#
# Copyright 2016 Hewlett-Packard Development Company, L.P.
#
# SPDX-License-Identifier: Apache-2.0
r"""
======================================================
Blacklist various Python imports known to be dangerous
======================================================
This blacklist data checks for a number of Python modules known to have
possible security implications. The following blacklist tests are run against
any import statements or calls encountered in the scanned code base.
Note that the XML rules listed here are mostly based on Christian Heimes'
work on defusedxml: https://pypi.org/project/defusedxml/
B401: import_telnetlib
----------------------
A telnet-related module is being imported. Telnet is considered insecure. Use
SSH or some other encrypted protocol.
+------+---------------------+------------------------------------+-----------+
| ID | Name | Imports | Severity |
+======+=====================+====================================+===========+
| B401 | import_telnetlib | - telnetlib | high |
+------+---------------------+------------------------------------+-----------+
B402: import_ftplib
-------------------
An FTP-related module is being imported. FTP is considered insecure. Use
SSH/SFTP/SCP or some other encrypted protocol.
+------+---------------------+------------------------------------+-----------+
| ID | Name | Imports | Severity |
+======+=====================+====================================+===========+
| B402 | import_ftplib | - ftplib | high |
+------+---------------------+------------------------------------+-----------+
B403: import_pickle
-------------------
Consider possible security implications associated with these modules: they
deserialize data, and unpickling untrusted input can execute arbitrary code.
+------+---------------------+------------------------------------+-----------+
| ID | Name | Imports | Severity |
+======+=====================+====================================+===========+
| B403 | import_pickle | - pickle | low |
| | | - cPickle | |
| | | - dill | |
| | | - shelve | |
+------+---------------------+------------------------------------+-----------+
B404: import_subprocess
-----------------------
Consider possible security implications associated with this module: it runs
external commands, and command lines built from untrusted input risk OS command
injection.
+------+---------------------+------------------------------------+-----------+
| ID | Name | Imports | Severity |
+======+=====================+====================================+===========+
| B404 | import_subprocess | - subprocess | low |
+------+---------------------+------------------------------------+-----------+
B405: import_xml_etree
----------------------
Using various methods to parse untrusted XML data is known to be vulnerable to
XML attacks. Replace vulnerable imports with the equivalent defusedxml package,
or make sure defusedxml.defuse_stdlib() is called.
+------+---------------------+------------------------------------+-----------+
| ID | Name | Imports | Severity |
+======+=====================+====================================+===========+
| B405 | import_xml_etree | - xml.etree.cElementTree | low |
| | | - xml.etree.ElementTree | |
+------+---------------------+------------------------------------+-----------+
B406: import_xml_sax
--------------------
Using various methods to parse untrusted XML data is known to be vulnerable to
XML attacks. Replace vulnerable imports with the equivalent defusedxml package,
or make sure defusedxml.defuse_stdlib() is called.
+------+---------------------+------------------------------------+-----------+
| ID | Name | Imports | Severity |
+======+=====================+====================================+===========+
| B406 | import_xml_sax | - xml.sax | low |
+------+---------------------+------------------------------------+-----------+
B407: import_xml_expat
----------------------
Using various methods to parse untrusted XML data is known to be vulnerable to
XML attacks. Replace vulnerable imports with the equivalent defusedxml package,
or make sure defusedxml.defuse_stdlib() is called.
+------+---------------------+------------------------------------+-----------+
| ID | Name | Imports | Severity |
+======+=====================+====================================+===========+
| B407 | import_xml_expat | - xml.dom.expatbuilder | low |
+------+---------------------+------------------------------------+-----------+
B408: import_xml_minidom
------------------------
Using various methods to parse untrusted XML data is known to be vulnerable to
XML attacks. Replace vulnerable imports with the equivalent defusedxml package,
or make sure defusedxml.defuse_stdlib() is called.
+------+---------------------+------------------------------------+-----------+
| ID | Name | Imports | Severity |
+======+=====================+====================================+===========+
| B408 | import_xml_minidom | - xml.dom.minidom | low |
+------+---------------------+------------------------------------+-----------+
B409: import_xml_pulldom
------------------------
Using various methods to parse untrusted XML data is known to be vulnerable to
XML attacks. Replace vulnerable imports with the equivalent defusedxml package,
or make sure defusedxml.defuse_stdlib() is called.
+------+---------------------+------------------------------------+-----------+
| ID | Name | Imports | Severity |
+======+=====================+====================================+===========+
| B409 | import_xml_pulldom | - xml.dom.pulldom | low |
+------+---------------------+------------------------------------+-----------+
B410: import_lxml
-----------------
Using various methods to parse untrusted XML data is known to be vulnerable to
XML attacks. Replace vulnerable imports with the equivalent defusedxml package.
+------+---------------------+------------------------------------+-----------+
| ID | Name | Imports | Severity |
+======+=====================+====================================+===========+
| B410 | import_lxml | - lxml | low |
+------+---------------------+------------------------------------+-----------+
B411: import_xmlrpclib
----------------------
XML-RPC is particularly dangerous as it is also concerned with communicating
data over a network. Use the defusedxml.xmlrpc.monkey_patch() function to
monkey-patch xmlrpclib and mitigate remote XML attacks.
+------+---------------------+------------------------------------+-----------+
| ID | Name | Imports | Severity |
+======+=====================+====================================+===========+
| B411 | import_xmlrpclib | - xmlrpclib | high |
+------+---------------------+------------------------------------+-----------+
B412: import_httpoxy
--------------------
httpoxy is a set of vulnerabilities that affect application code running in
CGI, or CGI-like environments. The use of CGI for web applications should be
avoided to prevent this class of attack. More details are available
at https://httpoxy.org/.
+------+---------------------+------------------------------------+-----------+
| ID   | Name                | Imports                            | Severity  |
+======+=====================+====================================+===========+
| B412 | import_httpoxy      | - wsgiref.handlers.CGIHandler      | high      |
|      |                     | - twisted.web.twcgi.CGIScript      |           |
|      |                     | - twisted.web.twcgi.CGIDirectory   |           |
+------+---------------------+------------------------------------+-----------+
B413: import_pycrypto
---------------------
pycrypto library is known to have publicly disclosed buffer overflow
vulnerability https://github.com/dlitz/pycrypto/issues/176. It is no longer
actively maintained and has been deprecated in favor of pyca/cryptography
library.
+------+---------------------+------------------------------------+-----------+
| ID | Name | Imports | Severity |
+======+=====================+====================================+===========+
| B413 | import_pycrypto | - Crypto.Cipher | high |
| | | - Crypto.Hash | |
| | | - Crypto.IO | |
| | | - Crypto.Protocol | |
| | | - Crypto.PublicKey | |
| | | - Crypto.Random | |
| | | - Crypto.Signature | |
| | | - Crypto.Util | |
+------+---------------------+------------------------------------+-----------+
B414: import_pycryptodome
-------------------------
This import blacklist has been removed. The information here has been
left for historical purposes.
pycryptodome is a direct fork of pycrypto that has not fully addressed
the issues inherent in PyCrypto. It seems to exist, mainly, as an API
compatible continuation of pycrypto and should be deprecated in favor
of pyca/cryptography which has more support among the Python community.
+------+---------------------+------------------------------------+-----------+
| ID | Name | Imports | Severity |
+======+=====================+====================================+===========+
| B414 | import_pycryptodome | - Cryptodome.Cipher | high |
| | | - Cryptodome.Hash | |
| | | - Cryptodome.IO | |
| | | - Cryptodome.Protocol | |
| | | - Cryptodome.PublicKey | |
| | | - Cryptodome.Random | |
| | | - Cryptodome.Signature | |
| | | - Cryptodome.Util | |
+------+---------------------+------------------------------------+-----------+
B415: import_pyghmi
-------------------
An IPMI-related module is being imported. IPMI is considered insecure. Use
an encrypted protocol.
+------+---------------------+------------------------------------+-----------+
| ID | Name | Imports | Severity |
+======+=====================+====================================+===========+
| B415 | import_pyghmi | - pyghmi | high |
+------+---------------------+------------------------------------+-----------+
"""
from bandit.blacklists import utils
from bandit.core import issue
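def gen_blacklist():
    """Generate a list of items to blacklist.

    Methods of this type, "bandit.blacklist" plugins, are used to build a list
    of items that bandit's built in blacklisting tests will use to trigger
    issues. They replace the older blacklist* test plugins and allow
    blacklisted items to have a unique bandit ID for filtering and profile
    usage.

    Each row of the ``entries`` table below is passed positionally to
    ``utils.build_conf_dict`` as ``(name, bid, cwe, qualnames, message,
    level)``, in the order B401..B415 (B414, import_pycryptodome, was removed;
    see the module docstring). ``{name}`` inside a message looks like a
    placeholder for the matched import path that is substituted by the
    consuming blacklist test — confirm against that code, it is not done here.

    :return: a dictionary mapping the node types "Import", "ImportFrom" and
        "Call" to one shared list of blacklist data; the same list object sits
        under all three keys, so mutating it under one key is visible under
        the others.
    """
    # Most of this is based off of Christian Heimes' work on defusedxml:
    # https://pypi.org/project/defusedxml/#defusedxml-sax
    xml_msg = (
        "Using {name} to parse untrusted XML data is known to be "
        "vulnerable to XML attacks. Replace {name} with the equivalent "
        "defusedxml package, or make sure defusedxml.defuse_stdlib() "
        "is called."
    )
    # lxml is not part of the stdlib, so defuse_stdlib() cannot cover it.
    lxml_msg = (
        "Using {name} to parse untrusted XML data is known to be "
        "vulnerable to XML attacks. Replace {name} with the "
        "equivalent defusedxml package."
    )

    # One row per blacklist ID:
    #   (name, bandit id, CWE, qualnames, message, severity)
    # The list order is preserved in the returned list.
    entries = [
        (
            "import_telnetlib",
            "B401",
            issue.Cwe.CLEARTEXT_TRANSMISSION,
            ["telnetlib"],
            "A telnet-related module is being imported. Telnet is "
            "considered insecure. Use SSH or some other encrypted protocol.",
            "HIGH",
        ),
        (
            "import_ftplib",
            "B402",
            issue.Cwe.CLEARTEXT_TRANSMISSION,
            ["ftplib"],
            "A FTP-related module is being imported. FTP is considered "
            "insecure. Use SSH/SFTP/SCP or some other encrypted protocol.",
            "HIGH",
        ),
        (
            "import_pickle",
            "B403",
            issue.Cwe.DESERIALIZATION_OF_UNTRUSTED_DATA,
            ["pickle", "cPickle", "dill", "shelve"],
            "Consider possible security implications associated with "
            "{name} module.",
            "LOW",
        ),
        (
            "import_subprocess",
            "B404",
            issue.Cwe.OS_COMMAND_INJECTION,
            ["subprocess"],
            "Consider possible security implications associated with the "
            "subprocess module.",
            "LOW",
        ),
        (
            "import_xml_etree",
            "B405",
            issue.Cwe.IMPROPER_INPUT_VALIDATION,
            ["xml.etree.cElementTree", "xml.etree.ElementTree"],
            xml_msg,
            "LOW",
        ),
        (
            "import_xml_sax",
            "B406",
            issue.Cwe.IMPROPER_INPUT_VALIDATION,
            ["xml.sax"],
            xml_msg,
            "LOW",
        ),
        (
            "import_xml_expat",
            "B407",
            issue.Cwe.IMPROPER_INPUT_VALIDATION,
            ["xml.dom.expatbuilder"],
            xml_msg,
            "LOW",
        ),
        (
            "import_xml_minidom",
            "B408",
            issue.Cwe.IMPROPER_INPUT_VALIDATION,
            ["xml.dom.minidom"],
            xml_msg,
            "LOW",
        ),
        (
            "import_xml_pulldom",
            "B409",
            issue.Cwe.IMPROPER_INPUT_VALIDATION,
            ["xml.dom.pulldom"],
            xml_msg,
            "LOW",
        ),
        (
            "import_lxml",
            "B410",
            issue.Cwe.IMPROPER_INPUT_VALIDATION,
            ["lxml"],
            lxml_msg,
            "LOW",
        ),
        (
            "import_xmlrpclib",
            "B411",
            issue.Cwe.IMPROPER_INPUT_VALIDATION,
            ["xmlrpclib"],
            # The patch helper is defusedxml.xmlrpc.monkey_patch(); the
            # previous text pointed at a non-existent "defused.xmlrpc" module.
            "Using {name} to parse untrusted XML data is known to be "
            "vulnerable to XML attacks. Use defusedxml.xmlrpc.monkey_patch() "
            "function to monkey-patch xmlrpclib and mitigate XML "
            "vulnerabilities.",
            "HIGH",
        ),
        (
            "import_httpoxy",
            "B412",
            issue.Cwe.IMPROPER_ACCESS_CONTROL,
            [
                "wsgiref.handlers.CGIHandler",
                "twisted.web.twcgi.CGIScript",
                "twisted.web.twcgi.CGIDirectory",
            ],
            "Consider possible security implications associated with "
            "{name} module.",
            "HIGH",
        ),
        (
            "import_pycrypto",
            "B413",
            issue.Cwe.BROKEN_CRYPTO,
            [
                "Crypto.Cipher",
                "Crypto.Hash",
                "Crypto.IO",
                "Crypto.Protocol",
                "Crypto.PublicKey",
                "Crypto.Random",
                "Crypto.Signature",
                "Crypto.Util",
            ],
            "The pyCrypto library and its module {name} are no longer actively"
            " maintained and have been deprecated. "
            "Consider using pyca/cryptography library.",
            "HIGH",
        ),
        # B414 (import_pycryptodome) was removed; the module docstring keeps
        # its description for historical reference only.
        (
            "import_pyghmi",
            "B415",
            issue.Cwe.CLEARTEXT_TRANSMISSION,
            ["pyghmi"],
            "An IPMI-related module is being imported. IPMI is considered "
            "insecure. Use an encrypted protocol.",
            "HIGH",
        ),
    ]

    sets = [utils.build_conf_dict(*row) for row in entries]
    # Deliberately one shared list under all three node types.
    return {"Import": sets, "ImportFrom": sets, "Call": sets}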