
click 7.1.2

Cory Francis Myers edited this page Sep 21, 2021 · 6 revisions

Evaluation criteria

Is this dependency well-maintained?

Click has had 42 releases between 28 April 2014 and 19 May 2021.

Click is one of the Pallets Projects, "independently developed by Armin Ronacher and later used as the basis of the Flask microframework".

How secure is this dependency?

Bandit reported 34 issues in total (26 low, 1 medium, 7 high; all at high confidence). All 7 high-severity issues are in src/click/_termui_impl.py, which provides the platform-specific implementations of the interactive terminal features (pager, editor and URL launcher). Each of the seven is a shell command assembled by string formatting and executed through os.system() or subprocess.Popen(shell=True): the pager and a filename (lines 348 and 417), a `which` probe for each candidate editor name (line 447), the editor and a filename (line 462), and the URL handed to the platform launcher (lines 538 and 545; at line 544 the only visible sanitisation is removal of double quotes from the URL). The single medium-severity issue, tempfile.mktemp() at line 408, is in the same file and produces the filename that the pager command at line 417 formats into its shell string. The low-severity findings are silent `except Exception: pass` blocks, a non-cryptographic random suffix for atomic-write temporary names (_compat.py:564), and subprocess calls that already pass argument lists rather than shell strings. Whether any of the high-severity sites is reachable with attacker-controlled input depends on how the calling application uses click.edit(), click.echo_via_pager() and click.launch(); the scan establishes the pattern, not exploitability.

cfm@ozymandias{1066}$ bandit -r src             [~/Downloads/click-7.1.2 12:21]
[main]	INFO	profile include tests: None
[main]	INFO	profile exclude tests: None
[main]	INFO	cli include tests: None
[main]	INFO	cli exclude tests: None
[main]	INFO	running on Python 3.9.6
Run started:2021-09-21 19:21:41.685514

Test results:
>> Issue: [B110:try_except_pass] Try, Except, Pass detected.
   Severity: Low   Confidence: High
   Location: src/click/_compat.py:82
   More Info: https://bandit.readthedocs.io/en/latest/plugins/b110_try_except_pass.html
81	                    self.flush()
82	                except Exception:
83	                    pass
84	                return self.buffer.write(str(x))

--------------------------------------------------
>> Issue: [B110:try_except_pass] Try, Except, Pass detected.
   Severity: Low   Confidence: High
   Location: src/click/_compat.py:94
   More Info: https://bandit.readthedocs.io/en/latest/plugins/b110_try_except_pass.html
93	            self.detach()
94	        except Exception:
95	            pass
96	

--------------------------------------------------
>> Issue: [B110:try_except_pass] Try, Except, Pass detected.
   Severity: Low   Confidence: High
   Location: src/click/_compat.py:212
   More Info: https://bandit.readthedocs.io/en/latest/plugins/b110_try_except_pass.html
211	                fileno = f.fileno()
212	            except Exception:
213	                pass
214	            else:

--------------------------------------------------
>> Issue: [B110:try_except_pass] Try, Except, Pass detected.
   Severity: Low   Confidence: High
   Location: src/click/_compat.py:227
   More Info: https://bandit.readthedocs.io/en/latest/plugins/b110_try_except_pass.html
226	                fileno = f.fileno()
227	            except Exception:
228	                pass
229	            else:

--------------------------------------------------
>> Issue: [B110:try_except_pass] Try, Except, Pass detected.
   Severity: Low   Confidence: High
   Location: src/click/_compat.py:303
   More Info: https://bandit.readthedocs.io/en/latest/plugins/b110_try_except_pass.html
302	                return False
303	            except Exception:
304	                pass
305	            return default

--------------------------------------------------
>> Issue: [B311:blacklist] Standard pseudo-random generators are not suitable for security/cryptographic purposes.
   Severity: Low   Confidence: High
   Location: src/click/_compat.py:564
   More Info: https://bandit.readthedocs.io/en/latest/blacklists/blacklist_calls.html#b311-random
563	            os.path.dirname(filename),
564	            ".__atomic-write{:08x}".format(random.randrange(1 << 32)),
565	        )

--------------------------------------------------
>> Issue: [B110:try_except_pass] Try, Except, Pass detected.
   Severity: Low   Confidence: High
   Location: src/click/_compat.py:718
   More Info: https://bandit.readthedocs.io/en/latest/plugins/b110_try_except_pass.html
717	                _ansi_stream_wrappers[stream] = rv
718	            except Exception:
719	                pass
720	            return rv

--------------------------------------------------
>> Issue: [B110:try_except_pass] Try, Except, Pass detected.
   Severity: Low   Confidence: High
   Location: src/click/_compat.py:764
   More Info: https://bandit.readthedocs.io/en/latest/plugins/b110_try_except_pass.html
763	            cache[stream] = rv
764	        except Exception:
765	            pass
766	        return rv

--------------------------------------------------
>> Issue: [B605:start_process_with_a_shell] Starting a process with a shell: Seems safe, but may be changed in the future, consider rewriting without shell
   Severity: Low   Confidence: High
   Location: src/click/_termui_impl.py:340
   More Info: https://bandit.readthedocs.io/en/latest/plugins/b605_start_process_with_a_shell.html
339	        return _tempfilepager(generator, "more <", color)
340	    if hasattr(os, "system") and os.system("(less) 2>/dev/null") == 0:
341	        return _pipepager(generator, "less", color)

--------------------------------------------------
>> Issue: [B607:start_process_with_partial_path] Starting a process with a partial executable path
   Severity: Low   Confidence: High
   Location: src/click/_termui_impl.py:340
   More Info: https://bandit.readthedocs.io/en/latest/plugins/b607_start_process_with_partial_path.html
339	        return _tempfilepager(generator, "more <", color)
340	    if hasattr(os, "system") and os.system("(less) 2>/dev/null") == 0:
341	        return _pipepager(generator, "less", color)

--------------------------------------------------
>> Issue: [B605:start_process_with_a_shell] Starting a process with a shell, possible injection detected, security issue.
   Severity: High   Confidence: High
   Location: src/click/_termui_impl.py:348
   More Info: https://bandit.readthedocs.io/en/latest/plugins/b605_start_process_with_a_shell.html
347	    try:
348	        if hasattr(os, "system") and os.system('more "{}"'.format(filename)) == 0:
349	            return _pipepager(generator, "more", color)

--------------------------------------------------
>> Issue: [B404:blacklist] Consider possible security implications associated with subprocess module.
   Severity: Low   Confidence: High
   Location: src/click/_termui_impl.py:359
   More Info: https://bandit.readthedocs.io/en/latest/blacklists/blacklist_imports.html#b404-import-subprocess
358	    """
359	    import subprocess
360	
361	    env = dict(os.environ)

--------------------------------------------------
>> Issue: [B602:subprocess_popen_with_shell_equals_true] subprocess call with shell=True identified, security issue.
   Severity: High   Confidence: High
   Location: src/click/_termui_impl.py:374
   More Info: https://bandit.readthedocs.io/en/latest/plugins/b602_subprocess_popen_with_shell_equals_true.html
373	
374	    c = subprocess.Popen(cmd, shell=True, stdin=subprocess.PIPE, env=env)
375	    encoding = get_best_encoding(c.stdin)

--------------------------------------------------
>> Issue: [B306:blacklist] Use of insecure and deprecated function (mktemp).
   Severity: Medium   Confidence: High
   Location: src/click/_termui_impl.py:408
   More Info: https://bandit.readthedocs.io/en/latest/blacklists/blacklist_calls.html#b306-mktemp-q
407	
408	    filename = tempfile.mktemp()
409	    # TODO: This never terminates if the passed generator never terminates.

--------------------------------------------------
>> Issue: [B605:start_process_with_a_shell] Starting a process with a shell, possible injection detected, security issue.
   Severity: High   Confidence: High
   Location: src/click/_termui_impl.py:417
   More Info: https://bandit.readthedocs.io/en/latest/plugins/b605_start_process_with_a_shell.html
416	    try:
417	        os.system('{} "{}"'.format(cmd, filename))
418	    finally:

--------------------------------------------------
>> Issue: [B605:start_process_with_a_shell] Starting a process with a shell, possible injection detected, security issue.
   Severity: High   Confidence: High
   Location: src/click/_termui_impl.py:447
   More Info: https://bandit.readthedocs.io/en/latest/plugins/b605_start_process_with_a_shell.html
446	        for editor in "sensible-editor", "vim", "nano":
447	            if os.system("which {} >/dev/null 2>&1".format(editor)) == 0:
448	                return editor

--------------------------------------------------
>> Issue: [B404:blacklist] Consider possible security implications associated with subprocess module.
   Severity: Low   Confidence: High
   Location: src/click/_termui_impl.py:452
   More Info: https://bandit.readthedocs.io/en/latest/blacklists/blacklist_imports.html#b404-import-subprocess
451	    def edit_file(self, filename):
452	        import subprocess
453	
454	        editor = self.get_editor()

--------------------------------------------------
>> Issue: [B602:subprocess_popen_with_shell_equals_true] subprocess call with shell=True identified, security issue.
   Severity: High   Confidence: High
   Location: src/click/_termui_impl.py:462
   More Info: https://bandit.readthedocs.io/en/latest/plugins/b602_subprocess_popen_with_shell_equals_true.html
461	            c = subprocess.Popen(
462	                '{} "{}"'.format(editor, filename), env=environ, shell=True,
463	            )
464	            exit_code = c.wait()

--------------------------------------------------
>> Issue: [B404:blacklist] Consider possible security implications associated with subprocess module.
   Severity: Low   Confidence: High
   Location: src/click/_termui_impl.py:507
   More Info: https://bandit.readthedocs.io/en/latest/blacklists/blacklist_imports.html#b404-import-subprocess
506	def open_url(url, wait=False, locate=False):
507	    import subprocess
508	
509	    def _unquote_file(url):

--------------------------------------------------
>> Issue: [B603:subprocess_without_shell_equals_true] subprocess call - check for execution of untrusted input.
   Severity: Low   Confidence: High
   Location: src/click/_termui_impl.py:527
   More Info: https://bandit.readthedocs.io/en/latest/plugins/b603_subprocess_without_shell_equals_true.html
526	        try:
527	            return subprocess.Popen(args, stderr=null).wait()
528	        finally:

--------------------------------------------------
>> Issue: [B605:start_process_with_a_shell] Starting a process with a shell, possible injection detected, security issue.
   Severity: High   Confidence: High
   Location: src/click/_termui_impl.py:538
   More Info: https://bandit.readthedocs.io/en/latest/plugins/b605_start_process_with_a_shell.html
537	            )
538	        return os.system(args)
539	    elif CYGWIN:

--------------------------------------------------
>> Issue: [B605:start_process_with_a_shell] Starting a process with a shell, possible injection detected, security issue.
   Severity: High   Confidence: High
   Location: src/click/_termui_impl.py:545
   More Info: https://bandit.readthedocs.io/en/latest/plugins/b605_start_process_with_a_shell.html
544	            args = 'cygstart {} "{}"'.format("-w" if wait else "", url.replace('"', ""))
545	        return os.system(args)
546	

--------------------------------------------------
>> Issue: [B607:start_process_with_partial_path] Starting a process with a partial executable path
   Severity: Low   Confidence: High
   Location: src/click/_termui_impl.py:552
   More Info: https://bandit.readthedocs.io/en/latest/plugins/b607_start_process_with_partial_path.html
551	            url = _unquote_file(url)
552	        c = subprocess.Popen(["xdg-open", url])
553	        if wait:

--------------------------------------------------
>> Issue: [B603:subprocess_without_shell_equals_true] subprocess call - check for execution of untrusted input.
   Severity: Low   Confidence: High
   Location: src/click/_termui_impl.py:552
   More Info: https://bandit.readthedocs.io/en/latest/plugins/b603_subprocess_without_shell_equals_true.html
551	            url = _unquote_file(url)
552	        c = subprocess.Popen(["xdg-open", url])
553	        if wait:

--------------------------------------------------
>> Issue: [B404:blacklist] Consider possible security implications associated with subprocess module.
   Severity: Low   Confidence: High
   Location: src/click/_unicodefun.py:67
   More Info: https://bandit.readthedocs.io/en/latest/blacklists/blacklist_imports.html#b404-import-subprocess
66	    if os.name == "posix":
67	        import subprocess
68	
69	        try:

--------------------------------------------------
>> Issue: [B607:start_process_with_partial_path] Starting a process with a partial executable path
   Severity: Low   Confidence: High
   Location: src/click/_unicodefun.py:70
   More Info: https://bandit.readthedocs.io/en/latest/plugins/b607_start_process_with_partial_path.html
69	        try:
70	            rv = subprocess.Popen(
71	                ["locale", "-a"], stdout=subprocess.PIPE, stderr=subprocess.PIPE
72	            ).communicate()[0]

--------------------------------------------------
>> Issue: [B603:subprocess_without_shell_equals_true] subprocess call - check for execution of untrusted input.
   Severity: Low   Confidence: High
   Location: src/click/_unicodefun.py:70
   More Info: https://bandit.readthedocs.io/en/latest/plugins/b603_subprocess_without_shell_equals_true.html
69	        try:
70	            rv = subprocess.Popen(
71	                ["locale", "-a"], stdout=subprocess.PIPE, stderr=subprocess.PIPE
72	            ).communicate()[0]

--------------------------------------------------
>> Issue: [B110:try_except_pass] Try, Except, Pass detected.
   Severity: Low   Confidence: High
   Location: src/click/_winconsole.py:211
   More Info: https://bandit.readthedocs.io/en/latest/plugins/b110_try_except_pass.html
210	            self.flush()
211	        except Exception:
212	            pass
213	        return self.buffer.write(x)

--------------------------------------------------
>> Issue: [B110:try_except_pass] Try, Except, Pass detected.
   Severity: Low   Confidence: High
   Location: src/click/termui.py:258
   More Info: https://bandit.readthedocs.io/en/latest/plugins/b110_try_except_pass.html
257	                os.close(fd)
258	        except Exception:
259	            pass
260	    if not cr or not cr[0] or not cr[1]:

--------------------------------------------------
>> Issue: [B605:start_process_with_a_shell] Starting a process with a shell: Seems safe, but may be changed in the future, consider rewriting without shell
   Severity: Low   Confidence: High
   Location: src/click/termui.py:428
   More Info: https://bandit.readthedocs.io/en/latest/plugins/b605_start_process_with_a_shell.html
427	    if WIN:
428	        os.system("cls")
429	    else:

--------------------------------------------------
>> Issue: [B607:start_process_with_partial_path] Starting a process with a partial executable path
   Severity: Low   Confidence: High
   Location: src/click/termui.py:428
   More Info: https://bandit.readthedocs.io/en/latest/plugins/b607_start_process_with_partial_path.html
427	    if WIN:
428	        os.system("cls")
429	    else:

--------------------------------------------------
>> Issue: [B110:try_except_pass] Try, Except, Pass detected.
   Severity: Low   Confidence: High
   Location: src/click/testing.py:252
   More Info: https://bandit.readthedocs.io/en/latest/plugins/b110_try_except_pass.html
251	                        del os.environ[key]
252	                    except Exception:
253	                        pass
254	                else:

--------------------------------------------------
>> Issue: [B110:try_except_pass] Try, Except, Pass detected.
   Severity: Low   Confidence: High
   Location: src/click/testing.py:262
   More Info: https://bandit.readthedocs.io/en/latest/plugins/b110_try_except_pass.html
261	                        del os.environ[key]
262	                    except Exception:
263	                        pass
264	                else:

--------------------------------------------------
>> Issue: [B110:try_except_pass] Try, Except, Pass detected.
   Severity: Low   Confidence: High
   Location: src/click/utils.py:42
   More Info: https://bandit.readthedocs.io/en/latest/plugins/b110_try_except_pass.html
41	            return func(*args, **kwargs)
42	        except Exception:
43	            pass
44	

--------------------------------------------------

Code scanned:
	Total lines of code: 6314
	Total lines skipped (#nosec): 0

Run metrics:
	Total issues (by severity):
		Undefined: 0.0
		Low: 26.0
		Medium: 1.0
		High: 7.0
	Total issues (by confidence):
		Undefined: 0.0
		Low: 0.0
		Medium: 0.0
		High: 34.0
Files skipped (0):
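To make the high-severity pattern concrete, the following is an added illustration written for this review; it is not click's code. It reuses the shape of the call Bandit flags at _termui_impl.py:417 (a filename formatted into a double-quoted shell string) beside two hardened forms, and tokenises each command the way a POSIX shell would so the injected command becomes visible. The function names and the hostile filename are constructed for the example.

```python
import shlex


def unsafe_pager_command(pager, filename):
    """The shape flagged as B605: the filename is dropped into a double-quoted
    template by str.format and the result is meant for os.system(), i.e.
    /bin/sh -c. A filename containing a double quote closes the quoting."""
    return '{} "{}"'.format(pager, filename)


def safe_pager_command(pager, filename):
    """Same command for a shell, but every shell metacharacter in the filename
    is quoted by shlex.quote, so the filename stays one word."""
    return "{} {}".format(pager, shlex.quote(filename))


def safe_pager_argv(pager, filename):
    """Preferred form: no shell at all. Pass this list to subprocess.Popen
    without shell=True and the filename is a single argv element whatever
    characters it contains."""
    return [pager, filename]


def shell_words(command):
    """Tokenise a command string the way a POSIX shell would, keeping
    operators such as ';', '|', '&&' and '||' as separate tokens."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    return list(lexer)


def injected_commands(command):
    """Return the list of commands a shell would run for `command`: the argv
    lists separated by the control operators ';', '&', '&&', '||' and '|'."""
    commands, current = [], []
    for tok in shell_words(command):
        if tok in (";", "&", "&&", "||", "|"):
            if current:
                commands.append(current)
            current = []
        else:
            current.append(tok)
    if current:
        commands.append(current)
    return commands


# Constructed hostile filename (legal on Linux): the embedded double quotes
# close and reopen the quoting in the unsafe template.
HOSTILE_NAME = 'notes"; id; "x'

if __name__ == "__main__":
    print(injected_commands(unsafe_pager_command("more", HOSTILE_NAME)))
    # → [['more', 'notes'], ['id'], ['x']]   (three commands: 'id' was injected)
    print(injected_commands(safe_pager_command("more", HOSTILE_NAME)))
    # → [['more', 'notes"; id; "x']]          (one command, filename intact)
    print(safe_pager_argv("more", HOSTILE_NAME))
    # → ['more', 'notes"; id; "x']
```

The argv form is the one to prefer when reviewing or patching such call sites: it removes the shell, and with it the need to reason about which characters a given platform's shell treats specially. shlex.quote is the fallback when a shell is genuinely needed (for example to build a pipeline).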

How popular is this dependency?

Click has 11.3K GitHub stars. According to https://libraries.io/pypi/click, it is a dependency of 12.4K packages and 54.7K repositories.

Review statement

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Reviewed from:

d2b5255c7c6349bc1bd1e59e08cd12acbbd63ce649f2588755783aa94dfb6b1a  click-7.1.2.tar.gz
-----BEGIN PGP SIGNATURE-----

iQEzBAEBCgAdFiEE8m422wF7k3FrJQXVFKLelAvuBhMFAmFKMfkACgkQFKLelAvu
BhNv8Qf+J4Y4HaVD7j5SBo/AFwWsGCETOKFVrU8MPGaqqdvTlyqs4LlKBh123ijQ
FdC6nPaq9zH+pf45FG36xKrGbmPEV9oyCDm19xl6z/oSRy2nQ8Vggra1KM17G/i4
/FGAido1ik2ruMhf2VF3fbE0Kuqz76MkvTx7qIXC7iuH+d0xAlJY01gFker/Pdpm
g9rS7KZsBBUeQK6uXXADKXlsq40lT8FRZqmvHFM9XT7S8AZv517jmJpe6eCGM7IY
w3JHH7yrHj+hO6eNe2YDMBsnrAGHkuoBm+A3Bs3mQm0Ix+4yUs5vhuhSC34UHmlC
vkgDtMdfM03opEeNgqtAvvkLmBlOpQ==
=LRdw
-----END PGP SIGNATURE-----