Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Paramiko injection test not testing SSHClient.invoke_shell() properly #375

Closed
rajathagasthya opened this issue Aug 24, 2018 · 2 comments
Closed

Paramiko injection test not testing SSHClient.invoke_shell() properly #375

rajathagasthya opened this issue Aug 24, 2018 · 2 comments
Assignees
@ericwb
Labels
bug Something isn't working

Comments

@rajathagasthya
Copy link
Contributor

While working on #374, I noticed that the paramiko injection test is not actually testing SSHClient.invoke_shell() because it can't resolve SSHClient and the function call is wrong.

Should be:

import paramiko

ssh_client = paramiko.client.SSHClient()
ssh_client.invoke_shell()

Instead of:

import paramiko

SSHClient.invoke_shell('something; bad; here\n')

Expected behavior
Bandit should flag SSHClient.invoke_shell() correctly.

Bandit version

1.5.0
@ericwb ericwb self-assigned this Aug 27, 2018
@ericwb
Copy link
Member

ericwb commented Aug 27, 2018

Actually, I agree that the paramiko example is wrong. However, Bandit is still able to flag the problems. Here's the result after changing the example:

browne-a01:bandit browne$ .tox/py36/bin/bandit examples/paramiko_injection.py 
[main]	INFO	profile include tests: None
[main]	INFO	profile exclude tests: None
[main]	INFO	cli include tests: None
[main]	INFO	cli exclude tests: None
[main]	INFO	running on Python 3.6.5
Run started:2018-08-27 18:01:15.265128

Test results:
>> Issue: [B601:paramiko_calls] Possible shell injection via Paramiko call, check inputs are properly sanitized.
   Severity: Medium   Confidence: Medium
   Location: examples/paramiko_injection.py:7
   More Info: https://bandit.readthedocs.io/en/latest/plugins/b601_paramiko_calls.html
6	# this is not safe
7	client.exec_command('something; really; unsafe')
8	

--------------------------------------------------
>> Issue: [B601:paramiko_calls] Possible shell injection via Paramiko call, check inputs are properly sanitized.
   Severity: Medium   Confidence: Medium
   Location: examples/paramiko_injection.py:13
   More Info: https://bandit.readthedocs.io/en/latest/plugins/b601_paramiko_calls.html
12	# this is not safe
13	client.invoke_shell('something; bad; here\n')

@ericwb ericwb mentioned this issue Aug 27, 2018
Merged
@ericwb ericwb added the bug Something isn't working label Sep 11, 2018
ericwb added a commit that referenced this issue Dec 10, 2018
@ericwb
Remove paramiko invoke_shell and fix example (#377)
82d67c7 
Paramiko's invoke_shell function does not take a command argument
even though the Bandit example implied that. It simply opens a stream
for communicating with a shell. Therefore, it should not be flagged
as part of the Bandit scan.

The current example of paramiko command injection does not properly
create an instance of the SSHClient before calling the functions
on the client. Instead it's calling the functions statically which
is not proper syntax.

This patches updates the plugin and example. Bandit, however, is
still functioning properly to detect the improper use of exec_command().

Fixes Issue #375

Signed-off-by: Eric Brown <browne@vmware.com>
@ericwb
Copy link
Member

ericwb commented May 9, 2019

Fixed with #377

@ericwb ericwb closed this as completed May 9, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@ericwb ericwb

Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@rajathagasthya @ericwb