How to use the bandit.core.test_properties.checks function in bandit

To help you get started, we’ve selected a few bandit examples, based on popular ways it is used in public projects.


From PyCQA/bandit: bandit/plugins/hashlib_new_insecure_functions.py
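@test.checks('Call')
def hashlib_new(context):
    """Flag ``hashlib.new()`` calls that select the MD4 or MD5 digest.

    The digest name is read from the first positional argument or, failing
    that, from the ``name`` keyword. Only a literal string can be judged; a
    name supplied through a variable is not reported.

    :param context: bandit ``Context`` for the ``Call`` node under test.
    :return: a ``bandit.Issue`` (MEDIUM severity, HIGH confidence) when the
        digest is MD4 or MD5, otherwise ``None``.
    """
    if not isinstance(context.call_function_name_qual, str):
        return None

    qualname_list = context.call_function_name_qual.split('.')
    if 'hashlib' not in qualname_list or qualname_list[-1] != 'new':
        return None

    args = context.call_args
    # ``.get`` instead of ``[...]``: a call such as ``hashlib.new(**opts)``
    # carries neither a positional nor a ``name`` keyword, and indexing
    # would abort the whole scan with a KeyError.
    name = args[0] if args else context.call_keywords.get('name')
    if isinstance(name, str) and name.lower() in ('md4', 'md5'):
        return bandit.Issue(
            severity=bandit.MEDIUM,
            confidence=bandit.HIGH,
            text="Use of insecure MD4 or MD5 hash function.",
            lineno=context.node.lineno,
        )
    return None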
From PyCQA/bandit: bandit/plugins/jinja2_templates.py
@test.checks('Call')
@test.test_id('B701')
def jinja2_autoescape_false(context):
    # check type just to be safe
    if isinstance(context.call_function_name_qual, str):
        qualname_list = context.call_function_name_qual.split('.')
        func = qualname_list[-1]
        if 'jinja2' in qualname_list and func == 'Environment':
            for node in ast.walk(context.node):
                if isinstance(node, ast.keyword):
                    # definite autoescape = False
                    if (getattr(node, 'arg', None) == 'autoescape' and
                            (getattr(node.value, 'id', None) == 'False' or
                             getattr(node.value, 'value', None) is False)):
                        return bandit.Issue(
                            severity=bandit.HIGH,
                            confidence=bandit.HIGH,
From PyCQA/bandit: bandit/plugins/insecure_ssl_tls.py
@test.checks('Call')
@test.test_id('B502')
def ssl_with_bad_version(context, config):
    """**B502: Test for SSL use with bad version used**

    Several highly publicized exploitable flaws have been discovered
    in all versions of SSL and early versions of TLS. It is strongly
    recommended that use of the following known broken protocol versions be
    avoided:

    - SSL v2
    - SSL v3
    - TLS v1
    - TLS v1.1

    This plugin test scans for calls to Python methods with parameters that
    indicate the used broken SSL/TLS protocol versions. Currently, detection
From lyft/bandit-high-entropy-string: bandit_plugins/high_entropy_string.py
@test.checks('Str')
@test.test_id('BHES103')
def high_entropy_assign(context, config):
    node = context.node
    if isinstance(node.parent, ast.Assign):
        strings = []
        # looks for "some_var='candidate'"
        for targ in node.parent.targets:
            try:
                target = targ.id
            except AttributeError:
                target = None
            string_data = StringData(
                string=node.s,
                target=target,
                node_type='assignment',
                config=config
From PyCQA/bandit: bandit/plugins/injection_wildcard.py
@test.checks('Call')
@test.test_id('B609')
def linux_commands_wildcard_injection(context, config):
    if not ('shell' in config and 'subprocess' in config):
        return

    vulnerable_funcs = ['chown', 'chmod', 'tar', 'rsync']
    if context.call_function_name_qual in config['shell'] or (
            context.call_function_name_qual in config['subprocess'] and
            context.check_call_arg_value('shell', 'True')):
        if context.call_args_count >= 1:
            call_argument = context.get_call_arg_at_position(0)
            argument_string = ''
            if isinstance(call_argument, list):
                for li in call_argument:
                    argument_string = argument_string + ' %s' % li
            elif isinstance(call_argument, str):
From PyCQA/bandit: bandit/plugins/asserts.py
@test.checks('Assert')
def assert_used(context):
    return bandit.Issue(
        severity=bandit.LOW,
        confidence=bandit.HIGH,
        text=("Use of assert detected. The enclosed code "
              "will be removed when compiling to optimised byte code.")
From PyCQA/bandit: bandit/plugins/try_except_pass.py
@test.checks('ExceptHandler')
@test.test_id('B110')
def try_except_pass(context, config):
    """Flag an ``except`` handler whose only statement is ``pass``.

    Unless ``config['check_typed_exception']`` is set, a handler that names
    a specific exception type (anything other than a bare ``Exception``
    name) is left alone; only untyped and ``except Exception:`` handlers
    are reported.

    :param context: bandit ``Context`` for the ``ExceptHandler`` node.
    :param config: plugin config; ``check_typed_exception`` is read.
    :return: a ``bandit.Issue`` (LOW severity, HIGH confidence), or ``None``.
    """
    handler = context.node
    if len(handler.body) != 1:
        return None

    exc_type = handler.type
    typed_handlers_skipped = not config['check_typed_exception']
    if typed_handlers_skipped and exc_type is not None:
        # A tuple of types or a dotted name has no ``id`` and is treated as
        # "typed" here, so it is skipped as well.
        if getattr(exc_type, 'id', None) != 'Exception':
            return None

    if not isinstance(handler.body[0], ast.Pass):
        return None

    return bandit.Issue(
        severity=bandit.LOW,
        confidence=bandit.HIGH,
        text="Try, Except, Pass detected.",
    )
From PyCQA/bandit: bandit/plugins/crypto_request_no_cert_validation.py
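@test.checks('Call')
@test.test_id('B501')
def request_with_no_cert_validation(context):
    """**B501: Test for ``requests`` calls that disable certificate checks**

    Flags ``requests.<verb>(..., verify=False)``. With verification off the
    peer's TLS certificate is never checked, so the connection can be
    intercepted by anyone able to present any certificate.

    :param context: bandit ``Context`` for the ``Call`` node under test.
    :return: a ``bandit.Issue`` (HIGH severity, HIGH confidence) anchored on
        the ``verify`` argument, or ``None`` when the call is not a
        ``requests`` HTTP verb or ``verify`` is not literally ``False``.
    """
    http_verbs = ('get', 'options', 'head', 'post', 'put', 'patch', 'delete')

    # Only a string qualname can be inspected (same guard the other ``Call``
    # plugins use before splitting the dotted name).
    qualname = context.call_function_name_qual
    if not isinstance(qualname, str):
        return None
    # Match ``requests`` as a component of the dotted name, not as a
    # substring: ``'requests' in qualname`` also fired on any module whose
    # name merely contains "requests" (constructed example: ``myrequests.get``).
    if 'requests' not in qualname.split('.'):
        return None
    if context.call_function_name not in http_verbs:
        return None
    if not context.check_call_arg_value('verify', 'False'):
        return None

    return bandit.Issue(
        severity=bandit.HIGH,
        confidence=bandit.HIGH,
        text="Requests call with verify=False disabling SSL "
             "certificate checks, security issue.",
        lineno=context.get_lineno_for_call_arg('verify'),
    )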
From PyCQA/bandit: bandit/plugins/django_xss.py
@test.checks('Call')
@test.test_id('B703')
def django_mark_safe(context):
    """**B703: Potential XSS on mark_safe function**

    .. seealso::

     - https://docs.djangoproject.com/en/dev/topics/
        security/#cross-site-scripting-xss-protection
     - https://docs.djangoproject.com/en/dev/
        ref/utils/#module-django.utils.safestring
     - https://docs.djangoproject.com/en/dev/
        ref/utils/#django.utils.html.format_html

    .. versionadded:: 1.5.0

    """