual,
lineno=context.get_lineno_for_call_arg('shell'),
)
value.func, 'id', None) == 'select_autoescape':
return
else:
return bandit.Issue(
severity=bandit.HIGH,
confidence=bandit.MEDIUM,
text="Using jinja2 templates with autoescape="
"False is dangerous and can lead to XSS. "
"Ensure autoescape=True or use the "
"select_autoescape function to mitigate "
"XSS vulnerabilities."
)
# We haven't found a keyword named autoescape, indicating default
# behavior
return bandit.Issue(
severity=bandit.HIGH,
confidence=bandit.HIGH,
text="By default, jinja2 sets autoescape to False. Consider "
"using autoescape=True or use the select_autoescape "
def _get_result(check, im):
    """Build the finding for an import *im* that matched rule *check*.

    Args:
        check: Rule tuple whose index 1 is the message template (may contain
            the ``{module}`` placeholder) and index 2 is the severity name
            ``'HIGH'``, ``'MEDIUM'`` or ``'LOW'``.
        im: Name of the imported module, substituted for ``{module}``.

    Returns:
        A ``bandit.Issue`` with HIGH confidence. An unrecognised severity name
        yields ``severity=None``, exactly as the original if/elif chain did.
    """
    text = check[1].replace('{module}', im)
    # Table lookup instead of an if/elif ladder; unknown names fall through to None.
    severity_by_name = {
        'HIGH': bandit.HIGH,
        'MEDIUM': bandit.MEDIUM,
        'LOW': bandit.LOW,
    }
    return bandit.Issue(
        severity=severity_by_name.get(check[2]),
        confidence=bandit.HIGH,
        text=text,
    )
def set_bad_file_permissions(context):
    """Flag ``chmod`` calls whose literal mode grants overly permissive bits.

    Args:
        context: Bandit call context; ``call_function_name``,
            ``call_args_count`` and ``get_call_arg_at_position`` are used.

    Returns:
        A ``bandit.Issue`` with HIGH confidence when the literal mode has the
        world-writable bit set (HIGH severity) or the group-executable bit set
        (MEDIUM severity); ``None`` for any other call, a non-literal mode, or
        a mode with neither bit.
    """
    # Substring match, as in the original: any name containing 'chmod'.
    if 'chmod' not in context.call_function_name:
        return None
    if context.call_args_count != 2:
        return None
    mode = context.get_call_arg_at_position(1)
    # Only a literal integer mode can be inspected statically.
    if not isinstance(mode, int):
        return None
    world_writable = bool(mode & stat.S_IWOTH)
    # NOTE(review): the MEDIUM branch tests the group-execute bit (S_IXGRP),
    # not group-write; confirm that is the intended check.
    group_executable = bool(mode & stat.S_IXGRP)
    if not (world_writable or group_executable):
        return None
    # World-writable outranks group-executable.
    sev_level = bandit.HIGH if world_writable else bandit.MEDIUM
    target = context.get_call_arg_at_position(0)
    if target is None:
        target = 'NOT PARSED'
    return bandit.Issue(
        severity=sev_level,
        confidence=bandit.HIGH,
        text="Chmod setting a permissive mask %s on file (%s)." %
        (oct(mode), target)
    )
def _report(strings):
reports = []
for string_data in strings:
if string_data.confidence == 1:
confidence = bandit.LOW
elif string_data.confidence == 2:
confidence = bandit.MEDIUM
elif string_data.confidence >= 3:
confidence = bandit.HIGH
if string_data.severity == 1:
severity = bandit.LOW
elif string_data.severity == 2:
severity = bandit.MEDIUM
elif string_data.severity >= 3:
severity = bandit.HIGH
if type(string_data.string) is not unicode:
string_data.string = string_data.string.decode('utf-8', errors='replace')
string_data.string = string_data.string.encode('ascii', errors='replace')
if len(string_data.string) > 12:
secret_start = string_data.string[:4]
secret_end = string_data.string[-4:]
try:
secret_start = secret_start
mode = context.get_call_arg_at_position(1)
if (mode is not None and isinstance(mode, int) and
(mode & stat.S_IWOTH or mode & stat.S_IXGRP)):
# world writable is an HIGH, group executable is a MEDIUM
if mode & stat.S_IWOTH:
sev_level = bandit.HIGH
else:
sev_level = bandit.MEDIUM
filename = context.get_call_arg_at_position(0)
if filename is None:
filename = 'NOT PARSED'
return bandit.Issue(
severity=sev_level,
confidence=bandit.HIGH,
text="Chmod setting a permissive mask %s on file (%s)." %
(oct(mode), filename)
)