
False-positive when Loader= not used in yaml.load(foo, yaml.SafeLoader) #546

Closed
KevinHock opened this issue Oct 11, 2019 · 0 comments · Fixed by #927
Assignees
Labels
bug Something isn't working

Comments

@KevinHock

Summary

In the fix for #437, we forgot to handle positional arguments; it seems context.get_call_arg_at_position [1] can resolve this. PR #436 has all the related code one needs to edit.

Given yaml.load(foo, yaml.SafeLoader) (note: no Loader= keyword argument), we will alert off of it.

p.s. Labels: good first issue, accuracy

[1]

```python
def get_call_arg_at_position(self, position_num):
    '''Returns positional argument at the specified position (if it exists)'''
```

@lukehinds lukehinds self-assigned this Apr 13, 2020
@lukehinds lukehinds added the bug Something isn't working label Apr 13, 2020
ericwb added a commit to ericwb/bandit that referenced this issue Jul 9, 2022
The yaml.load() function has a second argument that is typically
passed as a kwarg. However, someone could pass it as a positional
argument as well. In such a case, Bandit would flag code passing
a SafeLoader even though that is validly secure.

The fix involves looking at the positional args. However, the
convenience function to do so also had no handling of ast.Attribute
as args. So get_call_arg_at_position() was modified to function much
like call_args().

Closes PyCQA#546

Signed-off-by: Eric Brown <eric_wade_brown@yahoo.com>
ericwb added a commit that referenced this issue Jul 10, 2022
The yaml.load() function has a second argument that is typically
passed as a kwarg. However, someone could pass it as a positional
argument as well. In such a case, Bandit would flag code passing
a SafeLoader even though that is validly secure.

The fix involves looking at the positional args. However, the
convenience function to do so also had no handling of ast.Attribute
as args. So get_call_arg_at_position() was modified to function much
like call_args().

Closes #546

Signed-off-by: Eric Brown <eric_wade_brown@yahoo.com>
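The behaviour the issue asks for and the commit message describes (resolving the loader whether it arrives as Loader= or as the second positional argument, including the ast.Attribute form yaml.SafeLoader) can be shown with a small stand-alone AST walker. The block below is an added example written for this page, not Bandit's own code: the set of accepted loader names, the dotted-name helper and the sample source are assumptions, and it only recognises the yaml.load attribute form, not a bare load imported from yaml.

```python
"""Added example (not Bandit's code): resolve the Loader argument of
yaml.load() whether it is passed as a keyword or positionally, so a
SafeLoader passed positionally is not reported as unsafe."""
import ast

# Assumption: loader names treated as safe for untrusted input. Verify this
# list against the Bandit version in use before relying on it.
SAFE_LOADERS = {"SafeLoader", "CSafeLoader"}


def _name_of(node):
    """Return a dotted name for ast.Name / ast.Attribute nodes, else None.

    Handling ast.Attribute here is what lets yaml.SafeLoader resolve when it
    is passed positionally (the case in the commit message above)."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = _name_of(node.value)
        return f"{base}.{node.attr}" if base else node.attr
    return None


def loader_of(call):
    """Return the loader name given to a call: Loader= wins, else position 1."""
    for kw in call.keywords:
        if kw.arg == "Loader":
            return _name_of(kw.value)
    if len(call.args) > 1:  # yaml.load(stream, Loader) positional form
        return _name_of(call.args[1])
    return None


def find_unsafe_yaml_loads(source):
    """Return (lineno, loader) for each yaml.load call lacking a safe loader."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        if _name_of(node.func) != "yaml.load":
            continue
        loader = loader_of(node)
        short = loader.rsplit(".", 1)[-1] if loader else None
        if short not in SAFE_LOADERS:
            findings.append((node.lineno, loader))
    return sorted(findings, key=lambda f: f[0])


# Constructed sample input covering the keyword, positional and missing forms.
SAMPLE = """\
import yaml
a = yaml.load(doc, Loader=yaml.SafeLoader)   # safe, keyword form
b = yaml.load(doc, yaml.SafeLoader)          # safe, positional form (#546)
c = yaml.load(doc, yaml.Loader)              # unsafe: full loader
d = yaml.load(doc)                           # unsafe: no loader given
"""

if __name__ == "__main__":
    for lineno, loader in find_unsafe_yaml_loads(SAMPLE):
        print(f"line {lineno}: yaml.load with loader={loader!r}")
```

Run against SAMPLE, only lines 4 and 5 are reported; line 3, the positional SafeLoader that triggered this issue, is correctly left alone. The check is deliberately name-based: a loader bound to another variable first (l = yaml.SafeLoader; yaml.load(doc, l)) resolves to "l" and is reported, which errs on the side of a finding rather than silence.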