From 272fd7416ecdb708194f707c4da078209447a96e Mon Sep 17 00:00:00 2001 From: Tyler Wince Date: Mon, 13 May 2019 17:25:13 +0000 Subject: [PATCH 01/27] add namespaces for parent attributes --- bandit/core/node_visitor.py | 22 ++++++++++++-------- bandit/core/utils.py | 12 ++++++----- bandit/plugins/django_xss.py | 12 +++++------ bandit/plugins/general_hardcoded_password.py | 14 +++++++------ bandit/plugins/injection_sql.py | 18 +++++++++------- 5 files changed, 44 insertions(+), 34 deletions(-) diff --git a/bandit/core/node_visitor.py b/bandit/core/node_visitor.py index b9c51ebe5..653a28e96 100644 --- a/bandit/core/node_visitor.py +++ b/bandit/core/node_visitor.py @@ -161,8 +161,10 @@ def visit_Str(self, node): :return: - ''' self.context['str'] = node.s - if not isinstance(node.parent, ast.Expr): # docstring - self.context['linerange'] = b_utils.linerange_fix(node.parent) + if not isinstance(node.bandit_parent, ast.Expr): # docstring + self.context['linerange'] = b_utils.linerange_fix( + node.bandit_parent + ) self.update_scores(self.tester.run_tests(self.context, 'Str')) def visit_Bytes(self, node): @@ -174,8 +176,10 @@ def visit_Bytes(self, node): :return: - ''' self.context['bytes'] = node.s - if not isinstance(node.parent, ast.Expr): # docstring - self.context['linerange'] = b_utils.linerange_fix(node.parent) + if not isinstance(node.bandit_parent, ast.Expr): # docstring + self.context['linerange'] = b_utils.linerange_fix( + node.bandit_parent + ) self.update_scores(self.tester.run_tests(self.context, 'Bytes')) def pre_visit(self, node): @@ -234,10 +238,10 @@ def generic_visit(self, node): for idx, item in enumerate(value): if isinstance(item, ast.AST): if idx < max_idx: - setattr(item, 'sibling', value[idx + 1]) + setattr(item, 'bandit_sibling', value[idx + 1]) else: - setattr(item, 'sibling', None) - setattr(item, 'parent', node) + setattr(item, 'bandit_sibling', None) + setattr(item, 'bandit_parent', node) if self.pre_visit(item): self.visit(item) @@ -245,8 +249,8 @@ def generic_visit(self, node): self.post_visit(item) elif isinstance(value, ast.AST): - setattr(value, 'sibling', None) - setattr(value, 'parent', node) + setattr(value, 'bandit_sibling', None) + setattr(value, 'bandit_parent', node) if self.pre_visit(value): self.visit(value) diff --git a/bandit/core/utils.py b/bandit/core/utils.py index a16f56420..39a517eee 100644 --- a/bandit/core/utils.py +++ b/bandit/core/utils.py @@ -233,11 +233,13 @@ def linerange_fix(node): """Try and work around a known Python bug with multi-line strings.""" # deal with multiline strings lineno behavior (Python issue #16806) lines = linerange(node) - if hasattr(node, 'sibling') and hasattr(node.sibling, 'lineno'): + if hasattr(node, 'bandit_sibling') and hasattr( + node.bandit_sibling, 'lineno' + ): start = min(lines) - delta = node.sibling.lineno - start + delta = node.bandit_sibling.lineno - start if delta > 1: - return list(range(start, node.sibling.lineno)) + return list(range(start, node.bandit_sibling.lineno)) return lines @@ -264,8 +266,8 @@ def _get(node, bits, stop=None): else node.right) bits = [node] - while isinstance(node.parent, ast.BinOp): - node = node.parent + while isinstance(node.bandit_parent, ast.BinOp): + node = node.bandit_parent if isinstance(node, ast.BinOp): _get(node, bits, stop) return (node, " ".join([x.s for x in bits if isinstance(x, ast.Str)])) diff --git a/bandit/plugins/django_xss.py b/bandit/plugins/django_xss.py index 1a86a376e..c95469fff 100644 --- a/bandit/plugins/django_xss.py +++ b/bandit/plugins/django_xss.py @@ -227,9 +227,9 @@ def check_risk(node): if isinstance(xss_var, ast.Name): # Check if the var are secure - parent = node.parent + parent = node.bandit_parent while not isinstance(parent, (ast.Module, ast.FunctionDef)): - parent = parent.parent + parent = parent.bandit_parent is_param = False if isinstance(parent, ast.FunctionDef): @@ -242,17 +242,17 @@ def check_risk(node): if not is_param: secure = evaluate_var(xss_var, parent, node.lineno) elif isinstance(xss_var, ast.Call): - parent = node.parent + parent = node.bandit_parent while not isinstance(parent, (ast.Module, ast.FunctionDef)): - parent = parent.parent + parent = parent.bandit_parent secure = evaluate_call(xss_var, parent) elif isinstance(xss_var, ast.BinOp): is_mod = isinstance(xss_var.op, ast.Mod) is_left_str = isinstance(xss_var.left, ast.Str) if is_mod and is_left_str: - parent = node.parent + parent = node.bandit_parent while not isinstance(parent, (ast.Module, ast.FunctionDef)): - parent = parent.parent + parent = parent.bandit_parent new_call = transform2call(xss_var) secure = evaluate_call(new_call, parent) diff --git a/bandit/plugins/general_hardcoded_password.py b/bandit/plugins/general_hardcoded_password.py index 56f821405..dc0c91a79 100644 --- a/bandit/plugins/general_hardcoded_password.py +++ b/bandit/plugins/general_hardcoded_password.py @@ -85,23 +85,25 @@ def hardcoded_password_string(context): """ node = context.node - if isinstance(node.parent, ast.Assign): + if isinstance(node.bandit_parent, ast.Assign): # looks for "candidate='some_string'" - for targ in node.parent.targets: + for targ in node.bandit_parent.targets: if isinstance(targ, ast.Name) and RE_CANDIDATES.search(targ.id): return _report(node.s) - elif isinstance(node.parent, ast.Index) and RE_CANDIDATES.search(node.s): + elif isinstance(node.bandit_parent, ast.Index) and RE_CANDIDATES.search( + node.s + ): # looks for "dict[candidate]='some_string'" # assign -> subscript -> index -> string - assign = node.parent.parent.parent + assign = node.bandit_parent.bandit_parent.bandit_parent if isinstance(assign, ast.Assign) and isinstance(assign.value, ast.Str): return _report(assign.value.s) - elif isinstance(node.parent, ast.Compare): + elif isinstance(node.bandit_parent, ast.Compare): # looks for "candidate == 'some_string'" - comp = node.parent + comp = node.bandit_parent if isinstance(comp.left, ast.Name): if RE_CANDIDATES.search(comp.left.id): if isinstance(comp.comparators[0], ast.Str): diff --git a/bandit/plugins/injection_sql.py b/bandit/plugins/injection_sql.py index c8dbf0624..75cc3ee7f 100644 --- a/bandit/plugins/injection_sql.py +++ b/bandit/plugins/injection_sql.py @@ -85,18 +85,20 @@ def _evaluate_ast(node): wrapper = None statement = '' - if isinstance(node.parent, ast.BinOp): - out = utils.concat_string(node, node.parent) - wrapper = out[0].parent + if isinstance(node.bandit_parent, ast.BinOp): + out = utils.concat_string(node, node.bandit_parent) + wrapper = out[0].bandit_parent statement = out[1] - elif (isinstance(node.parent, ast.Attribute) - and node.parent.attr == 'format'): + elif (isinstance(node.bandit_parent, ast.Attribute) + and node.bandit_parent.attr == 'format'): statement = node.s # Hierarchy for "".format() is Wrapper -> Call -> Attribute -> Str - wrapper = node.parent.parent.parent - elif hasattr(ast, 'JoinedStr') and isinstance(node.parent, ast.JoinedStr): + wrapper = node.bandit_parent.bandit_parent.bandit_parent + elif hasattr(ast, 'JoinedStr') and isinstance( + node.bandit_parent, ast.JoinedStr + ): statement = node.s - wrapper = node.parent.parent + wrapper = node.bandit_parent.bandit_parent if isinstance(wrapper, ast.Call): # wrapped in "execute" call? names = ['execute', 'executemany'] From 7a5e8279619a46418b345711f034ffde4fa0e731 Mon Sep 17 00:00:00 2001 From: Tyler Wince Date: Mon, 13 May 2019 17:32:31 +0000 Subject: [PATCH 02/27] pylint formatting changes --- bandit/plugins/general_hardcoded_password.py | 5 ++--- bandit/plugins/injection_sql.py | 5 ++--- 2 files changed, 4 insertions(+), 6 deletions(-) diff --git a/bandit/plugins/general_hardcoded_password.py b/bandit/plugins/general_hardcoded_password.py index dc0c91a79..da564b46a 100644 --- a/bandit/plugins/general_hardcoded_password.py +++ b/bandit/plugins/general_hardcoded_password.py @@ -91,9 +91,8 @@ def hardcoded_password_string(context): if isinstance(targ, ast.Name) and RE_CANDIDATES.search(targ.id): return _report(node.s) - elif isinstance(node.bandit_parent, ast.Index) and RE_CANDIDATES.search( - node.s - ): + elif (isinstance(node.bandit_parent, ast.Index) + and RE_CANDIDATES.search(node.s)): # looks for "dict[candidate]='some_string'" # assign -> subscript -> index -> string assign = node.bandit_parent.bandit_parent.bandit_parent diff --git a/bandit/plugins/injection_sql.py b/bandit/plugins/injection_sql.py index 75cc3ee7f..6cf0cc9b5 100644 --- a/bandit/plugins/injection_sql.py +++ b/bandit/plugins/injection_sql.py @@ -94,9 +94,8 @@ def _evaluate_ast(node): statement = node.s # Hierarchy for "".format() is Wrapper -> Call -> Attribute -> Str wrapper = node.bandit_parent.bandit_parent.bandit_parent - elif hasattr(ast, 'JoinedStr') and isinstance( - node.bandit_parent, ast.JoinedStr - ): + elif (hasattr(ast, 'JoinedStr') + and isinstance(node.bandit_parent, ast.JoinedStr)): statement = node.s wrapper = node.bandit_parent.bandit_parent From 583149acbdd3e9b7e36c26c3d478bd0f9d05296e Mon Sep 17 00:00:00 2001 From: Tyler Wince Date: Wed, 15 May 2019 17:28:21 +0000 Subject: [PATCH 03/27] added _Seeker for running seek on sys.stdin --- bandit/core/manager.py | 37 ++++++++++++++++++++++++++++++++++++- 1 file changed, 36 insertions(+), 1 deletion(-) diff --git a/bandit/core/manager.py b/bandit/core/manager.py index 99d5e72ea..11338db03 100644 --- a/bandit/core/manager.py +++ b/bandit/core/manager.py @@ -22,6 +22,7 @@ import sys import tokenize import traceback +import io import six @@ -245,7 +246,7 @@ def run_tests(self): sys.stderr.flush() try: if fname == '-': - sys.stdin = os.fdopen(sys.stdin.fileno(), 'rb', 0) + sys.stdin = _Seeker(os.fdopen(sys.stdin.fileno(), 'rb', 0)) self._parse_file('', sys.stdin, new_files_list) else: with open(fname, 'rb') as fdata: @@ -322,6 +323,39 @@ def _execute_ast_visitor(self, fname, data, nosec_lines): return score +class _Seeker(object): + def __init__(self, fileobj): + self.fileobj = fileobj + self.buf = io.BytesIO() + + def _append_to_buf(self, contents): + oldpos = self.buf.tell() + self.buf.seek(0, os.SEEK_END) + self.buf.write(contents) + self.buf.seek(oldpos) + + def seek(self, size): + contents = self.fileobj.read(size) + self._append_to_buf(contents) + return contents + + def read(self, size=None): + if size is None: + return self.buf.read() + self.fileobj.read() + contents = self.buf.read(size) + if len(contents) < size: + contents += self.fileobj.read(size - len(contents)) + return contents + + def readline(self): + line = self.buf.readline() + if not line.endswith("\n".encode()): + # if not line.endswith(bytes("\n", "utf-8")): + line += self.fileobj.readline() + return line + + + def _get_files_from_dir(files_dir, included_globs=None, excluded_path_strings=None): if not included_globs: @@ -409,3 +443,4 @@ def _find_candidate_matches(unmatched_issues, results_list): unmatched == i]) return issue_candidates + From acd80a79c0b82cf45d221427a6bcd8ffd5dbfca8 Mon Sep 17 00:00:00 2001 From: Tyler Wince Date: Wed, 15 May 2019 10:34:44 -0700 Subject: [PATCH 04/27] Update node_visitor.py --- bandit/core/node_visitor.py | 1 - 1 file changed, 1 deletion(-) diff --git a/bandit/core/node_visitor.py b/bandit/core/node_visitor.py index 9b1b468ec..1f7608e7a 100644 --- a/bandit/core/node_visitor.py +++ b/bandit/core/node_visitor.py @@ -161,7 +161,6 @@ def visit_Str(self, node): :return: - ''' self.context['str'] = node.s - if not isinstance(node._bandit_parent, ast.Expr): # docstring self.context['linerange'] = b_utils.linerange_fix( node._bandit_parent From edcecbe3df1169e856ff94b0eef8d3f82f17e82b Mon Sep 17 00:00:00 2001 From: Tyler Wince Date: Wed, 15 May 2019 10:35:02 -0700 Subject: [PATCH 05/27] Update general_hardcoded_password.py --- bandit/plugins/general_hardcoded_password.py | 1 - 1 file changed, 1 deletion(-) diff --git a/bandit/plugins/general_hardcoded_password.py b/bandit/plugins/general_hardcoded_password.py index f14e6b9a9..38788f4a9 100644 --- a/bandit/plugins/general_hardcoded_password.py +++ b/bandit/plugins/general_hardcoded_password.py @@ -99,7 +99,6 @@ def hardcoded_password_string(context): if isinstance(assign, ast.Assign) and isinstance(assign.value, ast.Str): return _report(assign.value.s) - elif isinstance(node._bandit_parent, ast.Compare): # looks for "candidate == 'some_string'" comp = node._bandit_parent From ca5cfe36a635856c535795adf01277e5a2be82ba Mon Sep 17 00:00:00 2001 From: Tyler Wince Date: Wed, 15 May 2019 10:35:27 -0700 Subject: [PATCH 06/27] Update general_hardcoded_password.py --- bandit/plugins/general_hardcoded_password.py | 1 + 1 file changed, 1 insertion(+) diff --git a/bandit/plugins/general_hardcoded_password.py b/bandit/plugins/general_hardcoded_password.py index 38788f4a9..1d4d407a1 100644 --- a/bandit/plugins/general_hardcoded_password.py +++ b/bandit/plugins/general_hardcoded_password.py @@ -99,6 +99,7 @@ def hardcoded_password_string(context): if isinstance(assign, ast.Assign) and isinstance(assign.value, ast.Str): return _report(assign.value.s) + elif isinstance(node._bandit_parent, ast.Compare): # looks for "candidate == 'some_string'" comp = node._bandit_parent From 6a33c6ebdfa2dcdcf6f0a71cdf9f88cb0902445c Mon Sep 17 00:00:00 2001 From: Tyler Wince Date: Wed, 15 May 2019 17:38:37 +0000 Subject: [PATCH 07/27] pep8 fixes --- bandit/core/manager.py | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/bandit/core/manager.py b/bandit/core/manager.py index 11338db03..034bafb7a 100644 --- a/bandit/core/manager.py +++ b/bandit/core/manager.py @@ -16,13 +16,13 @@ import collections import fnmatch +import io import json import logging import os import sys import tokenize import traceback -import io import six @@ -350,12 +350,10 @@ def read(self, size=None): def readline(self): line = self.buf.readline() if not line.endswith("\n".encode()): - # if not line.endswith(bytes("\n", "utf-8")): line += self.fileobj.readline() return line - def _get_files_from_dir(files_dir, included_globs=None, excluded_path_strings=None): if not included_globs: @@ -443,4 +441,3 @@ def _find_candidate_matches(unmatched_issues, results_list): unmatched == i]) return issue_candidates - From 91543c27b4b9aad431941de3fa34c289c225019a Mon Sep 17 00:00:00 2001 From: wxu Date: Wed, 15 May 2019 14:41:42 -0400 Subject: [PATCH 08/27] added list handling for hard fname swaps --- bandit/core/manager.py | 2 ++ 1 file changed, 2 insertions(+) diff --git a/bandit/core/manager.py b/bandit/core/manager.py index 034bafb7a..73566b090 100644 --- a/bandit/core/manager.py +++ b/bandit/core/manager.py @@ -247,6 +247,8 @@ def run_tests(self): try: if fname == '-': sys.stdin = _Seeker(os.fdopen(sys.stdin.fileno(), 'rb', 0)) + new_files_list.remove(fname) + new_files_list.append('') self._parse_file('', sys.stdin, new_files_list) else: with open(fname, 'rb') as fdata: From 969e816e5287833458c25d4df5b459e760e2a7fe Mon Sep 17 00:00:00 2001 From: Tyler Wince Date: Wed, 15 May 2019 14:38:23 -0700 Subject: [PATCH 09/27] updated manager --- bandit/core/manager.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bandit/core/manager.py b/bandit/core/manager.py index 034bafb7a..39a4362a9 100644 --- a/bandit/core/manager.py +++ b/bandit/core/manager.py @@ -247,7 +247,7 @@ def run_tests(self): try: if fname == '-': sys.stdin = _Seeker(os.fdopen(sys.stdin.fileno(), 'rb', 0)) - self._parse_file('', sys.stdin, new_files_list) + self._parse_file(fname, sys.stdin, new_files_list) else: with open(fname, 'rb') as fdata: self._parse_file(fname, fdata, new_files_list) From 653510102b1e4b7b1ad1ed0c289a04ac7823a8c4 Mon Sep 17 00:00:00 2001 From: wxu Date: Wed, 15 May 2019 18:13:01 -0400 Subject: [PATCH 10/27] maintaining list order --- bandit/core/manager.py | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/bandit/core/manager.py b/bandit/core/manager.py index 73566b090..12f4cbfdb 100644 --- a/bandit/core/manager.py +++ b/bandit/core/manager.py @@ -247,8 +247,7 @@ def run_tests(self): try: if fname == '-': sys.stdin = _Seeker(os.fdopen(sys.stdin.fileno(), 'rb', 0)) - new_files_list.remove(fname) - new_files_list.append('') + new_files_list = ["" if x=="-" else x for x in new_files_list] self._parse_file('', sys.stdin, new_files_list) else: with open(fname, 'rb') as fdata: From fe741b4bf564dc51b4105457d62d884e30d3d10b Mon Sep 17 00:00:00 2001 From: Eric Brown Date: Mon, 14 Feb 2022 12:01:33 -0800 Subject: [PATCH 11/27] Update manager.py --- bandit/core/manager.py | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/bandit/core/manager.py b/bandit/core/manager.py index 6979b852f..e2650182e 100644 --- a/bandit/core/manager.py +++ b/bandit/core/manager.py @@ -271,8 +271,9 @@ def run_tests(self): try: if fname == "-": sys.stdin = _Seeker(os.fdopen(sys.stdin.fileno(), "rb", 0)) - new_files_list = ["" if x == "-" else - x for x in new_files_list] + new_files_list = [ + "" if x == "-" else x for x in new_files_list + ] self._parse_file("", sys.stdin, new_files_list) else: with open(fname, "rb") as fdata: @@ -399,7 +400,7 @@ def read(self, size=None): def readline(self): line = self.buf.readline() - if not line.endswith("\n".encode()): + if not line.endswith(b"\n"): line += self.fileobj.readline() return line From b035898a41a6aa9d7dc4920bc2ccd502fcc0130c Mon Sep 17 00:00:00 2001 From: Eric Brown Date: Mon, 14 Feb 2022 12:04:42 -0800 Subject: [PATCH 12/27] Update manager.py --- bandit/core/manager.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bandit/core/manager.py b/bandit/core/manager.py index e2650182e..e53853ab0 100644 --- a/bandit/core/manager.py +++ b/bandit/core/manager.py @@ -374,7 +374,7 @@ def _execute_ast_visitor(self, fname, data, nosec_lines): return score -class _Seeker(object): +class _Seeker: def __init__(self, fileobj): self.fileobj = fileobj self.buf = io.BytesIO() From f0e83168352f6db054208297eecb6b69a342a59d Mon Sep 17 00:00:00 2001 From: Eric Brown Date: Tue, 15 Feb 2022 18:31:04 -0800 Subject: [PATCH 13/27] Update manager.py --- bandit/core/manager.py | 42 ++++++------------------------------------ 1 file changed, 6 insertions(+), 36 deletions(-) diff --git a/bandit/core/manager.py b/bandit/core/manager.py index e53853ab0..b7f3f21e8 100644 --- a/bandit/core/manager.py +++ b/bandit/core/manager.py @@ -270,7 +270,8 @@ def run_tests(self): self._show_progress("%s.. " % count, flush=True) try: if fname == "-": - sys.stdin = _Seeker(os.fdopen(sys.stdin.fileno(), "rb", 0)) + open_fd = os.fdopen(sys.stdin.fileno(), "rb", 0) + sys.stdin = io.BytesIO(open_fd.read()) new_files_list = [ "" if x == "-" else x for x in new_files_list ] @@ -318,10 +319,10 @@ def _parse_file(self, fname, fdata, new_files_list): # nosec_lines is a dict of line number -> set of tests to ignore # for the line nosec_lines = dict() - try: - fdata.seek(0) - tokens = tokenize.tokenize(fdata.readline) - + try: + buf_data = io.BytesIO(data) + tokens = tokenize.tokenize(buf_data.readline) + if not self.ignore_nosec: for toktype, tokval, (lineno, _), _, _ in tokens: if toktype == tokenize.COMMENT: @@ -374,37 +375,6 @@ def _execute_ast_visitor(self, fname, data, nosec_lines): return score -class _Seeker: - def __init__(self, fileobj): - self.fileobj = fileobj - self.buf = io.BytesIO() - - def _append_to_buf(self, contents): - oldpos = self.buf.tell() - self.buf.seek(0, os.SEEK_END) - self.buf.write(contents) - self.buf.seek(oldpos) - - def seek(self, size): - contents = self.fileobj.read(size) - self._append_to_buf(contents) - return contents - - def read(self, size=None): - if size is None: - return self.buf.read() + self.fileobj.read() - contents = self.buf.read(size) - if len(contents) < size: - contents += self.fileobj.read(size - len(contents)) - return contents - - def readline(self): - line = self.buf.readline() - if not line.endswith(b"\n"): - line += self.fileobj.readline() - return line - - def _get_files_from_dir( files_dir, included_globs=None, excluded_path_strings=None ): From f0106e4f1cd0dada85cfcc27a7976d75438c8b44 Mon Sep 17 00:00:00 2001 From: Eric Brown Date: Tue, 15 Feb 2022 18:34:15 -0800 Subject: [PATCH 14/27] Update issue.py --- bandit/core/issue.py | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/bandit/core/issue.py b/bandit/core/issue.py index e9727a001..d4637c836 100644 --- a/bandit/core/issue.py +++ b/bandit/core/issue.py @@ -3,6 +3,7 @@ # # SPDX-License-Identifier: Apache-2.0 import linecache +import sys from bandit.core import constants @@ -171,9 +172,17 @@ def get_code(self, max_lines=3, tabbed=False): lmin = max(1, self.lineno - max_lines // 2) lmax = lmin + len(self.linerange) + max_lines - 1 + if self.fname == "": + sys.stdin.seek(0) + for line_num in range(1, lmin): + sys.stdin.readline() + tmplt = "%i\t%s" if tabbed else "%i %s" for line in range(lmin, lmax): - text = linecache.getline(self.fname, line) + if self.fname == "": + text = sys.stdin.readline() + else: + text = linecache.getline(self.fname, line) if isinstance(text, bytes): text = text.decode("utf-8") From e27cb8aaf1aca96bf35bfb330111e6d24beb66b8 Mon Sep 17 00:00:00 2001 From: Eric Brown Date: Tue, 15 Feb 2022 18:34:58 -0800 Subject: [PATCH 15/27] Update node_visitor.py --- bandit/core/node_visitor.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bandit/core/node_visitor.py b/bandit/core/node_visitor.py index 293f18d49..77836df8f 100644 --- a/bandit/core/node_visitor.py +++ b/bandit/core/node_visitor.py @@ -37,7 +37,7 @@ def __init__(self, fname, metaast, testset, debug, nosec_lines, metrics): try: self.namespace = b_utils.get_module_qualname_from_path(fname) except b_utils.InvalidModulePath: - LOG.info( + LOG.warning( "Unable to find qualified name for module: %s", self.fname ) self.namespace = "" From 410a7cfd6a531987d6a561a21e54f8bb550f65a7 Mon Sep 17 00:00:00 2001 From: Eric Brown Date: Tue, 15 Feb 2022 18:36:43 -0800 Subject: [PATCH 16/27] Update manager.py --- bandit/core/manager.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/bandit/core/manager.py b/bandit/core/manager.py index b7f3f21e8..3ccb10f81 100644 --- a/bandit/core/manager.py +++ b/bandit/core/manager.py @@ -319,10 +319,10 @@ def _parse_file(self, fname, fdata, new_files_list): # nosec_lines is a dict of line number -> set of tests to ignore # for the line nosec_lines = dict() - try: + try: buf_data = io.BytesIO(data) tokens = tokenize.tokenize(buf_data.readline) - + if not self.ignore_nosec: for toktype, tokval, (lineno, _), _, _ in tokens: if toktype == tokenize.COMMENT: From 0b43d5815b24f28f2c7eed6842149a2f41bf886a Mon Sep 17 00:00:00 2001 From: Eric Brown Date: Tue, 15 Feb 2022 18:39:55 -0800 Subject: [PATCH 17/27] Update issue.py --- bandit/core/issue.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bandit/core/issue.py b/bandit/core/issue.py index d4637c836..7c4eb2186 100644 --- a/bandit/core/issue.py +++ b/bandit/core/issue.py @@ -176,7 +176,7 @@ def get_code(self, max_lines=3, tabbed=False): sys.stdin.seek(0) for line_num in range(1, lmin): sys.stdin.readline() - + tmplt = "%i\t%s" if tabbed else "%i %s" for line in range(lmin, lmax): if self.fname == "": From 3f0139ed0aa31211d179687b149e9bb58f730f8d Mon Sep 17 00:00:00 2001 From: Eric Brown Date: Wed, 16 Feb 2022 16:19:34 -0800 Subject: [PATCH 18/27] Update context.py --- bandit/core/context.py | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/bandit/core/context.py b/bandit/core/context.py index a0b2fadf1..11887a55d 100644 --- a/bandit/core/context.py +++ b/bandit/core/context.py @@ -315,3 +315,8 @@ def is_module_imported_like(self, module): @property def filename(self): return self._context.get("filename") + + + @property + def file_data(self): + return self._context.get("file_data") From 128fb4ee671120c533c00121da0508fa55611ec3 Mon Sep 17 00:00:00 2001 From: Eric Brown Date: Wed, 16 Feb 2022 16:21:27 -0800 Subject: [PATCH 19/27] Update issue.py --- bandit/core/issue.py | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/bandit/core/issue.py b/bandit/core/issue.py index 7c4eb2186..4ab9f07b8 100644 --- a/bandit/core/issue.py +++ b/bandit/core/issue.py @@ -94,6 +94,7 @@ def __init__( self.text = text self.ident = ident self.fname = "" + self.fdata = None self.test = "" self.test_id = test_id self.lineno = lineno @@ -173,14 +174,14 @@ def get_code(self, max_lines=3, tabbed=False): lmax = lmin + len(self.linerange) + max_lines - 1 if self.fname == "": - sys.stdin.seek(0) + sys.fdata.seek(0) for line_num in range(1, lmin): - sys.stdin.readline() + self.fdata.readline() tmplt = "%i\t%s" if tabbed else "%i %s" for line in range(lmin, lmax): if self.fname == "": - text = sys.stdin.readline() + text = self.fdata.readline() else: text = linecache.getline(self.fname, line) From 217fe52ae590721270856fd1d0f296d059b5c05e Mon Sep 17 00:00:00 2001 From: Eric Brown Date: Wed, 16 Feb 2022 16:23:58 -0800 Subject: [PATCH 20/27] Update manager.py --- bandit/core/manager.py | 18 ++++++++++++------ 1 file changed, 12 insertions(+), 6 deletions(-) diff --git a/bandit/core/manager.py b/bandit/core/manager.py index 3ccb10f81..3d9c78929 100644 --- a/bandit/core/manager.py +++ b/bandit/core/manager.py @@ -271,11 +271,11 @@ def run_tests(self): try: if fname == "-": open_fd = os.fdopen(sys.stdin.fileno(), "rb", 0) - sys.stdin = io.BytesIO(open_fd.read()) + fdata = io.BytesIO(open_fd.read()) new_files_list = [ "" if x == "-" else x for x in new_files_list ] - self._parse_file("", sys.stdin, new_files_list) + self._parse_file("", fdata, new_files_list) else: with open(fname, "rb") as fdata: self._parse_file(fname, fdata, new_files_list) @@ -320,7 +320,7 @@ def _parse_file(self, fname, fdata, new_files_list): # for the line nosec_lines = dict() try: - buf_data = io.BytesIO(data) + fdata.seek(0) tokens = tokenize.tokenize(buf_data.readline) if not self.ignore_nosec: @@ -330,7 +330,7 @@ def _parse_file(self, fname, fdata, new_files_list): except tokenize.TokenError: pass - score = self._execute_ast_visitor(fname, data, nosec_lines) + score = self._execute_ast_visitor(fname, fdata, data, nosec_lines) self.scores.append(score) self.metrics.count_issues( [ @@ -357,7 +357,7 @@ def _parse_file(self, fname, fdata, new_files_list): LOG.debug(" Exception string: %s", e) LOG.debug(" Exception traceback: %s", traceback.format_exc()) - def _execute_ast_visitor(self, fname, data, nosec_lines): + def _execute_ast_visitor(self, fname, fdata, data, nosec_lines): """Execute AST parse on each file :param fname: The name of the file being parsed @@ -367,7 +367,13 @@ def _execute_ast_visitor(self, fname, data, nosec_lines): """ score = [] res = b_node_visitor.BanditNodeVisitor( - fname, self.b_ma, self.b_ts, self.debug, nosec_lines, self.metrics + fname, + fdata, + self.b_ma, + self.b_ts, + self.debug, + nosec_lines, + self.metrics ) score = res.process(data) From 1a9b389e01ca8fb9c11522fc2026882061004bc4 Mon Sep 17 00:00:00 2001 From: Eric Brown Date: Wed, 16 Feb 2022 16:25:09 -0800 Subject: [PATCH 21/27] Update node_visitor.py --- bandit/core/node_visitor.py | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/bandit/core/node_visitor.py b/bandit/core/node_visitor.py index 77836df8f..eee0d1c07 100644 --- a/bandit/core/node_visitor.py +++ b/bandit/core/node_visitor.py @@ -15,7 +15,7 @@ class BanditNodeVisitor: - def __init__(self, fname, metaast, testset, debug, nosec_lines, metrics): + def __init__(self, fname, fdata, metaast, testset, debug, nosec_lines, metrics): self.debug = debug self.nosec_lines = nosec_lines self.seen = 0 @@ -25,6 +25,7 @@ def __init__(self, fname, metaast, testset, debug, nosec_lines, metrics): } self.depth = 0 self.fname = fname + self.fdata = fdata self.metaast = metaast self.testset = testset self.imports = set() @@ -214,6 +215,7 @@ def pre_visit(self, node): self.context["node"] = node self.context["linerange"] = b_utils.linerange_fix(node) self.context["filename"] = self.fname + self.context["file_data"] = self.fdata self.seen += 1 LOG.debug( From 4ab2d4a1f1975aa784c1865f7a946487d2de916c Mon Sep 17 00:00:00 2001 From: Eric Brown Date: Wed, 16 Feb 2022 16:25:33 -0800 Subject: [PATCH 22/27] Update tester.py --- bandit/core/tester.py | 1 + 1 file changed, 1 insertion(+) diff --git a/bandit/core/tester.py b/bandit/core/tester.py index 6ae22d4ad..834fa37d1 100644 --- a/bandit/core/tester.py +++ b/bandit/core/tester.py @@ -61,6 +61,7 @@ def run_tests(self, raw_context, checktype): result.fname = temp_context["filename"].decode("utf-8") else: result.fname = temp_context["filename"] + result.fdata = temp_context["file_data"] if result.lineno is None: result.lineno = temp_context["lineno"] From c42e501c8d46371d6ea024a8614a97e8506dcc1f Mon Sep 17 00:00:00 2001 From: Eric Brown Date: Wed, 16 Feb 2022 16:26:58 -0800 Subject: [PATCH 23/27] Update issue.py --- bandit/core/issue.py | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/bandit/core/issue.py b/bandit/core/issue.py index 4ab9f07b8..2ef6763c2 100644 --- a/bandit/core/issue.py +++ b/bandit/core/issue.py @@ -3,7 +3,6 @@ # # SPDX-License-Identifier: Apache-2.0 import linecache -import sys from bandit.core import constants @@ -174,7 +173,7 @@ def get_code(self, max_lines=3, tabbed=False): lmax = lmin + len(self.linerange) + max_lines - 1 if self.fname == "": - sys.fdata.seek(0) + self.fdata.seek(0) for line_num in range(1, lmin): self.fdata.readline() From e583627b6f18b261ca07cea50af423a63b53cba2 Mon Sep 17 00:00:00 2001 From: Eric Brown Date: Wed, 16 Feb 2022 16:35:10 -0800 Subject: [PATCH 24/27] Update manager.py --- bandit/core/manager.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bandit/core/manager.py b/bandit/core/manager.py index 3d9c78929..84f315b9f 100644 --- a/bandit/core/manager.py +++ b/bandit/core/manager.py @@ -321,7 +321,7 @@ def _parse_file(self, fname, fdata, new_files_list): nosec_lines = dict() try: fdata.seek(0) - tokens = tokenize.tokenize(buf_data.readline) + tokens = tokenize.tokenize(fdata.readline) if not self.ignore_nosec: for toktype, tokval, (lineno, _), _, _ in tokens: From 86ffba323a747a2f1f4cc89a9b144511cc1eae3b Mon Sep 17 00:00:00 2001 From: Eric Brown Date: Wed, 16 Feb 2022 16:38:21 -0800 Subject: [PATCH 25/27] Update context.py --- bandit/core/context.py | 1 - 1 file changed, 1 deletion(-) diff --git a/bandit/core/context.py b/bandit/core/context.py index 11887a55d..801b36466 100644 --- a/bandit/core/context.py +++ b/bandit/core/context.py @@ -316,7 +316,6 @@ def is_module_imported_like(self, module): def filename(self): return self._context.get("filename") - @property def file_data(self): return self._context.get("file_data") From a5e44ba97ddb90acb3191e63ae93821d6e68526a Mon Sep 17 00:00:00 2001 From: Eric Brown Date: Wed, 16 Feb 2022 16:42:11 -0800 Subject: [PATCH 26/27] Update node_visitor.py --- bandit/core/node_visitor.py | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/bandit/core/node_visitor.py b/bandit/core/node_visitor.py index eee0d1c07..efa491bd2 100644 --- a/bandit/core/node_visitor.py +++ b/bandit/core/node_visitor.py @@ -15,7 +15,9 @@ class BanditNodeVisitor: - def __init__(self, fname, fdata, metaast, testset, debug, nosec_lines, metrics): + def __init__( + self, fname, fdata, metaast, testset, debug, nosec_lines, metrics + ): self.debug = debug self.nosec_lines = nosec_lines self.seen = 0 From 2e9b2d4fcb1de50a3e1e375123be8768326b182d Mon Sep 17 00:00:00 2001 From: Eric Brown Date: Wed, 16 Feb 2022 16:44:42 -0800 Subject: [PATCH 27/27] Update manager.py --- bandit/core/manager.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bandit/core/manager.py b/bandit/core/manager.py index 84f315b9f..895dc7bd6 100644 --- a/bandit/core/manager.py +++ b/bandit/core/manager.py @@ -373,7 +373,7 @@ def _execute_ast_visitor(self, fname, fdata, data, nosec_lines): self.b_ts, self.debug, nosec_lines, - self.metrics + self.metrics, ) score = res.process(data)