PyCQA / bandit

Bandit is a tool designed to find common security issues in Python code.
https://bandit.readthedocs.io
Apache License 2.0

False positive on token_fail_reason #843

Open jshcodes opened 2 years ago

jshcodes commented 2 years ago

Describe the bug

Up until this latest release, our bandit workflows have delivered passing results without issue. With our latest commit, 1.7.3 was installed and our unit testing failed with the following:

Issue: [B105:hardcoded_password_string] Possible hardcoded password: 'Unexpected API response received'
   Severity: Low   Confidence: Medium
   CWE: CWE-259 (https://cwe.mitre.org/data/definitions/259.html)
   Location: src/falconpy/oauth2.py:157:41
   More Info: https://bandit.readthedocs.io/en/1.7.3/plugins/b105_hardcoded_password_string.html
156                 returned = generate_error_result("Unexpected API response received", 403)
157                 self.token_fail_reason = "Unexpected API response received"
158                 self.token_status = 403

Impacted code block

if isinstance(returned, dict):
    self.token_status = returned["status_code"]
    if self.token_status == 201:
        self.token_expiration = returned["body"]["expires_in"]
        self.token_time = time.time()
        self.token_value = returned["body"]["access_token"]
        self.token_fail_reason = None
        # unrelated code continues...
else:
    returned = generate_error_result("Unexpected API response received", 403)
    self.token_fail_reason = "Unexpected API response received"
    self.token_status = 403

Reproduction steps

Started occurring with the 1.7.3 install. (I've confirmed it's not an issue in 1.7.0 - 1.7.2)

Expected behavior

I don't believe there is a problem with the code above.

Bandit version

1.7.3 (Default)

Python version

3.10 (Default)

Additional context

Appears to be similar to issue #842.

ericwb commented 2 years ago

Looks like a false positive as a result of #766 which now examines function calls with attributes that have the word "token" within them.

The hardcoded password/token/etc. check tends to have a lower confidence to detect guaranteed cases of a hardcoded secret. You can always add a # nosec comment to ignore this instance.
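The heuristic ericwb describes (an attribute whose name contains a word like "token" being assigned a string literal) can be reproduced with a few lines of ast walking. The block below is an added illustration, not bandit's own B105 plugin code, and the sample source, the name pattern and the nosec handling are all simplified assumptions; bandit's real plugin checks more cases and its output format differs. It shows why the line from the issue is flagged, why a neighbouring status-message attribute with no secret-like word is not, and how a trailing # nosec comment suppresses the finding.

```python
import ast
import re

# Constructed sample (not from falconpy): the assignment from the issue, a
# non-string assignment, an attribute without a secret-like name, a genuine
# hardcoded credential, and a nosec-annotated copy of the issue's line.
SAMPLE = '''
class OAuth2:
    def fail(self):
        self.token_fail_reason = "Unexpected API response received"
        self.token_status = 403
        self.status_message = "Unexpected API response received"
        self.api_token = "AKIA-not-a-real-token"
        self.token_fail_reason = "Unexpected API response received"  # nosec B105
'''

# Assumed word list; bandit's own pattern is broader than this.
SECRET_NAME = re.compile(r"(password|passwd|pwd|secret|token)", re.IGNORECASE)


def _target_name(node):
    """Return the identifier being assigned to, for plain names and attributes."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        return node.attr  # 'token_fail_reason' in self.token_fail_reason
    return None


def _has_nosec(source_lines, lineno):
    """True when the physical line carries a '# nosec' suppression comment."""
    return "# nosec" in source_lines[lineno - 1]


def find_hardcoded_secrets(source):
    """Toy B105-style check: string literal assigned to a secret-looking name.

    Returns a list of (lineno, target_name, literal) tuples, sorted by line.
    """
    lines = source.splitlines()
    hits = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Assign):
            continue
        value = node.value
        # Only string literals count; token_status = 403 is never reported.
        if not (isinstance(value, ast.Constant) and isinstance(value.value, str)):
            continue
        for target in node.targets:
            name = _target_name(target)
            if name is None or not SECRET_NAME.search(name):
                continue
            if _has_nosec(lines, node.lineno):
                continue  # suppressed, as ericwb suggests for this false positive
            hits.append((node.lineno, name, value.value))
    return sorted(hits)


if __name__ == "__main__":
    for lineno, name, literal in find_hardcoded_secrets(SAMPLE):
        print(f"line {lineno}: possible hardcoded secret in {name!r}: {literal!r}")
```

The name-based rule cannot tell a token value from a human-readable status message stored in a field that happens to contain the word "token", which is exactly the false positive reported above; the literal "Unexpected API response received" is reported on line 4 but the same literal assigned to status_message on line 6 is not. Renaming the field (for example to auth_failure_reason) would avoid the finding without a suppression comment, while the nosec annotation keeps the name and silences only that line.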