Expand B404, B602, B603 and B604 to include anyio calls #1199

Open
Skelmis opened this issue Nov 11, 2024 · 0 comments
Labels
enhancement New feature or request

Skelmis commented Nov 11, 2024

Is your feature request related to a problem? Please describe.
Currently the plugins B404, B602, B603 and B604 handle the general case of subprocesses within Python. These checks however do not cover anyio and I think it'd be useful to add support for this.

Describe the solution you'd like
Expand upon the existing plugins so that they may handle anyio cases.

Describe alternatives you've considered
Manually conducting source code review to find and locate these calls.

Additional context
While not as common as direct subprocess calls, the anyio package still appears to be relatively popular by download counts at least. Not all users will use subprocesses per se, but I still think this feature may be useful for Bandit to contain. I am also possibly looking to PR this feature myself, however I figured opening an issue first for any discussions surrounding direction would be ideal.

Example checks
Example vulnerable code as currently seen by Bandit.
The following code examples are considered equivalent (source):

result_str = await anyio.run_process("user input here")
result_str = subprocess.run("user input here", shell=True)

With the following code Bandit outputs the following, only alerting on the subprocess call.
Code:

import asyncio

import anyio
import subprocess


async def main():
    command = input()

    # Anyio
    result_str = await anyio.run_process(command)

    # Subprocess
    result_str = subprocess.run(command, shell=True)


asyncio.run(main())

Bandit output:

>> Issue: [B602:subprocess_popen_with_shell_equals_true] subprocess call with shell=True identified, security issue.
   Severity: High   Confidence: High
   CWE: CWE-78 (https://cwe.mitre.org/data/definitions/78.html)
   More Info: https://bandit.readthedocs.io/en/1.7.10/plugins/b602_subprocess_popen_with_shell_equals_true.html
   Location: ./bandit.py:14:17
13	    # Subprocess
14	    result_str = subprocess.run(command, shell=True)
15
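The detection logic the issue asks for, as an added stand-alone example (not code from the issue author or from the Bandit project): a standard-library `ast` scan that finds `anyio.run_process` / `anyio.open_process` calls and classifies the command argument the way the existing subprocess checks do. A `str` command is handed to the shell by anyio, so a non-literal `str` is the CWE-78 case B602 reports, a literal `str` still spawns a shell but has no injection point, and a list/tuple argv is the no-shell case B603 covers. The three severity labels and the `SAMPLE` source are this example's own assumptions; a real Bandit plugin would hook the same logic into Bandit's `Call` check API instead of walking the tree itself.

```python
"""Sketch of an anyio-aware subprocess check (added example, not Bandit code)."""
import ast

# anyio functions that spawn a child process. When `command` is a str, anyio
# runs it through the shell, so the str form is equivalent to shell=True.
ANYIO_SPAWN_FUNCS = {"run_process", "open_process"}


def _command_arg(call: ast.Call):
    """Return the `command` argument node: first positional or the keyword."""
    if call.args:
        return call.args[0]
    for kw in call.keywords:
        if kw.arg == "command":
            return kw.value
    return None


def _classify(cmd) -> str:
    """Assumed severity tiers, loosely modelled on B602/B603."""
    if isinstance(cmd, (ast.List, ast.Tuple)):
        return "LOW"       # argv form: no shell involved
    if isinstance(cmd, ast.Constant) and isinstance(cmd.value, str):
        return "MEDIUM"    # hard-coded str: shell spawned, no injection point
    return "HIGH"          # dynamic str (name, f-string, call): shell injection


def find_anyio_process_calls(source: str):
    """Return [(lineno, qualified_name, severity)] sorted by line number."""
    tree = ast.parse(source)
    module_aliases = set()   # names bound to the anyio module itself
    func_aliases = {}        # local name -> anyio function name
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for a in node.names:
                if a.name == "anyio":
                    module_aliases.add(a.asname or "anyio")
        elif isinstance(node, ast.ImportFrom) and node.module == "anyio":
            for a in node.names:
                if a.name in ANYIO_SPAWN_FUNCS:
                    func_aliases[a.asname or a.name] = a.name

    findings = []
    for node in ast.walk(tree):   # ast.walk also reaches Calls under Await
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        if (isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name)
                and func.value.id in module_aliases
                and func.attr in ANYIO_SPAWN_FUNCS):
            name = f"anyio.{func.attr}"
        elif isinstance(func, ast.Name) and func.id in func_aliases:
            name = f"anyio.{func_aliases[func.id]}"
        else:
            continue
        cmd = _command_arg(node)
        if cmd is None:
            continue
        findings.append((node.lineno, name, _classify(cmd)))
    findings.sort()
    return findings


# Constructed sample input covering the cases above (not from the issue).
SAMPLE = '''
import anyio
from anyio import open_process as spawn
import subprocess

async def main(command):
    await anyio.run_process(command)                 # dynamic str -> shell
    await anyio.run_process("uname -a")              # literal str -> shell
    await anyio.run_process(["ls", "-l", command])   # argv list -> no shell
    async with await spawn(command) as proc:         # aliased import
        pass
    subprocess.run(command, shell=True)              # left to B602, ignored here
'''

if __name__ == "__main__":
    for lineno, name, severity in find_anyio_process_calls(SAMPLE):
        print(f"line {lineno}: {name} call with str command, severity {severity}")
```

Running the module prints one line per anyio spawn call in `SAMPLE`; the `subprocess.run` call is deliberately not reported because the existing B602 plugin already handles it.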