PyCQA / bandit

Bandit is a tool designed to find common security issues in Python code.
https://bandit.readthedocs.io
Apache License 2.0

ssh_no_host_key_verification is failing on Python 3.12 #1077

Closed dolfinus closed 11 months ago

dolfinus commented 11 months ago

Describe the bug

Using bandit on Python 3.12 with the ssh_no_host_key_verification plugin enabled leads to an internal error:

from paramiko import SSHClient, WarningPolicy

client = SSHClient()

client.set_missing_host_key_policy(WarningPolicy())

[main]  INFO    profile include tests: None
[main]  INFO    profile exclude tests: None
[main]  INFO    cli include tests: None
[main]  INFO    cli exclude tests: None
[main]  INFO    running on Python 3.12.0
[node_visitor]  WARNING Unable to find qualified name for module: 1.py
[tester]        ERROR   Bandit internal error running: ssh_no_host_key_verification on file 1.py at line 5: 'Name' object has no attribute 'attr'
Traceback (most recent call last):
  File "/home/maxim/Repo/onetl/venv2/lib/python3.12/site-packages/bandit/core/tester.py", line 53, in run_tests
    result = test(context)
             ^^^^^^^^^^^^^
  File "/home/maxim/Repo/onetl/venv2/lib/python3.12/site-packages/bandit/plugins/ssh_no_host_key_verification.py", line 59, in ssh_no_host_key_verification
    policy_argument_value = policy_argument.func.attr
                            ^^^^^^^^^^^^^^^^^^^^^^^^^
AttributeError: 'Name' object has no attribute 'attr'

But changing the last line of the module to this:

client.set_missing_host_key_policy(client.WarningPolicy())

or this:

client.set_missing_host_key_policy(client.WarningPolicy)

fixes the issue:

[main]  INFO    profile include tests: None
[main]  INFO    profile exclude tests: None
[main]  INFO    cli include tests: None
[main]  INFO    cli exclude tests: None
[main]  INFO    running on Python 3.12.0
[node_visitor]  WARNING Unable to find qualified name for module: 1.py
Run started:2023-12-12 11:47:08.155867

Test results:
>> Issue: [B507:ssh_no_host_key_verification] Paramiko call with policy set to automatically trust the unknown host key.
   Severity: High   Confidence: Medium
   CWE: CWE-295 (https://cwe.mitre.org/data/definitions/295.html)
   More Info: https://bandit.readthedocs.io/en/1.7.6/plugins/b507_ssh_no_host_key_verification.html
   Location: 1.py:5:0
4
5       client.set_missing_host_key_policy(client.WarningPolicy())
6

Reproduction steps

pyenv install 3.12
pyenv shell 3.12
python -m venv venv
source venv/bin/activate
pip install bandit==1.7.6 paramiko==3.3.1
echo "file content from description above" > 1.py
bandit 1.py

Expected behavior

The ssh_no_host_key_verification plugin should not fail on any Python version or on any valid way of passing a policy to client.set_missing_host_key_policy(...).

Bandit version

1.7.6 (Default)

Python version

3.12 (Default)

Additional context

No response
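The traceback above shows the root cause: the plugin reads `policy_argument.func.attr`, which assumes the policy argument is an attribute access such as `paramiko.WarningPolicy()` (an `ast.Attribute` node). When the class is imported directly and called as `WarningPolicy()`, `func` is an `ast.Name` node, which has `id` but no `attr`. The following is an added example, not bandit's own plugin code, showing how a checker can resolve the policy identifier from all three forms on this page (direct name, attribute, and attribute without a call), plus the keyword form `policy=...` (paramiko's parameter is named `policy`). The unsafe-policy set lists `WarningPolicy` (confirmed by the page's B507 output) and `AutoAddPolicy` (paramiko's other permissive policy); the sample sources are constructed for the example.

```python
"""Added example (not bandit's code): robustly extract the policy passed to
SSHClient.set_missing_host_key_policy() from a Python AST, handling the
ast.Name form that crashed bandit 1.7.6 on Python 3.12 as well as the
ast.Attribute forms the plugin already handled."""
from __future__ import annotations

import ast

# Policies that skip host-key verification (CWE-295). WarningPolicy is the one
# flagged in the page's output; AutoAddPolicy is paramiko's other permissive one.
UNSAFE_POLICIES = {"AutoAddPolicy", "WarningPolicy"}


def _policy_identifier(node: ast.AST) -> str | None:
    """Return the trailing identifier of the policy expression, or None.

    Accepts WarningPolicy(), paramiko.WarningPolicy(), and the un-called
    paramiko.WarningPolicy / WarningPolicy forms. Anything else (a variable
    holding a policy instance, a subscript, ...) yields None, so the checker
    degrades to "no finding" instead of raising AttributeError.
    """
    if isinstance(node, ast.Call):
        # For `Something()` inspect what is being called, not the call itself.
        node = node.func
    if isinstance(node, ast.Attribute):   # client.WarningPolicy / paramiko.WarningPolicy
        return node.attr
    if isinstance(node, ast.Name):        # WarningPolicy (imported directly)
        return node.id
    return None


def find_unsafe_host_key_policies(source: str) -> list[tuple[int, str]]:
    """Return (lineno, policy_name) for each set_missing_host_key_policy call
    whose argument resolves to an unsafe policy."""
    findings: list[tuple[int, str]] = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        if not (isinstance(func, ast.Attribute)
                and func.attr == "set_missing_host_key_policy"):
            continue
        # Positional form, or keyword form `policy=...` (paramiko's parameter name).
        if node.args:
            policy_arg = node.args[0]
        else:
            kw = [k for k in node.keywords if k.arg == "policy"]
            if not kw:
                continue
            policy_arg = kw[0].value
        name = _policy_identifier(policy_arg)
        if name in UNSAFE_POLICIES:
            findings.append((node.lineno, name))
    return findings


# Constructed sample modules mirroring the three forms from the issue.
SAMPLE_DIRECT_NAME = (
    "from paramiko import SSHClient, WarningPolicy\n"
    "\n"
    "client = SSHClient()\n"
    "\n"
    "client.set_missing_host_key_policy(WarningPolicy())\n"
)
SAMPLE_ATTRIBUTE_CALL = "client.set_missing_host_key_policy(client.WarningPolicy())\n"
SAMPLE_ATTRIBUTE_BARE = "client.set_missing_host_key_policy(client.WarningPolicy)\n"
SAMPLE_SAFE = "import paramiko\nclient.set_missing_host_key_policy(paramiko.RejectPolicy())\n"

if __name__ == "__main__":
    for label, src in [("direct name", SAMPLE_DIRECT_NAME),
                       ("attribute call", SAMPLE_ATTRIBUTE_CALL),
                       ("bare attribute", SAMPLE_ATTRIBUTE_BARE),
                       ("safe policy", SAMPLE_SAFE)]:
        print(f"{label:15s} -> {find_unsafe_host_key_policies(src)}")
```

The key design choice is that `_policy_identifier` never assumes a node type: a `Call` is unwrapped to its `func`, then `Attribute` and `Name` are handled explicitly, and everything else returns `None`. That is what turns a plugin crash (and with it a silently skipped scan of the file) into either a finding or a clean miss.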