# Copyright 2015 IBM Corp.
#
# SPDX-License-Identifier: Apache-2.0
import os
import re
import tempfile
import textwrap
from unittest import mock
import uuid

import fixtures
import testtools

from bandit.core import config
from bandit.core import utils
class TempFile(fixtures.Fixture):
    """Fixture that writes ``contents`` to a throw-away file.

    The file is created with ``suffix`` (``.yaml`` unless overridden; the
    TOML test class passes ``.toml``) and unlinked again during fixture
    cleanup.  After ``setUp`` its path is available as ``self.name``.
    """

    def __init__(self, contents=None, suffix='.yaml'):
        super().__init__()
        self.contents = contents
        self.suffix = suffix

    def setUp(self):
        super().setUp()
        handle = tempfile.NamedTemporaryFile(
            suffix=self.suffix, mode='wt', delete=False)
        with handle as out:
            # Empty/None contents leave the file empty on disk.
            if self.contents:
                out.write(self.contents)
            # delete=False keeps the path alive past the context manager;
            # the cleanup hook removes it when the test finishes.
            self.addCleanup(os.unlink, out.name)
            self.name = out.name
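class TestInit(testtools.TestCase):
    """Construction of ``BanditConfig`` from a config file path."""

    def test_settings(self):
        # A BanditConfig built from a one-line YAML mapping exposes both the
        # built-in settings and the options read from the file.
        example_key = uuid.uuid4().hex
        example_value = self.getUniqueString()
        contents = '%s: %s' % (example_key, example_value)
        f = self.useFixture(TempFile(contents))
        b_config = config.BanditConfig(f.name)
        self.assertEqual('*.py', b_config.get_setting('plugin_name_pattern'))
        self.assertEqual({example_key: example_value}, b_config.config)
        self.assertEqual(example_value, b_config.get_option(example_key))

    def test_file_does_not_exist(self):
        # A missing config file raises ConfigError whose message names the
        # offending path.
        cfg_file = os.path.join(os.getcwd(), 'notafile')
        # The path is used as a regex by assertRaisesRegex; escape it so a
        # metacharacter in the working directory (e.g. '+', '(' or a Windows
        # backslash) cannot make the match fail or succeed spuriously.
        self.assertRaisesRegex(utils.ConfigError, re.escape(cfg_file),
                               config.BanditConfig, cfg_file)

    def test_yaml_invalid(self):
        # Malformed YAML raises ConfigError whose message names the file.
        # The sample is invalid because it opens a sequence and never
        # closes it.
        invalid_yaml = '- [ something'
        f = self.useFixture(TempFile(invalid_yaml))
        self.assertRaisesRegex(
            utils.ConfigError, re.escape(f.name), config.BanditConfig, f.name)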
class TestGetOption(testtools.TestCase):
    """``BanditConfig.get_option`` lookups against a nested YAML mapping."""

    def setUp(self):
        super().setUp()
        self.example_key = uuid.uuid4().hex
        self.example_subkey = uuid.uuid4().hex
        self.example_subvalue = uuid.uuid4().hex
        # One top-level key holding a single-entry mapping.
        nested_yaml = textwrap.dedent("""
            %s:
                %s: %s
            """ % (self.example_key, self.example_subkey,
                   self.example_subvalue))
        cfg = self.useFixture(TempFile(nested_yaml))
        self.b_config = config.BanditConfig(cfg.name)

    def test_levels(self):
        # A dot-separated option name walks down the nested mapping.
        dotted = '.'.join((self.example_key, self.example_subkey))
        self.assertEqual(self.example_subvalue,
                         self.b_config.get_option(dotted))

    def test_levels_not_exist(self):
        # An unknown dotted path yields None instead of raising.
        dotted = '.'.join((uuid.uuid4().hex, uuid.uuid4().hex))
        self.assertIsNone(self.b_config.get_option(dotted))
class TestGetSetting(testtools.TestCase):
    """``BanditConfig.get_setting`` behaviour for unknown setting names."""

    def setUp(self):
        super().setUp()
        cfg = self.useFixture(TempFile('key: value'))
        self.b_config = config.BanditConfig(cfg.name)

    def test_not_exist(self):
        # A setting name that was never defined yields None.
        unknown = uuid.uuid4().hex
        self.assertIsNone(self.b_config.get_setting(unknown))
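class TestConfigCompat(testtools.TestCase):
    """Conversion of legacy (profile/blacklist) config data to the new format.

    ``sample`` is a legacy YAML config; ``suffix`` picks the file extension
    the fixture writes it under.  ``TestTomlConfig`` overrides both to run
    the same assertions against the TOML form.
    """

    sample = textwrap.dedent("""
        profiles:
            test_1:
                include:
                    - any_other_function_with_shell_equals_true
                    - assert_used
                exclude:

            test_2:
                include:
                    - blacklist_calls

            test_3:
                include:
                    - blacklist_imports

            test_4:
                exclude:
                    - assert_used

            test_5:
                exclude:
                    - blacklist_calls
                    - blacklist_imports

            test_6:
                include:
                    - blacklist_calls
                exclude:
                    - blacklist_imports

        blacklist_calls:
            bad_name_sets:
                - pickle:
                    qualnames: [pickle.loads]
                    message: "{func} library appears to be in use."

        blacklist_imports:
            bad_import_sets:
                - telnet:
                    imports: [telnetlib]
                    level: HIGH
                    message: "{module} is considered insecure."
        """)
    suffix = '.yaml'

    def setUp(self):
        super().setUp()
        f = self.useFixture(TempFile(self.sample, suffix=self.suffix))
        self.config = config.BanditConfig(f.name)

    def test_converted_include(self):
        # Legacy test names in 'include' are mapped to plugin ids.
        profiles = self.config.get_option('profiles')
        test = profiles['test_1']
        data = {'blacklist': {},
                'exclude': set(),
                'include': {'B101', 'B604'}}
        self.assertEqual(data, test)

    def test_converted_exclude(self):
        # Legacy test names in 'exclude' are mapped the same way.
        profiles = self.config.get_option('profiles')
        test = profiles['test_4']
        self.assertEqual({'B101'}, test['exclude'])

    def test_converted_blacklist_call_data(self):
        # Blacklist data attached to a profile that includes blacklist_calls.
        profiles = self.config.get_option('profiles')
        test = profiles['test_2']
        data = {'Call': [{'qualnames': ['telnetlib'],
                          'level': 'HIGH',
                          'message': '{name} is considered insecure.',
                          'name': 'telnet'}]}
        self.assertEqual(data, test['blacklist'])

    def test_converted_blacklist_import_data(self):
        # Blacklist data attached to a profile that includes blacklist_imports
        # is registered for Call, Import and ImportFrom nodes alike.
        profiles = self.config.get_option('profiles')
        test = profiles['test_3']
        data = [{'message': '{name} library appears to be in use.',
                 'name': 'pickle',
                 'qualnames': ['pickle.loads']}]
        self.assertEqual(data, test['blacklist']['Call'])
        self.assertEqual(data, test['blacklist']['Import'])
        self.assertEqual(data, test['blacklist']['ImportFrom'])

    def test_converted_blacklist_call_test(self):
        # Including a legacy blacklist test pulls in the B001 plugin.
        profiles = self.config.get_option('profiles')
        test = profiles['test_2']
        self.assertEqual({'B001'}, test['include'])

    def test_converted_blacklist_import_test(self):
        profiles = self.config.get_option('profiles')
        test = profiles['test_3']
        self.assertEqual({'B001'}, test['include'])

    def test_converted_exclude_blacklist(self):
        # Excluding legacy blacklist tests excludes B001.
        profiles = self.config.get_option('profiles')
        test = profiles['test_5']
        self.assertEqual({'B001'}, test['exclude'])

    def test_deprecation_message(self):
        # Legacy config data triggers a single warning pointing at the
        # migration tool; the path argument is passed through unchanged.
        msg = ("Config file '%s' contains deprecated legacy config data. "
               "Please consider upgrading to the new config format. The tool "
               "'bandit-config-generator' can help you with this. Support for "
               "legacy configs will be removed in a future bandit version.")
        with mock.patch('bandit.core.config.LOG.warning') as m:
            self.config._config = {"profiles": {}}
            self.config.validate('')
            self.assertEqual((msg, ''), m.call_args_list[0][0])

    def test_blacklist_error(self):
        # A profile referencing a legacy blacklist test without matching
        # configuration data must be rejected with a descriptive error.
        msg = (" : Config file has an include or exclude reference to legacy "
               "test '%s' but no configuration data for it. Configuration "
               "data is required for this test. Please consider switching to "
               "the new config file format, the tool "
               "'bandit-config-generator' can help you with this.")
        for name in ["blacklist_call",
                     "blacklist_imports",
                     "blacklist_imports_func"]:
            self.config._config = (
                {"profiles": {"test": {"include": [name]}}})
            # assertRaises rather than try/except: the old form passed
            # vacuously whenever validate() accepted the bad config.
            # testtools' assertRaises returns the caught exception.
            e = self.assertRaises(utils.ConfigError, self.config.validate, '')
            self.assertEqual(msg % name, e.message)

    def test_bad_yaml(self):
        # A top-level YAML sequence is not a config mapping and must be
        # rejected at construction time, not silently accepted.
        f = self.useFixture(TempFile("[]"))
        e = self.assertRaises(utils.ConfigError, config.BanditConfig, f.name)
        self.assertIn("Error parsing file.", e.message)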
class TestTomlConfig(TestConfigCompat):
    """Re-run the legacy-compat assertions with the config written as TOML.

    Only the sample document and the file suffix differ; every test method
    is inherited from ``TestConfigCompat``.
    """

    sample = textwrap.dedent("""
        [tool.bandit.profiles.test_1]
        include = [
            "any_other_function_with_shell_equals_true",
            "assert_used",
        ]

        [tool.bandit.profiles.test_2]
        include = ["blacklist_calls"]

        [tool.bandit.profiles.test_3]
        include = ["blacklist_imports"]

        [tool.bandit.profiles.test_4]
        exclude = ["assert_used"]

        [tool.bandit.profiles.test_5]
        exclude = ["blacklist_calls", "blacklist_imports"]

        [tool.bandit.profiles.test_6]
        include = ["blacklist_calls"]
        exclude = ["blacklist_imports"]

        [[tool.bandit.blacklist_calls.bad_name_sets]]
        [tool.bandit.blacklist_calls.bad_name_sets.pickle]
        qualnames = ["pickle.loads"]
        message = "{func} library appears to be in use."

        [[tool.bandit.blacklist_imports.bad_import_sets]]
        [tool.bandit.blacklist_imports.bad_import_sets.telnet]
        imports = ["telnetlib"]
        level = "HIGH"
        message = "{module} is considered insecure."
        """)
    # The suffix selects the TOML path in BanditConfig for the same fixture.
    suffix = '.toml'