False positive on token_fail_reason #843

Open
jshcodes opened this issue Mar 3, 2022 · 1 comment
Labels
bug Something isn't working

jshcodes commented Mar 3, 2022

Describe the bug

Up until this latest release, our bandit workflows have delivered passing results without issue. With our latest commit, 1.7.3 was installed and our unit testing failed with the following:

```text
Issue: [B105:hardcoded_password_string] Possible hardcoded password: 'Unexpected API response received'
   Severity: Low   Confidence: Medium
   CWE: CWE-259 (https://cwe.mitre.org/data/definitions/259.html)
   Location: src/falconpy/oauth2.py:157:41
   More Info: https://bandit.readthedocs.io/en/1.7.3/plugins/b105_hardcoded_password_string.html
156	                returned = generate_error_result("Unexpected API response received", 403)
157	                self.token_fail_reason = "Unexpected API response received"
158	                self.token_status = 403
```

Impacted code block

```python
if isinstance(returned, dict):
    self.token_status = returned["status_code"]
    if self.token_status == 201:
        self.token_expiration = returned["body"]["expires_in"]
        self.token_time = time.time()
        self.token_value = returned["body"]["access_token"]
        self.token_fail_reason = None
        # unrelated code continues...
else:
    # Line 157 (the flagged one) is the plain error-message assignment below.
    returned = generate_error_result("Unexpected API response received", 403)
    self.token_fail_reason = "Unexpected API response received"
    self.token_status = 403
```

Reproduction steps

Started occurring with the 1.7.3 install. (I've confirmed it's not an issue in 1.7.0 - 1.7.2)

Expected behavior

I don't believe there is a problem with the code above.

Bandit version

1.7.3 (Default)

Python version

3.10 (Default)

Additional context

Appears to be similar to issue #842.

ericwb (Member) commented Mar 3, 2022

Looks like a false positive as a result of #766, which now examines function calls with attributes that have the word "token" within them.

The hardcoded password/token/etc. check tends to have a lower confidence to detect guaranteed cases of a hardcoded secret. You can always add a # nosec comment to ignore this instance.
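To make the behaviour discussed in this thread concrete, here is an added example (not Bandit's own code and not part of falconpy) that models the B105 attribute-name heuristic and the line-level `# nosec` suppression in a few dozen lines of `ast`. The name pattern is an approximation of the candidate-word pattern B105 is documented to use (password/pass/pwd/token/secret, delimited by underscores or the ends of the identifier); the `OAuth2` snippet it is run over is constructed for the example and only loosely mirrors the falconpy code above. It shows why `token_fail_reason = "Unexpected API response received"` matches (the identifier starts with `token_` and the value is a non-empty string literal) while an identically valued `status_message` does not, and that a `# nosec` marker on the line silences the finding.

```python
"""Simplified model of Bandit's B105 attribute-name heuristic plus ``# nosec``.

Added example: this is not Bandit's implementation and not falconpy code.
Assumption: RE_CANDIDATE approximates the candidate-name pattern B105 uses.
"""
import ast
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumption: approximation of B105's credential-looking identifier words.
RE_WORDS = r"(pas+wo?r?d|pass(phrase)?|pwd|token|secrete?)"
RE_CANDIDATE = re.compile(
    rf"(^{RE_WORDS}$|_{RE_WORDS}_|^{RE_WORDS}_|_{RE_WORDS}$)", re.IGNORECASE
)


@dataclass(frozen=True)
class Finding:
    lineno: int
    target: str
    value: str


def _target_name(node: ast.expr) -> Optional[str]:
    """Bare identifier of a Name or Attribute target (self.x -> 'x')."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        return node.attr
    return None


def find_hardcoded_secret_strings(source: str) -> List[Finding]:
    """Flag ``<credential-looking name> = "<non-empty literal>"`` assignments.

    An assignment whose source line carries ``# nosec`` is skipped, which is
    the line-level suppression the maintainer suggests above.
    """
    lines = source.splitlines()
    findings: List[Finding] = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, (ast.Assign, ast.AnnAssign)):
            continue
        value = getattr(node, "value", None)
        if not (isinstance(value, ast.Constant) and isinstance(value.value, str)):
            continue  # ints, None, call results etc. are never "hardcoded strings"
        if not value.value:
            continue  # empty string: nothing to leak
        if "# nosec" in lines[node.lineno - 1]:
            continue  # explicitly suppressed on this line
        targets = node.targets if isinstance(node, ast.Assign) else [node.target]
        for target in targets:
            name = _target_name(target)
            if name and RE_CANDIDATE.search(name):
                findings.append(Finding(node.lineno, name, value.value))
    return sorted(findings, key=lambda f: f.lineno)


# Constructed sample, loosely modelled on the falconpy snippet in this issue.
SAMPLE = '''\
class OAuth2:
    def token(self, returned):
        if isinstance(returned, dict):
            self.token_status = returned["status_code"]
            self.token_fail_reason = None
        else:
            self.token_fail_reason = "Unexpected API response received"
            self.token_status = 403
            self.api_password = "hunter2"
            self.status_message = "Unexpected API response received"
'''

# Same code with the false positive suppressed the way the maintainer suggests.
SUPPRESSED = SAMPLE.replace(
    'self.token_fail_reason = "Unexpected API response received"',
    'self.token_fail_reason = "Unexpected API response received"  # nosec B105',
)

if __name__ == "__main__":
    for f in find_hardcoded_secret_strings(SAMPLE):
        print(f"line {f.lineno}: {f.target} = {f.value!r}")
    print("after # nosec:", find_hardcoded_secret_strings(SUPPRESSED))
```

Running it reports line 7 (`token_fail_reason`, the false positive) and line 9 (`api_password`, a genuine hit), and nothing for `status_message`; on the suppressed variant only line 9 remains. The alternative to `# nosec B105` is renaming the attribute so it no longer starts with `token_` (for example `auth_failure_reason`), which removes the trigger without disabling the check on that line.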

Segelzwerg added a commit to Whist-Team/Whist-Server that referenced this issue Mar 5, 2022
jshcodes added a commit to CrowdStrike/falconpy that referenced this issue Mar 9, 2022
jshcodes added a commit to CrowdStrike/falconpy that referenced this issue Mar 9, 2022
jshcodes added a commit to CrowdStrike/falconpy that referenced this issue Mar 10, 2022