From 7c993d2c10ae2207091ab2bc5f85ed25549fb28e Mon Sep 17 00:00:00 2001
From: Eric Brown
Date: Sun, 6 Feb 2022 20:41:07 -0800
Subject: [PATCH] Remove redundant Python 3.6 code

Bandit no longer supports Pytyon 3.6 and earlier since those are end-of-life. Therefore there is no longer a need to have any code that conditional checks on versions as early as that. This change cleans up the sql_statements check to only be for Python 3.7 and later. Closes #800
Signed-off-by: Eric Brown
---
 examples/sql_statements-py36.py | 41 -----------------------
 tests/functional/test_functional.py | 50 +++++++++--------------------
 2 files changed, 15 insertions(+), 76 deletions(-)
 delete mode 100644 examples/sql_statements-py36.py

diff --git a/examples/sql_statements-py36.py b/examples/sql_statements-py36.py
deleted file mode 100644
index 590320528..000000000
--- a/examples/sql_statements-py36.py
+++ /dev/null
@@ -1,41 +0,0 @@
-import sqlalchemy
-
-# bad
-query = "SELECT * FROM foo WHERE id = '%s'" % identifier
-query = "INSERT INTO foo VALUES ('a', 'b', '%s')" % value
-query = "DELETE FROM foo WHERE id = '%s'" % identifier
-query = "UPDATE foo SET value = 'b' WHERE id = '%s'" % identifier
-query = """WITH cte AS (SELECT x FROM foo)
-SELECT x FROM cte WHERE x = '%s'""" % identifier
-# bad alternate forms
-query = "SELECT * FROM foo WHERE id = '" + identifier + "'"
-query = "SELECT * FROM foo WHERE id = '{}'".format(identifier)
-query = f"SELECT * FROM foo WHERE id = {tmp}"
-
-# bad
-cur.execute("SELECT * FROM foo WHERE id = '%s'" % identifier)
-cur.execute("INSERT INTO foo VALUES ('a', 'b', '%s')" % value)
-cur.execute("DELETE FROM foo WHERE id = '%s'" % identifier)
-cur.execute("UPDATE foo SET value = 'b' WHERE id = '%s'" % identifier)
-# bad alternate forms
-cur.execute("SELECT * FROM foo WHERE id = '" + identifier + "'")
-cur.execute("SELECT * FROM foo WHERE id = '{}'".format(identifier))
-cur.execute(f"SELECT * FROM foo WHERE id {tmp}")
-
-# good
-cur.execute("SELECT * FROM foo WHERE id = '%s'", identifier)
-cur.execute("INSERT INTO foo VALUES ('a', 'b', '%s')", value)
-cur.execute("DELETE FROM foo WHERE id = '%s'", identifier)
-cur.execute("UPDATE foo SET value = 'b' WHERE id = '%s'", identifier)
-
-# bug: https://bugs.launchpad.net/bandit/+bug/1479625
-def a():
- def b():
- pass
- return b
-
-a()("SELECT %s FROM foo" % val)
-
-# real world false positives
-choices=[('server_list', _("Select from active instances"))]
-print("delete from the cache as the first argument")

diff --git a/tests/functional/test_functional.py b/tests/functional/test_functional.py
index c0a8030a5..bc7f6cfe7 100644
--- a/tests/functional/test_functional.py
+++ b/tests/functional/test_functional.py
@@ -385,41 +385,21 @@ def test_ignore_skip(self):
 def test_sql_statements(self):
 """Test for SQL injection through string building."""
- filename = "sql_statements{}.py"
- if sys.version_info <= (3, 6):
- filename = filename.format("")
- expect = {
- "SEVERITY": {
- "UNDEFINED": 0,
- "LOW": 0,
- "MEDIUM": 14,
- "HIGH": 0,
- },
- "CONFIDENCE": {
- "UNDEFINED": 0,
- "LOW": 8,
- "MEDIUM": 6,
- "HIGH": 0,
- },
- }
- else:
- filename = filename.format("-py36")
- expect = {
- "SEVERITY": {
- "UNDEFINED": 0,
- "LOW": 0,
- "MEDIUM": 16,
- "HIGH": 0,
- },
- "CONFIDENCE": {
- "UNDEFINED": 0,
- "LOW": 9,
- "MEDIUM": 7,
- "HIGH": 0,
- },
- }
-
- self.check_example(filename, expect)
+ expect = {
+ "SEVERITY": {
+ "UNDEFINED": 0,
+ "LOW": 0,
+ "MEDIUM": 14,
+ "HIGH": 0,
+ },
+ "CONFIDENCE": {
+ "UNDEFINED": 0,
+ "LOW": 8,
+ "MEDIUM": 6,
+ "HIGH": 0,
+ },
+ }
+ self.check_example("sql_statements.py", expect)
 def test_ssl_insecure_version(self):
 """Test for insecure SSL protocol versions."""
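Review bot: The new expectation silently drops the f-string cases from the SQL-injection functional test: the old >3.6 branch ran the deleted examples/sql_statements-py36.py, which carried `query = f"SELECT * FROM foo WHERE id = {tmp}"` and `cur.execute(f"SELECT * FROM foo WHERE id {tmp}")`, and expected 16 MEDIUM / 9 LOW / 7 MEDIUM findings, whereas the retained sql_statements.py is now pinned at 14 / 8 / 6 — presumably the same example set minus those two lines (the file itself is outside this diff). If so, the two f-string lines should be moved into examples/sql_statements.py and the counts here raised to `"MEDIUM": 16,`, `"LOW": 9,` and `"MEDIUM": 7,`, otherwise the only string-building form that is new since 3.6 is the one left untested after this cleanup. A one-line comment above the dict, such as `# counts cover %-format, +, .format() and f-string forms in examples/sql_statements.py`, would make the expected breakdown checkable by the next person editing the example file. Separately, if this was the module's only use of `sys.version_info`, the top-level `import sys` (outside the hunk) is now unused. test_ssl_insecure_version continues past the end of the hunk.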