How to use the bandit.Issue function in bandit

To help you get started, we’ve selected a few examples of `bandit.Issue` being used in public projects (here, Bandit’s own plugins). Several of the excerpts below are truncated, so some functions are cut off mid-body.


Source: PyCQA/bandit — `bandit/plugins/mako_templates.py`
def use_of_mako_templates(context):
    # check type just to be safe
    if isinstance(context.call_function_name_qual, str):
        qualname_list = context.call_function_name_qual.split('.')
        func = qualname_list[-1]
        if 'mako' in qualname_list and func == 'Template':
            # unlike Jinja2, mako does not have a template wide autoescape
            # feature and thus each variable must be carefully sanitized.
            return bandit.Issue(
                severity=bandit.MEDIUM,
                confidence=bandit.HIGH,
                text="Mako templates allow HTML/JS rendering by default and "
                     "are inherently open to XSS attacks. Ensure variables "
Source: PyCQA/bandit — `bandit/plugins/jinja2_templates.py`
def jinja2_autoescape_false(context):
    # check type just to be safe
    if isinstance(context.call_function_name_qual, str):
        qualname_list = context.call_function_name_qual.split('.')
        func = qualname_list[-1]
        if 'jinja2' in qualname_list and func == 'Environment':
            for node in ast.walk(context.node):
                if isinstance(node, ast.keyword):
                    # definite autoescape = False
                    if (getattr(node, 'arg', None) == 'autoescape' and
                            (getattr(node.value, 'id', None) == 'False' or
                             getattr(node.value, 'value', None) is False)):
                        return bandit.Issue(
                            severity=bandit.HIGH,
                            confidence=bandit.HIGH,
                            text="Using jinja2 templates with autoescape="
                                 "False is dangerous and can lead to XSS. "
                                 "Use autoescape=True or use the "
                                 "select_autoescape function to mitigate XSS "
                                 "vulnerabilities."
                        )
                    # found autoescape
                    if getattr(node, 'arg', None) == 'autoescape':
                        value = getattr(node, 'value', None)
                        if (getattr(value, 'id', None) == 'True' or
                                getattr(value, 'value', None) is True):
                            return
                        # Check if select_autoescape function is used.
                        elif isinstance(value, ast.Call) and getattr(
Source: PyCQA/bandit — `bandit/plugins/injection_wildcard.py`
if context.call_args_count >= 1:
            call_argument = context.get_call_arg_at_position(0)
            argument_string = ''
            if isinstance(call_argument, list):
                for li in call_argument:
                    argument_string = argument_string + ' %s' % li
            elif isinstance(call_argument, str):
                argument_string = call_argument

            if argument_string != '':
                for vulnerable_func in vulnerable_funcs:
                    if(
                            vulnerable_func in argument_string and
                            '*' in argument_string
                    ):
                        return bandit.Issue(
                            severity=bandit.HIGH,
                            confidence=bandit.MEDIUM,
                            text="Possible wildcard injection in call: %s" %
                            context.call_function_name_qual,
                            lineno=context.get_lineno_for_call_arg('shell'),
                        )
Source: PyCQA/bandit — `bandit/plugins/injection_shell.py`
3   os.system('/bin/echo hi')

    .. seealso::

     - https://security.openstack.org
     - https://docs.python.org/3/library/os.html#os.system
     - https://docs.python.org/3/library/subprocess.html#frequently-used-arguments  # noqa
     - https://security.openstack.org/guidelines/dg_use-subprocess-securely.html

    .. versionadded:: 0.10.0
    """
    if config and context.call_function_name_qual in config['shell']:
        if len(context.call_args) > 0:
            sev = _evaluate_shell_call(context)
            if sev == bandit.LOW:
                return bandit.Issue(
                    severity=bandit.LOW,
                    confidence=bandit.HIGH,
                    text='Starting a process with a shell: '
                         'Seems safe, but may be changed in the future, '
                         'consider rewriting without shell'
                )
            else:
                return bandit.Issue(
                    severity=bandit.HIGH,
                    confidence=bandit.HIGH,
                    text='Starting a process with a shell, possible injection'
                         ' detected, security issue.'
Source: PyCQA/bandit — `bandit/plugins/injection_sql.py`
def hardcoded_sql_expressions(context):
    val = _evaluate_ast(context.node)
    if _check_string(val[1]):
        return bandit.Issue(
            severity=bandit.MEDIUM,
            confidence=bandit.MEDIUM if val[0] else bandit.LOW,
            text="Possible SQL injection vector through string-based "
                 "query construction."
Source: PyCQA/bandit — `bandit/plugins/django_xss.py`
parent = node._bandit_parent
        while not isinstance(parent, (ast.Module, ast.FunctionDef)):
            parent = parent._bandit_parent
        secure = evaluate_call(xss_var, parent)
    elif isinstance(xss_var, ast.BinOp):
        is_mod = isinstance(xss_var.op, ast.Mod)
        is_left_str = isinstance(xss_var.left, ast.Str)
        if is_mod and is_left_str:
            parent = node._bandit_parent
            while not isinstance(parent, (ast.Module, ast.FunctionDef)):
                parent = parent._bandit_parent
            new_call = transform2call(xss_var)
            secure = evaluate_call(new_call, parent)

    if not secure:
        return bandit.Issue(
            severity=bandit.MEDIUM,
            confidence=bandit.HIGH,
            text=description
        )
Source: PyCQA/bandit — `bandit/plugins/jinja2_templates.py`
elif isinstance(value, ast.Call) and getattr(
                                value.func, 'id', None) == 'select_autoescape':
                            return
                        else:
                            return bandit.Issue(
                                severity=bandit.HIGH,
                                confidence=bandit.MEDIUM,
                                text="Using jinja2 templates with autoescape="
                                     "False is dangerous and can lead to XSS. "
                                     "Ensure autoescape=True or use the "
                                     "select_autoescape function to mitigate "
                                     "XSS vulnerabilities."
                            )
            # We haven't found a keyword named autoescape, indicating default
            # behavior
            return bandit.Issue(
                severity=bandit.HIGH,
                confidence=bandit.HIGH,
                text="By default, jinja2 sets autoescape to False. Consider "
                     "using autoescape=True or use the select_autoescape "
Source: PyCQA/bandit — `bandit/plugins/try_except_continue.py`
def try_except_continue(context, config):
    """Flag an ``except`` handler whose only statement is ``continue``.

    Such a handler discards the error and silently moves on to the next
    loop iteration, so failures go unnoticed.

    Args:
        context: Bandit context whose ``node`` is an ``ast.ExceptHandler``.
        config: Plugin config; ``check_typed_exception`` decides whether
            handlers naming a specific exception type are examined too.

    Returns:
        A ``bandit.Issue`` (LOW severity, HIGH confidence) when the handler
        body is exactly one ``continue``; otherwise ``None``.
    """
    handler = context.node

    # Only a single-statement handler can be "just continue".
    if len(handler.body) != 1:
        return None

    if not config['check_typed_exception']:
        # Bare ``except:`` and ``except Exception:`` are always examined;
        # narrower handlers are skipped unless the config asks for them.
        exc_type = handler.type
        is_broad = (exc_type is None or
                    getattr(exc_type, 'id', None) == 'Exception')
        if not is_broad:
            return None

    only_stmt = handler.body[0]
    if not isinstance(only_stmt, ast.Continue):
        return None

    return bandit.Issue(
        severity=bandit.LOW,
        confidence=bandit.HIGH,
        text="Try, Except, Continue detected.",
    )
Source: PyCQA/bandit — `bandit/plugins/exec_as_root.py`
def execute_with_run_as_root_equals_true(context, config):
    """Flag calls to configured helpers made with ``run_as_root=True``.

    Args:
        context: Bandit call context; its qualified callee name is matched
            against the configured list and its keyword arguments inspected
            via ``check_call_arg_value``.
        config: Plugin config with ``function_names``, the qualified callee
            names to examine.

    Returns:
        A LOW-severity, MEDIUM-confidence ``bandit.Issue`` positioned at the
        ``run_as_root`` argument when the context helper reports its value
        as ``'True'``; otherwise ``None``.
    """
    callee = context.call_function_name_qual
    if callee not in config['function_names']:
        return None

    # The value is compared as the string 'True' by the context helper.
    if not context.check_call_arg_value('run_as_root', 'True'):
        return None

    return bandit.Issue(
        severity=bandit.LOW,
        confidence=bandit.MEDIUM,
        text="Execute with run_as_root=True identified, possible "
             "security issue.",
        lineno=context.get_lineno_for_call_arg('run_as_root'),
    )
Source: PyCQA/bandit — `bandit/plugins/general_hardcoded_password.py`
def _report(value):
    """Build the finding for a suspected hard-coded password.

    Args:
        value: The literal that looked like a password; it is echoed
            verbatim into the finding text.

    Returns:
        A ``bandit.Issue`` with LOW severity and MEDIUM confidence.

    NOTE(review): because ``value`` is copied into the report text, the
    candidate secret itself ends up wherever Bandit output is consumed
    (CI logs, JSON/SARIF artifacts). Treat those artifacts as sensitive.
    """
    message = "Possible hardcoded password: '%s'" % value
    return bandit.Issue(
        severity=bandit.LOW,
        confidence=bandit.MEDIUM,
        text=message,
    )