astral-sh / ruff

An extremely fast Python linter and code formatter, written in Rust.
https://docs.astral.sh/ruff
MIT License

[`flake8-bandit`]: S413 false positive for PyCryptodome #12761

Open trim21 opened 1 month ago

trim21 commented 1 month ago

ruff 0.5.7 with preview enabled.

PyCryptodome is a fork of PyCrypto and has the same import name, `Crypto`.

It triggers S413: "`pycrypto` library is known to have publicly disclosed buffer overflow vulnerability".

MichaReiser commented 1 month ago

Thanks for reporting this. Do you have a link to where it states that the vulnerability is fixed?

trim21 commented 1 month ago

It doesn't state that, but it doesn't reproduce CVE-2013-7459.

MichaReiser commented 1 month ago

Hmm. I don't think there's much we can do when both packages use the same name other than documenting that this rule doesn't apply to PyCryptodome

trim21 commented 1 month ago

> Hmm. I don't think there's much we can do when both packages use the same name other than documenting that this rule doesn't apply to PyCryptodome

Read pyproject.toml and parse the deps list, maybe?

I understand ruff can't know for sure which package this is; adding docs is OK for me.

charliermarsh commented 1 month ago

Happy to document it but it would be helpful to have a clear source to cite. How did you learn that it doesn't reproduce that CVE, for example?

trim21 commented 1 month ago

> Happy to document it but it would be helpful to have a clear source to cite. How did you learn that it doesn't reproduce that CVE, for example?

source repo: https://github.com/Legrandin/pycryptodome

https://github.com/pycrypto/pycrypto/issues/176 gives example code, and it can be executed with PyCryptodome without a Python crash.