Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Remove checks for Python2 urllib #999

Merged
merged 1 commit into from
Mar 13, 2023
Merged

Remove checks for Python2 urllib #999

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
6 changes: 0 additions & 6 deletions bandit/blacklists/calls.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -493,16 +493,10 @@ def gen_blacklist():
"B310",
issue.Cwe.PATH_TRAVERSAL,
[
"urllib.urlopen",
"urllib.request.urlopen",
"urllib.urlretrieve",
"urllib.request.urlretrieve",
"urllib.URLopener",
"urllib.request.URLopener",
"urllib.FancyURLopener",
"urllib.request.FancyURLopener",
"urllib2.urlopen",
"urllib2.Request",
"six.moves.urllib.request.urlopen",
"six.moves.urllib.request.urlretrieve",
"six.moves.urllib.request.URLopener",
Expand Down
29 changes: 2 additions & 27 deletions examples/urlopen.py
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,43 +1,18 @@
''' Example dangerous usage of urllib[2] opener functions
''' Example dangerous usage of urllib.request opener functions

The urllib and urllib2 opener functions and object can open http, ftp,
The urllib.request opener functions and object can open http, ftp,
and file urls. Often, the ability to open file urls is overlooked leading
to code that can unexpectedly open files on the local server. This
could be used by an attacker to leak information about the server.
'''


import urllib
import urllib2

# Python 3
import urllib.request

# Six
import six

def test_urlopen():
# urllib
url = urllib.quote('file:///bin/ls')
urllib.urlopen(url, 'blah', 32)
urllib.urlretrieve('file:///bin/ls', '/bin/ls2')
opener = urllib.URLopener()
opener.open('file:///bin/ls')
opener.retrieve('file:///bin/ls')
opener = urllib.FancyURLopener()
opener.open('file:///bin/ls')
opener.retrieve('file:///bin/ls')

# urllib2
handler = urllib2.HTTPBasicAuthHandler()
handler.add_password(realm='test',
uri='http://mysite.com',
user='bob')
opener = urllib2.build_opener(handler)
urllib2.install_opener(opener)
urllib2.urlopen('file:///bin/ls')
urllib2.Request('file:///bin/ls')

# Python 3
urllib.request.urlopen('file:///bin/ls')
urllib.request.urlretrieve('file:///bin/ls', '/bin/ls2')
Expand Down
4 changes: 2 additions & 2 deletions tests/functional/test_functional.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -513,8 +513,8 @@ def test_subprocess_shell(self):
def test_urlopen(self):
"""Test for dangerous URL opening."""
expect = {
"SEVERITY": {"UNDEFINED": 0, "LOW": 0, "MEDIUM": 14, "HIGH": 0},
"CONFIDENCE": {"UNDEFINED": 0, "LOW": 0, "MEDIUM": 0, "HIGH": 14},
"SEVERITY": {"UNDEFINED": 0, "LOW": 0, "MEDIUM": 8, "HIGH": 0},
"CONFIDENCE": {"UNDEFINED": 0, "LOW": 0, "MEDIUM": 0, "HIGH": 8},
}
self.check_example("urlopen.py", expect)

Expand Down