From 3df571af5c51e5bb8cc2aabdd3de8fc215d9de9b Mon Sep 17 00:00:00 2001 
From: "david.marinho@codacy.com" Date: Wed, 23 Jul 2025 11:58:46 +0100 Subject: [PATCH 1/5] Bump Bandit 1.8.6 --- .gitignore | 4 + .../BlacklistDocTransformer.scala | 1 + .../transformers/PluginsDocGenerator.scala | 6 +- docs/description/B101.md | 175 +++++++- docs/description/B102.md | 168 ++++++- docs/description/B103.md | 195 +++++++-- docs/description/B104.md | 171 +++++++- docs/description/B105.md | 208 +++++++-- docs/description/B106.md | 202 +++++++-- docs/description/B107.md | 203 +++++++-- docs/description/B108.md | 172 +++++++- docs/description/B109.md | 200 ++++++++- docs/description/B110.md | 182 ++++++-- docs/description/B111.md | 214 ++++++++- docs/description/B112.md | 182 ++++++-- docs/description/B113.md | 192 ++++++-- docs/description/B201.md | 189 ++++++-- docs/description/B202.md | 173 +++++++- docs/description/B324.md | 171 +++++++- docs/description/B501.md | 185 +++++++- docs/description/B502.md | 223 +++++++--- docs/description/B503.md | 175 +++++++- docs/description/B504.md | 178 +++++++- docs/description/B505.md | 184 +++++++- docs/description/B506.md | 186 +++++++- docs/description/B507.md | 185 +++++++- docs/description/B508.md | 171 +++++++- docs/description/B509.md | 172 +++++++- docs/description/B601.md | 185 +++++++- docs/description/B602.md | 241 ++++++---- docs/description/B603.md | 199 +++++++-- docs/description/B604.md | 214 ++++++--- docs/description/B605.md | 219 +++++++--- docs/description/B606.md | 207 ++++++--- docs/description/B607.md | 222 +++++++--- docs/description/B608.md | 176 +++++++- docs/description/B609.md | 216 ++++++--- docs/description/B610.md | 169 ++++++- docs/description/B611.md | 169 ++++++- docs/description/B612.md | 186 +++++++- docs/description/B613.md | 162 +++++++ docs/description/B614.md | 162 +++++++ docs/description/B615.md | 161 +++++++ docs/description/B701.md | 205 +++++++-- docs/description/B702.md | 185 +++++++- docs/description/B703.md | 169 ++++++- docs/description/B704.md | 161 +++++++ 
docs/description/description.json | 296 +++---------- docs/patterns.json | 412 ++++-------------- requirements.txt | 2 +- 50 files changed, 7225 insertions(+), 1760 deletions(-) create mode 100644 docs/description/B613.md create mode 100644 docs/description/B614.md create mode 100644 docs/description/B615.md create mode 100644 docs/description/B704.md diff --git a/.gitignore b/.gitignore index c3d3eb8..2702871 100755 --- a/.gitignore +++ b/.gitignore @@ -17,3 +17,7 @@ .bloop .metals .bsp/ + + +#Ignore vscode AI rules +.github/copilot-instructions.md diff --git a/doc-generator/src/main/scala/docs/transformers/BlacklistDocTransformer.scala b/doc-generator/src/main/scala/docs/transformers/BlacklistDocTransformer.scala index 439e6f2..c752ac9 100644 --- a/doc-generator/src/main/scala/docs/transformers/BlacklistDocTransformer.scala +++ b/doc-generator/src/main/scala/docs/transformers/BlacklistDocTransformer.scala @@ -70,6 +70,7 @@ object BlacklistDocTransformer extends IPatternDocTransformer { Level.Warn, Pattern.Category.Security, SecuritySubcategories.get(patternIdCapitalized), + Some(Pattern.ScanType.SAST), Set.empty, Set.empty, enabled = DefaultPatterns.list.contains(patternIdCapitalized.value) diff --git a/doc-generator/src/main/scala/docs/transformers/PluginsDocGenerator.scala b/doc-generator/src/main/scala/docs/transformers/PluginsDocGenerator.scala index c780f86..99ddae2 100644 --- a/doc-generator/src/main/scala/docs/transformers/PluginsDocGenerator.scala +++ b/doc-generator/src/main/scala/docs/transformers/PluginsDocGenerator.scala @@ -4,7 +4,7 @@ import docs.transformers.utils.HtmlLoader import scala.xml._ import better.files._ -import com.codacy.plugins.api.results.Pattern.Category +import com.codacy.plugins.api.results.Pattern.{Category, ScanType} import com.codacy.plugins.api.results.Result.Level import com.codacy.plugins.api.results.Pattern import docs.{DefaultPatterns, SecuritySubcategories} 
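Review bot: The added `Some(Pattern.ScanType.SAST),` is slotted positionally into a constructor call whose neighbours are two indistinguishable `Set.empty` arguments, so an argument-order slip here would compile and silently land the value in the wrong field. Naming the new argument, as `enabled =` already is on the last context line — e.g. `scanType = Some(Pattern.ScanType.SAST),` if that is what the Pattern API calls the parameter — pins it to the intended field and documents which of the new 1.8.6-era fields it fills. The call this hunk patches begins above the hunk, so the earlier positional arguments are not visible here.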
@@ -52,7 +52,7 @@ object PluginsDocTransformer extends IPatternDocTransformer {
 divs <- htmlPluginsDocs
 if (divs \@ "id").startsWith(patternId.value.toLowerCase())
 divsChildren <- divs.child.filter { node =>
- val l = node.labels
+ val l = node.label
 l == "h1" || l == "h2" || l == "p"
 }
 } yield divsChildren
@@ -80,6 +80,8 @@ object PluginsDocTransformer extends IPatternDocTransformer {
 severity,
 Category.Security,
 SecuritySubcategories.get(patternIdCapitalized),
+ Some(ScanType.SAST),
+ Set.empty,
 Set.empty,
 enabled = DefaultPatterns.list.contains(patternIdCapitalized.value)
 )
diff --git a/docs/description/B101.md b/docs/description/B101.md
index d76e5e0..031b59b 100644
--- a/docs/description/B101.md
+++ b/docs/description/B101.md
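Review bot: The `node.labels` → `node.label` correction makes the child filter run, but the filter still keeps only `h1`/`h2`/`p` children, which discards the `pre`, `ul` and code blocks that carry each plugin's example finding, severity/CWE line and config options — and the regenerated `docs/description/B1xx.md` files further down this patch contain only the Sphinx sidebar navigation and page footer, with no rule body at all. If those descriptions are produced by this transformer, the `(divs \@ "id").startsWith(...)` prefix match looks like it is selecting the wrong container in the 1.8.6 HTML and should be checked before the descriptions ship, since the description is the only explanation a user sees for a security finding. Whether or not that is the cause, a comment on the filter such as `// keep only heading/paragraph children of the plugin section; example and config blocks are intentionally dropped` would record whether the narrowing is deliberate. The enclosing for-comprehension starts above this hunk.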
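Review bot: `Some(ScanType.SAST),` and the second `Set.empty,` are inserted positionally into a call whose adjacent arguments are already indistinguishable `Set.empty` values, so nothing in the hunk says which Pattern fields the two new arguments fill, and a later reordering of the API would compile unchanged with the values shifted. Naming them, as `enabled =` already is on the last context line — e.g. `scanType = Some(ScanType.SAST),` if that is the parameter's name — makes the mapping checkable and keeps this call consistent with the sibling change in BlacklistDocTransformer. The constructor call this hunk patches begins above the hunk.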
@@ -1,33 +1,160 @@ -## B101: Test for use of assert +Bandit -This plugin test checks for the use of the Python `assert` keyword. It -was discovered that some projects used assert to enforce interface -constraints. However, assert is removed with compiling to optimised byte -code (python -o producing \*.pyo files). This caused various protections -to be removed. Consider raising a semantically meaningful error or -`AssertionError` instead. +- Getting + Started +- Configuration +- Integrations +- Test + Plugins + - Writing Tests + - Config Generation + - Example Test Plugin + - Plugin ID Groupings + - Complete Test Plugin Listing + - B101: + assert_used + - B102: exec_used + - B103: set_bad_file_permissions + - B104: + hardcoded_bind_all_interfaces + - B105: hardcoded_password_string + - B106: + hardcoded_password_funcarg + - B107: + hardcoded_password_default + - B108: hardcoded_tmp_directory + - B109: + password_config_option_not_marked_secret + - B110: try_except_pass + - B111: + execute_with_run_as_root_equals_true + - B112: try_except_continue + - B113: request_without_timeout + - B201: flask_debug_true + - B202: tarfile_unsafe_members + - B324: hashlib + - B501: + request_with_no_cert_validation + - B502: ssl_with_bad_version + - B503: ssl_with_bad_defaults + - B504: ssl_with_no_version + - B505: weak_cryptographic_key + - B506: yaml_load + - B507: + ssh_no_host_key_verification + - B508: snmp_insecure_version + - B509: snmp_weak_cryptography + - B601: paramiko_calls + - B602: + subprocess_popen_with_shell_equals_true + - B603: + subprocess_without_shell_equals_true + - B604: + any_other_function_with_shell_equals_true + - B605: + start_process_with_a_shell + - B606: + start_process_with_no_shell + - B607: + start_process_with_partial_path + - B608: hardcoded_sql_expressions + - B609: + linux_commands_wildcard_injection + - B610: django_extra_used + - B611: django_rawsql_used + - B612: + logging_config_insecure_listen + - B613: trojansource + - B614: 
pytorch_load + - B615: + huggingface_unsafe_download + - B701: jinja2_autoescape_false + - B702: use_of_mako_templates + - B703: django_mark_safe + - B704: markupsafe_markup_xss +- Blacklist Plugins +- Report Formatters +- Continuous Integration and Deployment (CI/CD) +- Frequently + Asked Questions -Please see - -for more info on `assert`. +Bandit -**Config Options:** +- +- Test Plugins +- B101: assert_used +- View page source -You can configure files that skip this check. This is often useful when -you use assert statements in test cases. +------------------------------------------------------------------------ -`assert_used: -skips: ['*_test.py', '*test_*.py']` +# B101: assert_used + +Next -Example: +------------------------------------------------------------------------ - +© Copyright 2025, Bandit Developers. - >> Issue: Use of assert detected. The enclosed code will be removed when - compiling to optimised byte code. - Severity: Low Confidence: High - CWE: CWE-703 (https://cwe.mitre.org/data/definitions/703.html) - Location: ./examples/assert.py:1 - 1 assert logged_in - 2 display_assets() \ No newline at end of file +Built with Sphinx +using a theme provided by +Read the Docs. diff --git a/docs/description/B102.md b/docs/description/B102.md index 422279e..a668440 100644 --- a/docs/description/B102.md +++ b/docs/description/B102.md 
@@ -1,14 +1,162 @@ -## B102: Test for the use of exec +Bandit -This plugin test checks for the use of Python’s exec method or keyword. -The Python docs succinctly describe why the use of exec is risky. +- Getting + Started +- Configuration +- Integrations +- Test + Plugins + - Writing Tests + - Config Generation + - Example Test Plugin + - Plugin ID Groupings + - Complete Test Plugin Listing + - B101: assert_used + - B102: + exec_used + - B103: set_bad_file_permissions + - B104: + hardcoded_bind_all_interfaces + - B105: hardcoded_password_string + - B106: + hardcoded_password_funcarg + - B107: + hardcoded_password_default + - B108: hardcoded_tmp_directory + - B109: + password_config_option_not_marked_secret + - B110: try_except_pass + - B111: + execute_with_run_as_root_equals_true + - B112: try_except_continue + - B113: request_without_timeout + - B201: flask_debug_true + - B202: tarfile_unsafe_members + - B324: hashlib + - B501: + request_with_no_cert_validation + - B502: ssl_with_bad_version + - B503: ssl_with_bad_defaults + - B504: ssl_with_no_version + - B505: weak_cryptographic_key + - B506: yaml_load + - B507: + ssh_no_host_key_verification + - B508: snmp_insecure_version + - B509: snmp_weak_cryptography + - B601: paramiko_calls + - B602: + subprocess_popen_with_shell_equals_true + - B603: + subprocess_without_shell_equals_true + - B604: + any_other_function_with_shell_equals_true + - B605: + start_process_with_a_shell + - B606: + start_process_with_no_shell + - B607: + start_process_with_partial_path + - B608: hardcoded_sql_expressions + - B609: + linux_commands_wildcard_injection + - B610: django_extra_used + - B611: django_rawsql_used + - B612: + logging_config_insecure_listen + - B613: trojansource + - B614: pytorch_load + - B615: + huggingface_unsafe_download + - B701: jinja2_autoescape_false + - B702: use_of_mako_templates + - B703: django_mark_safe + - B704: markupsafe_markup_xss +- Blacklist Plugins +- Report Formatters +- Continuous Integration and 
Deployment (CI/CD) +- Frequently + Asked Questions -Example: +Bandit - +- +- Test Plugins +- B102: exec_used +- View page source - >> Issue: Use of exec detected. - Severity: Medium Confidence: High - CWE: CWE-78 (https://cwe.mitre.org/data/definitions/78.html) - Location: ./examples/exec.py:2 - 1 exec("do evil") \ No newline at end of file +------------------------------------------------------------------------ + +# B102: exec_used + +Previous + + +------------------------------------------------------------------------ + +© Copyright 2025, Bandit Developers. + +Built with Sphinx +using a theme provided by +Read the Docs. diff --git a/docs/description/B103.md b/docs/description/B103.md index 3b9a077..0fc0086 100644 --- a/docs/description/B103.md +++ b/docs/description/B103.md 
@@ -1,33 +1,162 @@ -## B103: Test for setting permissive file permissions - -POSIX based operating systems utilize a permissions model to protect -access to parts of the file system. This model supports three roles -“owner”, “group” and “world” each role may have a combination of “read”, -“write” or “execute” flags sets. Python provides `chmod` to manipulate -POSIX style permissions. - -This plugin test looks for the use of `chmod` and will alert when it is -used to set particularly permissive control flags. A MEDIUM warning is -generated if a file is set to group executable and a HIGH warning is -reported if a file is set world writable. Warnings are given with HIGH -confidence. - -Example: - - - - >> Issue: Probable insecure usage of temp file/directory. - Severity: Medium Confidence: Medium - CWE: CWE-732 (https://cwe.mitre.org/data/definitions/732.html) - Location: ./examples/os-chmod.py:15 - 14 os.chmod('/etc/hosts', 0o777) - 15 os.chmod('/tmp/oh_hai', 0x1ff) - 16 os.chmod('/etc/passwd', stat.S_IRWXU) - - >> Issue: Chmod setting a permissive mask 0777 on file (key_file). 
- Severity: High Confidence: High - CWE: CWE-732 (https://cwe.mitre.org/data/definitions/732.html) - Location: ./examples/os-chmod.py:17 - 16 os.chmod('/etc/passwd', stat.S_IRWXU) - 17 os.chmod(key_file, 0o777) - 18 \ No newline at end of file +Bandit + +- Getting + Started +- Configuration +- Integrations +- Test + Plugins + - Writing Tests + - Config Generation + - Example Test Plugin + - Plugin ID Groupings + - Complete Test Plugin Listing + - B101: assert_used + - B102: exec_used + - B103: + set_bad_file_permissions + - B104: + hardcoded_bind_all_interfaces + - B105: hardcoded_password_string + - B106: + hardcoded_password_funcarg + - B107: + hardcoded_password_default + - B108: hardcoded_tmp_directory + - B109: + password_config_option_not_marked_secret + - B110: try_except_pass + - B111: + execute_with_run_as_root_equals_true + - B112: try_except_continue + - B113: request_without_timeout + - B201: flask_debug_true + - B202: tarfile_unsafe_members + - B324: hashlib + - B501: + request_with_no_cert_validation + - B502: ssl_with_bad_version + - B503: ssl_with_bad_defaults + - B504: ssl_with_no_version + - B505: weak_cryptographic_key + - B506: yaml_load + - B507: + ssh_no_host_key_verification + - B508: snmp_insecure_version + - B509: snmp_weak_cryptography + - B601: paramiko_calls + - B602: + subprocess_popen_with_shell_equals_true + - B603: + subprocess_without_shell_equals_true + - B604: + any_other_function_with_shell_equals_true + - B605: + start_process_with_a_shell + - B606: + start_process_with_no_shell + - B607: + start_process_with_partial_path + - B608: hardcoded_sql_expressions + - B609: + linux_commands_wildcard_injection + - B610: django_extra_used + - B611: django_rawsql_used + - B612: + logging_config_insecure_listen + - B613: trojansource + - B614: pytorch_load + - B615: + huggingface_unsafe_download + - B701: jinja2_autoescape_false + - B702: use_of_mako_templates + - B703: django_mark_safe + - B704: markupsafe_markup_xss +- Blacklist Plugins 
+- Report Formatters +- Continuous Integration and Deployment (CI/CD) +- Frequently + Asked Questions + +Bandit + +- +- Test Plugins +- B103: set_bad_file_permissions +- View page source + +------------------------------------------------------------------------ + +# B103: set_bad_file_permissions + +Previous + + +------------------------------------------------------------------------ + +© Copyright 2025, Bandit Developers. + +Built with Sphinx +using a theme provided by +Read the Docs. diff --git a/docs/description/B104.md b/docs/description/B104.md index f5c467a..e0fda53 100644 --- a/docs/description/B104.md +++ b/docs/description/B104.md 
@@ -1,18 +1,161 @@ -## B104: Test for binding to all interfaces +Bandit -Binding to all network interfaces can potentially open up a service to -traffic on unintended interfaces, that may not be properly documented or -secured. This plugin test looks for a string pattern “0.0.0.0” that may -indicate a hardcoded binding to all network interfaces. +- Getting + Started +- Configuration +- Integrations +- Test + Plugins + - Writing Tests + - Config Generation + - Example Test Plugin + - Plugin ID Groupings + - Complete Test Plugin Listing + - B101: assert_used + - B102: exec_used + - B103: set_bad_file_permissions + - B104: + hardcoded_bind_all_interfaces + - B105: hardcoded_password_string + - B106: + hardcoded_password_funcarg + - B107: + hardcoded_password_default + - B108: hardcoded_tmp_directory + - B109: + password_config_option_not_marked_secret + - B110: try_except_pass + - B111: + execute_with_run_as_root_equals_true + - B112: try_except_continue + - B113: request_without_timeout + - B201: flask_debug_true + - B202: tarfile_unsafe_members + - B324: hashlib + - B501: + request_with_no_cert_validation + - B502: ssl_with_bad_version + - B503: ssl_with_bad_defaults + - B504: ssl_with_no_version + - B505: weak_cryptographic_key + - B506: yaml_load + - B507: + ssh_no_host_key_verification + - B508: snmp_insecure_version + - B509: snmp_weak_cryptography + - B601: paramiko_calls + - B602: + subprocess_popen_with_shell_equals_true + - B603: + subprocess_without_shell_equals_true + - B604: + any_other_function_with_shell_equals_true + - B605: + start_process_with_a_shell + - B606: + start_process_with_no_shell + - B607: + start_process_with_partial_path + - B608: hardcoded_sql_expressions + - B609: + linux_commands_wildcard_injection + - B610: django_extra_used + - B611: django_rawsql_used + - B612: + logging_config_insecure_listen + - B613: trojansource + - B614: pytorch_load + - B615: + huggingface_unsafe_download + - B701: jinja2_autoescape_false + - B702: 
use_of_mako_templates + - B703: django_mark_safe + - B704: markupsafe_markup_xss +- Blacklist Plugins +- Report Formatters +- Continuous Integration and Deployment (CI/CD) +- Frequently + Asked Questions -Example: +Bandit - +- +- Test Plugins +- B104: hardcoded_bind_all_interfaces +- View page source - >> Issue: Possible binding to all interfaces. - Severity: Medium Confidence: Medium - CWE: CWE-605 (https://cwe.mitre.org/data/definitions/605.html) - Location: ./examples/binding.py:4 - 3 s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) - 4 s.bind(('0.0.0.0', 31137)) - 5 s.bind(('192.168.0.1', 8080)) \ No newline at end of file +------------------------------------------------------------------------ + +# B104: hardcoded_bind_all_interfaces + + + + +------------------------------------------------------------------------ + +© Copyright 2025, Bandit Developers. + +Built with Sphinx +using a theme provided by +Read the Docs. diff --git a/docs/description/B105.md b/docs/description/B105.md index ed2a8aa..78c1b7b 100644 --- a/docs/description/B105.md +++ b/docs/description/B105.md 
@@ -1,46 +1,162 @@ -**B105: Test for use of hard-coded password strings** - -The use of hard-coded passwords increases the possibility of password -guessing tremendously. This plugin test looks for all string literals -and checks the following conditions: - -- assigned to a variable that looks like a password - -- assigned to a dict key that looks like a password - -- used in a comparison with a variable that looks like a password - -Variables are considered to look like a password if they have match any -one of: - -- “password” - -- “pass” - -- “passwd” - -- “pwd” - -- “secret” - -- “token” - -- “secrete” - -Note: this can be noisy and may generate false positives. - -**Config Options:** - -None - -Example - - - - >> Issue: Possible hardcoded password '(root)' - Severity: Low Confidence: Low - Location: ./examples/hardcoded-passwords.py:5 - 4 def someFunction2(password): - 5 if password == "root": - 6 print("OK, logged in") - +Bandit + +- Getting + Started +- Configuration +- Integrations +- Test + Plugins + - Writing Tests + - Config Generation + - Example Test Plugin + - Plugin ID Groupings + - Complete Test Plugin Listing + - B101: assert_used + - B102: exec_used + - B103: set_bad_file_permissions + - B104: + hardcoded_bind_all_interfaces + - B105: + hardcoded_password_string + - B106: + hardcoded_password_funcarg + - B107: + hardcoded_password_default + - B108: hardcoded_tmp_directory + - B109: + password_config_option_not_marked_secret + - B110: try_except_pass + - B111: + execute_with_run_as_root_equals_true + - B112: try_except_continue + - B113: request_without_timeout + - B201: flask_debug_true + - B202: tarfile_unsafe_members + - B324: hashlib + - B501: + request_with_no_cert_validation + - B502: ssl_with_bad_version + - B503: ssl_with_bad_defaults + - B504: ssl_with_no_version + - B505: weak_cryptographic_key + - B506: yaml_load + - B507: + ssh_no_host_key_verification + - B508: snmp_insecure_version + - B509: snmp_weak_cryptography + - B601: 
paramiko_calls + - B602: + subprocess_popen_with_shell_equals_true + - B603: + subprocess_without_shell_equals_true + - B604: + any_other_function_with_shell_equals_true + - B605: + start_process_with_a_shell + - B606: + start_process_with_no_shell + - B607: + start_process_with_partial_path + - B608: hardcoded_sql_expressions + - B609: + linux_commands_wildcard_injection + - B610: django_extra_used + - B611: django_rawsql_used + - B612: + logging_config_insecure_listen + - B613: trojansource + - B614: pytorch_load + - B615: + huggingface_unsafe_download + - B701: jinja2_autoescape_false + - B702: use_of_mako_templates + - B703: django_mark_safe + - B704: markupsafe_markup_xss +- Blacklist Plugins +- Report Formatters +- Continuous Integration and Deployment (CI/CD) +- Frequently + Asked Questions + +Bandit + +- +- Test Plugins +- B105: hardcoded_password_string +- View page source + +------------------------------------------------------------------------ + +# B105: hardcoded_password_string + + + + +------------------------------------------------------------------------ + +© Copyright 2025, Bandit Developers. + +Built with Sphinx +using a theme provided by +Read the Docs. diff --git a/docs/description/B106.md b/docs/description/B106.md index 6feacfe..95e0f02 100644 --- a/docs/description/B106.md +++ b/docs/description/B106.md 
@@ -1,41 +1,161 @@ -**B106: Test for use of hard-coded password function arguments** - -The use of hard-coded passwords increases the possibility of password -guessing tremendously. This plugin test looks for all function calls -being passed a keyword argument that is a string literal. It checks that -the assigned local variable does not look like a password. - -Variables are considered to look like a password if they have match any -one of: - -- “password” - -- “pass” - -- “passwd” - -- “pwd” - -- “secret” - -- “token” - -- “secrete” - -Note: this can be noisy and may generate false positives. - -**Config Options:** - -None - -Example - - - - >> Issue: [B106:hardcoded_password_funcarg] Possible hardcoded - password: 'blerg' - Severity: Low Confidence: Medium - Location: ./examples/hardcoded-passwords.py:16 - 15 - 16 doLogin(password="blerg") - +Bandit + +- Getting + Started +- Configuration +- Integrations +- Test + Plugins + - Writing Tests + - Config Generation + - Example Test Plugin + - Plugin ID Groupings + - Complete Test Plugin Listing + - B101: assert_used + - B102: exec_used + - B103: set_bad_file_permissions + - B104: + hardcoded_bind_all_interfaces + - B105: hardcoded_password_string + - B106: + hardcoded_password_funcarg + - B107: + hardcoded_password_default + - B108: hardcoded_tmp_directory + - B109: + password_config_option_not_marked_secret + - B110: try_except_pass + - B111: + execute_with_run_as_root_equals_true + - B112: try_except_continue + - B113: request_without_timeout + - B201: flask_debug_true + - B202: tarfile_unsafe_members + - B324: hashlib + - B501: + request_with_no_cert_validation + - B502: ssl_with_bad_version + - B503: ssl_with_bad_defaults + - B504: ssl_with_no_version + - B505: weak_cryptographic_key + - B506: yaml_load + - B507: + ssh_no_host_key_verification + - B508: snmp_insecure_version + - B509: snmp_weak_cryptography + - B601: paramiko_calls + - B602: + subprocess_popen_with_shell_equals_true + - B603: + 
subprocess_without_shell_equals_true + - B604: + any_other_function_with_shell_equals_true + - B605: + start_process_with_a_shell + - B606: + start_process_with_no_shell + - B607: + start_process_with_partial_path + - B608: hardcoded_sql_expressions + - B609: + linux_commands_wildcard_injection + - B610: django_extra_used + - B611: django_rawsql_used + - B612: + logging_config_insecure_listen + - B613: trojansource + - B614: pytorch_load + - B615: + huggingface_unsafe_download + - B701: jinja2_autoescape_false + - B702: use_of_mako_templates + - B703: django_mark_safe + - B704: markupsafe_markup_xss +- Blacklist Plugins +- Report Formatters +- Continuous Integration and Deployment (CI/CD) +- Frequently + Asked Questions + +Bandit + +- +- Test Plugins +- B106: hardcoded_password_funcarg +- View page source + +------------------------------------------------------------------------ + +# B106: hardcoded_password_funcarg + + + + +------------------------------------------------------------------------ + +© Copyright 2025, Bandit Developers. + +Built with Sphinx +using a theme provided by +Read the Docs. diff --git a/docs/description/B107.md b/docs/description/B107.md index bed135d..25cb587 100644 --- a/docs/description/B107.md +++ b/docs/description/B107.md 
@@ -1,42 +1,161 @@ -**B107: Test for use of hard-coded password argument defaults** - -The use of hard-coded passwords increases the possibility of password -guessing tremendously. This plugin test looks for all function -definitions that specify a default string literal for some argument. It -checks that the argument does not look like a password. - -Variables are considered to look like a password if they have match any -one of: - -- “password” - -- “pass” - -- “passwd” - -- “pwd” - -- “secret” - -- “token” - -- “secrete” - -Note: this can be noisy and may generate false positives. - -**Config Options:** - -None - -Example - - - - >> Issue: [B107:hardcoded_password_default] Possible hardcoded - password: 'Admin' - Severity: Low Confidence: Medium - Location: ./examples/hardcoded-passwords.py:1 - - 1 def someFunction(user, password="Admin"): - 2 print("Hi " + user) - +Bandit + +- Getting + Started +- Configuration +- Integrations +- Test + Plugins + - Writing Tests + - Config Generation + - Example Test Plugin + - Plugin ID Groupings + - Complete Test Plugin Listing + - B101: assert_used + - B102: exec_used + - B103: set_bad_file_permissions + - B104: + hardcoded_bind_all_interfaces + - B105: hardcoded_password_string + - B106: + hardcoded_password_funcarg + - B107: + hardcoded_password_default + - B108: hardcoded_tmp_directory + - B109: + password_config_option_not_marked_secret + - B110: try_except_pass + - B111: + execute_with_run_as_root_equals_true + - B112: try_except_continue + - B113: request_without_timeout + - B201: flask_debug_true + - B202: tarfile_unsafe_members + - B324: hashlib + - B501: + request_with_no_cert_validation + - B502: ssl_with_bad_version + - B503: ssl_with_bad_defaults + - B504: ssl_with_no_version + - B505: weak_cryptographic_key + - B506: yaml_load + - B507: + ssh_no_host_key_verification + - B508: snmp_insecure_version + - B509: snmp_weak_cryptography + - B601: paramiko_calls + - B602: + subprocess_popen_with_shell_equals_true + - 
B603: + subprocess_without_shell_equals_true + - B604: + any_other_function_with_shell_equals_true + - B605: + start_process_with_a_shell + - B606: + start_process_with_no_shell + - B607: + start_process_with_partial_path + - B608: hardcoded_sql_expressions + - B609: + linux_commands_wildcard_injection + - B610: django_extra_used + - B611: django_rawsql_used + - B612: + logging_config_insecure_listen + - B613: trojansource + - B614: pytorch_load + - B615: + huggingface_unsafe_download + - B701: jinja2_autoescape_false + - B702: use_of_mako_templates + - B703: django_mark_safe + - B704: markupsafe_markup_xss +- Blacklist Plugins +- Report Formatters +- Continuous Integration and Deployment (CI/CD) +- Frequently + Asked Questions + +Bandit + +- +- Test Plugins +- B107: hardcoded_password_default +- View page source + +------------------------------------------------------------------------ + +# B107: hardcoded_password_default + + + + +------------------------------------------------------------------------ + +© Copyright 2025, Bandit Developers. + +Built with Sphinx +using a theme provided by +Read the Docs. diff --git a/docs/description/B108.md b/docs/description/B108.md index 9ed20db..0fca302 100644 --- a/docs/description/B108.md +++ b/docs/description/B108.md 
@@ -1,17 +1,163 @@ -## B108: Test for insecure usage of tmp file/directory +Bandit -Safely creating a temporary file or directory means following a number -of rules (see the references for more details). This plugin test looks -for strings starting with (configurable) commonly used temporary paths, -for example: +- Getting + Started +- Configuration +- Integrations +- Test + Plugins + - Writing Tests + - Config Generation + - Example Test Plugin + - Plugin ID Groupings + - Complete Test Plugin Listing + - B101: assert_used + - B102: exec_used + - B103: set_bad_file_permissions + - B104: + hardcoded_bind_all_interfaces + - B105: hardcoded_password_string + - B106: + hardcoded_password_funcarg + - B107: + hardcoded_password_default + - B108: + hardcoded_tmp_directory + - B109: + password_config_option_not_marked_secret + - B110: try_except_pass + - B111: + execute_with_run_as_root_equals_true + - B112: try_except_continue + - B113: request_without_timeout + - B201: flask_debug_true + - B202: tarfile_unsafe_members + - B324: hashlib + - B501: + request_with_no_cert_validation + - B502: ssl_with_bad_version + - B503: ssl_with_bad_defaults + - B504: ssl_with_no_version + - B505: weak_cryptographic_key + - B506: yaml_load + - B507: + ssh_no_host_key_verification + - B508: snmp_insecure_version + - B509: snmp_weak_cryptography + - B601: paramiko_calls + - B602: + subprocess_popen_with_shell_equals_true + - B603: + subprocess_without_shell_equals_true + - B604: + any_other_function_with_shell_equals_true + - B605: + start_process_with_a_shell + - B606: + start_process_with_no_shell + - B607: + start_process_with_partial_path + - B608: hardcoded_sql_expressions + - B609: + linux_commands_wildcard_injection + - B610: django_extra_used + - B611: django_rawsql_used + - B612: + logging_config_insecure_listen + - B613: trojansource + - B614: pytorch_load + - B615: + huggingface_unsafe_download + - B701: jinja2_autoescape_false + - B702: use_of_mako_templates + - B703: 
django_mark_safe + - B704: markupsafe_markup_xss +- Blacklist Plugins +- Report Formatters +- Continuous Integration and Deployment (CI/CD) +- Frequently + Asked Questions -**Config Options:** +Bandit -This test plugin takes a similarly named config block, -hardcoded\_tmp\_directory. The config block provides a Python list, -tmp\_dirs, that lists string fragments indicating possible temporary -file paths. Any string starting with one of these fragments will report -a MEDIUM confidence issue. +- +- Test Plugins +- B108: hardcoded_tmp_directory +- View page source -`hardcoded_tmp_directory: -tmp_dirs: ['/tmp', '/var/tmp', '/dev/shm']` \ No newline at end of file +------------------------------------------------------------------------ + +# B108: hardcoded_tmp_directory + + + + +------------------------------------------------------------------------ + +© Copyright 2025, Bandit Developers. + +Built with Sphinx +using a theme provided by +Read the Docs. diff --git a/docs/description/B109.md b/docs/description/B109.md index deba8df..10432d0 100644 --- a/docs/description/B109.md +++ b/docs/description/B109.md 
@@ -1,7 +1,154 @@
-# B109: Test for a password based config option not marked secret
+Bandit
+
+- Getting
+ Started
+- Configuration
+- Integrations
+- Test
+ Plugins
+ - Writing Tests
+ - Config Generation
+ - Example Test Plugin
+ - Plugin ID Groupings
+ - Complete Test Plugin Listing
+ - B101: assert_used
+ - B102: exec_used
+ - B103: set_bad_file_permissions
+ - B104:
+ hardcoded_bind_all_interfaces
+ - B105: hardcoded_password_string
+ - B106:
+ hardcoded_password_funcarg
+ - B107:
+ hardcoded_password_default
+ - B108: hardcoded_tmp_directory
+ - B109:
+ password_config_option_not_marked_secret
+ - B110: try_except_pass
+ - B111:
+ execute_with_run_as_root_equals_true
+ - B112: try_except_continue
+ - B113: request_without_timeout
+ - B201: flask_debug_true
+ - B202: tarfile_unsafe_members
+ - B324: hashlib
+ - B501:
+ request_with_no_cert_validation
+ - B502: ssl_with_bad_version
+ - B503: ssl_with_bad_defaults
+ - B504: ssl_with_no_version
+ - B505: weak_cryptographic_key
+ - B506: yaml_load
+ - B507:
+ ssh_no_host_key_verification
+ - B508: snmp_insecure_version
+ - B509: snmp_weak_cryptography
+ - B601: paramiko_calls
+ - B602:
+ subprocess_popen_with_shell_equals_true
+ - B603:
+ subprocess_without_shell_equals_true
+ - B604:
+ any_other_function_with_shell_equals_true
+ - B605:
+ start_process_with_a_shell
+ - B606:
+ start_process_with_no_shell
+ - B607:
+ start_process_with_partial_path
+ - B608: hardcoded_sql_expressions
+ - B609:
+ linux_commands_wildcard_injection
+ - B610: django_extra_used
+ - B611: django_rawsql_used
+ - B612:
+ logging_config_insecure_listen
+ - B613: trojansource
+ - B614: pytorch_load
+ - B615:
+ huggingface_unsafe_download
+ - B701: jinja2_autoescape_false
+ - B702: use_of_mako_templates
+ - B703: django_mark_safe
+ - B704: markupsafe_markup_xss
+- Blacklist Plugins
+- Report Formatters
+- Continuous Integration and Deployment (CI/CD)
+- Frequently
+ Asked Questions
+
+Bandit
+
+-
+- Test Plugins
+- B109: 
password_config_option_not_marked_secret +- View page source + +------------------------------------------------------------------------ + +# B109: password_config_option_not_marked_secret This plugin has been removed. +B109: Test for a password based config option not marked secret + Passwords are sensitive and must be protected appropriately. In OpenStack Oslo there is an option to mark options “secret” which will ensure that they are not logged. This plugin detects usages of oslo 
@@ -13,32 +160,59 @@ If such a value is found a MEDIUM severity error is generated. If confidence issue. If Bandit can’t determine the value of secret it will return a LOW confidence issue. -Config Options: +**Config Options:** -`password_config_option_not_marked_secret: -function_names: -- oslo.config.cfg.StrOpt -- oslo_config.cfg.StrOpt` + password_config_option_not_marked_secret: + function_names: + - oslo.config.cfg.StrOpt + - oslo_config.cfg.StrOpt -Example: +Example: >> Issue: [password_config_option_not_marked_secret] oslo config option possibly not marked secret=True identified. - Severity: Medium Confidence: Low - Location: examples/secret-config-option.py:12 + Severity: Medium Confidence: Low + Location: examples/secret-config-option.py:12 11 help="User's password"), 12 cfg.StrOpt('nova_password', 13 secret=secret, 14 help="Nova user password"), 15 ] - + >> Issue: [password_config_option_not_marked_secret] oslo config option not marked secret=True identified, security issue. - Severity: Medium Confidence: Medium - Location: examples/secret-config-option.py:21 + Severity: Medium Confidence: Medium + Location: examples/secret-config-option.py:21 20 help="LDAP ubind ser name"), 21 cfg.StrOpt('ldap_password', 22 help="LDAP bind user password"), - 23 cfg.StrOpt('ldap_password_attribute', \ No newline at end of file + 23 cfg.StrOpt('ldap_password_attribute', + +See also + +- https://security.openstack.org/guidelines/dg_protect-sensitive-data-in-files.html + +Added in version 0.10.0. + +Deprecated since version 1.5.0: This plugin was removed + + +Next + +------------------------------------------------------------------------ + +© Copyright 2025, Bandit Developers. + +Built with Sphinx +using a theme provided by +Read the Docs. diff --git a/docs/description/B110.md b/docs/description/B110.md index 47fab65..96b4b27 100644 --- a/docs/description/B110.md +++ b/docs/description/B110.md 
@@ -1,38 +1,162 @@
-## B110: Test for a pass in the except block
+Bandit
-Errors in Python code bases are typically communicated using
-`Exceptions`. An exception object is ‘raised’ in the event of an error
-and can be ‘caught’ at a later point in the program, typically some
-error handling or logging action will then be performed.
+- Getting
+ Started
+- Configuration
+- Integrations
+- Test
+ Plugins
+ - Writing Tests
+ - Config Generation
+ - Example Test Plugin
+ - Plugin ID Groupings
+ - Complete Test Plugin Listing
+ - B101: assert_used
+ - B102: exec_used
+ - B103: set_bad_file_permissions
+ - B104:
+ hardcoded_bind_all_interfaces
+ - B105: hardcoded_password_string
+ - B106:
+ hardcoded_password_funcarg
+ - B107:
+ hardcoded_password_default
+ - B108: hardcoded_tmp_directory
+ - B109:
+ password_config_option_not_marked_secret
+ - B110:
+ try_except_pass
+ - B111:
+ execute_with_run_as_root_equals_true
+ - B112: try_except_continue
+ - B113: request_without_timeout
+ - B201: flask_debug_true
+ - B202: tarfile_unsafe_members
+ - B324: hashlib
+ - B501:
+ request_with_no_cert_validation
+ - B502: ssl_with_bad_version
+ - B503: ssl_with_bad_defaults
+ - B504: ssl_with_no_version
+ - B505: weak_cryptographic_key
+ - B506: yaml_load
+ - B507:
+ ssh_no_host_key_verification
+ - B508: snmp_insecure_version
+ - B509: snmp_weak_cryptography
+ - B601: paramiko_calls
+ - B602:
+ subprocess_popen_with_shell_equals_true
+ - B603:
+ subprocess_without_shell_equals_true
+ - B604:
+ any_other_function_with_shell_equals_true
+ - B605:
+ start_process_with_a_shell
+ - B606:
+ start_process_with_no_shell
+ - B607:
+ start_process_with_partial_path
+ - B608: hardcoded_sql_expressions
+ - B609:
+ linux_commands_wildcard_injection
+ - B610: django_extra_used
+ - B611: django_rawsql_used
+ - B612:
+ logging_config_insecure_listen
+ - B613: trojansource
+ - B614: pytorch_load
+ - B615:
+ huggingface_unsafe_download
+ - B701: jinja2_autoescape_false
+ - B702: use_of_mako_templates
+ - B703: django_mark_safe
+ - B704: markupsafe_markup_xss
+- Blacklist Plugins
+- Report Formatters
+- Continuous Integration and Deployment (CI/CD)
+- Frequently
+ Asked Questions
-However, it is possible to catch an exception and silently ignore it.
-This is illustrated with the following example
+Bandit
-This pattern is considered bad practice in general, but also represents
-a potential security issue. A larger than normal volume of errors from a
-service can indicate an attempt is being made to disrupt or interfere
-with it. Thus errors should, at the very least, be logged.
+-
+- Test Plugins
+- B110: try_except_pass
+- View page source
-There are rare situations where it is desirable to suppress errors, but
-this is typically done with specific exception types, rather than the
-base Exception class (or no type). To accommodate this, the test may be
-configured to ignore ‘try, except, pass’ where the exception is typed.
-For example, the following would not generate a warning if the
-configuration option `checked_typed_exception` is set to False:
+------------------------------------------------------------------------
-**Config Options:**
+# B110: try_except_pass
-`try_except_pass:
-check_typed_exception: True`
+
+
-Example:
+------------------------------------------------------------------------
-
+© Copyright 2025, Bandit Developers.
-
- >> Issue: Try, Except, Pass detected.
- Severity: Low Confidence: High
- CWE: CWE-703 (https://cwe.mitre.org/data/definitions/703.html)
- Location: ./examples/try_except_pass.py:4
- 3 a = 1
- 4 except:
- 5 pass
\ No newline at end of file
+Built with Sphinx
+using a theme provided by
+Read the Docs.
diff --git a/docs/description/B111.md b/docs/description/B111.md
index 47fab65..96b4b27 100644
--- a/docs/description/B111.md
+++ b/docs/description/B111.md
@@ -1,34 +1,216 @@
-# B111: Test for the use of rootwrap running as root
+Bandit
+
+- Getting
+ Started
+- Configuration
+- Integrations
+- Test
+ Plugins
+ - Writing Tests
+ - Config Generation
+ - Example Test Plugin
+ - Plugin ID Groupings
+ - Complete Test Plugin Listing
+ - B101: assert_used
+ - B102: exec_used
+ - B103: set_bad_file_permissions
+ - B104:
+ hardcoded_bind_all_interfaces
+ - B105: hardcoded_password_string
+ - B106:
+ hardcoded_password_funcarg
+ - B107:
+ hardcoded_password_default
+ - B108: hardcoded_tmp_directory
+ - B109:
+ password_config_option_not_marked_secret
+ - B110: try_except_pass
+ - B111:
+ execute_with_run_as_root_equals_true
+ - B112: try_except_continue
+ - B113: request_without_timeout
+ - B201: flask_debug_true
+ - B202: tarfile_unsafe_members
+ - B324: hashlib
+ - B501:
+ request_with_no_cert_validation
+ - B502: ssl_with_bad_version
+ - B503: ssl_with_bad_defaults
+ - B504: ssl_with_no_version
+ - B505: weak_cryptographic_key
+ - B506: yaml_load
+ - B507:
+ ssh_no_host_key_verification
+ - B508: snmp_insecure_version
+ - B509: snmp_weak_cryptography
+ - B601: paramiko_calls
+ - B602:
+ subprocess_popen_with_shell_equals_true
+ - B603:
+ subprocess_without_shell_equals_true
+ - B604:
+ any_other_function_with_shell_equals_true
+ - B605:
+ start_process_with_a_shell
+ - B606:
+ start_process_with_no_shell
+ - B607:
+ start_process_with_partial_path
+ - B608: hardcoded_sql_expressions
+ - B609:
+ linux_commands_wildcard_injection
+ - B610: django_extra_used
+ - B611: django_rawsql_used
+ - B612:
+ logging_config_insecure_listen
+ - B613: trojansource
+ - B614: pytorch_load
+ - B615:
+ huggingface_unsafe_download
+ - B701: jinja2_autoescape_false
+ - B702: use_of_mako_templates
+ - B703: django_mark_safe
+ - B704: markupsafe_markup_xss
+- Blacklist Plugins
+- Report Formatters
+- Continuous Integration and Deployment (CI/CD)
+- Frequently
+ Asked Questions
+
+Bandit
+
+-
+- Test Plugins
+- B111: 
execute_with_run_as_root_equals_true +- View page source + +------------------------------------------------------------------------ + +# B111: execute_with_run_as_root_equals_true This plugin has been removed. +B111: Test for the use of rootwrap running as root + Running commands as root dramatically increase their potential risk. Running commands with restricted user privileges provides defense in depth against command injection attacks, or developer and configuration error. This plugin test checks for specific methods being called with a -keyword parameter run\_as\_root set to True, a common OpenStack idiom. - +keyword parameter run_as_root set to True, a common OpenStack idiom. **Config Options:** -This test plugin takes a similarly named configuration block, execute_with_run_as_root_equals_true, providing a list, function_names, of function names. A call to any of these named functions will be checked for a run_as_root keyword parameter, and if True, will report a Low severity issue. +This test plugin takes a similarly named configuration block, +execute_with_run_as_root_equals_true, providing a list, function_names, +of function names. A call to any of these named functions will be +checked for a run_as_root keyword parameter, and if True, will report a +Low severity issue. -execute_with_run_as_root_equals_true: - function_names: -- ceilometer.utils.execute -- cinder.utils.execute -- neutron.agent.linux.utils.execute -- nova.utils.execute -- nova.utils.trycmd + execute_with_run_as_root_equals_true: + function_names: + - ceilometer.utils.execute + - cinder.utils.execute + - neutron.agent.linux.utils.execute + - nova.utils.execute + - nova.utils.trycmd -Example: +Example: >> Issue: Execute with run_as_root=True identified, possible security - issue. - Severity: Low Confidence: Medium - Location: ./examples/exec-as-root.py:26 + issue. 
+ Severity: Low Confidence: Medium + Location: ./examples/exec-as-root.py:26 25 nova_utils.trycmd('gcc --version') 26 nova_utils.trycmd('gcc --version', run_as_root=True) - 27 \ No newline at end of file + 27 + +See also + +- https://security.openstack.org/guidelines/dg_rootwrap-recommendations-and-plans.html + +- https://security.openstack.org/guidelines/dg_use-oslo-rootwrap-securely.html + +Added in version 0.10.0. + +Deprecated since version 1.5.0: This plugin was removed + +Previous + + +------------------------------------------------------------------------ + +© Copyright 2025, Bandit Developers. + +Built with Sphinx +using a theme provided by +Read the Docs. diff --git a/docs/description/B112.md b/docs/description/B112.md index 4807603..8b84c2c 100644 --- a/docs/description/B112.md +++ b/docs/description/B112.md 
@@ -1,38 +1,162 @@
-## B112: Test for a continue in the except block
+Bandit
-Errors in Python code bases are typically communicated using
-`Exceptions`. An exception object is ‘raised’ in the event of an error
-and can be ‘caught’ at a later point in the program, typically some
-error handling or logging action will then be performed.
+- Getting
+ Started
+- Configuration
+- Integrations
+- Test
+ Plugins
+ - Writing Tests
+ - Config Generation
+ - Example Test Plugin
+ - Plugin ID Groupings
+ - Complete Test Plugin Listing
+ - B101: assert_used
+ - B102: exec_used
+ - B103: set_bad_file_permissions
+ - B104:
+ hardcoded_bind_all_interfaces
+ - B105: hardcoded_password_string
+ - B106:
+ hardcoded_password_funcarg
+ - B107:
+ hardcoded_password_default
+ - B108: hardcoded_tmp_directory
+ - B109:
+ password_config_option_not_marked_secret
+ - B110: try_except_pass
+ - B111:
+ execute_with_run_as_root_equals_true
+ - B112:
+ try_except_continue
+ - B113: request_without_timeout
+ - B201: flask_debug_true
+ - B202: tarfile_unsafe_members
+ - B324: hashlib
+ - B501:
+ request_with_no_cert_validation
+ - B502: ssl_with_bad_version
+ - B503: ssl_with_bad_defaults
+ - B504: ssl_with_no_version
+ - B505: weak_cryptographic_key
+ - B506: yaml_load
+ - B507:
+ ssh_no_host_key_verification
+ - B508: snmp_insecure_version
+ - B509: snmp_weak_cryptography
+ - B601: paramiko_calls
+ - B602:
+ subprocess_popen_with_shell_equals_true
+ - B603:
+ subprocess_without_shell_equals_true
+ - B604:
+ any_other_function_with_shell_equals_true
+ - B605:
+ start_process_with_a_shell
+ - B606:
+ start_process_with_no_shell
+ - B607:
+ start_process_with_partial_path
+ - B608: hardcoded_sql_expressions
+ - B609:
+ linux_commands_wildcard_injection
+ - B610: django_extra_used
+ - B611: django_rawsql_used
+ - B612:
+ logging_config_insecure_listen
+ - B613: trojansource
+ - B614: pytorch_load
+ - B615:
+ huggingface_unsafe_download
+ - B701: jinja2_autoescape_false
+ - B702: use_of_mako_templates
+ - B703: django_mark_safe
+ - B704: markupsafe_markup_xss
+- Blacklist Plugins
+- Report Formatters
+- Continuous Integration and Deployment (CI/CD)
+- Frequently
+ Asked Questions
-However, it is possible to catch an exception and silently ignore it
-while in a loop. This is illustrated with the following example
+Bandit
-This pattern is considered bad practice in general, but also represents
-a potential security issue. A larger than normal volume of errors from a
-service can indicate an attempt is being made to disrupt or interfere
-with it. Thus errors should, at the very least, be logged.
+-
+- Test Plugins
+- B112: try_except_continue
+- View page source
-There are rare situations where it is desirable to suppress errors, but
-this is typically done with specific exception types, rather than the
-base Exception class (or no type). To accommodate this, the test may be
-configured to ignore ‘try, except, continue’ where the exception is
-typed. For example, the following would not generate a warning if the
-configuration option `checked_typed_exception` is set to False:
+------------------------------------------------------------------------
-**Config Options:**
+# B112: try_except_continue
-`try_except_continue:
-check_typed_exception: True`
+
+
-Example:
+------------------------------------------------------------------------
-
+© Copyright 2025, Bandit Developers.
-
- >> Issue: Try, Except, Continue detected.
- Severity: Low Confidence: High
- CWE: CWE-703 (https://cwe.mitre.org/data/definitions/703.html)
- Location: ./examples/try_except_continue.py:5
- 4 a = i
- 5 except:
- 6 continue
\ No newline at end of file
+Built with Sphinx
+using a theme provided by
+Read the Docs.
diff --git a/docs/description/B113.md b/docs/description/B113.md
index 4807603..8b84c2c 100644
--- a/docs/description/B113.md
+++ b/docs/description/B113.md
@@ -1,30 +1,162 @@
-## B113: Test for missing requests timeout
-
-This plugin test checks for requests calls without a timeout specified.
-
-Nearly all production code should use this parameter in nearly all requests, Failure to do so can cause your program to hang indefinitely.
-
-When request methods are used without the timeout parameter set, Bandit will return a MEDIUM severity error.
-
-Example:
-
-
-
- >> Issue: [B113:request_without_timeout] Requests call without timeout
- Severity: Medium Confidence: Low
- CWE: CWE-400 (https://cwe.mitre.org/data/definitions/400.html)
- More Info: https://bandit.readthedocs.io/en/latest/plugins/b113_request_without_timeout.html
- Location: examples/requests-missing-timeout.py:3:0
- 2
- 3 requests.get('https://gmail.com')
- 4 requests.get('https://gmail.com', timeout=None)
-
- --------------------------------------------------
- >> Issue: [B113:request_without_timeout] Requests call with timeout set to None
- Severity: Medium Confidence: Low
- CWE: CWE-400 (https://cwe.mitre.org/data/definitions/400.html)
- More Info: https://bandit.readthedocs.io/en/latest/plugins/b113_request_without_timeout.html
- Location: examples/requests-missing-timeout.py:4:0
- 3 requests.get('https://gmail.com')
- 4 requests.get('https://gmail.com', timeout=None)
- 5 requests.get('https://gmail.com', timeout=5)
\ No newline at end of file
+Bandit
+
+- Getting
+ Started
+- Configuration
+- Integrations
+- Test
+ Plugins
+ - Writing Tests
+ - Config Generation
+ - Example Test Plugin
+ - Plugin ID Groupings
+ - Complete Test Plugin Listing
+ - B101: assert_used
+ - B102: exec_used
+ - B103: set_bad_file_permissions
+ - B104:
+ hardcoded_bind_all_interfaces
+ - B105: hardcoded_password_string
+ - B106:
+ hardcoded_password_funcarg
+ - B107:
+ hardcoded_password_default
+ - B108: hardcoded_tmp_directory
+ - B109:
+ password_config_option_not_marked_secret
+ - B110: try_except_pass
+ - B111:
+ execute_with_run_as_root_equals_true
+ - B112: try_except_continue
+ - B113:
+ request_without_timeout
+ - B201: flask_debug_true
+ - B202: tarfile_unsafe_members
+ - B324: hashlib
+ - B501:
+ request_with_no_cert_validation
+ - B502: ssl_with_bad_version
+ - B503: ssl_with_bad_defaults
+ - B504: ssl_with_no_version
+ - B505: weak_cryptographic_key
+ - B506: yaml_load
+ - B507:
+ ssh_no_host_key_verification
+ - B508: snmp_insecure_version
+ - B509: snmp_weak_cryptography
+ - B601: paramiko_calls
+ - B602:
+ subprocess_popen_with_shell_equals_true
+ - B603:
+ subprocess_without_shell_equals_true
+ - B604:
+ any_other_function_with_shell_equals_true
+ - B605:
+ start_process_with_a_shell
+ - B606:
+ start_process_with_no_shell
+ - B607:
+ start_process_with_partial_path
+ - B608: hardcoded_sql_expressions
+ - B609:
+ linux_commands_wildcard_injection
+ - B610: django_extra_used
+ - B611: django_rawsql_used
+ - B612:
+ logging_config_insecure_listen
+ - B613: trojansource
+ - B614: pytorch_load
+ - B615:
+ huggingface_unsafe_download
+ - B701: jinja2_autoescape_false
+ - B702: use_of_mako_templates
+ - B703: django_mark_safe
+ - B704: markupsafe_markup_xss
+- Blacklist Plugins
+- Report Formatters
+- Continuous Integration and Deployment (CI/CD)
+- Frequently
+ Asked Questions
+
+Bandit
+
+-
+- Test Plugins
+- B113: request_without_timeout
+- View page source
+
+------------------------------------------------------------------------
+
+# B113: request_without_timeout
+
+
+Next
+
+------------------------------------------------------------------------
+
+© Copyright 2025, Bandit Developers.
+
+Built with Sphinx
+using a theme provided by
+Read the Docs.
diff --git a/docs/description/B201.md b/docs/description/B201.md
index b07251b..69741bc 100644
--- a/docs/description/B201.md
+++ b/docs/description/B201.md
@@ -1,27 +1,162 @@
-## B201: Test for use of flask app with debug set to true
-
-Running Flask applications in debug mode results in the Werkzeug
-debugger being enabled. This includes a feature that allows arbitrary
-code execution. Documentation for both Flask
-1 and
-Werkzeug
-2
-strongly suggests that debug mode should never be enabled on production
-systems.
-
-Operating a production server with debug mode enabled was the probable
-cause of the Patreon breach in 2015
-3.
-
-Example:
-
-
-
- >> Issue: A Flask app appears to be run with debug=True, which exposes
- the Werkzeug debugger and allows the execution of arbitrary code.
- Severity: High Confidence: High
- CWE: CWE-94 (https://cwe.mitre.org/data/definitions/94.html)
- Location: examples/flask_debug.py:10
- 9 #bad
- 10 app.run(debug=True)
- 11
\ No newline at end of file
+Bandit
+
+- Getting
+ Started
+- Configuration
+- Integrations
+- Test
+ Plugins
+ - Writing Tests
+ - Config Generation
+ - Example Test Plugin
+ - Plugin ID Groupings
+ - Complete Test Plugin Listing
+ - B101: assert_used
+ - B102: exec_used
+ - B103: set_bad_file_permissions
+ - B104:
+ hardcoded_bind_all_interfaces
+ - B105: hardcoded_password_string
+ - B106:
+ hardcoded_password_funcarg
+ - B107:
+ hardcoded_password_default
+ - B108: hardcoded_tmp_directory
+ - B109:
+ password_config_option_not_marked_secret
+ - B110: try_except_pass
+ - B111:
+ execute_with_run_as_root_equals_true
+ - B112: try_except_continue
+ - B113: request_without_timeout
+ - B201:
+ flask_debug_true
+ - B202: tarfile_unsafe_members
+ - B324: hashlib
+ - B501:
+ request_with_no_cert_validation
+ - B502: ssl_with_bad_version
+ - B503: ssl_with_bad_defaults
+ - B504: ssl_with_no_version
+ - B505: weak_cryptographic_key
+ - B506: yaml_load
+ - B507:
+ ssh_no_host_key_verification
+ - B508: snmp_insecure_version
+ - B509: snmp_weak_cryptography
+ - B601: paramiko_calls
+ - B602:
+ subprocess_popen_with_shell_equals_true
+ - B603:
+ subprocess_without_shell_equals_true
+ - B604:
+ any_other_function_with_shell_equals_true
+ - B605:
+ start_process_with_a_shell
+ - B606:
+ start_process_with_no_shell
+ - B607:
+ start_process_with_partial_path
+ - B608: hardcoded_sql_expressions
+ - B609:
+ linux_commands_wildcard_injection
+ - B610: django_extra_used
+ - B611: django_rawsql_used
+ - B612:
+ logging_config_insecure_listen
+ - B613: trojansource
+ - B614: pytorch_load
+ - B615:
+ huggingface_unsafe_download
+ - B701: jinja2_autoescape_false
+ - B702: use_of_mako_templates
+ - B703: django_mark_safe
+ - B704: markupsafe_markup_xss
+- Blacklist Plugins
+- Report Formatters
+- Continuous Integration and Deployment (CI/CD)
+- Frequently
+ Asked Questions
+
+Bandit
+
+-
+- Test Plugins
+- B201: flask_debug_true
+- View page source
+
+------------------------------------------------------------------------
+
+# B201: flask_debug_true
+
+
+
+
+------------------------------------------------------------------------
+
+© Copyright 2025, Bandit Developers.
+
+Built with Sphinx
+using a theme provided by
+Read the Docs.
diff --git a/docs/description/B202.md b/docs/description/B202.md
index 61d8e57..e77613c 100644
--- a/docs/description/B202.md
+++ b/docs/description/B202.md
@@ -1,26 +1,161 @@
-## B202: Test for tarfile.extractall
+Bandit
-This plugin will look for usage of tarfile.extractall()
+- Getting
+ Started
+- Configuration
+- Integrations
+- Test
+ Plugins
+ - Writing Tests
+ - Config Generation
+ - Example Test Plugin
+ - Plugin ID Groupings
+ - Complete Test Plugin Listing
+ - B101: assert_used
+ - B102: exec_used
+ - B103: set_bad_file_permissions
+ - B104:
+ hardcoded_bind_all_interfaces
+ - B105: hardcoded_password_string
+ - B106:
+ hardcoded_password_funcarg
+ - B107:
+ hardcoded_password_default
+ - B108: hardcoded_tmp_directory
+ - B109:
+ password_config_option_not_marked_secret
+ - B110: try_except_pass
+ - B111:
+ execute_with_run_as_root_equals_true
+ - B112: try_except_continue
+ - B113: request_without_timeout
+ - B201: flask_debug_true
+ - B202:
+ tarfile_unsafe_members
+ - B324: hashlib
+ - B501:
+ request_with_no_cert_validation
+ - B502: ssl_with_bad_version
+ - B503: ssl_with_bad_defaults
+ - B504: ssl_with_no_version
+ - B505: weak_cryptographic_key
+ - B506: yaml_load
+ - B507:
+ ssh_no_host_key_verification
+ - B508: snmp_insecure_version
+ - B509: snmp_weak_cryptography
+ - B601: paramiko_calls
+ - B602:
+ subprocess_popen_with_shell_equals_true
+ - B603:
+ subprocess_without_shell_equals_true
+ - B604:
+ any_other_function_with_shell_equals_true
+ - B605:
+ start_process_with_a_shell
+ - B606:
+ start_process_with_no_shell
+ - B607:
+ start_process_with_partial_path
+ - B608: hardcoded_sql_expressions
+ - B609:
+ linux_commands_wildcard_injection
+ - B610: django_extra_used
+ - B611: django_rawsql_used
+ - B612:
+ logging_config_insecure_listen
+ - B613: trojansource
+ - B614: pytorch_load
+ - B615:
+ huggingface_unsafe_download
+ - B701: jinja2_autoescape_false
+ - B702: use_of_mako_templates
+ - B703: django_mark_safe
+ - B704: markupsafe_markup_xss
+- Blacklist Plugins
+- Report Formatters
+- Continuous Integration and Deployment (CI/CD)
+- Frequently
+ Asked Questions
-Severity are set as follows:
+Bandit
-* tarfile.extractalll(members=function(tarfile)) - LOW
-* tarfile.extractalll(members=?) - member is not a function - MEDIUM
-* tarfile.extractall() - members from the archive is trusted - HIGH
+-
+- Test Plugins
+- B202: tarfile_unsafe_members
+- View page source
-Use tarfile.extractall(members=function_name) and define a function that will inspect each member. Discard files that contain a directory traversal sequences such as ../ or \.. along with all special filetypes unless you explicitly need them.
+------------------------------------------------------------------------
-Example:
+# B202: tarfile_unsafe_members
-
+Previous
+Next
- >> Issue: [B202:tarfile_unsafe_members] tarfile.extractall used without
- any validation. You should check members and discard dangerous ones
- Severity: High Confidence: High
- CWE: CWE-22 (https://cwe.mitre.org/data/definitions/22.html)
- Location: examples/tarfile_extractall.py:8
- More Info:
- https://bandit.readthedocs.io/en/latest/plugins/b202_tarfile_unsafe_members.html
- 7 tar = tarfile.open(filename)
- 8 tar.extractall(path=tempfile.mkdtemp())
- 9 tar.close()
\ No newline at end of file
+------------------------------------------------------------------------
+
+© Copyright 2025, Bandit Developers.
+
+Built with Sphinx
+using a theme provided by
+Read the Docs.
diff --git a/docs/description/B324.md b/docs/description/B324.md
index 28ec50f..2005154 100644
--- a/docs/description/B324.md
+++ b/docs/description/B324.md
@@ -1,21 +1,162 @@
-## B324: Test use of insecure md4, md5, or sha1 hash functions in hashlib
+Bandit
-This plugin checks for the usage of the insecure MD4, MD5, or SHA1 hash functions in hashlib and crypt. The hashlib.new function provides the ability to construct a new hashing object using the named algorithm. This can be used to create insecure hash functions like MD4 and MD5 if they are passed as algorithm names to this function.
+- Getting
+ Started
+- Configuration
+- Integrations
+- Test
+ Plugins
+ - Writing Tests
+ - Config Generation
+ - Example Test Plugin
+ - Plugin ID Groupings
+ - Complete Test Plugin Listing
+ - B101: assert_used
+ - B102: exec_used
+ - B103: set_bad_file_permissions
+ - B104:
+ hardcoded_bind_all_interfaces
+ - B105: hardcoded_password_string
+ - B106:
+ hardcoded_password_funcarg
+ - B107:
+ hardcoded_password_default
+ - B108: hardcoded_tmp_directory
+ - B109:
+ password_config_option_not_marked_secret
+ - B110: try_except_pass
+ - B111:
+ execute_with_run_as_root_equals_true
+ - B112: try_except_continue
+ - B113: request_without_timeout
+ - B201: flask_debug_true
+ - B202: tarfile_unsafe_members
+ - B324:
+ hashlib
+ - B501:
+ request_with_no_cert_validation
+ - B502: ssl_with_bad_version
+ - B503: ssl_with_bad_defaults
+ - B504: ssl_with_no_version
+ - B505: weak_cryptographic_key
+ - B506: yaml_load
+ - B507:
+ ssh_no_host_key_verification
+ - B508: snmp_insecure_version
+ - B509: snmp_weak_cryptography
+ - B601: paramiko_calls
+ - B602:
+ subprocess_popen_with_shell_equals_true
+ - B603:
+ subprocess_without_shell_equals_true
+ - B604:
+ any_other_function_with_shell_equals_true
+ - B605:
+ start_process_with_a_shell
+ - B606:
+ start_process_with_no_shell
+ - B607:
+ start_process_with_partial_path
+ - B608: hardcoded_sql_expressions
+ - B609:
+ linux_commands_wildcard_injection
+ - B610: django_extra_used
+ - B611: django_rawsql_used
+ - B612:
+ logging_config_insecure_listen
+ - B613: trojansource
+ - B614: pytorch_load
+ - B615:
+ huggingface_unsafe_download
+ - B701: jinja2_autoescape_false
+ - B702: use_of_mako_templates
+ - B703: django_mark_safe
+ - B704: markupsafe_markup_xss
+- Blacklist Plugins
+- Report Formatters
+- Continuous Integration and Deployment (CI/CD)
+- Frequently
+ Asked Questions
-For Python versions prior to 3.9, this check is similar to B303 blacklist except that this checks for insecure hash functions created using hashlib.new function. For Python version 3.9 and later, this check does additional checking for usage of keyword usedforsecurity on all function variations of hashlib.
+Bandit
-Similar to hashlib, this plugin also checks for usage of one of the crypt module’s weak hashes. crypt also permits MD5 among other weak hash variants.
+-
+- Test Plugins
+- B324: hashlib
+- View page source
-Example:
+------------------------------------------------------------------------
-
+# B324: hashlib
- >> Issue: [B324:hashlib] Use of weak MD4, MD5, or SHA1 hash for
- security. Consider usedforsecurity=False
- Severity: High Confidence: High
- CWE: CWE-327 (https://cwe.mitre.org/data/definitions/327.html)
- Location: examples/hashlib_new_insecure_functions.py:3:0
- More Info: https://bandit.readthedocs.io/en/latest/plugins/b324_hashlib.html
- 2
- 3 hashlib.new('md5')
- 4
\ No newline at end of file
+
+
+
+------------------------------------------------------------------------
+
+© Copyright 2025, Bandit Developers.
+
+Built with Sphinx
+using a theme provided by
+Read the Docs.
diff --git a/docs/description/B501.md b/docs/description/B501.md
index 2a498ca..9efda6a 100644
--- a/docs/description/B501.md
+++ b/docs/description/B501.md
@@ -1,24 +1,161 @@ -## B501: Test for missing certificate validation - -Encryption in general is typically critical to the security of many -applications. Using TLS can greatly increase security by guaranteeing -the identity of the party you are communicating with. This is -accomplished by one or both parties presenting trusted certificates -during the connection initialization phase of TLS. - -When request methods are used certificates are validated automatically -which is the desired behavior. If certificate validation is explicitly -turned off Bandit will return a HIGH severity error. - -Example: - - - - >> Issue: [request_with_no_cert_validation] Call to requests with - verify=False disabling SSL certificate checks, security issue. - Severity: High Confidence: High - CWE: CWE-295 (https://cwe.mitre.org/data/definitions/295.html) - Location: examples/requests-ssl-verify-disabled.py:4 - 3 requests.get('https://gmail.com', verify=True) - 4 requests.get('https://gmail.com', verify=False) - 5 requests.post('https://gmail.com', verify=True) \ No newline at end of file +Bandit + +- Getting + Started +- Configuration +- Integrations +- Test + Plugins + - Writing Tests + - Config Generation + - Example Test Plugin + - Plugin ID Groupings + - Complete Test Plugin Listing + - B101: assert_used + - B102: exec_used + - B103: set_bad_file_permissions + - B104: + hardcoded_bind_all_interfaces + - B105: hardcoded_password_string + - B106: + hardcoded_password_funcarg + - B107: + hardcoded_password_default + - B108: hardcoded_tmp_directory + - B109: + password_config_option_not_marked_secret + - B110: try_except_pass + - B111: + execute_with_run_as_root_equals_true + - B112: try_except_continue + - B113: request_without_timeout + - B201: flask_debug_true + - B202: tarfile_unsafe_members + - B324: hashlib + - B501: + request_with_no_cert_validation + - B502: ssl_with_bad_version + - B503: ssl_with_bad_defaults + - B504: ssl_with_no_version + - B505: weak_cryptographic_key + - 
B506: yaml_load + - B507: + ssh_no_host_key_verification + - B508: snmp_insecure_version + - B509: snmp_weak_cryptography + - B601: paramiko_calls + - B602: + subprocess_popen_with_shell_equals_true + - B603: + subprocess_without_shell_equals_true + - B604: + any_other_function_with_shell_equals_true + - B605: + start_process_with_a_shell + - B606: + start_process_with_no_shell + - B607: + start_process_with_partial_path + - B608: hardcoded_sql_expressions + - B609: + linux_commands_wildcard_injection + - B610: django_extra_used + - B611: django_rawsql_used + - B612: + logging_config_insecure_listen + - B613: trojansource + - B614: pytorch_load + - B615: + huggingface_unsafe_download + - B701: jinja2_autoescape_false + - B702: use_of_mako_templates + - B703: django_mark_safe + - B704: markupsafe_markup_xss +- Blacklist Plugins +- Report Formatters +- Continuous Integration and Deployment (CI/CD) +- Frequently + Asked Questions + +Bandit + +- +- Test Plugins +- B501: request_with_no_cert_validation +- View page source + +------------------------------------------------------------------------ + +# B501: request_with_no_cert_validation + +Previous + + +------------------------------------------------------------------------ + +© Copyright 2025, Bandit Developers. + +Built with Sphinx +using a theme provided by +Read the Docs. diff --git a/docs/description/B502.md b/docs/description/B502.md index 9cc4f85..c3ba3ec 100644 --- a/docs/description/B502.md +++ b/docs/description/B502.md 
@@ -1,61 +1,162 @@ -**B502: Test for SSL use with bad version used** - -Several highly publicized exploitable flaws have been discovered in all -versions of SSL and early versions of TLS. It is strongly recommended -that use of the following known broken protocol versions be avoided: - -- SSL v2 - -- SSL v3 - -- TLS v1 - -- TLS v1.1 - -This plugin test scans for calls to Python methods with parameters that -indicate the used broken SSL/TLS protocol versions. Currently, detection -supports methods using Python’s native SSL/TLS support and the pyOpenSSL -module. A HIGH severity warning will be reported whenever known broken -protocol versions are detected. - -It is worth noting that native support for TLS 1.2 is only available in -more recent Python versions, specifically 2.7.9 and up, and 3.x - -A note on ‘SSLv23’: - -Amongst the available SSL/TLS versions provided by Python/pyOpenSSL -there exists the option to use SSLv23. This very poorly named option -actually means “use the highest version of SSL/TLS supported by both the -server and client”. This may (and should be) a version well in advance -of SSL v2 or v3. Bandit can scan for the use of SSLv23 if desired, but -its detection does not necessarily indicate a problem. - -When using SSLv23 it is important to also provide flags to explicitly -exclude bad versions of SSL/TLS from the protocol versions considered. -Both the Python native and pyOpenSSL modules provide the `OP_NO_SSLv2` -and `OP_NO_SSLv3` flags for this purpose. - -**Config Options:** - - ssl_with_bad_version: - bad_protocol_versions: - - PROTOCOL_SSLv2 - - SSLv2_METHOD - - SSLv23_METHOD - - PROTOCOL_SSLv3 # strict option - - PROTOCOL_TLSv1 # strict option - - SSLv3_METHOD # strict option - - TLSv1_METHOD # strict option - -Example - - - - >> Issue: ssl.wrap_socket call with insecure SSL/TLS protocol version - identified, security issue. 
- Severity: High Confidence: High - Location: ./examples/ssl-insecure-version.py:13 - 12 # strict tests - 13 ssl.wrap_socket(ssl_version=ssl.PROTOCOL_SSLv3) - 14 ssl.wrap_socket(ssl_version=ssl.PROTOCOL_TLSv1) - +Bandit + +- Getting + Started +- Configuration +- Integrations +- Test + Plugins + - Writing Tests + - Config Generation + - Example Test Plugin + - Plugin ID Groupings + - Complete Test Plugin Listing + - B101: assert_used + - B102: exec_used + - B103: set_bad_file_permissions + - B104: + hardcoded_bind_all_interfaces + - B105: hardcoded_password_string + - B106: + hardcoded_password_funcarg + - B107: + hardcoded_password_default + - B108: hardcoded_tmp_directory + - B109: + password_config_option_not_marked_secret + - B110: try_except_pass + - B111: + execute_with_run_as_root_equals_true + - B112: try_except_continue + - B113: request_without_timeout + - B201: flask_debug_true + - B202: tarfile_unsafe_members + - B324: hashlib + - B501: + request_with_no_cert_validation + - B502: + ssl_with_bad_version + - B503: ssl_with_bad_defaults + - B504: ssl_with_no_version + - B505: weak_cryptographic_key + - B506: yaml_load + - B507: + ssh_no_host_key_verification + - B508: snmp_insecure_version + - B509: snmp_weak_cryptography + - B601: paramiko_calls + - B602: + subprocess_popen_with_shell_equals_true + - B603: + subprocess_without_shell_equals_true + - B604: + any_other_function_with_shell_equals_true + - B605: + start_process_with_a_shell + - B606: + start_process_with_no_shell + - B607: + start_process_with_partial_path + - B608: hardcoded_sql_expressions + - B609: + linux_commands_wildcard_injection + - B610: django_extra_used + - B611: django_rawsql_used + - B612: + logging_config_insecure_listen + - B613: trojansource + - B614: pytorch_load + - B615: + huggingface_unsafe_download + - B701: jinja2_autoescape_false + - B702: use_of_mako_templates + - B703: django_mark_safe + - B704: markupsafe_markup_xss +- Blacklist Plugins +- Report Formatters +- 
Continuous Integration and Deployment (CI/CD) +- Frequently + Asked Questions + +Bandit + +- +- Test Plugins +- B502: ssl_with_bad_version +- View page source + +------------------------------------------------------------------------ + +# B502: ssl_with_bad_version + + + + +------------------------------------------------------------------------ + +© Copyright 2025, Bandit Developers. + +Built with Sphinx +using a theme provided by +Read the Docs. diff --git a/docs/description/B503.md b/docs/description/B503.md index a0595e5..60abbc4 100644 --- a/docs/description/B503.md +++ b/docs/description/B503.md 
@@ -1,31 +1,162 @@ -**B503: Test for SSL use with bad defaults specified** +Bandit -This plugin is part of a family of tests that detect the use of known -bad versions of SSL/TLS, please see +- Getting + Started +- Configuration +- Integrations +- Test + Plugins + - Writing Tests + - Config Generation + - Example Test Plugin + - Plugin ID Groupings + - Complete Test Plugin Listing + - B101: assert_used + - B102: exec_used + - B103: set_bad_file_permissions + - B104: + hardcoded_bind_all_interfaces + - B105: hardcoded_password_string + - B106: + hardcoded_password_funcarg + - B107: + hardcoded_password_default + - B108: hardcoded_tmp_directory + - B109: + password_config_option_not_marked_secret + - B110: try_except_pass + - B111: + execute_with_run_as_root_equals_true + - B112: try_except_continue + - B113: request_without_timeout + - B201: flask_debug_true + - B202: tarfile_unsafe_members + - B324: hashlib + - B501: + request_with_no_cert_validation + - B502: ssl_with_bad_version + - B503: + ssl_with_bad_defaults + - B504: ssl_with_no_version + - B505: weak_cryptographic_key + - B506: yaml_load + - B507: + ssh_no_host_key_verification + - B508: snmp_insecure_version + - B509: snmp_weak_cryptography + - B601: paramiko_calls + - B602: + subprocess_popen_with_shell_equals_true + - B603: + subprocess_without_shell_equals_true + - B604: + any_other_function_with_shell_equals_true + - B605: + start_process_with_a_shell + - B606: + start_process_with_no_shell + - B607: + start_process_with_partial_path + - B608: hardcoded_sql_expressions + - B609: + linux_commands_wildcard_injection + - B610: django_extra_used + - B611: django_rawsql_used + - B612: + logging_config_insecure_listen + - B613: trojansource + - B614: pytorch_load + - B615: + huggingface_unsafe_download + - B701: jinja2_autoescape_false + - B702: use_of_mako_templates + - B703: django_mark_safe + - B704: markupsafe_markup_xss +- Blacklist Plugins +- Report Formatters +- Continuous Integration and Deployment 
(CI/CD) +- Frequently + Asked Questions -../plugins/ssl\_with\_bad\_version for a complete discussion. -Specifically, this plugin test scans for Python methods with default -parameter values that specify the use of broken SSL/TLS protocol -versions. Currently, detection supports methods using Python’s native -SSL/TLS support and the pyOpenSSL module. A MEDIUM severity warning will -be reported whenever known broken protocol versions are detected. +Bandit -**Config Options:** +- +- Test Plugins +- B503: ssl_with_bad_defaults +- View page source -This test shares the configuration provided for the standard +------------------------------------------------------------------------ -../plugins/ssl\_with\_bad\_version test, please refer to its -documentation. +# B503: ssl_with_bad_defaults -Example + + - +------------------------------------------------------------------------ - >> Issue: Function definition identified with insecure SSL/TLS protocol - version by default, possible security issue. - Severity: Medium Confidence: Medium - Location: ./examples/ssl-insecure-version.py:28 - 27 - 28 def open_ssl_socket(version=SSL.SSLv2_METHOD): - 29 pass +© Copyright 2025, Bandit Developers. +Built with Sphinx +using a theme provided by +Read the Docs. diff --git a/docs/description/B504.md b/docs/description/B504.md index d069b21..9d262a5 100644 --- a/docs/description/B504.md +++ b/docs/description/B504.md 
@@ -1,32 +1,162 @@ -**B504: Test for SSL use with no version specified** +Bandit -This plugin is part of a family of tests that detect the use of known -bad versions of SSL/TLS, please see +- Getting + Started +- Configuration +- Integrations +- Test + Plugins + - Writing Tests + - Config Generation + - Example Test Plugin + - Plugin ID Groupings + - Complete Test Plugin Listing + - B101: assert_used + - B102: exec_used + - B103: set_bad_file_permissions + - B104: + hardcoded_bind_all_interfaces + - B105: hardcoded_password_string + - B106: + hardcoded_password_funcarg + - B107: + hardcoded_password_default + - B108: hardcoded_tmp_directory + - B109: + password_config_option_not_marked_secret + - B110: try_except_pass + - B111: + execute_with_run_as_root_equals_true + - B112: try_except_continue + - B113: request_without_timeout + - B201: flask_debug_true + - B202: tarfile_unsafe_members + - B324: hashlib + - B501: + request_with_no_cert_validation + - B502: ssl_with_bad_version + - B503: ssl_with_bad_defaults + - B504: + ssl_with_no_version + - B505: weak_cryptographic_key + - B506: yaml_load + - B507: + ssh_no_host_key_verification + - B508: snmp_insecure_version + - B509: snmp_weak_cryptography + - B601: paramiko_calls + - B602: + subprocess_popen_with_shell_equals_true + - B603: + subprocess_without_shell_equals_true + - B604: + any_other_function_with_shell_equals_true + - B605: + start_process_with_a_shell + - B606: + start_process_with_no_shell + - B607: + start_process_with_partial_path + - B608: hardcoded_sql_expressions + - B609: + linux_commands_wildcard_injection + - B610: django_extra_used + - B611: django_rawsql_used + - B612: + logging_config_insecure_listen + - B613: trojansource + - B614: pytorch_load + - B615: + huggingface_unsafe_download + - B701: jinja2_autoescape_false + - B702: use_of_mako_templates + - B703: django_mark_safe + - B704: markupsafe_markup_xss +- Blacklist Plugins +- Report Formatters +- Continuous Integration and Deployment 
(CI/CD) +- Frequently + Asked Questions -../plugins/ssl\_with\_bad\_version for a complete discussion. -Specifically, This plugin test scans for specific methods in Python’s -native SSL/TLS support and the pyOpenSSL module that configure the -version of SSL/TLS protocol to use. These methods are known to provide -default value that maximize compatibility, but permit use of the -aforementioned broken protocol versions. A LOW severity warning will be -reported whenever this is detected. +Bandit -**Config Options:** +- +- Test Plugins +- B504: ssl_with_no_version +- View page source -This test shares the configuration provided for the standard +------------------------------------------------------------------------ -../plugins/ssl\_with\_bad\_version test, please refer to its -documentation. +# B504: ssl_with_no_version -Example + + - +------------------------------------------------------------------------ - >> Issue: ssl.wrap_socket call with no SSL/TLS protocol version - specified, the default SSLv23 could be insecure, possible security - issue. - Severity: Low Confidence: Medium - Location: ./examples/ssl-insecure-version.py:23 - 22 - 23 ssl.wrap_socket() - 24 +© Copyright 2025, Bandit Developers. + +Built with Sphinx +using a theme provided by +Read the Docs. diff --git a/docs/description/B505.md b/docs/description/B505.md index 85a33f7..b2f5fbb 100644 --- a/docs/description/B505.md +++ b/docs/description/B505.md 
@@ -1,23 +1,161 @@ -## B505: Test for weak cryptographic key use - -As computational power increases, so does the ability to break ciphers -with smaller key lengths. The recommended key length size for RSA and -DSA algorithms is 2048 and higher. 1024 bits and below are now -considered breakable. EC key length sizes are recommended to be 224 and -higher with 160 and below considered breakable. This plugin test checks -for use of any key less than those limits and returns a high severity -error if lower than the lower threshold and a medium severity error for -those lower than the higher threshold. - -Example: - - - - >> Issue: DSA key sizes below 1024 bits are considered breakable. - Severity: High Confidence: High - CWE: CWE-326 (https://cwe.mitre.org/data/definitions/326.html) - Location: examples/weak_cryptographic_key_sizes.py:36 - 35 # Also incorrect: without keyword args - 36 dsa.generate_private_key(512, - 37 backends.default_backend()) - 38 rsa.generate_private_key(3, \ No newline at end of file +Bandit + +- Getting + Started +- Configuration +- Integrations +- Test + Plugins + - Writing Tests + - Config Generation + - Example Test Plugin + - Plugin ID Groupings + - Complete Test Plugin Listing + - B101: assert_used + - B102: exec_used + - B103: set_bad_file_permissions + - B104: + hardcoded_bind_all_interfaces + - B105: hardcoded_password_string + - B106: + hardcoded_password_funcarg + - B107: + hardcoded_password_default + - B108: hardcoded_tmp_directory + - B109: + password_config_option_not_marked_secret + - B110: try_except_pass + - B111: + execute_with_run_as_root_equals_true + - B112: try_except_continue + - B113: request_without_timeout + - B201: flask_debug_true + - B202: tarfile_unsafe_members + - B324: hashlib + - B501: + request_with_no_cert_validation + - B502: ssl_with_bad_version + - B503: ssl_with_bad_defaults + - B504: ssl_with_no_version + - B505: + weak_cryptographic_key + - B506: yaml_load + - B507: + ssh_no_host_key_verification + - 
B508: snmp_insecure_version + - B509: snmp_weak_cryptography + - B601: paramiko_calls + - B602: + subprocess_popen_with_shell_equals_true + - B603: + subprocess_without_shell_equals_true + - B604: + any_other_function_with_shell_equals_true + - B605: + start_process_with_a_shell + - B606: + start_process_with_no_shell + - B607: + start_process_with_partial_path + - B608: hardcoded_sql_expressions + - B609: + linux_commands_wildcard_injection + - B610: django_extra_used + - B611: django_rawsql_used + - B612: + logging_config_insecure_listen + - B613: trojansource + - B614: pytorch_load + - B615: + huggingface_unsafe_download + - B701: jinja2_autoescape_false + - B702: use_of_mako_templates + - B703: django_mark_safe + - B704: markupsafe_markup_xss +- Blacklist Plugins +- Report Formatters +- Continuous Integration and Deployment (CI/CD) +- Frequently + Asked Questions + +Bandit + +- +- Test Plugins +- B505: weak_cryptographic_key +- View page source + +------------------------------------------------------------------------ + +# B505: weak_cryptographic_key + + +Next + +------------------------------------------------------------------------ + +© Copyright 2025, Bandit Developers. + +Built with Sphinx +using a theme provided by +Read the Docs. diff --git a/docs/description/B506.md b/docs/description/B506.md index 6e26382..9704e5d 100644 --- a/docs/description/B506.md +++ b/docs/description/B506.md 
@@ -1,24 +1,162 @@ -## B506: Test for use of yaml load - -This plugin test checks for the unsafe usage of the `yaml.load` function -from the PyYAML package. The yaml.load function provides the ability to -construct an arbitrary Python object, which may be dangerous if you -receive a YAML document from an untrusted source. The function -yaml.safe\_load limits this ability to simple Python objects like -integers or lists. - -Please see for -more information on `yaml.load` and yaml.safe\_load - -Example: - - - - >> Issue: [yaml_load] Use of unsafe yaml load. Allows instantiation of - arbitrary objects. Consider yaml.safe_load(). - Severity: Medium Confidence: High - CWE: CWE-20 (https://cwe.mitre.org/data/definitions/20.html) - Location: examples/yaml_load.py:5 - 4 ystr = yaml.dump({'a' : 1, 'b' : 2, 'c' : 3}) - 5 y = yaml.load(ystr) - 6 yaml.dump(y) \ No newline at end of file +Bandit + +- Getting + Started +- Configuration +- Integrations +- Test + Plugins + - Writing Tests + - Config Generation + - Example Test Plugin + - Plugin ID Groupings + - Complete Test Plugin Listing + - B101: assert_used + - B102: exec_used + - B103: set_bad_file_permissions + - B104: + hardcoded_bind_all_interfaces + - B105: hardcoded_password_string + - B106: + hardcoded_password_funcarg + - B107: + hardcoded_password_default + - B108: hardcoded_tmp_directory + - B109: + password_config_option_not_marked_secret + - B110: try_except_pass + - B111: + execute_with_run_as_root_equals_true + - B112: try_except_continue + - B113: request_without_timeout + - B201: flask_debug_true + - B202: tarfile_unsafe_members + - B324: hashlib + - B501: + request_with_no_cert_validation + - B502: ssl_with_bad_version + - B503: ssl_with_bad_defaults + - B504: ssl_with_no_version + - B505: weak_cryptographic_key + - B506: + yaml_load + - B507: + ssh_no_host_key_verification + - B508: snmp_insecure_version + - B509: snmp_weak_cryptography + - B601: paramiko_calls + - B602: + 
subprocess_popen_with_shell_equals_true + - B603: + subprocess_without_shell_equals_true + - B604: + any_other_function_with_shell_equals_true + - B605: + start_process_with_a_shell + - B606: + start_process_with_no_shell + - B607: + start_process_with_partial_path + - B608: hardcoded_sql_expressions + - B609: + linux_commands_wildcard_injection + - B610: django_extra_used + - B611: django_rawsql_used + - B612: + logging_config_insecure_listen + - B613: trojansource + - B614: pytorch_load + - B615: + huggingface_unsafe_download + - B701: jinja2_autoescape_false + - B702: use_of_mako_templates + - B703: django_mark_safe + - B704: markupsafe_markup_xss +- Blacklist Plugins +- Report Formatters +- Continuous Integration and Deployment (CI/CD) +- Frequently + Asked Questions + +Bandit + +- +- Test Plugins +- B506: yaml_load +- View page source + +------------------------------------------------------------------------ + +# B506: yaml_load + + + + +------------------------------------------------------------------------ + +© Copyright 2025, Bandit Developers. + +Built with Sphinx +using a theme provided by +Read the Docs. diff --git a/docs/description/B507.md b/docs/description/B507.md index c050369..9fb6e2b 100644 --- a/docs/description/B507.md +++ b/docs/description/B507.md 
@@ -1,24 +1,161 @@ -## B507: Test for missing host key validation - -Encryption in general is typically critical to the security of many -applications. Using SSH can greatly increase security by guaranteeing -the identity of the party you are communicating with. This is -accomplished by one or both parties presenting trusted host keys during -the connection initialization phase of SSH. - -When paramiko methods are used, host keys are verified by default. If -host key verification is disabled, Bandit will return a HIGH severity -error. - -Example: - - - - >> Issue: [B507:ssh_no_host_key_verification] Paramiko call with policy set - to automatically trust the unknown host key. - Severity: High Confidence: Medium - CWE: CWE-295 (https://cwe.mitre.org/data/definitions/295.html) - Location: examples/no_host_key_verification.py:4 - 3 ssh_client = client.SSHClient() - 4 ssh_client.set_missing_host_key_policy(client.AutoAddPolicy) - 5 ssh_client.set_missing_host_key_policy(client.WarningPolicy) \ No newline at end of file +Bandit + +- Getting + Started +- Configuration +- Integrations +- Test + Plugins + - Writing Tests + - Config Generation + - Example Test Plugin + - Plugin ID Groupings + - Complete Test Plugin Listing + - B101: assert_used + - B102: exec_used + - B103: set_bad_file_permissions + - B104: + hardcoded_bind_all_interfaces + - B105: hardcoded_password_string + - B106: + hardcoded_password_funcarg + - B107: + hardcoded_password_default + - B108: hardcoded_tmp_directory + - B109: + password_config_option_not_marked_secret + - B110: try_except_pass + - B111: + execute_with_run_as_root_equals_true + - B112: try_except_continue + - B113: request_without_timeout + - B201: flask_debug_true + - B202: tarfile_unsafe_members + - B324: hashlib + - B501: + request_with_no_cert_validation + - B502: ssl_with_bad_version + - B503: ssl_with_bad_defaults + - B504: ssl_with_no_version + - B505: weak_cryptographic_key + - B506: yaml_load + - B507: + 
ssh_no_host_key_verification + - B508: snmp_insecure_version + - B509: snmp_weak_cryptography + - B601: paramiko_calls + - B602: + subprocess_popen_with_shell_equals_true + - B603: + subprocess_without_shell_equals_true + - B604: + any_other_function_with_shell_equals_true + - B605: + start_process_with_a_shell + - B606: + start_process_with_no_shell + - B607: + start_process_with_partial_path + - B608: hardcoded_sql_expressions + - B609: + linux_commands_wildcard_injection + - B610: django_extra_used + - B611: django_rawsql_used + - B612: + logging_config_insecure_listen + - B613: trojansource + - B614: pytorch_load + - B615: + huggingface_unsafe_download + - B701: jinja2_autoescape_false + - B702: use_of_mako_templates + - B703: django_mark_safe + - B704: markupsafe_markup_xss +- Blacklist Plugins +- Report Formatters +- Continuous Integration and Deployment (CI/CD) +- Frequently + Asked Questions + +Bandit + +- +- Test Plugins +- B507: ssh_no_host_key_verification +- View page source + +------------------------------------------------------------------------ + +# B507: ssh_no_host_key_verification + +Previous + + +------------------------------------------------------------------------ + +© Copyright 2025, Bandit Developers. + +Built with Sphinx +using a theme provided by +Read the Docs. diff --git a/docs/description/B508.md b/docs/description/B508.md index 6304d54..25c7e0e 100644 --- a/docs/description/B508.md +++ b/docs/description/B508.md 
@@ -1,17 +1,162 @@ -## B508: Checking for insecure SNMP versions +Bandit -Please update your code to use more secure versions of SNMP. +- Getting + Started +- Configuration +- Integrations +- Test + Plugins + - Writing Tests + - Config Generation + - Example Test Plugin + - Plugin ID Groupings + - Complete Test Plugin Listing + - B101: assert_used + - B102: exec_used + - B103: set_bad_file_permissions + - B104: + hardcoded_bind_all_interfaces + - B105: hardcoded_password_string + - B106: + hardcoded_password_funcarg + - B107: + hardcoded_password_default + - B108: hardcoded_tmp_directory + - B109: + password_config_option_not_marked_secret + - B110: try_except_pass + - B111: + execute_with_run_as_root_equals_true + - B112: try_except_continue + - B113: request_without_timeout + - B201: flask_debug_true + - B202: tarfile_unsafe_members + - B324: hashlib + - B501: + request_with_no_cert_validation + - B502: ssl_with_bad_version + - B503: ssl_with_bad_defaults + - B504: ssl_with_no_version + - B505: weak_cryptographic_key + - B506: yaml_load + - B507: + ssh_no_host_key_verification + - B508: + snmp_insecure_version + - B509: snmp_weak_cryptography + - B601: paramiko_calls + - B602: + subprocess_popen_with_shell_equals_true + - B603: + subprocess_without_shell_equals_true + - B604: + any_other_function_with_shell_equals_true + - B605: + start_process_with_a_shell + - B606: + start_process_with_no_shell + - B607: + start_process_with_partial_path + - B608: hardcoded_sql_expressions + - B609: + linux_commands_wildcard_injection + - B610: django_extra_used + - B611: django_rawsql_used + - B612: + logging_config_insecure_listen + - B613: trojansource + - B614: pytorch_load + - B615: + huggingface_unsafe_download + - B701: jinja2_autoescape_false + - B702: use_of_mako_templates + - B703: django_mark_safe + - B704: markupsafe_markup_xss +- Blacklist Plugins +- Report Formatters +- Continuous Integration and Deployment (CI/CD) +- Frequently + Asked Questions -Example: +Bandit 
- +- +- Test Plugins +- B508: snmp_insecure_version +- View page source - >> Issue: [B508:snmp_insecure_version_check] The use of SNMPv1 and - SNMPv2 is insecure. You should use SNMPv3 if able. - Severity: Medium Confidence: High - CWE: CWE-319 (https://cwe.mitre.org/data/definitions/319.html) - Location: examples/snmp.py:4:4 - More Info: https://bandit.readthedocs.io/en/latest/plugins/b508_snmp_insecure_version_check.html - 3 # SHOULD FAIL - 4 a = CommunityData('public', mpModel=0) - 5 # SHOULD FAIL \ No newline at end of file +------------------------------------------------------------------------ + +# B508: snmp_insecure_version + + + + +------------------------------------------------------------------------ + +© Copyright 2025, Bandit Developers. + +Built with Sphinx +using a theme provided by +Read the Docs. diff --git a/docs/description/B509.md b/docs/description/B509.md index b513de4..697d951 100644 --- a/docs/description/B509.md +++ b/docs/description/B509.md 
@@ -1,20 +1,162 @@ -## B509: Checking for weak cryptography +Bandit -Please update your code to use more secure versions of SNMP. For example: +- Getting + Started +- Configuration +- Integrations +- Test + Plugins + - Writing Tests + - Config Generation + - Example Test Plugin + - Plugin ID Groupings + - Complete Test Plugin Listing + - B101: assert_used + - B102: exec_used + - B103: set_bad_file_permissions + - B104: + hardcoded_bind_all_interfaces + - B105: hardcoded_password_string + - B106: + hardcoded_password_funcarg + - B107: + hardcoded_password_default + - B108: hardcoded_tmp_directory + - B109: + password_config_option_not_marked_secret + - B110: try_except_pass + - B111: + execute_with_run_as_root_equals_true + - B112: try_except_continue + - B113: request_without_timeout + - B201: flask_debug_true + - B202: tarfile_unsafe_members + - B324: hashlib + - B501: + request_with_no_cert_validation + - B502: ssl_with_bad_version + - B503: ssl_with_bad_defaults + - B504: ssl_with_no_version + - B505: weak_cryptographic_key + - B506: yaml_load + - B507: + ssh_no_host_key_verification + - B508: snmp_insecure_version + - B509: + snmp_weak_cryptography + - B601: paramiko_calls + - B602: + subprocess_popen_with_shell_equals_true + - B603: + subprocess_without_shell_equals_true + - B604: + any_other_function_with_shell_equals_true + - B605: + start_process_with_a_shell + - B606: + start_process_with_no_shell + - B607: + start_process_with_partial_path + - B608: hardcoded_sql_expressions + - B609: + linux_commands_wildcard_injection + - B610: django_extra_used + - B611: django_rawsql_used + - B612: + logging_config_insecure_listen + - B613: trojansource + - B614: pytorch_load + - B615: + huggingface_unsafe_download + - B701: jinja2_autoescape_false + - B702: use_of_mako_templates + - B703: django_mark_safe + - B704: markupsafe_markup_xss +- Blacklist Plugins +- Report Formatters +- Continuous Integration and Deployment (CI/CD) +- Frequently + Asked Questions -Instead 
of: -`CommunityData(‘public’, mpModel=0)` -Use (Defaults to usmHMACMD5AuthProtocol and usmDESPrivProtocol -`UsmUserData(“securityName”, “authName”, “privName”)` +Bandit -Example: +- +- Test Plugins +- B509: snmp_weak_cryptography +- View page source - +------------------------------------------------------------------------ - >> Issue: [B509:snmp_crypto_check] You should not use SNMPv3 without encryption. noAuthNoPriv & authNoPriv is insecure - Severity: Medium CWE: CWE-319 (https://cwe.mitre.org/data/definitions/319.html) Confidence: High - Location: examples/snmp.py:6:11 - More Info: https://bandit.readthedocs.io/en/latest/plugins/b509_snmp_crypto_check.html - 5 # SHOULD FAIL - 6 insecure = UsmUserData("securityName") - 7 # SHOULD FAIL \ No newline at end of file +# B509: snmp_weak_cryptography + + +Next + +------------------------------------------------------------------------ + +© Copyright 2025, Bandit Developers. + +Built with Sphinx +using a theme provided by +Read the Docs. diff --git a/docs/description/B601.md b/docs/description/B601.md index c990f7f..339265c 100644 --- a/docs/description/B601.md +++ b/docs/description/B601.md 
@@ -1,22 +1,163 @@ -## B601: Test for shell injection within Paramiko - -Paramiko is a Python library designed to work with the SSH2 protocol for -secure (encrypted and authenticated) connections to remote machines. It -is intended to run commands on a remote host. These commands are run -within a shell on the target and are thus vulnerable to various shell -injection attacks. Bandit reports a MEDIUM issue when it detects the use -of Paramiko’s “exec\_command” method advising the user to check inputs -are correctly sanitized. - -Example: - - - - >> Issue: Possible shell injection via Paramiko call, check inputs are - properly sanitized. - Severity: Medium Confidence: Medium - CWE: CWE-78 (https://cwe.mitre.org/data/definitions/78.html) - Location: ./examples/paramiko_injection.py:4 - 3 # this is not safe - 4 paramiko.exec_command('something; really; unsafe') - 5 \ No newline at end of file +Bandit + +- Getting + Started +- Configuration +- Integrations +- Test + Plugins + - Writing Tests + - Config Generation + - Example Test Plugin + - Plugin ID Groupings + - Complete Test Plugin Listing + - B101: assert_used + - B102: exec_used + - B103: set_bad_file_permissions + - B104: + hardcoded_bind_all_interfaces + - B105: hardcoded_password_string + - B106: + hardcoded_password_funcarg + - B107: + hardcoded_password_default + - B108: hardcoded_tmp_directory + - B109: + password_config_option_not_marked_secret + - B110: try_except_pass + - B111: + execute_with_run_as_root_equals_true + - B112: try_except_continue + - B113: request_without_timeout + - B201: flask_debug_true + - B202: tarfile_unsafe_members + - B324: hashlib + - B501: + request_with_no_cert_validation + - B502: ssl_with_bad_version + - B503: ssl_with_bad_defaults + - B504: ssl_with_no_version + - B505: weak_cryptographic_key + - B506: yaml_load + - B507: + ssh_no_host_key_verification + - B508: snmp_insecure_version + - B509: snmp_weak_cryptography + - B601: + paramiko_calls + - B602: + 
subprocess_popen_with_shell_equals_true + - B603: + subprocess_without_shell_equals_true + - B604: + any_other_function_with_shell_equals_true + - B605: + start_process_with_a_shell + - B606: + start_process_with_no_shell + - B607: + start_process_with_partial_path + - B608: hardcoded_sql_expressions + - B609: + linux_commands_wildcard_injection + - B610: django_extra_used + - B611: django_rawsql_used + - B612: + logging_config_insecure_listen + - B613: trojansource + - B614: pytorch_load + - B615: + huggingface_unsafe_download + - B701: jinja2_autoescape_false + - B702: use_of_mako_templates + - B703: django_mark_safe + - B704: markupsafe_markup_xss +- Blacklist Plugins +- Report Formatters +- Continuous Integration and Deployment (CI/CD) +- Frequently + Asked Questions + +Bandit + +- +- Test Plugins +- B601: paramiko_calls +- View page source + +------------------------------------------------------------------------ + +# B601: paramiko_calls + + + + +------------------------------------------------------------------------ + +© Copyright 2025, Bandit Developers. + +Built with Sphinx +using a theme provided by +Read the Docs. diff --git a/docs/description/B602.md b/docs/description/B602.md index 0b30e5b..a94717f 100644 --- a/docs/description/B602.md +++ b/docs/description/B602.md 
@@ -1,79 +1,162 @@ -**B602: Test for use of popen with shell equals true** - -Python possesses many mechanisms to invoke an external executable. -However, doing so may present a security issue if appropriate care is -not taken to sanitize any user provided or variable input. - -This plugin test is part of a family of tests built to check for process -spawning and warn appropriately. Specifically, this test looks for the -spawning of a subprocess using a command shell. This type of subprocess -invocation is dangerous as it is vulnerable to various shell injection -attacks. Great care should be taken to sanitize all input in order to -mitigate this risk. Calls of this type are identified by a parameter of -‘shell=True’ being given. - -Additionally, this plugin scans the command string given and adjusts its -reported severity based on how it is presented. If the command string is -a simple static string containing no special shell characters, then the -resulting issue has low severity. If the string is static, but contains -shell formatting characters or wildcards, then the reported issue is -medium. Finally, if the string is computed using Python’s string -manipulation or formatting operations, then the reported issue has high -severity. These severity levels reflect the likelihood that the code is -vulnerable to injection. - -See also: - -- ../plugins/linux\_commands\_wildcard\_injection -- ../plugins/subprocess\_without\_shell\_equals\_true -- ../plugins/start\_process\_with\_no\_shell -- ../plugins/start\_process\_with\_a\_shell -- ../plugins/start\_process\_with\_partial\_path - -**Config Options:** - -This plugin test shares a configuration with others in the same family, -namely shell\_injection. This configuration is divided up into three -sections, subprocess, shell and no\_shell. They each list Python calls -that spawn subprocesses, invoke commands within a shell, or invoke -commands without a shell (by replacing the calling process) -respectively. 
- -This plugin specifically scans for methods listed in subprocess section -that have shell=True specified. - - shell_injection: - - # Start a process using the subprocess module, or one of its - wrappers. - subprocess: - - subprocess.Popen - - subprocess.call - -Example - - - - >> Issue: subprocess call with shell=True seems safe, but may be - changed in the future, consider rewriting without shell - Severity: Low Confidence: High - Location: ./examples/subprocess_shell.py:21 - 20 subprocess.check_call(['/bin/ls', '-l'], shell=False) - 21 subprocess.check_call('/bin/ls -l', shell=True) - 22 - - >> Issue: call with shell=True contains special shell characters, - consider moving extra logic into Python code - Severity: Medium Confidence: High - Location: ./examples/subprocess_shell.py:26 - 25 - 26 subprocess.Popen('/bin/ls *', shell=True) - 27 subprocess.Popen('/bin/ls %s' % ('something',), shell=True) - - >> Issue: subprocess call with shell=True identified, security issue. - Severity: High Confidence: High - Location: ./examples/subprocess_shell.py:27 - 26 subprocess.Popen('/bin/ls *', shell=True) - 27 subprocess.Popen('/bin/ls %s' % ('something',), shell=True) - 28 subprocess.Popen('/bin/ls {}'.format('something'), shell=True) - +Bandit + +- Getting + Started +- Configuration +- Integrations +- Test + Plugins + - Writing Tests + - Config Generation + - Example Test Plugin + - Plugin ID Groupings + - Complete Test Plugin Listing + - B101: assert_used + - B102: exec_used + - B103: set_bad_file_permissions + - B104: + hardcoded_bind_all_interfaces + - B105: hardcoded_password_string + - B106: + hardcoded_password_funcarg + - B107: + hardcoded_password_default + - B108: hardcoded_tmp_directory + - B109: + password_config_option_not_marked_secret + - B110: try_except_pass + - B111: + execute_with_run_as_root_equals_true + - B112: try_except_continue + - B113: request_without_timeout + - B201: flask_debug_true + - B202: tarfile_unsafe_members + - B324: hashlib + - 
B501: + request_with_no_cert_validation + - B502: ssl_with_bad_version + - B503: ssl_with_bad_defaults + - B504: ssl_with_no_version + - B505: weak_cryptographic_key + - B506: yaml_load + - B507: + ssh_no_host_key_verification + - B508: snmp_insecure_version + - B509: snmp_weak_cryptography + - B601: paramiko_calls + - B602: + subprocess_popen_with_shell_equals_true + - B603: + subprocess_without_shell_equals_true + - B604: + any_other_function_with_shell_equals_true + - B605: + start_process_with_a_shell + - B606: + start_process_with_no_shell + - B607: + start_process_with_partial_path + - B608: hardcoded_sql_expressions + - B609: + linux_commands_wildcard_injection + - B610: django_extra_used + - B611: django_rawsql_used + - B612: + logging_config_insecure_listen + - B613: trojansource + - B614: pytorch_load + - B615: + huggingface_unsafe_download + - B701: jinja2_autoescape_false + - B702: use_of_mako_templates + - B703: django_mark_safe + - B704: markupsafe_markup_xss +- Blacklist Plugins +- Report Formatters +- Continuous Integration and Deployment (CI/CD) +- Frequently + Asked Questions + +Bandit + +- +- Test Plugins +- B602: subprocess_popen_with_shell_equals_true +- View page source + +------------------------------------------------------------------------ + +# B602: subprocess_popen_with_shell_equals_true + +Previous + + +------------------------------------------------------------------------ + +© Copyright 2025, Bandit Developers. + +Built with Sphinx +using a theme provided by +Read the Docs. diff --git a/docs/description/B603.md b/docs/description/B603.md index 38096f7..ce8d9c7 100644 --- a/docs/description/B603.md +++ b/docs/description/B603.md 
@@ -1,54 +1,163 @@ -**B603: Test for use of subprocess without shell equals true** +Bandit -Python possesses many mechanisms to invoke an external executable. -However, doing so may present a security issue if appropriate care is -not taken to sanitize any user provided or variable input. +- Getting + Started +- Configuration +- Integrations +- Test + Plugins + - Writing Tests + - Config Generation + - Example Test Plugin + - Plugin ID Groupings + - Complete Test Plugin Listing + - B101: assert_used + - B102: exec_used + - B103: set_bad_file_permissions + - B104: + hardcoded_bind_all_interfaces + - B105: hardcoded_password_string + - B106: + hardcoded_password_funcarg + - B107: + hardcoded_password_default + - B108: hardcoded_tmp_directory + - B109: + password_config_option_not_marked_secret + - B110: try_except_pass + - B111: + execute_with_run_as_root_equals_true + - B112: try_except_continue + - B113: request_without_timeout + - B201: flask_debug_true + - B202: tarfile_unsafe_members + - B324: hashlib + - B501: + request_with_no_cert_validation + - B502: ssl_with_bad_version + - B503: ssl_with_bad_defaults + - B504: ssl_with_no_version + - B505: weak_cryptographic_key + - B506: yaml_load + - B507: + ssh_no_host_key_verification + - B508: snmp_insecure_version + - B509: snmp_weak_cryptography + - B601: paramiko_calls + - B602: + subprocess_popen_with_shell_equals_true + - B603: + subprocess_without_shell_equals_true + - B604: + any_other_function_with_shell_equals_true + - B605: + start_process_with_a_shell + - B606: + start_process_with_no_shell + - B607: + start_process_with_partial_path + - B608: hardcoded_sql_expressions + - B609: + linux_commands_wildcard_injection + - B610: django_extra_used + - B611: django_rawsql_used + - B612: + logging_config_insecure_listen + - B613: trojansource + - B614: pytorch_load + - B615: + huggingface_unsafe_download + - B701: jinja2_autoescape_false + - B702: use_of_mako_templates + - B703: django_mark_safe + - B704: 
markupsafe_markup_xss +- Blacklist Plugins +- Report Formatters +- Continuous Integration and Deployment (CI/CD) +- Frequently + Asked Questions -This plugin test is part of a family of tests built to check for process -spawning and warn appropriately. Specifically, this test looks for the -spawning of a subprocess without the use of a command shell. This type -of subprocess invocation is not vulnerable to shell injection attacks, -but care should still be taken to ensure validity of input. +Bandit -Because this is a lesser issue than that described in -subprocess\_popen\_with\_shell\_equals\_true a LOW severity warning is -reported. +- +- Test Plugins +- B603: subprocess_without_shell_equals_true +- View page source -See also: +------------------------------------------------------------------------ -- ../plugins/linux\_commands\_wildcard\_injection -- ../plugins/subprocess\_popen\_with\_shell\_equals\_true -- ../plugins/start\_process\_with\_no\_shell -- ../plugins/start\_process\_with\_a\_shell -- ../plugins/start\_process\_with\_partial\_path +# B603: subprocess_without_shell_equals_true -**Config Options:** + + -This plugin test shares a configuration with others in the same family, -namely shell\_injection. This configuration is divided up into three -sections, subprocess, shell and no\_shell. They each list Python calls -that spawn subprocesses, invoke commands within a shell, or invoke -commands without a shell (by replacing the calling process) -respectively. +------------------------------------------------------------------------ -This plugin specifically scans for methods listed in subprocess section -that have shell=False specified. - - shell_injection: - # Start a process using the subprocess module, or one of its - wrappers. - subprocess: - - subprocess.Popen - - subprocess.call - -Example - - - - >> Issue: subprocess call - check for execution of untrusted input. 
- Severity: Low Confidence: High - Location: ./examples/subprocess_shell.py:23 - 22 - 23 subprocess.check_output(['/bin/ls', '-l']) - 24 +© Copyright 2025, Bandit Developers. +Built with Sphinx +using a theme provided by +Read the Docs. diff --git a/docs/description/B604.md b/docs/description/B604.md index beb8f97..0c82359 100644 --- a/docs/description/B604.md +++ b/docs/description/B604.md 
@@ -1,54 +1,162 @@ -**B604: Test for any function with shell equals true** - -Python possesses many mechanisms to invoke an external executable. -However, doing so may present a security issue if appropriate care is -not taken to sanitize any user provided or variable input. - -This plugin test is part of a family of tests built to check for process -spawning and warn appropriately. Specifically, this plugin test -interrogates method calls for the presence of a keyword parameter shell -equalling true. It is related to detection of shell injection issues and -is intended to catch custom wrappers to vulnerable methods that may have -been created. - -See also: - -- ../plugins/linux\_commands\_wildcard\_injection -- ../plugins/subprocess\_popen\_with\_shell\_equals\_true -- ../plugins/subprocess\_without\_shell\_equals\_true -- ../plugins/start\_process\_with\_no\_shell -- ../plugins/start\_process\_with\_a\_shell -- ../plugins/start\_process\_with\_partial\_path - -**Config Options:** - -This plugin test shares a configuration with others in the same family, -namely shell\_injection. This configuration is divided up into three -sections, subprocess, shell and no\_shell. They each list Python calls -that spawn subprocesses, invoke commands within a shell, or invoke -commands without a shell (by replacing the calling process) -respectively. - -Specifically, this plugin excludes those functions listed under the -subprocess section, these methods are tested in a separate specific test -plugin and this exclusion prevents duplicate issue reporting. - - shell_injection: - # Start a process using the subprocess module, or one of its - wrappers. - subprocess: [subprocess.Popen, subprocess.call, - subprocess.check_call, subprocess.check_output - execute_with_timeout] - -Example - - - - >> Issue: Function call with shell=True parameter identified, possible - security issue. 
- Severity: Medium Confidence: High - Location: ./examples/subprocess_shell.py:9 - 8 pop('/bin/gcc --version', shell=True) - 9 Popen('/bin/gcc --version', shell=True) - 10 +Bandit +- Getting + Started +- Configuration +- Integrations +- Test + Plugins + - Writing Tests + - Config Generation + - Example Test Plugin + - Plugin ID Groupings + - Complete Test Plugin Listing + - B101: assert_used + - B102: exec_used + - B103: set_bad_file_permissions + - B104: + hardcoded_bind_all_interfaces + - B105: hardcoded_password_string + - B106: + hardcoded_password_funcarg + - B107: + hardcoded_password_default + - B108: hardcoded_tmp_directory + - B109: + password_config_option_not_marked_secret + - B110: try_except_pass + - B111: + execute_with_run_as_root_equals_true + - B112: try_except_continue + - B113: request_without_timeout + - B201: flask_debug_true + - B202: tarfile_unsafe_members + - B324: hashlib + - B501: + request_with_no_cert_validation + - B502: ssl_with_bad_version + - B503: ssl_with_bad_defaults + - B504: ssl_with_no_version + - B505: weak_cryptographic_key + - B506: yaml_load + - B507: + ssh_no_host_key_verification + - B508: snmp_insecure_version + - B509: snmp_weak_cryptography + - B601: paramiko_calls + - B602: + subprocess_popen_with_shell_equals_true + - B603: + subprocess_without_shell_equals_true + - B604: + any_other_function_with_shell_equals_true + - B605: + start_process_with_a_shell + - B606: + start_process_with_no_shell + - B607: + start_process_with_partial_path + - B608: hardcoded_sql_expressions + - B609: + linux_commands_wildcard_injection + - B610: django_extra_used + - B611: django_rawsql_used + - B612: + logging_config_insecure_listen + - B613: trojansource + - B614: pytorch_load + - B615: + huggingface_unsafe_download + - B701: jinja2_autoescape_false + - B702: use_of_mako_templates + - B703: django_mark_safe + - B704: markupsafe_markup_xss +- Blacklist Plugins +- Report Formatters +- Continuous Integration and Deployment (CI/CD) +- 
Frequently + Asked Questions + +Bandit + +- +- Test Plugins +- B604: any_other_function_with_shell_equals_true +- View page source + +------------------------------------------------------------------------ + +# B604: any_other_function_with_shell_equals_true + + + + +------------------------------------------------------------------------ + +© Copyright 2025, Bandit Developers. + +Built with Sphinx +using a theme provided by +Read the Docs. diff --git a/docs/description/B605.md b/docs/description/B605.md index 15c7bdd..72ab3e9 100644 --- a/docs/description/B605.md +++ b/docs/description/B605.md 
@@ -1,58 +1,161 @@ -**B605: Test for starting a process with a shell** - -Python possesses many mechanisms to invoke an external executable. -However, doing so may present a security issue if appropriate care is -not taken to sanitize any user provided or variable input. - -This plugin test is part of a family of tests built to check for process -spawning and warn appropriately. Specifically, this test looks for the -spawning of a subprocess using a command shell. This type of subprocess -invocation is dangerous as it is vulnerable to various shell injection -attacks. Great care should be taken to sanitize all input in order to -mitigate this risk. Calls of this type are identified by the use of -certain commands which are known to use shells. Bandit will report a LOW -severity warning. - -See also: - -- ../plugins/linux\_commands\_wildcard\_injection -- ../plugins/subprocess\_without\_shell\_equals\_true -- ../plugins/start\_process\_with\_no\_shell -- ../plugins/start\_process\_with\_partial\_path -- ../plugins/subprocess\_popen\_with\_shell\_equals\_true - -**Config Options:** - -This plugin test shares a configuration with others in the same family, -namely shell\_injection. This configuration is divided up into three -sections, subprocess, shell and no\_shell. They each list Python calls -that spawn subprocesses, invoke commands within a shell, or invoke -commands without a shell (by replacing the calling process) -respectively. - -This plugin specifically scans for methods listed in shell section. - - shell_injection: - shell: - - os.system - - os.popen - - os.popen2 - - os.popen3 - - os.popen4 - - popen2.popen2 - - popen2.popen3 - - popen2.popen4 - - popen2.Popen3 - - popen2.Popen4 - - commands.getoutput - - commands.getstatusoutput - -Example - - - - >> Issue: Starting a process with a shell: check for injection. 
- Severity: Low Confidence: Medium - Location: examples/os_system.py:3 - 2 - 3 os.system('/bin/echo hi') +Bandit + +- Getting + Started +- Configuration +- Integrations +- Test + Plugins + - Writing Tests + - Config Generation + - Example Test Plugin + - Plugin ID Groupings + - Complete Test Plugin Listing + - B101: assert_used + - B102: exec_used + - B103: set_bad_file_permissions + - B104: + hardcoded_bind_all_interfaces + - B105: hardcoded_password_string + - B106: + hardcoded_password_funcarg + - B107: + hardcoded_password_default + - B108: hardcoded_tmp_directory + - B109: + password_config_option_not_marked_secret + - B110: try_except_pass + - B111: + execute_with_run_as_root_equals_true + - B112: try_except_continue + - B113: request_without_timeout + - B201: flask_debug_true + - B202: tarfile_unsafe_members + - B324: hashlib + - B501: + request_with_no_cert_validation + - B502: ssl_with_bad_version + - B503: ssl_with_bad_defaults + - B504: ssl_with_no_version + - B505: weak_cryptographic_key + - B506: yaml_load + - B507: + ssh_no_host_key_verification + - B508: snmp_insecure_version + - B509: snmp_weak_cryptography + - B601: paramiko_calls + - B602: + subprocess_popen_with_shell_equals_true + - B603: + subprocess_without_shell_equals_true + - B604: + any_other_function_with_shell_equals_true + - B605: + start_process_with_a_shell + - B606: + start_process_with_no_shell + - B607: + start_process_with_partial_path + - B608: hardcoded_sql_expressions + - B609: + linux_commands_wildcard_injection + - B610: django_extra_used + - B611: django_rawsql_used + - B612: + logging_config_insecure_listen + - B613: trojansource + - B614: pytorch_load + - B615: + huggingface_unsafe_download + - B701: jinja2_autoescape_false + - B702: use_of_mako_templates + - B703: django_mark_safe + - B704: markupsafe_markup_xss +- Blacklist Plugins +- Report Formatters +- Continuous Integration and Deployment (CI/CD) +- Frequently + Asked Questions + +Bandit + +- +- Test Plugins +- B605: 
start_process_with_a_shell +- View page source + +------------------------------------------------------------------------ + +# B605: start_process_with_a_shell + + + + +------------------------------------------------------------------------ + +© Copyright 2025, Bandit Developers. + +Built with Sphinx +using a theme provided by +Read the Docs. diff --git a/docs/description/B606.md b/docs/description/B606.md index c885766..8cea033 100644 --- a/docs/description/B606.md +++ b/docs/description/B606.md 
@@ -1,64 +1,161 @@ -**B606: Test for starting a process with no shell** +Bandit -Python possesses many mechanisms to invoke an external executable. -However, doing so may present a security issue if appropriate care is -not taken to sanitize any user provided or variable input. +- Getting + Started +- Configuration +- Integrations +- Test + Plugins + - Writing Tests + - Config Generation + - Example Test Plugin + - Plugin ID Groupings + - Complete Test Plugin Listing + - B101: assert_used + - B102: exec_used + - B103: set_bad_file_permissions + - B104: + hardcoded_bind_all_interfaces + - B105: hardcoded_password_string + - B106: + hardcoded_password_funcarg + - B107: + hardcoded_password_default + - B108: hardcoded_tmp_directory + - B109: + password_config_option_not_marked_secret + - B110: try_except_pass + - B111: + execute_with_run_as_root_equals_true + - B112: try_except_continue + - B113: request_without_timeout + - B201: flask_debug_true + - B202: tarfile_unsafe_members + - B324: hashlib + - B501: + request_with_no_cert_validation + - B502: ssl_with_bad_version + - B503: ssl_with_bad_defaults + - B504: ssl_with_no_version + - B505: weak_cryptographic_key + - B506: yaml_load + - B507: + ssh_no_host_key_verification + - B508: snmp_insecure_version + - B509: snmp_weak_cryptography + - B601: paramiko_calls + - B602: + subprocess_popen_with_shell_equals_true + - B603: + subprocess_without_shell_equals_true + - B604: + any_other_function_with_shell_equals_true + - B605: + start_process_with_a_shell + - B606: + start_process_with_no_shell + - B607: + start_process_with_partial_path + - B608: hardcoded_sql_expressions + - B609: + linux_commands_wildcard_injection + - B610: django_extra_used + - B611: django_rawsql_used + - B612: + logging_config_insecure_listen + - B613: trojansource + - B614: pytorch_load + - B615: + huggingface_unsafe_download + - B701: jinja2_autoescape_false + - B702: use_of_mako_templates + - B703: django_mark_safe + - B704: 
markupsafe_markup_xss +- Blacklist Plugins +- Report Formatters +- Continuous Integration and Deployment (CI/CD) +- Frequently + Asked Questions -This plugin test is part of a family of tests built to check for process -spawning and warn appropriately. Specifically, this test looks for the -spawning of a subprocess in a way that doesn’t use a shell. Although -this is generally safe, it maybe useful for penetration testing -workflows to track where external system calls are used. As such a LOW -severity message is generated. +Bandit -See also: +- +- Test Plugins +- B606: start_process_with_no_shell +- View page source -- ../plugins/linux\_commands\_wildcard\_injection -- ../plugins/subprocess\_without\_shell\_equals\_true -- ../plugins/start\_process\_with\_a\_shell -- ../plugins/start\_process\_with\_partial\_path -- ../plugins/subprocess\_popen\_with\_shell\_equals\_true +------------------------------------------------------------------------ -**Config Options:** +# B606: start_process_with_no_shell -This plugin test shares a configuration with others in the same family, -namely shell\_injection. This configuration is divided up into three -sections, subprocess, shell and no\_shell. They each list Python calls -that spawn subprocesses, invoke commands within a shell, or invoke -commands without a shell (by replacing the calling process) -respectively. + + -This plugin specifically scans for methods listed in no\_shell section. +------------------------------------------------------------------------ - shell_injection: - no_shell: - - os.execl - - os.execle - - os.execlp - - os.execlpe - - os.execv - - os.execve - - os.execvp - - os.execvpe - - os.spawnl - - os.spawnle - - os.spawnlp - - os.spawnlpe - - os.spawnv - - os.spawnve - - os.spawnvp - - os.spawnvpe - - os.startfile - -Example - - - - >> Issue: [start_process_with_no_shell] Starting a process without a - shell. 
- Severity: Low Confidence: Medium - Location: examples/os-spawn.py:8 - 7 os.spawnv(mode, path, args) - 8 os.spawnve(mode, path, args, env) - 9 os.spawnvp(mode, file, args) +© Copyright 2025, Bandit Developers. +Built with Sphinx +using a theme provided by +Read the Docs. diff --git a/docs/description/B607.md b/docs/description/B607.md index d161c2a..80047f2 100644 --- a/docs/description/B607.md +++ b/docs/description/B607.md 
@@ -1,62 +1,162 @@ -**B607: Test for starting a process with a partial path** - -Python possesses many mechanisms to invoke an external executable. If -the desired executable path is not fully qualified relative to the -filesystem root then this may present a potential security risk. - -In POSIX environments, the PATH environment variable is used to specify -a set of standard locations that will be searched for the first matching -named executable. While convenient, this behavior may allow a malicious -actor to exert control over a system. If they are able to adjust the -contents of the PATH variable, or manipulate the file system, then a -bogus executable may be discovered in place of the desired one. This -executable will be invoked with the user privileges of the Python -process that spawned it, potentially a highly privileged user. - -This test will scan the parameters of all configured Python methods, -looking for paths that do not start at the filesystem root, that is, do -not have a leading ‘/’ character. - -**Config Options:** - -This plugin test shares a configuration with others in the same family, -namely shell\_injection. This configuration is divided up into three -sections, subprocess, shell and no\_shell. They each list Python calls -that spawn subprocesses, invoke commands within a shell, or invoke -commands without a shell (by replacing the calling process) -respectively. - -This test will scan parameters of all methods in all sections. Note that -methods are fully qualified and de-aliased prior to checking. - - shell_injection: - # Start a process using the subprocess module, or one of its - wrappers. - subprocess: - - subprocess.Popen - - subprocess.call - - # Start a process with a function vulnerable to shell injection. - shell: - - os.system - - os.popen - - popen2.Popen3 - - popen2.Popen4 - - commands.getoutput - - commands.getstatusoutput - # Start a process with a function that is not vulnerable to shell - injection. 
- no_shell: - - os.execl - - os.execle - -Example - - - - >> Issue: Starting a process with a partial executable path - Severity: Low Confidence: High - Location: ./examples/partial_path_process.py:3 - 2 from subprocess import Popen as pop - 3 pop('gcc --version', shell=False) +Bandit +- Getting + Started +- Configuration +- Integrations +- Test + Plugins + - Writing Tests + - Config Generation + - Example Test Plugin + - Plugin ID Groupings + - Complete Test Plugin Listing + - B101: assert_used + - B102: exec_used + - B103: set_bad_file_permissions + - B104: + hardcoded_bind_all_interfaces + - B105: hardcoded_password_string + - B106: + hardcoded_password_funcarg + - B107: + hardcoded_password_default + - B108: hardcoded_tmp_directory + - B109: + password_config_option_not_marked_secret + - B110: try_except_pass + - B111: + execute_with_run_as_root_equals_true + - B112: try_except_continue + - B113: request_without_timeout + - B201: flask_debug_true + - B202: tarfile_unsafe_members + - B324: hashlib + - B501: + request_with_no_cert_validation + - B502: ssl_with_bad_version + - B503: ssl_with_bad_defaults + - B504: ssl_with_no_version + - B505: weak_cryptographic_key + - B506: yaml_load + - B507: + ssh_no_host_key_verification + - B508: snmp_insecure_version + - B509: snmp_weak_cryptography + - B601: paramiko_calls + - B602: + subprocess_popen_with_shell_equals_true + - B603: + subprocess_without_shell_equals_true + - B604: + any_other_function_with_shell_equals_true + - B605: + start_process_with_a_shell + - B606: + start_process_with_no_shell + - B607: + start_process_with_partial_path + - B608: hardcoded_sql_expressions + - B609: + linux_commands_wildcard_injection + - B610: django_extra_used + - B611: django_rawsql_used + - B612: + logging_config_insecure_listen + - B613: trojansource + - B614: pytorch_load + - B615: + huggingface_unsafe_download + - B701: jinja2_autoescape_false + - B702: use_of_mako_templates + - B703: django_mark_safe + - B704: 
markupsafe_markup_xss +- Blacklist Plugins +- Report Formatters +- Continuous Integration and Deployment (CI/CD) +- Frequently + Asked Questions + +Bandit + +- +- Test Plugins +- B607: start_process_with_partial_path +- View page source + +------------------------------------------------------------------------ + +# B607: start_process_with_partial_path + + + + +------------------------------------------------------------------------ + +© Copyright 2025, Bandit Developers. + +Built with Sphinx +using a theme provided by +Read the Docs. diff --git a/docs/description/B608.md b/docs/description/B608.md index 7e8b795..ea59ed4 100644 --- a/docs/description/B608.md +++ b/docs/description/B608.md 
@@ -1,26 +1,162 @@ -## B608: Test for SQL injection +Bandit -An SQL injection attack consists of insertion or “injection” of a SQL query via the input data given to an application. It is a very common attack vector. This plugin test looks for strings that resemble SQL statements that are involved in some form of string building operation. For example: +- Getting + Started +- Configuration +- Integrations +- Test + Plugins + - Writing Tests + - Config Generation + - Example Test Plugin + - Plugin ID Groupings + - Complete Test Plugin Listing + - B101: assert_used + - B102: exec_used + - B103: set_bad_file_permissions + - B104: + hardcoded_bind_all_interfaces + - B105: hardcoded_password_string + - B106: + hardcoded_password_funcarg + - B107: + hardcoded_password_default + - B108: hardcoded_tmp_directory + - B109: + password_config_option_not_marked_secret + - B110: try_except_pass + - B111: + execute_with_run_as_root_equals_true + - B112: try_except_continue + - B113: request_without_timeout + - B201: flask_debug_true + - B202: tarfile_unsafe_members + - B324: hashlib + - B501: + request_with_no_cert_validation + - B502: ssl_with_bad_version + - B503: ssl_with_bad_defaults + - B504: ssl_with_no_version + - B505: weak_cryptographic_key + - B506: yaml_load + - B507: + ssh_no_host_key_verification + - B508: snmp_insecure_version + - B509: snmp_weak_cryptography + - B601: paramiko_calls + - B602: + subprocess_popen_with_shell_equals_true + - B603: + subprocess_without_shell_equals_true + - B604: + any_other_function_with_shell_equals_true + - B605: + start_process_with_a_shell + - B606: + start_process_with_no_shell + - B607: + start_process_with_partial_path + - B608: + hardcoded_sql_expressions + - B609: + linux_commands_wildcard_injection + - B610: django_extra_used + - B611: django_rawsql_used + - B612: + logging_config_insecure_listen + - B613: trojansource + - B614: pytorch_load + - B615: + huggingface_unsafe_download + - B701: jinja2_autoescape_false + - B702: 
use_of_mako_templates + - B703: django_mark_safe + - B704: markupsafe_markup_xss +- Blacklist Plugins +- Report Formatters +- Continuous Integration and Deployment (CI/CD) +- Frequently + Asked Questions -* “SELECT %s FROM derp;” % var -* “SELECT thing FROM ” + tab -* “SELECT ” + val + ” FROM ” + tab + … -* “SELECT {} FROM derp;”.format(var) -* f”SELECT foo FROM bar WHERE id = {product}” -* -Unless care is taken to sanitize and control the input data when building such SQL statement strings, an injection attack becomes possible. If strings of this nature are discovered, a LOW confidence issue is reported. In order to boost result confidence, this plugin test will also check to see if the discovered string is in use with standard Python DBAPI calls execute or executemany. If so, a MEDIUM issue is reported. For example: +Bandit -* cursor.execute(“SELECT %s FROM derp;” % var) +- +- Test Plugins +- B608: hardcoded_sql_expressions +- View page source -Example: +------------------------------------------------------------------------ - +# B608: hardcoded_sql_expressions - >> Issue: Possible SQL injection vector through string-based query - construction. - Severity: Medium Confidence: Low - CWE: CWE-89 (https://cwe.mitre.org/data/definitions/89.html) - Location: ./examples/sql_statements.py:4 - 3 query = "DELETE FROM foo WHERE id = '%s'" % identifier - 4 query = "UPDATE foo SET value = 'b' WHERE id = '%s'" % identifier - 5 + + + +------------------------------------------------------------------------ + +© Copyright 2025, Bandit Developers. + +Built with Sphinx +using a theme provided by +Read the Docs. diff --git a/docs/description/B609.md b/docs/description/B609.md index be3ac6d..a8f5cc0 100644 --- a/docs/description/B609.md +++ b/docs/description/B609.md 
@@ -1,72 +1,162 @@ -## B609: Test for use of wildcard injection +Bandit -Python provides a number of methods that emulate the behavior of -standard Linux command line utilities. Like their Linux counterparts, -these commands may take a wildcard “\*” character in place of a file -system path. This is interpreted to mean “any and all files or folders” -and can be used to build partially qualified paths, such as -“/home/user/\*”. +- Getting + Started +- Configuration +- Integrations +- Test + Plugins + - Writing Tests + - Config Generation + - Example Test Plugin + - Plugin ID Groupings + - Complete Test Plugin Listing + - B101: assert_used + - B102: exec_used + - B103: set_bad_file_permissions + - B104: + hardcoded_bind_all_interfaces + - B105: hardcoded_password_string + - B106: + hardcoded_password_funcarg + - B107: + hardcoded_password_default + - B108: hardcoded_tmp_directory + - B109: + password_config_option_not_marked_secret + - B110: try_except_pass + - B111: + execute_with_run_as_root_equals_true + - B112: try_except_continue + - B113: request_without_timeout + - B201: flask_debug_true + - B202: tarfile_unsafe_members + - B324: hashlib + - B501: + request_with_no_cert_validation + - B502: ssl_with_bad_version + - B503: ssl_with_bad_defaults + - B504: ssl_with_no_version + - B505: weak_cryptographic_key + - B506: yaml_load + - B507: + ssh_no_host_key_verification + - B508: snmp_insecure_version + - B509: snmp_weak_cryptography + - B601: paramiko_calls + - B602: + subprocess_popen_with_shell_equals_true + - B603: + subprocess_without_shell_equals_true + - B604: + any_other_function_with_shell_equals_true + - B605: + start_process_with_a_shell + - B606: + start_process_with_no_shell + - B607: + start_process_with_partial_path + - B608: hardcoded_sql_expressions + - B609: + linux_commands_wildcard_injection + - B610: django_extra_used + - B611: django_rawsql_used + - B612: + logging_config_insecure_listen + - B613: trojansource + - B614: pytorch_load + - B615: + 
huggingface_unsafe_download + - B701: jinja2_autoescape_false + - B702: use_of_mako_templates + - B703: django_mark_safe + - B704: markupsafe_markup_xss +- Blacklist Plugins +- Report Formatters +- Continuous Integration and Deployment (CI/CD) +- Frequently + Asked Questions -The use of partially qualified paths may result in unintended -consequences if an unexpected file or symlink is placed into the path -location given. This becomes particularly dangerous when combined with -commands used to manipulate file permissions or copy data off of a -system. +Bandit -This test plugin looks for usage of the following commands in -conjunction with wild card parameters: +- +- Test Plugins +- B609: linux_commands_wildcard_injection +- View page source -As well as any method configured in the shell or subprocess injection -test configurations. +------------------------------------------------------------------------ -**Config Options:** +# B609: linux_commands_wildcard_injection -This plugin test shares a configuration with others in the same family, -namely shell\_injection. This configuration is divided up into three -sections, subprocess, shell and no\_shell. They each list Python calls -that spawn subprocesses, invoke commands within a shell, or invoke -commands without a shell (by replacing the calling process) -respectively. + + -This test will scan parameters of all methods in all sections. Note that -methods are fully qualified and de-aliased prior to checking. +------------------------------------------------------------------------ - # shell_injection: - # Start a process using the subprocess module, or one of its wrappers. - subprocess: - subprocess.Popen - subprocess.call +© Copyright 2025, Bandit Developers. - # Start a process with a function vulnerable to shell injection. 
- shell: - - os.system - - os.popen - - popen2.Popen3 - - popen2.Popen4 - - commands.getoutput - - commands.getstatusoutput - # Start a process with a function that is not vulnerable to shell - injection. - no_shell: - - os.execl - - os.execle - -Example: - - - - >> Issue: Possible wildcard injection in call: subprocess.Popen - Severity: High Confidence: Medium - CWE-78 (https://cwe.mitre.org/data/definitions/78.html) - Location: ./examples/wildcard-injection.py:8 - 7 o.popen2('/bin/chmod *') - 8 subp.Popen('/bin/chown *', shell=True) - 9 - - >> Issue: subprocess call - check for execution of untrusted input. - Severity: Low Confidence: High - CWE-78 (https://cwe.mitre.org/data/definitions/78.html) - Location: ./examples/wildcard-injection.py:11 - 10 # Not vulnerable to wildcard injection - 11 subp.Popen('/bin/rsync *') - 12 subp.Popen("/bin/chmod *") \ No newline at end of file +Built with Sphinx +using a theme provided by +Read the Docs. diff --git a/docs/description/B610.md b/docs/description/B610.md index e73da1b..e175e13 100644 --- a/docs/description/B610.md +++ b/docs/description/B610.md 
@@ -1,13 +1,162 @@ -**B610: Potential SQL injection on extra function** +Bandit -Example: +- Getting + Started +- Configuration +- Integrations +- Test + Plugins + - Writing Tests + - Config Generation + - Example Test Plugin + - Plugin ID Groupings + - Complete Test Plugin Listing + - B101: assert_used + - B102: exec_used + - B103: set_bad_file_permissions + - B104: + hardcoded_bind_all_interfaces + - B105: hardcoded_password_string + - B106: + hardcoded_password_funcarg + - B107: + hardcoded_password_default + - B108: hardcoded_tmp_directory + - B109: + password_config_option_not_marked_secret + - B110: try_except_pass + - B111: + execute_with_run_as_root_equals_true + - B112: try_except_continue + - B113: request_without_timeout + - B201: flask_debug_true + - B202: tarfile_unsafe_members + - B324: hashlib + - B501: + request_with_no_cert_validation + - B502: ssl_with_bad_version + - B503: ssl_with_bad_defaults + - B504: ssl_with_no_version + - B505: weak_cryptographic_key + - B506: yaml_load + - B507: + ssh_no_host_key_verification + - B508: snmp_insecure_version + - B509: snmp_weak_cryptography + - B601: paramiko_calls + - B602: + subprocess_popen_with_shell_equals_true + - B603: + subprocess_without_shell_equals_true + - B604: + any_other_function_with_shell_equals_true + - B605: + start_process_with_a_shell + - B606: + start_process_with_no_shell + - B607: + start_process_with_partial_path + - B608: hardcoded_sql_expressions + - B609: + linux_commands_wildcard_injection + - B610: + django_extra_used + - B611: django_rawsql_used + - B612: + logging_config_insecure_listen + - B613: trojansource + - B614: pytorch_load + - B615: + huggingface_unsafe_download + - B701: jinja2_autoescape_false + - B702: use_of_mako_templates + - B703: django_mark_safe + - B704: markupsafe_markup_xss +- Blacklist Plugins +- Report Formatters +- Continuous Integration and Deployment (CI/CD) +- Frequently + Asked Questions - +Bandit - >> Issue: [B610:django_extra_used] Use of extra 
potential SQL attack vector. - Severity: Medium Confidence: Medium - CWE: CWE-89 (https://cwe.mitre.org/data/definitions/89.html) - Location: examples/django_sql_injection_extra.py:29:0 - More Info: https://bandit.readthedocs.io/en/latest/plugins/b610_django_extra_used.html - 28 tables_str = 'django_content_type" WHERE "auth_user"."username"="admin' - 29 User.objects.all().extra(tables=[tables_str]).distinct() +- +- Test Plugins +- B610: django_extra_used +- View page source + +------------------------------------------------------------------------ + +# B610: django_extra_used + + + + +------------------------------------------------------------------------ + +© Copyright 2025, Bandit Developers. + +Built with Sphinx +using a theme provided by +Read the Docs. diff --git a/docs/description/B611.md b/docs/description/B611.md index 4a2abf2..f96cf55 100644 --- a/docs/description/B611.md +++ b/docs/description/B611.md 
@@ -1,13 +1,162 @@ -**B611: Potential SQL injection on RawSQL function** +Bandit -Example: +- Getting + Started +- Configuration +- Integrations +- Test + Plugins + - Writing Tests + - Config Generation + - Example Test Plugin + - Plugin ID Groupings + - Complete Test Plugin Listing + - B101: assert_used + - B102: exec_used + - B103: set_bad_file_permissions + - B104: + hardcoded_bind_all_interfaces + - B105: hardcoded_password_string + - B106: + hardcoded_password_funcarg + - B107: + hardcoded_password_default + - B108: hardcoded_tmp_directory + - B109: + password_config_option_not_marked_secret + - B110: try_except_pass + - B111: + execute_with_run_as_root_equals_true + - B112: try_except_continue + - B113: request_without_timeout + - B201: flask_debug_true + - B202: tarfile_unsafe_members + - B324: hashlib + - B501: + request_with_no_cert_validation + - B502: ssl_with_bad_version + - B503: ssl_with_bad_defaults + - B504: ssl_with_no_version + - B505: weak_cryptographic_key + - B506: yaml_load + - B507: + ssh_no_host_key_verification + - B508: snmp_insecure_version + - B509: snmp_weak_cryptography + - B601: paramiko_calls + - B602: + subprocess_popen_with_shell_equals_true + - B603: + subprocess_without_shell_equals_true + - B604: + any_other_function_with_shell_equals_true + - B605: + start_process_with_a_shell + - B606: + start_process_with_no_shell + - B607: + start_process_with_partial_path + - B608: hardcoded_sql_expressions + - B609: + linux_commands_wildcard_injection + - B610: django_extra_used + - B611: + django_rawsql_used + - B612: + logging_config_insecure_listen + - B613: trojansource + - B614: pytorch_load + - B615: + huggingface_unsafe_download + - B701: jinja2_autoescape_false + - B702: use_of_mako_templates + - B703: django_mark_safe + - B704: markupsafe_markup_xss +- Blacklist Plugins +- Report Formatters +- Continuous Integration and Deployment (CI/CD) +- Frequently + Asked Questions - +Bandit - >> Issue: [B611:django_rawsql_used] Use of RawSQL 
potential SQL attack vector. - Severity: Medium Confidence: Medium - CWE: CWE-89 (https://cwe.mitre.org/data/definitions/89.html) - Location: examples/django_sql_injection_raw.py:11:26 - More Info: https://bandit.readthedocs.io/en/latest/plugins/b611_django_rawsql_used.html - 10 ' WHERE "username"="admin" OR 1=%s --' - 11 User.objects.annotate(val=RawSQL(raw, [0])) +- +- Test Plugins +- B611: django_rawsql_used +- View page source + +------------------------------------------------------------------------ + +# B611: django_rawsql_used + +Previous + + +------------------------------------------------------------------------ + +© Copyright 2025, Bandit Developers. + +Built with Sphinx +using a theme provided by +Read the Docs. diff --git a/docs/description/B612.md b/docs/description/B612.md index 57ae200..e7167b6 100644 --- a/docs/description/B612.md +++ b/docs/description/B612.md 
@@ -1,24 +1,162 @@ -## B612: Test for insecure use of logging.config.listen - -This plugin test checks for the unsafe usage of the logging.config.listen function. -The logging.config.listen function provides the ability to listen for external -configuration files on a socket server. Because portions of the configuration -are passed through eval(), use of this function may open its users to a security risk. -While the function only binds to a socket on localhost, and so does not accept connections -from remote machines, there are scenarios where untrusted code could be run under the account -of the process which calls listen(). - -logging.config.listen provides the ability to verify bytes received across the socket -with signature verification or encryption/decryption. - -Example: - - - - >> Issue: [B612:logging_config_listen] Use of insecure - logging.config.listen detected. - Severity: Medium Confidence: High - CWE: CWE-94 (https://cwe.mitre.org/data/definitions/94.html) - Location: examples/logging_config_insecure_listen.py:3:4 - 2 - 3 t = logging.config.listen(9999) \ No newline at end of file +Bandit + +- Getting + Started +- Configuration +- Integrations +- Test + Plugins + - Writing Tests + - Config Generation + - Example Test Plugin + - Plugin ID Groupings + - Complete Test Plugin Listing + - B101: assert_used + - B102: exec_used + - B103: set_bad_file_permissions + - B104: + hardcoded_bind_all_interfaces + - B105: hardcoded_password_string + - B106: + hardcoded_password_funcarg + - B107: + hardcoded_password_default + - B108: hardcoded_tmp_directory + - B109: + password_config_option_not_marked_secret + - B110: try_except_pass + - B111: + execute_with_run_as_root_equals_true + - B112: try_except_continue + - B113: request_without_timeout + - B201: flask_debug_true + - B202: tarfile_unsafe_members + - B324: hashlib + - B501: + request_with_no_cert_validation + - B502: ssl_with_bad_version + - B503: ssl_with_bad_defaults + - B504: ssl_with_no_version + - 
B505: weak_cryptographic_key + - B506: yaml_load + - B507: + ssh_no_host_key_verification + - B508: snmp_insecure_version + - B509: snmp_weak_cryptography + - B601: paramiko_calls + - B602: + subprocess_popen_with_shell_equals_true + - B603: + subprocess_without_shell_equals_true + - B604: + any_other_function_with_shell_equals_true + - B605: + start_process_with_a_shell + - B606: + start_process_with_no_shell + - B607: + start_process_with_partial_path + - B608: hardcoded_sql_expressions + - B609: + linux_commands_wildcard_injection + - B610: django_extra_used + - B611: django_rawsql_used + - B612: + logging_config_insecure_listen + - B613: trojansource + - B614: pytorch_load + - B615: + huggingface_unsafe_download + - B701: jinja2_autoescape_false + - B702: use_of_mako_templates + - B703: django_mark_safe + - B704: markupsafe_markup_xss +- Blacklist Plugins +- Report Formatters +- Continuous Integration and Deployment (CI/CD) +- Frequently + Asked Questions + +Bandit + +- +- Test Plugins +- B612: logging_config_insecure_listen +- View page source + +------------------------------------------------------------------------ + +# B612: logging_config_insecure_listen + + +Next + +------------------------------------------------------------------------ + +© Copyright 2025, Bandit Developers. + +Built with Sphinx +using a theme provided by +Read the Docs. diff --git a/docs/description/B613.md b/docs/description/B613.md new file mode 100644 index 0000000..1fdd279 --- /dev/null +++ b/docs/description/B613.md 
@@ -0,0 +1,162 @@ +Bandit + +- Getting + Started +- Configuration +- Integrations +- Test + Plugins + - Writing Tests + - Config Generation + - Example Test Plugin + - Plugin ID Groupings + - Complete Test Plugin Listing + - B101: assert_used + - B102: exec_used + - B103: set_bad_file_permissions + - B104: + hardcoded_bind_all_interfaces + - B105: hardcoded_password_string + - B106: + hardcoded_password_funcarg + - B107: + hardcoded_password_default + - B108: hardcoded_tmp_directory + - B109: + password_config_option_not_marked_secret + - B110: try_except_pass + - B111: + execute_with_run_as_root_equals_true + - B112: try_except_continue + - B113: request_without_timeout + - B201: flask_debug_true + - B202: tarfile_unsafe_members + - B324: hashlib + - B501: + request_with_no_cert_validation + - B502: ssl_with_bad_version + - B503: ssl_with_bad_defaults + - B504: ssl_with_no_version + - B505: weak_cryptographic_key + - B506: yaml_load + - B507: + ssh_no_host_key_verification + - B508: snmp_insecure_version + - B509: snmp_weak_cryptography + - B601: paramiko_calls + - B602: + subprocess_popen_with_shell_equals_true + - B603: + subprocess_without_shell_equals_true + - B604: + any_other_function_with_shell_equals_true + - B605: + start_process_with_a_shell + - B606: + start_process_with_no_shell + - B607: + start_process_with_partial_path + - B608: hardcoded_sql_expressions + - B609: + linux_commands_wildcard_injection + - B610: django_extra_used + - B611: django_rawsql_used + - B612: + logging_config_insecure_listen + - B613: + trojansource + - B614: pytorch_load + - B615: + huggingface_unsafe_download + - B701: jinja2_autoescape_false + - B702: use_of_mako_templates + - B703: django_mark_safe + - B704: markupsafe_markup_xss +- Blacklist Plugins +- Report Formatters +- Continuous Integration and Deployment (CI/CD) +- Frequently + Asked Questions + +Bandit + +- +- Test Plugins +- B613: trojansource +- View page source + 
+------------------------------------------------------------------------ + +# B613: trojansource + + +Next + +------------------------------------------------------------------------ + +© Copyright 2025, Bandit Developers. + +Built with Sphinx +using a theme provided by +Read the Docs. diff --git a/docs/description/B614.md b/docs/description/B614.md new file mode 100644 index 0000000..3538e5a --- /dev/null +++ b/docs/description/B614.md 
@@ -0,0 +1,162 @@ +Bandit + +- Getting + Started +- Configuration +- Integrations +- Test + Plugins + - Writing Tests + - Config Generation + - Example Test Plugin + - Plugin ID Groupings + - Complete Test Plugin Listing + - B101: assert_used + - B102: exec_used + - B103: set_bad_file_permissions + - B104: + hardcoded_bind_all_interfaces + - B105: hardcoded_password_string + - B106: + hardcoded_password_funcarg + - B107: + hardcoded_password_default + - B108: hardcoded_tmp_directory + - B109: + password_config_option_not_marked_secret + - B110: try_except_pass + - B111: + execute_with_run_as_root_equals_true + - B112: try_except_continue + - B113: request_without_timeout + - B201: flask_debug_true + - B202: tarfile_unsafe_members + - B324: hashlib + - B501: + request_with_no_cert_validation + - B502: ssl_with_bad_version + - B503: ssl_with_bad_defaults + - B504: ssl_with_no_version + - B505: weak_cryptographic_key + - B506: yaml_load + - B507: + ssh_no_host_key_verification + - B508: snmp_insecure_version + - B509: snmp_weak_cryptography + - B601: paramiko_calls + - B602: + subprocess_popen_with_shell_equals_true + - B603: + subprocess_without_shell_equals_true + - B604: + any_other_function_with_shell_equals_true + - B605: + start_process_with_a_shell + - B606: + start_process_with_no_shell + - B607: + start_process_with_partial_path + - B608: hardcoded_sql_expressions + - B609: + linux_commands_wildcard_injection + - B610: django_extra_used + - B611: django_rawsql_used + - B612: + logging_config_insecure_listen + - B613: trojansource + - B614: + pytorch_load + - B615: + huggingface_unsafe_download + - B701: jinja2_autoescape_false + - B702: use_of_mako_templates + - B703: django_mark_safe + - B704: markupsafe_markup_xss +- Blacklist Plugins +- Report Formatters +- Continuous Integration and Deployment (CI/CD) +- Frequently + Asked Questions + +Bandit + +- +- Test Plugins +- B614: pytorch_load +- View page source + 
+------------------------------------------------------------------------ + +# B614: pytorch_load + +Previous + + +------------------------------------------------------------------------ + +© Copyright 2025, Bandit Developers. + +Built with Sphinx +using a theme provided by +Read the Docs. diff --git a/docs/description/B615.md b/docs/description/B615.md new file mode 100644 index 0000000..e905ea0 --- /dev/null +++ b/docs/description/B615.md 
@@ -0,0 +1,161 @@ +Bandit + +- Getting + Started +- Configuration +- Integrations +- Test + Plugins + - Writing Tests + - Config Generation + - Example Test Plugin + - Plugin ID Groupings + - Complete Test Plugin Listing + - B101: assert_used + - B102: exec_used + - B103: set_bad_file_permissions + - B104: + hardcoded_bind_all_interfaces + - B105: hardcoded_password_string + - B106: + hardcoded_password_funcarg + - B107: + hardcoded_password_default + - B108: hardcoded_tmp_directory + - B109: + password_config_option_not_marked_secret + - B110: try_except_pass + - B111: + execute_with_run_as_root_equals_true + - B112: try_except_continue + - B113: request_without_timeout + - B201: flask_debug_true + - B202: tarfile_unsafe_members + - B324: hashlib + - B501: + request_with_no_cert_validation + - B502: ssl_with_bad_version + - B503: ssl_with_bad_defaults + - B504: ssl_with_no_version + - B505: weak_cryptographic_key + - B506: yaml_load + - B507: + ssh_no_host_key_verification + - B508: snmp_insecure_version + - B509: snmp_weak_cryptography + - B601: paramiko_calls + - B602: + subprocess_popen_with_shell_equals_true + - B603: + subprocess_without_shell_equals_true + - B604: + any_other_function_with_shell_equals_true + - B605: + start_process_with_a_shell + - B606: + start_process_with_no_shell + - B607: + start_process_with_partial_path + - B608: hardcoded_sql_expressions + - B609: + linux_commands_wildcard_injection + - B610: django_extra_used + - B611: django_rawsql_used + - B612: + logging_config_insecure_listen + - B613: trojansource + - B614: pytorch_load + - B615: + huggingface_unsafe_download + - B701: jinja2_autoescape_false + - B702: use_of_mako_templates + - B703: django_mark_safe + - B704: markupsafe_markup_xss +- Blacklist Plugins +- Report Formatters +- Continuous Integration and Deployment (CI/CD) +- Frequently + Asked Questions + +Bandit + +- +- Test Plugins +- B615: huggingface_unsafe_download +- View page source + 
+------------------------------------------------------------------------ + +# B615: huggingface_unsafe_download + +Previous + + +------------------------------------------------------------------------ + +© Copyright 2025, Bandit Developers. + +Built with Sphinx +using a theme provided by +Read the Docs. diff --git a/docs/description/B701.md b/docs/description/B701.md index ee878d0..82df86b 100644 --- a/docs/description/B701.md +++ b/docs/description/B701.md 
@@ -1,43 +1,162 @@ -## B701: Test for not auto escaping in jinja2 - -Jinja2 is a Python HTML templating system. It is typically used to build -web applications, though appears in other places well, notably the -Ansible automation system. When configuring the Jinja2 environment, the -option to use autoescaping on input can be specified. When autoescaping -is enabled, Jinja2 will filter input strings to escape any HTML content -submitted via template variables. Without escaping HTML input the -application becomes vulnerable to Cross Site Scripting (XSS) attacks. - -Unfortunately, autoescaping is False by default. Thus this plugin test -will warn on omission of an autoescape setting, as well as an explicit -setting of false. A HIGH severity warning is generated in either of -these scenarios. - -Example: - - - - >> Issue: Using jinja2 templates with autoescape=False is dangerous and can - lead to XSS. Use autoescape=True to mitigate XSS vulnerabilities. - Severity: High Confidence: High - CWE: CWE-94 (https://cwe.mitre.org/data/definitions/94.html) - Location: ./examples/jinja2_templating.py:11 - 10 templateEnv = jinja2.Environment(autoescape=False, - loader=templateLoader) - 11 Environment(loader=templateLoader, - 12 load=templateLoader, - 13 autoescape=False) - 14 - - >> Issue: By default, jinja2 sets autoescape to False. Consider using - autoescape=True or use the select_autoescape function to mitigate XSS - vulnerabilities. 
- Severity: High Confidence: High - CWE: CWE-94 (https://cwe.mitre.org/data/definitions/94.html) - Location: ./examples/jinja2_templating.py:15 - 14 - 15 Environment(loader=templateLoader, - 16 load=templateLoader) - 17 - 18 Environment(autoescape=select_autoescape(['html', 'htm', 'xml']), - 19 loader=templateLoader) \ No newline at end of file +Bandit + +- Getting + Started +- Configuration +- Integrations +- Test + Plugins + - Writing Tests + - Config Generation + - Example Test Plugin + - Plugin ID Groupings + - Complete Test Plugin Listing + - B101: assert_used + - B102: exec_used + - B103: set_bad_file_permissions + - B104: + hardcoded_bind_all_interfaces + - B105: hardcoded_password_string + - B106: + hardcoded_password_funcarg + - B107: + hardcoded_password_default + - B108: hardcoded_tmp_directory + - B109: + password_config_option_not_marked_secret + - B110: try_except_pass + - B111: + execute_with_run_as_root_equals_true + - B112: try_except_continue + - B113: request_without_timeout + - B201: flask_debug_true + - B202: tarfile_unsafe_members + - B324: hashlib + - B501: + request_with_no_cert_validation + - B502: ssl_with_bad_version + - B503: ssl_with_bad_defaults + - B504: ssl_with_no_version + - B505: weak_cryptographic_key + - B506: yaml_load + - B507: + ssh_no_host_key_verification + - B508: snmp_insecure_version + - B509: snmp_weak_cryptography + - B601: paramiko_calls + - B602: + subprocess_popen_with_shell_equals_true + - B603: + subprocess_without_shell_equals_true + - B604: + any_other_function_with_shell_equals_true + - B605: + start_process_with_a_shell + - B606: + start_process_with_no_shell + - B607: + start_process_with_partial_path + - B608: hardcoded_sql_expressions + - B609: + linux_commands_wildcard_injection + - B610: django_extra_used + - B611: django_rawsql_used + - B612: + logging_config_insecure_listen + - B613: trojansource + - B614: pytorch_load + - B615: + huggingface_unsafe_download + - B701: + jinja2_autoescape_false + - B702: 
use_of_mako_templates + - B703: django_mark_safe + - B704: markupsafe_markup_xss +- Blacklist Plugins +- Report Formatters +- Continuous Integration and Deployment (CI/CD) +- Frequently + Asked Questions + +Bandit + +- +- Test Plugins +- B701: jinja2_autoescape_false +- View page source + +------------------------------------------------------------------------ + +# B701: jinja2_autoescape_false + + + + +------------------------------------------------------------------------ + +© Copyright 2025, Bandit Developers. + +Built with Sphinx +using a theme provided by +Read the Docs. diff --git a/docs/description/B702.md b/docs/description/B702.md index e245133..7de4386 100644 --- a/docs/description/B702.md +++ b/docs/description/B702.md 
@@ -1,23 +1,162 @@ -## B702: Test for use of mako templates - -Mako is a Python templating system often used to build web applications. -It is the default templating system used in Pylons and Pyramid. Unlike -Jinja2 (an alternative templating system), Mako has no environment wide -variable escaping mechanism. Because of this, all input variables must -be carefully escaped before use to prevent possible vulnerabilities to -Cross Site Scripting (XSS) attacks. - -Example: - - - - >> Issue: Mako templates allow HTML/JS rendering by default and are - inherently open to XSS attacks. Ensure variables in all templates are - properly sanitized via the 'n', 'h' or 'x' flags (depending on context). - For example, to HTML escape the variable 'data' do ${ data |h }. - Severity: Medium Confidence: High - CWE: CWE-80 (https://cwe.mitre.org/data/definitions/80.html) - Location: ./examples/mako_templating.py:10 - 9 - 10 mako.template.Template("hern") - 11 template.Template("hern") \ No newline at end of file +Bandit + +- Getting + Started +- Configuration +- Integrations +- Test + Plugins + - Writing Tests + - Config Generation + - Example Test Plugin + - Plugin ID Groupings + - Complete Test Plugin Listing + - B101: assert_used + - B102: exec_used + - B103: set_bad_file_permissions + - B104: + hardcoded_bind_all_interfaces + - B105: hardcoded_password_string + - B106: + hardcoded_password_funcarg + - B107: + hardcoded_password_default + - B108: hardcoded_tmp_directory + - B109: + password_config_option_not_marked_secret + - B110: try_except_pass + - B111: + execute_with_run_as_root_equals_true + - B112: try_except_continue + - B113: request_without_timeout + - B201: flask_debug_true + - B202: tarfile_unsafe_members + - B324: hashlib + - B501: + request_with_no_cert_validation + - B502: ssl_with_bad_version + - B503: ssl_with_bad_defaults + - B504: ssl_with_no_version + - B505: weak_cryptographic_key + - B506: yaml_load + - B507: + ssh_no_host_key_verification + - B508: 
snmp_insecure_version + - B509: snmp_weak_cryptography + - B601: paramiko_calls + - B602: + subprocess_popen_with_shell_equals_true + - B603: + subprocess_without_shell_equals_true + - B604: + any_other_function_with_shell_equals_true + - B605: + start_process_with_a_shell + - B606: + start_process_with_no_shell + - B607: + start_process_with_partial_path + - B608: hardcoded_sql_expressions + - B609: + linux_commands_wildcard_injection + - B610: django_extra_used + - B611: django_rawsql_used + - B612: + logging_config_insecure_listen + - B613: trojansource + - B614: pytorch_load + - B615: + huggingface_unsafe_download + - B701: jinja2_autoescape_false + - B702: + use_of_mako_templates + - B703: django_mark_safe + - B704: markupsafe_markup_xss +- Blacklist Plugins +- Report Formatters +- Continuous Integration and Deployment (CI/CD) +- Frequently + Asked Questions + +Bandit + +- +- Test Plugins +- B702: use_of_mako_templates +- View page source + +------------------------------------------------------------------------ + +# B702: use_of_mako_templates + + +Next + +------------------------------------------------------------------------ + +© Copyright 2025, Bandit Developers. + +Built with Sphinx +using a theme provided by +Read the Docs. diff --git a/docs/description/B703.md b/docs/description/B703.md index c7785b0..724bf5f 100644 --- a/docs/description/B703.md +++ b/docs/description/B703.md 
@@ -1,13 +1,162 @@ -**B703: Potential XSS on mark\_safe function** +Bandit -Example: +- Getting + Started +- Configuration +- Integrations +- Test + Plugins + - Writing Tests + - Config Generation + - Example Test Plugin + - Plugin ID Groupings + - Complete Test Plugin Listing + - B101: assert_used + - B102: exec_used + - B103: set_bad_file_permissions + - B104: + hardcoded_bind_all_interfaces + - B105: hardcoded_password_string + - B106: + hardcoded_password_funcarg + - B107: + hardcoded_password_default + - B108: hardcoded_tmp_directory + - B109: + password_config_option_not_marked_secret + - B110: try_except_pass + - B111: + execute_with_run_as_root_equals_true + - B112: try_except_continue + - B113: request_without_timeout + - B201: flask_debug_true + - B202: tarfile_unsafe_members + - B324: hashlib + - B501: + request_with_no_cert_validation + - B502: ssl_with_bad_version + - B503: ssl_with_bad_defaults + - B504: ssl_with_no_version + - B505: weak_cryptographic_key + - B506: yaml_load + - B507: + ssh_no_host_key_verification + - B508: snmp_insecure_version + - B509: snmp_weak_cryptography + - B601: paramiko_calls + - B602: + subprocess_popen_with_shell_equals_true + - B603: + subprocess_without_shell_equals_true + - B604: + any_other_function_with_shell_equals_true + - B605: + start_process_with_a_shell + - B606: + start_process_with_no_shell + - B607: + start_process_with_partial_path + - B608: hardcoded_sql_expressions + - B609: + linux_commands_wildcard_injection + - B610: django_extra_used + - B611: django_rawsql_used + - B612: + logging_config_insecure_listen + - B613: trojansource + - B614: pytorch_load + - B615: + huggingface_unsafe_download + - B701: jinja2_autoescape_false + - B702: use_of_mako_templates + - B703: + django_mark_safe + - B704: markupsafe_markup_xss +- Blacklist Plugins +- Report Formatters +- Continuous Integration and Deployment (CI/CD) +- Frequently + Asked Questions - +Bandit - >> Issue: [B703:django_mark_safe] Potential XSS on 
mark_safe function. - Severity: Medium Confidence: High - CWE: CWE-80 (https://cwe.mitre.org/data/definitions/80.html) - Location: examples/mark_safe_insecure.py:159:4 - More Info: https://bandit.readthedocs.io/en/latest/plugins/b703_django_mark_safe.html - 158 str_arg = 'could be insecure' - 159 safestring.mark_safe(str_arg) \ No newline at end of file +- +- Test Plugins +- B703: django_mark_safe +- View page source + +------------------------------------------------------------------------ + +# B703: django_mark_safe + + + + +------------------------------------------------------------------------ + +© Copyright 2025, Bandit Developers. + +Built with Sphinx +using a theme provided by +Read the Docs. diff --git a/docs/description/B704.md b/docs/description/B704.md new file mode 100644 index 0000000..f024bf6 --- /dev/null +++ b/docs/description/B704.md 
@@ -0,0 +1,161 @@ +Bandit + +- Getting + Started +- Configuration +- Integrations +- Test + Plugins + - Writing Tests + - Config Generation + - Example Test Plugin + - Plugin ID Groupings + - Complete Test Plugin Listing + - B101: assert_used + - B102: exec_used + - B103: set_bad_file_permissions + - B104: + hardcoded_bind_all_interfaces + - B105: hardcoded_password_string + - B106: + hardcoded_password_funcarg + - B107: + hardcoded_password_default + - B108: hardcoded_tmp_directory + - B109: + password_config_option_not_marked_secret + - B110: try_except_pass + - B111: + execute_with_run_as_root_equals_true + - B112: try_except_continue + - B113: request_without_timeout + - B201: flask_debug_true + - B202: tarfile_unsafe_members + - B324: hashlib + - B501: + request_with_no_cert_validation + - B502: ssl_with_bad_version + - B503: ssl_with_bad_defaults + - B504: ssl_with_no_version + - B505: weak_cryptographic_key + - B506: yaml_load + - B507: + ssh_no_host_key_verification + - B508: snmp_insecure_version + - B509: snmp_weak_cryptography + - B601: paramiko_calls + - B602: + subprocess_popen_with_shell_equals_true + - B603: + subprocess_without_shell_equals_true + - B604: + any_other_function_with_shell_equals_true + - B605: + start_process_with_a_shell + - B606: + start_process_with_no_shell + - B607: + start_process_with_partial_path + - B608: hardcoded_sql_expressions + - B609: + linux_commands_wildcard_injection + - B610: django_extra_used + - B611: django_rawsql_used + - B612: + logging_config_insecure_listen + - B613: trojansource + - B614: pytorch_load + - B615: + huggingface_unsafe_download + - B701: jinja2_autoescape_false + - B702: use_of_mako_templates + - B703: django_mark_safe + - B704: + markupsafe_markup_xss +- Blacklist Plugins +- Report Formatters +- Continuous Integration and Deployment (CI/CD) +- Frequently + Asked Questions + +Bandit + +- +- Test Plugins +- B704: markupsafe_markup_xss +- View page source + 
+------------------------------------------------------------------------ + +# B704: markupsafe_markup_xss + +Previous +Next + +------------------------------------------------------------------------ + +© Copyright 2025, Bandit Developers. + +Built with Sphinx +using a theme provided by +Read the Docs. diff --git a/docs/description/description.json b/docs/description/description.json index f15787d..3b0962c 100644 --- a/docs/description/description.json +++ b/docs/description/description.json 
@@ -1,391 +1,221 @@ [ { "patternId" : "B101", "title" : "assert_used", - "description" : "B101: Test for use of assert", + "description" : "B101: assert_used — Bandit documentation ", "parameters" : [ ] }, { "patternId" : "B102", "title" : "exec_used", - "description" : "B102: Test for the use of exec", + "description" : "B102: exec_used — Bandit documentation ", "parameters" : [ ] }, { "patternId" : "B103", "title" : "set_bad_file_permissions", - "description" : "B103: Test for setting permissive file permissions", + "description" : "B103: set_bad_file_permissions — Bandit documentation ", "parameters" : [ ] }, { "patternId" : "B104", "title" : "hardcoded_bind_all_interfaces", - "description" : "B104: Test for binding to all interfaces", + "description" : "B104: hardcoded_bind_all_interfaces — Bandit documentation ", "parameters" : [ ] }, { "patternId" : "B105", "title" : "hardcoded_password_string", - "description" : "B105: Test for use of hard-coded password strings", + "description" : "B105: hardcoded_password_string — Bandit documentation ", "parameters" : [ ] }, { "patternId" : "B106", "title" : "hardcoded_password_funcarg", - "description" : "B106: Test for use of hard-coded password function arguments", + "description" : "B106: hardcoded_password_funcarg — Bandit documentation ", "parameters" : [ ] }, { "patternId" : "B107", "title" : "hardcoded_password_default", - "description" : "B107: Test for use of hard-coded password argument defaults", + "description" : "B107: hardcoded_password_default — Bandit documentation ", "parameters" : [ ] }, { "patternId" : "B108", "title" : "hardcoded_tmp_directory", - "description" : "B108: Test for insecure usage of tmp file/directory", + "description" : "B108: hardcoded_tmp_directory — Bandit documentation ", "parameters" : [ ] }, { "patternId" : "B109", - "title" : "Test for a password based config option not marked secret", - "description" : "B109: Test for a password based config option not marked secret", + "title" 
: "password_config_option_not_marked_secret", + "description" : "B109: password_config_option_not_marked_secret — Bandit documentation ", "parameters" : [ ] }, { "patternId" : "B110", "title" : "try_except_pass", - "description" : "B110: Test for a pass in the except block", + "description" : "B110: try_except_pass — Bandit documentation ", "parameters" : [ ] }, { "patternId" : "B111", - "title" : "Test for the use of rootwrap running as root", - "description" : "B111: Test for the use of rootwrap running as root", + "title" : "execute_with_run_as_root_equals_true", + "description" : "B111: execute_with_run_as_root_equals_true — Bandit documentation ", "parameters" : [ ] }, { "patternId" : "B112", "title" : "try_except_continue", - "description" : "B112: Test for a continue in the except block", + "description" : "B112: try_except_continue — Bandit documentation ", "parameters" : [ ] -},{ +}, { "patternId" : "B113", "title" : "request_without_timeout", - "description" : "B113: Test for missing requests timeout", + "description" : "B113: request_without_timeout — Bandit documentation ", "parameters" : [ ] }, { "patternId" : "B201", "title" : "flask_debug_true", - "description" : "B201: Test for use of flask app with debug set to true", + "description" : "B201: flask_debug_true — Bandit documentation ", "parameters" : [ ] }, { "patternId" : "B202", "title" : "tarfile_unsafe_members", - "description" : "B202: Test for tarfile.extractall", - "parameters" : [ ] -}, { - "patternId" : "B301", - "title" : "pickle", - "description" : "B301: Pickle and modules that wrap it can be unsafe when used to deserialize untrusted data, possible security issue.", - "parameters" : [ ] -}, { - "patternId" : "B302", - "title" : "marshal", - "description" : "B302: Deserialization with the marshal module is possibly dangerous.", - "parameters" : [ ] -}, { - "patternId" : "B303", - "title" : "md5", - "description" : "B303: Use of insecure MD2, MD4, MD5, or SHA1 hash function.", - 
"parameters" : [ ] -}, { - "patternId" : "B304", - "title" : "B304: ciphers and modes", - "description" : "B304: Use of insecure cipher or cipher mode", - "parameters" : [ ] -}, { - "patternId" : "B305", - "title" : "B305: ciphers and modes", - "description" : "B305: Use of insecure cipher or cipher mode", - "parameters" : [ ] -}, { - "patternId" : "B306", - "title" : "mktemp_q", - "description" : "B306: Use of insecure and deprecated function (mktemp).", - "parameters" : [ ] -}, { - "patternId" : "B307", - "title" : "eval", - "description" : "B307: Use of possibly insecure function - consider using safer ast.literal_eval.", - "parameters" : [ ] -}, { - "patternId" : "B308", - "title" : "mark_safe", - "description" : "B308: Use of mark_safe() may expose cross-site scripting vulnerabilities and should be reviewed.", - "parameters" : [ ] -}, { - "patternId" : "B309", - "title" : "httpsconnection", - "description" : "B309: Use of HTTPSConnection on older versions of Python prior to 2.7.9 and 3.4.3 do not provide security, see https://wiki.openstack.org/wiki/OSSN/OSSN-0033", - "parameters" : [ ] -}, { - "patternId" : "B310", - "title" : "urllib_urlopen", - "description" : "B310: Audit url open for permitted schemes", - "parameters" : [ ] -}, { - "patternId" : "B311", - "title" : "random", - "description" : "B311: Standard pseudo-random generators are not suitable for security/cryptographic purposes.", - "parameters" : [ ] -}, { - "patternId" : "B312", - "title" : "telnetlib", - "description" : "B312: Telnet-related functions are being called", - "parameters" : [ ] -}, { - "patternId" : "B313", - "title" : "B313: XML", - "description" : "B313: Using various XLM methods to parse untrusted XML data is known to be vulnerable to XML attacks", - "parameters" : [ ] -}, { - "patternId" : "B314", - "title" : "B314: XML", - "description" : "B314: Using various XLM methods to parse untrusted XML data is known to be vulnerable to XML attacks", - "parameters" : [ ] -}, { - 
"patternId" : "B315", - "title" : "B315: XML", - "description" : "B315: Using various XLM methods to parse untrusted XML data is known to be vulnerable to XML attacks", - "parameters" : [ ] -}, { - "patternId" : "B316", - "title" : "B316: XML", - "description" : "B316: Using various XLM methods to parse untrusted XML data is known to be vulnerable to XML attacks", - "parameters" : [ ] -}, { - "patternId" : "B317", - "title" : "B317: XML", - "description" : "B317: Using various XLM methods to parse untrusted XML data is known to be vulnerable to XML attacks", - "parameters" : [ ] -}, { - "patternId" : "B318", - "title" : "B318: XML", - "description" : "B318: Using various XLM methods to parse untrusted XML data is known to be vulnerable to XML attacks", - "parameters" : [ ] -}, { - "patternId" : "B319", - "title" : "B319: XML", - "description" : "B319: Using various XLM methods to parse untrusted XML data is known to be vulnerable to XML attacks", - "parameters" : [ ] -}, { - "patternId" : "B320", - "title" : "B320: XML", - "description" : "B320: Using various XLM methods to parse untrusted XML data is known to be vulnerable to XML attacks", - "parameters" : [ ] -}, { - "patternId" : "B321", - "title" : "ftplib", - "description" : "B321: FTP-related functions are being called", - "parameters" : [ ] -}, { - "patternId" : "B322", - "title" : "input", - "description" : "B322: The check for this call has been removed.", - "parameters" : [ ] -}, { - "patternId" : "B323", - "title" : "unverified_context", - "description" : "B323: By default, Python will create a secure, verified ssl context for use in such classes as HTTPSConnection", + "description" : "B202: tarfile_unsafe_members — Bandit documentation ", "parameters" : [ ] }, { "patternId" : "B324", "title" : "hashlib", - "description" : "B324: Test use of insecure md4, md5, or sha1 hash functions in hashlib", - "parameters" : [ ] -}, { - "patternId" : "B325", - "title" : "tempnam", - "description" : "B325: Use of 
os.tempnam() and os.tmpnam() is vulnerable to symlink attacks", - "parameters" : [ ] -}, { - "patternId" : "B401", - "title" : "import_telnetlib", - "description" : "B401: A telnet-related module is being imported", - "parameters" : [ ] -}, { - "patternId" : "B402", - "title" : "import_ftplib", - "description" : "B402: A FTP-related module is being imported", - "parameters" : [ ] -}, { - "patternId" : "B403", - "title" : "import_pickle", - "description" : "B403: Consider possible security implications associated with these modules.", - "parameters" : [ ] -}, { - "patternId" : "B404", - "title" : "import_subprocess", - "description" : "B404: Consider possible security implications associated with these modules.", - "parameters" : [ ] -}, { - "patternId" : "B405", - "title" : "import_xml_etree", - "description" : "B405: Using various methods to parse untrusted XML data is known to be vulnerable to XML attacks", - "parameters" : [ ] -}, { - "patternId" : "B406", - "title" : "import_xml_sax", - "description" : "B406: Using various methods to parse untrusted XML data is known to be vulnerable to XML attacks", - "parameters" : [ ] -}, { - "patternId" : "B407", - "title" : "import_xml_expat", - "description" : "B407: Using various methods to parse untrusted XML data is known to be vulnerable to XML attacks", - "parameters" : [ ] -}, { - "patternId" : "B408", - "title" : "import_xml_minidom", - "description" : "B408: Using various methods to parse untrusted XML data is known to be vulnerable to XML attacks", - "parameters" : [ ] -}, { - "patternId" : "B409", - "title" : "import_xml_pulldom", - "description" : "B409: Using various methods to parse untrusted XML data is known to be vulnerable to XML attacks", - "parameters" : [ ] -}, { - "patternId" : "B410", - "title" : "import_lxml", - "description" : "B410: Using various methods to parse untrusted XML data is known to be vulnerable to XML attacks", - "parameters" : [ ] -}, { - "patternId" : "B411", - "title" : 
"import_xmlrpclib", - "description" : "B411: XMLRPC is particularly dangerous as it is also concerned with communicating data over a network", - "parameters" : [ ] -}, { - "patternId" : "B412", - "title" : "import_httpoxy", - "description" : "B412: httpoxy is a set of vulnerabilities that affect application code running in CGI, or CGI-like environments", - "parameters" : [ ] -}, { - "patternId" : "B413", - "title" : "import_pycrypto", - "description" : "B413: pycrypto library is known to have publicly disclosed buffer overflow vulnerability https://github.com/dlitz/pycrypto/issues/176", - "parameters" : [ ] -}, { - "patternId" : "B414", - "title" : "import_pycryptodome", - "description" : "B414: This import blacklist has been removed", + "description" : "B324: hashlib — Bandit documentation ", "parameters" : [ ] }, { "patternId" : "B501", "title" : "request_with_no_cert_validation", - "description" : "B501: Test for missing certificate validation", + "description" : "B501: request_with_no_cert_validation — Bandit documentation ", "parameters" : [ ] }, { "patternId" : "B502", "title" : "ssl_with_bad_version", - "description" : "B502: Test for SSL use with bad version used", + "description" : "B502: ssl_with_bad_version — Bandit documentation ", "parameters" : [ ] }, { "patternId" : "B503", "title" : "ssl_with_bad_defaults", - "description" : "B503: Test for SSL use with bad defaults specified", + "description" : "B503: ssl_with_bad_defaults — Bandit documentation ", "parameters" : [ ] }, { "patternId" : "B504", "title" : "ssl_with_no_version", - "description" : "B504: Test for SSL use with no version specified", + "description" : "B504: ssl_with_no_version — Bandit documentation ", "parameters" : [ ] }, { "patternId" : "B505", "title" : "weak_cryptographic_key", - "description" : "B505: Test for weak cryptographic key use", + "description" : "B505: weak_cryptographic_key — Bandit documentation ", "parameters" : [ ] }, { "patternId" : "B506", "title" : "yaml_load", - 
"description" : "B506: Test for use of yaml load", + "description" : "B506: yaml_load — Bandit documentation ", "parameters" : [ ] }, { "patternId" : "B507", "title" : "ssh_no_host_key_verification", - "description" : "B507: Test for missing host key validation", + "description" : "B507: ssh_no_host_key_verification — Bandit documentation ", "parameters" : [ ] }, { "patternId" : "B508", "title" : "snmp_insecure_version", - "description" : "B508: Checking for insecure SNMP versions", + "description" : "B508: snmp_insecure_version — Bandit documentation ", "parameters" : [ ] }, { "patternId" : "B509", "title" : "snmp_weak_cryptography", - "description" : "B509: Checking for weak cryptography", + "description" : "B509: snmp_weak_cryptography — Bandit documentation ", "parameters" : [ ] }, { "patternId" : "B601", "title" : "paramiko_calls", - "description" : "B601: Test for shell injection within Paramiko", + "description" : "B601: paramiko_calls — Bandit documentation ", "parameters" : [ ] }, { "patternId" : "B602", "title" : "subprocess_popen_with_shell_equals_true", - "description" : "B602: Test for use of popen with shell equals true", + "description" : "B602: subprocess_popen_with_shell_equals_true — Bandit documentation ", "parameters" : [ ] }, { "patternId" : "B603", "title" : "subprocess_without_shell_equals_true", - "description" : "B603: Test for use of subprocess without shell equals true", + "description" : "B603: subprocess_without_shell_equals_true — Bandit documentation ", "parameters" : [ ] }, { "patternId" : "B604", "title" : "any_other_function_with_shell_equals_true", - "description" : "B604: Test for any function with shell equals true", + "description" : "B604: any_other_function_with_shell_equals_true — Bandit documentation ", "parameters" : [ ] }, { "patternId" : "B605", "title" : "start_process_with_a_shell", - "description" : "B605: Test for starting a process with a shell", + "description" : "B605: start_process_with_a_shell — Bandit 
documentation ", "parameters" : [ ] }, { "patternId" : "B606", "title" : "start_process_with_no_shell", - "description" : "B606: Test for starting a process with no shell", + "description" : "B606: start_process_with_no_shell — Bandit documentation ", "parameters" : [ ] }, { "patternId" : "B607", "title" : "start_process_with_partial_path", - "description" : "B607: Test for starting a process with a partial path", + "description" : "B607: start_process_with_partial_path — Bandit documentation ", "parameters" : [ ] }, { "patternId" : "B608", "title" : "hardcoded_sql_expressions", - "description" : "B608: Test for SQL injection", + "description" : "B608: hardcoded_sql_expressions — Bandit documentation ", "parameters" : [ ] }, { "patternId" : "B609", "title" : "linux_commands_wildcard_injection", - "description" : "B609: Test for use of wildcard injection", + "description" : "B609: linux_commands_wildcard_injection — Bandit documentation ", "parameters" : [ ] }, { "patternId" : "B610", "title" : "django_extra_used", - "description" : "B610: Potential SQL injection on extra function", + "description" : "B610: django_extra_used — Bandit documentation ", "parameters" : [ ] }, { "patternId" : "B611", "title" : "django_rawsql_used", - "description" : "B611: Potential SQL injection on RawSQL function", + "description" : "B611: django_rawsql_used — Bandit documentation ", "parameters" : [ ] }, { "patternId" : "B612", "title" : "logging_config_insecure_listen", - "description" : "B612: Test for insecure use of logging.config.listen", + "description" : "B612: logging_config_insecure_listen — Bandit documentation ", + "parameters" : [ ] +}, { + "patternId" : "B613", + "title" : "trojansource", + "description" : "B613: trojansource — Bandit documentation ", + "parameters" : [ ] +}, { + "patternId" : "B614", + "title" : "pytorch_load", + "description" : "B614: pytorch_load — Bandit documentation ", + "parameters" : [ ] +}, { + "patternId" : "B615", + "title" : 
"huggingface_unsafe_download", + "description" : "B615: huggingface_unsafe_download — Bandit documentation ", "parameters" : [ ] }, { "patternId" : "B701", "title" : "jinja2_autoescape_false", - "description" : "B701: Test for not auto escaping in jinja2", + "description" : "B701: jinja2_autoescape_false — Bandit documentation ", "parameters" : [ ] }, { "patternId" : "B702", "title" : "use_of_mako_templates", - "description" : "B702: Test for use of mako templates", + "description" : "B702: use_of_mako_templates — Bandit documentation ", "parameters" : [ ] }, { "patternId" : "B703", "title" : "django_mark_safe", - "description" : "B703: Potential XSS on mark_safe function", + "description" : "B703: django_mark_safe — Bandit documentation ", + "parameters" : [ ] +}, { + "patternId" : "B704", + "title" : "markupsafe_markup_xss", + "description" : "B704: markupsafe_markup_xss — Bandit documentation ", "parameters" : [ ] } ] diff --git a/docs/patterns.json b/docs/patterns.json index 59e99bb..a9bbac0 100644 --- a/docs/patterns.json +++ b/docs/patterns.json @@ -1,10 +1,11 @@ { "name" : "bandit", - "version" : "1.8.3", + "version" : "1.8.6", "patterns" : [ { "patternId" : "B101", "level" : "Warning", "category" : "Security", + "scanType" : "SAST", "parameters" : [ ], "languages" : [ ], "enabled" : false @@ -13,14 +14,16 @@ "level" : "Warning", "category" : "Security", "subcategory" : "InputValidation", + "scanType" : "SAST", "parameters" : [ ], "languages" : [ ], "enabled" : true }, { "patternId" : "B103", - "level" : "Error", + "level" : "Warning", "category" : "Security", "subcategory" : "FileAccess", + "scanType" : "SAST", "parameters" : [ ], "languages" : [ ], "enabled" : true @@ -28,6 +31,7 @@ "patternId" : "B104", "level" : "Warning", "category" : "Security", + "scanType" : "SAST", "parameters" : [ ], "languages" : [ ], "enabled" : true 
@@ -36,6 +40,7 @@ "level" : "Warning", "category" : "Security", "subcategory" : "Auth", + "scanType" : "SAST", "parameters" : [ ], "languages" : [ ], "enabled" : true @@ -44,6 +49,7 @@ "level" : "Warning", "category" : "Security", "subcategory" : "Auth", + "scanType" : "SAST", "parameters" : [ ], "languages" : [ ], "enabled" : false @@ -52,6 +58,7 @@ "level" : "Warning", "category" : "Security", "subcategory" : "Auth", + "scanType" : "SAST", "parameters" : [ ], "languages" : [ ], "enabled" : true @@ -60,6 +67,7 @@ "level" : "Warning", "category" : "Security", "subcategory" : "FileAccess", + "scanType" : "SAST", "parameters" : [ ], "languages" : [ ], "enabled" : true @@ -68,6 +76,7 @@ "level" : "Warning", "category" : "Security", "subcategory" : "Auth", + "scanType" : "SAST", "parameters" : [ ], "languages" : [ ], "enabled" : true @@ -75,6 +84,7 @@ "patternId" : "B110", "level" : "Warning", "category" : "Security", + "scanType" : "SAST", "parameters" : [ ], "languages" : [ ], "enabled" : true @@ -83,6 +93,7 @@ "level" : "Warning", "category" : "Security", "subcategory" : "Auth", + "scanType" : "SAST", "parameters" : [ ], "languages" : [ ], "enabled" : true 
@@ -90,348 +101,58 @@ "patternId" : "B112", "level" : "Warning", "category" : "Security", + "scanType" : "SAST", "parameters" : [ ], "languages" : [ ], "enabled" : true }, { - "patternId" : "B113", - "level" : "Warning", - "category" : "Security", - "parameters" : [ ], - "languages" : [ ], - "enabled" : true - }, { - "patternId" : "B201", - "level" : "Error", - "category" : "Security", - "parameters" : [ ], - "languages" : [ ], - "enabled" : true - }, { - "patternId" : "B202", - "level" : "Error", - "category" : "Security", - "parameters" : [ ], - "languages" : [ ], - "enabled" : true - }, { - "patternId" : "B301", - "level" : "Warning", - "category" : "Security", - "subcategory" : "InsecureModulesLibraries", - "parameters" : [ ], - "languages" : [ ], - "enabled" : true - }, { - "patternId" : "B302", - "level" : "Warning", - "category" : "Security", - "subcategory" : "InsecureModulesLibraries", - "parameters" : [ ], - "languages" : [ ], - "enabled" : true - }, { - "patternId" : "B303", - "level" : "Warning", - "category" : "Security", - "subcategory" : "Cryptography", - "parameters" : [ ], - "languages" : [ ], - "enabled" : true - }, { - "patternId" : "B304", - "level" : "Warning", - "category" : "Security", - "subcategory" : "Cryptography", - "parameters" : [ ], - "languages" : [ ], - "enabled" : true - }, { - "patternId" : "B305", - "level" : "Warning", - "category" : "Security", - "subcategory" : "Cryptography", - "parameters" : [ ], - "languages" : [ ], - "enabled" : true - }, { - "patternId" : "B306", - "level" : "Warning", - "category" : "Security", - "parameters" : [ ], - "languages" : [ ], - "enabled" : true - }, { - "patternId" : "B307", - "level" : "Warning", - "category" : "Security", - "subcategory" : "InputValidation", - "parameters" : [ ], - "languages" : [ ], - "enabled" : true - }, { - "patternId" : "B308", - "level" : "Warning", - "category" : "Security", - "subcategory" : "XSS", - "parameters" : [ ], - "languages" : [ ], - "enabled" : true - }, { 
- "patternId" : "B309", - "level" : "Warning", - "category" : "Security", - "subcategory" : "SSL", - "parameters" : [ ], - "languages" : [ ], - "enabled" : true - }, { - "patternId" : "B310", - "level" : "Warning", - "category" : "Security", - "subcategory" : "HTTP", - "parameters" : [ ], - "languages" : [ ], - "enabled" : true - }, { - "patternId" : "B311", - "level" : "Warning", - "category" : "Security", - "subcategory" : "Cryptography", - "parameters" : [ ], - "languages" : [ ], - "enabled" : true - }, { - "patternId" : "B312", - "level" : "Warning", - "category" : "Security", - "subcategory" : "InsecureModulesLibraries", - "parameters" : [ ], - "languages" : [ ], - "enabled" : true - }, { - "patternId" : "B313", - "level" : "Warning", - "category" : "Security", - "subcategory" : "InputValidation", - "parameters" : [ ], - "languages" : [ ], - "enabled" : true - }, { - "patternId" : "B314", - "level" : "Warning", - "category" : "Security", - "subcategory" : "InputValidation", - "parameters" : [ ], - "languages" : [ ], - "enabled" : true - }, { - "patternId" : "B315", - "level" : "Warning", - "category" : "Security", - "subcategory" : "InputValidation", - "parameters" : [ ], - "languages" : [ ], - "enabled" : true - }, { - "patternId" : "B316", - "level" : "Warning", - "category" : "Security", - "subcategory" : "InputValidation", - "parameters" : [ ], - "languages" : [ ], - "enabled" : true - }, { - "patternId" : "B317", - "level" : "Warning", - "category" : "Security", - "subcategory" : "InputValidation", - "parameters" : [ ], - "languages" : [ ], - "enabled" : true - }, { - "patternId" : "B318", - "level" : "Warning", - "category" : "Security", - "subcategory" : "InputValidation", - "parameters" : [ ], - "languages" : [ ], - "enabled" : true - }, { - "patternId" : "B319", - "level" : "Warning", - "category" : "Security", - "subcategory" : "InputValidation", - "parameters" : [ ], - "languages" : [ ], - "enabled" : true - }, { - "patternId" : "B320", - "level" : 
"Warning", - "category" : "Security", - "subcategory" : "InputValidation", - "parameters" : [ ], - "languages" : [ ], - "enabled" : true - }, { - "patternId" : "B321", - "level" : "Warning", - "category" : "Security", - "subcategory" : "InsecureModulesLibraries", - "parameters" : [ ], - "languages" : [ ], - "enabled" : true - }, { - "patternId" : "B322", + "patternId" : "B113", "level" : "Warning", "category" : "Security", + "scanType" : "SAST", "parameters" : [ ], "languages" : [ ], "enabled" : false }, { - "patternId" : "B323", - "level" : "Warning", - "category" : "Security", - "parameters" : [ ], - "languages" : [ ], - "enabled" : false - }, { - "patternId" : "B324", - "level" : "Error", - "category" : "Security", - "parameters" : [ ], - "languages" : [ ], - "enabled" : false - }, { - "patternId" : "B325", - "level" : "Warning", - "category" : "Security", - "parameters" : [ ], - "languages" : [ ], - "enabled" : false - }, { - "patternId" : "B401", - "level" : "Warning", - "category" : "Security", - "subcategory" : "InsecureModulesLibraries", - "parameters" : [ ], - "languages" : [ ], - "enabled" : true - }, { - "patternId" : "B402", - "level" : "Warning", - "category" : "Security", - "subcategory" : "InsecureModulesLibraries", - "parameters" : [ ], - "languages" : [ ], - "enabled" : true - }, { - "patternId" : "B403", - "level" : "Warning", - "category" : "Security", - "subcategory" : "InsecureModulesLibraries", - "parameters" : [ ], - "languages" : [ ], - "enabled" : true - }, { - "patternId" : "B404", - "level" : "Warning", - "category" : "Security", - "subcategory" : "InsecureModulesLibraries", - "parameters" : [ ], - "languages" : [ ], - "enabled" : true - }, { - "patternId" : "B405", - "level" : "Warning", - "category" : "Security", - "subcategory" : "InsecureModulesLibraries", - "parameters" : [ ], - "languages" : [ ], - "enabled" : true - }, { - "patternId" : "B406", - "level" : "Warning", - "category" : "Security", - "subcategory" : 
"InsecureModulesLibraries", - "parameters" : [ ], - "languages" : [ ], - "enabled" : true - }, { - "patternId" : "B407", - "level" : "Warning", - "category" : "Security", - "subcategory" : "InsecureModulesLibraries", - "parameters" : [ ], - "languages" : [ ], - "enabled" : true - }, { - "patternId" : "B408", - "level" : "Warning", - "category" : "Security", - "subcategory" : "InsecureModulesLibraries", - "parameters" : [ ], - "languages" : [ ], - "enabled" : true - }, { - "patternId" : "B409", - "level" : "Warning", - "category" : "Security", - "subcategory" : "InsecureModulesLibraries", - "parameters" : [ ], - "languages" : [ ], - "enabled" : true - }, { - "patternId" : "B410", - "level" : "Warning", - "category" : "Security", - "subcategory" : "InsecureModulesLibraries", - "parameters" : [ ], - "languages" : [ ], - "enabled" : true - }, { - "patternId" : "B411", + "patternId" : "B201", "level" : "Warning", "category" : "Security", - "subcategory" : "InsecureModulesLibraries", + "subcategory" : "UnexpectedBehaviour", + "scanType" : "SAST", "parameters" : [ ], "languages" : [ ], "enabled" : true }, { - "patternId" : "B412", - "level" : "Warning", - "category" : "Security", - "subcategory" : "InsecureModulesLibraries", - "parameters" : [ ], - "languages" : [ ], - "enabled" : false - }, { - "patternId" : "B413", + "patternId" : "B202", "level" : "Warning", "category" : "Security", + "scanType" : "SAST", "parameters" : [ ], "languages" : [ ], "enabled" : false }, { - "patternId" : "B414", + "patternId" : "B324", "level" : "Warning", "category" : "Security", + "scanType" : "SAST", "parameters" : [ ], "languages" : [ ], "enabled" : false }, { "patternId" : "B501", - "level" : "Error", + "level" : "Warning", "category" : "Security", "subcategory" : "SSL", + "scanType" : "SAST", "parameters" : [ ], "languages" : [ ], "enabled" : true }, { "patternId" : "B502", - "level" : "Error", + "level" : "Warning", "category" : "Security", "subcategory" : "SSL", + "scanType" : 
"SAST", "parameters" : [ ], "languages" : [ ], "enabled" : true @@ -440,6 +161,7 @@ "level" : "Warning", "category" : "Security", "subcategory" : "SSL", + "scanType" : "SAST", "parameters" : [ ], "languages" : [ ], "enabled" : true @@ -448,14 +170,16 @@ "level" : "Warning", "category" : "Security", "subcategory" : "SSL", + "scanType" : "SAST", "parameters" : [ ], "languages" : [ ], "enabled" : true }, { "patternId" : "B505", - "level" : "Error", + "level" : "Warning", "category" : "Security", "subcategory" : "Cryptography", + "scanType" : "SAST", "parameters" : [ ], "languages" : [ ], "enabled" : true @@ -464,27 +188,32 @@ "level" : "Warning", "category" : "Security", "subcategory" : "InputValidation", + "scanType" : "SAST", "parameters" : [ ], "languages" : [ ], "enabled" : true }, { "patternId" : "B507", - "level" : "Error", + "level" : "Warning", "category" : "Security", + "subcategory" : "Auth", + "scanType" : "SAST", "parameters" : [ ], "languages" : [ ], "enabled" : false }, { - "patternId" : "B508", - "level" : "Error", - "category" : "Security", - "parameters" : [ ], - "languages" : [ ], - "enabled" : false + "patternId" : "B508", + "level" : "Warning", + "category" : "Security", + "scanType" : "SAST", + "parameters" : [ ], + "languages" : [ ], + "enabled" : false }, { "patternId" : "B509", - "level" : "Error", + "level" : "Warning", "category" : "Security", + "scanType" : "SAST", "parameters" : [ ], "languages" : [ ], "enabled" : false @@ -493,14 +222,16 @@ "level" : "Warning", "category" : "Security", "subcategory" : "CommandInjection", + "scanType" : "SAST", "parameters" : [ ], "languages" : [ ], "enabled" : true }, { "patternId" : "B602", - "level" : "Error", + "level" : "Warning", "category" : "Security", "subcategory" : "CommandInjection", + "scanType" : "SAST", "parameters" : [ ], "languages" : [ ], "enabled" : true 
@@ -509,6 +240,7 @@ "level" : "Warning", "category" : "Security", "subcategory" : "CommandInjection", + "scanType" : "SAST", "parameters" : [ ], "languages" : [ ], "enabled" : true @@ -517,6 +249,7 @@ "level" : "Warning", "category" : "Security", "subcategory" : "CommandInjection", + "scanType" : "SAST", "parameters" : [ ], "languages" : [ ], "enabled" : true @@ -525,6 +258,7 @@ "level" : "Warning", "category" : "Security", "subcategory" : "CommandInjection", + "scanType" : "SAST", "parameters" : [ ], "languages" : [ ], "enabled" : false @@ -533,6 +267,7 @@ "level" : "Warning", "category" : "Security", "subcategory" : "CommandInjection", + "scanType" : "SAST", "parameters" : [ ], "languages" : [ ], "enabled" : true @@ -541,6 +276,7 @@ "level" : "Warning", "category" : "Security", "subcategory" : "CommandInjection", + "scanType" : "SAST", "parameters" : [ ], "languages" : [ ], "enabled" : false @@ -549,6 +285,7 @@ "level" : "Warning", "category" : "Security", "subcategory" : "SQLInjection", + "scanType" : "SAST", "parameters" : [ ], "languages" : [ ], "enabled" : true @@ -557,6 +294,7 @@ "level" : "Warning", "category" : "Security", "subcategory" : "InputValidation", + "scanType" : "SAST", "parameters" : [ ], "languages" : [ ], "enabled" : true @@ -564,6 +302,7 @@ "patternId" : "B610", "level" : "Warning", "category" : "Security", + "scanType" : "SAST", "parameters" : [ ], "languages" : [ ], "enabled" : false @@ -571,6 +310,8 @@ "patternId" : "B611", "level" : "Warning", "category" : "Security", + "subcategory" : "SQLInjection", + "scanType" : "SAST", "parameters" : [ ], "languages" : [ ], "enabled" : false 
@@ -578,14 +319,40 @@ "patternId" : "B612", "level" : "Warning", "category" : "Security", + "scanType" : "SAST", + "parameters" : [ ], + "languages" : [ ], + "enabled" : false + }, { + "patternId" : "B613", + "level" : "Warning", + "category" : "Security", + "scanType" : "SAST", + "parameters" : [ ], + "languages" : [ ], + "enabled" : false + }, { + "patternId" : "B614", + "level" : "Warning", + "category" : "Security", + "scanType" : "SAST", + "parameters" : [ ], + "languages" : [ ], + "enabled" : false + }, { + "patternId" : "B615", + "level" : "Warning", + "category" : "Security", + "scanType" : "SAST", "parameters" : [ ], "languages" : [ ], "enabled" : false }, { "patternId" : "B701", - "level" : "Error", + "level" : "Warning", "category" : "Security", "subcategory" : "XSS", + "scanType" : "SAST", "parameters" : [ ], "languages" : [ ], "enabled" : true @@ -594,6 +361,7 @@ "level" : "Warning", "category" : "Security", "subcategory" : "XSS", + "scanType" : "SAST", "parameters" : [ ], "languages" : [ ], "enabled" : true @@ -601,6 +369,16 @@ "patternId" : "B703", "level" : "Warning", "category" : "Security", + "subcategory" : "XSS", + "scanType" : "SAST", + "parameters" : [ ], + "languages" : [ ], + "enabled" : false + }, { + "patternId" : "B704", + "level" : "Warning", + "category" : "Security", + "scanType" : "SAST", "parameters" : [ ], "languages" : [ ], "enabled" : false diff --git a/requirements.txt b/requirements.txt index 7e4787d..b055de0 100644 --- a/requirements.txt +++ b/requirements.txt @@ -1 +1 @@ -bandit==1.8.3 +bandit==1.8.6 From ed0fa5d1197feeb0693940039b5f0243eab36a49 Mon Sep 17 00:00:00 2001 
From: "david.marinho@codacy.com" Date: Wed, 23 Jul 2025 16:27:27 +0100 Subject: [PATCH 2/5] bump bandit 1.8.6 without updating any docs --- .github/copilot-instructions.md | 49 +++ .gitignore | 4 - .../BlacklistDocTransformer.scala | 1 - .../transformers/PluginsDocGenerator.scala | 6 +- docs/description/B101.md | 175 +------- docs/description/B102.md | 168 +------ docs/description/B103.md | 195 ++------- docs/description/B104.md | 171 +------- docs/description/B105.md | 208 ++------- docs/description/B106.md | 202 ++------- docs/description/B107.md | 203 ++------- docs/description/B108.md | 172 +------- docs/description/B109.md | 200 +-------- docs/description/B110.md | 182 ++------ docs/description/B111.md | 214 +-------- docs/description/B112.md | 182 ++------ docs/description/B113.md | 192 ++------ docs/description/B201.md | 189 ++------ docs/description/B202.md | 173 +------- docs/description/B324.md | 171 +------- docs/description/B501.md | 185 +------- docs/description/B502.md | 223 +++------- docs/description/B503.md | 175 +------- docs/description/B504.md | 178 +------- docs/description/B505.md | 184 +------- docs/description/B506.md | 186 +------- docs/description/B507.md | 185 +------- docs/description/B508.md | 171 +------- docs/description/B509.md | 172 +------- docs/description/B601.md | 185 +------- docs/description/B602.md | 241 ++++------ docs/description/B603.md | 199 ++------- docs/description/B604.md | 214 +++------ docs/description/B605.md | 219 +++------- docs/description/B606.md | 207 +++------ docs/description/B607.md | 222 +++------- docs/description/B608.md | 176 +------- docs/description/B609.md | 216 +++------ docs/description/B610.md | 169 +------ docs/description/B611.md | 169 +------ docs/description/B612.md | 186 +------- docs/description/B701.md | 205 ++------- docs/description/B702.md | 185 +------- docs/description/B703.md | 169 +------ docs/description/description.json | 296 ++++++++++--- docs/patterns.json | 412 
++++++++++++++---- 46 files changed, 1808 insertions(+), 6578 deletions(-) create mode 100644 .github/copilot-instructions.md diff --git a/.github/copilot-instructions.md b/.github/copilot-instructions.md new file mode 100644 index 0000000..c255378 --- /dev/null +++ b/.github/copilot-instructions.md 
@@ -0,0 +1,49 @@ +--- +# Codacy Rules +Configuration for AI behavior when interacting with Codacy's MCP Server + +## After ANY successful `edit_file` or `reapply` operation +- YOU MUST IMMEDIATELY run the `codacy_cli_analyze` tool from Codacy's MCP Server for each file that was edited, with: + - `rootPath`: set to the workspace path + - `file`: set to the path of the edited file + - `tool`: leave empty or unset +- If any issues are found in the new edits, propose and apply fixes for them. +- > NOTE: Failure to follow this rule is considered a critical error. + +## CRITICAL: Dependencies and Security Checks +- IMMEDIATELY after ANY of these actions: + - Running npm/yarn/pnpm install + - Adding dependencies to package.json + - Adding requirements to requirements.txt + - Adding dependencies to pom.xml + - Adding dependencies to build.gradle + - Any other package manager operations +- You MUST run the `codacy_cli_analyze` tool with: + - `rootPath`: set to the workspace path + - `tool`: set to "trivy" + - `file`: leave empty or unset +- If any vulnerabilities are found because of the newly added packages: + - Stop all other operations + - Propose and apply fixes for the security issues + - Only continue with the original task after security issues are resolved +- EXAMPLE: + - After: npm install react-markdown + - Do: Run codacy_cli_analyze with trivy + - Before: Continuing with any other tasks + +## General +- Repeat the relevant steps for each modified file. +- "Propose fixes" means to both suggest and, if possible, automatically apply the fixes. +- You MUST NOT wait for the user to ask for analysis or remind you to run the tool. +- Do not run `codacy_cli_analyze` looking for changes in duplicated code or code complexity metrics. +- Do not run `codacy_cli_analyze` looking for changes in code coverage. +- Do not try to manually install Codacy CLI using either brew, npm, npx, or any other package manager. 
+- If the Codacy CLI is not installed, just run the `codacy_cli_analyze` tool from Codacy's MCP Server.
+- When calling `codacy_cli_analyze`, only send provider, organization and repository if the project is a git repository.
+
+## Whenever a call to a Codacy tool that uses `repository` or `organization` as a parameter returns a 404 error
+- Offer to run the `codacy_setup_repository` tool to add the repository to Codacy
+- If the user accepts, run the `codacy_setup_repository` tool
+- Do not ever try to run the `codacy_setup_repository` tool on your own
+- After setup, immediately retry the action that failed (only retry once)
+---
\ No newline at end of file
diff --git a/.gitignore b/.gitignore
index 2702871..c3d3eb8 100755
--- a/.gitignore
+++ b/.gitignore
@@ -17,7 +17,3 @@
 .bloop
 .metals
 .bsp/
-
-
-#Ignore vscode AI rules
-.github/copilot-instructions.md
diff --git a/doc-generator/src/main/scala/docs/transformers/BlacklistDocTransformer.scala b/doc-generator/src/main/scala/docs/transformers/BlacklistDocTransformer.scala
index c752ac9..439e6f2 100644
--- a/doc-generator/src/main/scala/docs/transformers/BlacklistDocTransformer.scala
+++ b/doc-generator/src/main/scala/docs/transformers/BlacklistDocTransformer.scala
@@ -70,7 +70,6 @@ object BlacklistDocTransformer extends IPatternDocTransformer {
 Level.Warn,
 Pattern.Category.Security,
 SecuritySubcategories.get(patternIdCapitalized),
- Some(Pattern.ScanType.SAST),
 Set.empty,
 Set.empty,
 enabled = DefaultPatterns.list.contains(patternIdCapitalized.value)
diff --git a/doc-generator/src/main/scala/docs/transformers/PluginsDocGenerator.scala b/doc-generator/src/main/scala/docs/transformers/PluginsDocGenerator.scala
index 99ddae2..c780f86 100644
--- a/doc-generator/src/main/scala/docs/transformers/PluginsDocGenerator.scala
+++ b/doc-generator/src/main/scala/docs/transformers/PluginsDocGenerator.scala
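Review bot: After dropping `Some(Pattern.ScanType.SAST)` this call still passes two positional `Set.empty` values before `enabled`, while the corresponding hunk in PluginsDocGenerator.scala removes the scan type together with one `Set.empty`, so the two transformers now build their pattern specification with different arities. If both sites target the same constructor this only compiles because the trailing parameters have defaults, and with `Set.empty` typed by inference a positional shift between the two collection slots would be silent; naming those arguments at both sites, e.g. `parameters = Set.empty, languages = Set.empty` (the field names the generated JSON uses, assuming the constructor shares them), would pin each value to its slot. Removing the SAST scan type from every Security pattern is also a metadata regression rather than part of a version bump; if the target `codacy-plugins-api` no longer provides `ScanType`, the commit message should say so. The call this hunk edits begins outside the hunk.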
@@ -4,7 +4,7 @@ import docs.transformers.utils.HtmlLoader
 import scala.xml._
 import better.files._
-import com.codacy.plugins.api.results.Pattern.{Category, ScanType}
+import com.codacy.plugins.api.results.Pattern.Category
 import com.codacy.plugins.api.results.Result.Level
 import com.codacy.plugins.api.results.Pattern
 import docs.{DefaultPatterns, SecuritySubcategories}
@@ -52,7 +52,7 @@ object PluginsDocTransformer extends IPatternDocTransformer {
 divs <- htmlPluginsDocs if (divs \@ "id").startsWith(patternId.value.toLowerCase())
 divsChildren <- divs.child.filter { node =>
- val l = node.label
+ val l = node.labels
 l == "h1" || l == "h2" || l == "p"
 }
 } yield divsChildren
@@ -80,8 +80,6 @@ object PluginsDocTransformer extends IPatternDocTransformer {
 severity,
 Category.Security,
 SecuritySubcategories.get(patternIdCapitalized),
- Some(ScanType.SAST),
- Set.empty,
 Set.empty,
 enabled = DefaultPatterns.list.contains(patternIdCapitalized.value)
 )
diff --git a/docs/description/B101.md b/docs/description/B101.md
index 031b59b..d76e5e0 100644
--- a/docs/description/B101.md
+++ b/docs/description/B101.md
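Review bot: `val l = node.labels` replaces `node.label`, but `scala.xml.Node` exposes an element's name as `label` (singular), so unless this project defines a `labels` extension on `Node` the new line will not compile; the next line compares `l` with `"h1"`, `"h2"` and `"p"`, which is exactly the element name. This looks like a side effect of reverting the first patch in the series wholesale rather than an intended change, so the revert should keep `val l = node.label`. The enclosing for-comprehension starts outside the hunk.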
@@ -1,160 +1,33 @@ -Bandit +## B101: Test for use of assert -- Getting - Started -- Configuration -- Integrations -- Test - Plugins - - Writing Tests - - Config Generation - - Example Test Plugin - - Plugin ID Groupings - - Complete Test Plugin Listing - - B101: - assert_used - - B102: exec_used - - B103: set_bad_file_permissions - - B104: - hardcoded_bind_all_interfaces - - B105: hardcoded_password_string - - B106: - hardcoded_password_funcarg - - B107: - hardcoded_password_default - - B108: hardcoded_tmp_directory - - B109: - password_config_option_not_marked_secret - - B110: try_except_pass - - B111: - execute_with_run_as_root_equals_true - - B112: try_except_continue - - B113: request_without_timeout - - B201: flask_debug_true - - B202: tarfile_unsafe_members - - B324: hashlib - - B501: - request_with_no_cert_validation - - B502: ssl_with_bad_version - - B503: ssl_with_bad_defaults - - B504: ssl_with_no_version - - B505: weak_cryptographic_key - - B506: yaml_load - - B507: - ssh_no_host_key_verification - - B508: snmp_insecure_version - - B509: snmp_weak_cryptography - - B601: paramiko_calls - - B602: - subprocess_popen_with_shell_equals_true - - B603: - subprocess_without_shell_equals_true - - B604: - any_other_function_with_shell_equals_true - - B605: - start_process_with_a_shell - - B606: - start_process_with_no_shell - - B607: - start_process_with_partial_path - - B608: hardcoded_sql_expressions - - B609: - linux_commands_wildcard_injection - - B610: django_extra_used - - B611: django_rawsql_used - - B612: - logging_config_insecure_listen - - B613: trojansource - - B614: pytorch_load - - B615: - huggingface_unsafe_download - - B701: jinja2_autoescape_false - - B702: use_of_mako_templates - - B703: django_mark_safe - - B704: markupsafe_markup_xss -- Blacklist Plugins -- Report Formatters -- Continuous Integration and Deployment (CI/CD) -- Frequently - Asked Questions +This plugin test checks for the use of the Python `assert` keyword. 
It +was discovered that some projects used assert to enforce interface +constraints. However, assert is removed with compiling to optimised byte +code (python -o producing \*.pyo files). This caused various protections +to be removed. Consider raising a semantically meaningful error or +`AssertionError` instead. -Bandit +Please see + +for more info on `assert`. -- -- Test Plugins -- B101: assert_used -- View page source +**Config Options:** ------------------------------------------------------------------------- +You can configure files that skip this check. This is often useful when +you use assert statements in test cases. -# B101: assert_used +`assert_used: +skips: ['*_test.py', '*test_*.py']` - -Next ------------------------------------------------------------------------- +Example: -© Copyright 2025, Bandit Developers. + -Built with Sphinx -using a theme provided by -Read the Docs. + >> Issue: Use of assert detected. The enclosed code will be removed when + compiling to optimised byte code. + Severity: Low Confidence: High + CWE: CWE-703 (https://cwe.mitre.org/data/definitions/703.html) + Location: ./examples/assert.py:1 + 1 assert logged_in + 2 display_assets() \ No newline at end of file diff --git a/docs/description/B102.md b/docs/description/B102.md index a668440..422279e 100644 --- a/docs/description/B102.md +++ b/docs/description/B102.md 
@@ -1,162 +1,14 @@ -Bandit +## B102: Test for the use of exec -- Getting - Started -- Configuration -- Integrations -- Test - Plugins - - Writing Tests - - Config Generation - - Example Test Plugin - - Plugin ID Groupings - - Complete Test Plugin Listing - - B101: assert_used - - B102: - exec_used - - B103: set_bad_file_permissions - - B104: - hardcoded_bind_all_interfaces - - B105: hardcoded_password_string - - B106: - hardcoded_password_funcarg - - B107: - hardcoded_password_default - - B108: hardcoded_tmp_directory - - B109: - password_config_option_not_marked_secret - - B110: try_except_pass - - B111: - execute_with_run_as_root_equals_true - - B112: try_except_continue - - B113: request_without_timeout - - B201: flask_debug_true - - B202: tarfile_unsafe_members - - B324: hashlib - - B501: - request_with_no_cert_validation - - B502: ssl_with_bad_version - - B503: ssl_with_bad_defaults - - B504: ssl_with_no_version - - B505: weak_cryptographic_key - - B506: yaml_load - - B507: - ssh_no_host_key_verification - - B508: snmp_insecure_version - - B509: snmp_weak_cryptography - - B601: paramiko_calls - - B602: - subprocess_popen_with_shell_equals_true - - B603: - subprocess_without_shell_equals_true - - B604: - any_other_function_with_shell_equals_true - - B605: - start_process_with_a_shell - - B606: - start_process_with_no_shell - - B607: - start_process_with_partial_path - - B608: hardcoded_sql_expressions - - B609: - linux_commands_wildcard_injection - - B610: django_extra_used - - B611: django_rawsql_used - - B612: - logging_config_insecure_listen - - B613: trojansource - - B614: pytorch_load - - B615: - huggingface_unsafe_download - - B701: jinja2_autoescape_false - - B702: use_of_mako_templates - - B703: django_mark_safe - - B704: markupsafe_markup_xss -- Blacklist Plugins -- Report Formatters -- Continuous Integration and Deployment (CI/CD) -- Frequently - Asked Questions +This plugin test checks for the use of Python’s exec method or keyword. 
+The Python docs succinctly describe why the use of exec is risky. -Bandit +Example: -- -- Test Plugins -- B102: exec_used -- View page source + ------------------------------------------------------------------------- - -# B102: exec_used - -Previous - - ------------------------------------------------------------------------- - -© Copyright 2025, Bandit Developers. - -Built with Sphinx -using a theme provided by -Read the Docs. + >> Issue: Use of exec detected. + Severity: Medium Confidence: High + CWE: CWE-78 (https://cwe.mitre.org/data/definitions/78.html) + Location: ./examples/exec.py:2 + 1 exec("do evil") \ No newline at end of file diff --git a/docs/description/B103.md b/docs/description/B103.md index 0fc0086..3b9a077 100644 --- a/docs/description/B103.md +++ b/docs/description/B103.md 
@@ -1,162 +1,33 @@ -Bandit - -- Getting - Started -- Configuration -- Integrations -- Test - Plugins - - Writing Tests - - Config Generation - - Example Test Plugin - - Plugin ID Groupings - - Complete Test Plugin Listing - - B101: assert_used - - B102: exec_used - - B103: - set_bad_file_permissions - - B104: - hardcoded_bind_all_interfaces - - B105: hardcoded_password_string - - B106: - hardcoded_password_funcarg - - B107: - hardcoded_password_default - - B108: hardcoded_tmp_directory - - B109: - password_config_option_not_marked_secret - - B110: try_except_pass - - B111: - execute_with_run_as_root_equals_true - - B112: try_except_continue - - B113: request_without_timeout - - B201: flask_debug_true - - B202: tarfile_unsafe_members - - B324: hashlib - - B501: - request_with_no_cert_validation - - B502: ssl_with_bad_version - - B503: ssl_with_bad_defaults - - B504: ssl_with_no_version - - B505: weak_cryptographic_key - - B506: yaml_load - - B507: - ssh_no_host_key_verification - - B508: snmp_insecure_version - - B509: snmp_weak_cryptography - - B601: paramiko_calls - - B602: - subprocess_popen_with_shell_equals_true - - B603: - subprocess_without_shell_equals_true - - B604: - any_other_function_with_shell_equals_true - - B605: - start_process_with_a_shell - - B606: - start_process_with_no_shell - - B607: - start_process_with_partial_path - - B608: hardcoded_sql_expressions - - B609: - linux_commands_wildcard_injection - - B610: django_extra_used - - B611: django_rawsql_used - - B612: - logging_config_insecure_listen - - B613: trojansource - - B614: pytorch_load - - B615: - huggingface_unsafe_download - - B701: jinja2_autoescape_false - - B702: use_of_mako_templates - - B703: django_mark_safe - - B704: markupsafe_markup_xss -- Blacklist Plugins -- Report Formatters -- Continuous Integration and Deployment (CI/CD) -- Frequently - Asked Questions - -Bandit - -- -- Test Plugins -- B103: set_bad_file_permissions -- View page source - 
------------------------------------------------------------------------- - -# B103: set_bad_file_permissions - -Previous - - ------------------------------------------------------------------------- - -© Copyright 2025, Bandit Developers. - -Built with Sphinx -using a theme provided by -Read the Docs. +## B103: Test for setting permissive file permissions + +POSIX based operating systems utilize a permissions model to protect +access to parts of the file system. This model supports three roles +“owner”, “group” and “world” each role may have a combination of “read”, +“write” or “execute” flags sets. Python provides `chmod` to manipulate +POSIX style permissions. + +This plugin test looks for the use of `chmod` and will alert when it is +used to set particularly permissive control flags. A MEDIUM warning is +generated if a file is set to group executable and a HIGH warning is +reported if a file is set world writable. Warnings are given with HIGH +confidence. + +Example: + + + + >> Issue: Probable insecure usage of temp file/directory. + Severity: Medium Confidence: Medium + CWE: CWE-732 (https://cwe.mitre.org/data/definitions/732.html) + Location: ./examples/os-chmod.py:15 + 14 os.chmod('/etc/hosts', 0o777) + 15 os.chmod('/tmp/oh_hai', 0x1ff) + 16 os.chmod('/etc/passwd', stat.S_IRWXU) + + >> Issue: Chmod setting a permissive mask 0777 on file (key_file). + Severity: High Confidence: High + CWE: CWE-732 (https://cwe.mitre.org/data/definitions/732.html) + Location: ./examples/os-chmod.py:17 + 16 os.chmod('/etc/passwd', stat.S_IRWXU) + 17 os.chmod(key_file, 0o777) + 18 \ No newline at end of file diff --git a/docs/description/B104.md b/docs/description/B104.md index e0fda53..f5c467a 100644 --- a/docs/description/B104.md +++ b/docs/description/B104.md 
@@ -1,161 +1,18 @@ -Bandit +## B104: Test for binding to all interfaces -- Getting - Started -- Configuration -- Integrations -- Test - Plugins - - Writing Tests - - Config Generation - - Example Test Plugin - - Plugin ID Groupings - - Complete Test Plugin Listing - - B101: assert_used - - B102: exec_used - - B103: set_bad_file_permissions - - B104: - hardcoded_bind_all_interfaces - - B105: hardcoded_password_string - - B106: - hardcoded_password_funcarg - - B107: - hardcoded_password_default - - B108: hardcoded_tmp_directory - - B109: - password_config_option_not_marked_secret - - B110: try_except_pass - - B111: - execute_with_run_as_root_equals_true - - B112: try_except_continue - - B113: request_without_timeout - - B201: flask_debug_true - - B202: tarfile_unsafe_members - - B324: hashlib - - B501: - request_with_no_cert_validation - - B502: ssl_with_bad_version - - B503: ssl_with_bad_defaults - - B504: ssl_with_no_version - - B505: weak_cryptographic_key - - B506: yaml_load - - B507: - ssh_no_host_key_verification - - B508: snmp_insecure_version - - B509: snmp_weak_cryptography - - B601: paramiko_calls - - B602: - subprocess_popen_with_shell_equals_true - - B603: - subprocess_without_shell_equals_true - - B604: - any_other_function_with_shell_equals_true - - B605: - start_process_with_a_shell - - B606: - start_process_with_no_shell - - B607: - start_process_with_partial_path - - B608: hardcoded_sql_expressions - - B609: - linux_commands_wildcard_injection - - B610: django_extra_used - - B611: django_rawsql_used - - B612: - logging_config_insecure_listen - - B613: trojansource - - B614: pytorch_load - - B615: - huggingface_unsafe_download - - B701: jinja2_autoescape_false - - B702: use_of_mako_templates - - B703: django_mark_safe - - B704: markupsafe_markup_xss -- Blacklist Plugins -- Report Formatters -- Continuous Integration and Deployment (CI/CD) -- Frequently - Asked Questions +Binding to all network interfaces can potentially open up a service to +traffic 
on unintended interfaces, that may not be properly documented or +secured. This plugin test looks for a string pattern “0.0.0.0” that may +indicate a hardcoded binding to all network interfaces. -Bandit +Example: -- -- Test Plugins -- B104: hardcoded_bind_all_interfaces -- View page source + ------------------------------------------------------------------------- - -# B104: hardcoded_bind_all_interfaces - - - - ------------------------------------------------------------------------- - -© Copyright 2025, Bandit Developers. - -Built with Sphinx -using a theme provided by -Read the Docs. + >> Issue: Possible binding to all interfaces. + Severity: Medium Confidence: Medium + CWE: CWE-605 (https://cwe.mitre.org/data/definitions/605.html) + Location: ./examples/binding.py:4 + 3 s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) + 4 s.bind(('0.0.0.0', 31137)) + 5 s.bind(('192.168.0.1', 8080)) \ No newline at end of file diff --git a/docs/description/B105.md b/docs/description/B105.md index 78c1b7b..ed2a8aa 100644 --- a/docs/description/B105.md +++ b/docs/description/B105.md 
@@ -1,162 +1,46 @@ -Bandit - -- Getting - Started -- Configuration -- Integrations -- Test - Plugins - - Writing Tests - - Config Generation - - Example Test Plugin - - Plugin ID Groupings - - Complete Test Plugin Listing - - B101: assert_used - - B102: exec_used - - B103: set_bad_file_permissions - - B104: - hardcoded_bind_all_interfaces - - B105: - hardcoded_password_string - - B106: - hardcoded_password_funcarg - - B107: - hardcoded_password_default - - B108: hardcoded_tmp_directory - - B109: - password_config_option_not_marked_secret - - B110: try_except_pass - - B111: - execute_with_run_as_root_equals_true - - B112: try_except_continue - - B113: request_without_timeout - - B201: flask_debug_true - - B202: tarfile_unsafe_members - - B324: hashlib - - B501: - request_with_no_cert_validation - - B502: ssl_with_bad_version - - B503: ssl_with_bad_defaults - - B504: ssl_with_no_version - - B505: weak_cryptographic_key - - B506: yaml_load - - B507: - ssh_no_host_key_verification - - B508: snmp_insecure_version - - B509: snmp_weak_cryptography - - B601: paramiko_calls - - B602: - subprocess_popen_with_shell_equals_true - - B603: - subprocess_without_shell_equals_true - - B604: - any_other_function_with_shell_equals_true - - B605: - start_process_with_a_shell - - B606: - start_process_with_no_shell - - B607: - start_process_with_partial_path - - B608: hardcoded_sql_expressions - - B609: - linux_commands_wildcard_injection - - B610: django_extra_used - - B611: django_rawsql_used - - B612: - logging_config_insecure_listen - - B613: trojansource - - B614: pytorch_load - - B615: - huggingface_unsafe_download - - B701: jinja2_autoescape_false - - B702: use_of_mako_templates - - B703: django_mark_safe - - B704: markupsafe_markup_xss -- Blacklist Plugins -- Report Formatters -- Continuous Integration and Deployment (CI/CD) -- Frequently - Asked Questions - -Bandit - -- -- Test Plugins -- B105: hardcoded_password_string -- View page source - 
------------------------------------------------------------------------- - -# B105: hardcoded_password_string - - - - ------------------------------------------------------------------------- - -© Copyright 2025, Bandit Developers. - -Built with Sphinx -using a theme provided by -Read the Docs. +**B105: Test for use of hard-coded password strings** + +The use of hard-coded passwords increases the possibility of password +guessing tremendously. This plugin test looks for all string literals +and checks the following conditions: + +- assigned to a variable that looks like a password + +- assigned to a dict key that looks like a password + +- used in a comparison with a variable that looks like a password + +Variables are considered to look like a password if they have match any +one of: + +- “password” + +- “pass” + +- “passwd” + +- “pwd” + +- “secret” + +- “token” + +- “secrete” + +Note: this can be noisy and may generate false positives. + +**Config Options:** + +None + +Example + + + + >> Issue: Possible hardcoded password '(root)' + Severity: Low Confidence: Low + Location: ./examples/hardcoded-passwords.py:5 + 4 def someFunction2(password): + 5 if password == "root": + 6 print("OK, logged in") + diff --git a/docs/description/B106.md b/docs/description/B106.md index 95e0f02..6feacfe 100644 --- a/docs/description/B106.md +++ b/docs/description/B106.md 
@@ -1,161 +1,41 @@ -Bandit - -- Getting - Started -- Configuration -- Integrations -- Test - Plugins - - Writing Tests - - Config Generation - - Example Test Plugin - - Plugin ID Groupings - - Complete Test Plugin Listing - - B101: assert_used - - B102: exec_used - - B103: set_bad_file_permissions - - B104: - hardcoded_bind_all_interfaces - - B105: hardcoded_password_string - - B106: - hardcoded_password_funcarg - - B107: - hardcoded_password_default - - B108: hardcoded_tmp_directory - - B109: - password_config_option_not_marked_secret - - B110: try_except_pass - - B111: - execute_with_run_as_root_equals_true - - B112: try_except_continue - - B113: request_without_timeout - - B201: flask_debug_true - - B202: tarfile_unsafe_members - - B324: hashlib - - B501: - request_with_no_cert_validation - - B502: ssl_with_bad_version - - B503: ssl_with_bad_defaults - - B504: ssl_with_no_version - - B505: weak_cryptographic_key - - B506: yaml_load - - B507: - ssh_no_host_key_verification - - B508: snmp_insecure_version - - B509: snmp_weak_cryptography - - B601: paramiko_calls - - B602: - subprocess_popen_with_shell_equals_true - - B603: - subprocess_without_shell_equals_true - - B604: - any_other_function_with_shell_equals_true - - B605: - start_process_with_a_shell - - B606: - start_process_with_no_shell - - B607: - start_process_with_partial_path - - B608: hardcoded_sql_expressions - - B609: - linux_commands_wildcard_injection - - B610: django_extra_used - - B611: django_rawsql_used - - B612: - logging_config_insecure_listen - - B613: trojansource - - B614: pytorch_load - - B615: - huggingface_unsafe_download - - B701: jinja2_autoescape_false - - B702: use_of_mako_templates - - B703: django_mark_safe - - B704: markupsafe_markup_xss -- Blacklist Plugins -- Report Formatters -- Continuous Integration and Deployment (CI/CD) -- Frequently - Asked Questions - -Bandit - -- -- Test Plugins -- B106: hardcoded_password_funcarg -- View page source - 
------------------------------------------------------------------------- - -# B106: hardcoded_password_funcarg - - - - ------------------------------------------------------------------------- - -© Copyright 2025, Bandit Developers. - -Built with Sphinx -using a theme provided by -Read the Docs. +**B106: Test for use of hard-coded password function arguments** + +The use of hard-coded passwords increases the possibility of password +guessing tremendously. This plugin test looks for all function calls +being passed a keyword argument that is a string literal. It checks that +the assigned local variable does not look like a password. + +Variables are considered to look like a password if they have match any +one of: + +- “password” + +- “pass” + +- “passwd” + +- “pwd” + +- “secret” + +- “token” + +- “secrete” + +Note: this can be noisy and may generate false positives. + +**Config Options:** + +None + +Example + + + + >> Issue: [B106:hardcoded_password_funcarg] Possible hardcoded + password: 'blerg' + Severity: Low Confidence: Medium + Location: ./examples/hardcoded-passwords.py:16 + 15 + 16 doLogin(password="blerg") + diff --git a/docs/description/B107.md b/docs/description/B107.md index 25cb587..bed135d 100644 --- a/docs/description/B107.md +++ b/docs/description/B107.md 
@@ -1,161 +1,42 @@ -Bandit - -- Getting - Started -- Configuration -- Integrations -- Test - Plugins - - Writing Tests - - Config Generation - - Example Test Plugin - - Plugin ID Groupings - - Complete Test Plugin Listing - - B101: assert_used - - B102: exec_used - - B103: set_bad_file_permissions - - B104: - hardcoded_bind_all_interfaces - - B105: hardcoded_password_string - - B106: - hardcoded_password_funcarg - - B107: - hardcoded_password_default - - B108: hardcoded_tmp_directory - - B109: - password_config_option_not_marked_secret - - B110: try_except_pass - - B111: - execute_with_run_as_root_equals_true - - B112: try_except_continue - - B113: request_without_timeout - - B201: flask_debug_true - - B202: tarfile_unsafe_members - - B324: hashlib - - B501: - request_with_no_cert_validation - - B502: ssl_with_bad_version - - B503: ssl_with_bad_defaults - - B504: ssl_with_no_version - - B505: weak_cryptographic_key - - B506: yaml_load - - B507: - ssh_no_host_key_verification - - B508: snmp_insecure_version - - B509: snmp_weak_cryptography - - B601: paramiko_calls - - B602: - subprocess_popen_with_shell_equals_true - - B603: - subprocess_without_shell_equals_true - - B604: - any_other_function_with_shell_equals_true - - B605: - start_process_with_a_shell - - B606: - start_process_with_no_shell - - B607: - start_process_with_partial_path - - B608: hardcoded_sql_expressions - - B609: - linux_commands_wildcard_injection - - B610: django_extra_used - - B611: django_rawsql_used - - B612: - logging_config_insecure_listen - - B613: trojansource - - B614: pytorch_load - - B615: - huggingface_unsafe_download - - B701: jinja2_autoescape_false - - B702: use_of_mako_templates - - B703: django_mark_safe - - B704: markupsafe_markup_xss -- Blacklist Plugins -- Report Formatters -- Continuous Integration and Deployment (CI/CD) -- Frequently - Asked Questions - -Bandit - -- -- Test Plugins -- B107: hardcoded_password_default -- View page source - 
------------------------------------------------------------------------- - -# B107: hardcoded_password_default - - - - ------------------------------------------------------------------------- - -© Copyright 2025, Bandit Developers. - -Built with Sphinx -using a theme provided by -Read the Docs. +**B107: Test for use of hard-coded password argument defaults** + +The use of hard-coded passwords increases the possibility of password +guessing tremendously. This plugin test looks for all function +definitions that specify a default string literal for some argument. It +checks that the argument does not look like a password. + +Variables are considered to look like a password if they have match any +one of: + +- “password” + +- “pass” + +- “passwd” + +- “pwd” + +- “secret” + +- “token” + +- “secrete” + +Note: this can be noisy and may generate false positives. + +**Config Options:** + +None + +Example + + + + >> Issue: [B107:hardcoded_password_default] Possible hardcoded + password: 'Admin' + Severity: Low Confidence: Medium + Location: ./examples/hardcoded-passwords.py:1 + + 1 def someFunction(user, password="Admin"): + 2 print("Hi " + user) + diff --git a/docs/description/B108.md b/docs/description/B108.md index 0fca302..9ed20db 100644 --- a/docs/description/B108.md +++ b/docs/description/B108.md 
@@ -1,163 +1,17 @@ -Bandit +## B108: Test for insecure usage of tmp file/directory -- Getting - Started -- Configuration -- Integrations -- Test - Plugins - - Writing Tests - - Config Generation - - Example Test Plugin - - Plugin ID Groupings - - Complete Test Plugin Listing - - B101: assert_used - - B102: exec_used - - B103: set_bad_file_permissions - - B104: - hardcoded_bind_all_interfaces - - B105: hardcoded_password_string - - B106: - hardcoded_password_funcarg - - B107: - hardcoded_password_default - - B108: - hardcoded_tmp_directory - - B109: - password_config_option_not_marked_secret - - B110: try_except_pass - - B111: - execute_with_run_as_root_equals_true - - B112: try_except_continue - - B113: request_without_timeout - - B201: flask_debug_true - - B202: tarfile_unsafe_members - - B324: hashlib - - B501: - request_with_no_cert_validation - - B502: ssl_with_bad_version - - B503: ssl_with_bad_defaults - - B504: ssl_with_no_version - - B505: weak_cryptographic_key - - B506: yaml_load - - B507: - ssh_no_host_key_verification - - B508: snmp_insecure_version - - B509: snmp_weak_cryptography - - B601: paramiko_calls - - B602: - subprocess_popen_with_shell_equals_true - - B603: - subprocess_without_shell_equals_true - - B604: - any_other_function_with_shell_equals_true - - B605: - start_process_with_a_shell - - B606: - start_process_with_no_shell - - B607: - start_process_with_partial_path - - B608: hardcoded_sql_expressions - - B609: - linux_commands_wildcard_injection - - B610: django_extra_used - - B611: django_rawsql_used - - B612: - logging_config_insecure_listen - - B613: trojansource - - B614: pytorch_load - - B615: - huggingface_unsafe_download - - B701: jinja2_autoescape_false - - B702: use_of_mako_templates - - B703: django_mark_safe - - B704: markupsafe_markup_xss -- Blacklist Plugins -- Report Formatters -- Continuous Integration and Deployment (CI/CD) -- Frequently - Asked Questions +Safely creating a temporary file or directory means following a 
number +of rules (see the references for more details). This plugin test looks +for strings starting with (configurable) commonly used temporary paths, +for example: -Bandit +**Config Options:** -- -- Test Plugins -- B108: hardcoded_tmp_directory -- View page source +This test plugin takes a similarly named config block, +hardcoded\_tmp\_directory. The config block provides a Python list, +tmp\_dirs, that lists string fragments indicating possible temporary +file paths. Any string starting with one of these fragments will report +a MEDIUM confidence issue. ------------------------------------------------------------------------- - -# B108: hardcoded_tmp_directory - - - - ------------------------------------------------------------------------- - -© Copyright 2025, Bandit Developers. - -Built with Sphinx -using a theme provided by -Read the Docs. +`hardcoded_tmp_directory: +tmp_dirs: ['/tmp', '/var/tmp', '/dev/shm']` \ No newline at end of file diff --git a/docs/description/B109.md b/docs/description/B109.md index 10432d0..deba8df 100644 --- a/docs/description/B109.md +++ b/docs/description/B109.md 
@@ -1,154 +1,7 @@ -Bandit - -- Getting - Started -- Configuration -- Integrations -- Test - Plugins - - Writing Tests - - Config Generation - - Example Test Plugin - - Plugin ID Groupings - - Complete Test Plugin Listing - - B101: assert_used - - B102: exec_used - - B103: set_bad_file_permissions - - B104: - hardcoded_bind_all_interfaces - - B105: hardcoded_password_string - - B106: - hardcoded_password_funcarg - - B107: - hardcoded_password_default - - B108: hardcoded_tmp_directory - - B109: - password_config_option_not_marked_secret - - B110: try_except_pass - - B111: - execute_with_run_as_root_equals_true - - B112: try_except_continue - - B113: request_without_timeout - - B201: flask_debug_true - - B202: tarfile_unsafe_members - - B324: hashlib - - B501: - request_with_no_cert_validation - - B502: ssl_with_bad_version - - B503: ssl_with_bad_defaults - - B504: ssl_with_no_version - - B505: weak_cryptographic_key - - B506: yaml_load - - B507: - ssh_no_host_key_verification - - B508: snmp_insecure_version - - B509: snmp_weak_cryptography - - B601: paramiko_calls - - B602: - subprocess_popen_with_shell_equals_true - - B603: - subprocess_without_shell_equals_true - - B604: - any_other_function_with_shell_equals_true - - B605: - start_process_with_a_shell - - B606: - start_process_with_no_shell - - B607: - start_process_with_partial_path - - B608: hardcoded_sql_expressions - - B609: - linux_commands_wildcard_injection - - B610: django_extra_used - - B611: django_rawsql_used - - B612: - logging_config_insecure_listen - - B613: trojansource - - B614: pytorch_load - - B615: - huggingface_unsafe_download - - B701: jinja2_autoescape_false - - B702: use_of_mako_templates - - B703: django_mark_safe - - B704: markupsafe_markup_xss -- Blacklist Plugins -- Report Formatters -- Continuous Integration and Deployment (CI/CD) -- Frequently - Asked Questions - -Bandit - -- -- Test Plugins -- B109: password_config_option_not_marked_secret -- View page source - 
------------------------------------------------------------------------- - -# B109: password_config_option_not_marked_secret +# B109: Test for a password based config option not marked secret This plugin has been removed. -B109: Test for a password based config option not marked secret - Passwords are sensitive and must be protected appropriately. In OpenStack Oslo there is an option to mark options “secret” which will ensure that they are not logged. This plugin detects usages of oslo 
@@ -160,59 +13,32 @@ If such a value is found a MEDIUM severity error is generated. If confidence issue. If Bandit can’t determine the value of secret it will return a LOW confidence issue. -**Config Options:** +Config Options: - password_config_option_not_marked_secret: - function_names: - - oslo.config.cfg.StrOpt - - oslo_config.cfg.StrOpt +`password_config_option_not_marked_secret: +function_names: +- oslo.config.cfg.StrOpt +- oslo_config.cfg.StrOpt` -Example: +Example: >> Issue: [password_config_option_not_marked_secret] oslo config option possibly not marked secret=True identified. - Severity: Medium Confidence: Low - Location: examples/secret-config-option.py:12 + Severity: Medium Confidence: Low + Location: examples/secret-config-option.py:12 11 help="User's password"), 12 cfg.StrOpt('nova_password', 13 secret=secret, 14 help="Nova user password"), 15 ] - + >> Issue: [password_config_option_not_marked_secret] oslo config option not marked secret=True identified, security issue. - Severity: Medium Confidence: Medium - Location: examples/secret-config-option.py:21 + Severity: Medium Confidence: Medium + Location: examples/secret-config-option.py:21 20 help="LDAP ubind ser name"), 21 cfg.StrOpt('ldap_password', 22 help="LDAP bind user password"), - 23 cfg.StrOpt('ldap_password_attribute', - -See also - -- https://security.openstack.org/guidelines/dg_protect-sensitive-data-in-files.html - -Added in version 0.10.0. - -Deprecated since version 1.5.0: This plugin was removed - - -Next - ------------------------------------------------------------------------- - -© Copyright 2025, Bandit Developers. - -Built with Sphinx -using a theme provided by -Read the Docs. + 23 cfg.StrOpt('ldap_password_attribute', \ No newline at end of file diff --git a/docs/description/B110.md b/docs/description/B110.md index 96b4b27..47fab65 100644 --- a/docs/description/B110.md +++ b/docs/description/B110.md 
@@ -1,162 +1,38 @@ -Bandit +## B110: Test for a pass in the except block -- Getting - Started -- Configuration -- Integrations -- Test - Plugins - - Writing Tests - - Config Generation - - Example Test Plugin - - Plugin ID Groupings - - Complete Test Plugin Listing - - B101: assert_used - - B102: exec_used - - B103: set_bad_file_permissions - - B104: - hardcoded_bind_all_interfaces - - B105: hardcoded_password_string - - B106: - hardcoded_password_funcarg - - B107: - hardcoded_password_default - - B108: hardcoded_tmp_directory - - B109: - password_config_option_not_marked_secret - - B110: - try_except_pass - - B111: - execute_with_run_as_root_equals_true - - B112: try_except_continue - - B113: request_without_timeout - - B201: flask_debug_true - - B202: tarfile_unsafe_members - - B324: hashlib - - B501: - request_with_no_cert_validation - - B502: ssl_with_bad_version - - B503: ssl_with_bad_defaults - - B504: ssl_with_no_version - - B505: weak_cryptographic_key - - B506: yaml_load - - B507: - ssh_no_host_key_verification - - B508: snmp_insecure_version - - B509: snmp_weak_cryptography - - B601: paramiko_calls - - B602: - subprocess_popen_with_shell_equals_true - - B603: - subprocess_without_shell_equals_true - - B604: - any_other_function_with_shell_equals_true - - B605: - start_process_with_a_shell - - B606: - start_process_with_no_shell - - B607: - start_process_with_partial_path - - B608: hardcoded_sql_expressions - - B609: - linux_commands_wildcard_injection - - B610: django_extra_used - - B611: django_rawsql_used - - B612: - logging_config_insecure_listen - - B613: trojansource - - B614: pytorch_load - - B615: - huggingface_unsafe_download - - B701: jinja2_autoescape_false - - B702: use_of_mako_templates - - B703: django_mark_safe - - B704: markupsafe_markup_xss -- Blacklist Plugins -- Report Formatters -- Continuous Integration and Deployment (CI/CD) -- Frequently - Asked Questions +Errors in Python code bases are typically communicated using +`Exceptions`. 
An exception object is ‘raised’ in the event of an error +and can be ‘caught’ at a later point in the program, typically some +error handling or logging action will then be performed. -Bandit +However, it is possible to catch an exception and silently ignore it. +This is illustrated with the following example -- -- Test Plugins -- B110: try_except_pass -- View page source +This pattern is considered bad practice in general, but also represents +a potential security issue. A larger than normal volume of errors from a +service can indicate an attempt is being made to disrupt or interfere +with it. Thus errors should, at the very least, be logged. ------------------------------------------------------------------------- +There are rare situations where it is desirable to suppress errors, but +this is typically done with specific exception types, rather than the +base Exception class (or no type). To accommodate this, the test may be +configured to ignore ‘try, except, pass’ where the exception is typed. +For example, the following would not generate a warning if the +configuration option `checked_typed_exception` is set to False: -# B110: try_except_pass +**Config Options:** - - +`try_except_pass: +check_typed_exception: True` ------------------------------------------------------------------------- +Example: -© Copyright 2025, Bandit Developers. + -Built with Sphinx -using a theme provided by -Read the Docs. + >> Issue: Try, Except, Pass detected. + Severity: Low Confidence: High + CWE: CWE-703 (https://cwe.mitre.org/data/definitions/703.html) + Location: ./examples/try_except_pass.py:4 + 3 a = 1 + 4 except: + 5 pass \ No newline at end of file diff --git a/docs/description/B111.md b/docs/description/B111.md index 1d8ecc4..4674654 100644 --- a/docs/description/B111.md +++ b/docs/description/B111.md 
@@ -1,216 +1,34 @@ -Bandit - -- Getting - Started -- Configuration -- Integrations -- Test - Plugins - - Writing Tests - - Config Generation - - Example Test Plugin - - Plugin ID Groupings - - Complete Test Plugin Listing - - B101: assert_used - - B102: exec_used - - B103: set_bad_file_permissions - - B104: - hardcoded_bind_all_interfaces - - B105: hardcoded_password_string - - B106: - hardcoded_password_funcarg - - B107: - hardcoded_password_default - - B108: hardcoded_tmp_directory - - B109: - password_config_option_not_marked_secret - - B110: try_except_pass - - B111: - execute_with_run_as_root_equals_true - - B112: try_except_continue - - B113: request_without_timeout - - B201: flask_debug_true - - B202: tarfile_unsafe_members - - B324: hashlib - - B501: - request_with_no_cert_validation - - B502: ssl_with_bad_version - - B503: ssl_with_bad_defaults - - B504: ssl_with_no_version - - B505: weak_cryptographic_key - - B506: yaml_load - - B507: - ssh_no_host_key_verification - - B508: snmp_insecure_version - - B509: snmp_weak_cryptography - - B601: paramiko_calls - - B602: - subprocess_popen_with_shell_equals_true - - B603: - subprocess_without_shell_equals_true - - B604: - any_other_function_with_shell_equals_true - - B605: - start_process_with_a_shell - - B606: - start_process_with_no_shell - - B607: - start_process_with_partial_path - - B608: hardcoded_sql_expressions - - B609: - linux_commands_wildcard_injection - - B610: django_extra_used - - B611: django_rawsql_used - - B612: - logging_config_insecure_listen - - B613: trojansource - - B614: pytorch_load - - B615: - huggingface_unsafe_download - - B701: jinja2_autoescape_false - - B702: use_of_mako_templates - - B703: django_mark_safe - - B704: markupsafe_markup_xss -- Blacklist Plugins -- Report Formatters -- Continuous Integration and Deployment (CI/CD) -- Frequently - Asked Questions - -Bandit - -- -- Test Plugins -- B111: execute_with_run_as_root_equals_true -- View page source - 
------------------------------------------------------------------------- - -# B111: execute_with_run_as_root_equals_true +# B111: Test for the use of rootwrap running as root This plugin has been removed. -B111: Test for the use of rootwrap running as root - Running commands as root dramatically increase their potential risk. Running commands with restricted user privileges provides defense in depth against command injection attacks, or developer and configuration error. This plugin test checks for specific methods being called with a -keyword parameter run_as_root set to True, a common OpenStack idiom. +keyword parameter run\_as\_root set to True, a common OpenStack idiom. + **Config Options:** -This test plugin takes a similarly named configuration block, -execute_with_run_as_root_equals_true, providing a list, function_names, -of function names. A call to any of these named functions will be -checked for a run_as_root keyword parameter, and if True, will report a -Low severity issue. +This test plugin takes a similarly named configuration block, execute_with_run_as_root_equals_true, providing a list, function_names, of function names. A call to any of these named functions will be checked for a run_as_root keyword parameter, and if True, will report a Low severity issue. - execute_with_run_as_root_equals_true: - function_names: - - ceilometer.utils.execute - - cinder.utils.execute - - neutron.agent.linux.utils.execute - - nova.utils.execute - - nova.utils.trycmd +execute_with_run_as_root_equals_true: + function_names: +- ceilometer.utils.execute +- cinder.utils.execute +- neutron.agent.linux.utils.execute +- nova.utils.execute +- nova.utils.trycmd -Example: +Example: >> Issue: Execute with run_as_root=True identified, possible security - issue. - Severity: Low Confidence: Medium - Location: ./examples/exec-as-root.py:26 + issue. 
+ Severity: Low Confidence: Medium + Location: ./examples/exec-as-root.py:26 25 nova_utils.trycmd('gcc --version') 26 nova_utils.trycmd('gcc --version', run_as_root=True) - 27 - -See also - -- https://security.openstack.org/guidelines/dg_rootwrap-recommendations-and-plans.html - -- https://security.openstack.org/guidelines/dg_use-oslo-rootwrap-securely.html - -Added in version 0.10.0. - -Deprecated since version 1.5.0: This plugin was removed - -Previous - - ------------------------------------------------------------------------- - -© Copyright 2025, Bandit Developers. - -Built with Sphinx -using a theme provided by -Read the Docs. + 27 \ No newline at end of file diff --git a/docs/description/B112.md b/docs/description/B112.md index 8b84c2c..4807603 100644 --- a/docs/description/B112.md +++ b/docs/description/B112.md 
@@ -1,162 +1,38 @@ -Bandit +## B112: Test for a continue in the except block -- Getting - Started -- Configuration -- Integrations -- Test - Plugins - - Writing Tests - - Config Generation - - Example Test Plugin - - Plugin ID Groupings - - Complete Test Plugin Listing - - B101: assert_used - - B102: exec_used - - B103: set_bad_file_permissions - - B104: - hardcoded_bind_all_interfaces - - B105: hardcoded_password_string - - B106: - hardcoded_password_funcarg - - B107: - hardcoded_password_default - - B108: hardcoded_tmp_directory - - B109: - password_config_option_not_marked_secret - - B110: try_except_pass - - B111: - execute_with_run_as_root_equals_true - - B112: - try_except_continue - - B113: request_without_timeout - - B201: flask_debug_true - - B202: tarfile_unsafe_members - - B324: hashlib - - B501: - request_with_no_cert_validation - - B502: ssl_with_bad_version - - B503: ssl_with_bad_defaults - - B504: ssl_with_no_version - - B505: weak_cryptographic_key - - B506: yaml_load - - B507: - ssh_no_host_key_verification - - B508: snmp_insecure_version - - B509: snmp_weak_cryptography - - B601: paramiko_calls - - B602: - subprocess_popen_with_shell_equals_true - - B603: - subprocess_without_shell_equals_true - - B604: - any_other_function_with_shell_equals_true - - B605: - start_process_with_a_shell - - B606: - start_process_with_no_shell - - B607: - start_process_with_partial_path - - B608: hardcoded_sql_expressions - - B609: - linux_commands_wildcard_injection - - B610: django_extra_used - - B611: django_rawsql_used - - B612: - logging_config_insecure_listen - - B613: trojansource - - B614: pytorch_load - - B615: - huggingface_unsafe_download - - B701: jinja2_autoescape_false - - B702: use_of_mako_templates - - B703: django_mark_safe - - B704: markupsafe_markup_xss -- Blacklist Plugins -- Report Formatters -- Continuous Integration and Deployment (CI/CD) -- Frequently - Asked Questions +Errors in Python code bases are typically communicated using 
+`Exceptions`. An exception object is ‘raised’ in the event of an error +and can be ‘caught’ at a later point in the program, typically some +error handling or logging action will then be performed. -Bandit +However, it is possible to catch an exception and silently ignore it +while in a loop. This is illustrated with the following example -- -- Test Plugins -- B112: try_except_continue -- View page source +This pattern is considered bad practice in general, but also represents +a potential security issue. A larger than normal volume of errors from a +service can indicate an attempt is being made to disrupt or interfere +with it. Thus errors should, at the very least, be logged. ------------------------------------------------------------------------- +There are rare situations where it is desirable to suppress errors, but +this is typically done with specific exception types, rather than the +base Exception class (or no type). To accommodate this, the test may be +configured to ignore ‘try, except, continue’ where the exception is +typed. For example, the following would not generate a warning if the +configuration option `checked_typed_exception` is set to False: -# B112: try_except_continue +**Config Options:** - - +`try_except_continue: +check_typed_exception: True` ------------------------------------------------------------------------- +Example: -© Copyright 2025, Bandit Developers. + -Built with Sphinx -using a theme provided by -Read the Docs. + >> Issue: Try, Except, Continue detected. + Severity: Low Confidence: High + CWE: CWE-703 (https://cwe.mitre.org/data/definitions/703.html) + Location: ./examples/try_except_continue.py:5 + 4 a = i + 5 except: + 6 continue \ No newline at end of file diff --git a/docs/description/B113.md b/docs/description/B113.md index 69741bc..b07251b 100644 --- a/docs/description/B113.md +++ b/docs/description/B113.md 
@@ -1,162 +1,30 @@ -Bandit - -- Getting - Started -- Configuration -- Integrations -- Test - Plugins - - Writing Tests - - Config Generation - - Example Test Plugin - - Plugin ID Groupings - - Complete Test Plugin Listing - - B101: assert_used - - B102: exec_used - - B103: set_bad_file_permissions - - B104: - hardcoded_bind_all_interfaces - - B105: hardcoded_password_string - - B106: - hardcoded_password_funcarg - - B107: - hardcoded_password_default - - B108: hardcoded_tmp_directory - - B109: - password_config_option_not_marked_secret - - B110: try_except_pass - - B111: - execute_with_run_as_root_equals_true - - B112: try_except_continue - - B113: - request_without_timeout - - B201: flask_debug_true - - B202: tarfile_unsafe_members - - B324: hashlib - - B501: - request_with_no_cert_validation - - B502: ssl_with_bad_version - - B503: ssl_with_bad_defaults - - B504: ssl_with_no_version - - B505: weak_cryptographic_key - - B506: yaml_load - - B507: - ssh_no_host_key_verification - - B508: snmp_insecure_version - - B509: snmp_weak_cryptography - - B601: paramiko_calls - - B602: - subprocess_popen_with_shell_equals_true - - B603: - subprocess_without_shell_equals_true - - B604: - any_other_function_with_shell_equals_true - - B605: - start_process_with_a_shell - - B606: - start_process_with_no_shell - - B607: - start_process_with_partial_path - - B608: hardcoded_sql_expressions - - B609: - linux_commands_wildcard_injection - - B610: django_extra_used - - B611: django_rawsql_used - - B612: - logging_config_insecure_listen - - B613: trojansource - - B614: pytorch_load - - B615: - huggingface_unsafe_download - - B701: jinja2_autoescape_false - - B702: use_of_mako_templates - - B703: django_mark_safe - - B704: markupsafe_markup_xss -- Blacklist Plugins -- Report Formatters -- Continuous Integration and Deployment (CI/CD) -- Frequently - Asked Questions - -Bandit - -- -- Test Plugins -- B113: request_without_timeout -- View page source - 
------------------------------------------------------------------------- - -# B113: request_without_timeout - - -Next - ------------------------------------------------------------------------- - -© Copyright 2025, Bandit Developers. - -Built with Sphinx -using a theme provided by -Read the Docs. +## B113: Test for missing requests timeout + +This plugin test checks for requests calls without a timeout specified. + +Nearly all production code should use this parameter in nearly all requests, Failure to do so can cause your program to hang indefinitely. + +When request methods are used without the timeout parameter set, Bandit will return a MEDIUM severity error. + +Example: + + + + >> Issue: [B113:request_without_timeout] Requests call without timeout + Severity: Medium Confidence: Low + CWE: CWE-400 (https://cwe.mitre.org/data/definitions/400.html) + More Info: https://bandit.readthedocs.io/en/latest/plugins/b113_request_without_timeout.html + Location: examples/requests-missing-timeout.py:3:0 + 2 + 3 requests.get('https://gmail.com') + 4 requests.get('https://gmail.com', timeout=None) + + -------------------------------------------------- + >> Issue: [B113:request_without_timeout] Requests call with timeout set to None + Severity: Medium Confidence: Low + CWE: CWE-400 (https://cwe.mitre.org/data/definitions/400.html) + More Info: https://bandit.readthedocs.io/en/latest/plugins/b113_request_without_timeout.html + Location: examples/requests-missing-timeout.py:4:0 + 3 requests.get('https://gmail.com') + 4 requests.get('https://gmail.com', timeout=None) + 5 requests.get('https://gmail.com', timeout=5) \ No newline at end of file diff --git a/docs/description/B201.md b/docs/description/B201.md index e77613c..61d8e57 100644 --- a/docs/description/B201.md +++ b/docs/description/B201.md 
@@ -1,162 +1,27 @@ -Bandit - -- Getting - Started -- Configuration -- Integrations -- Test - Plugins - - Writing Tests - - Config Generation - - Example Test Plugin - - Plugin ID Groupings - - Complete Test Plugin Listing - - B101: assert_used - - B102: exec_used - - B103: set_bad_file_permissions - - B104: - hardcoded_bind_all_interfaces - - B105: hardcoded_password_string - - B106: - hardcoded_password_funcarg - - B107: - hardcoded_password_default - - B108: hardcoded_tmp_directory - - B109: - password_config_option_not_marked_secret - - B110: try_except_pass - - B111: - execute_with_run_as_root_equals_true - - B112: try_except_continue - - B113: request_without_timeout - - B201: - flask_debug_true - - B202: tarfile_unsafe_members - - B324: hashlib - - B501: - request_with_no_cert_validation - - B502: ssl_with_bad_version - - B503: ssl_with_bad_defaults - - B504: ssl_with_no_version - - B505: weak_cryptographic_key - - B506: yaml_load - - B507: - ssh_no_host_key_verification - - B508: snmp_insecure_version - - B509: snmp_weak_cryptography - - B601: paramiko_calls - - B602: - subprocess_popen_with_shell_equals_true - - B603: - subprocess_without_shell_equals_true - - B604: - any_other_function_with_shell_equals_true - - B605: - start_process_with_a_shell - - B606: - start_process_with_no_shell - - B607: - start_process_with_partial_path - - B608: hardcoded_sql_expressions - - B609: - linux_commands_wildcard_injection - - B610: django_extra_used - - B611: django_rawsql_used - - B612: - logging_config_insecure_listen - - B613: trojansource - - B614: pytorch_load - - B615: - huggingface_unsafe_download - - B701: jinja2_autoescape_false - - B702: use_of_mako_templates - - B703: django_mark_safe - - B704: markupsafe_markup_xss -- Blacklist Plugins -- Report Formatters -- Continuous Integration and Deployment (CI/CD) -- Frequently - Asked Questions - -Bandit - -- -- Test Plugins -- B201: flask_debug_true -- View page source - 
------------------------------------------------------------------------- - -# B201: flask_debug_true - - - - ------------------------------------------------------------------------- - -© Copyright 2025, Bandit Developers. - -Built with Sphinx -using a theme provided by -Read the Docs. +## B201: Test for use of flask app with debug set to true + +Running Flask applications in debug mode results in the Werkzeug +debugger being enabled. This includes a feature that allows arbitrary +code execution. Documentation for both Flask +1 and +Werkzeug +2 +strongly suggests that debug mode should never be enabled on production +systems. + +Operating a production server with debug mode enabled was the probable +cause of the Patreon breach in 2015 +3. + +Example: + + + + >> Issue: A Flask app appears to be run with debug=True, which exposes + the Werkzeug debugger and allows the execution of arbitrary code. + Severity: High Confidence: High + CWE: CWE-94 (https://cwe.mitre.org/data/definitions/94.html) + Location: examples/flask_debug.py:10 + 9 #bad + 10 app.run(debug=True) + 11 \ No newline at end of file diff --git a/docs/description/B202.md b/docs/description/B202.md index 2005154..28ec50f 100644 --- a/docs/description/B202.md +++ b/docs/description/B202.md 
@@ -1,161 +1,26 @@ -Bandit +## B202: Test for tarfile.extractall -- Getting - Started -- Configuration -- Integrations -- Test - Plugins - - Writing Tests - - Config Generation - - Example Test Plugin - - Plugin ID Groupings - - Complete Test Plugin Listing - - B101: assert_used - - B102: exec_used - - B103: set_bad_file_permissions - - B104: - hardcoded_bind_all_interfaces - - B105: hardcoded_password_string - - B106: - hardcoded_password_funcarg - - B107: - hardcoded_password_default - - B108: hardcoded_tmp_directory - - B109: - password_config_option_not_marked_secret - - B110: try_except_pass - - B111: - execute_with_run_as_root_equals_true - - B112: try_except_continue - - B113: request_without_timeout - - B201: flask_debug_true - - B202: - tarfile_unsafe_members - - B324: hashlib - - B501: - request_with_no_cert_validation - - B502: ssl_with_bad_version - - B503: ssl_with_bad_defaults - - B504: ssl_with_no_version - - B505: weak_cryptographic_key - - B506: yaml_load - - B507: - ssh_no_host_key_verification - - B508: snmp_insecure_version - - B509: snmp_weak_cryptography - - B601: paramiko_calls - - B602: - subprocess_popen_with_shell_equals_true - - B603: - subprocess_without_shell_equals_true - - B604: - any_other_function_with_shell_equals_true - - B605: - start_process_with_a_shell - - B606: - start_process_with_no_shell - - B607: - start_process_with_partial_path - - B608: hardcoded_sql_expressions - - B609: - linux_commands_wildcard_injection - - B610: django_extra_used - - B611: django_rawsql_used - - B612: - logging_config_insecure_listen - - B613: trojansource - - B614: pytorch_load - - B615: - huggingface_unsafe_download - - B701: jinja2_autoescape_false - - B702: use_of_mako_templates - - B703: django_mark_safe - - B704: markupsafe_markup_xss -- Blacklist Plugins -- Report Formatters -- Continuous Integration and Deployment (CI/CD) -- Frequently - Asked Questions +This plugin will look for usage of tarfile.extractall() -Bandit +Severity are set as 
follows: -- -- Test Plugins -- B202: tarfile_unsafe_members -- View page source +* tarfile.extractalll(members=function(tarfile)) - LOW +* tarfile.extractalll(members=?) - member is not a function - MEDIUM +* tarfile.extractall() - members from the archive is trusted - HIGH ------------------------------------------------------------------------- +Use tarfile.extractall(members=function_name) and define a function that will inspect each member. Discard files that contain a directory traversal sequences such as ../ or \.. along with all special filetypes unless you explicitly need them. -# B202: tarfile_unsafe_members +Example: -Previous -Next + ------------------------------------------------------------------------- - -© Copyright 2025, Bandit Developers. - -Built with Sphinx -using a theme provided by -Read the Docs. + >> Issue: [B202:tarfile_unsafe_members] tarfile.extractall used without + any validation. You should check members and discard dangerous ones + Severity: High Confidence: High + CWE: CWE-22 (https://cwe.mitre.org/data/definitions/22.html) + Location: examples/tarfile_extractall.py:8 + More Info: + https://bandit.readthedocs.io/en/latest/plugins/b202_tarfile_unsafe_members.html + 7 tar = tarfile.open(filename) + 8 tar.extractall(path=tempfile.mkdtemp()) + 9 tar.close() \ No newline at end of file diff --git a/docs/description/B324.md b/docs/description/B324.md index 9efda6a..2a498ca 100644 --- a/docs/description/B324.md +++ b/docs/description/B324.md 
@@ -1,162 +1,21 @@ -Bandit +## B324: Test use of insecure md4, md5, or sha1 hash functions in hashlib -- Getting - Started -- Configuration -- Integrations -- Test - Plugins - - Writing Tests - - Config Generation - - Example Test Plugin - - Plugin ID Groupings - - Complete Test Plugin Listing - - B101: assert_used - - B102: exec_used - - B103: set_bad_file_permissions - - B104: - hardcoded_bind_all_interfaces - - B105: hardcoded_password_string - - B106: - hardcoded_password_funcarg - - B107: - hardcoded_password_default - - B108: hardcoded_tmp_directory - - B109: - password_config_option_not_marked_secret - - B110: try_except_pass - - B111: - execute_with_run_as_root_equals_true - - B112: try_except_continue - - B113: request_without_timeout - - B201: flask_debug_true - - B202: tarfile_unsafe_members - - B324: - hashlib - - B501: - request_with_no_cert_validation - - B502: ssl_with_bad_version - - B503: ssl_with_bad_defaults - - B504: ssl_with_no_version - - B505: weak_cryptographic_key - - B506: yaml_load - - B507: - ssh_no_host_key_verification - - B508: snmp_insecure_version - - B509: snmp_weak_cryptography - - B601: paramiko_calls - - B602: - subprocess_popen_with_shell_equals_true - - B603: - subprocess_without_shell_equals_true - - B604: - any_other_function_with_shell_equals_true - - B605: - start_process_with_a_shell - - B606: - start_process_with_no_shell - - B607: - start_process_with_partial_path - - B608: hardcoded_sql_expressions - - B609: - linux_commands_wildcard_injection - - B610: django_extra_used - - B611: django_rawsql_used - - B612: - logging_config_insecure_listen - - B613: trojansource - - B614: pytorch_load - - B615: - huggingface_unsafe_download - - B701: jinja2_autoescape_false - - B702: use_of_mako_templates - - B703: django_mark_safe - - B704: markupsafe_markup_xss -- Blacklist Plugins -- Report Formatters -- Continuous Integration and Deployment (CI/CD) -- Frequently - Asked Questions +This plugin checks for the usage of the insecure 
MD4, MD5, or SHA1 hash functions in hashlib and crypt. The hashlib.new function provides the ability to construct a new hashing object using the named algorithm. This can be used to create insecure hash functions like MD4 and MD5 if they are passed as algorithm names to this function. -Bandit +For Python versions prior to 3.9, this check is similar to B303 blacklist except that this checks for insecure hash functions created using hashlib.new function. For Python version 3.9 and later, this check does additional checking for usage of keyword usedforsecurity on all function variations of hashlib. -- -- Test Plugins -- B324: hashlib -- View page source +Similar to hashlib, this plugin also checks for usage of one of the crypt module’s weak hashes. crypt also permits MD5 among other weak hash variants. ------------------------------------------------------------------------- +Example: -# B324: hashlib + - - - ------------------------------------------------------------------------- - -© Copyright 2025, Bandit Developers. - -Built with Sphinx -using a theme provided by -Read the Docs. + >> Issue: [B324:hashlib] Use of weak MD4, MD5, or SHA1 hash for + security. Consider usedforsecurity=False + Severity: High Confidence: High + CWE: CWE-327 (https://cwe.mitre.org/data/definitions/327.html) + Location: examples/hashlib_new_insecure_functions.py:3:0 + More Info: https://bandit.readthedocs.io/en/latest/plugins/b324_hashlib.html + 2 + 3 hashlib.new('md5') + 4 \ No newline at end of file diff --git a/docs/description/B501.md b/docs/description/B501.md index b86d842..b0f0c8a 100644 --- a/docs/description/B501.md +++ b/docs/description/B501.md 
@@ -1,161 +1,24 @@ -Bandit - -- Getting - Started -- Configuration -- Integrations -- Test - Plugins - - Writing Tests - - Config Generation - - Example Test Plugin - - Plugin ID Groupings - - Complete Test Plugin Listing - - B101: assert_used - - B102: exec_used - - B103: set_bad_file_permissions - - B104: - hardcoded_bind_all_interfaces - - B105: hardcoded_password_string - - B106: - hardcoded_password_funcarg - - B107: - hardcoded_password_default - - B108: hardcoded_tmp_directory - - B109: - password_config_option_not_marked_secret - - B110: try_except_pass - - B111: - execute_with_run_as_root_equals_true - - B112: try_except_continue - - B113: request_without_timeout - - B201: flask_debug_true - - B202: tarfile_unsafe_members - - B324: hashlib - - B501: - request_with_no_cert_validation - - B502: ssl_with_bad_version - - B503: ssl_with_bad_defaults - - B504: ssl_with_no_version - - B505: weak_cryptographic_key - - B506: yaml_load - - B507: - ssh_no_host_key_verification - - B508: snmp_insecure_version - - B509: snmp_weak_cryptography - - B601: paramiko_calls - - B602: - subprocess_popen_with_shell_equals_true - - B603: - subprocess_without_shell_equals_true - - B604: - any_other_function_with_shell_equals_true - - B605: - start_process_with_a_shell - - B606: - start_process_with_no_shell - - B607: - start_process_with_partial_path - - B608: hardcoded_sql_expressions - - B609: - linux_commands_wildcard_injection - - B610: django_extra_used - - B611: django_rawsql_used - - B612: - logging_config_insecure_listen - - B613: trojansource - - B614: pytorch_load - - B615: - huggingface_unsafe_download - - B701: jinja2_autoescape_false - - B702: use_of_mako_templates - - B703: django_mark_safe - - B704: markupsafe_markup_xss -- Blacklist Plugins -- Report Formatters -- Continuous Integration and Deployment (CI/CD) -- Frequently - Asked Questions - -Bandit - -- -- Test Plugins -- B501: request_with_no_cert_validation -- View page source - 
------------------------------------------------------------------------- - -# B501: request_with_no_cert_validation - -Previous - - ------------------------------------------------------------------------- - -© Copyright 2025, Bandit Developers. - -Built with Sphinx -using a theme provided by -Read the Docs. +## B501: Test for missing certificate validation + +Encryption in general is typically critical to the security of many +applications. Using TLS can greatly increase security by guaranteeing +the identity of the party you are communicating with. This is +accomplished by one or both parties presenting trusted certificates +during the connection initialization phase of TLS. + +When request methods are used certificates are validated automatically +which is the desired behavior. If certificate validation is explicitly +turned off Bandit will return a HIGH severity error. + +Example: + + + + >> Issue: [request_with_no_cert_validation] Call to requests with + verify=False disabling SSL certificate checks, security issue. + Severity: High Confidence: High + CWE: CWE-295 (https://cwe.mitre.org/data/definitions/295.html) + Location: examples/requests-ssl-verify-disabled.py:4 + 3 requests.get('https://gmail.com', verify=True) + 4 requests.get('https://gmail.com', verify=False) + 5 requests.post('https://gmail.com', verify=True) \ No newline at end of file diff --git a/docs/description/B502.md b/docs/description/B502.md index c3ba3ec..9cc4f85 100644 --- a/docs/description/B502.md +++ b/docs/description/B502.md 
@@ -1,162 +1,61 @@ -Bandit - -- Getting - Started -- Configuration -- Integrations -- Test - Plugins - - Writing Tests - - Config Generation - - Example Test Plugin - - Plugin ID Groupings - - Complete Test Plugin Listing - - B101: assert_used - - B102: exec_used - - B103: set_bad_file_permissions - - B104: - hardcoded_bind_all_interfaces - - B105: hardcoded_password_string - - B106: - hardcoded_password_funcarg - - B107: - hardcoded_password_default - - B108: hardcoded_tmp_directory - - B109: - password_config_option_not_marked_secret - - B110: try_except_pass - - B111: - execute_with_run_as_root_equals_true - - B112: try_except_continue - - B113: request_without_timeout - - B201: flask_debug_true - - B202: tarfile_unsafe_members - - B324: hashlib - - B501: - request_with_no_cert_validation - - B502: - ssl_with_bad_version - - B503: ssl_with_bad_defaults - - B504: ssl_with_no_version - - B505: weak_cryptographic_key - - B506: yaml_load - - B507: - ssh_no_host_key_verification - - B508: snmp_insecure_version - - B509: snmp_weak_cryptography - - B601: paramiko_calls - - B602: - subprocess_popen_with_shell_equals_true - - B603: - subprocess_without_shell_equals_true - - B604: - any_other_function_with_shell_equals_true - - B605: - start_process_with_a_shell - - B606: - start_process_with_no_shell - - B607: - start_process_with_partial_path - - B608: hardcoded_sql_expressions - - B609: - linux_commands_wildcard_injection - - B610: django_extra_used - - B611: django_rawsql_used - - B612: - logging_config_insecure_listen - - B613: trojansource - - B614: pytorch_load - - B615: - huggingface_unsafe_download - - B701: jinja2_autoescape_false - - B702: use_of_mako_templates - - B703: django_mark_safe - - B704: markupsafe_markup_xss -- Blacklist Plugins -- Report Formatters -- Continuous Integration and Deployment (CI/CD) -- Frequently - Asked Questions - -Bandit - -- -- Test Plugins -- B502: ssl_with_bad_version -- View page source - 
------------------------------------------------------------------------- - -# B502: ssl_with_bad_version - - - - ------------------------------------------------------------------------- - -© Copyright 2025, Bandit Developers. - -Built with Sphinx -using a theme provided by -Read the Docs. +**B502: Test for SSL use with bad version used** + +Several highly publicized exploitable flaws have been discovered in all +versions of SSL and early versions of TLS. It is strongly recommended +that use of the following known broken protocol versions be avoided: + +- SSL v2 + +- SSL v3 + +- TLS v1 + +- TLS v1.1 + +This plugin test scans for calls to Python methods with parameters that +indicate the used broken SSL/TLS protocol versions. Currently, detection +supports methods using Python’s native SSL/TLS support and the pyOpenSSL +module. A HIGH severity warning will be reported whenever known broken +protocol versions are detected. + +It is worth noting that native support for TLS 1.2 is only available in +more recent Python versions, specifically 2.7.9 and up, and 3.x + +A note on ‘SSLv23’: + +Amongst the available SSL/TLS versions provided by Python/pyOpenSSL +there exists the option to use SSLv23. This very poorly named option +actually means “use the highest version of SSL/TLS supported by both the +server and client”. This may (and should be) a version well in advance +of SSL v2 or v3. Bandit can scan for the use of SSLv23 if desired, but +its detection does not necessarily indicate a problem. + +When using SSLv23 it is important to also provide flags to explicitly +exclude bad versions of SSL/TLS from the protocol versions considered. +Both the Python native and pyOpenSSL modules provide the `OP_NO_SSLv2` +and `OP_NO_SSLv3` flags for this purpose. 
+ +**Config Options:** + + ssl_with_bad_version: + bad_protocol_versions: + - PROTOCOL_SSLv2 + - SSLv2_METHOD + - SSLv23_METHOD + - PROTOCOL_SSLv3 # strict option + - PROTOCOL_TLSv1 # strict option + - SSLv3_METHOD # strict option + - TLSv1_METHOD # strict option + +Example + + + + >> Issue: ssl.wrap_socket call with insecure SSL/TLS protocol version + identified, security issue. + Severity: High Confidence: High + Location: ./examples/ssl-insecure-version.py:13 + 12 # strict tests + 13 ssl.wrap_socket(ssl_version=ssl.PROTOCOL_SSLv3) + 14 ssl.wrap_socket(ssl_version=ssl.PROTOCOL_TLSv1) + diff --git a/docs/description/B503.md b/docs/description/B503.md index 60abbc4..a0595e5 100644 --- a/docs/description/B503.md +++ b/docs/description/B503.md 
@@ -1,162 +1,31 @@ -Bandit +**B503: Test for SSL use with bad defaults specified** -- Getting - Started -- Configuration -- Integrations -- Test - Plugins - - Writing Tests - - Config Generation - - Example Test Plugin - - Plugin ID Groupings - - Complete Test Plugin Listing - - B101: assert_used - - B102: exec_used - - B103: set_bad_file_permissions - - B104: - hardcoded_bind_all_interfaces - - B105: hardcoded_password_string - - B106: - hardcoded_password_funcarg - - B107: - hardcoded_password_default - - B108: hardcoded_tmp_directory - - B109: - password_config_option_not_marked_secret - - B110: try_except_pass - - B111: - execute_with_run_as_root_equals_true - - B112: try_except_continue - - B113: request_without_timeout - - B201: flask_debug_true - - B202: tarfile_unsafe_members - - B324: hashlib - - B501: - request_with_no_cert_validation - - B502: ssl_with_bad_version - - B503: - ssl_with_bad_defaults - - B504: ssl_with_no_version - - B505: weak_cryptographic_key - - B506: yaml_load - - B507: - ssh_no_host_key_verification - - B508: snmp_insecure_version - - B509: snmp_weak_cryptography - - B601: paramiko_calls - - B602: - subprocess_popen_with_shell_equals_true - - B603: - subprocess_without_shell_equals_true - - B604: - any_other_function_with_shell_equals_true - - B605: - start_process_with_a_shell - - B606: - start_process_with_no_shell - - B607: - start_process_with_partial_path - - B608: hardcoded_sql_expressions - - B609: - linux_commands_wildcard_injection - - B610: django_extra_used - - B611: django_rawsql_used - - B612: - logging_config_insecure_listen - - B613: trojansource - - B614: pytorch_load - - B615: - huggingface_unsafe_download - - B701: jinja2_autoescape_false - - B702: use_of_mako_templates - - B703: django_mark_safe - - B704: markupsafe_markup_xss -- Blacklist Plugins -- Report Formatters -- Continuous Integration and Deployment (CI/CD) -- Frequently - Asked Questions +This plugin is part of a family of tests that detect the use of 
known +bad versions of SSL/TLS, please see -Bandit +../plugins/ssl\_with\_bad\_version for a complete discussion. +Specifically, this plugin test scans for Python methods with default +parameter values that specify the use of broken SSL/TLS protocol +versions. Currently, detection supports methods using Python’s native +SSL/TLS support and the pyOpenSSL module. A MEDIUM severity warning will +be reported whenever known broken protocol versions are detected. -- -- Test Plugins -- B503: ssl_with_bad_defaults -- View page source +**Config Options:** ------------------------------------------------------------------------- +This test shares the configuration provided for the standard -# B503: ssl_with_bad_defaults +../plugins/ssl\_with\_bad\_version test, please refer to its +documentation. - - +Example ------------------------------------------------------------------------- + -© Copyright 2025, Bandit Developers. + >> Issue: Function definition identified with insecure SSL/TLS protocol + version by default, possible security issue. + Severity: Medium Confidence: Medium + Location: ./examples/ssl-insecure-version.py:28 + 27 + 28 def open_ssl_socket(version=SSL.SSLv2_METHOD): + 29 pass -Built with Sphinx -using a theme provided by -Read the Docs. diff --git a/docs/description/B504.md b/docs/description/B504.md index 9d262a5..d069b21 100644 --- a/docs/description/B504.md +++ b/docs/description/B504.md 
@@ -1,162 +1,32 @@ -Bandit +**B504: Test for SSL use with no version specified** -- Getting - Started -- Configuration -- Integrations -- Test - Plugins - - Writing Tests - - Config Generation - - Example Test Plugin - - Plugin ID Groupings - - Complete Test Plugin Listing - - B101: assert_used - - B102: exec_used - - B103: set_bad_file_permissions - - B104: - hardcoded_bind_all_interfaces - - B105: hardcoded_password_string - - B106: - hardcoded_password_funcarg - - B107: - hardcoded_password_default - - B108: hardcoded_tmp_directory - - B109: - password_config_option_not_marked_secret - - B110: try_except_pass - - B111: - execute_with_run_as_root_equals_true - - B112: try_except_continue - - B113: request_without_timeout - - B201: flask_debug_true - - B202: tarfile_unsafe_members - - B324: hashlib - - B501: - request_with_no_cert_validation - - B502: ssl_with_bad_version - - B503: ssl_with_bad_defaults - - B504: - ssl_with_no_version - - B505: weak_cryptographic_key - - B506: yaml_load - - B507: - ssh_no_host_key_verification - - B508: snmp_insecure_version - - B509: snmp_weak_cryptography - - B601: paramiko_calls - - B602: - subprocess_popen_with_shell_equals_true - - B603: - subprocess_without_shell_equals_true - - B604: - any_other_function_with_shell_equals_true - - B605: - start_process_with_a_shell - - B606: - start_process_with_no_shell - - B607: - start_process_with_partial_path - - B608: hardcoded_sql_expressions - - B609: - linux_commands_wildcard_injection - - B610: django_extra_used - - B611: django_rawsql_used - - B612: - logging_config_insecure_listen - - B613: trojansource - - B614: pytorch_load - - B615: - huggingface_unsafe_download - - B701: jinja2_autoescape_false - - B702: use_of_mako_templates - - B703: django_mark_safe - - B704: markupsafe_markup_xss -- Blacklist Plugins -- Report Formatters -- Continuous Integration and Deployment (CI/CD) -- Frequently - Asked Questions +This plugin is part of a family of tests that detect the use of known 
+bad versions of SSL/TLS, please see -Bandit +../plugins/ssl\_with\_bad\_version for a complete discussion. +Specifically, This plugin test scans for specific methods in Python’s +native SSL/TLS support and the pyOpenSSL module that configure the +version of SSL/TLS protocol to use. These methods are known to provide +default value that maximize compatibility, but permit use of the +aforementioned broken protocol versions. A LOW severity warning will be +reported whenever this is detected. -- -- Test Plugins -- B504: ssl_with_no_version -- View page source +**Config Options:** ------------------------------------------------------------------------- +This test shares the configuration provided for the standard -# B504: ssl_with_no_version +../plugins/ssl\_with\_bad\_version test, please refer to its +documentation. - - +Example ------------------------------------------------------------------------- + -© Copyright 2025, Bandit Developers. - -Built with Sphinx -using a theme provided by -Read the Docs. + >> Issue: ssl.wrap_socket call with no SSL/TLS protocol version + specified, the default SSLv23 could be insecure, possible security + issue. + Severity: Low Confidence: Medium + Location: ./examples/ssl-insecure-version.py:23 + 22 + 23 ssl.wrap_socket() + 24 diff --git a/docs/description/B505.md b/docs/description/B505.md index b2f5fbb..85a33f7 100644 --- a/docs/description/B505.md +++ b/docs/description/B505.md 
@@ -1,161 +1,23 @@ -Bandit - -- Getting - Started -- Configuration -- Integrations -- Test - Plugins - - Writing Tests - - Config Generation - - Example Test Plugin - - Plugin ID Groupings - - Complete Test Plugin Listing - - B101: assert_used - - B102: exec_used - - B103: set_bad_file_permissions - - B104: - hardcoded_bind_all_interfaces - - B105: hardcoded_password_string - - B106: - hardcoded_password_funcarg - - B107: - hardcoded_password_default - - B108: hardcoded_tmp_directory - - B109: - password_config_option_not_marked_secret - - B110: try_except_pass - - B111: - execute_with_run_as_root_equals_true - - B112: try_except_continue - - B113: request_without_timeout - - B201: flask_debug_true - - B202: tarfile_unsafe_members - - B324: hashlib - - B501: - request_with_no_cert_validation - - B502: ssl_with_bad_version - - B503: ssl_with_bad_defaults - - B504: ssl_with_no_version - - B505: - weak_cryptographic_key - - B506: yaml_load - - B507: - ssh_no_host_key_verification - - B508: snmp_insecure_version - - B509: snmp_weak_cryptography - - B601: paramiko_calls - - B602: - subprocess_popen_with_shell_equals_true - - B603: - subprocess_without_shell_equals_true - - B604: - any_other_function_with_shell_equals_true - - B605: - start_process_with_a_shell - - B606: - start_process_with_no_shell - - B607: - start_process_with_partial_path - - B608: hardcoded_sql_expressions - - B609: - linux_commands_wildcard_injection - - B610: django_extra_used - - B611: django_rawsql_used - - B612: - logging_config_insecure_listen - - B613: trojansource - - B614: pytorch_load - - B615: - huggingface_unsafe_download - - B701: jinja2_autoescape_false - - B702: use_of_mako_templates - - B703: django_mark_safe - - B704: markupsafe_markup_xss -- Blacklist Plugins -- Report Formatters -- Continuous Integration and Deployment (CI/CD) -- Frequently - Asked Questions - -Bandit - -- -- Test Plugins -- B505: weak_cryptographic_key -- View page source - 
------------------------------------------------------------------------- - -# B505: weak_cryptographic_key - - -Next - ------------------------------------------------------------------------- - -© Copyright 2025, Bandit Developers. - -Built with Sphinx -using a theme provided by -Read the Docs. +## B505: Test for weak cryptographic key use + +As computational power increases, so does the ability to break ciphers +with smaller key lengths. The recommended key length size for RSA and +DSA algorithms is 2048 and higher. 1024 bits and below are now +considered breakable. EC key length sizes are recommended to be 224 and +higher with 160 and below considered breakable. This plugin test checks +for use of any key less than those limits and returns a high severity +error if lower than the lower threshold and a medium severity error for +those lower than the higher threshold. + +Example: + + + + >> Issue: DSA key sizes below 1024 bits are considered breakable. + Severity: High Confidence: High + CWE: CWE-326 (https://cwe.mitre.org/data/definitions/326.html) + Location: examples/weak_cryptographic_key_sizes.py:36 + 35 # Also incorrect: without keyword args + 36 dsa.generate_private_key(512, + 37 backends.default_backend()) + 38 rsa.generate_private_key(3, \ No newline at end of file diff --git a/docs/description/B506.md b/docs/description/B506.md index 9704e5d..6e26382 100644 --- a/docs/description/B506.md +++ b/docs/description/B506.md 
@@ -1,162 +1,24 @@ -Bandit - -- Getting - Started -- Configuration -- Integrations -- Test - Plugins - - Writing Tests - - Config Generation - - Example Test Plugin - - Plugin ID Groupings - - Complete Test Plugin Listing - - B101: assert_used - - B102: exec_used - - B103: set_bad_file_permissions - - B104: - hardcoded_bind_all_interfaces - - B105: hardcoded_password_string - - B106: - hardcoded_password_funcarg - - B107: - hardcoded_password_default - - B108: hardcoded_tmp_directory - - B109: - password_config_option_not_marked_secret - - B110: try_except_pass - - B111: - execute_with_run_as_root_equals_true - - B112: try_except_continue - - B113: request_without_timeout - - B201: flask_debug_true - - B202: tarfile_unsafe_members - - B324: hashlib - - B501: - request_with_no_cert_validation - - B502: ssl_with_bad_version - - B503: ssl_with_bad_defaults - - B504: ssl_with_no_version - - B505: weak_cryptographic_key - - B506: - yaml_load - - B507: - ssh_no_host_key_verification - - B508: snmp_insecure_version - - B509: snmp_weak_cryptography - - B601: paramiko_calls - - B602: - subprocess_popen_with_shell_equals_true - - B603: - subprocess_without_shell_equals_true - - B604: - any_other_function_with_shell_equals_true - - B605: - start_process_with_a_shell - - B606: - start_process_with_no_shell - - B607: - start_process_with_partial_path - - B608: hardcoded_sql_expressions - - B609: - linux_commands_wildcard_injection - - B610: django_extra_used - - B611: django_rawsql_used - - B612: - logging_config_insecure_listen - - B613: trojansource - - B614: pytorch_load - - B615: - huggingface_unsafe_download - - B701: jinja2_autoescape_false - - B702: use_of_mako_templates - - B703: django_mark_safe - - B704: markupsafe_markup_xss -- Blacklist Plugins -- Report Formatters -- Continuous Integration and Deployment (CI/CD) -- Frequently - Asked Questions - -Bandit - -- -- Test Plugins -- B506: yaml_load -- View page source - 
------------------------------------------------------------------------- - -# B506: yaml_load - - - - ------------------------------------------------------------------------- - -© Copyright 2025, Bandit Developers. - -Built with Sphinx -using a theme provided by -Read the Docs. +## B506: Test for use of yaml load + +This plugin test checks for the unsafe usage of the `yaml.load` function +from the PyYAML package. The yaml.load function provides the ability to +construct an arbitrary Python object, which may be dangerous if you +receive a YAML document from an untrusted source. The function +yaml.safe\_load limits this ability to simple Python objects like +integers or lists. + +Please see for +more information on `yaml.load` and yaml.safe\_load + +Example: + + + + >> Issue: [yaml_load] Use of unsafe yaml load. Allows instantiation of + arbitrary objects. Consider yaml.safe_load(). + Severity: Medium Confidence: High + CWE: CWE-20 (https://cwe.mitre.org/data/definitions/20.html) + Location: examples/yaml_load.py:5 + 4 ystr = yaml.dump({'a' : 1, 'b' : 2, 'c' : 3}) + 5 y = yaml.load(ystr) + 6 yaml.dump(y) \ No newline at end of file diff --git a/docs/description/B507.md b/docs/description/B507.md index 9fb6e2b..c050369 100644 --- a/docs/description/B507.md +++ b/docs/description/B507.md 
@@ -1,161 +1,24 @@ -Bandit - -- Getting - Started -- Configuration -- Integrations -- Test - Plugins - - Writing Tests - - Config Generation - - Example Test Plugin - - Plugin ID Groupings - - Complete Test Plugin Listing - - B101: assert_used - - B102: exec_used - - B103: set_bad_file_permissions - - B104: - hardcoded_bind_all_interfaces - - B105: hardcoded_password_string - - B106: - hardcoded_password_funcarg - - B107: - hardcoded_password_default - - B108: hardcoded_tmp_directory - - B109: - password_config_option_not_marked_secret - - B110: try_except_pass - - B111: - execute_with_run_as_root_equals_true - - B112: try_except_continue - - B113: request_without_timeout - - B201: flask_debug_true - - B202: tarfile_unsafe_members - - B324: hashlib - - B501: - request_with_no_cert_validation - - B502: ssl_with_bad_version - - B503: ssl_with_bad_defaults - - B504: ssl_with_no_version - - B505: weak_cryptographic_key - - B506: yaml_load - - B507: - ssh_no_host_key_verification - - B508: snmp_insecure_version - - B509: snmp_weak_cryptography - - B601: paramiko_calls - - B602: - subprocess_popen_with_shell_equals_true - - B603: - subprocess_without_shell_equals_true - - B604: - any_other_function_with_shell_equals_true - - B605: - start_process_with_a_shell - - B606: - start_process_with_no_shell - - B607: - start_process_with_partial_path - - B608: hardcoded_sql_expressions - - B609: - linux_commands_wildcard_injection - - B610: django_extra_used - - B611: django_rawsql_used - - B612: - logging_config_insecure_listen - - B613: trojansource - - B614: pytorch_load - - B615: - huggingface_unsafe_download - - B701: jinja2_autoescape_false - - B702: use_of_mako_templates - - B703: django_mark_safe - - B704: markupsafe_markup_xss -- Blacklist Plugins -- Report Formatters -- Continuous Integration and Deployment (CI/CD) -- Frequently - Asked Questions - -Bandit - -- -- Test Plugins -- B507: ssh_no_host_key_verification -- View page source - 
------------------------------------------------------------------------- - -# B507: ssh_no_host_key_verification - -Previous - - ------------------------------------------------------------------------- - -© Copyright 2025, Bandit Developers. - -Built with Sphinx -using a theme provided by -Read the Docs. +## B507: Test for missing host key validation + +Encryption in general is typically critical to the security of many +applications. Using SSH can greatly increase security by guaranteeing +the identity of the party you are communicating with. This is +accomplished by one or both parties presenting trusted host keys during +the connection initialization phase of SSH. + +When paramiko methods are used, host keys are verified by default. If +host key verification is disabled, Bandit will return a HIGH severity +error. + +Example: + + + + >> Issue: [B507:ssh_no_host_key_verification] Paramiko call with policy set + to automatically trust the unknown host key. + Severity: High Confidence: Medium + CWE: CWE-295 (https://cwe.mitre.org/data/definitions/295.html) + Location: examples/no_host_key_verification.py:4 + 3 ssh_client = client.SSHClient() + 4 ssh_client.set_missing_host_key_policy(client.AutoAddPolicy) + 5 ssh_client.set_missing_host_key_policy(client.WarningPolicy) \ No newline at end of file diff --git a/docs/description/B508.md b/docs/description/B508.md index 25c7e0e..6304d54 100644 --- a/docs/description/B508.md +++ b/docs/description/B508.md 
@@ -1,162 +1,17 @@ -Bandit +## B508: Checking for insecure SNMP versions -- Getting - Started -- Configuration -- Integrations -- Test - Plugins - - Writing Tests - - Config Generation - - Example Test Plugin - - Plugin ID Groupings - - Complete Test Plugin Listing - - B101: assert_used - - B102: exec_used - - B103: set_bad_file_permissions - - B104: - hardcoded_bind_all_interfaces - - B105: hardcoded_password_string - - B106: - hardcoded_password_funcarg - - B107: - hardcoded_password_default - - B108: hardcoded_tmp_directory - - B109: - password_config_option_not_marked_secret - - B110: try_except_pass - - B111: - execute_with_run_as_root_equals_true - - B112: try_except_continue - - B113: request_without_timeout - - B201: flask_debug_true - - B202: tarfile_unsafe_members - - B324: hashlib - - B501: - request_with_no_cert_validation - - B502: ssl_with_bad_version - - B503: ssl_with_bad_defaults - - B504: ssl_with_no_version - - B505: weak_cryptographic_key - - B506: yaml_load - - B507: - ssh_no_host_key_verification - - B508: - snmp_insecure_version - - B509: snmp_weak_cryptography - - B601: paramiko_calls - - B602: - subprocess_popen_with_shell_equals_true - - B603: - subprocess_without_shell_equals_true - - B604: - any_other_function_with_shell_equals_true - - B605: - start_process_with_a_shell - - B606: - start_process_with_no_shell - - B607: - start_process_with_partial_path - - B608: hardcoded_sql_expressions - - B609: - linux_commands_wildcard_injection - - B610: django_extra_used - - B611: django_rawsql_used - - B612: - logging_config_insecure_listen - - B613: trojansource - - B614: pytorch_load - - B615: - huggingface_unsafe_download - - B701: jinja2_autoescape_false - - B702: use_of_mako_templates - - B703: django_mark_safe - - B704: markupsafe_markup_xss -- Blacklist Plugins -- Report Formatters -- Continuous Integration and Deployment (CI/CD) -- Frequently - Asked Questions +Please update your code to use more secure versions of SNMP. 
-Bandit +Example: -- -- Test Plugins -- B508: snmp_insecure_version -- View page source + ------------------------------------------------------------------------- - -# B508: snmp_insecure_version - - - - ------------------------------------------------------------------------- - -© Copyright 2025, Bandit Developers. - -Built with Sphinx -using a theme provided by -Read the Docs. + >> Issue: [B508:snmp_insecure_version_check] The use of SNMPv1 and + SNMPv2 is insecure. You should use SNMPv3 if able. + Severity: Medium Confidence: High + CWE: CWE-319 (https://cwe.mitre.org/data/definitions/319.html) + Location: examples/snmp.py:4:4 + More Info: https://bandit.readthedocs.io/en/latest/plugins/b508_snmp_insecure_version_check.html + 3 # SHOULD FAIL + 4 a = CommunityData('public', mpModel=0) + 5 # SHOULD FAIL \ No newline at end of file diff --git a/docs/description/B509.md b/docs/description/B509.md index 697d951..b513de4 100644 --- a/docs/description/B509.md +++ b/docs/description/B509.md 
@@ -1,162 +1,20 @@ -Bandit +## B509: Checking for weak cryptography -- Getting - Started -- Configuration -- Integrations -- Test - Plugins - - Writing Tests - - Config Generation - - Example Test Plugin - - Plugin ID Groupings - - Complete Test Plugin Listing - - B101: assert_used - - B102: exec_used - - B103: set_bad_file_permissions - - B104: - hardcoded_bind_all_interfaces - - B105: hardcoded_password_string - - B106: - hardcoded_password_funcarg - - B107: - hardcoded_password_default - - B108: hardcoded_tmp_directory - - B109: - password_config_option_not_marked_secret - - B110: try_except_pass - - B111: - execute_with_run_as_root_equals_true - - B112: try_except_continue - - B113: request_without_timeout - - B201: flask_debug_true - - B202: tarfile_unsafe_members - - B324: hashlib - - B501: - request_with_no_cert_validation - - B502: ssl_with_bad_version - - B503: ssl_with_bad_defaults - - B504: ssl_with_no_version - - B505: weak_cryptographic_key - - B506: yaml_load - - B507: - ssh_no_host_key_verification - - B508: snmp_insecure_version - - B509: - snmp_weak_cryptography - - B601: paramiko_calls - - B602: - subprocess_popen_with_shell_equals_true - - B603: - subprocess_without_shell_equals_true - - B604: - any_other_function_with_shell_equals_true - - B605: - start_process_with_a_shell - - B606: - start_process_with_no_shell - - B607: - start_process_with_partial_path - - B608: hardcoded_sql_expressions - - B609: - linux_commands_wildcard_injection - - B610: django_extra_used - - B611: django_rawsql_used - - B612: - logging_config_insecure_listen - - B613: trojansource - - B614: pytorch_load - - B615: - huggingface_unsafe_download - - B701: jinja2_autoescape_false - - B702: use_of_mako_templates - - B703: django_mark_safe - - B704: markupsafe_markup_xss -- Blacklist Plugins -- Report Formatters -- Continuous Integration and Deployment (CI/CD) -- Frequently - Asked Questions +Please update your code to use more secure versions of SNMP. 
For example: -Bandit +Instead of: +`CommunityData(‘public’, mpModel=0)` +Use (Defaults to usmHMACMD5AuthProtocol and usmDESPrivProtocol +`UsmUserData(“securityName”, “authName”, “privName”)` -- -- Test Plugins -- B509: snmp_weak_cryptography -- View page source +Example: ------------------------------------------------------------------------- + -# B509: snmp_weak_cryptography - - -Next - ------------------------------------------------------------------------- - -© Copyright 2025, Bandit Developers. - -Built with Sphinx -using a theme provided by -Read the Docs. + >> Issue: [B509:snmp_crypto_check] You should not use SNMPv3 without encryption. noAuthNoPriv & authNoPriv is insecure + Severity: Medium CWE: CWE-319 (https://cwe.mitre.org/data/definitions/319.html) Confidence: High + Location: examples/snmp.py:6:11 + More Info: https://bandit.readthedocs.io/en/latest/plugins/b509_snmp_crypto_check.html + 5 # SHOULD FAIL + 6 insecure = UsmUserData("securityName") + 7 # SHOULD FAIL \ No newline at end of file diff --git a/docs/description/B601.md b/docs/description/B601.md index 339265c..c990f7f 100644 --- a/docs/description/B601.md +++ b/docs/description/B601.md 
@@ -1,163 +1,22 @@ -Bandit - -- Getting - Started -- Configuration -- Integrations -- Test - Plugins - - Writing Tests - - Config Generation - - Example Test Plugin - - Plugin ID Groupings - - Complete Test Plugin Listing - - B101: assert_used - - B102: exec_used - - B103: set_bad_file_permissions - - B104: - hardcoded_bind_all_interfaces - - B105: hardcoded_password_string - - B106: - hardcoded_password_funcarg - - B107: - hardcoded_password_default - - B108: hardcoded_tmp_directory - - B109: - password_config_option_not_marked_secret - - B110: try_except_pass - - B111: - execute_with_run_as_root_equals_true - - B112: try_except_continue - - B113: request_without_timeout - - B201: flask_debug_true - - B202: tarfile_unsafe_members - - B324: hashlib - - B501: - request_with_no_cert_validation - - B502: ssl_with_bad_version - - B503: ssl_with_bad_defaults - - B504: ssl_with_no_version - - B505: weak_cryptographic_key - - B506: yaml_load - - B507: - ssh_no_host_key_verification - - B508: snmp_insecure_version - - B509: snmp_weak_cryptography - - B601: - paramiko_calls - - B602: - subprocess_popen_with_shell_equals_true - - B603: - subprocess_without_shell_equals_true - - B604: - any_other_function_with_shell_equals_true - - B605: - start_process_with_a_shell - - B606: - start_process_with_no_shell - - B607: - start_process_with_partial_path - - B608: hardcoded_sql_expressions - - B609: - linux_commands_wildcard_injection - - B610: django_extra_used - - B611: django_rawsql_used - - B612: - logging_config_insecure_listen - - B613: trojansource - - B614: pytorch_load - - B615: - huggingface_unsafe_download - - B701: jinja2_autoescape_false - - B702: use_of_mako_templates - - B703: django_mark_safe - - B704: markupsafe_markup_xss -- Blacklist Plugins -- Report Formatters -- Continuous Integration and Deployment (CI/CD) -- Frequently - Asked Questions - -Bandit - -- -- Test Plugins -- B601: paramiko_calls -- View page source - 
------------------------------------------------------------------------- - -# B601: paramiko_calls - - - - ------------------------------------------------------------------------- - -© Copyright 2025, Bandit Developers. - -Built with Sphinx -using a theme provided by -Read the Docs. +## B601: Test for shell injection within Paramiko + +Paramiko is a Python library designed to work with the SSH2 protocol for +secure (encrypted and authenticated) connections to remote machines. It +is intended to run commands on a remote host. These commands are run +within a shell on the target and are thus vulnerable to various shell +injection attacks. Bandit reports a MEDIUM issue when it detects the use +of Paramiko’s “exec\_command” method advising the user to check inputs +are correctly sanitized. + +Example: + + + + >> Issue: Possible shell injection via Paramiko call, check inputs are + properly sanitized. + Severity: Medium Confidence: Medium + CWE: CWE-78 (https://cwe.mitre.org/data/definitions/78.html) + Location: ./examples/paramiko_injection.py:4 + 3 # this is not safe + 4 paramiko.exec_command('something; really; unsafe') + 5 \ No newline at end of file diff --git a/docs/description/B602.md b/docs/description/B602.md index a94717f..0b30e5b 100644 --- a/docs/description/B602.md +++ b/docs/description/B602.md 
@@ -1,162 +1,79 @@ -Bandit - -- Getting - Started -- Configuration -- Integrations -- Test - Plugins - - Writing Tests - - Config Generation - - Example Test Plugin - - Plugin ID Groupings - - Complete Test Plugin Listing - - B101: assert_used - - B102: exec_used - - B103: set_bad_file_permissions - - B104: - hardcoded_bind_all_interfaces - - B105: hardcoded_password_string - - B106: - hardcoded_password_funcarg - - B107: - hardcoded_password_default - - B108: hardcoded_tmp_directory - - B109: - password_config_option_not_marked_secret - - B110: try_except_pass - - B111: - execute_with_run_as_root_equals_true - - B112: try_except_continue - - B113: request_without_timeout - - B201: flask_debug_true - - B202: tarfile_unsafe_members - - B324: hashlib - - B501: - request_with_no_cert_validation - - B502: ssl_with_bad_version - - B503: ssl_with_bad_defaults - - B504: ssl_with_no_version - - B505: weak_cryptographic_key - - B506: yaml_load - - B507: - ssh_no_host_key_verification - - B508: snmp_insecure_version - - B509: snmp_weak_cryptography - - B601: paramiko_calls - - B602: - subprocess_popen_with_shell_equals_true - - B603: - subprocess_without_shell_equals_true - - B604: - any_other_function_with_shell_equals_true - - B605: - start_process_with_a_shell - - B606: - start_process_with_no_shell - - B607: - start_process_with_partial_path - - B608: hardcoded_sql_expressions - - B609: - linux_commands_wildcard_injection - - B610: django_extra_used - - B611: django_rawsql_used - - B612: - logging_config_insecure_listen - - B613: trojansource - - B614: pytorch_load - - B615: - huggingface_unsafe_download - - B701: jinja2_autoescape_false - - B702: use_of_mako_templates - - B703: django_mark_safe - - B704: markupsafe_markup_xss -- Blacklist Plugins -- Report Formatters -- Continuous Integration and Deployment (CI/CD) -- Frequently - Asked Questions - -Bandit - -- -- Test Plugins -- B602: subprocess_popen_with_shell_equals_true -- View page source - 
------------------------------------------------------------------------- - -# B602: subprocess_popen_with_shell_equals_true - -Previous - - ------------------------------------------------------------------------- - -© Copyright 2025, Bandit Developers. - -Built with Sphinx -using a theme provided by -Read the Docs. +**B602: Test for use of popen with shell equals true** + +Python possesses many mechanisms to invoke an external executable. +However, doing so may present a security issue if appropriate care is +not taken to sanitize any user provided or variable input. + +This plugin test is part of a family of tests built to check for process +spawning and warn appropriately. Specifically, this test looks for the +spawning of a subprocess using a command shell. This type of subprocess +invocation is dangerous as it is vulnerable to various shell injection +attacks. Great care should be taken to sanitize all input in order to +mitigate this risk. Calls of this type are identified by a parameter of +‘shell=True’ being given. + +Additionally, this plugin scans the command string given and adjusts its +reported severity based on how it is presented. If the command string is +a simple static string containing no special shell characters, then the +resulting issue has low severity. If the string is static, but contains +shell formatting characters or wildcards, then the reported issue is +medium. Finally, if the string is computed using Python’s string +manipulation or formatting operations, then the reported issue has high +severity. These severity levels reflect the likelihood that the code is +vulnerable to injection. 
+ +See also: + +- ../plugins/linux\_commands\_wildcard\_injection +- ../plugins/subprocess\_without\_shell\_equals\_true +- ../plugins/start\_process\_with\_no\_shell +- ../plugins/start\_process\_with\_a\_shell +- ../plugins/start\_process\_with\_partial\_path + +**Config Options:** + +This plugin test shares a configuration with others in the same family, +namely shell\_injection. This configuration is divided up into three +sections, subprocess, shell and no\_shell. They each list Python calls +that spawn subprocesses, invoke commands within a shell, or invoke +commands without a shell (by replacing the calling process) +respectively. + +This plugin specifically scans for methods listed in subprocess section +that have shell=True specified. + + shell_injection: + + # Start a process using the subprocess module, or one of its + wrappers. + subprocess: + - subprocess.Popen + - subprocess.call + +Example + + + + >> Issue: subprocess call with shell=True seems safe, but may be + changed in the future, consider rewriting without shell + Severity: Low Confidence: High + Location: ./examples/subprocess_shell.py:21 + 20 subprocess.check_call(['/bin/ls', '-l'], shell=False) + 21 subprocess.check_call('/bin/ls -l', shell=True) + 22 + + >> Issue: call with shell=True contains special shell characters, + consider moving extra logic into Python code + Severity: Medium Confidence: High + Location: ./examples/subprocess_shell.py:26 + 25 + 26 subprocess.Popen('/bin/ls *', shell=True) + 27 subprocess.Popen('/bin/ls %s' % ('something',), shell=True) + + >> Issue: subprocess call with shell=True identified, security issue. + Severity: High Confidence: High + Location: ./examples/subprocess_shell.py:27 + 26 subprocess.Popen('/bin/ls *', shell=True) + 27 subprocess.Popen('/bin/ls %s' % ('something',), shell=True) + 28 subprocess.Popen('/bin/ls {}'.format('something'), shell=True) + diff --git a/docs/description/B603.md b/docs/description/B603.md index ce8d9c7..38096f7 100644 
--- a/docs/description/B603.md +++ b/docs/description/B603.md 
@@ -1,163 +1,54 @@ -Bandit +**B603: Test for use of subprocess without shell equals true** -- Getting - Started -- Configuration -- Integrations -- Test - Plugins - - Writing Tests - - Config Generation - - Example Test Plugin - - Plugin ID Groupings - - Complete Test Plugin Listing - - B101: assert_used - - B102: exec_used - - B103: set_bad_file_permissions - - B104: - hardcoded_bind_all_interfaces - - B105: hardcoded_password_string - - B106: - hardcoded_password_funcarg - - B107: - hardcoded_password_default - - B108: hardcoded_tmp_directory - - B109: - password_config_option_not_marked_secret - - B110: try_except_pass - - B111: - execute_with_run_as_root_equals_true - - B112: try_except_continue - - B113: request_without_timeout - - B201: flask_debug_true - - B202: tarfile_unsafe_members - - B324: hashlib - - B501: - request_with_no_cert_validation - - B502: ssl_with_bad_version - - B503: ssl_with_bad_defaults - - B504: ssl_with_no_version - - B505: weak_cryptographic_key - - B506: yaml_load - - B507: - ssh_no_host_key_verification - - B508: snmp_insecure_version - - B509: snmp_weak_cryptography - - B601: paramiko_calls - - B602: - subprocess_popen_with_shell_equals_true - - B603: - subprocess_without_shell_equals_true - - B604: - any_other_function_with_shell_equals_true - - B605: - start_process_with_a_shell - - B606: - start_process_with_no_shell - - B607: - start_process_with_partial_path - - B608: hardcoded_sql_expressions - - B609: - linux_commands_wildcard_injection - - B610: django_extra_used - - B611: django_rawsql_used - - B612: - logging_config_insecure_listen - - B613: trojansource - - B614: pytorch_load - - B615: - huggingface_unsafe_download - - B701: jinja2_autoescape_false - - B702: use_of_mako_templates - - B703: django_mark_safe - - B704: markupsafe_markup_xss -- Blacklist Plugins -- Report Formatters -- Continuous Integration and Deployment (CI/CD) -- Frequently - Asked Questions +Python possesses many mechanisms to invoke an external 
executable. +However, doing so may present a security issue if appropriate care is +not taken to sanitize any user provided or variable input. -Bandit +This plugin test is part of a family of tests built to check for process +spawning and warn appropriately. Specifically, this test looks for the +spawning of a subprocess without the use of a command shell. This type +of subprocess invocation is not vulnerable to shell injection attacks, +but care should still be taken to ensure validity of input. -- -- Test Plugins -- B603: subprocess_without_shell_equals_true -- View page source +Because this is a lesser issue than that described in +subprocess\_popen\_with\_shell\_equals\_true a LOW severity warning is +reported. ------------------------------------------------------------------------- +See also: -# B603: subprocess_without_shell_equals_true +- ../plugins/linux\_commands\_wildcard\_injection +- ../plugins/subprocess\_popen\_with\_shell\_equals\_true +- ../plugins/start\_process\_with\_no\_shell +- ../plugins/start\_process\_with\_a\_shell +- ../plugins/start\_process\_with\_partial\_path - - +**Config Options:** ------------------------------------------------------------------------- +This plugin test shares a configuration with others in the same family, +namely shell\_injection. This configuration is divided up into three +sections, subprocess, shell and no\_shell. They each list Python calls +that spawn subprocesses, invoke commands within a shell, or invoke +commands without a shell (by replacing the calling process) +respectively. -© Copyright 2025, Bandit Developers. +This plugin specifically scans for methods listed in subprocess section +that have shell=False specified. + + shell_injection: + # Start a process using the subprocess module, or one of its + wrappers. + subprocess: + - subprocess.Popen + - subprocess.call + +Example + + + + >> Issue: subprocess call - check for execution of untrusted input. 
+ Severity: Low Confidence: High + Location: ./examples/subprocess_shell.py:23 + 22 + 23 subprocess.check_output(['/bin/ls', '-l']) + 24 -Built with Sphinx -using a theme provided by -Read the Docs. diff --git a/docs/description/B604.md b/docs/description/B604.md index 0c82359..beb8f97 100644 --- a/docs/description/B604.md +++ b/docs/description/B604.md 
@@ -1,162 +1,54 @@ -Bandit +**B604: Test for any function with shell equals true** + +Python possesses many mechanisms to invoke an external executable. +However, doing so may present a security issue if appropriate care is +not taken to sanitize any user provided or variable input. + +This plugin test is part of a family of tests built to check for process +spawning and warn appropriately. Specifically, this plugin test +interrogates method calls for the presence of a keyword parameter shell +equalling true. It is related to detection of shell injection issues and +is intended to catch custom wrappers to vulnerable methods that may have +been created. + +See also: + +- ../plugins/linux\_commands\_wildcard\_injection +- ../plugins/subprocess\_popen\_with\_shell\_equals\_true +- ../plugins/subprocess\_without\_shell\_equals\_true +- ../plugins/start\_process\_with\_no\_shell +- ../plugins/start\_process\_with\_a\_shell +- ../plugins/start\_process\_with\_partial\_path + +**Config Options:** + +This plugin test shares a configuration with others in the same family, +namely shell\_injection. This configuration is divided up into three +sections, subprocess, shell and no\_shell. They each list Python calls +that spawn subprocesses, invoke commands within a shell, or invoke +commands without a shell (by replacing the calling process) +respectively. + +Specifically, this plugin excludes those functions listed under the +subprocess section, these methods are tested in a separate specific test +plugin and this exclusion prevents duplicate issue reporting. + + shell_injection: + # Start a process using the subprocess module, or one of its + wrappers. + subprocess: [subprocess.Popen, subprocess.call, + subprocess.check_call, subprocess.check_output + execute_with_timeout] + +Example + + + + >> Issue: Function call with shell=True parameter identified, possible + security issue. 
+ Severity: Medium Confidence: High + Location: ./examples/subprocess_shell.py:9 + 8 pop('/bin/gcc --version', shell=True) + 9 Popen('/bin/gcc --version', shell=True) + 10 -- Getting - Started -- Configuration -- Integrations -- Test - Plugins - - Writing Tests - - Config Generation - - Example Test Plugin - - Plugin ID Groupings - - Complete Test Plugin Listing - - B101: assert_used - - B102: exec_used - - B103: set_bad_file_permissions - - B104: - hardcoded_bind_all_interfaces - - B105: hardcoded_password_string - - B106: - hardcoded_password_funcarg - - B107: - hardcoded_password_default - - B108: hardcoded_tmp_directory - - B109: - password_config_option_not_marked_secret - - B110: try_except_pass - - B111: - execute_with_run_as_root_equals_true - - B112: try_except_continue - - B113: request_without_timeout - - B201: flask_debug_true - - B202: tarfile_unsafe_members - - B324: hashlib - - B501: - request_with_no_cert_validation - - B502: ssl_with_bad_version - - B503: ssl_with_bad_defaults - - B504: ssl_with_no_version - - B505: weak_cryptographic_key - - B506: yaml_load - - B507: - ssh_no_host_key_verification - - B508: snmp_insecure_version - - B509: snmp_weak_cryptography - - B601: paramiko_calls - - B602: - subprocess_popen_with_shell_equals_true - - B603: - subprocess_without_shell_equals_true - - B604: - any_other_function_with_shell_equals_true - - B605: - start_process_with_a_shell - - B606: - start_process_with_no_shell - - B607: - start_process_with_partial_path - - B608: hardcoded_sql_expressions - - B609: - linux_commands_wildcard_injection - - B610: django_extra_used - - B611: django_rawsql_used - - B612: - logging_config_insecure_listen - - B613: trojansource - - B614: pytorch_load - - B615: - huggingface_unsafe_download - - B701: jinja2_autoescape_false - - B702: use_of_mako_templates - - B703: django_mark_safe - - B704: markupsafe_markup_xss -- Blacklist Plugins -- Report Formatters -- Continuous Integration and Deployment (CI/CD) -- Frequently 
- Asked Questions - -Bandit - -- -- Test Plugins -- B604: any_other_function_with_shell_equals_true -- View page source - ------------------------------------------------------------------------- - -# B604: any_other_function_with_shell_equals_true - - - - ------------------------------------------------------------------------- - -© Copyright 2025, Bandit Developers. - -Built with Sphinx -using a theme provided by -Read the Docs. diff --git a/docs/description/B605.md b/docs/description/B605.md index 72ab3e9..15c7bdd 100644 --- a/docs/description/B605.md +++ b/docs/description/B605.md 
@@ -1,161 +1,58 @@ -Bandit - -- Getting - Started -- Configuration -- Integrations -- Test - Plugins - - Writing Tests - - Config Generation - - Example Test Plugin - - Plugin ID Groupings - - Complete Test Plugin Listing - - B101: assert_used - - B102: exec_used - - B103: set_bad_file_permissions - - B104: - hardcoded_bind_all_interfaces - - B105: hardcoded_password_string - - B106: - hardcoded_password_funcarg - - B107: - hardcoded_password_default - - B108: hardcoded_tmp_directory - - B109: - password_config_option_not_marked_secret - - B110: try_except_pass - - B111: - execute_with_run_as_root_equals_true - - B112: try_except_continue - - B113: request_without_timeout - - B201: flask_debug_true - - B202: tarfile_unsafe_members - - B324: hashlib - - B501: - request_with_no_cert_validation - - B502: ssl_with_bad_version - - B503: ssl_with_bad_defaults - - B504: ssl_with_no_version - - B505: weak_cryptographic_key - - B506: yaml_load - - B507: - ssh_no_host_key_verification - - B508: snmp_insecure_version - - B509: snmp_weak_cryptography - - B601: paramiko_calls - - B602: - subprocess_popen_with_shell_equals_true - - B603: - subprocess_without_shell_equals_true - - B604: - any_other_function_with_shell_equals_true - - B605: - start_process_with_a_shell - - B606: - start_process_with_no_shell - - B607: - start_process_with_partial_path - - B608: hardcoded_sql_expressions - - B609: - linux_commands_wildcard_injection - - B610: django_extra_used - - B611: django_rawsql_used - - B612: - logging_config_insecure_listen - - B613: trojansource - - B614: pytorch_load - - B615: - huggingface_unsafe_download - - B701: jinja2_autoescape_false - - B702: use_of_mako_templates - - B703: django_mark_safe - - B704: markupsafe_markup_xss -- Blacklist Plugins -- Report Formatters -- Continuous Integration and Deployment (CI/CD) -- Frequently - Asked Questions - -Bandit - -- -- Test Plugins -- B605: start_process_with_a_shell -- View page source - 
------------------------------------------------------------------------- - -# B605: start_process_with_a_shell - - - - ------------------------------------------------------------------------- - -© Copyright 2025, Bandit Developers. - -Built with Sphinx -using a theme provided by -Read the Docs. +**B605: Test for starting a process with a shell** + +Python possesses many mechanisms to invoke an external executable. +However, doing so may present a security issue if appropriate care is +not taken to sanitize any user provided or variable input. + +This plugin test is part of a family of tests built to check for process +spawning and warn appropriately. Specifically, this test looks for the +spawning of a subprocess using a command shell. This type of subprocess +invocation is dangerous as it is vulnerable to various shell injection +attacks. Great care should be taken to sanitize all input in order to +mitigate this risk. Calls of this type are identified by the use of +certain commands which are known to use shells. Bandit will report a LOW +severity warning. + +See also: + +- ../plugins/linux\_commands\_wildcard\_injection +- ../plugins/subprocess\_without\_shell\_equals\_true +- ../plugins/start\_process\_with\_no\_shell +- ../plugins/start\_process\_with\_partial\_path +- ../plugins/subprocess\_popen\_with\_shell\_equals\_true + +**Config Options:** + +This plugin test shares a configuration with others in the same family, +namely shell\_injection. This configuration is divided up into three +sections, subprocess, shell and no\_shell. They each list Python calls +that spawn subprocesses, invoke commands within a shell, or invoke +commands without a shell (by replacing the calling process) +respectively. + +This plugin specifically scans for methods listed in shell section. 
+ + shell_injection: + shell: + - os.system + - os.popen + - os.popen2 + - os.popen3 + - os.popen4 + - popen2.popen2 + - popen2.popen3 + - popen2.popen4 + - popen2.Popen3 + - popen2.Popen4 + - commands.getoutput + - commands.getstatusoutput + +Example + + + + >> Issue: Starting a process with a shell: check for injection. + Severity: Low Confidence: Medium + Location: examples/os_system.py:3 + 2 + 3 os.system('/bin/echo hi') diff --git a/docs/description/B606.md b/docs/description/B606.md index 8cea033..c885766 100644 --- a/docs/description/B606.md +++ b/docs/description/B606.md 
@@ -1,161 +1,64 @@ -Bandit +**B606: Test for starting a process with no shell** -- Getting - Started -- Configuration -- Integrations -- Test - Plugins - - Writing Tests - - Config Generation - - Example Test Plugin - - Plugin ID Groupings - - Complete Test Plugin Listing - - B101: assert_used - - B102: exec_used - - B103: set_bad_file_permissions - - B104: - hardcoded_bind_all_interfaces - - B105: hardcoded_password_string - - B106: - hardcoded_password_funcarg - - B107: - hardcoded_password_default - - B108: hardcoded_tmp_directory - - B109: - password_config_option_not_marked_secret - - B110: try_except_pass - - B111: - execute_with_run_as_root_equals_true - - B112: try_except_continue - - B113: request_without_timeout - - B201: flask_debug_true - - B202: tarfile_unsafe_members - - B324: hashlib - - B501: - request_with_no_cert_validation - - B502: ssl_with_bad_version - - B503: ssl_with_bad_defaults - - B504: ssl_with_no_version - - B505: weak_cryptographic_key - - B506: yaml_load - - B507: - ssh_no_host_key_verification - - B508: snmp_insecure_version - - B509: snmp_weak_cryptography - - B601: paramiko_calls - - B602: - subprocess_popen_with_shell_equals_true - - B603: - subprocess_without_shell_equals_true - - B604: - any_other_function_with_shell_equals_true - - B605: - start_process_with_a_shell - - B606: - start_process_with_no_shell - - B607: - start_process_with_partial_path - - B608: hardcoded_sql_expressions - - B609: - linux_commands_wildcard_injection - - B610: django_extra_used - - B611: django_rawsql_used - - B612: - logging_config_insecure_listen - - B613: trojansource - - B614: pytorch_load - - B615: - huggingface_unsafe_download - - B701: jinja2_autoescape_false - - B702: use_of_mako_templates - - B703: django_mark_safe - - B704: markupsafe_markup_xss -- Blacklist Plugins -- Report Formatters -- Continuous Integration and Deployment (CI/CD) -- Frequently - Asked Questions +Python possesses many mechanisms to invoke an external executable. 
+However, doing so may present a security issue if appropriate care is +not taken to sanitize any user provided or variable input. -Bandit +This plugin test is part of a family of tests built to check for process +spawning and warn appropriately. Specifically, this test looks for the +spawning of a subprocess in a way that doesn’t use a shell. Although +this is generally safe, it maybe useful for penetration testing +workflows to track where external system calls are used. As such a LOW +severity message is generated. -- -- Test Plugins -- B606: start_process_with_no_shell -- View page source +See also: ------------------------------------------------------------------------- +- ../plugins/linux\_commands\_wildcard\_injection +- ../plugins/subprocess\_without\_shell\_equals\_true +- ../plugins/start\_process\_with\_a\_shell +- ../plugins/start\_process\_with\_partial\_path +- ../plugins/subprocess\_popen\_with\_shell\_equals\_true -# B606: start_process_with_no_shell +**Config Options:** - - +This plugin test shares a configuration with others in the same family, +namely shell\_injection. This configuration is divided up into three +sections, subprocess, shell and no\_shell. They each list Python calls +that spawn subprocesses, invoke commands within a shell, or invoke +commands without a shell (by replacing the calling process) +respectively. ------------------------------------------------------------------------- +This plugin specifically scans for methods listed in no\_shell section. -© Copyright 2025, Bandit Developers. + shell_injection: + no_shell: + - os.execl + - os.execle + - os.execlp + - os.execlpe + - os.execv + - os.execve + - os.execvp + - os.execvpe + - os.spawnl + - os.spawnle + - os.spawnlp + - os.spawnlpe + - os.spawnv + - os.spawnve + - os.spawnvp + - os.spawnvpe + - os.startfile + +Example + + + + >> Issue: [start_process_with_no_shell] Starting a process without a + shell. 
+ Severity: Low Confidence: Medium + Location: examples/os-spawn.py:8 + 7 os.spawnv(mode, path, args) + 8 os.spawnve(mode, path, args, env) + 9 os.spawnvp(mode, file, args) -Built with Sphinx -using a theme provided by -Read the Docs. diff --git a/docs/description/B607.md b/docs/description/B607.md index 80047f2..d161c2a 100644 --- a/docs/description/B607.md +++ b/docs/description/B607.md 
@@ -1,162 +1,62 @@ -Bandit +**B607: Test for starting a process with a partial path** + +Python possesses many mechanisms to invoke an external executable. If +the desired executable path is not fully qualified relative to the +filesystem root then this may present a potential security risk. + +In POSIX environments, the PATH environment variable is used to specify +a set of standard locations that will be searched for the first matching +named executable. While convenient, this behavior may allow a malicious +actor to exert control over a system. If they are able to adjust the +contents of the PATH variable, or manipulate the file system, then a +bogus executable may be discovered in place of the desired one. This +executable will be invoked with the user privileges of the Python +process that spawned it, potentially a highly privileged user. + +This test will scan the parameters of all configured Python methods, +looking for paths that do not start at the filesystem root, that is, do +not have a leading ‘/’ character. + +**Config Options:** + +This plugin test shares a configuration with others in the same family, +namely shell\_injection. This configuration is divided up into three +sections, subprocess, shell and no\_shell. They each list Python calls +that spawn subprocesses, invoke commands within a shell, or invoke +commands without a shell (by replacing the calling process) +respectively. + +This test will scan parameters of all methods in all sections. Note that +methods are fully qualified and de-aliased prior to checking. + + shell_injection: + # Start a process using the subprocess module, or one of its + wrappers. + subprocess: + - subprocess.Popen + - subprocess.call + + # Start a process with a function vulnerable to shell injection. + shell: + - os.system + - os.popen + - popen2.Popen3 + - popen2.Popen4 + - commands.getoutput + - commands.getstatusoutput + # Start a process with a function that is not vulnerable to shell + injection. 
+ no_shell: + - os.execl + - os.execle + +Example + + + + >> Issue: Starting a process with a partial executable path + Severity: Low Confidence: High + Location: ./examples/partial_path_process.py:3 + 2 from subprocess import Popen as pop + 3 pop('gcc --version', shell=False) -- Getting - Started -- Configuration -- Integrations -- Test - Plugins - - Writing Tests - - Config Generation - - Example Test Plugin - - Plugin ID Groupings - - Complete Test Plugin Listing - - B101: assert_used - - B102: exec_used - - B103: set_bad_file_permissions - - B104: - hardcoded_bind_all_interfaces - - B105: hardcoded_password_string - - B106: - hardcoded_password_funcarg - - B107: - hardcoded_password_default - - B108: hardcoded_tmp_directory - - B109: - password_config_option_not_marked_secret - - B110: try_except_pass - - B111: - execute_with_run_as_root_equals_true - - B112: try_except_continue - - B113: request_without_timeout - - B201: flask_debug_true - - B202: tarfile_unsafe_members - - B324: hashlib - - B501: - request_with_no_cert_validation - - B502: ssl_with_bad_version - - B503: ssl_with_bad_defaults - - B504: ssl_with_no_version - - B505: weak_cryptographic_key - - B506: yaml_load - - B507: - ssh_no_host_key_verification - - B508: snmp_insecure_version - - B509: snmp_weak_cryptography - - B601: paramiko_calls - - B602: - subprocess_popen_with_shell_equals_true - - B603: - subprocess_without_shell_equals_true - - B604: - any_other_function_with_shell_equals_true - - B605: - start_process_with_a_shell - - B606: - start_process_with_no_shell - - B607: - start_process_with_partial_path - - B608: hardcoded_sql_expressions - - B609: - linux_commands_wildcard_injection - - B610: django_extra_used - - B611: django_rawsql_used - - B612: - logging_config_insecure_listen - - B613: trojansource - - B614: pytorch_load - - B615: - huggingface_unsafe_download - - B701: jinja2_autoescape_false - - B702: use_of_mako_templates - - B703: django_mark_safe - - B704: markupsafe_markup_xss 
-- Blacklist Plugins -- Report Formatters -- Continuous Integration and Deployment (CI/CD) -- Frequently - Asked Questions - -Bandit - -- -- Test Plugins -- B607: start_process_with_partial_path -- View page source - ------------------------------------------------------------------------- - -# B607: start_process_with_partial_path - - - - ------------------------------------------------------------------------- - -© Copyright 2025, Bandit Developers. - -Built with Sphinx -using a theme provided by -Read the Docs. diff --git a/docs/description/B608.md b/docs/description/B608.md index ea59ed4..7e8b795 100644 --- a/docs/description/B608.md +++ b/docs/description/B608.md 
@@ -1,162 +1,26 @@ -Bandit +## B608: Test for SQL injection -- Getting - Started -- Configuration -- Integrations -- Test - Plugins - - Writing Tests - - Config Generation - - Example Test Plugin - - Plugin ID Groupings - - Complete Test Plugin Listing - - B101: assert_used - - B102: exec_used - - B103: set_bad_file_permissions - - B104: - hardcoded_bind_all_interfaces - - B105: hardcoded_password_string - - B106: - hardcoded_password_funcarg - - B107: - hardcoded_password_default - - B108: hardcoded_tmp_directory - - B109: - password_config_option_not_marked_secret - - B110: try_except_pass - - B111: - execute_with_run_as_root_equals_true - - B112: try_except_continue - - B113: request_without_timeout - - B201: flask_debug_true - - B202: tarfile_unsafe_members - - B324: hashlib - - B501: - request_with_no_cert_validation - - B502: ssl_with_bad_version - - B503: ssl_with_bad_defaults - - B504: ssl_with_no_version - - B505: weak_cryptographic_key - - B506: yaml_load - - B507: - ssh_no_host_key_verification - - B508: snmp_insecure_version - - B509: snmp_weak_cryptography - - B601: paramiko_calls - - B602: - subprocess_popen_with_shell_equals_true - - B603: - subprocess_without_shell_equals_true - - B604: - any_other_function_with_shell_equals_true - - B605: - start_process_with_a_shell - - B606: - start_process_with_no_shell - - B607: - start_process_with_partial_path - - B608: - hardcoded_sql_expressions - - B609: - linux_commands_wildcard_injection - - B610: django_extra_used - - B611: django_rawsql_used - - B612: - logging_config_insecure_listen - - B613: trojansource - - B614: pytorch_load - - B615: - huggingface_unsafe_download - - B701: jinja2_autoescape_false - - B702: use_of_mako_templates - - B703: django_mark_safe - - B704: markupsafe_markup_xss -- Blacklist Plugins -- Report Formatters -- Continuous Integration and Deployment (CI/CD) -- Frequently - Asked Questions +An SQL injection attack consists of insertion or “injection” of a SQL query via the input 
data given to an application. It is a very common attack vector. This plugin test looks for strings that resemble SQL statements that are involved in some form of string building operation. For example: -Bandit +* “SELECT %s FROM derp;” % var +* “SELECT thing FROM ” + tab +* “SELECT ” + val + ” FROM ” + tab + … +* “SELECT {} FROM derp;”.format(var) +* f”SELECT foo FROM bar WHERE id = {product}” +* +Unless care is taken to sanitize and control the input data when building such SQL statement strings, an injection attack becomes possible. If strings of this nature are discovered, a LOW confidence issue is reported. In order to boost result confidence, this plugin test will also check to see if the discovered string is in use with standard Python DBAPI calls execute or executemany. If so, a MEDIUM issue is reported. For example: -- -- Test Plugins -- B608: hardcoded_sql_expressions -- View page source +* cursor.execute(“SELECT %s FROM derp;” % var) ------------------------------------------------------------------------- +Example: -# B608: hardcoded_sql_expressions + - - - ------------------------------------------------------------------------- - -© Copyright 2025, Bandit Developers. - -Built with Sphinx -using a theme provided by -Read the Docs. + >> Issue: Possible SQL injection vector through string-based query + construction. + Severity: Medium Confidence: Low + CWE: CWE-89 (https://cwe.mitre.org/data/definitions/89.html) + Location: ./examples/sql_statements.py:4 + 3 query = "DELETE FROM foo WHERE id = '%s'" % identifier + 4 query = "UPDATE foo SET value = 'b' WHERE id = '%s'" % identifier + 5 diff --git a/docs/description/B609.md b/docs/description/B609.md index a8f5cc0..be3ac6d 100644 --- a/docs/description/B609.md +++ b/docs/description/B609.md 
@@ -1,162 +1,72 @@ -Bandit +## B609: Test for use of wildcard injection -- Getting - Started -- Configuration -- Integrations -- Test - Plugins - - Writing Tests - - Config Generation - - Example Test Plugin - - Plugin ID Groupings - - Complete Test Plugin Listing - - B101: assert_used - - B102: exec_used - - B103: set_bad_file_permissions - - B104: - hardcoded_bind_all_interfaces - - B105: hardcoded_password_string - - B106: - hardcoded_password_funcarg - - B107: - hardcoded_password_default - - B108: hardcoded_tmp_directory - - B109: - password_config_option_not_marked_secret - - B110: try_except_pass - - B111: - execute_with_run_as_root_equals_true - - B112: try_except_continue - - B113: request_without_timeout - - B201: flask_debug_true - - B202: tarfile_unsafe_members - - B324: hashlib - - B501: - request_with_no_cert_validation - - B502: ssl_with_bad_version - - B503: ssl_with_bad_defaults - - B504: ssl_with_no_version - - B505: weak_cryptographic_key - - B506: yaml_load - - B507: - ssh_no_host_key_verification - - B508: snmp_insecure_version - - B509: snmp_weak_cryptography - - B601: paramiko_calls - - B602: - subprocess_popen_with_shell_equals_true - - B603: - subprocess_without_shell_equals_true - - B604: - any_other_function_with_shell_equals_true - - B605: - start_process_with_a_shell - - B606: - start_process_with_no_shell - - B607: - start_process_with_partial_path - - B608: hardcoded_sql_expressions - - B609: - linux_commands_wildcard_injection - - B610: django_extra_used - - B611: django_rawsql_used - - B612: - logging_config_insecure_listen - - B613: trojansource - - B614: pytorch_load - - B615: - huggingface_unsafe_download - - B701: jinja2_autoescape_false - - B702: use_of_mako_templates - - B703: django_mark_safe - - B704: markupsafe_markup_xss -- Blacklist Plugins -- Report Formatters -- Continuous Integration and Deployment (CI/CD) -- Frequently - Asked Questions +Python provides a number of methods that emulate the behavior of +standard Linux 
command line utilities. Like their Linux counterparts, +these commands may take a wildcard “\*” character in place of a file +system path. This is interpreted to mean “any and all files or folders” +and can be used to build partially qualified paths, such as +“/home/user/\*”. -Bandit +The use of partially qualified paths may result in unintended +consequences if an unexpected file or symlink is placed into the path +location given. This becomes particularly dangerous when combined with +commands used to manipulate file permissions or copy data off of a +system. -- -- Test Plugins -- B609: linux_commands_wildcard_injection -- View page source +This test plugin looks for usage of the following commands in +conjunction with wild card parameters: ------------------------------------------------------------------------- +As well as any method configured in the shell or subprocess injection +test configurations. -# B609: linux_commands_wildcard_injection +**Config Options:** - - +This plugin test shares a configuration with others in the same family, +namely shell\_injection. This configuration is divided up into three +sections, subprocess, shell and no\_shell. They each list Python calls +that spawn subprocesses, invoke commands within a shell, or invoke +commands without a shell (by replacing the calling process) +respectively. ------------------------------------------------------------------------- +This test will scan parameters of all methods in all sections. Note that +methods are fully qualified and de-aliased prior to checking. -© Copyright 2025, Bandit Developers. + # shell_injection: + # Start a process using the subprocess module, or one of its wrappers. + subprocess: + subprocess.Popen + subprocess.call -Built with Sphinx -using a theme provided by -Read the Docs. + # Start a process with a function vulnerable to shell injection. 
+ shell: + - os.system + - os.popen + - popen2.Popen3 + - popen2.Popen4 + - commands.getoutput + - commands.getstatusoutput + # Start a process with a function that is not vulnerable to shell + injection. + no_shell: + - os.execl + - os.execle + +Example: + + + + >> Issue: Possible wildcard injection in call: subprocess.Popen + Severity: High Confidence: Medium + CWE-78 (https://cwe.mitre.org/data/definitions/78.html) + Location: ./examples/wildcard-injection.py:8 + 7 o.popen2('/bin/chmod *') + 8 subp.Popen('/bin/chown *', shell=True) + 9 + + >> Issue: subprocess call - check for execution of untrusted input. + Severity: Low Confidence: High + CWE-78 (https://cwe.mitre.org/data/definitions/78.html) + Location: ./examples/wildcard-injection.py:11 + 10 # Not vulnerable to wildcard injection + 11 subp.Popen('/bin/rsync *') + 12 subp.Popen("/bin/chmod *") \ No newline at end of file diff --git a/docs/description/B610.md b/docs/description/B610.md index e175e13..e73da1b 100644 --- a/docs/description/B610.md +++ b/docs/description/B610.md 
@@ -1,162 +1,13 @@ -Bandit +**B610: Potential SQL injection on extra function** -- Getting - Started -- Configuration -- Integrations -- Test - Plugins - - Writing Tests - - Config Generation - - Example Test Plugin - - Plugin ID Groupings - - Complete Test Plugin Listing - - B101: assert_used - - B102: exec_used - - B103: set_bad_file_permissions - - B104: - hardcoded_bind_all_interfaces - - B105: hardcoded_password_string - - B106: - hardcoded_password_funcarg - - B107: - hardcoded_password_default - - B108: hardcoded_tmp_directory - - B109: - password_config_option_not_marked_secret - - B110: try_except_pass - - B111: - execute_with_run_as_root_equals_true - - B112: try_except_continue - - B113: request_without_timeout - - B201: flask_debug_true - - B202: tarfile_unsafe_members - - B324: hashlib - - B501: - request_with_no_cert_validation - - B502: ssl_with_bad_version - - B503: ssl_with_bad_defaults - - B504: ssl_with_no_version - - B505: weak_cryptographic_key - - B506: yaml_load - - B507: - ssh_no_host_key_verification - - B508: snmp_insecure_version - - B509: snmp_weak_cryptography - - B601: paramiko_calls - - B602: - subprocess_popen_with_shell_equals_true - - B603: - subprocess_without_shell_equals_true - - B604: - any_other_function_with_shell_equals_true - - B605: - start_process_with_a_shell - - B606: - start_process_with_no_shell - - B607: - start_process_with_partial_path - - B608: hardcoded_sql_expressions - - B609: - linux_commands_wildcard_injection - - B610: - django_extra_used - - B611: django_rawsql_used - - B612: - logging_config_insecure_listen - - B613: trojansource - - B614: pytorch_load - - B615: - huggingface_unsafe_download - - B701: jinja2_autoescape_false - - B702: use_of_mako_templates - - B703: django_mark_safe - - B704: markupsafe_markup_xss -- Blacklist Plugins -- Report Formatters -- Continuous Integration and Deployment (CI/CD) -- Frequently - Asked Questions +Example: -Bandit + -- -- Test Plugins -- B610: django_extra_used -- 
View page source - ------------------------------------------------------------------------- - -# B610: django_extra_used - - - - ------------------------------------------------------------------------- - -© Copyright 2025, Bandit Developers. - -Built with Sphinx -using a theme provided by -Read the Docs. + >> Issue: [B610:django_extra_used] Use of extra potential SQL attack vector. + Severity: Medium Confidence: Medium + CWE: CWE-89 (https://cwe.mitre.org/data/definitions/89.html) + Location: examples/django_sql_injection_extra.py:29:0 + More Info: https://bandit.readthedocs.io/en/latest/plugins/b610_django_extra_used.html + 28 tables_str = 'django_content_type" WHERE "auth_user"."username"="admin' + 29 User.objects.all().extra(tables=[tables_str]).distinct() diff --git a/docs/description/B611.md b/docs/description/B611.md index f96cf55..4a2abf2 100644 --- a/docs/description/B611.md +++ b/docs/description/B611.md 
@@ -1,162 +1,13 @@ -Bandit +**B611: Potential SQL injection on RawSQL function** -- Getting - Started -- Configuration -- Integrations -- Test - Plugins - - Writing Tests - - Config Generation - - Example Test Plugin - - Plugin ID Groupings - - Complete Test Plugin Listing - - B101: assert_used - - B102: exec_used - - B103: set_bad_file_permissions - - B104: - hardcoded_bind_all_interfaces - - B105: hardcoded_password_string - - B106: - hardcoded_password_funcarg - - B107: - hardcoded_password_default - - B108: hardcoded_tmp_directory - - B109: - password_config_option_not_marked_secret - - B110: try_except_pass - - B111: - execute_with_run_as_root_equals_true - - B112: try_except_continue - - B113: request_without_timeout - - B201: flask_debug_true - - B202: tarfile_unsafe_members - - B324: hashlib - - B501: - request_with_no_cert_validation - - B502: ssl_with_bad_version - - B503: ssl_with_bad_defaults - - B504: ssl_with_no_version - - B505: weak_cryptographic_key - - B506: yaml_load - - B507: - ssh_no_host_key_verification - - B508: snmp_insecure_version - - B509: snmp_weak_cryptography - - B601: paramiko_calls - - B602: - subprocess_popen_with_shell_equals_true - - B603: - subprocess_without_shell_equals_true - - B604: - any_other_function_with_shell_equals_true - - B605: - start_process_with_a_shell - - B606: - start_process_with_no_shell - - B607: - start_process_with_partial_path - - B608: hardcoded_sql_expressions - - B609: - linux_commands_wildcard_injection - - B610: django_extra_used - - B611: - django_rawsql_used - - B612: - logging_config_insecure_listen - - B613: trojansource - - B614: pytorch_load - - B615: - huggingface_unsafe_download - - B701: jinja2_autoescape_false - - B702: use_of_mako_templates - - B703: django_mark_safe - - B704: markupsafe_markup_xss -- Blacklist Plugins -- Report Formatters -- Continuous Integration and Deployment (CI/CD) -- Frequently - Asked Questions +Example: -Bandit + -- -- Test Plugins -- B611: django_rawsql_used -- 
View page source - ------------------------------------------------------------------------- - -# B611: django_rawsql_used - -Previous - - ------------------------------------------------------------------------- - -© Copyright 2025, Bandit Developers. - -Built with Sphinx -using a theme provided by -Read the Docs. + >> Issue: [B611:django_rawsql_used] Use of RawSQL potential SQL attack vector. + Severity: Medium Confidence: Medium + CWE: CWE-89 (https://cwe.mitre.org/data/definitions/89.html) + Location: examples/django_sql_injection_raw.py:11:26 + More Info: https://bandit.readthedocs.io/en/latest/plugins/b611_django_rawsql_used.html + 10 ' WHERE "username"="admin" OR 1=%s --' + 11 User.objects.annotate(val=RawSQL(raw, [0])) diff --git a/docs/description/B612.md b/docs/description/B612.md index e7167b6..57ae200 100644 --- a/docs/description/B612.md +++ b/docs/description/B612.md 
@@ -1,162 +1,24 @@ -Bandit - -- Getting - Started -- Configuration -- Integrations -- Test - Plugins - - Writing Tests - - Config Generation - - Example Test Plugin - - Plugin ID Groupings - - Complete Test Plugin Listing - - B101: assert_used - - B102: exec_used - - B103: set_bad_file_permissions - - B104: - hardcoded_bind_all_interfaces - - B105: hardcoded_password_string - - B106: - hardcoded_password_funcarg - - B107: - hardcoded_password_default - - B108: hardcoded_tmp_directory - - B109: - password_config_option_not_marked_secret - - B110: try_except_pass - - B111: - execute_with_run_as_root_equals_true - - B112: try_except_continue - - B113: request_without_timeout - - B201: flask_debug_true - - B202: tarfile_unsafe_members - - B324: hashlib - - B501: - request_with_no_cert_validation - - B502: ssl_with_bad_version - - B503: ssl_with_bad_defaults - - B504: ssl_with_no_version - - B505: weak_cryptographic_key - - B506: yaml_load - - B507: - ssh_no_host_key_verification - - B508: snmp_insecure_version - - B509: snmp_weak_cryptography - - B601: paramiko_calls - - B602: - subprocess_popen_with_shell_equals_true - - B603: - subprocess_without_shell_equals_true - - B604: - any_other_function_with_shell_equals_true - - B605: - start_process_with_a_shell - - B606: - start_process_with_no_shell - - B607: - start_process_with_partial_path - - B608: hardcoded_sql_expressions - - B609: - linux_commands_wildcard_injection - - B610: django_extra_used - - B611: django_rawsql_used - - B612: - logging_config_insecure_listen - - B613: trojansource - - B614: pytorch_load - - B615: - huggingface_unsafe_download - - B701: jinja2_autoescape_false - - B702: use_of_mako_templates - - B703: django_mark_safe - - B704: markupsafe_markup_xss -- Blacklist Plugins -- Report Formatters -- Continuous Integration and Deployment (CI/CD) -- Frequently - Asked Questions - -Bandit - -- -- Test Plugins -- B612: logging_config_insecure_listen -- View page source - 
------------------------------------------------------------------------- - -# B612: logging_config_insecure_listen - - -Next - ------------------------------------------------------------------------- - -© Copyright 2025, Bandit Developers. - -Built with Sphinx -using a theme provided by -Read the Docs. +## B612: Test for insecure use of logging.config.listen + +This plugin test checks for the unsafe usage of the logging.config.listen function. +The logging.config.listen function provides the ability to listen for external +configuration files on a socket server. Because portions of the configuration +are passed through eval(), use of this function may open its users to a security risk. +While the function only binds to a socket on localhost, and so does not accept connections +from remote machines, there are scenarios where untrusted code could be run under the account +of the process which calls listen(). + +logging.config.listen provides the ability to verify bytes received across the socket +with signature verification or encryption/decryption. + +Example: + + + + >> Issue: [B612:logging_config_listen] Use of insecure + logging.config.listen detected. + Severity: Medium Confidence: High + CWE: CWE-94 (https://cwe.mitre.org/data/definitions/94.html) + Location: examples/logging_config_insecure_listen.py:3:4 + 2 + 3 t = logging.config.listen(9999) \ No newline at end of file diff --git a/docs/description/B701.md b/docs/description/B701.md index 82df86b..ee878d0 100644 --- a/docs/description/B701.md +++ b/docs/description/B701.md 
@@ -1,162 +1,43 @@ -Bandit - -- Getting - Started -- Configuration -- Integrations -- Test - Plugins - - Writing Tests - - Config Generation - - Example Test Plugin - - Plugin ID Groupings - - Complete Test Plugin Listing - - B101: assert_used - - B102: exec_used - - B103: set_bad_file_permissions - - B104: - hardcoded_bind_all_interfaces - - B105: hardcoded_password_string - - B106: - hardcoded_password_funcarg - - B107: - hardcoded_password_default - - B108: hardcoded_tmp_directory - - B109: - password_config_option_not_marked_secret - - B110: try_except_pass - - B111: - execute_with_run_as_root_equals_true - - B112: try_except_continue - - B113: request_without_timeout - - B201: flask_debug_true - - B202: tarfile_unsafe_members - - B324: hashlib - - B501: - request_with_no_cert_validation - - B502: ssl_with_bad_version - - B503: ssl_with_bad_defaults - - B504: ssl_with_no_version - - B505: weak_cryptographic_key - - B506: yaml_load - - B507: - ssh_no_host_key_verification - - B508: snmp_insecure_version - - B509: snmp_weak_cryptography - - B601: paramiko_calls - - B602: - subprocess_popen_with_shell_equals_true - - B603: - subprocess_without_shell_equals_true - - B604: - any_other_function_with_shell_equals_true - - B605: - start_process_with_a_shell - - B606: - start_process_with_no_shell - - B607: - start_process_with_partial_path - - B608: hardcoded_sql_expressions - - B609: - linux_commands_wildcard_injection - - B610: django_extra_used - - B611: django_rawsql_used - - B612: - logging_config_insecure_listen - - B613: trojansource - - B614: pytorch_load - - B615: - huggingface_unsafe_download - - B701: - jinja2_autoescape_false - - B702: use_of_mako_templates - - B703: django_mark_safe - - B704: markupsafe_markup_xss -- Blacklist Plugins -- Report Formatters -- Continuous Integration and Deployment (CI/CD) -- Frequently - Asked Questions - -Bandit - -- -- Test Plugins -- B701: jinja2_autoescape_false -- View page source - 
------------------------------------------------------------------------- - -# B701: jinja2_autoescape_false - - - - ------------------------------------------------------------------------- - -© Copyright 2025, Bandit Developers. - -Built with Sphinx -using a theme provided by -Read the Docs. +## B701: Test for not auto escaping in jinja2 + +Jinja2 is a Python HTML templating system. It is typically used to build +web applications, though appears in other places well, notably the +Ansible automation system. When configuring the Jinja2 environment, the +option to use autoescaping on input can be specified. When autoescaping +is enabled, Jinja2 will filter input strings to escape any HTML content +submitted via template variables. Without escaping HTML input the +application becomes vulnerable to Cross Site Scripting (XSS) attacks. + +Unfortunately, autoescaping is False by default. Thus this plugin test +will warn on omission of an autoescape setting, as well as an explicit +setting of false. A HIGH severity warning is generated in either of +these scenarios. + +Example: + + + + >> Issue: Using jinja2 templates with autoescape=False is dangerous and can + lead to XSS. Use autoescape=True to mitigate XSS vulnerabilities. + Severity: High Confidence: High + CWE: CWE-94 (https://cwe.mitre.org/data/definitions/94.html) + Location: ./examples/jinja2_templating.py:11 + 10 templateEnv = jinja2.Environment(autoescape=False, + loader=templateLoader) + 11 Environment(loader=templateLoader, + 12 load=templateLoader, + 13 autoescape=False) + 14 + + >> Issue: By default, jinja2 sets autoescape to False. Consider using + autoescape=True or use the select_autoescape function to mitigate XSS + vulnerabilities. 
+ Severity: High Confidence: High + CWE: CWE-94 (https://cwe.mitre.org/data/definitions/94.html) + Location: ./examples/jinja2_templating.py:15 + 14 + 15 Environment(loader=templateLoader, + 16 load=templateLoader) + 17 + 18 Environment(autoescape=select_autoescape(['html', 'htm', 'xml']), + 19 loader=templateLoader) \ No newline at end of file diff --git a/docs/description/B702.md b/docs/description/B702.md index 7de4386..e245133 100644 --- a/docs/description/B702.md +++ b/docs/description/B702.md 
@@ -1,162 +1,23 @@ -Bandit - -- Getting - Started -- Configuration -- Integrations -- Test - Plugins - - Writing Tests - - Config Generation - - Example Test Plugin - - Plugin ID Groupings - - Complete Test Plugin Listing - - B101: assert_used - - B102: exec_used - - B103: set_bad_file_permissions - - B104: - hardcoded_bind_all_interfaces - - B105: hardcoded_password_string - - B106: - hardcoded_password_funcarg - - B107: - hardcoded_password_default - - B108: hardcoded_tmp_directory - - B109: - password_config_option_not_marked_secret - - B110: try_except_pass - - B111: - execute_with_run_as_root_equals_true - - B112: try_except_continue - - B113: request_without_timeout - - B201: flask_debug_true - - B202: tarfile_unsafe_members - - B324: hashlib - - B501: - request_with_no_cert_validation - - B502: ssl_with_bad_version - - B503: ssl_with_bad_defaults - - B504: ssl_with_no_version - - B505: weak_cryptographic_key - - B506: yaml_load - - B507: - ssh_no_host_key_verification - - B508: snmp_insecure_version - - B509: snmp_weak_cryptography - - B601: paramiko_calls - - B602: - subprocess_popen_with_shell_equals_true - - B603: - subprocess_without_shell_equals_true - - B604: - any_other_function_with_shell_equals_true - - B605: - start_process_with_a_shell - - B606: - start_process_with_no_shell - - B607: - start_process_with_partial_path - - B608: hardcoded_sql_expressions - - B609: - linux_commands_wildcard_injection - - B610: django_extra_used - - B611: django_rawsql_used - - B612: - logging_config_insecure_listen - - B613: trojansource - - B614: pytorch_load - - B615: - huggingface_unsafe_download - - B701: jinja2_autoescape_false - - B702: - use_of_mako_templates - - B703: django_mark_safe - - B704: markupsafe_markup_xss -- Blacklist Plugins -- Report Formatters -- Continuous Integration and Deployment (CI/CD) -- Frequently - Asked Questions - -Bandit - -- -- Test Plugins -- B702: use_of_mako_templates -- View page source - 
------------------------------------------------------------------------- - -# B702: use_of_mako_templates - - -Next - ------------------------------------------------------------------------- - -© Copyright 2025, Bandit Developers. - -Built with Sphinx -using a theme provided by -Read the Docs. +## B702: Test for use of mako templates + +Mako is a Python templating system often used to build web applications. +It is the default templating system used in Pylons and Pyramid. Unlike +Jinja2 (an alternative templating system), Mako has no environment wide +variable escaping mechanism. Because of this, all input variables must +be carefully escaped before use to prevent possible vulnerabilities to +Cross Site Scripting (XSS) attacks. + +Example: + + + + >> Issue: Mako templates allow HTML/JS rendering by default and are + inherently open to XSS attacks. Ensure variables in all templates are + properly sanitized via the 'n', 'h' or 'x' flags (depending on context). + For example, to HTML escape the variable 'data' do ${ data |h }. + Severity: Medium Confidence: High + CWE: CWE-80 (https://cwe.mitre.org/data/definitions/80.html) + Location: ./examples/mako_templating.py:10 + 9 + 10 mako.template.Template("hern") + 11 template.Template("hern") \ No newline at end of file diff --git a/docs/description/B703.md b/docs/description/B703.md index 724bf5f..c7785b0 100644 --- a/docs/description/B703.md +++ b/docs/description/B703.md 
@@ -1,162 +1,13 @@ -Bandit +**B703: Potential XSS on mark\_safe function** -- Getting - Started -- Configuration -- Integrations -- Test - Plugins - - Writing Tests - - Config Generation - - Example Test Plugin - - Plugin ID Groupings - - Complete Test Plugin Listing - - B101: assert_used - - B102: exec_used - - B103: set_bad_file_permissions - - B104: - hardcoded_bind_all_interfaces - - B105: hardcoded_password_string - - B106: - hardcoded_password_funcarg - - B107: - hardcoded_password_default - - B108: hardcoded_tmp_directory - - B109: - password_config_option_not_marked_secret - - B110: try_except_pass - - B111: - execute_with_run_as_root_equals_true - - B112: try_except_continue - - B113: request_without_timeout - - B201: flask_debug_true - - B202: tarfile_unsafe_members - - B324: hashlib - - B501: - request_with_no_cert_validation - - B502: ssl_with_bad_version - - B503: ssl_with_bad_defaults - - B504: ssl_with_no_version - - B505: weak_cryptographic_key - - B506: yaml_load - - B507: - ssh_no_host_key_verification - - B508: snmp_insecure_version - - B509: snmp_weak_cryptography - - B601: paramiko_calls - - B602: - subprocess_popen_with_shell_equals_true - - B603: - subprocess_without_shell_equals_true - - B604: - any_other_function_with_shell_equals_true - - B605: - start_process_with_a_shell - - B606: - start_process_with_no_shell - - B607: - start_process_with_partial_path - - B608: hardcoded_sql_expressions - - B609: - linux_commands_wildcard_injection - - B610: django_extra_used - - B611: django_rawsql_used - - B612: - logging_config_insecure_listen - - B613: trojansource - - B614: pytorch_load - - B615: - huggingface_unsafe_download - - B701: jinja2_autoescape_false - - B702: use_of_mako_templates - - B703: - django_mark_safe - - B704: markupsafe_markup_xss -- Blacklist Plugins -- Report Formatters -- Continuous Integration and Deployment (CI/CD) -- Frequently - Asked Questions +Example: -Bandit + -- -- Test Plugins -- B703: django_mark_safe -- View page 
source - ------------------------------------------------------------------------- - -# B703: django_mark_safe - - - - ------------------------------------------------------------------------- - -© Copyright 2025, Bandit Developers. - -Built with Sphinx -using a theme provided by -Read the Docs. + >> Issue: [B703:django_mark_safe] Potential XSS on mark_safe function. + Severity: Medium Confidence: High + CWE: CWE-80 (https://cwe.mitre.org/data/definitions/80.html) + Location: examples/mark_safe_insecure.py:159:4 + More Info: https://bandit.readthedocs.io/en/latest/plugins/b703_django_mark_safe.html + 158 str_arg = 'could be insecure' + 159 safestring.mark_safe(str_arg) \ No newline at end of file diff --git a/docs/description/description.json b/docs/description/description.json index 3b0962c..f15787d 100644 --- a/docs/description/description.json +++ b/docs/description/description.json 
@@ -1,221 +1,391 @@ [ { "patternId" : "B101", "title" : "assert_used", - "description" : "B101: assert_used — Bandit documentation ", + "description" : "B101: Test for use of assert", "parameters" : [ ] }, { "patternId" : "B102", "title" : "exec_used", - "description" : "B102: exec_used — Bandit documentation ", + "description" : "B102: Test for the use of exec", "parameters" : [ ] }, { "patternId" : "B103", "title" : "set_bad_file_permissions", - "description" : "B103: set_bad_file_permissions — Bandit documentation ", + "description" : "B103: Test for setting permissive file permissions", "parameters" : [ ] }, { "patternId" : "B104", "title" : "hardcoded_bind_all_interfaces", - "description" : "B104: hardcoded_bind_all_interfaces — Bandit documentation ", + "description" : "B104: Test for binding to all interfaces", "parameters" : [ ] }, { "patternId" : "B105", "title" : "hardcoded_password_string", - "description" : "B105: hardcoded_password_string — Bandit documentation ", + "description" : "B105: Test for use of hard-coded password strings", "parameters" : [ ] }, { "patternId" : "B106", "title" : "hardcoded_password_funcarg", - "description" : "B106: hardcoded_password_funcarg — Bandit documentation ", + "description" : "B106: Test for use of hard-coded password function arguments", "parameters" : [ ] }, { "patternId" : "B107", "title" : "hardcoded_password_default", - "description" : "B107: hardcoded_password_default — Bandit documentation ", + "description" : "B107: Test for use of hard-coded password argument defaults", "parameters" : [ ] }, { "patternId" : "B108", "title" : "hardcoded_tmp_directory", - "description" : "B108: hardcoded_tmp_directory — Bandit documentation ", + "description" : "B108: Test for insecure usage of tmp file/directory", "parameters" : [ ] }, { "patternId" : "B109", - "title" : "password_config_option_not_marked_secret", - "description" : "B109: password_config_option_not_marked_secret — Bandit documentation ", + "title" : "Test 
for a password based config option not marked secret", + "description" : "B109: Test for a password based config option not marked secret", "parameters" : [ ] }, { "patternId" : "B110", "title" : "try_except_pass", - "description" : "B110: try_except_pass — Bandit documentation ", + "description" : "B110: Test for a pass in the except block", "parameters" : [ ] }, { "patternId" : "B111", - "title" : "execute_with_run_as_root_equals_true", - "description" : "B111: execute_with_run_as_root_equals_true — Bandit documentation ", + "title" : "Test for the use of rootwrap running as root", + "description" : "B111: Test for the use of rootwrap running as root", "parameters" : [ ] }, { "patternId" : "B112", "title" : "try_except_continue", - "description" : "B112: try_except_continue — Bandit documentation ", + "description" : "B112: Test for a continue in the except block", "parameters" : [ ] -}, { +},{ "patternId" : "B113", "title" : "request_without_timeout", - "description" : "B113: request_without_timeout — Bandit documentation ", + "description" : "B113: Test for missing requests timeout", "parameters" : [ ] }, { "patternId" : "B201", "title" : "flask_debug_true", - "description" : "B201: flask_debug_true — Bandit documentation ", + "description" : "B201: Test for use of flask app with debug set to true", "parameters" : [ ] }, { "patternId" : "B202", "title" : "tarfile_unsafe_members", - "description" : "B202: tarfile_unsafe_members — Bandit documentation ", + "description" : "B202: Test for tarfile.extractall", + "parameters" : [ ] +}, { + "patternId" : "B301", + "title" : "pickle", + "description" : "B301: Pickle and modules that wrap it can be unsafe when used to deserialize untrusted data, possible security issue.", + "parameters" : [ ] +}, { + "patternId" : "B302", + "title" : "marshal", + "description" : "B302: Deserialization with the marshal module is possibly dangerous.", + "parameters" : [ ] +}, { + "patternId" : "B303", + "title" : "md5", + "description" : 
"B303: Use of insecure MD2, MD4, MD5, or SHA1 hash function.", + "parameters" : [ ] +}, { + "patternId" : "B304", + "title" : "B304: ciphers and modes", + "description" : "B304: Use of insecure cipher or cipher mode", + "parameters" : [ ] +}, { + "patternId" : "B305", + "title" : "B305: ciphers and modes", + "description" : "B305: Use of insecure cipher or cipher mode", + "parameters" : [ ] +}, { + "patternId" : "B306", + "title" : "mktemp_q", + "description" : "B306: Use of insecure and deprecated function (mktemp).", + "parameters" : [ ] +}, { + "patternId" : "B307", + "title" : "eval", + "description" : "B307: Use of possibly insecure function - consider using safer ast.literal_eval.", + "parameters" : [ ] +}, { + "patternId" : "B308", + "title" : "mark_safe", + "description" : "B308: Use of mark_safe() may expose cross-site scripting vulnerabilities and should be reviewed.", + "parameters" : [ ] +}, { + "patternId" : "B309", + "title" : "httpsconnection", + "description" : "B309: Use of HTTPSConnection on older versions of Python prior to 2.7.9 and 3.4.3 do not provide security, see https://wiki.openstack.org/wiki/OSSN/OSSN-0033", + "parameters" : [ ] +}, { + "patternId" : "B310", + "title" : "urllib_urlopen", + "description" : "B310: Audit url open for permitted schemes", + "parameters" : [ ] +}, { + "patternId" : "B311", + "title" : "random", + "description" : "B311: Standard pseudo-random generators are not suitable for security/cryptographic purposes.", + "parameters" : [ ] +}, { + "patternId" : "B312", + "title" : "telnetlib", + "description" : "B312: Telnet-related functions are being called", + "parameters" : [ ] +}, { + "patternId" : "B313", + "title" : "B313: XML", + "description" : "B313: Using various XLM methods to parse untrusted XML data is known to be vulnerable to XML attacks", + "parameters" : [ ] +}, { + "patternId" : "B314", + "title" : "B314: XML", + "description" : "B314: Using various XLM methods to parse untrusted XML data is known to be 
vulnerable to XML attacks", + "parameters" : [ ] +}, { + "patternId" : "B315", + "title" : "B315: XML", + "description" : "B315: Using various XLM methods to parse untrusted XML data is known to be vulnerable to XML attacks", + "parameters" : [ ] +}, { + "patternId" : "B316", + "title" : "B316: XML", + "description" : "B316: Using various XLM methods to parse untrusted XML data is known to be vulnerable to XML attacks", + "parameters" : [ ] +}, { + "patternId" : "B317", + "title" : "B317: XML", + "description" : "B317: Using various XLM methods to parse untrusted XML data is known to be vulnerable to XML attacks", + "parameters" : [ ] +}, { + "patternId" : "B318", + "title" : "B318: XML", + "description" : "B318: Using various XLM methods to parse untrusted XML data is known to be vulnerable to XML attacks", + "parameters" : [ ] +}, { + "patternId" : "B319", + "title" : "B319: XML", + "description" : "B319: Using various XLM methods to parse untrusted XML data is known to be vulnerable to XML attacks", + "parameters" : [ ] +}, { + "patternId" : "B320", + "title" : "B320: XML", + "description" : "B320: Using various XLM methods to parse untrusted XML data is known to be vulnerable to XML attacks", + "parameters" : [ ] +}, { + "patternId" : "B321", + "title" : "ftplib", + "description" : "B321: FTP-related functions are being called", + "parameters" : [ ] +}, { + "patternId" : "B322", + "title" : "input", + "description" : "B322: The check for this call has been removed.", + "parameters" : [ ] +}, { + "patternId" : "B323", + "title" : "unverified_context", + "description" : "B323: By default, Python will create a secure, verified ssl context for use in such classes as HTTPSConnection", "parameters" : [ ] }, { "patternId" : "B324", "title" : "hashlib", - "description" : "B324: hashlib — Bandit documentation ", + "description" : "B324: Test use of insecure md4, md5, or sha1 hash functions in hashlib", + "parameters" : [ ] +}, { + "patternId" : "B325", + "title" : 
"tempnam", + "description" : "B325: Use of os.tempnam() and os.tmpnam() is vulnerable to symlink attacks", + "parameters" : [ ] +}, { + "patternId" : "B401", + "title" : "import_telnetlib", + "description" : "B401: A telnet-related module is being imported", + "parameters" : [ ] +}, { + "patternId" : "B402", + "title" : "import_ftplib", + "description" : "B402: A FTP-related module is being imported", + "parameters" : [ ] +}, { + "patternId" : "B403", + "title" : "import_pickle", + "description" : "B403: Consider possible security implications associated with these modules.", + "parameters" : [ ] +}, { + "patternId" : "B404", + "title" : "import_subprocess", + "description" : "B404: Consider possible security implications associated with these modules.", + "parameters" : [ ] +}, { + "patternId" : "B405", + "title" : "import_xml_etree", + "description" : "B405: Using various methods to parse untrusted XML data is known to be vulnerable to XML attacks", + "parameters" : [ ] +}, { + "patternId" : "B406", + "title" : "import_xml_sax", + "description" : "B406: Using various methods to parse untrusted XML data is known to be vulnerable to XML attacks", + "parameters" : [ ] +}, { + "patternId" : "B407", + "title" : "import_xml_expat", + "description" : "B407: Using various methods to parse untrusted XML data is known to be vulnerable to XML attacks", + "parameters" : [ ] +}, { + "patternId" : "B408", + "title" : "import_xml_minidom", + "description" : "B408: Using various methods to parse untrusted XML data is known to be vulnerable to XML attacks", + "parameters" : [ ] +}, { + "patternId" : "B409", + "title" : "import_xml_pulldom", + "description" : "B409: Using various methods to parse untrusted XML data is known to be vulnerable to XML attacks", + "parameters" : [ ] +}, { + "patternId" : "B410", + "title" : "import_lxml", + "description" : "B410: Using various methods to parse untrusted XML data is known to be vulnerable to XML attacks", + "parameters" : [ ] +}, { + 
"patternId" : "B411", + "title" : "import_xmlrpclib", + "description" : "B411: XMLRPC is particularly dangerous as it is also concerned with communicating data over a network", + "parameters" : [ ] +}, { + "patternId" : "B412", + "title" : "import_httpoxy", + "description" : "B412: httpoxy is a set of vulnerabilities that affect application code running in CGI, or CGI-like environments", + "parameters" : [ ] +}, { + "patternId" : "B413", + "title" : "import_pycrypto", + "description" : "B413: pycrypto library is known to have publicly disclosed buffer overflow vulnerability https://github.com/dlitz/pycrypto/issues/176", + "parameters" : [ ] +}, { + "patternId" : "B414", + "title" : "import_pycryptodome", + "description" : "B414: This import blacklist has been removed", "parameters" : [ ] }, { "patternId" : "B501", "title" : "request_with_no_cert_validation", - "description" : "B501: request_with_no_cert_validation — Bandit documentation ", + "description" : "B501: Test for missing certificate validation", "parameters" : [ ] }, { "patternId" : "B502", "title" : "ssl_with_bad_version", - "description" : "B502: ssl_with_bad_version — Bandit documentation ", + "description" : "B502: Test for SSL use with bad version used", "parameters" : [ ] }, { "patternId" : "B503", "title" : "ssl_with_bad_defaults", - "description" : "B503: ssl_with_bad_defaults — Bandit documentation ", + "description" : "B503: Test for SSL use with bad defaults specified", "parameters" : [ ] }, { "patternId" : "B504", "title" : "ssl_with_no_version", - "description" : "B504: ssl_with_no_version — Bandit documentation ", + "description" : "B504: Test for SSL use with no version specified", "parameters" : [ ] }, { "patternId" : "B505", "title" : "weak_cryptographic_key", - "description" : "B505: weak_cryptographic_key — Bandit documentation ", + "description" : "B505: Test for weak cryptographic key use", "parameters" : [ ] }, { "patternId" : "B506", "title" : "yaml_load", - "description" : "B506: 
yaml_load — Bandit documentation ", + "description" : "B506: Test for use of yaml load", "parameters" : [ ] }, { "patternId" : "B507", "title" : "ssh_no_host_key_verification", - "description" : "B507: ssh_no_host_key_verification — Bandit documentation ", + "description" : "B507: Test for missing host key validation", "parameters" : [ ] }, { "patternId" : "B508", "title" : "snmp_insecure_version", - "description" : "B508: snmp_insecure_version — Bandit documentation ", + "description" : "B508: Checking for insecure SNMP versions", "parameters" : [ ] }, { "patternId" : "B509", "title" : "snmp_weak_cryptography", - "description" : "B509: snmp_weak_cryptography — Bandit documentation ", + "description" : "B509: Checking for weak cryptography", "parameters" : [ ] }, { "patternId" : "B601", "title" : "paramiko_calls", - "description" : "B601: paramiko_calls — Bandit documentation ", + "description" : "B601: Test for shell injection within Paramiko", "parameters" : [ ] }, { "patternId" : "B602", "title" : "subprocess_popen_with_shell_equals_true", - "description" : "B602: subprocess_popen_with_shell_equals_true — Bandit documentation ", + "description" : "B602: Test for use of popen with shell equals true", "parameters" : [ ] }, { "patternId" : "B603", "title" : "subprocess_without_shell_equals_true", - "description" : "B603: subprocess_without_shell_equals_true — Bandit documentation ", + "description" : "B603: Test for use of subprocess without shell equals true", "parameters" : [ ] }, { "patternId" : "B604", "title" : "any_other_function_with_shell_equals_true", - "description" : "B604: any_other_function_with_shell_equals_true — Bandit documentation ", + "description" : "B604: Test for any function with shell equals true", "parameters" : [ ] }, { "patternId" : "B605", "title" : "start_process_with_a_shell", - "description" : "B605: start_process_with_a_shell — Bandit documentation ", + "description" : "B605: Test for starting a process with a shell", "parameters" : 
[ ] }, { "patternId" : "B606", "title" : "start_process_with_no_shell", - "description" : "B606: start_process_with_no_shell — Bandit documentation ", + "description" : "B606: Test for starting a process with no shell", "parameters" : [ ] }, { "patternId" : "B607", "title" : "start_process_with_partial_path", - "description" : "B607: start_process_with_partial_path — Bandit documentation ", + "description" : "B607: Test for starting a process with a partial path", "parameters" : [ ] }, { "patternId" : "B608", "title" : "hardcoded_sql_expressions", - "description" : "B608: hardcoded_sql_expressions — Bandit documentation ", + "description" : "B608: Test for SQL injection", "parameters" : [ ] }, { "patternId" : "B609", "title" : "linux_commands_wildcard_injection", - "description" : "B609: linux_commands_wildcard_injection — Bandit documentation ", + "description" : "B609: Test for use of wildcard injection", "parameters" : [ ] }, { "patternId" : "B610", "title" : "django_extra_used", - "description" : "B610: django_extra_used — Bandit documentation ", + "description" : "B610: Potential SQL injection on extra function", "parameters" : [ ] }, { "patternId" : "B611", "title" : "django_rawsql_used", - "description" : "B611: django_rawsql_used — Bandit documentation ", + "description" : "B611: Potential SQL injection on RawSQL function", "parameters" : [ ] }, { "patternId" : "B612", "title" : "logging_config_insecure_listen", - "description" : "B612: logging_config_insecure_listen — Bandit documentation ", - "parameters" : [ ] -}, { - "patternId" : "B613", - "title" : "trojansource", - "description" : "B613: trojansource — Bandit documentation ", - "parameters" : [ ] -}, { - "patternId" : "B614", - "title" : "pytorch_load", - "description" : "B614: pytorch_load — Bandit documentation ", - "parameters" : [ ] -}, { - "patternId" : "B615", - "title" : "huggingface_unsafe_download", - "description" : "B615: huggingface_unsafe_download — Bandit documentation ", + 
"description" : "B612: Test for insecure use of logging.config.listen", "parameters" : [ ] }, { "patternId" : "B701", "title" : "jinja2_autoescape_false", - "description" : "B701: jinja2_autoescape_false — Bandit documentation ", + "description" : "B701: Test for not auto escaping in jinja2", "parameters" : [ ] }, { "patternId" : "B702", "title" : "use_of_mako_templates", - "description" : "B702: use_of_mako_templates — Bandit documentation ", + "description" : "B702: Test for use of mako templates", "parameters" : [ ] }, { "patternId" : "B703", "title" : "django_mark_safe", - "description" : "B703: django_mark_safe — Bandit documentation ", - "parameters" : [ ] -}, { - "patternId" : "B704", - "title" : "markupsafe_markup_xss", - "description" : "B704: markupsafe_markup_xss — Bandit documentation ", + "description" : "B703: Potential XSS on mark_safe function", "parameters" : [ ] } ] diff --git a/docs/patterns.json b/docs/patterns.json index a9bbac0..59e99bb 100644 --- a/docs/patterns.json +++ b/docs/patterns.json @@ -1,11 +1,10 @@ { "name" : "bandit", - "version" : "1.8.6", + "version" : "1.8.3", "patterns" : [ { "patternId" : "B101", "level" : "Warning", "category" : "Security", - "scanType" : "SAST", "parameters" : [ ], "languages" : [ ], "enabled" : false @@ -14,16 +13,14 @@ "level" : "Warning", "category" : "Security", "subcategory" : "InputValidation", - "scanType" : "SAST", "parameters" : [ ], "languages" : [ ], "enabled" : true }, { "patternId" : "B103", - "level" : "Warning", + "level" : "Error", "category" : "Security", "subcategory" : "FileAccess", - "scanType" : "SAST", "parameters" : [ ], "languages" : [ ], "enabled" : true @@ -31,7 +28,6 @@ "patternId" : "B104", "level" : "Warning", "category" : "Security", - "scanType" : "SAST", "parameters" : [ ], "languages" : [ ], "enabled" : true @@ -40,7 +36,6 @@ "level" : "Warning", "category" : "Security", "subcategory" : "Auth", - "scanType" : "SAST", "parameters" : [ ], "languages" : [ ], "enabled" : true 
@@ -49,7 +44,6 @@ "level" : "Warning", "category" : "Security", "subcategory" : "Auth", - "scanType" : "SAST", "parameters" : [ ], "languages" : [ ], "enabled" : false @@ -58,7 +52,6 @@ "level" : "Warning", "category" : "Security", "subcategory" : "Auth", - "scanType" : "SAST", "parameters" : [ ], "languages" : [ ], "enabled" : true @@ -67,7 +60,6 @@ "level" : "Warning", "category" : "Security", "subcategory" : "FileAccess", - "scanType" : "SAST", "parameters" : [ ], "languages" : [ ], "enabled" : true @@ -76,7 +68,6 @@ "level" : "Warning", "category" : "Security", "subcategory" : "Auth", - "scanType" : "SAST", "parameters" : [ ], "languages" : [ ], "enabled" : true @@ -84,7 +75,6 @@ "patternId" : "B110", "level" : "Warning", "category" : "Security", - "scanType" : "SAST", "parameters" : [ ], "languages" : [ ], "enabled" : true @@ -93,7 +83,6 @@ "level" : "Warning", "category" : "Security", "subcategory" : "Auth", - "scanType" : "SAST", "parameters" : [ ], "languages" : [ ], "enabled" : true 
@@ -101,58 +90,348 @@ "patternId" : "B112", "level" : "Warning", "category" : "Security", - "scanType" : "SAST", "parameters" : [ ], "languages" : [ ], "enabled" : true }, { - "patternId" : "B113", + "patternId" : "B113", + "level" : "Warning", + "category" : "Security", + "parameters" : [ ], + "languages" : [ ], + "enabled" : true + }, { + "patternId" : "B201", + "level" : "Error", + "category" : "Security", + "parameters" : [ ], + "languages" : [ ], + "enabled" : true + }, { + "patternId" : "B202", + "level" : "Error", + "category" : "Security", + "parameters" : [ ], + "languages" : [ ], + "enabled" : true + }, { + "patternId" : "B301", + "level" : "Warning", + "category" : "Security", + "subcategory" : "InsecureModulesLibraries", + "parameters" : [ ], + "languages" : [ ], + "enabled" : true + }, { + "patternId" : "B302", + "level" : "Warning", + "category" : "Security", + "subcategory" : "InsecureModulesLibraries", + "parameters" : [ ], + "languages" : [ ], + "enabled" : true + }, { + "patternId" : "B303", + "level" : "Warning", + "category" : "Security", + "subcategory" : "Cryptography", + "parameters" : [ ], + "languages" : [ ], + "enabled" : true + }, { + "patternId" : "B304", + "level" : "Warning", + "category" : "Security", + "subcategory" : "Cryptography", + "parameters" : [ ], + "languages" : [ ], + "enabled" : true + }, { + "patternId" : "B305", + "level" : "Warning", + "category" : "Security", + "subcategory" : "Cryptography", + "parameters" : [ ], + "languages" : [ ], + "enabled" : true + }, { + "patternId" : "B306", + "level" : "Warning", + "category" : "Security", + "parameters" : [ ], + "languages" : [ ], + "enabled" : true + }, { + "patternId" : "B307", + "level" : "Warning", + "category" : "Security", + "subcategory" : "InputValidation", + "parameters" : [ ], + "languages" : [ ], + "enabled" : true + }, { + "patternId" : "B308", + "level" : "Warning", + "category" : "Security", + "subcategory" : "XSS", + "parameters" : [ ], + "languages" : [ ], + 
"enabled" : true + }, { + "patternId" : "B309", + "level" : "Warning", + "category" : "Security", + "subcategory" : "SSL", + "parameters" : [ ], + "languages" : [ ], + "enabled" : true + }, { + "patternId" : "B310", + "level" : "Warning", + "category" : "Security", + "subcategory" : "HTTP", + "parameters" : [ ], + "languages" : [ ], + "enabled" : true + }, { + "patternId" : "B311", + "level" : "Warning", + "category" : "Security", + "subcategory" : "Cryptography", + "parameters" : [ ], + "languages" : [ ], + "enabled" : true + }, { + "patternId" : "B312", + "level" : "Warning", + "category" : "Security", + "subcategory" : "InsecureModulesLibraries", + "parameters" : [ ], + "languages" : [ ], + "enabled" : true + }, { + "patternId" : "B313", + "level" : "Warning", + "category" : "Security", + "subcategory" : "InputValidation", + "parameters" : [ ], + "languages" : [ ], + "enabled" : true + }, { + "patternId" : "B314", + "level" : "Warning", + "category" : "Security", + "subcategory" : "InputValidation", + "parameters" : [ ], + "languages" : [ ], + "enabled" : true + }, { + "patternId" : "B315", + "level" : "Warning", + "category" : "Security", + "subcategory" : "InputValidation", + "parameters" : [ ], + "languages" : [ ], + "enabled" : true + }, { + "patternId" : "B316", + "level" : "Warning", + "category" : "Security", + "subcategory" : "InputValidation", + "parameters" : [ ], + "languages" : [ ], + "enabled" : true + }, { + "patternId" : "B317", + "level" : "Warning", + "category" : "Security", + "subcategory" : "InputValidation", + "parameters" : [ ], + "languages" : [ ], + "enabled" : true + }, { + "patternId" : "B318", + "level" : "Warning", + "category" : "Security", + "subcategory" : "InputValidation", + "parameters" : [ ], + "languages" : [ ], + "enabled" : true + }, { + "patternId" : "B319", + "level" : "Warning", + "category" : "Security", + "subcategory" : "InputValidation", + "parameters" : [ ], + "languages" : [ ], + "enabled" : true + }, { + 
"patternId" : "B320", + "level" : "Warning", + "category" : "Security", + "subcategory" : "InputValidation", + "parameters" : [ ], + "languages" : [ ], + "enabled" : true + }, { + "patternId" : "B321", + "level" : "Warning", + "category" : "Security", + "subcategory" : "InsecureModulesLibraries", + "parameters" : [ ], + "languages" : [ ], + "enabled" : true + }, { + "patternId" : "B322", "level" : "Warning", "category" : "Security", - "scanType" : "SAST", "parameters" : [ ], "languages" : [ ], "enabled" : false }, { - "patternId" : "B201", + "patternId" : "B323", "level" : "Warning", "category" : "Security", - "subcategory" : "UnexpectedBehaviour", - "scanType" : "SAST", + "parameters" : [ ], + "languages" : [ ], + "enabled" : false + }, { + "patternId" : "B324", + "level" : "Error", + "category" : "Security", + "parameters" : [ ], + "languages" : [ ], + "enabled" : false + }, { + "patternId" : "B325", + "level" : "Warning", + "category" : "Security", + "parameters" : [ ], + "languages" : [ ], + "enabled" : false + }, { + "patternId" : "B401", + "level" : "Warning", + "category" : "Security", + "subcategory" : "InsecureModulesLibraries", "parameters" : [ ], "languages" : [ ], "enabled" : true }, { - "patternId" : "B202", + "patternId" : "B402", "level" : "Warning", "category" : "Security", - "scanType" : "SAST", + "subcategory" : "InsecureModulesLibraries", + "parameters" : [ ], + "languages" : [ ], + "enabled" : true + }, { + "patternId" : "B403", + "level" : "Warning", + "category" : "Security", + "subcategory" : "InsecureModulesLibraries", + "parameters" : [ ], + "languages" : [ ], + "enabled" : true + }, { + "patternId" : "B404", + "level" : "Warning", + "category" : "Security", + "subcategory" : "InsecureModulesLibraries", + "parameters" : [ ], + "languages" : [ ], + "enabled" : true + }, { + "patternId" : "B405", + "level" : "Warning", + "category" : "Security", + "subcategory" : "InsecureModulesLibraries", + "parameters" : [ ], + "languages" : [ ], + 
"enabled" : true + }, { + "patternId" : "B406", + "level" : "Warning", + "category" : "Security", + "subcategory" : "InsecureModulesLibraries", + "parameters" : [ ], + "languages" : [ ], + "enabled" : true + }, { + "patternId" : "B407", + "level" : "Warning", + "category" : "Security", + "subcategory" : "InsecureModulesLibraries", + "parameters" : [ ], + "languages" : [ ], + "enabled" : true + }, { + "patternId" : "B408", + "level" : "Warning", + "category" : "Security", + "subcategory" : "InsecureModulesLibraries", + "parameters" : [ ], + "languages" : [ ], + "enabled" : true + }, { + "patternId" : "B409", + "level" : "Warning", + "category" : "Security", + "subcategory" : "InsecureModulesLibraries", + "parameters" : [ ], + "languages" : [ ], + "enabled" : true + }, { + "patternId" : "B410", + "level" : "Warning", + "category" : "Security", + "subcategory" : "InsecureModulesLibraries", + "parameters" : [ ], + "languages" : [ ], + "enabled" : true + }, { + "patternId" : "B411", + "level" : "Warning", + "category" : "Security", + "subcategory" : "InsecureModulesLibraries", + "parameters" : [ ], + "languages" : [ ], + "enabled" : true + }, { + "patternId" : "B412", + "level" : "Warning", + "category" : "Security", + "subcategory" : "InsecureModulesLibraries", "parameters" : [ ], "languages" : [ ], "enabled" : false }, { - "patternId" : "B324", + "patternId" : "B413", "level" : "Warning", "category" : "Security", - "scanType" : "SAST", "parameters" : [ ], "languages" : [ ], "enabled" : false }, { - "patternId" : "B501", + "patternId" : "B414", "level" : "Warning", "category" : "Security", + "parameters" : [ ], + "languages" : [ ], + "enabled" : false + }, { + "patternId" : "B501", + "level" : "Error", + "category" : "Security", "subcategory" : "SSL", - "scanType" : "SAST", "parameters" : [ ], "languages" : [ ], "enabled" : true }, { "patternId" : "B502", - "level" : "Warning", + "level" : "Error", "category" : "Security", "subcategory" : "SSL", - "scanType" : "SAST", 
"parameters" : [ ], "languages" : [ ], "enabled" : true @@ -161,7 +440,6 @@ "level" : "Warning", "category" : "Security", "subcategory" : "SSL", - "scanType" : "SAST", "parameters" : [ ], "languages" : [ ], "enabled" : true @@ -170,16 +448,14 @@ "level" : "Warning", "category" : "Security", "subcategory" : "SSL", - "scanType" : "SAST", "parameters" : [ ], "languages" : [ ], "enabled" : true }, { "patternId" : "B505", - "level" : "Warning", + "level" : "Error", "category" : "Security", "subcategory" : "Cryptography", - "scanType" : "SAST", "parameters" : [ ], "languages" : [ ], "enabled" : true @@ -188,32 +464,27 @@ "level" : "Warning", "category" : "Security", "subcategory" : "InputValidation", - "scanType" : "SAST", "parameters" : [ ], "languages" : [ ], "enabled" : true }, { "patternId" : "B507", - "level" : "Warning", + "level" : "Error", "category" : "Security", - "subcategory" : "Auth", - "scanType" : "SAST", "parameters" : [ ], "languages" : [ ], "enabled" : false }, { - "patternId" : "B508", - "level" : "Warning", - "category" : "Security", - "scanType" : "SAST", - "parameters" : [ ], - "languages" : [ ], - "enabled" : false + "patternId" : "B508", + "level" : "Error", + "category" : "Security", + "parameters" : [ ], + "languages" : [ ], + "enabled" : false }, { "patternId" : "B509", - "level" : "Warning", + "level" : "Error", "category" : "Security", - "scanType" : "SAST", "parameters" : [ ], "languages" : [ ], "enabled" : false @@ -222,16 +493,14 @@ "level" : "Warning", "category" : "Security", "subcategory" : "CommandInjection", - "scanType" : "SAST", "parameters" : [ ], "languages" : [ ], "enabled" : true }, { "patternId" : "B602", - "level" : "Warning", + "level" : "Error", "category" : "Security", "subcategory" : "CommandInjection", - "scanType" : "SAST", "parameters" : [ ], "languages" : [ ], "enabled" : true 
@@ -240,7 +509,6 @@ "level" : "Warning", "category" : "Security", "subcategory" : "CommandInjection", - "scanType" : "SAST", "parameters" : [ ], "languages" : [ ], "enabled" : true @@ -249,7 +517,6 @@ "level" : "Warning", "category" : "Security", "subcategory" : "CommandInjection", - "scanType" : "SAST", "parameters" : [ ], "languages" : [ ], "enabled" : true @@ -258,7 +525,6 @@ "level" : "Warning", "category" : "Security", "subcategory" : "CommandInjection", - "scanType" : "SAST", "parameters" : [ ], "languages" : [ ], "enabled" : false @@ -267,7 +533,6 @@ "level" : "Warning", "category" : "Security", "subcategory" : "CommandInjection", - "scanType" : "SAST", "parameters" : [ ], "languages" : [ ], "enabled" : true @@ -276,7 +541,6 @@ "level" : "Warning", "category" : "Security", "subcategory" : "CommandInjection", - "scanType" : "SAST", "parameters" : [ ], "languages" : [ ], "enabled" : false @@ -285,7 +549,6 @@ "level" : "Warning", "category" : "Security", "subcategory" : "SQLInjection", - "scanType" : "SAST", "parameters" : [ ], "languages" : [ ], "enabled" : true @@ -294,7 +557,6 @@ "level" : "Warning", "category" : "Security", "subcategory" : "InputValidation", - "scanType" : "SAST", "parameters" : [ ], "languages" : [ ], "enabled" : true @@ -302,7 +564,6 @@ "patternId" : "B610", "level" : "Warning", "category" : "Security", - "scanType" : "SAST", "parameters" : [ ], "languages" : [ ], "enabled" : false @@ -310,8 +571,6 @@ "patternId" : "B611", "level" : "Warning", "category" : "Security", - "subcategory" : "SQLInjection", - "scanType" : "SAST", "parameters" : [ ], "languages" : [ ], "enabled" : false 
@@ -319,40 +578,14 @@
 "patternId" : "B612",
 "level" : "Warning",
 "category" : "Security",
- "scanType" : "SAST",
- "parameters" : [ ],
- "languages" : [ ],
- "enabled" : false
- }, {
- "patternId" : "B613",
- "level" : "Warning",
- "category" : "Security",
- "scanType" : "SAST",
- "parameters" : [ ],
- "languages" : [ ],
- "enabled" : false
- }, {
- "patternId" : "B614",
- "level" : "Warning",
- "category" : "Security",
- "scanType" : "SAST",
- "parameters" : [ ],
- "languages" : [ ],
- "enabled" : false
- }, {
- "patternId" : "B615",
- "level" : "Warning",
- "category" : "Security",
- "scanType" : "SAST",
 "parameters" : [ ],
 "languages" : [ ],
 "enabled" : false
 }, {
 "patternId" : "B701",
- "level" : "Warning",
+ "level" : "Error",
 "category" : "Security",
 "subcategory" : "XSS",
- "scanType" : "SAST",
 "parameters" : [ ],
 "languages" : [ ],
 "enabled" : true
@@ -361,7 +594,6 @@
 "level" : "Warning",
 "category" : "Security",
 "subcategory" : "XSS",
- "scanType" : "SAST",
 "parameters" : [ ],
 "languages" : [ ],
 "enabled" : true
@@ -369,16 +601,6 @@
 "patternId" : "B703",
 "level" : "Warning",
 "category" : "Security",
- "subcategory" : "XSS",
- "scanType" : "SAST",
- "parameters" : [ ],
- "languages" : [ ],
- "enabled" : false
- }, {
- "patternId" : "B704",
- "level" : "Warning",
- "category" : "Security",
- "scanType" : "SAST",
 "parameters" : [ ],
 "languages" : [ ],
 "enabled" : false
From caac8e4f4b8c75691643a0ccee131edf73efccf9 Mon Sep 17 00:00:00 2001 From: "david.marinho@codacy.com" Date: Wed, 23 Jul 2025 16:31:58 +0100 Subject: [PATCH 3/5] add scan type --- .../scala/docs/transformers/BlacklistDocTransformer.scala | 1 + .../main/scala/docs/transformers/PluginsDocGenerator.scala | 4 +++- 2 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/doc-generator/src/main/scala/docs/transformers/BlacklistDocTransformer.scala b/doc-generator/src/main/scala/docs/transformers/BlacklistDocTransformer.scala
index 439e6f2..c752ac9 100644
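Review bot: The 319/578 hunk deletes the B613, B614 and B615 entries outright and the 369/601 hunk deletes B704, so four checks vanish from the pattern list in a commit that is supposed to bump the tool version, which would normally grow the list rather than shrink it; if the generator only emits ids it finds in the parsed documentation, this is probably a generation gap rather than a deliberate removal and should be confirmed before merge. B703 also loses its "XSS" subcategory in the last hunk, matching the "Auth" and "SQLInjection" drops for B507 and B611 in the earlier hunks, which points at the subcategory lookup no longer matching these ids. Subcategories drive downstream filtering of security findings, so the mapping is worth checking rather than accepting the regenerated output as-is.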
--- a/doc-generator/src/main/scala/docs/transformers/BlacklistDocTransformer.scala
+++ b/doc-generator/src/main/scala/docs/transformers/BlacklistDocTransformer.scala
@@ -70,6 +70,7 @@ object BlacklistDocTransformer extends IPatternDocTransformer {
 Level.Warn,
 Pattern.Category.Security,
 SecuritySubcategories.get(patternIdCapitalized),
+ Some(Pattern.ScanType.SAST),
 Set.empty,
 Set.empty,
 enabled = DefaultPatterns.list.contains(patternIdCapitalized.value)
diff --git a/doc-generator/src/main/scala/docs/transformers/PluginsDocGenerator.scala b/doc-generator/src/main/scala/docs/transformers/PluginsDocGenerator.scala
index c780f86..bbf7529 100644
--- a/doc-generator/src/main/scala/docs/transformers/PluginsDocGenerator.scala
+++ b/doc-generator/src/main/scala/docs/transformers/PluginsDocGenerator.scala
@@ -4,7 +4,7 @@ import docs.transformers.utils.HtmlLoader
 import scala.xml._
 import better.files._
-import com.codacy.plugins.api.results.Pattern.Category
+import com.codacy.plugins.api.results.Pattern.{Category,Scantype}
 import com.codacy.plugins.api.results.Result.Level
 import com.codacy.plugins.api.results.Pattern
 import docs.{DefaultPatterns, SecuritySubcategories}
@@ -80,6 +80,8 @@ object PluginsDocTransformer extends IPatternDocTransformer {
 severity,
 Category.Security,
 SecuritySubcategories.get(patternIdCapitalized),
+ Some(ScanType.SAST),
+ Set.empty,
 Set.empty,
 enabled = DefaultPatterns.list.contains(patternIdCapitalized.value)
 )
From a5cf4d30295b3d6576d541184c74de91eac04951 Mon Sep 17 00:00:00 2001 From: "david.marinho@codacy.com" Date: Wed, 23 Jul 2025 16:32:30 +0100 Subject: [PATCH 4/5] rename node.labels to node.label --- .../src/main/scala/docs/transformers/PluginsDocGenerator.scala | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/doc-generator/src/main/scala/docs/transformers/PluginsDocGenerator.scala b/doc-generator/src/main/scala/docs/transformers/PluginsDocGenerator.scala
index bbf7529..c3946dc 100644
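Review bot: The import hunk in PluginsDocGenerator.scala brings `Scantype` into scope while the 80/80 hunk below uses `ScanType.SAST`, so unless `Pattern` really exposes a member spelled `Scantype` the file will not compile; BlacklistDocTransformer.scala in the same patch uses `Pattern.ScanType.SAST`, which is the spelling to match. Change the import to `import com.codacy.plugins.api.results.Pattern.{Category, ScanType}`, or qualify the call as `Pattern.ScanType.SAST` as the other transformer does and drop the import. The scalafmt patch on the next line reformats the same import without correcting the name, so it carries the same defect. The enclosing constructor call in the 80/80 hunk starts outside the hunk, so the argument position of the added `Set.empty` cannot be checked from here.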
--- a/doc-generator/src/main/scala/docs/transformers/PluginsDocGenerator.scala
+++ b/doc-generator/src/main/scala/docs/transformers/PluginsDocGenerator.scala
@@ -52,7 +52,7 @@ object PluginsDocTransformer extends IPatternDocTransformer {
 divs <- htmlPluginsDocs
 if (divs \@ "id").startsWith(patternId.value.toLowerCase())
 divsChildren <- divs.child.filter { node =>
- val l = node.labels
+ val l = node.label
 l == "h1" || l == "h2" || l == "p"
 }
 } yield divsChildren
From a1bbe5a5efa0c1f3c442a21277d951ab56f41ec1 Mon Sep 17 00:00:00 2001 From: "david.marinho@codacy.com" Date: Wed, 23 Jul 2025 16:34:10 +0100 Subject: [PATCH 5/5] run scalafmt --- .../src/main/scala/docs/transformers/PluginsDocGenerator.scala | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/doc-generator/src/main/scala/docs/transformers/PluginsDocGenerator.scala b/doc-generator/src/main/scala/docs/transformers/PluginsDocGenerator.scala
index c3946dc..45a05c7 100644
--- a/doc-generator/src/main/scala/docs/transformers/PluginsDocGenerator.scala
+++ b/doc-generator/src/main/scala/docs/transformers/PluginsDocGenerator.scala
@@ -4,7 +4,7 @@ import docs.transformers.utils.HtmlLoader
 import scala.xml._
 import better.files._
-import com.codacy.plugins.api.results.Pattern.{Category,Scantype}
+import com.codacy.plugins.api.results.Pattern.{Category, Scantype}
 import com.codacy.plugins.api.results.Result.Level
 import com.codacy.plugins.api.results.Pattern
 import docs.{DefaultPatterns, SecuritySubcategories}