PyCQA / bandit

Bandit is a tool designed to find common security issues in Python code.
https://bandit.readthedocs.io
Apache License 2.0

B703 and B308 check passed if mark_safe used as a decorator #592

Open chinskiy opened 4 years ago

chinskiy commented 4 years ago

Describe the bug

According to the docs, mark_safe can also be used as a decorator.

In this case the B703 and B308 checks pass.

To Reproduce

When mark_safe is used as a function:

example.py

from django.utils.safestring import mark_safe

def foo(a):
    return mark_safe(a)

Output

bandit example.py 
[main]  INFO    profile include tests: None
[main]  INFO    profile exclude tests: None
[main]  INFO    cli include tests: None
[main]  INFO    cli exclude tests: None
[main]  INFO    running on Python 3.7.5
[node_visitor]  INFO    Unable to find qualified name for module: example.py
Run started:2020-03-25 14:34:46.110414

Test results:
>> Issue: [B703:django_mark_safe] Potential XSS on mark_safe function.
   Severity: Medium   Confidence: High
   Location: example.py:5
   More Info: https://bandit.readthedocs.io/en/latest/plugins/b703_django_mark_safe.html
4   def foo(a):
5       return mark_safe(a)

--------------------------------------------------
>> Issue: [B308:blacklist] Use of mark_safe() may expose cross-site scripting vulnerabilities and should be reviewed.
   Severity: Medium   Confidence: High
   Location: example.py:5
   More Info: https://bandit.readthedocs.io/en/latest/blacklists/blacklist_calls.html#b308-mark-safe
4   def foo(a):
5       return mark_safe(a)

--------------------------------------------------

Code scanned:
    Total lines of code: 3
    Total lines skipped (#nosec): 0

Run metrics:
    Total issues (by severity):
        Undefined: 0.0
        Low: 0.0
        Medium: 2.0
        High: 0.0
    Total issues (by confidence):
        Undefined: 0.0
        Low: 0.0
        Medium: 0.0
        High: 2.0
Files skipped (0):

When used as a decorator:

example.py

from django.utils.safestring import mark_safe

@mark_safe
def foo(a):
    return a

Output

bandit example.py 
[main]  INFO    profile include tests: None
[main]  INFO    profile exclude tests: None
[main]  INFO    cli include tests: None
[main]  INFO    cli exclude tests: None
[main]  INFO    running on Python 3.7.5
[node_visitor]  INFO    Unable to find qualified name for module: example.py
Run started:2020-03-25 14:35:07.494061

Test results:
    No issues identified.

Code scanned:
    Total lines of code: 4
    Total lines skipped (#nosec): 0

Run metrics:
    Total issues (by severity):
        Undefined: 0.0
        Low: 0.0
        Medium: 0.0
        High: 0.0
    Total issues (by confidence):
        Undefined: 0.0
        Low: 0.0
        Medium: 0.0
        High: 0.0
Files skipped (0):

Expected behavior

The same issues should be shown.

Bandit version

bandit 1.6.2
  python version = 3.7.6 (default, Jan 18 2020, 02:49:59) [GCC 9.2.0]

Additional context

I like this tool :)

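As an added example (not part of the issue report and not bandit's own plugin code), the following ast.NodeVisitor reports mark_safe both where it is called directly and where it is applied as a decorator, which is exactly the case the report shows bandit missing. Like bandit's Django plugin it only reports when the module imports django.utils.safestring. The two sample sources are constructed from the example.py files above; the third, attribute-style sample (from django.utils import safestring / @safestring.mark_safe) is an assumption not shown in the report, added so the checker covers that spelling too.

```python
import ast
from typing import List, Tuple

# Constructed sample inputs: the two example.py variants from the report.
CALL_FORM = """\
from django.utils.safestring import mark_safe

def foo(a):
    return mark_safe(a)
"""

DECORATOR_FORM = """\
from django.utils.safestring import mark_safe

@mark_safe
def foo(a):
    return a
"""

# Assumed extra spelling, not taken from the report: attribute access on the module.
ATTRIBUTE_FORM = """\
from django.utils import safestring

@safestring.mark_safe
def bar(a):
    return a

def baz(a):
    return safestring.mark_safe(a)
"""


def _imports_safestring(tree: ast.Module) -> bool:
    """True if the module imports django.utils.safestring in any common form."""
    for node in ast.walk(tree):
        if isinstance(node, ast.ImportFrom):
            mod = node.module or ""
            if mod == "django.utils.safestring":
                return True
            if mod == "django.utils" and any(a.name == "safestring" for a in node.names):
                return True
        elif isinstance(node, ast.Import):
            if any(a.name == "django.utils.safestring" for a in node.names):
                return True
    return False


def _is_mark_safe(node: ast.AST) -> bool:
    """True if node names mark_safe, as a bare name or as an attribute."""
    if isinstance(node, ast.Name):
        return node.id == "mark_safe"
    if isinstance(node, ast.Attribute):
        return node.attr == "mark_safe"
    return False


class MarkSafeVisitor(ast.NodeVisitor):
    """Collect (line, kind) for every mark_safe use, whether call or decorator."""

    def __init__(self) -> None:
        self.findings: List[Tuple[int, str]] = []

    def visit_Call(self, node: ast.Call) -> None:
        if _is_mark_safe(node.func):
            self.findings.append((node.lineno, "call"))
        self.generic_visit(node)

    def _check_decorators(self, node: ast.AST) -> None:
        for dec in node.decorator_list:
            # A bare @mark_safe is a Name/Attribute node, never a Call, so a
            # call-only check (like B703/B308 here) walks straight past it.
            if _is_mark_safe(dec):
                self.findings.append((dec.lineno, "decorator"))
        self.generic_visit(node)

    visit_FunctionDef = _check_decorators
    visit_AsyncFunctionDef = _check_decorators


def find_mark_safe(source: str) -> List[Tuple[int, str]]:
    """Return sorted (line, kind) findings for mark_safe in a Python source string."""
    tree = ast.parse(source)
    if not _imports_safestring(tree):
        return []
    visitor = MarkSafeVisitor()
    visitor.visit(tree)
    return sorted(visitor.findings)


if __name__ == "__main__":
    samples = (("call form", CALL_FORM),
               ("decorator form", DECORATOR_FORM),
               ("attribute form", ATTRIBUTE_FORM))
    for label, src in samples:
        for line, kind in find_mark_safe(src):
            print(f"{label}: mark_safe used as {kind} at line {line}")
```

Running the module prints one finding per use; the decorator form is reported at the @mark_safe line rather than at the def, which is where a reviewer will want to look. A locally defined mark_safe in a module that never imports django.utils.safestring is deliberately not reported.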
aastashov commented 3 years ago

I have the same problem with format_html.

Error:

  Line: 40
    bandit: B703 / Potential XSS on mark_safe function.
    bandit: B308 / Use of mark_safe() may expose cross-site scripting vulnerabilities and should be reviewed.

example:

from django.contrib import admin
from django.db.models import Model
from django.utils.html import format_html


class ModelAdmin(admin.ModelAdmin):
    def foo(self, obj: Model):
        full_name = f"{obj.first_name} {obj.last_name}".strip()
        return format_html('<a href="#">{}</a>', full_name)  # <--- format_html calls mark_safe and returns SafeString object