Bandit Low Level Issues – Code Quality Docs

May 31, 2021

Rule	Description	example	kpi
B101-assert_used	Use of assert detected. The enclosed code will be removed when compiling to optimised byte code.	assert logged_in display_assets()	Maintainability
B102-exec_used	Use of exec detected.	exec("do evil") exec "do evil"	Maintainability
B103-set_bad_file_permissions	Probable insecure usage of temp file/directory.	os.chmod('/etc/hosts', 0o777) os.chmod('/tmp/oh_hai', 0x1ff) os.chmod('/etc/passwd', stat.S_IRWXU	Maintainability
B104-hardcoded_bind_all_interfaces	Possible binding to all interfaces.	s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.bind(('0.0.0.0', 31137)) s.bind(('192.168.0.1', 8080))	Maintainability
B105-hardcoded_password_string	Possible hardcoded password '(root)'	def someFunction2(password): if password == "root": print("OK, logged in")	Maintainability
B106-hardcoded_password_funcarg	Possible hardcoded password: 'blerg'	doLogin(password="blerg")	Maintainability
B107-hardcoded_password_default	Possible hardcoded password: 'Admin'	def someFunction(user, password="Admin"): print("Hi " + user)	Maintainability
B108-hardcoded_tmp_directory	insecure usage of tmp file/directory	tmp_dirs: ['/tmp', '/var/tmp', '/dev/shm']	Maintainability
B110-try_except_pass	a pass in the except block	try: do_some_stuff() except Exception: pass	Maintainability
B112-try_except_continue	a continue in the except block	while keep_going: try: do_some_stuff() except Exception: continue	Maintainability
B201-flask_debug_true	A Flask app appears to be run with debug=True, which exposes the Werkzeug debugger and allows the execution of arbitrary code.	app.run(debug=True)	Maintainability
B501-request_with_no_cert_validation	Requests call with verify=False disabling SSL certificate checks, security issue.	requests.get('https://gmail.com', verify=True) requests.get('https://gmail.com', verify=False) requests.post('https://gmail.com', verify=True)	Maintainability
B502-ssl_with_bad_version	ssl.wrap_socket call with insecure SSL/TLS protocol version identified, security issue	ssl.wrap_socket(ssl_version=ssl.PROTOCOL_SSLv3) ssl.wrap_socket(ssl_version=ssl.PROTOCOL_TLSv1)	Maintainability
B503-ssl_with_bad_defaults	Function definition identified with insecure SSL/TLS protocol version by default, possible security issue.	def open_ssl_socket(version=SSL.SSLv2_METHOD): pass	Maintainability
B504-ssl_with_no_version	ssl.wrap_socket call with no SSL/TLS protocol version specified, the default SSLv23 could be insecure, possible security issue.	ssl.wrap_socket(	Maintainability
B505-weak_cryptographic_key	DSA key sizes below 1024 bits are considered breakable.	dsa.generate_private_key(512, backends.default_backend()) rsa.generate_private_key(3,	Maintainability
B506-yaml_load	use of yaml load	ystr = yaml.dump({‘a’ : 1, ‘b’ : 2, ‘c’ : 3}) y = yaml.load(ystr) 6 yaml.dump(y)	Maintainability
B507-ssh_no_host_key_verification	Paramiko call with policy set to automatically trust the unknown host key.	ssh_client = client.SSHClient() ssh_client.set_missing_host_key_policy(client.AutoAddPolicy) ssh_client.set_missing_host_key_policy(client.WarningPolicy)	Maintainability
B601-paramiko_calls	Possible shell injection via Paramiko call, check inputs are properly sanitized.	paramiko.exec_command('something; really; unsafe')	Maintainability
B602-subprocess_popen_with_shell_equals_true	subprocess call with shell=True seems safe, but may be changed in the future, consider rewriting without shell	subprocess.check_call(['/bin/ls', '-l'], shell=False) subprocess.check_call('/bin/ls -l', shell=True)	Maintainability
B603-subprocess_without_shell_equals_true	subprocess call - check for execution of untrusted input.	subprocess.check_output(['/bin/ls', '-l'])	Maintainability
B604-any_other_function_with_shell_equals_true	Function call with shell=True parameter identified, possible security issue.	pop('/bin/gcc --version', shell=True) Popen('/bin/gcc --version', shell=True)	Maintainability
B605-start_process_with_a_shell	Starting a process with a shell: check for injection.	os.system('/bin/echo hi')	Maintainability
B606-start_process_with_no_shell	Starting a process without a shell.	os.spawnv(mode, path, args) os.spawnve(mode, path, args, env) os.spawnvp(mode, file, args)	Maintainability
B607-start_process_with_partial_path	Starting a process with a partial executable path	from subprocess import Popen as pop pop('gcc --version', shell=False)	Maintainability
B608-hardcoded_sql_expressions	SQL injectio	query = "DELETE FROM foo WHERE id = '%s'" % identifier query = "UPDATE foo SET value = 'b' WHERE id = '%s'" % identifier	Maintainability
B609-linux_commands_wildcard_injection	Possible wildcard injection in call: subprocess.Popen	o.popen2('/bin/chmod ') subp.Popen('/bin/chown ', shell=True)	Maintainability
B610-django_extra_used	Potential SQL injection on extra function		Maintainability
B611-django_rawsql_used	Potential SQL injection on RawSQL function		Maintainability
B701-jinja2_autoescape_false	Using jinja2 templates with autoescape=False is dangerous and can lead to XSS. Use autoescape=True to mitigate XSS vulnerabilities.	templateEnv = jinja2.Environment(autoescape=False, loader=templateLoader) Environment(loader=templateLoader, load=templateLoader, autoescape=False)	Maintainability
B702-use_of_mako_templates	Mako templates allow HTML/JS rendering by default and are inherently open to XSS attacks. Ensure variables in all templates are properly sanitized via the 'n', 'h' or 'x' flags (depending on context).	mako.template.Template("hern") template.Template("hern")	Maintainability
B703-django_mark_safe	Potential XSS on mark_safe function		Maintainability
B301-blacklist_calls	pickle	Imports : pickle.loads pickle.load pickle.Unpickler cPickle.loads cPickle.load cPickle.Unpickler dill.loads dill.load dill.Unpickler shelve.open shelve.DbfilenameShelf	Maintainability
B302-blacklist_calls	marshal	Imports : marshal.load marshal.loads	Maintainability
B303-blacklist_calls	md5	Imports : hashlib.md5 hashlib.sha1 Crypto.Hash.MD2.new Crypto.Hash.MD4.new Crypto.Hash.MD5.new Crypto.Hash.SHA.new Cryptodome.Hash.MD2.new Cryptodome.Hash.MD4.new Cryptodome.Hash.MD5.new Cryptodome.Hash.SHA.new cryptography.hazmat.primitives .hashes.MD5 cryptography.hazmat.primitives .hashes.SHA1	Maintainability
B304-blacklist_calls	ciphers	Imports : Crypto.Cipher.ARC2.new Crypto.Cipher.ARC4.new Crypto.Cipher.Blowfish.new Crypto.Cipher.DES.new Crypto.Cipher.XOR.new Cryptodome.Cipher.ARC2.new Cryptodome.Cipher.ARC4.new Cryptodome.Cipher.Blowfish.new Cryptodome.Cipher.DES.new Cryptodome.Cipher.XOR.new cryptography.hazmat.primitives .ciphers.algorithms.ARC4 cryptography.hazmat.primitives .ciphers.algorithms.Blowfish cryptography.hazmat.primitives .ciphers.algorithms.IDEA	Maintainability
B305-blacklist_calls	cipher_modes	Imports : cryptography.hazmat.primitives .ciphers.modes.ECB	Maintainability
B306-blacklist_calls	mktemp_q	Imports : tempfile.mktemp	Maintainability
B307-blacklist_calls	eval	Imports : eval	Maintainability
B308-blacklist_calls	mark_safe	Imports : django.utils.safestring.mark_safe	Maintainability
B309-blacklist_calls	httpsconnection	Imports : httplib.HTTPSConnection http.client.HTTPSConnection six.moves.http_client .HTTPSConnection	Maintainability
B310-blacklist_calls	urllib_urlopen	Imports : urllib.urlopen urllib.request.urlopen urllib.urlretrieve urllib.request.urlretrieve urllib.URLopener urllib.request.URLopener urllib.FancyURLopener urllib.request.FancyURLopener urllib2.urlopen urllib2.Request six.moves.urllib.request.urlopen six.moves.urllib.request .urlretrieve six.moves.urllib.request .URLopener six.moves.urllib.request .FancyURLopener	Maintainability
B311-blacklist_calls	random	Imports : random.random random.randrange random.randint random.choice random.uniform random.triangular	Maintainability
B312-blacklist_calls	telnetlib	Imports : telnetlib.*	Maintainability
B313-blacklist_calls	xml_bad_cElementTree	Imports : xml.etree.cElementTree.parse xml.etree.cElementTree.iterparse xml.etree.cElementTree.fromstring xml.etree.cElementTree.XMLParser	Maintainability
B314-blacklist_calls	xml_bad_ElementTree	Imports : xml.etree.ElementTree.parse xml.etree.ElementTree.iterparse xml.etree.ElementTree.fromstring xml.etree.ElementTree.XMLParser	Maintainability
B315-blacklist_calls	xml_bad_expatreader	Imports : xml.sax.expatreader.create_parser	Maintainability
B316-blacklist_calls	xml_bad_expatbuilder	Imports : xml.dom.expatbuilder.parse xml.dom.expatbuilder.parseString	Maintainability
B317-blacklist_calls	xml_bad_sax	Imports : xml.sax.parse xml.sax.parseString xml.sax.make_parser	Maintainability
B318-blacklist_calls	xml_bad_minidom	Imports : xml.dom.minidom.parse xml.dom.minidom.parseString	Maintainability
B319-blacklist_calls	xml_bad_pulldom	Imports : xml.dom.pulldom.parse xml.dom.pulldom.parseString	Maintainability
B320-blacklist_calls	xml_bad_etree	Imports : lxml.etree.parse lxml.etree.fromstring lxml.etree.RestrictedElement lxml.etree.GlobalParserTLS lxml.etree.getDefaultParser lxml.etree.check_docinfo	Maintainability
B321-blacklist_calls	ftplib	Imports : ftplib.*	Maintainability
B322-blacklist_calls	input	Imports : input	Maintainability
B323-blacklist_calls	unverified_context	Imports : ssl._create_unverified_context	Maintainability
B325-blacklist_calls	tempnam	Imports : os.tempnam os.tmpnam	Maintainability
B403-blacklist_calls	pickle cPickle dill shelve		Maintainability
B404-blacklist_calls	subprocess		Maintainability
B405-blacklist_calls	xml.etree.cElementTree xml.etree.ElementTree		Maintainability
B406-blacklist_calls	xml.sax		Maintainability
B407-blacklist_calls	xml.dom.expatbuilder		Maintainability
B408-blacklist_calls	xml.dom.minidom		Maintainability
B409-blacklist_calls	xml.dom.pulldom		Maintainability
B410-blacklist_calls	lxml		Maintainability