
hashlib_new_insecure_functions plugin fails to parse dynamic code #504

Closed
pshchelo opened this issue Jun 9, 2019 · 1 comment · Fixed by #516
Labels
bug Something isn't working

@pshchelo
Contributor

pshchelo commented Jun 9, 2019

Describe the bug
Running this plugin against a hashlib.new invocation that accepts the hashing algo dynamically from an inline function call on a variable fails with
AttributeError: 'NoneType' object has no attribute 'lower'

To Reproduce
minimal repro module test_hash_new.py

import hashlib

def bandit_fail(algo):
    return hashlib.new(str(algo))

Run bandit >=1.5.0 against it (that's where that check plugin appeared for the first time)

$ bandit test_hash_new.py
...
[tester]        ERROR   Bandit internal error running: hashlib_new on file test_hash_new.py at line 4: 'NoneType' object has no attribute 'lower'
Traceback (most recent call last):
  File "/home/pshchelo/.virtualenvs/bandit/lib/python3.6/site-packages/bandit/core/tester.py", line 64, in run_tests
    result = test(context)
  File "/home/pshchelo/.virtualenvs/bandit/lib/python3.6/site-packages/bandit/plugins/hashlib_new_insecure_functions.py", line 57, in hashlib_new
    if name.lower() in ('md4', 'md5'):
AttributeError: 'NoneType' object has no attribute 'lower'
...

Note that moving str out of call to hashlib.new solves the issue.

Expected behavior
At least no failure/traceback. Possibly the same error emitted but with lower confidence stating something like "Verify that no insecure algos are being passed here".

Bandit version

bandit 1.6.0
  python version = 3.6.5 (default, Apr  1 2018, 05:46:30) [GCC 7.3.0]

but observed on any bandit 1.5.x too, where this check plugin is already available

Additional context
Seems like aftermath of implementing #122

Code where this very failure was observed is OpenStack's glance_store drivers, for example
https://opendev.org/openstack/glance_store/src/tag/0.29.0/glance_store/_drivers/cinder.py#L676

It seems something like

if name and name.lower() in ('md4', 'md5'):

would suffice to fix it.
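The following is an added illustration, not bandit's own plugin code: a small AST-based checker that models the plugin's logic as described in the issue. `_literal_algo_name` returns the algorithm only when `hashlib.new` receives a string literal, so the repro module's `hashlib.new(str(algo))` yields `None`. With `guarded=False` the check dereferences `name.lower()` unconditionally and raises the same `AttributeError`; with `guarded=True` it applies the `if name and ...` pattern from the comment above and reports a low-confidence "verify" finding instead of crashing. The function names, the `LOW`/`HIGH` confidence labels and the sample sources are constructed for this example.

```python
import ast

# Algorithms the plugin treats as insecure (taken from the traceback above).
INSECURE_ALGOS = ('md4', 'md5')


def _is_hashlib_new(call):
    """True for a call spelled exactly ``hashlib.new(...)``."""
    func = call.func
    return (isinstance(func, ast.Attribute) and func.attr == 'new'
            and isinstance(func.value, ast.Name) and func.value.id == 'hashlib')


def _literal_algo_name(call):
    """Return the algorithm name only when it is a string literal.

    Mirrors the failure mode in the issue: a dynamic argument such as
    ``str(algo)`` or a bare variable yields None instead of a string.
    """
    candidates = list(call.args[:1])
    candidates += [kw.value for kw in call.keywords if kw.arg == 'name']
    for node in candidates:
        if isinstance(node, ast.Constant) and isinstance(node.value, str):
            return node.value
    return None


def check_source(source, guarded=True):
    """Scan Python source for hashlib.new calls.

    Returns a list of (lineno, confidence, message) findings.
    guarded=False omits the None check and reproduces the AttributeError
    from the issue; guarded=True turns a dynamic name into a low-confidence
    finding instead of a crash.
    """
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Call) and _is_hashlib_new(node)):
            continue
        name = _literal_algo_name(node)
        if guarded and name is None:
            findings.append((node.lineno, 'LOW',
                             'algorithm name is dynamic; verify that no insecure '
                             'algorithm can be passed here'))
            continue
        # Unguarded path: name.lower() raises AttributeError when name is None.
        if name.lower() in INSECURE_ALGOS:
            findings.append((node.lineno, 'HIGH',
                             'use of insecure hash function %s' % name))
    return findings


def crashes_unguarded(source):
    """True when the unguarded check raises the AttributeError from the issue."""
    try:
        check_source(source, guarded=False)
    except AttributeError:
        return True
    return False


# Constructed sample inputs: the repro module from the issue plus two literal cases.
DYNAMIC_SRC = "import hashlib\n\ndef bandit_fail(algo):\n    return hashlib.new(str(algo))\n"
LITERAL_MD5_SRC = "import hashlib\nh = hashlib.new('MD5')\n"
LITERAL_SHA256_SRC = "import hashlib\nh = hashlib.new(name='sha256')\n"

if __name__ == '__main__':
    for label, src in [('dynamic', DYNAMIC_SRC), ('md5', LITERAL_MD5_SRC),
                       ('sha256', LITERAL_SHA256_SRC)]:
        print(label, 'crashes unguarded:', crashes_unguarded(src))
        print(label, 'guarded findings:', check_source(src))
```

Running the script shows the dynamic case crashing only in the unguarded mode and producing a line-4 `LOW` finding in the guarded mode, which is the behaviour the "Expected behavior" section asks for; the literal `'MD5'` case is still reported with high confidence because `lower()` is applied once the name is known to be a string.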

@ericwb ericwb added the bug Something isn't working label Jun 25, 2019
@ehooo
Contributor

ehooo commented Jul 26, 2019

This is the PR #516
