#
# Copyright (c) 2016 Hewlett-Packard Development Company, L.P.
#
# SPDX-License-Identifier: Apache-2.0
from unittest import mock
import sys
import testtools
from stevedore import extension
from bandit.blacklists import utils
from bandit.core import extension_loader
from bandit.core import issue
from bandit.core import test_properties as test
from bandit.core import test_set
# Name of the AST node type that string-literal checks are looked up under.
# The split at 3.14 follows the interpreter: older versions use the legacy
# "Str" name, newer ones only have "Constant".
if sys.version_info < (3, 14):
    AST_STR = "Str"
else:
    AST_STR = "Constant"
@test.checks("Str")
@test.test_id("B000")
def test_plugin():
    """Stub bandit plugin used as the only registered extension in this module.

    It is registered under test id ``B000`` and declares a check on ``Str``
    nodes. Its return value is a blacklist configuration: two entries
    (``B401`` telnet import, ``B302`` marshal deserialization) keyed by the
    node types they apply to. The tests below read these entries back via
    ``blacklist._config[<node type>]`` and check how profiles filter them.
    """
    telnet_entry = utils.build_conf_dict(
        "telnet",
        "B401",
        issue.Cwe.CLEARTEXT_TRANSMISSION,
        ["telnetlib"],
        "A telnet-related module is being imported. Telnet is "
        "considered insecure. Use SSH or some other encrypted protocol.",
        "HIGH",
    )
    marshal_entry = utils.build_conf_dict(
        "marshal",
        "B302",
        issue.Cwe.DESERIALIZATION_OF_UNTRUSTED_DATA,
        ["marshal.load", "marshal.loads"],
        "Deserialization with the marshal module is possibly dangerous.",
    )
    # Deliberately one shared list behind all three keys: the same two
    # entries apply to Import, ImportFrom and Call nodes alike.
    entries = [telnet_entry, marshal_entry]
    return dict.fromkeys(("Import", "ImportFrom", "Call"), entries)
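class BanditTestSetTests(testtools.TestCase):
    """Unit tests for ``bandit.core.test_set.BanditTestSet``.

    Every test runs against a stevedore ExtensionManager that exposes exactly
    one plugin, :func:`test_plugin` (id ``B000``). From that plugin's config
    the test set also derives the built-in blacklist test (id ``B001``,
    holding entries ``B401`` and ``B302``). The tests check how ``include`` /
    ``exclude`` profiles filter both the plugin and the blacklist entries.

    Fixture teardown is registered with ``addCleanup`` inside ``setUp`` so
    the process-wide ``ExtensionManager`` patch and the replaced
    ``extension_loader.MANAGER`` are undone even when a later line of
    ``setUp`` raises (``tearDown`` does not run in that case).
    """

    def _make_test_manager(self, plugin):
        """Return a stevedore manager whose sole extension wraps ``test_plugin``.

        ``plugin`` is accepted for call compatibility but is not used: the
        manager always exposes the module-level :func:`test_plugin`.
        """
        return extension.ExtensionManager.make_test_instance(
            [extension.Extension("test_plugin", None, test_plugin, None)]
        )

    def setUp(self):
        """Install the single-plugin manager and a setting-less config."""
        super().setUp()
        mngr = self._make_test_manager(mock.Mock)
        # Patch the ExtensionManager class module-wide so that constructing
        # one anywhere (presumably inside extension_loader.Manager below)
        # yields our single-plugin manager instead of scanning entry points.
        self.patchExtMan = mock.patch("stevedore.extension.ExtensionManager")
        self.mockExtMan = self.patchExtMan.start()
        # Register the undo right after start(): cleanups run even if the
        # rest of setUp fails, so the global patch cannot leak into other
        # tests the way a tearDown-only stop() would.
        self.addCleanup(self.patchExtMan.stop)
        self.mockExtMan.return_value = mngr
        # Swap in a fresh MANAGER built while the patch is active and restore
        # the original on cleanup. Cleanups run LIFO, so the restore happens
        # before the patch is stopped.
        self.old_ext_man = extension_loader.MANAGER
        self.addCleanup(setattr, extension_loader, "MANAGER", self.old_ext_man)
        extension_loader.MANAGER = extension_loader.Manager()
        # A config that answers None to every get_setting(); the tests pass
        # profiles explicitly instead of reading them from config.
        self.config = mock.MagicMock()
        self.config.get_setting.return_value = None

    def test_has_defaults(self):
        """With no profile the plugin check is registered once."""
        ts = test_set.BanditTestSet(self.config)
        self.assertEqual(1, len(ts.get_tests(AST_STR)))

    def test_profile_include_id(self):
        """Including the plugin's own id keeps it."""
        profile = {"include": ["B000"]}
        ts = test_set.BanditTestSet(self.config, profile)
        self.assertEqual(1, len(ts.get_tests(AST_STR)))

    def test_profile_exclude_id(self):
        """Excluding the plugin's id drops it."""
        profile = {"exclude": ["B000"]}
        ts = test_set.BanditTestSet(self.config, profile)
        self.assertEqual(0, len(ts.get_tests(AST_STR)))

    def test_profile_include_none(self):
        """An empty include list behaves like no include at all."""
        profile = {"include": []}  # same as no include
        ts = test_set.BanditTestSet(self.config, profile)
        self.assertEqual(1, len(ts.get_tests(AST_STR)))

    def test_profile_exclude_none(self):
        """An empty exclude list behaves like no exclude at all."""
        profile = {"exclude": []}  # same as no exclude
        ts = test_set.BanditTestSet(self.config, profile)
        self.assertEqual(1, len(ts.get_tests(AST_STR)))

    def test_profile_has_builtin_blacklist(self):
        """The blacklist test is attached to each node type the plugin lists."""
        ts = test_set.BanditTestSet(self.config)
        self.assertEqual(1, len(ts.get_tests("Import")))
        self.assertEqual(1, len(ts.get_tests("ImportFrom")))
        self.assertEqual(1, len(ts.get_tests("Call")))

    def test_profile_exclude_builtin_blacklist(self):
        """Excluding B001 removes the blacklist test from every node type."""
        profile = {"exclude": ["B001"]}
        ts = test_set.BanditTestSet(self.config, profile)
        self.assertEqual(0, len(ts.get_tests("Import")))
        self.assertEqual(0, len(ts.get_tests("ImportFrom")))
        self.assertEqual(0, len(ts.get_tests("Call")))

    def test_profile_exclude_builtin_blacklist_specific(self):
        """Excluding every blacklist entry by id also removes the test."""
        profile = {"exclude": ["B302", "B401"]}
        ts = test_set.BanditTestSet(self.config, profile)
        self.assertEqual(0, len(ts.get_tests("Import")))
        self.assertEqual(0, len(ts.get_tests("ImportFrom")))
        self.assertEqual(0, len(ts.get_tests("Call")))

    def test_profile_filter_blacklist_none(self):
        """Without a profile both blacklist entries survive per node type."""
        ts = test_set.BanditTestSet(self.config)
        blacklist = ts.get_tests("Import")[0]
        self.assertEqual(2, len(blacklist._config["Import"]))
        self.assertEqual(2, len(blacklist._config["ImportFrom"]))
        self.assertEqual(2, len(blacklist._config["Call"]))

    def test_profile_filter_blacklist_one(self):
        """Excluding one entry id (B401) leaves the other in every node type."""
        profile = {"exclude": ["B401"]}
        ts = test_set.BanditTestSet(self.config, profile)
        blacklist = ts.get_tests("Import")[0]
        self.assertEqual(1, len(blacklist._config["Import"]))
        self.assertEqual(1, len(blacklist._config["ImportFrom"]))
        self.assertEqual(1, len(blacklist._config["Call"]))

    def test_profile_filter_blacklist_include(self):
        """Including B001 plus a single entry id keeps only that entry."""
        profile = {"include": ["B001", "B401"]}
        ts = test_set.BanditTestSet(self.config, profile)
        blacklist = ts.get_tests("Import")[0]
        self.assertEqual(1, len(blacklist._config["Import"]))
        self.assertEqual(1, len(blacklist._config["ImportFrom"]))
        self.assertEqual(1, len(blacklist._config["Call"]))

    def test_profile_filter_blacklist_all(self):
        """Excluding all entries yields no blacklist test at all."""
        profile = {"exclude": ["B401", "B302"]}
        ts = test_set.BanditTestSet(self.config, profile)
        # if there is no blacklist data for a node type then we wont add a
        # blacklist test to it, as this would be pointless.
        self.assertEqual(0, len(ts.get_tests("Import")))
        self.assertEqual(0, len(ts.get_tests("ImportFrom")))
        self.assertEqual(0, len(ts.get_tests("Call")))

    def test_profile_blacklist_compat(self):
        """A profile-supplied ``blacklist`` section replaces the plugin's.

        Only ``Call`` data is given here, so the resulting blacklist test must
        carry no ``Import``/``ImportFrom`` config and exactly one Call entry.
        """
        data = [
            utils.build_conf_dict(
                "marshal",
                "B302",
                issue.Cwe.DESERIALIZATION_OF_UNTRUSTED_DATA,
                ["marshal.load", "marshal.loads"],
                (
                    "Deserialization with the marshal module is possibly "
                    "dangerous."
                ),
            )
        ]
        profile = {"include": ["B001"], "blacklist": {"Call": data}}
        ts = test_set.BanditTestSet(self.config, profile)
        blacklist = ts.get_tests("Call")[0]
        self.assertNotIn("Import", blacklist._config)
        self.assertNotIn("ImportFrom", blacklist._config)
        self.assertEqual(1, len(blacklist._config["Call"]))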