From b6268f9593b0deba2dfebbe647f4053eeb2a0ed6 Mon Sep 17 00:00:00 2001 From: Yassine Ilmi Date: Tue, 5 Nov 2019 11:58:59 +0000 Subject: [PATCH 01/19] Adding tarfile.extractall() plugin with examples --- README.rst | 1 + bandit/plugins/tarfile_unsafe_members.py | 115 ++++++++++++++++++ .../plugins/b612_tarfile_unsafe_members.rst | 5 + examples/tarfile_extractall.py | 47 +++++++ setup.cfg | 3 + 5 files changed, 171 insertions(+) create mode 100644 bandit/plugins/tarfile_unsafe_members.py create mode 100644 doc/source/plugins/b612_tarfile_unsafe_members.rst create mode 100644 examples/tarfile_extractall.py diff --git a/README.rst b/README.rst index 98424142c..2556faa1f 100644 --- a/README.rst +++ b/README.rst @@ -248,6 +248,7 @@ Usage:: B609 linux_commands_wildcard_injection B610 django_extra_used B611 django_rawsql_used + B612 tarfile_unsafe_members B701 jinja2_autoescape_false B702 use_of_mako_templates B703 django_mark_safe diff --git a/bandit/plugins/tarfile_unsafe_members.py b/bandit/plugins/tarfile_unsafe_members.py new file mode 100644 index 000000000..45d09d2de --- /dev/null +++ b/bandit/plugins/tarfile_unsafe_members.py 
@@ -0,0 +1,115 @@ +# Copyright (c) 2019 VMware, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + + +r""" +================================= +B612: Test for tarfile.extractall +================================= + +This plugin will look for usage of ``tarfile.extractall()`` + +Severity are set as follows: + +* ``tarfile.extractalll(members=function(tarfile))`` - LOW +* ``tarfile.extractalll(members=?)`` - member is not a function - MEDIUM +* ``tarfile.extractall()`` - members from the archive is trusted - HIGH + +Use ``tarfile.extractall(members=function_name)`` and define a function +that will inspect each member. Discard files that contain a directory +traversal sequences such as ``../`` or ``\..`` along with all special filetypes +unless you explicitly need them. + +:Example: + +.. code-block:: none + + >> Issue: [B612:tarfile_unsafe_members] tarfile.extractall used without + any validation. You should check members and discard dangerous ones + Severity: High Confidence: High + Location: examples/tarfile_extractall.py:8 + More Info: + https://bandit.readthedocs.io/en/latest/plugins/b612_tarfile_unsafe_members.html + 7 tar = tarfile.open(filename) + 8 tar.extractall(path=tempfile.mkdtemp()) + 9 tar.close() + + +.. seealso:: + + - https://docs.python.org/3/library/tarfile.html#tarfile.TarFile.extractall + - https://docs.python.org/3/library/tarfile.html#tarfile.TarInfo + +.. 
versionadded:: 1.6.3 + +""" +import ast +import bandit + +from bandit.core import test_properties as test + + +def exec_issue(level, members=''): + if level == bandit.LOW: + return bandit.Issue( + severity=bandit.LOW, + confidence=bandit.LOW, + text="Usage of tarfile.extractall(members=function(tarfile)). " + "Make sure your function properly discards dangerous members " + "{members}).".format(members=members)) + elif level == bandit.MEDIUM: + return bandit.Issue( + severity=bandit.MEDIUM, + confidence=bandit.MEDIUM, + text="Found tarfile.extractall(members=?) but couldn't " + "identify the type of members. " + "Check if the members were properly validated " + "{members}).".format(members=members)) + else: + return bandit.Issue( + severity=bandit.HIGH, + confidence=bandit.HIGH, + text="tarfile.extractall used without any validation. " + "You should check members and discard dangerous ones " + ) + + +def get_members_value(context): + for keyword in context.node.keywords: + if keyword.arg == 'members': + arg = keyword.value + if isinstance(arg, ast.Call): + return {'Function': arg.func.id} + else: + value = arg.id if isinstance(arg, ast.Name) else arg + return {'Other': value} + + +@test.test_id('B612') +@test.checks('Call') +def tarfile_unsafe_members(context): + if all([ + context.is_module_imported_exact('tarfile'), + 'extractall' in context.call_function_name]): + if 'members' in context.call_keywords: + members = get_members_value(context) + if 'Function' in members: + return exec_issue( + bandit.LOW, + members) + else: + return exec_issue( + bandit.MEDIUM, + members) + return exec_issue(bandit.HIGH) diff --git a/doc/source/plugins/b612_tarfile_unsafe_members.rst b/doc/source/plugins/b612_tarfile_unsafe_members.rst new file mode 100644 index 000000000..ac110cbb5 --- /dev/null +++ b/doc/source/plugins/b612_tarfile_unsafe_members.rst 
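Review bot: `get_members_value` reads `arg.func.id` whenever the `members=` value is an `ast.Call`, but a call through an attribute (for example `members=self.keep_safe(tar)`) has an `ast.Attribute` as `func` and no `id`, so the plugin raises AttributeError on such code and the finding is lost whether or not bandit's runner swallows the exception. The `else` branch returns the raw AST node when the value is not a Name, which then lands in the issue text as something like `<ast.List object at 0x...>`; `ast.dump(arg)` gives a readable rendering instead. The LOW and MEDIUM messages also close a parenthesis that was never opened (`... dangerous members {members}).`), and `exec_issue`'s default `members=''` is never formatted into the HIGH message, so a `members=None` default would be clearer. A sturdier shape for the keyword loop:
```python
def get_members_value(context):
    """Return {'Function': name} or {'Other': rendering} for the members= keyword."""
    for keyword in context.node.keywords:
        if keyword.arg == 'members':
            arg = keyword.value
            if isinstance(arg, ast.Call):
                func = arg.func
                name = func.id if isinstance(func, ast.Name) else getattr(func, 'attr', ast.dump(func))
                return {'Function': name}
            value = arg.id if isinstance(arg, ast.Name) else ast.dump(arg)
            return {'Other': value}
```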
@@ -0,0 +1,5 @@ +---------------------------- +B612: tarfile_unsafe_members +---------------------------- + +.. automodule:: bandit.plugins.tarfile_unsafe_members diff --git a/examples/tarfile_extractall.py b/examples/tarfile_extractall.py new file mode 100644 index 000000000..2af3eb544 --- /dev/null +++ b/examples/tarfile_extractall.py @@ -0,0 +1,47 @@ +import sys +import tarfile +import tempfile + + +def unsafe_archive_handler(filename): + tar = tarfile.open(filename) + tar.extractall(path=tempfile.mkdtemp()) + tar.close() + + +def managed_members_archive_handler(filename): + tar = tarfile.open(filename) + tar.extractall(path=tempfile.mkdtemp(), members=members_filter(tar)) + tar.close() + + +def list_members_archive_handler(filename): + tar = tarfile.open(filename) + tar.extractall(path=tempfile.mkdtemp(), members=[]) + tar.close() + + +def provided_members_archive_handler(filename): + tar = tarfile.open(filename) + tarfile.extractall(path=tempfile.mkdtemp(), members=tar) + tar.close() + + +def members_filter(tarfile): + result = [] + for member in tarfile.getmembers(): + if '../' in member.name: + print('Member name container directory traversal sequence') + continue + elif (member.issym() or member.islnk()) and ('../' in member.linkname): + print('Symlink to external resource') + continue + result.append(member) + return result + + +if __name__ == "__main__": + if len(sys.argv) > 1: + filename = sys.argv[1] + unsafe_archive_handler(filename) + managed_members_archive_handler(filename) diff --git a/setup.cfg b/setup.cfg index f0ec29c01..016dc091e 100644 --- a/setup.cfg +++ b/setup.cfg @@ -122,6 +122,9 @@ bandit.plugins = # bandit/plugins/ssh_no_host_key_verification.py ssh_no_host_key_verification = bandit.plugins.ssh_no_host_key_verification:ssh_no_host_key_verification + #bandit/plugins/tarfile_unsafe_members.py + tarfile_unsafe_members = bandit.plugins.tarfile_unsafe_members:tarfile_unsafe_members + [build_sphinx] all_files = 1 build-dir = doc/build 
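Review bot: `provided_members_archive_handler` calls `tarfile.extractall(...)` on the module instead of on the opened archive, so as runnable code it fails with AttributeError; it still counts as a finding only because the plugin matches on the call name and the module import, and `tar.extractall(path=tempfile.mkdtemp(), members=tar)` would make the fixture both realistic and still detected. `members_filter(tarfile)` shadows the imported module name with its parameter; `archive` would avoid the confusion. The filter only rejects names containing `../`, so absolute member names and the special file types the plugin docstring tells users to discard pass straight through — since this is the example that earns the LOW rating, either harden it or add a comment stating it is illustrative only. The handlers also open the archive without `with`, so an exception inside `extractall` leaves the file handle open.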
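Review bot: The new comment line `#bandit/plugins/tarfile_unsafe_members.py` drops the space after `#` that the neighbouring entry (`# bandit/plugins/ssh_no_host_key_verification.py`) uses; `# bandit/plugins/tarfile_unsafe_members.py` keeps the block consistent.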
From b03ba9974394b67f421c3c1bdae992fa39b9db02 Mon Sep 17 00:00:00 2001 From: Eric Brown Date: Mon, 11 Jul 2022 09:47:38 -0700 Subject: [PATCH 02/19] Update README.rst --- README.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.rst b/README.rst index 1298ba7fc..0586aa903 100644 --- a/README.rst +++ b/README.rst @@ -250,7 +250,7 @@ Usage:: B609 linux_commands_wildcard_injection B610 django_extra_used B611 django_rawsql_used - B612 tarfile_unsafe_members + B202 tarfile_unsafe_members B701 jinja2_autoescape_false B702 use_of_mako_templates B703 django_mark_safe From 0ceb4aa0287bab86c83d9b513628616736f2ed9a Mon Sep 17 00:00:00 2001 From: Eric Brown Date: Mon, 11 Jul 2022 09:47:47 -0700 Subject: [PATCH 03/19] Apply suggestions from code review --- bandit/plugins/tarfile_unsafe_members.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bandit/plugins/tarfile_unsafe_members.py b/bandit/plugins/tarfile_unsafe_members.py index 45d09d2de..94742b151 100644 --- a/bandit/plugins/tarfile_unsafe_members.py +++ b/bandit/plugins/tarfile_unsafe_members.py @@ -1,6 +1,6 @@ # Copyright (c) 2019 VMware, Inc. # -# Licensed under the Apache License, Version 2.0 (the "License"); you may +# SPDX-License-Identifier: Apache-2.0 # not use this file except in compliance with the License. You may obtain # a copy of the License at # From c1fc5871f71df16899fce9c8396199fb6259ea11 Mon Sep 17 00:00:00 2001 From: Eric Brown Date: Mon, 11 Jul 2022 09:47:57 -0700 Subject: [PATCH 04/19] Update bandit/plugins/tarfile_unsafe_members.py --- bandit/plugins/tarfile_unsafe_members.py | 1 - 1 file changed, 1 deletion(-) diff --git a/bandit/plugins/tarfile_unsafe_members.py b/bandit/plugins/tarfile_unsafe_members.py index 94742b151..a63b8b127 100644 --- a/bandit/plugins/tarfile_unsafe_members.py +++ b/bandit/plugins/tarfile_unsafe_members.py 
@@ -1,4 +1,3 @@ -# Copyright (c) 2019 VMware, Inc. # # SPDX-License-Identifier: Apache-2.0 # not use this file except in compliance with the License. You may obtain From 9aa702ef07e9319d13b776b030dc8d2f138bf766 Mon Sep 17 00:00:00 2001 From: Eric Brown Date: Mon, 11 Jul 2022 09:48:05 -0700 Subject: [PATCH 05/19] Update bandit/plugins/tarfile_unsafe_members.py --- bandit/plugins/tarfile_unsafe_members.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bandit/plugins/tarfile_unsafe_members.py b/bandit/plugins/tarfile_unsafe_members.py index a63b8b127..3cf15407c 100644 --- a/bandit/plugins/tarfile_unsafe_members.py +++ b/bandit/plugins/tarfile_unsafe_members.py @@ -14,7 +14,7 @@ r""" ================================= -B612: Test for tarfile.extractall +B202: Test for tarfile.extractall ================================= This plugin will look for usage of ``tarfile.extractall()`` From edb857ef1632ee95a02b743ba5ea88a8ab41041b Mon Sep 17 00:00:00 2001 From: Eric Brown Date: Mon, 11 Jul 2022 09:48:44 -0700 Subject: [PATCH 06/19] Update bandit/plugins/tarfile_unsafe_members.py --- bandit/plugins/tarfile_unsafe_members.py | 12 ------------ 1 file changed, 12 deletions(-) diff --git a/bandit/plugins/tarfile_unsafe_members.py b/bandit/plugins/tarfile_unsafe_members.py index 3cf15407c..7f8ba4e8e 100644 --- a/bandit/plugins/tarfile_unsafe_members.py +++ b/bandit/plugins/tarfile_unsafe_members.py 
@@ -1,17 +1,5 @@ # # SPDX-License-Identifier: Apache-2.0 -# not use this file except in compliance with the License. You may obtain -# a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. - - r""" ================================= B202: Test for tarfile.extractall From ecef3816d4d50cc65e7ec7bf8a5497b65735f870 Mon Sep 17 00:00:00 2001 From: Eric Brown Date: Mon, 11 Jul 2022 09:49:01 -0700 Subject: [PATCH 07/19] Update bandit/plugins/tarfile_unsafe_members.py --- bandit/plugins/tarfile_unsafe_members.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bandit/plugins/tarfile_unsafe_members.py b/bandit/plugins/tarfile_unsafe_members.py index 7f8ba4e8e..493fa81ee 100644 --- a/bandit/plugins/tarfile_unsafe_members.py +++ b/bandit/plugins/tarfile_unsafe_members.py @@ -22,7 +22,7 @@ .. code-block:: none - >> Issue: [B612:tarfile_unsafe_members] tarfile.extractall used without + >> Issue: [B202:tarfile_unsafe_members] tarfile.extractall used without any validation. You should check members and discard dangerous ones Severity: High Confidence: High Location: examples/tarfile_extractall.py:8 From bf5a32c7dd3986e1972f4cd526240d76272c50c2 Mon Sep 17 00:00:00 2001 From: Eric Brown Date: Mon, 11 Jul 2022 09:49:09 -0700 Subject: [PATCH 08/19] Update bandit/plugins/tarfile_unsafe_members.py --- bandit/plugins/tarfile_unsafe_members.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bandit/plugins/tarfile_unsafe_members.py b/bandit/plugins/tarfile_unsafe_members.py index 493fa81ee..d49719913 100644 --- a/bandit/plugins/tarfile_unsafe_members.py +++ b/bandit/plugins/tarfile_unsafe_members.py 
@@ -68,7 +68,7 @@ def exec_issue(level, members=''): severity=bandit.HIGH, confidence=bandit.HIGH, text="tarfile.extractall used without any validation. " - "You should check members and discard dangerous ones " + "Please check and discard dangerous members." ) From 670347288ceaa45f82e5d61f217d755007599cff Mon Sep 17 00:00:00 2001 From: Eric Brown Date: Mon, 11 Jul 2022 09:49:16 -0700 Subject: [PATCH 09/19] Update doc/source/plugins/b612_tarfile_unsafe_members.rst --- doc/source/plugins/b612_tarfile_unsafe_members.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/source/plugins/b612_tarfile_unsafe_members.rst b/doc/source/plugins/b612_tarfile_unsafe_members.rst index ac110cbb5..3b99055e3 100644 --- a/doc/source/plugins/b612_tarfile_unsafe_members.rst +++ b/doc/source/plugins/b612_tarfile_unsafe_members.rst @@ -1,5 +1,5 @@ ---------------------------- -B612: tarfile_unsafe_members +B202: tarfile_unsafe_members ---------------------------- .. automodule:: bandit.plugins.tarfile_unsafe_members From 4847e702e0b93b9b10249d1834acc970488c1c82 Mon Sep 17 00:00:00 2001 From: Eric Brown Date: Mon, 11 Jul 2022 09:49:23 -0700 Subject: [PATCH 10/19] Update bandit/plugins/tarfile_unsafe_members.py --- bandit/plugins/tarfile_unsafe_members.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bandit/plugins/tarfile_unsafe_members.py b/bandit/plugins/tarfile_unsafe_members.py index d49719913..37c1b6368 100644 --- a/bandit/plugins/tarfile_unsafe_members.py +++ b/bandit/plugins/tarfile_unsafe_members.py @@ -83,7 +83,7 @@ def get_members_value(context): return {'Other': value} -@test.test_id('B612') +@test.test_id('B202') @test.checks('Call') def tarfile_unsafe_members(context): if all([ From 42dd4d5972f9513c9e56a7602410b8bf446f38fe Mon Sep 17 00:00:00 2001 
From: Eric Brown Date: Mon, 11 Jul 2022 09:49:34 -0700 Subject: [PATCH 11/19] Update bandit/plugins/tarfile_unsafe_members.py --- bandit/plugins/tarfile_unsafe_members.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bandit/plugins/tarfile_unsafe_members.py b/bandit/plugins/tarfile_unsafe_members.py index 37c1b6368..00d69dddb 100644 --- a/bandit/plugins/tarfile_unsafe_members.py +++ b/bandit/plugins/tarfile_unsafe_members.py @@ -38,7 +38,7 @@ - https://docs.python.org/3/library/tarfile.html#tarfile.TarFile.extractall - https://docs.python.org/3/library/tarfile.html#tarfile.TarInfo -.. versionadded:: 1.6.3 +.. versionadded:: 1.7.5 """ import ast From a8f38bc01faaf0a945cf402161f02119dcb55336 Mon Sep 17 00:00:00 2001 From: Eric Brown Date: Mon, 11 Jul 2022 09:49:41 -0700 Subject: [PATCH 12/19] Update bandit/plugins/tarfile_unsafe_members.py --- bandit/plugins/tarfile_unsafe_members.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bandit/plugins/tarfile_unsafe_members.py b/bandit/plugins/tarfile_unsafe_members.py index 00d69dddb..2c35c7b4f 100644 --- a/bandit/plugins/tarfile_unsafe_members.py +++ b/bandit/plugins/tarfile_unsafe_members.py @@ -27,7 +27,7 @@ Severity: High Confidence: High Location: examples/tarfile_extractall.py:8 More Info: - https://bandit.readthedocs.io/en/latest/plugins/b612_tarfile_unsafe_members.html + https://bandit.readthedocs.io/en/latest/plugins/b202_tarfile_unsafe_members.html 7 tar = tarfile.open(filename) 8 tar.extractall(path=tempfile.mkdtemp()) 9 tar.close() From e1349fa1d4a0d73e9e449ab68ad925d6a8d13a4d Mon Sep 17 00:00:00 2001 From: Eric Brown Date: Mon, 11 Jul 2022 09:50:57 -0700 Subject: [PATCH 13/19] Update README.rst --- README.rst | 1 - 1 file changed, 1 deletion(-) diff --git a/README.rst b/README.rst index 0586aa903..8ca8bf8bd 100644 --- a/README.rst +++ b/README.rst 
@@ -250,7 +250,6 @@ Usage:: B609 linux_commands_wildcard_injection B610 django_extra_used B611 django_rawsql_used - B202 tarfile_unsafe_members B701 jinja2_autoescape_false B702 use_of_mako_templates B703 django_mark_safe From d4261c82bf6bf38c40af7e6353763b3862fdc110 Mon Sep 17 00:00:00 2001 From: Eric Brown Date: Mon, 11 Jul 2022 09:51:17 -0700 Subject: [PATCH 14/19] Update bandit/plugins/tarfile_unsafe_members.py --- bandit/plugins/tarfile_unsafe_members.py | 1 + 1 file changed, 1 insertion(+) diff --git a/bandit/plugins/tarfile_unsafe_members.py b/bandit/plugins/tarfile_unsafe_members.py index 2c35c7b4f..b0dc2d283 100644 --- a/bandit/plugins/tarfile_unsafe_members.py +++ b/bandit/plugins/tarfile_unsafe_members.py @@ -1,5 +1,6 @@ # # SPDX-License-Identifier: Apache-2.0 +# r""" ================================= B202: Test for tarfile.extractall From ff3f756f3ce962185722619f65da9f869b7b9625 Mon Sep 17 00:00:00 2001 From: Eric Brown Date: Mon, 11 Jul 2022 09:58:08 -0700 Subject: [PATCH 15/19] Apply suggestions from code review --- bandit/plugins/tarfile_unsafe_members.py | 21 +++++++++++---------- 1 file changed, 11 insertions(+), 10 deletions(-) diff --git a/bandit/plugins/tarfile_unsafe_members.py b/bandit/plugins/tarfile_unsafe_members.py index b0dc2d283..97ee8e444 100644 --- a/bandit/plugins/tarfile_unsafe_members.py +++ b/bandit/plugins/tarfile_unsafe_members.py @@ -43,12 +43,13 @@ """ import ast + import bandit from bandit.core import test_properties as test -def exec_issue(level, members=''): +def exec_issue(level, members=""): if level == bandit.LOW: return bandit.Issue( severity=bandit.LOW, 
@@ -75,24 +76,24 @@ def exec_issue(level, members=''): def get_members_value(context): for keyword in context.node.keywords: - if keyword.arg == 'members': + if keyword.arg == "members": arg = keyword.value if isinstance(arg, ast.Call): - return {'Function': arg.func.id} + return {"Function": arg.func.id} else: value = arg.id if isinstance(arg, ast.Name) else arg - return {'Other': value} + return {"Other": value} -@test.test_id('B202') -@test.checks('Call') +@test.test_id("B202") +@test.checks("Call") def tarfile_unsafe_members(context): if all([ - context.is_module_imported_exact('tarfile'), - 'extractall' in context.call_function_name]): - if 'members' in context.call_keywords: + context.is_module_imported_exact("tarfile"), + "extractall" in context.call_function_name]): + if "members" in context.call_keywords: members = get_members_value(context) - if 'Function' in members: + if "Function" in members: return exec_issue( bandit.LOW, members) From 4dc85a54ac139d0c05f2b48ce4028f8d4ba404b8 Mon Sep 17 00:00:00 2001 From: Eric Brown Date: Mon, 11 Jul 2022 10:04:09 -0700 Subject: [PATCH 16/19] Update tarfile_unsafe_members.py --- bandit/plugins/tarfile_unsafe_members.py | 32 ++++++++++++------------ 1 file changed, 16 insertions(+), 16 deletions(-) diff --git a/bandit/plugins/tarfile_unsafe_members.py b/bandit/plugins/tarfile_unsafe_members.py index 97ee8e444..f64fd680a 100644 --- a/bandit/plugins/tarfile_unsafe_members.py +++ b/bandit/plugins/tarfile_unsafe_members.py @@ -45,7 +45,6 @@ import ast import bandit - from bandit.core import test_properties as test 
@@ -55,23 +54,25 @@ def exec_issue(level, members=""): severity=bandit.LOW, confidence=bandit.LOW, text="Usage of tarfile.extractall(members=function(tarfile)). " - "Make sure your function properly discards dangerous members " - "{members}).".format(members=members)) + "Make sure your function properly discards dangerous members " + "{members}).".format(members=members), + ) elif level == bandit.MEDIUM: return bandit.Issue( severity=bandit.MEDIUM, confidence=bandit.MEDIUM, text="Found tarfile.extractall(members=?) but couldn't " - "identify the type of members. " - "Check if the members were properly validated " - "{members}).".format(members=members)) + "identify the type of members. " + "Check if the members were properly validated " + "{members}).".format(members=members), + ) else: return bandit.Issue( severity=bandit.HIGH, confidence=bandit.HIGH, text="tarfile.extractall used without any validation. " - "Please check and discard dangerous members." - ) + "Please check and discard dangerous members.", + ) def get_members_value(context): @@ -88,17 +89,16 @@ def get_members_value(context): @test.test_id("B202") @test.checks("Call") def tarfile_unsafe_members(context): - if all([ + if all( + [ context.is_module_imported_exact("tarfile"), - "extractall" in context.call_function_name]): + "extractall" in context.call_function_name, + ] + ): if "members" in context.call_keywords: members = get_members_value(context) if "Function" in members: - return exec_issue( - bandit.LOW, - members) + return exec_issue(bandit.LOW, members) else: - return exec_issue( - bandit.MEDIUM, - members) + return exec_issue(bandit.MEDIUM, members) return exec_issue(bandit.HIGH) From ea44418dd70e59b7cdef67564e1a652f59ccbb81 Mon Sep 17 00:00:00 2001 From: Eric Brown Date: Mon, 11 Jul 2022 10:09:44 -0700 Subject: [PATCH 17/19] Update tarfile_unsafe_members.py --- bandit/plugins/tarfile_unsafe_members.py | 4 ++++ 1 file changed, 4 insertions(+) 
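Review bot: The reformatted guard in `tarfile_unsafe_members` now spreads `all([...])` over six lines for what are just two boolean conditions; a plain conjunction reads better and avoids building a list on every Call node: `if context.is_module_imported_exact("tarfile") and "extractall" in context.call_function_name:`. The `else:` after `return exec_issue(bandit.LOW, members)` is redundant and can be flattened to a bare `return exec_issue(bandit.MEDIUM, members)`. The function is fully contained in this hunk.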
diff --git a/bandit/plugins/tarfile_unsafe_members.py b/bandit/plugins/tarfile_unsafe_members.py index f64fd680a..9dc85806f 100644 --- a/bandit/plugins/tarfile_unsafe_members.py +++ b/bandit/plugins/tarfile_unsafe_members.py @@ -26,6 +26,7 @@ >> Issue: [B202:tarfile_unsafe_members] tarfile.extractall used without any validation. You should check members and discard dangerous ones Severity: High Confidence: High + CWE: CWE-22 (https://cwe.mitre.org/data/definitions/22.html) Location: examples/tarfile_extractall.py:8 More Info: https://bandit.readthedocs.io/en/latest/plugins/b202_tarfile_unsafe_members.html @@ -53,6 +54,7 @@ def exec_issue(level, members=""): return bandit.Issue( severity=bandit.LOW, confidence=bandit.LOW, + cwe=issue.Cwe.PATH_TRAVERSAL, text="Usage of tarfile.extractall(members=function(tarfile)). " "Make sure your function properly discards dangerous members " "{members}).".format(members=members), @@ -61,6 +63,7 @@ def exec_issue(level, members=""): return bandit.Issue( severity=bandit.MEDIUM, confidence=bandit.MEDIUM, + cwe=issue.Cwe.PATH_TRAVERSAL, text="Found tarfile.extractall(members=?) but couldn't " "identify the type of members. " "Check if the members were properly validated " @@ -70,6 +73,7 @@ def exec_issue(level, members=""): return bandit.Issue( severity=bandit.HIGH, confidence=bandit.HIGH, + cwe=issue.Cwe.PATH_TRAVERSAL, text="tarfile.extractall used without any validation. " "Please check and discard dangerous members.", ) From 1d4517336ec6bdd1dbfbbbab4edc3f826c2bb089 Mon Sep 17 00:00:00 2001 From: Eric Brown Date: Mon, 11 Jul 2022 10:18:36 -0700 Subject: [PATCH 18/19] Update bandit/plugins/tarfile_unsafe_members.py --- bandit/plugins/tarfile_unsafe_members.py | 1 + 1 file changed, 1 insertion(+) diff --git a/bandit/plugins/tarfile_unsafe_members.py b/bandit/plugins/tarfile_unsafe_members.py index 9dc85806f..32c1e6127 100644 --- a/bandit/plugins/tarfile_unsafe_members.py +++ b/bandit/plugins/tarfile_unsafe_members.py 
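Review bot: The `:Example:` block gains the `CWE: CWE-22` line but still quotes the old HIGH text `any validation. You should check members and discard dangerous ones`, while `exec_issue` has emitted `Please check and discard dangerous members.` since the earlier message change in this series; the example should be updated to the current wording so readers can match output to docs. The three `cwe=issue.Cwe.PATH_TRAVERSAL` additions are in hunks that cut through `exec_issue`, whose signature and final branch lie outside them.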
@@ -46,6 +46,7 @@ import ast import bandit +from bandit.core import issue from bandit.core import test_properties as test From 959c9b5353d58ea76c676d978b1c48d344e5e8c5 Mon Sep 17 00:00:00 2001 From: Eric Brown Date: Mon, 11 Jul 2022 10:49:27 -0700 Subject: [PATCH 19/19] Update test_functional.py --- tests/functional/test_functional.py | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/tests/functional/test_functional.py b/tests/functional/test_functional.py index 16d07c0a7..cb483772e 100644 --- a/tests/functional/test_functional.py +++ b/tests/functional/test_functional.py @@ -904,3 +904,11 @@ def test_snmp_security_check(self): "CONFIDENCE": {"UNDEFINED": 0, "LOW": 0, "MEDIUM": 0, "HIGH": 3}, } self.check_example("snmp.py", expect) + + def test_tarfile_unsafe_members(self): + """Test insecure usage of tarfile.""" + expect = { + "SEVERITY": {"UNDEFINED": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 1}, + "CONFIDENCE": {"UNDEFINED": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 1}, + } + self.check_example("tarfile_extractall.py", expect)
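Review bot: `test_tarfile_unsafe_members` pins one LOW, two MEDIUM and one HIGH finding, which matches the four handlers in `examples/tarfile_extractall.py`, but none of those fixtures passes `members=` as a call through an attribute (e.g. `members=self.keep_safe(tar)`) or as a lambda, so the `ast.Call` branch of `get_members_value` that reads `arg.func.id` is only exercised for a bare function name. Adding such a handler to the example file and bumping the expected counts would cover that path. A one-line comment on `expect` noting which example function produces each severity would make future count changes easier to reason about.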