====================================================
Blacklist various Python calls known to be dangerous
====================================================

This blacklist data checks for a number of Python calls known to have possible
security implications. The following blacklist tests are run against any
function calls encountered in the scanned code base, triggered by encountering
ast.Call nodes.

B301: pickle
------------

Pickle and the modules that wrap it can be unsafe when used to
deserialize untrusted data; this is a possible security issue.

+------+---------------------+------------------------------------+-----------+
| ID   |  Name               |  Calls                             |  Severity |
+======+=====================+====================================+===========+
| B301 | pickle              | - pickle.loads                     | Medium    |
|      |                     | - pickle.load                      |           |
|      |                     | - pickle.Unpickler                 |           |
|      |                     | - dill.loads                       |           |
|      |                     | - dill.load                        |           |
|      |                     | - dill.Unpickler                   |           |
|      |                     | - shelve.open                      |           |
|      |                     | - shelve.DbfilenameShelf           |           |
|      |                     | - jsonpickle.decode                |           |
|      |                     | - jsonpickle.unpickler.decode      |           |
|      |                     | - jsonpickle.unpickler.Unpickler   |           |
|      |                     | - pandas.read_pickle               |           |
+------+---------------------+------------------------------------+-----------+
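The usual mitigation, when pickle cannot be avoided, is to subclass ``pickle.Unpickler`` and allow-list the globals a stream may resolve, so a stream that names an arbitrary callable is refused before anything is constructed. The following is an added example, not part of this bandit module; the allow-list contents and the constructed sample streams are assumptions for illustration.

```python
"""Allow-list unpickling: refuse any global the pickle stream tries to resolve."""
import io
import pickle
from collections import OrderedDict

# Constructed allow-list of (module, name) pairs that untrusted pickle data may
# resolve. Anything else, including builtins, is refused at lookup time.
SAFE_GLOBALS = frozenset({
    ("collections", "OrderedDict"),
    ("builtins", "set"),
    ("builtins", "frozenset"),
})


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler whose find_class only resolves allow-listed globals."""

    def find_class(self, module, name):
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(
            f"global {module}.{name} is not allowed in untrusted pickle data"
        )


def restricted_loads(data: bytes):
    """Drop-in replacement for pickle.loads that applies the allow-list."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def demo():
    """Load two acceptable streams and refuse one that names a builtin.

    Returns (plain, ordered, refused).
    """
    # Plain containers and primitives never reference a global at all.
    plain = restricted_loads(pickle.dumps({"user": "alice", "roles": ["ro"]}))
    # OrderedDict is rebuilt through its class, which is on the allow-list.
    ordered = restricted_loads(pickle.dumps(OrderedDict(a=1, b=2)))
    # Constructed suspicious stream: a pickle that names a builtin function.
    # pickle.loads would hand that function back; the restricted unpickler
    # refuses the lookup instead.
    stream = pickle.dumps(getattr)
    try:
        restricted_loads(stream)
        refused = False
    except pickle.UnpicklingError:
        refused = True
    return plain, ordered, refused
```

The allow-list is deliberately tiny: every class added to it is a class whose constructor untrusted data can now invoke with arbitrary arguments, so each entry deserves the same review as the call bandit flags.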

B302: marshal
-------------

Deserialization with the marshal module is possibly dangerous.

+------+---------------------+------------------------------------+-----------+
| ID   |  Name               |  Calls                             |  Severity |
+======+=====================+====================================+===========+
| B302 | marshal             | - marshal.load                     | Medium    |
|      |                     | - marshal.loads                    |           |
+------+---------------------+------------------------------------+-----------+

B303: md5
---------

Use of insecure MD2, MD4, MD5, or SHA1 hash function.

+------+---------------------+------------------------------------+-----------+
| ID   |  Name               |  Calls                             |  Severity |
+======+=====================+====================================+===========+
| B303 | md5                 | - hashlib.md5                      | Medium    |
|      |                     | - hashlib.sha1                     |           |
|      |                     | - Crypto.Hash.MD2.new              |           |
|      |                     | - Crypto.Hash.MD4.new              |           |
|      |                     | - Crypto.Hash.MD5.new              |           |
|      |                     | - Crypto.Hash.SHA.new              |           |
|      |                     | - Cryptodome.Hash.MD2.new          |           |
|      |                     | - Cryptodome.Hash.MD4.new          |           |
|      |                     | - Cryptodome.Hash.MD5.new          |           |
|      |                     | - Cryptodome.Hash.SHA.new          |           |
|      |                     | - cryptography.hazmat.primitives   |           |
|      |                     |   .hashes.MD5                      |           |
|      |                     | - cryptography.hazmat.primitives   |           |
|      |                     |   .hashes.SHA1                     |           |
+------+---------------------+------------------------------------+-----------+

B304 - B305: ciphers and modes
------------------------------

Use of insecure cipher or cipher mode. Replace with a known secure cipher such
as AES.

+------+---------------------+------------------------------------+-----------+
| ID   |  Name               |  Calls                             |  Severity |
+======+=====================+====================================+===========+
| B304 | ciphers             | - Crypto.Cipher.ARC2.new           | High      |
|      |                     | - Crypto.Cipher.ARC4.new           |           |
|      |                     | - Crypto.Cipher.Blowfish.new       |           |
|      |                     | - Crypto.Cipher.DES.new            |           |
|      |                     | - Crypto.Cipher.XOR.new            |           |
|      |                     | - Cryptodome.Cipher.ARC2.new       |           |
|      |                     | - Cryptodome.Cipher.ARC4.new       |           |
|      |                     | - Cryptodome.Cipher.Blowfish.new   |           |
|      |                     | - Cryptodome.Cipher.DES.new        |           |
|      |                     | - Cryptodome.Cipher.XOR.new        |           |
|      |                     | - cryptography.hazmat.primitives   |           |
|      |                     |   .ciphers.algorithms.ARC4         |           |
|      |                     | - cryptography.hazmat.primitives   |           |
|      |                     |   .ciphers.algorithms.Blowfish     |           |
|      |                     | - cryptography.hazmat.primitives   |           |
|      |                     |   .ciphers.algorithms.IDEA         |           |
|      |                     | - cryptography.hazmat.primitives   |           |
|      |                     |   .ciphers.algorithms.CAST5        |           |
|      |                     | - cryptography.hazmat.primitives   |           |
|      |                     |   .ciphers.algorithms.SEED         |           |
|      |                     | - cryptography.hazmat.primitives   |           |
|      |                     |   .ciphers.algorithms.TripleDES    |           |
+------+---------------------+------------------------------------+-----------+
| B305 | cipher_modes        | - cryptography.hazmat.primitives   | Medium    |
|      |                     |   .ciphers.modes.ECB               |           |
+------+---------------------+------------------------------------+-----------+

B306: mktemp_q
--------------

Use of insecure and deprecated function (mktemp).

+------+---------------------+------------------------------------+-----------+
| ID   |  Name               |  Calls                             |  Severity |
+======+=====================+====================================+===========+
| B306 | mktemp_q            | - tempfile.mktemp                  | Medium    |
+------+---------------------+------------------------------------+-----------+

B307: eval
----------

Use of possibly insecure function - consider using safer ast.literal_eval.

+------+---------------------+------------------------------------+-----------+
| ID   |  Name               |  Calls                             |  Severity |
+======+=====================+====================================+===========+
| B307 | eval                | - eval                             | Medium    |
+------+---------------------+------------------------------------+-----------+
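``ast.literal_eval`` evaluates only literal syntax (numbers, strings, containers, booleans, ``None``), so calls, names, attribute access and arbitrary arithmetic are rejected rather than executed. The example below is added here and is not part of this bandit module; the length cap and the sample inputs are constructed.

```python
"""Parse untrusted literals with ast.literal_eval instead of eval."""
import ast

# Constructed cap: literal_eval still has to parse the text, so bound the work
# an attacker can make the parser do.
MAX_LITERAL_LEN = 10_000


def parse_literal(text: str):
    """Return the Python literal encoded in text, or raise ValueError.

    Only what ast.literal_eval accepts is returned: strings, bytes, numbers,
    tuples, lists, dicts, sets, booleans and None. Nothing is executed.
    """
    if len(text) > MAX_LITERAL_LEN:
        raise ValueError("literal too long")
    try:
        return ast.literal_eval(text)
    except (ValueError, SyntaxError, TypeError,
            MemoryError, RecursionError) as exc:
        raise ValueError(f"not a Python literal: {text[:40]!r}") from exc


def is_literal(text: str) -> bool:
    """True if text parses as a literal under parse_literal."""
    try:
        parse_literal(text)
    except ValueError:
        return False
    return True


def demo():
    """Constructed inputs: three accepted literals and five rejected strings."""
    accepted = {
        "config": parse_literal("{'retries': 3, 'hosts': ['a', 'b'], 'debug': False}"),
        "complex": parse_literal("1+2j"),
        "nested": parse_literal("((1, 2), {3, 4}, None)"),
    }
    candidates = ("abs(-1)", "2 ** 10", "__import__('os')", "x",
                  "[i for i in range(3)]")
    rejected = [s for s in candidates if not is_literal(s)]
    return accepted, rejected
```

The ``1+2j`` case is the one piece of arithmetic ``literal_eval`` permits (complex-number notation); every other operator, and every name, is a ``ValueError``.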

B308: mark_safe
---------------

Use of mark_safe() may expose cross-site scripting vulnerabilities and should
be reviewed.

+------+---------------------+------------------------------------+-----------+
| ID   |  Name               |  Calls                             |  Severity |
+======+=====================+====================================+===========+
| B308 | mark_safe           | - django.utils.safestring.mark_safe| Medium    |
+------+---------------------+------------------------------------+-----------+

B309: httpsconnection
---------------------

The check for this call has been removed.

Use of HTTPSConnection on older versions of Python, prior to 2.7.9 and 3.4.3,
does not provide security; see https://wiki.openstack.org/wiki/OSSN/OSSN-0033

+------+---------------------+------------------------------------+-----------+
| ID   |  Name               |  Calls                             |  Severity |
+======+=====================+====================================+===========+
| B309 | httpsconnection     | - httplib.HTTPSConnection          | Medium    |
|      |                     | - http.client.HTTPSConnection      |           |
|      |                     | - six.moves.http_client            |           |
|      |                     |   .HTTPSConnection                 |           |
+------+---------------------+------------------------------------+-----------+

B310: urllib_urlopen
--------------------

Audit url open for permitted schemes. Allowing use of 'file:' or custom
schemes is often unexpected.

+------+---------------------+------------------------------------+-----------+
| ID   |  Name               |  Calls                             |  Severity |
+======+=====================+====================================+===========+
| B310 | urllib_urlopen      | - urllib.urlopen                   | Medium    |
|      |                     | - urllib.request.urlopen           |           |
|      |                     | - urllib.urlretrieve               |           |
|      |                     | - urllib.request.urlretrieve       |           |
|      |                     | - urllib.URLopener                 |           |
|      |                     | - urllib.request.URLopener         |           |
|      |                     | - urllib.FancyURLopener            |           |
|      |                     | - urllib.request.FancyURLopener    |           |
|      |                     | - urllib2.urlopen                  |           |
|      |                     | - urllib2.Request                  |           |
|      |                     | - six.moves.urllib.request.urlopen |           |
|      |                     | - six.moves.urllib.request         |           |
|      |                     |   .urlretrieve                     |           |
|      |                     | - six.moves.urllib.request         |           |
|      |                     |   .URLopener                       |           |
|      |                     | - six.moves.urllib.request         |           |
|      |                     |   .FancyURLopener                  |           |
+------+---------------------+------------------------------------+-----------+
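An audit usually ends in an explicit scheme allow-list applied before the URL reaches ``urlopen``, and again on every redirect target, since ``urlopen`` follows redirects by default. The following is an added example, not bandit's code; the allow-list of ``https`` only, the User-Agent string and the test URLs are constructed.

```python
"""Allow-list URL schemes before handing a URL to urllib."""
from urllib.parse import urlparse
from urllib.request import HTTPRedirectHandler, Request, build_opener

# Constructed policy: only HTTPS to a named host is acceptable for this fetcher.
ALLOWED_SCHEMES = frozenset({"https"})


def validate_url(url: str, allowed=ALLOWED_SCHEMES) -> str:
    """Return url unchanged if its scheme is allowed and it names a host."""
    parts = urlparse(url)  # urlparse lowercases the scheme for us
    if parts.scheme not in allowed:
        raise ValueError(f"scheme {parts.scheme or '<none>'!r} is not permitted")
    if not parts.hostname:
        raise ValueError("URL does not name a host")
    return url


class SchemeCheckingRedirectHandler(HTTPRedirectHandler):
    """Apply the same policy to every redirect target, not only the first URL."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        validate_url(newurl)
        return super().redirect_request(req, fp, code, msg, headers, newurl)


def fetch(url: str, timeout: float = 10.0) -> bytes:
    """Fetch url after validation (this one performs a network request)."""
    opener = build_opener(SchemeCheckingRedirectHandler())
    req = Request(validate_url(url),
                  headers={"User-Agent": "scheme-checked-fetcher"})
    with opener.open(req, timeout=timeout) as resp:
        return resp.read()
```

Checking the scheme is only the first half of the audit; whether the host is one the application should be talking to (SSRF) is a separate allow-list that this example does not attempt.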

B311: random
------------

Standard pseudo-random generators are not suitable for security/cryptographic
purposes. Consider using the secrets module instead:
https://docs.python.org/library/secrets.html

+------+---------------------+------------------------------------+-----------+
| ID   |  Name               |  Calls                             |  Severity |
+======+=====================+====================================+===========+
| B311 | random              | - random.Random                    | Low       |
|      |                     | - random.random                    |           |
|      |                     | - random.randrange                 |           |
|      |                     | - random.randint                   |           |
|      |                     | - random.choice                    |           |
|      |                     | - random.choices                   |           |
|      |                     | - random.uniform                   |           |
|      |                     | - random.triangular                |           |
|      |                     | - random.randbytes                 |           |
|      |                     | - random.sample                    |           |
|      |                     | - random.getrandbits               |           |
+------+---------------------+------------------------------------+-----------+
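The ``secrets`` module draws from the operating system's CSPRNG and also supplies a constant-time comparison for checking tokens. The block below is an added example, not part of this bandit module; the token sizes, the reset-code alphabet and its length are constructed choices.

```python
"""Security-sensitive values from the secrets module rather than random."""
import math
import secrets
import string

# Constructed alphabet for short codes a user types back in.
RESET_CODE_ALPHABET = string.ascii_uppercase + string.digits


def new_session_token(nbytes: int = 32) -> str:
    """URL-safe session token carrying nbytes of OS-provided entropy."""
    return secrets.token_urlsafe(nbytes)


def new_reset_code(length: int = 8) -> str:
    """Short human-typable code; each character drawn with secrets.choice."""
    return "".join(secrets.choice(RESET_CODE_ALPHABET) for _ in range(length))


def token_matches(presented: str, stored: str) -> bool:
    """Compare in constant time so response timing does not leak a prefix."""
    return secrets.compare_digest(presented.encode(), stored.encode())


def reset_code_bits(length: int = 8) -> float:
    """Entropy in bits of a code of this length over the alphabet."""
    return length * math.log2(len(RESET_CODE_ALPHABET))
```

``random.SystemRandom`` is the one class in ``random`` that uses the same OS source; everything else in the module is the Mersenne Twister, whose state can be reconstructed from a few hundred observed outputs.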

B312: telnetlib
---------------

Telnet-related functions are being called. Telnet is considered insecure. Use
SSH or some other encrypted protocol.

+------+---------------------+------------------------------------+-----------+
| ID   |  Name               |  Calls                             |  Severity |
+======+=====================+====================================+===========+
| B312 | telnetlib           | - telnetlib.\*                     | High      |
+------+---------------------+------------------------------------+-----------+

B313 - B319: XML
----------------

Most of this is based on Christian Heimes' work on defusedxml:
https://pypi.org/project/defusedxml/#defusedxml-sax

Using various XML methods to parse untrusted XML data is known to be vulnerable
to XML attacks. Methods should be replaced with their defusedxml equivalents.

+------+---------------------+------------------------------------+-----------+
| ID   |  Name               |  Calls                             |  Severity |
+======+=====================+====================================+===========+
| B313 | xml_bad_cElementTree| - xml.etree.cElementTree.parse     | Medium    |
|      |                     | - xml.etree.cElementTree.iterparse |           |
|      |                     | - xml.etree.cElementTree.fromstring|           |
|      |                     | - xml.etree.cElementTree.XMLParser |           |
+------+---------------------+------------------------------------+-----------+
| B314 | xml_bad_ElementTree | - xml.etree.ElementTree.parse      | Medium    |
|      |                     | - xml.etree.ElementTree.iterparse  |           |
|      |                     | - xml.etree.ElementTree.fromstring |           |
|      |                     | - xml.etree.ElementTree.XMLParser  |           |
+------+---------------------+------------------------------------+-----------+
| B315 | xml_bad_expatreader | - xml.sax.expatreader.create_parser| Medium    |
+------+---------------------+------------------------------------+-----------+
| B316 | xml_bad_expatbuilder| - xml.dom.expatbuilder.parse       | Medium    |
|      |                     | - xml.dom.expatbuilder.parseString |           |
+------+---------------------+------------------------------------+-----------+
| B317 | xml_bad_sax         | - xml.sax.parse                    | Medium    |
|      |                     | - xml.sax.parseString              |           |
|      |                     | - xml.sax.make_parser              |           |
+------+---------------------+------------------------------------+-----------+
| B318 | xml_bad_minidom     | - xml.dom.minidom.parse            | Medium    |
|      |                     | - xml.dom.minidom.parseString      |           |
+------+---------------------+------------------------------------+-----------+
| B319 | xml_bad_pulldom     | - xml.dom.pulldom.parse            | Medium    |
|      |                     | - xml.dom.pulldom.parseString      |           |
+------+---------------------+------------------------------------+-----------+
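The mechanism behind defusedxml is an expat entity-declaration handler that raises before any entity can be referenced, which stops both internal expansion bombs and external entity inclusion. The example below is added here and is neither defusedxml's nor bandit's code: it wires that handler onto a plain ``xml.parsers.expat`` parser and feeds the events into ``ElementTree.TreeBuilder``, so the result is an ordinary ``Element``. The sample documents are constructed.

```python
"""Parse XML while refusing entity declarations (the mechanism defusedxml uses)."""
from xml.etree.ElementTree import TreeBuilder
from xml.parsers import expat


class UnsafeXMLError(ValueError):
    """Raised when the document declares entities or a DTD we do not accept."""


def safe_fromstring(data: bytes, forbid_dtd: bool = False):
    """Return the root Element, or raise UnsafeXMLError / ValueError.

    Entity declarations are refused while the DTD is read, before any
    reference can be expanded. With forbid_dtd=True any DOCTYPE is refused.
    """
    builder = TreeBuilder()
    parser = expat.ParserCreate()

    def entity_decl(name, is_parameter_entity, value, base,
                    system_id, public_id, notation_name):
        # Covers internal entities (value set) and external ones (system_id set).
        raise UnsafeXMLError(f"entity declaration {name!r} refused")

    def doctype_decl(doctype_name, system_id, public_id, has_internal_subset):
        raise UnsafeXMLError(f"DOCTYPE {doctype_name!r} refused")

    parser.EntityDeclHandler = entity_decl
    if forbid_dtd:
        parser.StartDoctypeDeclHandler = doctype_decl
    parser.StartElementHandler = builder.start
    parser.EndElementHandler = builder.end
    parser.CharacterDataHandler = builder.data
    try:
        parser.Parse(data, True)
    except expat.ExpatError as exc:
        raise ValueError(f"malformed XML: {exc}") from exc
    return builder.close()


def element_names(data: bytes, forbid_dtd: bool = False) -> list:
    """Element names in document order, parsed with the same protections."""
    return [elem.tag for elem in safe_fromstring(data, forbid_dtd).iter()]
```

This covers the entity family of attacks only; defusedxml remains the maintained drop-in for the listed modules, and resource limits (document size, nesting depth) are still the caller's job.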

B320: xml_bad_etree
-------------------

The check for this call has been removed.

+------+---------------------+------------------------------------+-----------+
| ID   |  Name               |  Calls                             |  Severity |
+======+=====================+====================================+===========+
| B320 | xml_bad_etree       | - lxml.etree.parse                 | Medium    |
|      |                     | - lxml.etree.fromstring            |           |
|      |                     | - lxml.etree.RestrictedElement     |           |
|      |                     | - lxml.etree.GlobalParserTLS       |           |
|      |                     | - lxml.etree.getDefaultParser      |           |
|      |                     | - lxml.etree.check_docinfo         |           |
+------+---------------------+------------------------------------+-----------+

B321: ftplib
------------

FTP-related functions are being called. FTP is considered insecure. Use
SSH/SFTP/SCP or some other encrypted protocol.

+------+---------------------+------------------------------------+-----------+
| ID   |  Name               |  Calls                             |  Severity |
+======+=====================+====================================+===========+
| B321 | ftplib              | - ftplib.\*                        | High      |
+------+---------------------+------------------------------------+-----------+

B322: input
-----------

The check for this call has been removed.

The input function in Python 2 reads from standard input, then evaluates and
runs the resulting string as Python source code. This is similar to, though
in many ways worse than, using eval. On Python 2, use raw_input instead;
input is safe in Python 3.

+------+---------------------+------------------------------------+-----------+
| ID   |  Name               |  Calls                             |  Severity |
+======+=====================+====================================+===========+
| B322 | input               | - input                            | High      |
+------+---------------------+------------------------------------+-----------+

B323: unverified_context
------------------------

By default, Python will create a secure, verified ssl context for use in such
classes as HTTPSConnection. However, it still allows using an insecure
context via the _create_unverified_context that reverts to the previous
behavior that does not validate certificates or perform hostname checks.

+------+---------------------+------------------------------------+-----------+
| ID   |  Name               |  Calls                             |  Severity |
+======+=====================+====================================+===========+
| B323 | unverified_context  | - ssl._create_unverified_context   | Medium    |
+------+---------------------+------------------------------------+-----------+
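A verified context is what ``ssl.create_default_context()`` already returns; the practical check is to audit whichever context a connection actually uses for the two properties the unverified one turns off. The following is an added example, not part of this bandit module; the audit criteria and the TLS 1.2 floor are choices made here.

```python
"""Build and audit TLS client contexts for the settings B323 is about."""
import http.client
import ssl


def hardened_client_context(cafile=None) -> ssl.SSLContext:
    """Verified context: CA trust store, hostname checking, TLS 1.2 or newer."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Human-readable findings for a client context; an empty list means OK."""
    findings = []
    if not ctx.check_hostname:
        findings.append("hostname verification disabled")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate not required")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("TLS older than 1.2 permitted")
    return findings


def https_connection(host: str, port: int = 443) -> http.client.HTTPSConnection:
    """HTTPSConnection bound to the hardened context (no request is sent here)."""
    return http.client.HTTPSConnection(host, port,
                                       context=hardened_client_context())


def demo() -> dict:
    """Audit the verified default against the unverified context B323 flags."""
    return {
        "default": audit_context(hardened_client_context()),
        "unverified": audit_context(ssl._create_unverified_context()),
    }
```

When a private CA is in play, pass ``cafile`` (or call ``load_verify_locations``) instead of disabling verification; that keeps both hostname checking and chain validation intact.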

B325: tempnam
--------------

The check for this call has been removed.

Use of os.tempnam() and os.tmpnam() is vulnerable to symlink attacks. Consider
using tmpfile() instead.

For further information:
    https://docs.python.org/2.7/library/os.html#os.tempnam
    https://docs.python.org/3/whatsnew/3.0.html?highlight=tempnam
    https://bugs.python.org/issue17880

+------+---------------------+------------------------------------+-----------+
| ID   |  Name               |  Calls                             |  Severity |
+======+=====================+====================================+===========+
| B325 | tempnam             | - os.tempnam                       | Medium    |
|      |                     | - os.tmpnam                        |           |
+------+---------------------+------------------------------------+-----------+

    )utils)issuec            
      
   / n U R                  [        R                  " SS[        R                  R
                  / SQS5      5        U R                  [        R                  " SS[        R                  R
                  SS/S	5      5        U R                  [        R                  " S
S[        R                  R                  / SQS5      5        U R                  [        R                  " SS[        R                  R                  / SQSS5      5        U R                  [        R                  " SS[        R                  R                  S/S5      5        U R                  [        R                  " SS[        R                  R                  S/S5      5        U R                  [        R                  " SS[        R                  R                  S/S5      5        U R                  [        R                  " SS[        R                  R                  S /S!5      5        U R                  [        R                  " S"S#[        R                  R                  / S$QS%5      5        U R                  [        R                  " S&S'[        R                  R                  / S(QS)S*5      5        U R                  [        R                  " S+S,[        R                  R                  S-/S.S5      5        S/nU R                  [        R                  " S0S1[        R                  R                  / S2QU5      5        U R                  [        R                  " S3S4[        R                  R                  / S5QU5      5        U R                  [        R                  " S6S7[        R                  R                  S8/U5      5        U R                  [        R                  " S9S:[        R                  R                  S;S</U5      5        U R                  [        R                  " S=S>[        R                  R                  / S?QU5      5        U R                  [        R                  " S@SA[        R                  R                  SBSC/U5      5       
 U R                  [        R                  " SDSE[        R                  R                  SFSG/U5      5        U R                  [        R                  " SHSI[        R                  R                  SJ/SKS5      5        U R                  [        R                  " SLSM[        R                  R                  SN/SO5      5        SPU 0$ )Qa  Generate a list of items to blacklist.

Methods of this type, "bandit.blacklist" plugins, are used to build a list
of items that bandit's built in blacklisting tests will use to trigger
issues. They replace the older blacklist* test plugins and allow
blacklisted items to have a unique bandit ID for filtering and profile
usage.

:return: a dictionary mapping node types to a list of blacklist data
pickleB301)zpickle.loadszpickle.loadzpickle.Unpicklerz
dill.loadsz	dill.loadzdill.Unpicklerzshelve.openzshelve.DbfilenameShelfzjsonpickle.decodezjsonpickle.unpickler.decodezjsonpickle.unpickler.Unpicklerzpandas.read_picklezoPickle and modules that wrap it can be unsafe when used to deserialize untrusted data, possible security issue.marshalB302zmarshal.loadzmarshal.loadsz>Deserialization with the marshal module is possibly dangerous.md5B303)
zCrypto.Hash.MD2.newzCrypto.Hash.MD4.newzCrypto.Hash.MD5.newzCrypto.Hash.SHA.newzCryptodome.Hash.MD2.newzCryptodome.Hash.MD4.newzCryptodome.Hash.MD5.newzCryptodome.Hash.SHA.newz)cryptography.hazmat.primitives.hashes.MD5z*cryptography.hazmat.primitives.hashes.SHA1z5Use of insecure MD2, MD4, MD5, or SHA1 hash function.ciphersB304)zCrypto.Cipher.ARC2.newzCrypto.Cipher.ARC4.newzCrypto.Cipher.Blowfish.newzCrypto.Cipher.DES.newzCrypto.Cipher.XOR.newzCryptodome.Cipher.ARC2.newzCryptodome.Cipher.ARC4.newzCryptodome.Cipher.Blowfish.newzCryptodome.Cipher.DES.newzCryptodome.Cipher.XOR.newz6cryptography.hazmat.primitives.ciphers.algorithms.ARC4z:cryptography.hazmat.primitives.ciphers.algorithms.Blowfishz7cryptography.hazmat.primitives.ciphers.algorithms.CAST5z6cryptography.hazmat.primitives.ciphers.algorithms.IDEAz6cryptography.hazmat.primitives.ciphers.algorithms.SEEDz;cryptography.hazmat.primitives.ciphers.algorithms.TripleDESzNUse of insecure cipher {name}. Replace with a known secure cipher such as AES.HIGHcipher_modesB305z0cryptography.hazmat.primitives.ciphers.modes.ECBz#Use of insecure cipher mode {name}.mktemp_qB306ztempfile.mktempz1Use of insecure and deprecated function (mktemp).evalB307zJUse of possibly insecure function - consider using safer ast.literal_eval.	mark_safeB308z!django.utils.safestring.mark_safezZUse of mark_safe() may expose cross-site scripting vulnerabilities and should be reviewed.urllib_urlopenB310)zurllib.request.urlopenzurllib.request.urlretrievezurllib.request.URLopenerzurllib.request.FancyURLopenerz six.moves.urllib.request.urlopenz$six.moves.urllib.request.urlretrievez"six.moves.urllib.request.URLopenerz'six.moves.urllib.request.FancyURLopenerzcAudit url open for permitted schemes. 
Allowing use of file:/ or custom schemes is often unexpected.randomB311)zrandom.Randomzrandom.randomrandom.randrangezrandom.randintzrandom.choicezrandom.choiceszrandom.uniformzrandom.triangularzrandom.randbyteszrandom.sampler   zrandom.getrandbitszWStandard pseudo-random generators are not suitable for security/cryptographic purposes.LOW	telnetlibB312ztelnetlib.TelnetzsTelnet-related functions are being called. Telnet is considered insecure. Use SSH or some other encrypted protocol.zUsing {name} to parse untrusted XML data is known to be vulnerable to XML attacks. Replace {name} with its defusedxml equivalent function or make sure defusedxml.defuse_stdlib() is calledxml_bad_cElementTreeB313)zxml.etree.cElementTree.parsez xml.etree.cElementTree.iterparsez!xml.etree.cElementTree.fromstringz xml.etree.cElementTree.XMLParserxml_bad_ElementTreeB314)zxml.etree.ElementTree.parsezxml.etree.ElementTree.iterparsez xml.etree.ElementTree.fromstringzxml.etree.ElementTree.XMLParserxml_bad_expatreaderB315z!xml.sax.expatreader.create_parserxml_bad_expatbuilderB316zxml.dom.expatbuilder.parsez xml.dom.expatbuilder.parseStringxml_bad_saxB317)zxml.sax.parsezxml.sax.parseStringzxml.sax.make_parserxml_bad_minidomB318zxml.dom.minidom.parsezxml.dom.minidom.parseStringxml_bad_pulldomB319zxml.dom.pulldom.parsezxml.dom.pulldom.parseStringftplibB321z
ftplib.FTPzvFTP-related functions are being called. FTP is considered insecure. Use SSH/SFTP/SCP or some other encrypted protocol.unverified_contextB323zssl._create_unverified_contexta&  By default, Python will create a secure, verified ssl context for use in such classes as HTTPSConnection. However, it still allows using an insecure context via the _create_unverified_context that  reverts to the previous behavior that does not validate certificates or perform hostname checks.Call)appendr   build_conf_dictr   Cwe!DESERIALIZATION_OF_UNTRUSTED_DATABROKEN_CRYPTOINSECURE_TEMP_FILEOS_COMMAND_INJECTIONXSSPATH_TRAVERSALINSUFFICIENT_RANDOM_VALUESCLEARTEXT_TRANSMISSIONIMPROPER_INPUT_VALIDATIONIMPROPER_CERT_VALIDATION)setsxml_msgs     Q/home/james-whalen/.local/lib/python3.13/site-packages/bandit/blacklists/calls.pygen_blacklistrB   Z  s    DKKII77C%	
0 	KKII77_-L	
 	KKII## D!	
* 	KKII##$#1	
: 	KKII##?@1	
 	KKII((?	
 	KKII**H 	
	 	KKIIMM016	
	 	KKII$$	2	
( 	KKII00/)	
2 	KKII,, B	

 	/  	KK"II// 	
 	KK!II// 	
 	KK!II//01	
 	KK"II//)+MN	
 	KKII//K	
 	KKII//$&CD	
 	KKII//$&CD	
 	KKII,,NK	

 	KK II..-.7
	
& D>    N)__doc__bandit.blacklistsr   bandit.corer   rB    rC   rA   <module>rH      s   
Pb
 $ DrC   