~ubuntu-branches/ubuntu/wily/bandit/wily-proposed

« back to all changes in this revision

Viewing changes to bandit/core/context.py

Committer: Package Import Robot
Author(s): Dave Walker (Daviey)
Date: 2015-07-22 09:01:39 UTC
Revision ID: package-import@ubuntu.com-20150722090139-fl0nluy0x8m9ctx4

Tags: upstream-0.12.0

Import upstream version 0.12.0

files added:

.gitignore

.gitreview

.testr.conf

AUTHORS

LICENSE

README.md

bandit

bandit/__init__.py

bandit/bandit.py

bandit/config

bandit/config/bandit.yaml

bandit/core

bandit/core/__init__.py

bandit/core/config.py

bandit/core/constants.py

bandit/core/context.py

bandit/core/extension_loader.py

bandit/core/formatters.py

bandit/core/manager.py

bandit/core/meta_ast.py

bandit/core/node_visitor.py

bandit/core/objects.py

bandit/core/result_store.py

bandit/core/test_properties.py

bandit/core/test_set.py

bandit/core/tester.py

bandit/core/utils.py

bandit/plugins

bandit/plugins/__init__.py

bandit/plugins/asserts.py

bandit/plugins/blacklist_calls.py

bandit/plugins/blacklist_imports.py

bandit/plugins/crypto_random.py

bandit/plugins/crypto_request_no_cert_validation.py

bandit/plugins/exec.py

bandit/plugins/exec_as_root.py

bandit/plugins/general_bad_file_permissions.py

bandit/plugins/general_bind_all_interfaces.py

bandit/plugins/general_hardcoded_password.py

bandit/plugins/general_hardcoded_tmp.py

bandit/plugins/injection_shell.py

bandit/plugins/injection_sql.py

bandit/plugins/injection_wildcard.py

bandit/plugins/insecure_ssl_tls.py

bandit/plugins/jinja2_templates.py

bandit/plugins/mako_templates.py

bandit/plugins/secret_config_option.py

bandit/plugins/xml.py

docs

docs/exec.md

docs/jinja2.md

docs/ssl_tls.md

docs/temp.md

docs/xml.md

docs/yaml.md

examples

examples/assert.py

examples/binding.py

examples/crypto-md5.py

examples/eval.py

examples/exec-as-root.py

examples/exec-py2.py

examples/exec-py3.py

examples/hardcoded-passwords.py

examples/hardcoded-tmp.py

examples/httplib_https.py

examples/imports-aliases.py

examples/imports-from.py

examples/imports-function.py

examples/imports-telnetlib.py

examples/imports.py

examples/jinja2_templating.py

examples/mako_templating.py

examples/marshal_deserialize.py

examples/mktemp.py

examples/multiline-str.py

examples/nonsense.py

examples/okay.py

examples/os-chmod-py2.py

examples/os-chmod-py3.py

examples/os-exec.py

examples/os-popen.py

examples/os-spawn.py

examples/os-startfile.py

examples/os_system.py

examples/paramiko_injection.py

examples/pickle_deserialize.py

examples/popen_wrappers.py

examples/random_module.py

examples/requests-ssl-verify-disabled.py

examples/secret-config-option.py

examples/skip.py

examples/sql_statements_with_sqlalchemy.py

examples/sql_statements_without_sql_alchemy.py

examples/ssl-insecure-version.py

examples/subprocess_shell.py

examples/urlopen.py

examples/utils-shell.py

examples/wildcard-injection.py

examples/xml_etree_celementtree.py

examples/xml_etree_elementtree.py

examples/xml_expatbuilder.py

examples/xml_expatreader.py

examples/xml_lxml.py

examples/xml_minidom.py

examples/xml_pulldom.py

examples/xml_sax.py

examples/xml_xmlrpc.py

examples/yaml_load.py

requirements.txt

scripts

scripts/main.py

setup.cfg

setup.py

test-requirements.txt

tests

tests/__init__.py

tests/test_basic.py

tests/test_functional.py

tests/test_node_visitor.py

tests/test_util.py

tox.ini

wordlist

wordlist/default-passwords

Show diffs side-by-side

added added

removed removed

bandit/core/context.py

# -*- coding:utf-8 -*-

# Licensed under the Apache License, Version 2.0 (the "License"); you may

# not use this file except in compliance with the License. You may obtain

# a copy of the License at

# http://www.apache.org/licenses/LICENSE-2.0

# Unless required by applicable law or agreed to in writing, software

# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT

# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the

# License for the specific language governing permissions and limitations

# under the License.

import _ast

import six

from bandit.core import utils

class Context():

def __init__(self, context_object=None):

'''Initialize the class with a context, empty dict otherwise

:param context_object: The context object to create class from

:return: -

'''

if context_object is not None:

self._context = context_object

else:

self._context = dict()

def __repr__(self):

'''Generate representation of object for printing / interactive use

Most likely only interested in non-default properties, so we return

the string version of _context.

Example string returned:

<Context {'node': <_ast.Call object at 0x110252510>, 'function': None,

'name': 'socket', 'imports': set(['socket']), 'module': None,

'filename': 'examples/binding.py',

'call': <_ast.Call object at 0x110252510>, 'lineno': 3,

'import_aliases': {}, 'qualname': 'socket.socket'}>

:return: A string representation of the object

'''

return "<Context %s>" % self._context

@property

def call_args(self):

'''Get a list of function args

:return: A list of function args

'''

args = []

for arg in self._context['call'].args:

if hasattr(arg, 'attr'):

args.append(arg.attr)

else:

args.append(self._get_literal_value(arg))

return args

@property

def call_args_count(self):

'''Get the number of args a function call has

:return: The number of args a function call has

'''

if hasattr(self._context['call'], 'args'):

return len(self._context['call'].args)

else:

return None

@property

def call_args_string(self):

'''Get a string representation of the call arguments

:return: Returns a string representation of the call arguments

'''

if 'call' in self._context and hasattr(self._context, 'args'):

return utils.ast_args_to_str(self._context['call'].args)

else:

return ''

@property

def call_function_name(self):

'''Get the name (not FQ) of a function call

:return: The name (not FQ) of a function call

'''

if 'name' in self._context:

return self._context['name']

else:

return None

100

@property

101

def call_function_name_qual(self):

102

'''Get the FQ name of a function call

103

104

:return: The FQ name of a function call

105

'''

106

if 'qualname' in self._context:

107

return self._context['qualname']

108

else:

109

return None

110

111

@property

112

def call_keywords(self):

113

'''Get a dictionary of keyword parameters

114

115

:return: A dictionary of keyword parameters for a call as strings

116

'''

117

if (

118

'call' in self._context and

119

hasattr(self._context['call'], 'keywords')

120

121

return_dict = {}

122

for li in self._context['call'].keywords:

123

if hasattr(li.value, 'attr'):

124

return_dict[li.arg] = li.value.attr

125

else:

126

return_dict[li.arg] = self._get_literal_value(li.value)

127

return return_dict

128

else:

129

return None

130

131

@property

132

def node(self):

133

'''Get the raw AST node associated with the context

134

135

:return: The raw AST node associated with the context

136

'''

137

if 'node' in self._context:

138

return self._context['node']

139

else:

140

return None

141

142

@property

143

def string_val(self):

144

'''Get a string value of a standalone string

145

146

:return: String value of a standalone string

147

'''

148

if 'str' in self._context:

149

return utils.safe_str(self._context['str'])

150

else:

151

return None

152

153

@property

154

def statement(self):

155

'''Get the raw AST for the current statement

156

157

:return: The raw AST for the current statement

158

'''

159

if 'statement' in self._context:

160

return self._context['statement']

161

else:

162

return None

163

164

@property

165

def function_def_defaults_qual(self):

166

'''Get a list of fully qualified default values in a function def

167

168

:return: List of defaults

169

'''

170

defaults = []

171

for default in self._context['node'].args.defaults:

172

defaults.append(utils.get_qual_attr(

173

default,

174

self._context['import_aliases']))

175

return defaults

176

177

def _get_literal_value(self, literal):

178

'''Utility function to turn AST literals into native Python types

179

180

:param literal: The AST literal to convert

181

:return: The value of the AST literal

182

'''

183

if isinstance(literal, _ast.Num):

184

return literal.n

185

186

elif isinstance(literal, _ast.Str):

187

return literal.s

188

189

elif isinstance(literal, _ast.List):

190

return_list = list()

191

for li in literal.elts:

192

return_list.append(self._get_literal_value(li))

193

return return_list

194

195

elif isinstance(literal, _ast.Tuple):

196

return_tuple = tuple()

197

for ti in literal.elts:

198

return_tuple = return_tuple + (self._get_literal_value(ti),)

199

return return_tuple

200

201

elif isinstance(literal, _ast.Set):

202

return_set = set()

203

for si in literal.elts:

204

return_set.add(self._get_literal_value(si))

205

return return_set

206

207

elif isinstance(literal, _ast.Dict):

208

return dict(zip(literal.keys, literal.values))

209

210

elif isinstance(literal, _ast.Ellipsis):

211

# what do we want to do with this?

212

pass

213

214

elif isinstance(literal, _ast.Name):

215

return literal.id

216

217

# NOTE(sigmavirus24): NameConstants are only part of the AST in Python

218

# 3. NameConstants tend to refer to things like True and False. This

219

# prevents them from being re-assigned in Python 3.

220

elif six.PY3 and isinstance(literal, _ast.NameConstant):

221

return str(literal.value)

222

223

# NOTE(sigmavirus24): Bytes are only part of the AST in Python 3

224

elif six.PY3 and isinstance(literal, _ast.Bytes):

225

return literal.s

226

227

else:

228

return None

229

230

def check_call_arg_value(self, argument_name, argument_values=None):

231

'''Checks for a value of a named argument in a function call.

232

233

Returns none if the specified argument is not found.

234

:param argument_name: A string - name of the argument to look for

235

:param argument_values: the value, or list of values to test against

236

:return: Boolean True if argument found and matched, False if

237

found and not matched, None if argument not found at all

238

'''

239

kwd_values = self.call_keywords

240

if (kwd_values is not None and

241

argument_name in kwd_values):

242

if not isinstance(argument_values, list):

243

# if passed a single value, or a tuple, convert to a list

244

argument_values = list((argument_values,))

245

for val in argument_values:

246

if kwd_values[argument_name] == val:

247

# if matched, fix up the context lineno for reporting

248

self.set_lineno_for_call_arg(argument_name)

249

return True

250

return False

251

else:

252

# argument name not found, return None to allow testing for this

253

# eventuality

254

return None

255

256

def set_lineno_for_call_arg(self, argument_name):

257

'''Updates the line number for a specific named argument

258

259

If a call is split over multiple lines, when a keyword arg is found

260

the issue will be reported with the line number of the start of the

261

call. This function updates the line number in the current context

262

copy to match the actual line where the match occurs.

263

:call_node: the call to find the argument in

264

:param argument_name: A string - name of the argument to look for

265

:return: Integer - the line number of the found argument

266

'''

267

for key in self.node.keywords:

268

if key.arg is argument_name:

269

self._context['lineno'] = key.value.lineno

270

271

def get_call_arg_at_position(self, position_num):

272

'''Returns positional argument at the specified position (if it exists)

273

274

:param position_num: The index of the argument to return the value for

275

:return: Value of the argument at the specified position if it exists

276

'''

277

if (

278

hasattr(self._context['call'], 'args') and

279

position_num < len(self._context['call'].args)

280

281

return self._get_literal_value(

282

self._context['call'].args[position_num]

283

)

284

else:

285

return None

286

287

def is_module_being_imported(self, module):

288

'''Check for the specified module is currently being imported

289

290

:param module: The module name to look for

291

:return: True if the module is found, False otherwise

292

'''

293

if 'module' in self._context and self._context['module'] == module:

294

return True

295

else:

296

return False

297

298

def is_module_imported_exact(self, module):

299

'''Check if a specified module has been imported; only exact matches.

300

301

:param module: The module name to look for

302

:return: True if the module is found, False otherwise

303

'''

304

if 'imports' in self._context and module in self._context['imports']:

305

return True

306

else:

307

return False

308

309

def is_module_imported_like(self, module):

310

'''Check if a specified module has been imported

311

312

Check if a specified module has been imported; specified module exists

313

as part of any import statement.

314

:param module: The module name to look for

315

:return: True if the module is found, False otherwise

316

'''

317

if 'imports' in self._context:

318

for imp in self._context['imports']:

319

if module in imp:

320

return True

321

return False

Older »