1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
|
import sqlalchemy
# bad
query = """SELECT *
FROM foo WHERE id = '%s'""" % identifier
query = """INSERT INTO foo
VALUES ('a', 'b', '%s')""" % value
query = """DELETE FROM foo
WHERE id = '%s'""" % identifier
query = """UPDATE foo
SET value = 'b'
WHERE id = '%s'""" % identifier
query = """WITH cte AS (SELECT x FROM foo)
SELECT x FROM cte WHERE x = '%s'""" % identifier
# bad alternate forms
query = """SELECT *
FROM foo
WHERE id = '""" + identifier + "'"
query = """SELECT *
FROM foo
WHERE id = '{}'""".format(identifier)
query = f"""
SELECT *
FROM foo
WHERE id = {identifier}
"""
# bad
cur.execute("""SELECT *
FROM foo
WHERE id = '%s'""" % identifier)
cur.execute("""INSERT INTO foo
VALUES ('a', 'b', '%s')""" % value)
cur.execute("""DELETE FROM foo
WHERE id = '%s'""" % identifier)
cur.execute("""UPDATE foo
SET value = 'b'
WHERE id = '%s'""" % identifier)
# bad alternate forms
cur.execute("""SELECT *
FROM foo
WHERE id = '""" + identifier + "'")
cur.execute("""SELECT *
FROM foo
WHERE id = '{}'""".format(identifier))
# bad with f-string
query = f"""
SELECT *
FROM foo
WHERE id = {identifier}
"""
query = f"""
SELECT *
FROM foo
WHERE id = {identifier}
"""
query = f"""
SELECT *
FROM foo
WHERE id = {identifier}"""
query = f"""
SELECT *
FROM foo
WHERE id = {identifier}"""
cur.execute(f"""
SELECT
{column_name}
FROM foo
WHERE id = 1""")
cur.execute(f"""
SELECT
{a + b}
FROM foo
WHERE id = 1""")
cur.execute(f"""
INSERT INTO
{table_name}
VALUES (1)""")
cur.execute(f"""
UPDATE {table_name}
SET id = 1""")
# implicit concatenation mixed with f-strings
cur.execute("SELECT "
f"{column_name} "
"FROM foo "
"WHERE id = 1"
)
cur.execute("INSERT INTO "
f"{table_name} "
"VALUES (1)")
cur.execute(f"UPDATE {table_name} "
"SET id = 1")
# good
cur.execute("""SELECT *
FROM foo
WHERE id = '%s'""", identifier)
cur.execute("""INSERT INTO foo
VALUES ('a', 'b', '%s')""", value)
cur.execute("""DELETE FROM foo
WHERE id = '%s'""", identifier)
cur.execute("""UPDATE foo
SET value = 'b'
WHERE id = '%s'""", identifier)
# bug: https://bugs.launchpad.net/bandit/+bug/1479625
def a():
def b():
pass
return b
a()("""SELECT %s
FROM foo""" % val)
# skip
query = """SELECT *
FROM foo WHERE id = '%s'""" % identifier # nosec
query = """SELECT *
FROM foo WHERE id = '%s'""" % identifier # nosec B608
query = """
SELECT *
FROM foo
WHERE id = '%s'
""" % identifier # nosec B608
query = f"""
SELECT *
FROM foo
WHERE id = {identifier}
""" # nosec
query = f"""
SELECT *
FROM foo
WHERE id = {identifier}
""" # nosec B608
query = f"""
SELECT *
FROM foo
WHERE id = {identifier}""" # nosec
query = f"""
SELECT *
FROM foo
WHERE id = {identifier}""" # nosec B608
cur.execute("SELECT * " # nosec
"FROM foo "
f"WHERE id = {identifier}")
cur.execute("SELECT * " # nosec B608
"FROM foo "
f"WHERE id = {identifier}")
query = ("SELECT * " # nosec
"FROM foo "
f"WHERE id = {identifier}")
query = ("SELECT * " # nosec B608
"FROM foo "
f"WHERE id = {identifier}")
# nosec is not recognized for the 4 below cases in python 3.7
query = ("SELECT * "
"FROM foo " # nosec
f"WHERE id = {identifier}")
query = ("SELECT * "
"FROM foo " # nosec B608
f"WHERE id = {identifier}")
query = ("SELECT * "
"FROM foo "
f"WHERE id = {identifier}") # nosec
query = ("SELECT * "
"FROM foo "
f"WHERE id = {identifier}") # nosec B608
|
