From 07393a8db61378d3d51ebc07990135fde7cd9fbc Mon Sep 17 00:00:00 2001 From: Luke Hinds Date: Mon, 30 Mar 2020 11:26:01 +0100 Subject: [PATCH 1/9] Drop Python 2 Support Python 2 is well beyond EOL now and will soon be removed from github's workflows This PR seeks to remove all calls / references and tests that rely on Python 2. * Remove six imports and six.Py2 conditionals * Remove Py2 calls from github workflows * Merged example files (e.g exec-py2.py|exec-py3.py > exec.py) * Removed py2 env from setuptools * Removed py2 env from tox Resolves: #584 --- .github/workflows/pythonpackage.yml | 28 +++------------- bandit/core/manager.py | 7 +--- bandit/formatters/html.py | 11 ++----- bandit/formatters/utils.py | 9 ----- bandit/formatters/xml.py | 7 +--- bandit/plugins/django_xss.py | 33 ++++--------------- bandit/plugins/exec.py | 17 +++------- .../plugins/general_bad_file_permissions.py | 4 +-- bandit/plugins/injection_shell.py | 4 +-- examples/exec-py2.py | 2 -- examples/{exec-py3.py => exec.py} | 0 examples/os-chmod-py2.py | 17 ---------- examples/{os-chmod-py3.py => os-chmod.py} | 0 setup.cfg | 2 -- tests/functional/test_functional.py | 30 ++++------------- tests/functional/test_runtime.py | 9 ++--- tox.ini | 2 +- 17 files changed, 33 insertions(+), 149 deletions(-) delete mode 100644 examples/exec-py2.py rename examples/{exec-py3.py => exec.py} (100%) delete mode 100644 examples/os-chmod-py2.py rename examples/{os-chmod-py3.py => os-chmod.py} (100%) diff --git a/.github/workflows/pythonpackage.yml b/.github/workflows/pythonpackage.yml index e8e2ce524..811769722 100644 --- a/.github/workflows/pythonpackage.yml +++ b/.github/workflows/pythonpackage.yml @@ -7,7 +7,7 @@ jobs: runs-on: ubuntu-latest strategy: matrix: - python-version: [2.7] + python-version: [3.5] steps: - uses: actions/checkout@v1 - name: Set up Python ${{ matrix.python-version }} 
@@ -22,12 +22,12 @@ jobs: pip install tox - name: Run tox run: tox -e pylint - + pep8: runs-on: ubuntu-latest strategy: matrix: - python-version: [2.7] + python-version: [3.5] steps: - uses: actions/checkout@v1 - name: Set up Python ${{ matrix.python-version }} @@ -43,26 +43,6 @@ jobs: - name: Run tox run: tox -e pep8 - py27: - runs-on: ubuntu-latest - strategy: - matrix: - python-version: [2.7] - steps: - - uses: actions/checkout@v1 - - name: Set up Python ${{ matrix.python-version }} - uses: actions/setup-python@v1 - with: - python-version: ${{ matrix.python-version }} - - name: Install dependencies - run: | - python -m pip install --upgrade pip - pip install -r requirements.txt - pip install -r test-requirements.txt - pip install tox - - name: Run tox - run: tox -e py27 - py35: runs-on: ubuntu-latest strategy: @@ -102,7 +82,7 @@ jobs: pip install tox - name: Run tox run: tox -e py36 - + py37: runs-on: ubuntu-latest strategy: diff --git a/bandit/core/manager.py b/bandit/core/manager.py index 956d0673b..363c06593 100644 --- a/bandit/core/manager.py +++ b/bandit/core/manager.py @@ -13,8 +13,6 @@ import tokenize import traceback -import six - from bandit.core import constants as b_constants from bandit.core import extension_loader from bandit.core import issue @@ -269,10 +267,7 @@ def _parse_file(self, fname, fdata, new_files_list): else: try: fdata.seek(0) - if six.PY2: - tokens = tokenize.generate_tokens(fdata.readline) - else: - tokens = tokenize.tokenize(fdata.readline) + tokens = tokenize.tokenize(fdata.readline) nosec_lines = set( lineno for toktype, tokval, (lineno, _), _, _ in tokens if toktype == tokenize.COMMENT and diff --git a/bandit/formatters/html.py b/bandit/formatters/html.py index 29c008b70..fb0f0ce33 100644 --- a/bandit/formatters/html.py +++ b/bandit/formatters/html.py 
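Review bot: The filter of the set comprehension fed by the new `tokens = tokenize.tokenize(fdata.readline)` line reads `toktype == tokenize.COMMENT and '#nosec' in tokval or '# nosec' in tokval`, which Python parses as `(toktype == COMMENT and '#nosec' in tokval) or ('# nosec' in tokval)`, so a non-comment token such as a string literal containing `# nosec` marks its line as suppressed. Suggested: `if toktype == tokenize.COMMENT and ('#nosec' in tokval or '# nosec' in tokval)`. Note also that `tokenize.tokenize` requires `readline` to return bytes, which depends on how `fdata` was opened outside this hunk. The same filter appears as context in the PATCH 6/9 hunk of bandit/core/manager.py. `_parse_file` begins and ends outside the hunk.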
@@ -145,16 +145,11 @@ import logging import sys -import six - from bandit.core import docs_utils from bandit.core import test_properties from bandit.formatters import utils -if not six.PY2: - from html import escape as html_escape -else: - from cgi import escape as html_escape +from html import escape as html_escape LOG = logging.getLogger(__name__) @@ -377,8 +372,8 @@ def report(manager, fileobj, sev_level, conf_level, lines=-1): with fileobj: wrapped_file = utils.wrap_file_object(fileobj) - wrapped_file.write(utils.convert_file_contents(header_block)) - wrapped_file.write(utils.convert_file_contents(report_contents)) + wrapped_file.write(header_block) + wrapped_file.write(report_contents) if fileobj.name != sys.stdout.name: LOG.info("HTML output written to file: %s", fileobj.name) diff --git a/bandit/formatters/utils.py b/bandit/formatters/utils.py index 172fa8a77..eee762f12 100644 --- a/bandit/formatters/utils.py +++ b/bandit/formatters/utils.py @@ -5,8 +5,6 @@ import io -import six - def wrap_file_object(fileobj): """Handle differences in Python 2 and 3 around writing bytes.""" @@ -24,10 +22,3 @@ def wrap_file_object(fileobj): # Finally, we've determined that the fileobj passed in cannot handle text, # so we use TextIOWrapper to handle the conversion for us. return io.TextIOWrapper(fileobj) - - -def convert_file_contents(text): - """Convert text to built-in strings on Python 2.""" - if not six.PY2: - return text - return str(text.encode('utf-8')) diff --git a/bandit/formatters/xml.py b/bandit/formatters/xml.py index a21e80024..522571595 100644 --- a/bandit/formatters/xml.py +++ b/bandit/formatters/xml.py @@ -35,8 +35,6 @@ import sys from xml.etree import cElementTree as ET -import six - from bandit.core import docs_utils LOG = logging.getLogger(__name__) 
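Review bot: Replacing `cgi.escape` with `html.escape` changes the default quoting: `cgi.escape` left `"` and `'` alone unless `quote=True` was passed, while `html.escape` escapes both by default, so text built with `html_escape(...)` now differs from the Python 2 output. That is the safer behaviour for values placed inside HTML attributes, but it is a silent output change worth recording next to the import, e.g. `# html.escape quotes ' and " by default (cgi.escape did not); relied on for attribute contexts`. Whether any call site passed an explicit `quote=` argument is not visible in this hunk.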
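Review bot: The docstring of `wrap_file_object`, `"""Handle differences in Python 2 and 3 around writing bytes."""`, is left in place although this series removes Python 2 support, so it now describes a distinction that no longer exists. Based on the body shown in the second hunk of this file, a replacement such as `"""Return a text-capable view of *fileobj*, wrapping byte streams in io.TextIOWrapper."""` describes what remains. The function body continues past the end of the hunk.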
@@ -71,10 +69,7 @@ def report(manager, fileobj, sev_level, conf_level, lines=-1): tree = ET.ElementTree(root) if fileobj.name == sys.stdout.name: - if six.PY2: - fileobj = sys.stdout - else: - fileobj = sys.stdout.buffer + fileobj = sys.stdout.buffer elif fileobj.mode == 'w': fileobj.close() fileobj = open(fileobj.name, "wb") diff --git a/bandit/plugins/django_xss.py b/bandit/plugins/django_xss.py index 30578e117..ef0effcd8 100644 --- a/bandit/plugins/django_xss.py +++ b/bandit/plugins/django_xss.py @@ -45,27 +45,12 @@ def is_assigned(self, node): return assigned assigned = self.is_assigned_in(node.body) elif isinstance(node, ast.With): - if six.PY2: - if node.optional_vars.id == self.var_name.id: + for withitem in node.items: + if withitem.optional_vars.id == self.var_name.id: assigned = node else: assigned = self.is_assigned_in(node.body) - else: - for withitem in node.items: - if withitem.optional_vars.id == self.var_name.id: - assigned = node - else: - assigned = self.is_assigned_in(node.body) - elif six.PY2 and isinstance(node, ast.TryFinally): - assigned = [] - assigned.extend(self.is_assigned_in(node.body)) - assigned.extend(self.is_assigned_in(node.finalbody)) - elif six.PY2 and isinstance(node, ast.TryExcept): - assigned = [] - assigned.extend(self.is_assigned_in(node.body)) - assigned.extend(self.is_assigned_in(node.handlers)) - assigned.extend(self.is_assigned_in(node.orelse)) - elif not six.PY2 and isinstance(node, ast.Try): + elif isinstance(node, ast.Try): assigned = [] assigned.extend(self.is_assigned_in(node.body)) assigned.extend(self.is_assigned_in(node.handlers)) 
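Review bot: The new `for withitem in node.items:` loop dereferences `withitem.optional_vars.id` unconditionally, but `optional_vars` is `None` for a `with expr:` statement without `as`, and is an `ast.Tuple` or `ast.Attribute` (neither has `.id`) for `with f() as (a, b):` or `with f() as self.x:`, so scanning such code raises `AttributeError`. A guard such as `if isinstance(withitem.optional_vars, ast.Name) and withitem.optional_vars.id == self.var_name.id:` keeps the comparison to plain names. Note also that with several items the `else` branch of a later item overwrites the `assigned = node` set by an earlier match; a `break` after the match would avoid that. `is_assigned` extends beyond the hunk on both sides.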
@@ -149,12 +134,12 @@ def evaluate_call(call, parent, ignore_nodes=None): if isinstance(call, ast.Call) and isinstance(call.func, ast.Attribute): if isinstance(call.func.value, ast.Str) and call.func.attr == 'format': evaluate = True - if call.keywords or (six.PY2 and call.kwargs): + if call.keywords or call.kwargs: evaluate = False # TODO(??) get support for this if evaluate: args = list(call.args) - if six.PY2 and call.starargs and isinstance(call.starargs, + if call.starargs and isinstance(call.starargs, (ast.List, ast.Tuple)): args.extend(call.starargs.elts) @@ -172,7 +157,7 @@ def evaluate_call(call, parent, ignore_nodes=None): num_secure += 1 else: break - elif not six.PY2 and isinstance(arg, ast.Starred) and isinstance( + elif isinstance(arg, ast.Starred) and isinstance( arg.value, (ast.List, ast.Tuple)): args.extend(arg.value.elts) num_secure += 1 @@ -191,18 +176,14 @@ def transform2call(var): new_call = ast.Call() new_call.args = [] new_call.args = [] - if six.PY2: - new_call.starargs = None new_call.keywords = None - if six.PY2: - new_call.kwargs = None new_call.lineno = var.lineno new_call.func = ast.Attribute() new_call.func.value = var.left new_call.func.attr = 'format' if isinstance(var.right, ast.Tuple): new_call.args = var.right.elts - elif six.PY2 and isinstance(var.right, ast.Dict): + elif isinstance(var.right, ast.Dict): new_call.kwargs = var.right else: new_call.args = [var.right] diff --git a/bandit/plugins/exec.py b/bandit/plugins/exec.py index 3d7d8c2d7..806a95ae2 100644 --- a/bandit/plugins/exec.py +++ b/bandit/plugins/exec.py @@ -32,8 +32,6 @@ .. versionadded:: 0.9.0 """ -import six - import bandit from bandit.core import test_properties as test 
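Review bot: Dropping the `six.PY2 and` guard in `if call.keywords or call.kwargs:` turns a dead branch into a live one, and `ast.Call` has no `kwargs` (or `starargs`) attribute on Python 3.5+, so every parsed call whose `keywords` list is empty now raises `AttributeError` when `call.kwargs` is evaluated. PATCH 5/9 later removes the `call.starargs` block but leaves `call.kwargs`; the condition should read `if call.keywords:`. The same applies to the `@@ -191,18 +176,14 @@` hunk of `transform2call`, where `new_call.keywords = None` and `new_call.kwargs = var.right` build a node of the old shape; the Python 3 equivalent is `new_call.keywords = []` and, in the `ast.Dict` branch, `new_call.keywords = [ast.keyword(arg=None, value=var.right)]`. `evaluate_call` begins and ends outside this hunk.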
@@ -45,15 +43,8 @@ def exec_issue(): text="Use of exec detected." ) - -if six.PY2: - @test.checks('Exec') - @test.test_id('B102') - def exec_used(context): +@test.checks('Call') +@test.test_id('B102') +def exec_used(context): + if context.call_function_name_qual == 'exec': return exec_issue() -else: - @test.checks('Call') - @test.test_id('B102') - def exec_used(context): - if context.call_function_name_qual == 'exec': - return exec_issue() diff --git a/bandit/plugins/general_bad_file_permissions.py b/bandit/plugins/general_bad_file_permissions.py index f02a85219..1b4b231f6 100644 --- a/bandit/plugins/general_bad_file_permissions.py +++ b/bandit/plugins/general_bad_file_permissions.py @@ -25,14 +25,14 @@ >> Issue: Probable insecure usage of temp file/directory. Severity: Medium Confidence: Medium - Location: ./examples/os-chmod-py2.py:15 + Location: ./examples/os-chmod.py:15 14 os.chmod('/etc/hosts', 0o777) 15 os.chmod('/tmp/oh_hai', 0x1ff) 16 os.chmod('/etc/passwd', stat.S_IRWXU) >> Issue: Chmod setting a permissive mask 0777 on file (key_file). Severity: High Confidence: High - Location: ./examples/os-chmod-py2.py:17 + Location: ./examples/os-chmod.py:17 16 os.chmod('/etc/passwd', stat.S_IRWXU) 17 os.chmod(key_file, 0o777) 18 diff --git a/bandit/plugins/injection_shell.py b/bandit/plugins/injection_shell.py index 210716643..c528ec785 100644 --- a/bandit/plugins/injection_shell.py +++ b/bandit/plugins/injection_shell.py @@ -7,8 +7,6 @@ import ast import re -import six - import bandit from bandit.core import test_properties as test @@ -91,7 +89,7 @@ def has_shell(context): result = bool(val.keys) elif isinstance(val, ast.Name) and val.id in ['False', 'None']: result = False - elif not six.PY2 and isinstance(val, ast.NameConstant): + elif isinstance(val, ast.NameConstant): result = val.value else: result = True diff --git a/examples/exec-py2.py b/examples/exec-py2.py deleted file mode 100644 index ae36c573f..000000000 --- a/examples/exec-py2.py +++ /dev/null 
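Review bot: The branch `elif isinstance(val, ast.NameConstant): result = val.value` now runs on every supported interpreter, and `ast.NameConstant` is deprecated from Python 3.8, where `shell=True` parses to `ast.Constant` and the check only matches through the deprecated compatibility shim. While 3.5 stays in the matrix and in `python_requires`, `ast.Constant` cannot be referenced directly, so a comment on this line, e.g. `# NameConstant is deprecated in 3.8+ (values parse as ast.Constant); switch once 3.5 support ends`, keeps the upgrade from being forgotten; the `ast.Str` checks in bandit/plugins/django_xss.py are in the same position. `has_shell` extends beyond the hunk on both sides.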
@@ -1,2 +0,0 @@ -exec("do evil") -exec "do evil" \ No newline at end of file diff --git a/examples/exec-py3.py b/examples/exec.py similarity index 100% rename from examples/exec-py3.py rename to examples/exec.py diff --git a/examples/os-chmod-py2.py b/examples/os-chmod-py2.py deleted file mode 100644 index 847512aff..000000000 --- a/examples/os-chmod-py2.py +++ /dev/null @@ -1,17 +0,0 @@ -import os -import stat - -keyfile = 'foo' - -os.chmod('/etc/passwd', 0227) -os.chmod('/etc/passwd', 07) -os.chmod('/etc/passwd', 0664) -os.chmod('/etc/passwd', 0777) -os.chmod('/etc/passwd', 0o770) -os.chmod('/etc/passwd', 0o776) -os.chmod('/etc/passwd', 0o760) -os.chmod('~/.bashrc', 511) -os.chmod('/etc/hosts', 0o777) -os.chmod('/tmp/oh_hai', 0x1ff) -os.chmod('/etc/passwd', stat.S_IRWXU) -os.chmod(key_file, 0o777) diff --git a/examples/os-chmod-py3.py b/examples/os-chmod.py similarity index 100% rename from examples/os-chmod-py3.py rename to examples/os-chmod.py diff --git a/setup.cfg b/setup.cfg index f0ec29c01..a6f4ac40a 100644 --- a/setup.cfg +++ b/setup.cfg @@ -16,8 +16,6 @@ classifier = Operating System :: POSIX :: Linux Operating System :: MacOS :: MacOS X Programming Language :: Python - Programming Language :: Python :: 2 - Programming Language :: Python :: 2.7 Programming Language :: Python :: 3 Programming Language :: Python :: 3.5 Programming Language :: Python :: 3.6 diff --git a/tests/functional/test_functional.py b/tests/functional/test_functional.py index e3b73702d..d394fc775 100644 --- a/tests/functional/test_functional.py +++ b/tests/functional/test_functional.py @@ -7,7 +7,6 @@ import os import sys -import six import testtools from bandit.core import config as b_config 
@@ -150,22 +149,12 @@ def test_mark_safe(self): def test_exec(self): '''Test the `exec` example.''' - filename = 'exec-{}.py' - if six.PY2: - filename = filename.format('py2') - expect = { - 'SEVERITY': {'UNDEFINED': 0, 'LOW': 0, 'MEDIUM': 2, 'HIGH': 0}, - 'CONFIDENCE': {'UNDEFINED': 0, 'LOW': 0, 'MEDIUM': 0, - 'HIGH': 2} - } - else: - filename = filename.format('py3') - expect = { - 'SEVERITY': {'UNDEFINED': 0, 'LOW': 0, 'MEDIUM': 1, 'HIGH': 0}, - 'CONFIDENCE': {'UNDEFINED': 0, 'LOW': 0, 'MEDIUM': 0, - 'HIGH': 1} - } - self.check_example(filename, expect) + expect = { + 'SEVERITY': {'UNDEFINED': 0, 'LOW': 0, 'MEDIUM': 1, 'HIGH': 0}, + 'CONFIDENCE': {'UNDEFINED': 0, 'LOW': 0, 'MEDIUM': 0, + 'HIGH': 1} + } + self.check_example('exec.py', expect) def test_hardcoded_passwords(self): '''Test for hard-coded passwords.''' @@ -286,16 +275,11 @@ def test_subdirectory_okay(self): def test_os_chmod(self): '''Test setting file permissions.''' - filename = 'os-chmod-{}.py' - if six.PY2: - filename = filename.format('py2') - else: - filename = filename.format('py3') expect = { 'SEVERITY': {'UNDEFINED': 0, 'LOW': 0, 'MEDIUM': 2, 'HIGH': 8}, 'CONFIDENCE': {'UNDEFINED': 0, 'LOW': 0, 'MEDIUM': 1, 'HIGH': 9} } - self.check_example(filename, expect) + self.check_example('os-chmod.py', expect) def test_os_exec(self): '''Test for `os.exec*`.''' diff --git a/tests/functional/test_runtime.py b/tests/functional/test_runtime.py index b77a606b9..9d4f7e367 100644 --- a/tests/functional/test_runtime.py +++ b/tests/functional/test_runtime.py @@ -5,7 +5,6 @@ import os import subprocess -import six import testtools 
@@ -103,12 +102,8 @@ def test_example_nonsense2(self): ) self.assertEqual(0, retcode) self.assertIn("Files skipped (1):", output) - if six.PY2: - self.assertIn("nonsense2.py (exception while scanning file)", - output) - else: - self.assertIn("nonsense2.py (syntax error while parsing AST", - output) + self.assertIn("nonsense2.py (syntax error while parsing AST", + output) def test_example_imports(self): (retcode, output) = self._test_example(['bandit', ], ['imports.py', ]) diff --git a/tox.ini b/tox.ini index 1bafb7ca1..fded4fbd3 100644 --- a/tox.ini +++ b/tox.ini @@ -1,6 +1,6 @@ [tox] minversion = 2.0 -envlist = py35,py27,pep8 +envlist = py35,pep8 skipsdist = True [testenv] From 5262e9b16da61556a5346129878d594ff35df263 Mon Sep 17 00:00:00 2001 From: Luke Hinds Date: Mon, 30 Mar 2020 13:05:05 +0100 Subject: [PATCH 2/9] Remove six.PY2 else name.arg or Py2 removal --- bandit/plugins/django_xss.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/bandit/plugins/django_xss.py b/bandit/plugins/django_xss.py index ef0effcd8..67475d9a7 100644 --- a/bandit/plugins/django_xss.py +++ b/bandit/plugins/django_xss.py @@ -87,7 +87,7 @@ def evaluate_var(xss_var, parent, until, ignore_nodes=None): if isinstance(xss_var, ast.Name): if isinstance(parent, ast.FunctionDef): for name in parent.args.args: - arg_name = name.id if six.PY2 else name.arg + arg_name = name.id if arg_name == xss_var.id: return False # Params are not secure @@ -205,7 +205,7 @@ def check_risk(node): is_param = False if isinstance(parent, ast.FunctionDef): for name in parent.args.args: - arg_name = name.id if six.PY2 else name.arg + arg_name = name.id if arg_name == xss_var.id: is_param = True break From a961195effc21b93cea48c417f649da3b695c2a2 Mon Sep 17 00:00:00 2001 From: Luke Hinds Date: Mon, 30 Mar 2020 14:56:33 +0100 Subject: [PATCH 3/9] Revert to name.arg from name.id --- bandit/plugins/django_xss.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/bandit/plugins/django_xss.py b/bandit/plugins/django_xss.py index 67475d9a7..8992dcc49 100644 --- a/bandit/plugins/django_xss.py +++ b/bandit/plugins/django_xss.py @@ -87,7 +87,7 @@ def evaluate_var(xss_var, parent, until, ignore_nodes=None): if isinstance(xss_var, ast.Name): if isinstance(parent, ast.FunctionDef): for name in parent.args.args: - arg_name = name.id + arg_name = name.arg if arg_name == xss_var.id: return False # Params are not secure From a661660290ae988ad0419502ca0cb569a51c7300 Mon Sep 17 00:00:00 2001 From: Luke Hinds Date: Mon, 30 Mar 2020 15:22:18 +0100 Subject: [PATCH 4/9] Final arg_name = name.id revert --- bandit/plugins/django_xss.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bandit/plugins/django_xss.py b/bandit/plugins/django_xss.py index 8992dcc49..94585225e 100644 --- a/bandit/plugins/django_xss.py +++ b/bandit/plugins/django_xss.py @@ -205,7 +205,7 @@ def check_risk(node): is_param = False if isinstance(parent, ast.FunctionDef): for name in parent.args.args: - arg_name = name.id + arg_name = name.arg if arg_name == xss_var.id: is_param = True break From 897373b38d8c6916d9a04df985ab3b037cdb8ed6 Mon Sep 17 00:00:00 2001 From: Luke Hinds Date: Mon, 30 Mar 2020 16:09:37 +0100 Subject: [PATCH 5/9] Remove call.starargs and add python_requires --- bandit/plugins/django_xss.py | 4 ---- setup.py | 2 ++ 2 files changed, 2 insertions(+), 4 deletions(-) diff --git a/bandit/plugins/django_xss.py b/bandit/plugins/django_xss.py index 94585225e..fc128c840 100644 --- a/bandit/plugins/django_xss.py +++ b/bandit/plugins/django_xss.py @@ -139,10 +139,6 @@ def evaluate_call(call, parent, ignore_nodes=None): if evaluate: args = list(call.args) - if call.starargs and isinstance(call.starargs, - (ast.List, ast.Tuple)): - args.extend(call.starargs.elts) - num_secure = 0 for arg in args: if isinstance(arg, ast.Str): diff --git a/setup.py b/setup.py index ed6d1d47e..abec72634 100644 --- a/setup.py +++ b/setup.py 
@@ -13,6 +13,8 @@ except ImportError: pass + setuptools.setup( + python_requires='>=3.5', setup_requires=['pbr>=2.0.0'], pbr=True) From cb926214ad547fc60ea99946aa70feb60c87874c Mon Sep 17 00:00:00 2001 From: Luke Hinds Date: Wed, 15 Apr 2020 14:59:35 +0100 Subject: [PATCH 6/9] Fix up CI failures --- bandit/core/manager.py | 6 +++--- bandit/formatters/html.py | 4 ++-- bandit/plugins/django_xss.py | 2 -- bandit/plugins/exec.py | 1 + 4 files changed, 6 insertions(+), 7 deletions(-) diff --git a/bandit/core/manager.py b/bandit/core/manager.py index 363c06593..064b65b29 100644 --- a/bandit/core/manager.py +++ b/bandit/core/manager.py @@ -272,14 +272,14 @@ def _parse_file(self, fname, fdata, new_files_list): lineno for toktype, tokval, (lineno, _), _, _ in tokens if toktype == tokenize.COMMENT and '#nosec' in tokval or '# nosec' in tokval) - except tokenize.TokenError as e: + except tokenize.TokenError: nosec_lines = set() score = self._execute_ast_visitor(fname, data, nosec_lines) self.scores.append(score) self.metrics.count_issues([score, ]) - except KeyboardInterrupt as e: + except KeyboardInterrupt: sys.exit(2) - except SyntaxError as e: + except SyntaxError: self.skipped.append((fname, "syntax error while parsing AST from file")) new_files_list.remove(fname) diff --git a/bandit/formatters/html.py b/bandit/formatters/html.py index fb0f0ce33..530af76d6 100644 --- a/bandit/formatters/html.py +++ b/bandit/formatters/html.py @@ -145,12 +145,12 @@ import logging import sys +from html import escape as html_escape + from bandit.core import docs_utils from bandit.core import test_properties from bandit.formatters import utils -from html import escape as html_escape - LOG = logging.getLogger(__name__) diff --git a/bandit/plugins/django_xss.py b/bandit/plugins/django_xss.py index fc128c840..230a1e89d 100644 --- a/bandit/plugins/django_xss.py +++ b/bandit/plugins/django_xss.py @@ -6,8 +6,6 @@ import ast -import six - import bandit from bandit.core import test_properties as test 
diff --git a/bandit/plugins/exec.py b/bandit/plugins/exec.py index 806a95ae2..6d6e99e64 100644 --- a/bandit/plugins/exec.py +++ b/bandit/plugins/exec.py @@ -43,6 +43,7 @@ def exec_issue(): text="Use of exec detected." ) + @test.checks('Call') @test.test_id('B102') def exec_used(context): From 9110811cca8f6ade205ac087ec98b9efa3e301f2 Mon Sep 17 00:00:00 2001 From: Luke Hinds Date: Wed, 15 Apr 2020 15:07:55 +0100 Subject: [PATCH 7/9] Formatting fixes and remove B322 --- bandit/blacklists/calls.py | 23 ----------------------- tests/functional/test_functional.py | 3 +-- tests/functional/test_runtime.py | 3 +-- 3 files changed, 2 insertions(+), 27 deletions(-) diff --git a/bandit/blacklists/calls.py b/bandit/blacklists/calls.py index 85bec160e..773fb47ef 100644 --- a/bandit/blacklists/calls.py +++ b/bandit/blacklists/calls.py @@ -265,20 +265,6 @@ | B321 | ftplib | - ftplib.\* | High | +------+---------------------+------------------------------------+-----------+ -B322: input ------------- - -The input method in Python 2 will read from standard input, evaluate and -run the resulting string as python source code. This is similar, though in -many ways worse, than using eval. On Python 2, use raw_input instead, input -is safe in Python 3. - -+------+---------------------+------------------------------------+-----------+ -| ID | Name | Calls | Severity | -+======+=====================+====================================+===========+ -| B322 | input | - input | High | -+------+---------------------+------------------------------------+-----------+ - B323: unverified_context ------------------------ 
@@ -543,15 +529,6 @@ def gen_blacklist(): 'HIGH' )) - sets.append(utils.build_conf_dict( - 'input', 'B322', ['input'], - 'The input method in Python 2 will read from standard input, ' - 'evaluate and run the resulting string as python source code. This ' - 'is similar, though in many ways worse, than using eval. On Python ' - '2, use raw_input instead, input is safe in Python 3.', - 'HIGH' - )) - sets.append(utils.build_conf_dict( 'unverified_context', 'B323', ['ssl._create_unverified_context'], 'By default, Python will create a secure, verified ssl context for ' diff --git a/tests/functional/test_functional.py b/tests/functional/test_functional.py index d394fc775..6fb6d8401 100644 --- a/tests/functional/test_functional.py +++ b/tests/functional/test_functional.py @@ -151,8 +151,7 @@ def test_exec(self): '''Test the `exec` example.''' expect = { 'SEVERITY': {'UNDEFINED': 0, 'LOW': 0, 'MEDIUM': 1, 'HIGH': 0}, - 'CONFIDENCE': {'UNDEFINED': 0, 'LOW': 0, 'MEDIUM': 0, - 'HIGH': 1} + 'CONFIDENCE': {'UNDEFINED': 0, 'LOW': 0, 'MEDIUM': 0, 'HIGH': 1} } self.check_example('exec.py', expect) diff --git a/tests/functional/test_runtime.py b/tests/functional/test_runtime.py index 9d4f7e367..6398dc0a7 100644 --- a/tests/functional/test_runtime.py +++ b/tests/functional/test_runtime.py @@ -102,8 +102,7 @@ def test_example_nonsense2(self): ) self.assertEqual(0, retcode) self.assertIn("Files skipped (1):", output) - self.assertIn("nonsense2.py (syntax error while parsing AST", - output) + self.assertIn("nonsense2.py (syntax error while parsing AST", output) def test_example_imports(self): (retcode, output) = self._test_example(['bandit', ], ['imports.py', ]) From 337ca90582e13ed9257dbe57e02ec88299ab0483 Mon Sep 17 00:00:00 2001 From: Eric Brown Date: Sun, 6 Dec 2020 16:26:05 -0800 Subject: [PATCH 8/9] Update django_xss.py --- bandit/plugins/django_xss.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
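Review bot: Deleting the B322 entry from `gen_blacklist` frees the identifier without any record that it was retired, and test IDs are what skip/select lists and baseline output typically key on, so a future plugin reusing B322 would silently inherit any existing suppressions. A one-line marker at the point of removal, `# B322 (input) was retired when Python 2 support was dropped; do not reuse the ID`, or a short retired-tests note in the module docstring edited in the first hunk, would preserve that. Whether any fixture or documentation outside this series still references B322 is not visible here. `gen_blacklist` begins and ends outside the hunk.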
diff --git a/bandit/plugins/django_xss.py b/bandit/plugins/django_xss.py index 9d840f49d..43d976cb1 100644 --- a/bandit/plugins/django_xss.py +++ b/bandit/plugins/django_xss.py @@ -48,7 +48,7 @@ def is_assigned(self, node): if var_id == self.var_name.id: assigned = node else: - assigned = self.is_assigned_in(node.body) + assigned = self.is_assigned_in(node.body) elif isinstance(node, ast.Try): assigned = [] assigned.extend(self.is_assigned_in(node.body)) From 8ceac8c299a647d84dcdcce9a2864aae42125678 Mon Sep 17 00:00:00 2001 From: Eric Brown Date: Sun, 6 Dec 2020 16:31:16 -0800 Subject: [PATCH 9/9] Update text.py --- bandit/formatters/text.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bandit/formatters/text.py b/bandit/formatters/text.py index 10f044f61..061e9abf4 100644 --- a/bandit/formatters/text.py +++ b/bandit/formatters/text.py @@ -155,7 +155,7 @@ def report(manager, fileobj, sev_level, conf_level, lines=-1): with fileobj: wrapped_file = utils.wrap_file_object(fileobj) - wrapped_file.write(utils.convert_file_contents(result)) + wrapped_file.write(result) if fileobj.name != sys.stdout.name: LOG.info("Text output written to file: %s", fileobj.name)
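Review bot: This one-line fix restores a call site that PATCH 1/9 broke when it deleted `utils.convert_file_contents` from bandit/formatters/utils.py while only updating bandit/formatters/html.py, so for the intervening commits the text formatter raises `AttributeError` the first time it writes a report. Squashing this change into PATCH 1/9 keeps every commit in the series runnable and bisectable. It is worth confirming, beyond what the series shows, that no other formatter still calls `convert_file_contents`. `report` extends beyond the hunk on both sides.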