bandit.blacklists package¶
Submodules¶
bandit.blacklists.calls module¶
Blacklist various Python calls known to be dangerous¶
This blacklist data checks for a number of Python calls known to have possible security implications. The following blacklist tests are run against any function calls encoutered in the scanned code base, triggered by encoutering ast.Call nodes.
B301: pickle¶
Pickle library appears to be in use, possible security issue.
ID | Name | Calls | Severity |
---|---|---|---|
B301 | pickle |
|
Medium |
B302: marshal¶
Deserialization with the marshal module is possibly dangerous.
ID | Name | Calls | Severity |
---|---|---|---|
B302 | marshal |
|
Medium |
B303: md5¶
Use of insecure MD2, MD4, or MD5 hash function.
ID | Name | Calls | Severity |
---|---|---|---|
B303 | md5 |
|
Medium |
B304 - B305: ciphers and modes¶
Use of insecure cipher or cipher mode. Replace with a known secure cipher such as AES.
ID | Name | Calls | Severity |
---|---|---|---|
B304 | ciphers |
|
High |
B305 | cipher_modes |
|
Medium |
B306: mktemp_q¶
Use of insecure and deprecated function (mktemp).
ID | Name | Calls | Severity |
---|---|---|---|
B306 | mktemp_q |
|
Medium |
B307: eval¶
Use of possibly insecure function - consider using safer ast.literal_eval.
ID | Name | Calls | Severity |
---|---|---|---|
B307 | eval |
|
Medium |
B308: mark_safe¶
Use of mark_safe() may expose cross-site scripting vulnerabilities and should be reviewed.
ID | Name | Calls | Severity |
---|---|---|---|
B308 | mark_safe |
|
Medium |
B309: httpsconnection¶
Use of HTTPSConnection on older versions of Python prior to 2.7.9 and 3.4.3 do not provide security, see https://wiki.openstack.org/wiki/OSSN/OSSN-0033
ID | Name | Calls | Severity |
---|---|---|---|
B309 | httpsconnection |
|
Medium |
B310: urllib_urlopen¶
Audit url open for permitted schemes. Allowing use of ‘file:” or custom schemes is often unexpected.
ID | Name | Calls | Severity |
---|---|---|---|
B310 | urllib_urlopen |
|
Medium |
B311: random¶
Standard pseudo-random generators are not suitable for security/cryptographic purposes.
ID | Name | Calls | Severity |
---|---|---|---|
B311 | random |
|
Low |
B312: telnetlib¶
Telnet-related functions are being called. Telnet is considered insecure. Use SSH or some other encrypted protocol.
ID | Name | Calls | Severity |
---|---|---|---|
B312 | telnetlib |
|
High |
B313 - B320: XML¶
Most of this is based off of Christian Heimes’ work on defusedxml: https://pypi.python.org/pypi/defusedxml/#defusedxml-sax
Using various XLM methods to parse untrusted XML data is known to be vulnerable to XML attacks. Methods should be replaced with their defusedxml equivalents.
ID | Name | Calls | Severity |
---|---|---|---|
B313 | xml_bad_cElementTree |
|
Medium |
B314 | xml_bad_ElementTree |
|
Medium |
B315 | xml_bad_expatreader |
|
Medium |
B316 | xml_bad_expatbuilder |
|
Medium |
B317 | xml_bad_sax |
|
Medium |
B318 | xml_bad_minidom |
|
Medium |
B319 | xml_bad_pulldom |
|
Medium |
B320 | xml_bad_etree |
|
Medium |
B321: ftplib¶
FTP-related functions are being called. FTP is considered insecure. Use SSH/SFTP/SCP or some other encrypted protocol.
ID | Name | Calls | Severity |
---|---|---|---|
B321 | ftplib |
|
High |
B322: input¶
The input method in Python 2 will read from standard input, evaluate and run the resulting string as python source code. This is similar, though in many ways worse, then using eval. On Python 2, use raw_input instead, input is safe in Python 3.
ID | Name | Calls | Severity |
---|---|---|---|
B322 | input |
|
High |
B323: unverified_context¶
By default, Python will create a secure, verified ssl context for use in such classes as HTTPSConnection. However, it still allows using an insecure context via the _create_unverified_context that reverts to the previous behavior that does not validate certificates or perform hostname checks.
ID | Name | Calls | Severity |
---|---|---|---|
B322 | unverified_context |
|
Medium |
-
bandit.blacklists.calls.
gen_blacklist
()¶ Generate a list of items to blacklist.
Methods of this type, “bandit.blacklist” plugins, are used to build a list of items that bandit’s built in blacklisting tests will use to trigger issues. They replace the older blacklist* test plugins and allow blacklisted items to have a unique bandit ID for filtering and profile usage.
Returns: a dictionary mapping node types to a list of blacklist data
bandit.blacklists.imports module¶
Blacklist various Python imports known to be dangerous¶
This blacklist data checks for a number of Python modules known to have possible security implications. The following blacklist tests are run against any import statements or calls encountered in the scanned code base.
Note that the XML rules listed here are mostly based off of Christian Heimes’ work on defusedxml: https://pypi.python.org/pypi/defusedxml
B401: import_telnetlib¶
A telnet-related module is being imported. Telnet is considered insecure. Use SSH or some other encrypted protocol.
ID | Name | Imports | Severity |
---|---|---|---|
B401 | import_telnetlib |
|
high |
B402: import_ftplib¶
A FTP-related module is being imported. FTP is considered insecure. Use SSH/SFTP/SCP or some other encrypted protocol.
ID | Name | Imports | Severity |
---|---|---|---|
B402 | inport_ftplib |
|
high |
B403: import_pickle¶
Consider possible security implications associated with these modules.
ID | Name | Imports | Severity |
---|---|---|---|
B403 | import_pickle |
|
low |
B404: import_subprocess¶
Consider possible security implications associated with these modules.
ID | Name | Imports | Severity |
---|---|---|---|
B404 | import_subprocess |
|
low |
B405: import_xml_etree¶
Using various methods to parse untrusted XML data is known to be vulnerable to XML attacks. Replace vulnerable imports with the equivalent defusedxml package, or make sure defusedxml.defuse_stdlib() is called.
ID | Name | Imports | Severity |
---|---|---|---|
B405 | import_xml_etree |
|
low |
B406: import_xml_sax¶
Using various methods to parse untrusted XML data is known to be vulnerable to XML attacks. Replace vulnerable imports with the equivalent defusedxml package, or make sure defusedxml.defuse_stdlib() is called.
ID | Name | Imports | Severity |
---|---|---|---|
B406 | import_xml_sax |
|
low |
B407: import_xml_expat¶
Using various methods to parse untrusted XML data is known to be vulnerable to XML attacks. Replace vulnerable imports with the equivalent defusedxml package, or make sure defusedxml.defuse_stdlib() is called.
ID | Name | Imports | Severity |
---|---|---|---|
B407 | import_xml_expat |
|
low |
B408: import_xml_minidom¶
Using various methods to parse untrusted XML data is known to be vulnerable to XML attacks. Replace vulnerable imports with the equivalent defusedxml package, or make sure defusedxml.defuse_stdlib() is called.
ID | Name | Imports | Severity |
---|---|---|---|
B408 | import_xml_minidom |
|
low |
B409: import_xml_pulldom¶
Using various methods to parse untrusted XML data is known to be vulnerable to XML attacks. Replace vulnerable imports with the equivalent defusedxml package, or make sure defusedxml.defuse_stdlib() is called.
ID | Name | Imports | Severity |
---|---|---|---|
B409 | import_xml_pulldom |
|
low |
B410: import_lxml¶
Using various methods to parse untrusted XML data is known to be vulnerable to XML attacks. Replace vulnerable imports with the equivalent defusedxml package.
ID | Name | Imports | Severity |
---|---|---|---|
B410 | import_lxml |
|
low |
B411: import_xmlrpclib¶
XMLRPC is particularly dangerous as it is also concerned with communicating data over a network. Use defused.xmlrpc.monkey_patch() function to monkey-patch xmlrpclib and mitigate remote XML attacks.
ID | Name | Imports | Severity |
---|---|---|---|
B411 | import_xmlrpclib |
|
high |
B412: import_httpoxy¶
httpoxy is a set of vulnerabilities that affect application code running in CGI, or CGI-like environments. The use of CGI for web applications should be avoided to prevent this class of attack. More details are available at https://httpoxy.org/.
ID | Name | Imports | Severity |
---|---|---|---|
B412 | import_httpoxy |
|
high |
-
bandit.blacklists.imports.
gen_blacklist
()¶ Generate a list of items to blacklist.
Methods of this type, “bandit.blacklist” plugins, are used to build a list of items that bandit’s built in blacklisting tests will use to trigger issues. They replace the older blacklist* test plugins and allow blacklisted items to have a unique bandit ID for filtering and profile usage.
Returns: a dictionary mapping node types to a list of blacklist data
bandit.blacklists.utils module¶
-
bandit.blacklists.utils.
build_conf_dict
(name, bid, qualnames, message, level=’MEDIUM’)¶ Build and return a blacklist configuration dict.