Add a plugin to detect os.join with input

[ericwb]

Transfer of OpenStack blueprint to GH issue:
https://blueprints.launchpad.net/bandit/+spec/add-os-join-plugin

If os.join is used with un-filtered user input it can lead to path traversal. A plugin that detects its use could be useful for pentesting.

[spaceone]

It's acutally os.path.join()!
The vulnerability here is that user_input = '/tmp/foo' os.path.join('/var/cache/', user_input) will result in user_input.

[vanschelven]

I've implemented something like this out of the bandit repo:

https://github.com/bugsink/spoils/

No check on user_input (yet) though.