While working on #374, I noticed that the paramiko injection test is not actually testing SSHClient.invoke_shell() because it can't resolve SSHClient and the function call is wrong.
Actually, I agree that the paramiko example is wrong. However, Bandit is still able to flag the problems. Here's the result after changing the example:
browne-a01:bandit browne$ .tox/py36/bin/bandit examples/paramiko_injection.py
[main] INFO profile include tests: None
[main] INFO profile exclude tests: None
[main] INFO cli include tests: None
[main] INFO cli exclude tests: None
[main] INFO running on Python 3.6.5
Run started:2018-08-27 18:01:15.265128
Test results:
>> Issue: [B601:paramiko_calls] Possible shell injection via Paramiko call, check inputs are properly sanitized.
Severity: Medium Confidence: Medium
Location: examples/paramiko_injection.py:7
More Info: https://bandit.readthedocs.io/en/latest/plugins/b601_paramiko_calls.html
6 # this is not safe
7 client.exec_command('something; really; unsafe')
8
--------------------------------------------------
>> Issue: [B601:paramiko_calls] Possible shell injection via Paramiko call, check inputs are properly sanitized.
Severity: Medium Confidence: Medium
Location: examples/paramiko_injection.py:13
More Info: https://bandit.readthedocs.io/en/latest/plugins/b601_paramiko_calls.html
12 # this is not safe
13 client.invoke_shell('something; bad; here\n')
Paramiko's invoke_shell function does not take a command argument
even though the Bandit example implied that. It simply opens a stream
for communicating with a shell. Therefore, it should not be flagged
as part of the Bandit scan.
The current example of paramiko command injection does not properly
create an instance of the SSHClient before calling the functions
on the client. Instead it's calling the functions statically which
is not proper syntax.
This patch updates the plugin and example. Bandit, however, is
still functioning properly to detect the improper use of exec_command().
Fixes Issue #375
Signed-off-by: Eric Brown <browne@vmware.com>
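To make the distinction in the commit message concrete, here is an added, reduced re-implementation of the B601 logic using only the `ast` module; it is not Bandit's own plugin code. It assumes a constructed sample modelled on the corrected example (a real SSHClient instance, `exec_command()` with an unsanitised string, and `invoke_shell()` with no command argument) and only reports `exec_command()` when `paramiko` is imported.

```python
import ast

# Constructed sample modelled on the corrected examples/paramiko_injection.py:
# an SSHClient instance, an unsafe exec_command() call on line 7, and an
# invoke_shell() call that only opens a channel and so should not be flagged.
SAMPLE = """\
import paramiko

client = paramiko.client.SSHClient()
client.connect('somehost')

# this is not safe
client.exec_command('something; really; unsafe')

# this is not a command call: invoke_shell only opens an interactive channel
chan = client.invoke_shell()
chan.send('something')
"""

# Hypothetical reduced rule set: after the fix, invoke_shell is no longer listed.
FLAGGED_CALLS = {"exec_command"}


def imports_paramiko(tree):
    """True if the module imports paramiko (plain import or from-import)."""
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            if any(alias.name.split(".")[0] == "paramiko" for alias in node.names):
                return True
        elif isinstance(node, ast.ImportFrom):
            if node.module and node.module.split(".")[0] == "paramiko":
                return True
    return False


def find_paramiko_issues(source):
    """Return (line, function name) for each call the reduced B601 rule reports."""
    tree = ast.parse(source)
    if not imports_paramiko(tree):
        return []
    issues = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute):
            if node.func.attr in FLAGGED_CALLS:
                issues.append((node.lineno, node.func.attr))
    return issues


if __name__ == "__main__":
    for line, name in find_paramiko_issues(SAMPLE):
        print(f"B601 paramiko_calls: {name}() at line {line}")
```

Running it reports only the `exec_command()` call on line 7, matching the location in the scan output above, while `invoke_shell()` is left alone.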
While working on #374, I noticed that the paramiko injection test is not actually testing SSHClient.invoke_shell() because it can't resolve SSHClient and the function call is wrong.
Should be:
Instead of:
Expected behavior
Bandit should flag SSHClient.invoke_shell() correctly.
Bandit version