From 5e6d6758b2cd37865d8a36bbd34ca3b33657e980 Mon Sep 17 00:00:00 2001
From: Eric Brown
Date: Tue, 12 Dec 2023 14:34:03 -0800
Subject: [PATCH] Handle variant in how policy is passed in paramiko

Paramiko permits various ways of importing the missing host key policy. It allows paramiko.client.AutoAddPolicy or paramiko.AutoAddPolicy. The later isn't being handled in Bandit.

This change adds news tests and modifies the plugin to inspect the AST to determine whether the argument is an Attribute, Name, or Call.

Fixes #1077

Signed-off-by: Eric Brown
---
 bandit/plugins/ssh_no_host_key_verification.py | 7 ++++++-
 examples/no_host_key_verification.py | 7 +++++++
 tests/functional/test_functional.py | 4 ++--
 3 files changed, 15 insertions(+), 3 deletions(-)

diff --git a/bandit/plugins/ssh_no_host_key_verification.py b/bandit/plugins/ssh_no_host_key_verification.py
index e8edaf93a..51be2eb4a 100644
--- a/bandit/plugins/ssh_no_host_key_verification.py
+++ b/bandit/plugins/ssh_no_host_key_verification.py
@@ -55,8 +55,13 @@ def ssh_no_host_key_verification(context):
     policy_argument_value = None
     if isinstance(policy_argument, ast.Attribute):
         policy_argument_value = policy_argument.attr
+    elif isinstance(policy_argument, ast.Name):
+        policy_argument_value = policy_argument.id
     elif isinstance(policy_argument, ast.Call):
-        policy_argument_value = policy_argument.func.attr
+        if isinstance(policy_argument.func, ast.Attribute):
+            policy_argument_value = policy_argument.func.attr
+        elif isinstance(policy_argument.func, ast.Name):
+            policy_argument_value = policy_argument.func.id
     if policy_argument_value in ["AutoAddPolicy", "WarningPolicy"]:
         return bandit.Issue(
diff --git a/examples/no_host_key_verification.py b/examples/no_host_key_verification.py
index 2e092fe4d..1ac01e6c6 100644
--- a/examples/no_host_key_verification.py
+++ b/examples/no_host_key_verification.py
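Review bot: The new `ast.Name` branches compare only the bare local identifier, so an aliased import (`from paramiko import AutoAddPolicy as Policy`) or a policy object bound to another name still yields no finding; if `context` exposes resolved import names (not visible in this hunk), resolving `policy_argument.id` through them would close that gap, otherwise a comment above the chain such as `# matches the literal identifier only; aliased imports are not resolved` documents the limitation for the next maintainer. Separately, the `ast.Call` branch now repeats the Attribute/Name dispatch for `policy_argument.func`; unwrapping a call to its `.func` first and running a single dispatch keeps the two paths from drifting apart, as sketched below. The enclosing function starts and ends outside the hunk.
```python
    # … unchanged: policy_argument extraction …
    # A call such as AutoAddPolicy() names the class via .func; unwrap it so
    # the bare and called forms share one Attribute/Name dispatch.
    policy_node = policy_argument.func if isinstance(policy_argument, ast.Call) else policy_argument
    policy_argument_value = None
    if isinstance(policy_node, ast.Attribute):
        policy_argument_value = policy_node.attr
    elif isinstance(policy_node, ast.Name):
        policy_argument_value = policy_node.id
    # … unchanged: membership test and Issue construction …
```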
@@ -1,7 +1,14 @@
 from paramiko import client
+from paramiko import AutoAddPolicy
+from paramiko import WarningPolicy
 ssh_client = client.SSHClient()
 ssh_client.set_missing_host_key_policy(client.AutoAddPolicy)
 ssh_client.set_missing_host_key_policy(client.WarningPolicy)
 ssh_client.set_missing_host_key_policy(client.AutoAddPolicy())
 ssh_client.set_missing_host_key_policy(client.WarningPolicy())
+
+ssh_client.set_missing_host_key_policy(AutoAddPolicy)
+ssh_client.set_missing_host_key_policy(WarningPolicy)
+ssh_client.set_missing_host_key_policy(AutoAddPolicy())
+ssh_client.set_missing_host_key_policy(WarningPolicy())
diff --git a/tests/functional/test_functional.py b/tests/functional/test_functional.py
index 6917462dd..6bc047ee6 100644
--- a/tests/functional/test_functional.py
+++ b/tests/functional/test_functional.py
@@ -543,8 +543,8 @@ def test_yaml(self):
     def test_host_key_verification(self):
         """Test for ignoring host key verification."""
         expect = {
-            "SEVERITY": {"UNDEFINED": 0, "LOW": 0, "MEDIUM": 0, "HIGH": 4},
-            "CONFIDENCE": {"UNDEFINED": 0, "LOW": 0, "MEDIUM": 4, "HIGH": 0},
+            "SEVERITY": {"UNDEFINED": 0, "LOW": 0, "MEDIUM": 0, "HIGH": 8},
+            "CONFIDENCE": {"UNDEFINED": 0, "LOW": 0, "MEDIUM": 8, "HIGH": 0},
         }
         self.check_example("no_host_key_verification.py", expect)