From f22fe3c8a4f68afe54e5f811e0131bcc0e5a2767 Mon Sep 17 00:00:00 2001 From: Eric Brown Date: Tue, 12 Dec 2023 14:34:03 -0800 Subject: [PATCH] Handle variant in how policy is passed in paramiko Paramiko permits various ways of importing the missing host key policy. It allows paramiko.client.AutoAddPolicy or paramiko.AutoAddPolicy. The later isn't being handled in Bandit. This change adds news tests and modifies the plugin to inspect the AST to determine whether the argument is an Attribute, Name, or Call. Fixes #1077 Signed-off-by: Eric Brown
---
 bandit/plugins/ssh_no_host_key_verification.py | 7 ++++++-
 examples/no_host_key_verification.py | 7 +++++++
 2 files changed, 13 insertions(+), 1 deletion(-)
diff --git a/bandit/plugins/ssh_no_host_key_verification.py b/bandit/plugins/ssh_no_host_key_verification.py
index e8edaf93..51be2eb4 100644
--- a/bandit/plugins/ssh_no_host_key_verification.py
+++ b/bandit/plugins/ssh_no_host_key_verification.py
@@ -55,8 +55,13 @@ def ssh_no_host_key_verification(context):
 policy_argument_value = None
 if isinstance(policy_argument, ast.Attribute):
 policy_argument_value = policy_argument.attr
+ elif isinstance(policy_argument, ast.Name):
+ policy_argument_value = policy_argument.id
 elif isinstance(policy_argument, ast.Call):
- policy_argument_value = policy_argument.func.attr
+ if isinstance(policy_argument.func, ast.Attribute):
+ policy_argument_value = policy_argument.func.attr
+ elif isinstance(policy_argument.func, ast.Name):
+ policy_argument_value = policy_argument.func.id
 
 if policy_argument_value in ["AutoAddPolicy", "WarningPolicy"]:
 return bandit.Issue(
diff --git a/examples/no_host_key_verification.py b/examples/no_host_key_verification.py
index 2e092fe4..1ac01e6c 100644
--- a/examples/no_host_key_verification.py
+++ b/examples/no_host_key_verification.py
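Review bot: The new `ast.Name` branches make the match depend on the bare identifier alone, so `from paramiko import AutoAddPolicy as Policy` (or a policy instance first bound to a local variable) still passes undetected, while any unrelated class that happens to be named `AutoAddPolicy` or `WarningPolicy` is now reported; that trade-off belongs in a comment next to the membership test, e.g. `# Name-based match only: aliased imports are not resolved and same-named non-paramiko classes are reported.` The four-way `isinstance` chain can also be flattened by unwrapping a call to its callee once and then testing Attribute/Name a single time, as sketched below. The `examples/` fixture could gain an aliased-import line so the limitation is at least visible in the test corpus. `ssh_no_host_key_verification` begins before this hunk.
```python
    # A call such as AutoAddPolicy() is judged by its callee; unwrap it once.
    target = policy_argument.func if isinstance(policy_argument, ast.Call) else policy_argument
    policy_argument_value = None
    if isinstance(target, ast.Attribute):
        policy_argument_value = target.attr
    elif isinstance(target, ast.Name):
        policy_argument_value = target.id
    # … unchanged: membership test and Issue construction …
```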
@@ -1,7 +1,14 @@
 from paramiko import client
+from paramiko import AutoAddPolicy
+from paramiko import WarningPolicy
 
 ssh_client = client.SSHClient()
 ssh_client.set_missing_host_key_policy(client.AutoAddPolicy)
 ssh_client.set_missing_host_key_policy(client.WarningPolicy)
 ssh_client.set_missing_host_key_policy(client.AutoAddPolicy())
 ssh_client.set_missing_host_key_policy(client.WarningPolicy())
+
+ssh_client.set_missing_host_key_policy(AutoAddPolicy)
+ssh_client.set_missing_host_key_policy(WarningPolicy)
+ssh_client.set_missing_host_key_policy(AutoAddPolicy())
+ssh_client.set_missing_host_key_policy(WarningPolicy())