Handling Python source files using a non-UTF8 encoding

PyCQA · Nov 16, 2021 · e59ae35 · e59ae35
1 parent 1061513
commit e59ae35
Show file tree

Hide file tree

Showing 3 changed files with 21 additions and 3 deletions.
diff --git a/bandit/plugins/trojansource.py b/bandit/plugins/trojansource.py
@@ -14,7 +14,7 @@
 
 .. code-block:: none
 
-    >> Issue: [B113:trojansource] A Python source file seems to contain bidirectional control characters ('\u202e').
+    >> Issue: [B113:trojansource] A Python source file contains bidirectional control characters ('\u202e').
        Severity: High   Confidence: Medium
        Location: examples/trojansource.py:0:0
 
@@ -27,6 +27,8 @@
 
 """  # noqa: E501
 
+from tokenize import detect_encoding
+
 import bandit
 from bandit.core import test_properties as test
 
@@ -37,7 +39,9 @@
 @test.test_id('B113')
 @test.checks('File')
 def trojansource(context):
-    with open(context.filename, encoding='utf8') as src_file:
+    with open(context.filename, 'rb') as src_file:
+        encoding, _ = detect_encoding(src_file.readline)
+    with open(context.filename, encoding=encoding) as src_file:
         for lineno, line in enumerate(src_file.readlines(), start=1):
             for char in BIDI_CHARACTERS:
                 try:
@@ -47,7 +51,7 @@ def trojansource(context):
                 return bandit.Issue(
                     severity=bandit.HIGH,
                     confidence=bandit.MEDIUM,
-                    text="A Python source file seems to contain bidirectional control characters (%r)." % char,
+                    text="A Python source file contains bidirectional control characters (%r)." % char,
                     lineno=lineno,
                     col_offset=col_offset,
                 )
diff --git a/examples/trojansource_latin1.py b/examples/trojansource_latin1.py
@@ -0,0 +1,7 @@
+#!/usr/bin/env python3
+# -*- coding: latin-1 -*-
+# cf. https://trojansource.codes & https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42574
+# Some special characters: àçéêèù
+access_level = "user"
+if access_level != 'none??': # Check if admin ??' and access_level != 'user
+    print("You are an admin.\n")
diff --git a/tests/functional/test_functional.py b/tests/functional/test_functional.py
@@ -797,3 +797,10 @@ def test_trojansource(self):
             'CONFIDENCE': {'UNDEFINED': 0, 'LOW': 0, 'MEDIUM': 1, 'HIGH': 0}
         }
         self.check_example('trojansource.py', expect)
+
+    def test_trojansource_latin1(self):
+        expect = {
+            'SEVERITY': {'UNDEFINED': 0, 'LOW': 0, 'MEDIUM': 0, 'HIGH': 0},
+            'CONFIDENCE': {'UNDEFINED': 0, 'LOW': 0, 'MEDIUM': 0, 'HIGH': 0}
+        }
+        self.check_example('trojansource_latin1.py', expect)