pip3 install bandit
cd
git clone https://github.com/web2py/web3py
git clone https://github.com/web2py/web2py
$ bandit web3py/*.py -r
[main] INFO profile include tests: None
[main] INFO profile exclude tests: None
[main] INFO cli include tests: None
[main] INFO cli exclude tests: None
[main] INFO running on Python 3.5.3
Run started:2019-05-22 15:04:53.288693
Test results:
>> Issue: [B404:blacklist] Consider possible security implications associated with subprocess module.
Severity: Low Confidence: High
Location: web3py/setup.py:4
More Info: https://bandit.readthedocs.io/en/latest/blacklists/blacklist_imports.html#b404-import-subprocess
3 """
4 import subprocess
5 import re
--------------------------------------------------
>> Issue: [B603:subprocess_without_shell_equals_true] subprocess call - check for execution of untrusted input.
Severity: Low Confidence: High
Location: web3py/setup.py:13
More Info: https://bandit.readthedocs.io/en/latest/plugins/b603_subprocess_without_shell_equals_true.html
12 def get_hash():
13 return subprocess.check_output(['git', 'rev-parse', 'HEAD']).strip().decode('utf8')
--------------------------------------------------
>> Issue: [B607:start_process_with_partial_path] Starting a process with a partial executable path
Severity: Low Confidence: High
Location: web3py/setup.py:13
More Info: https://bandit.readthedocs.io/en/latest/plugins/b607_start_process_with_partial_path.html
12 def get_hash():
13 return subprocess.check_output(['git', 'rev-parse', 'HEAD']).strip().decode('utf8')
--------------------------------------------------
Code scanned:
Total lines of code: 52
Total lines skipped (#nosec): 0
Run metrics:
Total issues (by severity):
Undefined: 0.0
Low: 3.0
Medium: 0.0
High: 0.0
Total issues (by confidence):
Undefined: 0.0
Low: 0.0
Medium: 0.0
High: 3.0
Files skipped (0):
$ bandit web2py/*.py -r
[main] INFO profile include tests: None
[main] INFO profile exclude tests: None
[main] INFO cli include tests: None
[main] INFO cli exclude tests: None
[main] INFO running on Python 3.5.3
Run started:2019-05-22 15:06:10.007801
Test results:
>> Issue: [B412:blacklist] Consider possible security implications associated with CGIHandler module.
Severity: High Confidence: High
Location: web2py/anyserver.py:25
More Info: https://bandit.readthedocs.io/en/latest/blacklists/blacklist_imports.html#b412-import-httpoxy
24 def cgi(app, address=None, **options):
25 from wsgiref.handlers import CGIHandler
26 CGIHandler().run(app) # Just ignore host and port here
--------------------------------------------------
>> Issue: [B412:blacklist] Consider possible security implications associated with wsgiref.handlers.CGIHandler module.
Severity: High Confidence: High
Location: web2py/anyserver.py:26
More Info: https://bandit.readthedocs.io/en/latest/blacklists/blacklist_imports.html#b412-import-httpoxy
25 from wsgiref.handlers import CGIHandler
26 CGIHandler().run(app) # Just ignore host and port here
--------------------------------------------------
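Why bandit rates B412 High: under CGI every request header is exported into the process environment as `HTTP_<NAME>`, so a client-supplied `Proxy:` header becomes `HTTP_PROXY`, the variable many HTTP client libraries consult to find an outbound proxy (the httpoxy issue the More Info link points at). The block below is an added illustration of that mechanism and is not code from web2py or from `wsgiref`: the environment construction is modelled on RFC 3875, the two lookup functions are constructed stand-ins for a client library's proxy resolution, and the header values are made up.

```python
def cgi_environ(headers, method="GET"):
    """Model of what a CGI gateway exports (RFC 3875 section 4.1.18): every
    request header becomes HTTP_<NAME>, upper-cased, with '-' replaced by '_'.
    Constructed illustration, not wsgiref's own code."""
    env = {"REQUEST_METHOD": method, "GATEWAY_INTERFACE": "CGI/1.1"}
    for name, value in headers:
        env["HTTP_" + name.upper().replace("-", "_")] = value
    return env


def naive_proxy_lookup(env):
    """Pre-httpoxy client-library behaviour: trust either spelling of the
    proxy variable, so a client-supplied 'Proxy:' header wins."""
    return env.get("http_proxy") or env.get("HTTP_PROXY")


def guarded_proxy_lookup(env):
    """Mitigated lookup: when REQUEST_METHOD is present we are inside a CGI
    request and HTTP_PROXY is attacker-controlled, so only the lower-case
    http_proxy (which no header can produce, because CGI upper-cases names)
    is honoured."""
    if "REQUEST_METHOD" in env:
        return env.get("http_proxy")
    return env.get("http_proxy") or env.get("HTTP_PROXY")


def demo():
    # Constructed request: a normal Host header plus the attacker's Proxy header.
    headers = [("Host", "app.example"),
               ("Proxy", "http://attacker.example:8080")]
    env = cgi_environ(headers)
    return {
        "exported": env.get("HTTP_PROXY"),
        "naive": naive_proxy_lookup(env),
        "guarded": guarded_proxy_lookup(env),
    }


if __name__ == "__main__":
    print(demo())
```

CPython's `urllib` applies the same guard (it ignores `HTTP_PROXY` when `REQUEST_METHOD` is set), but every other library and every subprocess the CGI handler spawns inherits the poisoned environment, which is why the finding is High rather than Low. The robust mitigation is at the gateway: strip the `Proxy` header before it reaches the application, or do not serve the app through CGI at all.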
Code scanned:
Total lines of code: 540
Total lines skipped (#nosec): 0
Run metrics:
Total issues (by severity):
Undefined: 0.0
Low: 0.0
Medium: 0.0
High: 2.0
Total issues (by confidence):
Undefined: 0.0
Low: 0.0
Medium: 0.0
High: 2.0
Files skipped (1):
web2py/fabfile.py (syntax error while parsing AST from file)
$ bandit ./web3py/ -r
[main] INFO profile include tests: None
[main] INFO profile exclude tests: None
[main] INFO cli include tests: None
[main] INFO cli exclude tests: None
[main] INFO running on Python 3.6.7
Run started:2019-05-23 04:29:35.118424
Test results:
>> Issue: [B105:hardcoded_password_string] Possible hardcoded password: '<my secret key>'
Severity: Low Confidence: Medium
Location: ./web3py/apps/_scaffold/settings.py:17
More Info: https://bandit.readthedocs.io/en/latest/plugins/b105_hardcoded_password_string.html
16 SESSION_TYPE = 'cookies'
17 SESSION_SECRET_KEY = '<my secret key>'
18 MEMCACHE_CLIENTS = ['127.0.0.1:11211']
--------------------------------------------------
>> Issue: [B106:hardcoded_password_funcarg] Possible hardcoded password: 'myscret'
Severity: Low Confidence: Medium
Location: ./web3py/apps/examples/__init__.py:12
More Info: https://bandit.readthedocs.io/en/latest/plugins/b106_hardcoded_password_funcarg.html
11 db.commit()
12 session = Session(secret='myscret')
13
--------------------------------------------------
>> Issue: [B106:hardcoded_password_funcarg] Possible hardcoded password: 'some secret'
Severity: Low Confidence: Medium
Location: ./web3py/apps/todo/__init__.py:5
More Info: https://bandit.readthedocs.io/en/latest/plugins/b106_hardcoded_password_funcarg.html
4 # define session and cache objects
5 session = Session(secret='some secret')
6 cache = Cache(size=1000)
--------------------------------------------------
>> Issue: [B404:blacklist] Consider possible security implications associated with subprocess module.
Severity: Low Confidence: High
Location: ./web3py/setup.py:4
More Info: https://bandit.readthedocs.io/en/latest/blacklists/blacklist_imports.html#b404-import-subprocess
3 """
4 import subprocess
5 import re
--------------------------------------------------
>> Issue: [B607:start_process_with_partial_path] Starting a process with a partial executable path
Severity: Low Confidence: High
Location: ./web3py/setup.py:13
More Info: https://bandit.readthedocs.io/en/latest/plugins/b607_start_process_with_partial_path.html
12 def get_hash():
13 return subprocess.check_output(['git', 'rev-parse', 'HEAD']).strip().decode('utf8')
14
--------------------------------------------------
>> Issue: [B603:subprocess_without_shell_equals_true] subprocess call - check for execution of untrusted input.
Severity: Low Confidence: High
Location: ./web3py/setup.py:13
More Info: https://bandit.readthedocs.io/en/latest/plugins/b603_subprocess_without_shell_equals_true.html
12 def get_hash():
13 return subprocess.check_output(['git', 'rev-parse', 'HEAD']).strip().decode('utf8')
14
--------------------------------------------------
>> Issue: [B101:assert_used] Use of assert detected. The enclosed code will be removed when compiling to optimised byte code.
Severity: Low Confidence: High
Location: ./web3py/web3py/core.py:255
More Info: https://bandit.readthedocs.io/en/latest/plugins/b101_assert_used.html
254 if self.expiration is not None and self.storage is None:
255 assert self.local.data['timestamp'] > time.time() - int(self.expiration)
256 assert self.local.data.get('secure') == self.local.secure
--------------------------------------------------
>> Issue: [B101:assert_used] Use of assert detected. The enclosed code will be removed when compiling to optimised byte code.
Severity: Low Confidence: High
Location: ./web3py/web3py/core.py:256
More Info: https://bandit.readthedocs.io/en/latest/plugins/b101_assert_used.html
255 assert self.local.data['timestamp'] > time.time() - int(self.expiration)
256 assert self.local.data.get('secure') == self.local.secure
257 except (jwt.exceptions.InvalidSignatureError, AssertionError, ValueError):
--------------------------------------------------
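What the two B101 findings mean in practice: the session validity checks in core.py are written as `assert` statements inside a `try` whose `except` lists `AssertionError`, so under `python -O` (or `PYTHONOPTIMIZE`) both statements are compiled away and an expired cookie, or one issued for a different scheme, is accepted. The block below is an added demonstration and not web3py code: the two `check` functions are constructed stand-ins for the timestamp and secure-flag checks (the JWT signature verification that precedes them is left out), and `compile(..., optimize=1)` reproduces the `-O` stripping in-process so the effect is visible without restarting the interpreter.

```python
# Constructed stand-in for the assert-based checks bandit flagged (the JWT
# signature check that precedes them is omitted). Not web3py's own code.
ASSERT_BASED = '''
def check(data, expiration, secure, now):
    try:
        assert data['timestamp'] > now - int(expiration)
        assert data.get('secure') == secure
    except AssertionError:
        return False
    return True
'''

# Same checks as explicit control flow: these survive every optimisation level.
EXPLICIT = '''
def check(data, expiration, secure, now):
    if data['timestamp'] <= now - int(expiration):
        return False          # cookie older than the expiration window
    if data.get('secure') != secure:
        return False          # cookie was issued for a different scheme
    return True
'''


def load_check(source, optimize):
    """Compile the source at the given optimisation level (1 mirrors python -O:
    assert statements are dropped) and return its check() function."""
    namespace = {}
    exec(compile(source, "<session_check>", "exec", optimize=optimize), namespace)
    return namespace["check"]


def evaluate(source, optimize):
    """Run three constructed cookies through check().
    Returns (expired accepted?, wrong scheme accepted?, fresh accepted?)."""
    check = load_check(source, optimize)
    now = 1_700_000_000
    expiration = 10
    expired = {"timestamp": now - 100, "secure": True}
    wrong_scheme = {"timestamp": now, "secure": False}
    fresh = {"timestamp": now, "secure": True}
    return (check(expired, expiration, True, now),
            check(wrong_scheme, expiration, True, now),
            check(fresh, expiration, True, now))


if __name__ == "__main__":
    for name, src in (("assert", ASSERT_BASED), ("explicit", EXPLICIT)):
        for opt in (0, 1):
            print(name, "optimize=%d" % opt, evaluate(src, opt))
```

At `optimize=0` both versions reject the expired and wrong-scheme cookies; at `optimize=1` the assert-based version accepts all three, while the explicit version is unchanged. Bandit rates B101 Low because it cannot tell whether an assert guards a test or, as here, a security decision; that judgement is the reviewer's.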
>> Issue: [B108:hardcoded_tmp_directory] Probable insecure usage of temp file/directory.
Severity: Medium Confidence: Medium
Location: ./web3py/web3py/core.py:648
More Info: https://bandit.readthedocs.io/en/latest/plugins/b108_hardcoded_tmp_directory.html
647 parser.add_argument('--service_db_uri', default='sqlite://service.storage', type=str, help='db uri for logging')
648 parser.add_argument('--service_folder', default='/tmp/web3py', type=str, help='db uri for logging')
649 action.args = args = parser.parse_args()
--------------------------------------------------
>> Issue: [B108:hardcoded_tmp_directory] Probable insecure usage of temp file/directory.
Severity: Medium Confidence: Medium
Location: ./web3py/web3py/tests/test_action.py:14
More Info: https://bandit.readthedocs.io/en/latest/plugins/b108_hardcoded_tmp_directory.html
13
14 db = DAL('sqlite://storage_%s' % uuid.uuid4(), folder='/tmp/')
15 db.define_table('thing', Field('name'))
--------------------------------------------------
>> Issue: [B106:hardcoded_password_funcarg] Possible hardcoded password: 'my secret'
Severity: Low Confidence: Medium
Location: ./web3py/web3py/tests/test_action.py:16
More Info: https://bandit.readthedocs.io/en/latest/plugins/b106_hardcoded_password_funcarg.html
15 db.define_table('thing', Field('name'))
16 session = Session(secret='my secret')
17 cache = Cache()
--------------------------------------------------
>> Issue: [B106:hardcoded_password_funcarg] Possible hardcoded password: 'a'
Severity: Low Confidence: Medium
Location: ./web3py/web3py/tests/test_auth.py:12
More Info: https://bandit.readthedocs.io/en/latest/plugins/b106_hardcoded_password_funcarg.html
11 self.db = DAL('sqlite:memory')
12 self.session = Session(secret="a", expiration=10)
13 self.session.local.data = {}
--------------------------------------------------
>> Issue: [B311:blacklist] Standard pseudo-random generators are not suitable for security/cryptographic purposes.
Severity: Low Confidence: High
Location: ./web3py/web3py/tests/test_cache.py:51
More Info: https://bandit.readthedocs.io/en/latest/blacklists/blacklist_calls.html#b311-random
50 def f(x):
51 return x + random.random()
52
--------------------------------------------------
>> Issue: [B404:blacklist] Consider possible security implications associated with subprocess module.
Severity: Low Confidence: High
Location: ./web3py/web3py/tests/test_session.py:4
More Info: https://bandit.readthedocs.io/en/latest/blacklists/blacklist_imports.html#b404-import-subprocess
3 import memcache
4 import subprocess
5
6 from web3py import request, response, Session, DAL
--------------------------------------------------
>> Issue: [B106:hardcoded_password_funcarg] Possible hardcoded password: 'a'
Severity: Low Confidence: Medium
Location: ./web3py/web3py/tests/test_session.py:13
More Info: https://bandit.readthedocs.io/en/latest/plugins/b106_hardcoded_password_funcarg.html
12 request.app_name = 'myapp'
13 session = Session(secret="a", expiration=10)
14 session.on_request()
--------------------------------------------------
>> Issue: [B106:hardcoded_password_funcarg] Possible hardcoded password: 'b'
Severity: Low Confidence: Medium
Location: ./web3py/web3py/tests/test_session.py:24
More Info: https://bandit.readthedocs.io/en/latest/plugins/b106_hardcoded_password_funcarg.html
23
24 session = Session(secret="b", expiration=10)
25 session.on_request()
--------------------------------------------------
>> Issue: [B106:hardcoded_password_funcarg] Possible hardcoded password: 'a'
Severity: Low Confidence: Medium
Location: ./web3py/web3py/tests/test_session.py:28
More Info: https://bandit.readthedocs.io/en/latest/plugins/b106_hardcoded_password_funcarg.html
27
28 session = Session(secret="a", expiration=10)
29 session.on_request()
--------------------------------------------------
>> Issue: [B106:hardcoded_password_funcarg] Possible hardcoded password: 'a'
Severity: Low Confidence: Medium
Location: ./web3py/web3py/tests/test_session.py:35
More Info: https://bandit.readthedocs.io/en/latest/plugins/b106_hardcoded_password_funcarg.html
34 db = DAL('sqlite:memory')
35 session = Session(secret="a", expiration=10, storage=DBStore(db))
36 request.cookies.clear()
--------------------------------------------------
>> Issue: [B607:start_process_with_partial_path] Starting a process with a partial executable path
Severity: Low Confidence: High
Location: ./web3py/web3py/tests/test_session.py:59
More Info: https://bandit.readthedocs.io/en/latest/plugins/b607_start_process_with_partial_path.html
58 try:
59 memcache_process = subprocess.Popen(['memcached', '-p', '11211'])
60 time.sleep(1)
--------------------------------------------------
>> Issue: [B603:subprocess_without_shell_equals_true] subprocess call - check for execution of untrusted input.
Severity: Low Confidence: High
Location: ./web3py/web3py/tests/test_session.py:59
More Info: https://bandit.readthedocs.io/en/latest/plugins/b603_subprocess_without_shell_equals_true.html
58 try:
59 memcache_process = subprocess.Popen(['memcached', '-p', '11211'])
60 time.sleep(1)
--------------------------------------------------
>> Issue: [B106:hardcoded_password_funcarg] Possible hardcoded password: 'a'
Severity: Low Confidence: Medium
Location: ./web3py/web3py/tests/test_session.py:63
More Info: https://bandit.readthedocs.io/en/latest/plugins/b106_hardcoded_password_funcarg.html
62 conn = memcache.Client(['127.0.0.1:11211'], debug=0)
63 session = Session(secret="a", expiration=10, storage=conn)
64 request.cookies.clear()
--------------------------------------------------
>> Issue: [B303:blacklist] Use of insecure MD2, MD4, MD5, or SHA1 hash function.
Severity: Medium Confidence: High
Location: ./web3py/web3py/utils/auth.py:211
More Info: https://bandit.readthedocs.io/en/latest/blacklists/blacklist_calls.html#b303-md5
210 id = user['id']
211 token = hashlib.sha1(user['email'].lower()).hexdigest()
212 db = self.db
--------------------------------------------------
>> Issue: [B106:hardcoded_password_funcarg] Possible hardcoded password: 'gdpr-unsubscribed'
Severity: Low Confidence: Medium
Location: ./web3py/web3py/utils/auth.py:213
More Info: https://bandit.readthedocs.io/en/latest/plugins/b106_hardcoded_password_funcarg.html
212 db = self.db
213 db(db.auth_user.id==id).update(
214 email="%s@example.com" % token,
215 password=None,
216 first_name='anonymous',
217 last_name='anonymous',
218 sso_id=None,
219 action_token='gdpr-unsubscribed')
220 if send:
--------------------------------------------------
>> Issue: [B303:blacklist] Use of insecure MD2, MD4, MD5, or SHA1 hash function.
Severity: Medium Confidence: High
Location: ./web3py/web3py/utils/auth.py:225
More Info: https://bandit.readthedocs.io/en/latest/blacklists/blacklist_calls.html#b303-md5
224 db = self.db
225 token = hashlib.sha1(email.lower()).hexdigest()
226 email="%s@example.com" % token
--------------------------------------------------
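The two B303 hits use `hashlib.sha1` to turn an e-mail address into a pseudonymous `<token>@example.com` when a user is GDPR-unsubscribed. The weakness that matters here is not SHA-1's collision resistance but that the hash is unkeyed over a low-entropy input: anyone holding a list of candidate addresses can recompute the token and re-identify the record. (Separately, on Python 3 `hashlib.sha1(user['email'].lower())` raises `TypeError`, since hashlib needs bytes; the example encodes first.) The block below is an added demonstration and not web3py code: the candidate list and the server key are constructed, and `hmac_token` is the keyed replacement a practitioner would substitute.

```python
import hashlib
import hmac

# Constructed candidate list: what an attacker with a breach dump or a
# customer export would try against a leaked token.
CANDIDATES = ["alice@example.org", "bob@example.org", "carol@example.org"]


def sha1_token(email):
    """The flagged pattern: unkeyed SHA-1 of the lower-cased address."""
    return hashlib.sha1(email.lower().encode("utf8")).hexdigest()


def hmac_token(email, key):
    """Keyed replacement: HMAC-SHA256 under a server-side secret. The operator
    can still link records; an outsider without the key cannot."""
    return hmac.new(key, email.lower().encode("utf8"), hashlib.sha256).hexdigest()


def recover_email(token, tokenizer, candidates):
    """Dictionary attack: recompute the token for each candidate and compare
    (constant-time compare so the check itself is not a timing side channel)."""
    for candidate in candidates:
        if hmac.compare_digest(tokenizer(candidate), token):
            return candidate
    return None


def demo():
    """Returns (address recovered from the SHA-1 token,
                address recovered from the HMAC token)."""
    server_key = b"constructed-key-load-from-env-in-production"
    victim = "Bob@Example.org"
    weak = sha1_token(victim)
    strong = hmac_token(victim, server_key)
    # The attacker knows the scheme but not the key; the best they can do is guess one.
    guessed = lambda e: hmac_token(e, b"guessed-key")
    return (recover_email(weak, sha1_token, CANDIDATES),
            recover_email(strong, guessed, CANDIDATES))


if __name__ == "__main__":
    print(demo())
```

Swapping in SHA-256, which is what the bandit message nudges towards, does not fix this on its own: `hashlib.sha256(email)` is just as enumerable. The key is what makes the token non-recomputable, and it belongs in the environment rather than in source, which is also the answer to the B105/B106 hardcoded-secret findings earlier in the run.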
Code scanned:
Total lines of code: 2701
Total lines skipped (#nosec): 0
Run metrics:
Total issues (by severity):
Undefined: 0.0
Low: 20.0
Medium: 4.0
High: 0.0
Total issues (by confidence):
Undefined: 0.0
Low: 0.0
Medium: 13.0
High: 11.0
Files skipped (0):