Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Update calls.py with additional rulesets #637

Open
wants to merge 5 commits into
base: main
Choose a base branch
from

Conversation

prabhuved
Copy link

Added new rule sets to detect common vulnerabilities in default libraries in python.
Some common vulnerabilities observed are -

  1. Use of yaml_load - Insecure and deprecated. Leads to arbitrary server code execution
  2. Vulnerable libraries that allow response splitting vulnerabilities (or) CRLF injection attacks.
  3. Use of base64 encoding algorithm - I have observed sensitive information being encoded using this algorithm. Gives a false sense of security.
  4. Server-Side Template Injection - Primarily seen in flask based applications. The use of default libraries (without validation) allow users to run commands in the server using templates.
  5. Check file upload functionalities in python code - You can check if the application has validation on the file extension and MIME types. Can lead to RCE or malicious file uploads.

prabhuved and others added 5 commits September 4, 2020 01:18
@@ -569,4 +569,65 @@ def gen_blacklist():
'attacks. Consider using tmpfile() instead.'
))

# updated rulesets starts here

sets.append(utils.build_conf_dict(
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We already have a bandit plugin to check for use of yaml.load. See https://github.com/PyCQA/bandit/blob/master/bandit/plugins/yaml_load.py

))

sets.append(utils.build_conf_dict(
'Base64_encoding_used', 'B328',
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There are some very good use cases to use base64. In fact, some protocols require it. So there's a very low confidence this check would find a security issue. I'd rather not introduce many more false positives.

bandit/blacklists/calls.py Show resolved Hide resolved
))

sets.append(utils.build_conf_dict(
'response_splitting', 'B327',
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This CVE was resolved already in Python 3.7, 3.8, and greater. At this point, I think it's unnecessary for Bandit to flag that module.


sets.append(utils.build_conf_dict(
'Server_Side_Template_Injection', 'B329',
['render_template_string', 'render_template'],
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Are these part of Flask? If so, they would need to be fully qualified.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants