PyCQA / bandit

Bandit is a tool designed to find common security issues in Python code.
https://bandit.readthedocs.io
Apache License 2.0

Expand `B404, B602, B603 and B604` to include anyio calls #1199

Open Skelmis opened 1 week ago

Skelmis commented 1 week ago

Is your feature request related to a problem? Please describe.
Currently the plugins B404, B602, B603 and B604 handle the general case of subprocesses within Python. These checks however do not cover anyio and I think it'd be useful to add support for this.

Describe the solution you'd like
Expand upon the existing plugins so that they may handle anyio cases.

Describe alternatives you've considered
Manually conducting source code review to find and locate these calls.

Additional context
While not as common as direct subprocess calls, the anyio package still appears to be relatively popular by download counts at least. Not all users will use subprocesses per se, but I still think this feature may be useful for Bandit to contain. I am also possibly looking to PR this feature myself, however I figured opening an issue first for any discussions surrounding direction would be ideal.

Example checks
Example vulnerable code as currently seen by Bandit. The following code examples are considered equivalent (source):

result_str = await anyio.run_process("user input here")
result_str = subprocess.run("user input here", shell=True)

With the following code, Bandit outputs the following, only alerting on the subprocess call. Code:

import asyncio

import anyio
import subprocess

async def main():
    command = input()

    # Anyio
    result_str = await anyio.run_process(command)

    # Subprocess
    result_str = subprocess.run(command, shell=True)

asyncio.run(main())

Bandit output:

>> Issue: [B602:subprocess_popen_with_shell_equals_true] subprocess call with shell=True identified, security issue.
   Severity: High   Confidence: High
   CWE: CWE-78 (https://cwe.mitre.org/data/definitions/78.html)
   More Info: https://bandit.readthedocs.io/en/1.7.10/plugins/b602_subprocess_popen_with_shell_equals_true.html
   Location: ./bandit.py:14:17
13      # Subprocess
14      result_str = subprocess.run(command, shell=True)
15
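To show what an anyio-aware check would have to look at, here is a stand-alone AST checker written for this discussion (it is not Bandit code and does not use Bandit's plugin API). It treats a `str`/`bytes` command passed to `anyio.run_process` as the anyio equivalent of `shell=True` and a list/tuple as the argv form, and grades the result the way B602/B603 grade subprocess calls: a dynamic value reaching the shell is HIGH, a fixed shell string or an argv list is LOW. The `Finding` type, the severity labels and the sample source in the test are constructed for this example; import aliases (`import anyio as aio`, `from anyio import run_process`) are resolved so the check does not depend on the exact spelling used in the issue.

```python
import ast
from dataclasses import dataclass

# anyio.run_process() hands a str command to a shell and treats a sequence
# as argv, so a str argument is the anyio counterpart of shell=True.
TARGETS = {"anyio.run_process"}


@dataclass
class Finding:
    lineno: int
    func: str        # fully qualified name of the call
    shell: bool      # True unless the command is a list/tuple literal
    severity: str    # "HIGH" or "LOW", mirroring Bandit's B602/B603 grading


class AnyioProcessChecker(ast.NodeVisitor):
    def __init__(self):
        self.aliases = {}   # local name -> fully qualified name
        self.findings = []

    def visit_Import(self, node):
        for a in node.names:                 # import anyio [as aio]
            self.aliases[a.asname or a.name] = a.name

    def visit_ImportFrom(self, node):
        for a in node.names:                 # from anyio import run_process [as rp]
            if node.module:
                self.aliases[a.asname or a.name] = f"{node.module}.{a.name}"

    def _qualname(self, func):
        parts = []
        while isinstance(func, ast.Attribute):   # peel x.y.z from the right
            parts.append(func.attr)
            func = func.value
        if not isinstance(func, ast.Name):
            return None
        parts.append(self.aliases.get(func.id, func.id))
        return ".".join(reversed(parts))

    def visit_Call(self, node):
        name = self._qualname(node.func)
        if name in TARGETS and node.args:
            cmd = node.args[0]
            if isinstance(cmd, (ast.List, ast.Tuple)):
                shell, sev = False, "LOW"    # argv form, no shell (B603-like)
            elif isinstance(cmd, ast.Constant) and isinstance(cmd.value, (str, bytes)):
                shell, sev = True, "LOW"     # fixed shell string (B602 "seems safe")
            else:
                shell, sev = True, "HIGH"    # dynamic value may reach the shell
            self.findings.append(Finding(node.lineno, name, shell, sev))
        self.generic_visit(node)             # keep walking nested calls


def find_anyio_process_calls(source):
    """Parse source and return a Finding for every anyio.run_process call."""
    checker = AnyioProcessChecker()
    checker.visit(ast.parse(source))
    return checker.findings
```

Run `find_anyio_process_calls(open("bandit.py").read())` on the snippet from the issue and the `anyio.run_process(command)` line comes back as a HIGH finding while the `subprocess.run` line is left to the existing B602 plugin.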