**Describe the bug**

Running this plugin against a `hashlib.new` invocation that accepts the hashing algo dynamically from an inline function of a variable fails with `AttributeError: 'NoneType' object has no attribute 'lower'`.

**To Reproduce**

Minimal repro module `test_hash_new.py`

Run bandit >=1.5.0 against it (that's where that check plugin appeared for the first time):

```
$ bandit test_hash_new.py
...
[tester] ERROR Bandit internal error running: hashlib_new on file test_hash_new.py at line 4: 'NoneType' object has no attribute 'lower'
Traceback (most recent call last):
  File "/home/pshchelo/.virtualenvs/bandit/lib/python3.6/site-packages/bandit/core/tester.py", line 64, in run_tests
    result = test(context)
  File "/home/pshchelo/.virtualenvs/bandit/lib/python3.6/site-packages/bandit/plugins/hashlib_new_insecure_functions.py", line 57, in hashlib_new
    if name.lower() in ('md4', 'md5'):
AttributeError: 'NoneType' object has no attribute 'lower'
...
```

Note that moving `str` out of the call to `hashlib.new` solves the issue.

**Expected behavior**

At least no failure/traceback. Possibly the same error emitted but with lower confidence, stating something like "Verify that no insecure algos are being passed here".
**Bandit version**

but observed on any bandit 1.5.x too, where this check plugin is already available

**Additional context**

Seems like an aftermath of implementing #122.

Code where this very failure was observed is OpenStack's glance_store drivers, for example
https://opendev.org/openstack/glance_store/src/tag/0.29.0/glance_store/_drivers/cinder.py#L676

It seems something like
would suffice to fix it.
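As an added illustration of the behaviour the report asks for (this is neither bandit's own plugin code nor the reporter's repro module), the stand-alone check below resolves the first argument of `hashlib.new` from the AST, flags a literal `md4`/`md5` name at high confidence, and, when the name is a dynamic expression such as `str(algo)`, emits a low-confidence "verify" finding instead of calling `.lower()` on `None`. The `SAMPLE` source, the `INSECURE_HASHES` tuple and the `check_hashlib_new` function are assumptions of this example.

```python
import ast
from typing import List, Optional, Tuple

# Added example (not bandit's plugin): the names the original check treats as insecure.
INSECURE_HASHES = ("md4", "md5")

# Constructed sample module. Line 6 is the pattern from the report: the algorithm
# name comes from str(<variable>), so it cannot be read statically.
SAMPLE = '''
import hashlib

def digest(data, algo):
    h1 = hashlib.new('md5')          # literal name: insecure, high confidence
    h2 = hashlib.new(str(algo))      # dynamic name: the case that crashed the plugin
    h3 = hashlib.new(name='sha256')  # literal keyword: fine
    h4 = hashlib.new(algo.lower())   # dynamic name again
    return h1, h2, h3, h4
'''


def _is_hashlib_new(call: ast.Call) -> bool:
    """True for calls spelled exactly hashlib.new(...)."""
    func = call.func
    return (isinstance(func, ast.Attribute) and func.attr == "new"
            and isinstance(func.value, ast.Name) and func.value.id == "hashlib")


def _static_name(call: ast.Call) -> Optional[str]:
    """Return the algorithm name only if it is a string literal (positional or name=).

    Anything else yields None, which is exactly the value the original plugin
    called .lower() on; the caller must handle it instead of assuming a str."""
    node = call.args[0] if call.args else None
    if node is None:
        for kw in call.keywords:
            if kw.arg == "name":
                node = kw.value
    if isinstance(node, ast.Constant) and isinstance(node.value, str):
        return node.value
    return None


def check_hashlib_new(source: str) -> List[Tuple[int, str, str]]:
    """Scan source for hashlib.new() calls; return (lineno, confidence, message) findings."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Call) and _is_hashlib_new(node)):
            continue
        name = _static_name(node)
        if name is None:
            # Dynamic argument: do not crash; report at lower confidence as the report suggests.
            findings.append((node.lineno, "LOW",
                             "Verify that no insecure hash algorithms are passed to hashlib.new here."))
        elif name.lower() in INSECURE_HASHES:
            findings.append((node.lineno, "HIGH",
                             "Use of insecure %s hash function in hashlib.new." % name.upper()))
    findings.sort(key=lambda f: f[0])
    return findings


if __name__ == "__main__":
    for lineno, confidence, message in check_hashlib_new(SAMPLE):
        print("line %d [%s] %s" % (lineno, confidence, message))
```

Running it reports the literal `md5` on line 5 at high confidence and the two dynamic calls on lines 6 and 8 at low confidence; the `sha256` keyword call is silent. It is a sketch of the handling, not a drop-in patch for the plugin, whose argument extraction goes through bandit's own context object.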