'NoneType' object has no attribute 'id'Traceback in django_mark_safe #574

Closed
Labels: bug (Something isn't working)
Milestone: Release 1.6.3

Comments

@darakian commented Feb 19, 2020

Describe the bug
While running bandit 1.6.2 I get the following output

[tester]	ERROR	Bandit internal error running: django_mark_safe on file ./venv/lib/python3.7/site-packages/django/template/base.py at line 738: 'NoneType' object has no attribute 'id'
Traceback (most recent call last):
  File "/usr/local/lib/python3.7/site-packages/bandit/core/tester.py", line 64, in run_tests
    result = test(context)
  File "/usr/local/lib/python3.7/site-packages/bandit/plugins/django_xss.py", line 295, in django_mark_safe
    return check_risk(context.node)
  File "/usr/local/lib/python3.7/site-packages/bandit/plugins/django_xss.py", line 243, in check_risk
    secure = evaluate_var(xss_var, parent, node.lineno)
  File "/usr/local/lib/python3.7/site-packages/bandit/plugins/django_xss.py", line 123, in evaluate_var
    to = analyser.is_assigned(node)
  File "/usr/local/lib/python3.7/site-packages/bandit/plugins/django_xss.py", line 89, in is_assigned
    assigned.extend(self.is_assigned_in(node.body))
  File "/usr/local/lib/python3.7/site-packages/bandit/plugins/django_xss.py", line 33, in is_assigned_in
    new_assigned = self.is_assigned(ast_inst)
  File "/usr/local/lib/python3.7/site-packages/bandit/plugins/django_xss.py", line 90, in is_assigned
    assigned.extend(self.is_assigned_in(node.orelse))
  File "/usr/local/lib/python3.7/site-packages/bandit/plugins/django_xss.py", line 33, in is_assigned_in
    new_assigned = self.is_assigned(ast_inst)
  File "/usr/local/lib/python3.7/site-packages/bandit/plugins/django_xss.py", line 89, in is_assigned
    assigned.extend(self.is_assigned_in(node.body))
  File "/usr/local/lib/python3.7/site-packages/bandit/plugins/django_xss.py", line 33, in is_assigned_in
    new_assigned = self.is_assigned(ast_inst)
  File "/usr/local/lib/python3.7/site-packages/bandit/plugins/django_xss.py", line 65, in is_assigned
    if withitem.optional_vars.id == self.var_name.id:
AttributeError: 'NoneType' object has no attribute 'id'

Expected behavior
Not seeing a stack trace.

Bandit version

bandit 1.6.2
  python version = 3.7.6 (default, Dec 30 2019, 19:38:26) [Clang 11.0.0 (clang-1100.0.33.16)]
@lukehinds (Member)

Hi @darakian,

can you let us know the exact args you use to call Bandit and, if the project you are scanning is available, the GitHub repo URL please?

darakian commented Feb 26, 2020

Sure thing. First, the args are -iii -lll, with the full command looking like this (in my case):

bandit -iii -lll venv/lib/python3.7/site-packages/django/template/base.py

The project is the django web framework and I'm using this file in particular
https://github.com/django/django/blob/stable/1.11.x/django/template/base.py

With some quick testing it looks like any combination of i's and l's causes the stack trace. This includes not having them, e.g.

bandit venv/lib/python3.7/site-packages/django/template/base.py

@jshields

I am having this issue as well. I can't share the full example since it's part of a closed source codebase, but basically here's what's happening:
bandit 1.6.2
python 3.6.9

[tester]	ERROR	Bandit internal error running: django_mark_safe on file apps/redacted/admin/views.py at line 65: 'NoneType' object has no attribute 'id'
Traceback (most recent call last):
  File "redacted_app_name/lib/python3.6/site-packages/bandit/core/tester.py", line 64, in run_tests
    result = test(context)
  File "redacted_app_name/lib/python3.6/site-packages/bandit/plugins/django_xss.py", line 295, in django_mark_safe
    return check_risk(context.node)
  File "redacted_app_name/lib/python3.6/site-packages/bandit/plugins/django_xss.py", line 243, in check_risk
    secure = evaluate_var(xss_var, parent, node.lineno)
  File "redacted_app_name/lib/python3.6/site-packages/bandit/plugins/django_xss.py", line 123, in evaluate_var
    to = analyser.is_assigned(node)
  File "redacted_app_name/lib/python3.6/site-packages/bandit/plugins/django_xss.py", line 89, in is_assigned
    assigned.extend(self.is_assigned_in(node.body))
  File "redacted_app_name/lib/python3.6/site-packages/bandit/plugins/django_xss.py", line 33, in is_assigned_in
    new_assigned = self.is_assigned(ast_inst)
  File "redacted_app_name/lib/python3.6/site-packages/bandit/plugins/django_xss.py", line 89, in is_assigned
    assigned.extend(self.is_assigned_in(node.body))
  File "redacted_app_name/lib/python3.6/site-packages/bandit/plugins/django_xss.py", line 33, in is_assigned_in
    new_assigned = self.is_assigned(ast_inst)
  File "redacted_app_name/lib/python3.6/site-packages/bandit/plugins/django_xss.py", line 65, in is_assigned
    if withitem.optional_vars.id == self.var_name.id:
AttributeError: 'NoneType' object has no attribute 'id'

The line that has the issue:

msg = '<a href="{url}">{s}</a>'.format(url=redacted_name.admin_url(), s=redacted)
messages.info(request, mark_safe(msg))

Workaround is to move mark_safe onto the line where msg is defined:

msg = mark_safe('<a href="{url}">{s}</a>'.format(url=redacted_name.admin_url(), s=redacted))
messages.info(request, msg)
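
The traceback above ends in is_assigned comparing withitem.optional_vars.id, and withitem.optional_vars is None for any with statement that has no as target (for example with transaction.atomic():). The following is an added example, not bandit's own code and not code from either reporter: a small AST walk in the same shape as the plugin's evaluate_var/is_assigned path, run over two constructed snippets. One snippet puts the reporter's msg = ... / mark_safe(msg) pair inside a with block without an as target, the other binds msg through with ... as msg. The names bindings_of, mark_safe_calls, reproduces_crash and the sample sources are assumptions made for this example. guarded=False reproduces the unguarded comparison and raises the AttributeError from the issue; guarded=True shows the shape of a check that tolerates a missing as target. The walk only starts when the argument to mark_safe is a bare name, which is also why the workaround of passing the format() call straight into mark_safe sidesteps it.

```python
"""Added example (not bandit's code): an AST walk in the shape of the
django_mark_safe check, showing why a `with` block without an `as` target
raises "'NoneType' object has no attribute 'id'" and what a guard looks like.
"""
import ast


# Constructed inputs, not taken from the original report.
# A `with` that has no `as` target: withitem.optional_vars is None here.
SAMPLE_NO_AS = '''
def view(request, obj):
    with transaction.atomic():
        msg = '<a href="{url}">{s}</a>'.format(url=obj.admin_url(), s=obj.name)
        messages.info(request, mark_safe(msg))
'''

# A `with` whose `as` target is the very variable later passed to mark_safe.
SAMPLE_WITH_AS = '''
def view(request, path):
    with open(path) as msg:
        messages.info(request, mark_safe(msg))
'''


def bindings_of(var_name, body, guarded=True):
    """Return line numbers of statements in `body` that bind `var_name`.

    guarded=False reproduces the unguarded comparison from the traceback
    (`withitem.optional_vars.id == ...`) and raises AttributeError on a
    `with` item that has no `as` target; guarded=True skips such items and
    also ignores non-Name targets such as tuples.
    """
    found = []
    for stmt in body:
        if isinstance(stmt, ast.Assign):
            if any(isinstance(t, ast.Name) and t.id == var_name for t in stmt.targets):
                found.append(stmt.lineno)
        elif isinstance(stmt, ast.With):
            for item in stmt.items:
                target = item.optional_vars  # None when there is no `as` clause
                if guarded:
                    hit = isinstance(target, ast.Name) and target.id == var_name
                else:
                    hit = target.id == var_name  # AttributeError when target is None
                if hit:
                    found.append(stmt.lineno)
        if isinstance(stmt, (ast.FunctionDef, ast.AsyncFunctionDef, ast.ClassDef)):
            continue  # a nested scope does not bind our variable
        # Recurse into the bodies of compound statements (with, if, for, while, try).
        for attr in ("body", "orelse", "finalbody"):
            sub = getattr(stmt, attr, None)
            if isinstance(sub, list):
                found.extend(bindings_of(var_name, sub, guarded))
        for handler in getattr(stmt, "handlers", []):
            found.extend(bindings_of(var_name, handler.body, guarded))
    return found


def mark_safe_calls(source, guarded=True):
    """Map each `mark_safe(<name>)` call line to (name, lines binding that name)
    within the enclosing function. Only a bare Name argument starts the walk."""
    tree = ast.parse(source)
    result = {}
    for func in ast.walk(tree):
        if not isinstance(func, (ast.FunctionDef, ast.AsyncFunctionDef)):
            continue
        for node in ast.walk(func):
            if (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
                    and node.func.id == "mark_safe"):
                for arg in node.args:
                    if isinstance(arg, ast.Name):
                        result[node.lineno] = (arg.id, bindings_of(arg.id, func.body, guarded))
    return result


def reproduces_crash(source):
    """True when the unguarded comparison raises the AttributeError from the issue."""
    try:
        mark_safe_calls(source, guarded=False)
    except AttributeError as exc:
        return "'NoneType' object has no attribute 'id'" in str(exc)
    return False


if __name__ == "__main__":
    print(mark_safe_calls(SAMPLE_NO_AS))     # {5: ('msg', [4])}
    print(mark_safe_calls(SAMPLE_WITH_AS))   # {4: ('msg', [3])}
    print(reproduces_crash(SAMPLE_NO_AS))    # True
    print(reproduces_crash(SAMPLE_WITH_AS))  # False
```

The guarded branch checks isinstance(target, ast.Name) rather than only target is not None, because an as target can also be a tuple or attribute (with f() as (a, b):), and those have no .id either.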

lukehinds added the bug label Apr 13, 2020

@lukehinds (Member)

@ehooo I can see this is your code, do you mind taking a look?

ehooo added a commit to ehooo/bandit that referenced this issue Apr 13, 2020
ericwb pushed a commit that referenced this issue Apr 16, 2020
ericwb added this to the Release 1.6.3 milestone Apr 17, 2020

ericwb commented Apr 17, 2020

Fixed with #598

ericwb closed this as completed Apr 17, 2020
mikespallino pushed a commit to mikespallino/bandit that referenced this issue Aug 25, 2021
mikespallino pushed a commit to mikespallino/bandit that referenced this issue Jan 7, 2022