Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Remove paramiko invoke_shell and fix example #377

Merged
merged 2 commits into from Dec 10, 2018
Merged

Remove paramiko invoke_shell and fix example #377

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
12655e3
Remove paramiko invoke_shell and fix example
ericwb Aug 27, 2018
235f940
Merge branch 'master' into paramiko_example
ericwb Dec 10, 2018
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
17 changes: 4 additions & 13 deletions bandit/plugins/injection_paramiko.py
View file
Open in desktop
Expand Up @@ -23,9 +23,8 @@
(encrypted and authenticated) connections to remote machines. It is intended to
run commands on a remote host. These commands are run within a shell on the
target and are thus vulnerable to various shell injection attacks. Bandit
reports a MEDIUM issue when it detects the use of Paramiko's "exec_command" or
"invoke_shell" methods advising the user to check inputs are correctly
sanitized.
reports a MEDIUM issue when it detects the use of Paramiko's "exec_command"
method advising the user to check inputs are correctly sanitized.

:Example:

Expand All @@ -36,17 +35,9 @@
Severity: Medium Confidence: Medium
Location: ./examples/paramiko_injection.py:4
3 # this is not safe
4 paramiko.exec_command('something; reallly; unsafe')
4 paramiko.exec_command('something; really; unsafe')
5

>> Issue: Possible shell injection via Paramiko call, check inputs are
properly sanitized.
Severity: Medium Confidence: Medium
Location: ./examples/paramiko_injection.py:10
9 # this is not safe
10 SSHClient.invoke_shell('something; bad; here\n')
11

.. seealso::

- https://security.openstack.org
Expand All @@ -68,7 +59,7 @@ def paramiko_calls(context):
'are properly sanitized.')
for module in ['paramiko']:
if context.is_module_imported_like(module):
if context.call_function_name in ['exec_command', 'invoke_shell']:
if context.call_function_name in ['exec_command']:
return bandit.Issue(severity=bandit.MEDIUM,
confidence=bandit.MEDIUM,
text=issue_text)
9 changes: 4 additions & 5 deletions examples/paramiko_injection.py
View file
Open in desktop
@@ -1,11 +1,10 @@
import paramiko

# this is not safe
paramiko.exec_command('something; really; unsafe')

# this is safe
paramiko.connect('somehost')
client = paramiko.client.SSHClient()

# this is not safe
SSHClient.invoke_shell('something; bad; here\n')
client.exec_command('something; really; unsafe')

# this is safe
client.connect('somehost')
4 changes: 2 additions & 2 deletions tests/functional/test_functional.py
View file
Open in desktop
Expand Up @@ -612,8 +612,8 @@ def test_asserts(self):
def test_paramiko_injection(self):
'''Test paramiko command execution.'''
expect = {
'SEVERITY': {'UNDEFINED': 0, 'LOW': 0, 'MEDIUM': 2, 'HIGH': 0},
'CONFIDENCE': {'UNDEFINED': 0, 'LOW': 0, 'MEDIUM': 2, 'HIGH': 0}
'SEVERITY': {'UNDEFINED': 0, 'LOW': 0, 'MEDIUM': 1, 'HIGH': 0},
'CONFIDENCE': {'UNDEFINED': 0, 'LOW': 0, 'MEDIUM': 1, 'HIGH': 0}
}
self.check_example('paramiko_injection.py', expect)

Expand Down