3
# Copyright 2014 Hewlett-Packard Development Company, L.P.
5
# Licensed under the Apache License, Version 2.0 (the "License"); you may
6
# not use this file except in compliance with the License. You may obtain
7
# a copy of the License at
9
# http://www.apache.org/licenses/LICENSE-2.0
11
# Unless required by applicable law or agreed to in writing, software
12
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
13
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
14
# License for the specific language governing permissions and limitations
24
from bandit.core import constants as C
25
from bandit.core import manager as b_manager
26
from bandit.core import test_set as b_test_set
29
cfg_file = os.path.join(os.getcwd(), 'bandit/config/bandit.yaml')
32
class FunctionalTests(unittest.TestCase):
34
'''This set of tests runs bandit against each example file in turn
35
and records the score returned. This is compared to a known good value.
36
When new tests are added to an example the expected result should be
41
super(FunctionalTests, self).setUp()
42
# NOTE(tkelsey): bandit is very sensitive to paths, so stitch
43
# them up here for the testing environment.
45
path = os.path.join(os.getcwd(), 'bandit', 'plugins')
46
self.b_mgr = b_manager.BanditManager(cfg_file, 'file')
47
self.b_mgr.b_conf._settings['plugins_dir'] = path
48
self.b_mgr.b_ts = b_test_set.BanditTestSet(self.b_mgr.logger,
49
config=self.b_mgr.b_conf,
55
def run_example(self, example_script):
56
'''A helper method to run the specified test
58
This method runs the test, which populates the self.b_mgr.scores
59
value. Call this directly if you need to run a test, but do not
60
need to test the resulting scores against specified values.
61
:param example_script: Filename of an example script to test
63
path = os.path.join(os.getcwd(), 'examples', example_script)
64
self.b_mgr.discover_files([path], True)
65
self.b_mgr.run_tests()
67
def check_example(self, example_script, expect):
68
'''A helper method to test the scores for example scripts.
70
:param example_script: Filename of an example script to test
71
:param expect: dict with expected counts of issue types
73
# reset scores for subsequent calls to check_example
74
self.b_mgr.scores = []
75
self.run_example(example_script)
78
for test_scores in self.b_mgr.scores:
79
for score_type in test_scores:
80
self.assertIn(score_type, expect)
81
for rating in expect[score_type]:
83
expect[score_type][rating] * C.RANKING_VALUES[rating]
85
result += sum(test_scores[score_type])
86
self.assertEqual(expected, result)
88
def test_binding(self):
89
'''Test the bind-to-0.0.0.0 example.'''
90
expect = {'SEVERITY': {'MEDIUM': 1}, 'CONFIDENCE': {'MEDIUM': 1}}
91
self.check_example('binding.py', expect)
93
def test_crypto_md5(self):
94
'''Test the `hashlib.md5` example.'''
95
expect = {'SEVERITY': {'MEDIUM': 4}, 'CONFIDENCE': {'HIGH': 4}}
96
self.check_example('crypto-md5.py', expect)
99
'''Test the `eval` example.'''
100
expect = {'SEVERITY': {'MEDIUM': 3}, 'CONFIDENCE': {'HIGH': 3}}
101
self.check_example('eval.py', expect)
104
'''Test the `exec` example.'''
105
filename = 'exec-{}.py'
107
filename = filename.format('py2')
108
expect = {'SEVERITY': {'MEDIUM': 2}, 'CONFIDENCE': {'HIGH': 2}}
110
filename = filename.format('py3')
111
expect = {'SEVERITY': {'MEDIUM': 1}, 'CONFIDENCE': {'HIGH': 1}}
112
self.check_example(filename, expect)
114
def test_exec_as_root(self):
115
'''Test for the `run_as_root=True` keyword argument.'''
116
expect = {'SEVERITY': {'LOW': 5}, 'CONFIDENCE': {'MEDIUM': 5}}
117
self.check_example('exec-as-root.py', expect)
119
def test_hardcoded_passwords(self):
120
'''Test for hard-coded passwords.'''
121
expect = {'SEVERITY': {'LOW': 2}, 'CONFIDENCE': {'LOW': 2}}
122
self.check_example('hardcoded-passwords.py', expect)
124
def test_hardcoded_tmp(self):
125
'''Test for hard-coded /tmp.'''
126
expect = {'SEVERITY': {'MEDIUM': 1}, 'CONFIDENCE': {'MEDIUM': 1}}
127
self.check_example('hardcoded-tmp.py', expect)
129
def test_httplib_https(self):
130
'''Test for `httplib.HTTPSConnection`.'''
131
expect = {'SEVERITY': {'MEDIUM': 1}, 'CONFIDENCE': {'HIGH': 1}}
132
self.check_example('httplib_https.py', expect)
134
def test_imports_aliases(self):
135
'''Test the `import X as Y` syntax.'''
137
'SEVERITY': {'LOW': 3, 'MEDIUM': 5, 'HIGH': 1},
138
'CONFIDENCE': {'HIGH': 9}
140
self.check_example('imports-aliases.py', expect)
142
def test_imports_from(self):
143
'''Test the `from X import Y` syntax.'''
144
expect = {'SEVERITY': {'LOW': 3}, 'CONFIDENCE': {'HIGH': 3}}
145
self.check_example('imports-from.py', expect)
147
def test_imports_function(self):
148
'''Test the `__import__` function.'''
149
expect = {'SEVERITY': {'LOW': 2}, 'CONFIDENCE': {'HIGH': 2}}
150
self.check_example('imports-function.py', expect)
152
def test_imports_telnetlib(self):
153
'''Test for `import telnetlib`.'''
154
expect = {'SEVERITY': {'HIGH': 1}, 'CONFIDENCE': {'HIGH': 1}}
155
self.check_example('imports-telnetlib.py', expect)
157
def test_imports(self):
158
'''Test for dangerous imports.'''
159
expect = {'SEVERITY': {'LOW': 2}, 'CONFIDENCE': {'HIGH': 2}}
160
self.check_example('imports.py', expect)
162
def test_multiline_str(self):
163
'''Test docstrings and multi-line strings are handled properly.'''
164
expect = {'SEVERITY': {'MEDIUM': 3}, 'CONFIDENCE': {'MEDIUM': 3}}
165
self.check_example('multiline-str.py', expect)
167
def test_mktemp(self):
168
'''Test for `tempfile.mktemp`.'''
169
expect = {'SEVERITY': {'MEDIUM': 4}, 'CONFIDENCE': {'HIGH': 4}}
170
self.check_example('mktemp.py', expect)
172
def test_nonsense(self):
173
'''Test that a syntactically invalid module is skipped.'''
174
self.run_example('nonsense.py')
175
self.assertEqual(1, len(self.b_mgr.b_rs.skipped))
178
'''Test a vulnerability-free file.'''
179
expect = {'SEVERITY': {}, 'CONFIDENCE': {}}
180
self.check_example('okay.py', expect)
182
def test_os_chmod(self):
183
'''Test setting file permissions.'''
184
filename = 'os-chmod-{}.py'
186
filename = filename.format('py2')
188
'SEVERITY': {'MEDIUM': 2, 'HIGH': 9},
189
'CONFIDENCE': {'HIGH': 10, 'MEDIUM': 1}
192
filename = filename.format('py3')
194
'SEVERITY': {'MEDIUM': 2, 'HIGH': 9},
195
'CONFIDENCE': {'HIGH': 10, 'MEDIUM': 1}
197
self.check_example('os-chmod.py', expect)
199
def test_os_exec(self):
200
'''Test for `os.exec*`.'''
201
expect = {'SEVERITY': {'LOW': 8}, 'CONFIDENCE': {'MEDIUM': 8}}
202
self.check_example('os-exec.py', expect)
204
def test_os_popen(self):
205
'''Test for `os.popen`.'''
206
expect = {'SEVERITY': {'MEDIUM': 7}, 'CONFIDENCE': {'MEDIUM': 7}}
207
self.check_example('os-popen.py', expect)
209
def test_os_spawn(self):
210
'''Test for `os.spawn*`.'''
211
expect = {'SEVERITY': {'LOW': 8}, 'CONFIDENCE': {'MEDIUM': 8}}
212
self.check_example('os-spawn.py', expect)
214
def test_os_startfile(self):
215
'''Test for `os.startfile`.'''
216
expect = {'SEVERITY': {'LOW': 3}, 'CONFIDENCE': {'MEDIUM': 3}}
217
self.check_example('os-startfile.py', expect)
219
def test_os_system(self):
220
'''Test for `os.system`.'''
221
expect = {'SEVERITY': {'MEDIUM': 1}, 'CONFIDENCE': {'MEDIUM': 1}}
222
self.check_example('os_system.py', expect)
224
def test_pickle(self):
225
'''Test for the `pickle` module.'''
227
'SEVERITY': {'LOW': 2, 'MEDIUM': 6},
228
'CONFIDENCE': {'HIGH': 8 }
230
self.check_example('pickle_deserialize.py', expect)
232
def test_popen_wrappers(self):
233
'''Test the `popen2` and `commands` modules.'''
234
expect = {'SEVERITY': {'MEDIUM': 7}, 'CONFIDENCE': {'MEDIUM': 7}}
235
self.check_example('popen_wrappers.py', expect)
237
def test_random_module(self):
238
'''Test for the `random` module.'''
239
expect = {'SEVERITY': {'LOW': 3}, 'CONFIDENCE': {'HIGH': 3}}
240
self.check_example('random_module.py', expect)
242
def test_requests_ssl_verify_disabled(self):
243
'''Test for the `requests` library skipping verification.'''
244
expect = {'SEVERITY': {'HIGH': 2}, 'CONFIDENCE': {'HIGH': 2}}
245
self.check_example('requests-ssl-verify-disabled.py', expect)
248
'''Test `#nosec` and `#noqa` comments.'''
249
expect = {'SEVERITY': {'LOW': 5}, 'CONFIDENCE': {'HIGH': 5}}
250
self.check_example('skip.py', expect)
252
def test_sql_statements_with_sqlalchemy(self):
253
'''Test for SQL injection through string building.'''
254
expect = {'SEVERITY': {'LOW': 4}, 'CONFIDENCE': {'LOW': 4}}
255
self.check_example('sql_statements_with_sqlalchemy.py', expect)
257
def test_sql_statements_without_sql_alchemy(self):
258
'''Test for SQL injection without SQLAlchemy.'''
259
expect = {'SEVERITY': {'MEDIUM': 4}, 'CONFIDENCE': {'LOW': 4}}
260
self.check_example('sql_statements_without_sql_alchemy.py', expect)
262
def test_ssl_insecure_version(self):
263
'''Test for insecure SSL protocol versions.'''
265
'SEVERITY': {'LOW': 1, 'MEDIUM': 10, 'HIGH': 7},
266
'CONFIDENCE': {'LOW': 0, 'MEDIUM': 11, 'HIGH': 7}
268
self.check_example('ssl-insecure-version.py', expect)
270
def test_subprocess_shell(self):
271
'''Test for `subprocess.Popen` with `shell=True`.'''
273
'SEVERITY': {'HIGH': 5, 'MEDIUM': 1, 'LOW': 7},
274
'CONFIDENCE': {'HIGH': 13}
276
self.check_example('subprocess_shell.py', expect)
278
def test_urlopen(self):
279
'''Test for dangerous URL opening.'''
280
expect = {'SEVERITY': {'MEDIUM': 6}, 'CONFIDENCE': {'HIGH': 6}}
281
self.check_example('urlopen.py', expect)
283
def test_utils_shell(self):
284
'''Test for `utils.execute*` with `shell=True`.'''
286
'SEVERITY': {'HIGH': 4, 'LOW': 1},
287
'CONFIDENCE': {'HIGH': 5}
289
self.check_example('utils-shell.py', expect)
291
def test_wildcard_injection(self):
292
'''Test for wildcard injection in shell commands.'''
294
'SEVERITY': {'HIGH': 5, 'MEDIUM':3, 'LOW': 6},
295
'CONFIDENCE': {'MEDIUM': 8, 'HIGH': 6}
297
self.check_example('wildcard-injection.py', expect)
300
'''Test for `yaml.load`.'''
301
expect = {'SEVERITY': {'MEDIUM': 1}, 'CONFIDENCE': {'HIGH': 1}}
302
self.check_example('yaml_load.py', expect)
304
def test_jinja2_templating(self):
305
'''Test jinja templating for potential XSS bugs.'''
307
'SEVERITY': {'HIGH': 4},
308
'CONFIDENCE': {'HIGH': 3, 'MEDIUM':1}
310
self.check_example('jinja2_templating.py', expect)
312
def test_secret_config_option(self):
313
'''Test for `secret=True` in Oslo's config.'''
315
'SEVERITY': {'LOW': 1, 'MEDIUM': 2},
316
'CONFIDENCE': {'MEDIUM': 3}
318
self.check_example('secret-config-option.py', expect)
320
def test_mako_templating(self):
321
'''Test Mako templates for XSS.'''
322
expect = {'SEVERITY': {'MEDIUM': 3}, 'CONFIDENCE': {'HIGH': 3}}
323
self.check_example('mako_templating.py', expect)
326
'''Test xml vulnerabilities.'''
327
expect = {'SEVERITY': {'LOW': 1, 'HIGH': 4},
328
'CONFIDENCE': {'HIGH': 1, 'MEDIUM': 4}}
329
self.check_example('xml_etree_celementtree.py', expect)
331
expect = {'SEVERITY': {'LOW': 1, 'HIGH': 2},
332
'CONFIDENCE': {'HIGH': 1, 'MEDIUM': 2}}
333
self.check_example('xml_expatbuilder.py', expect)
335
expect = {'SEVERITY': {'LOW': 3, 'HIGH': 1},
336
'CONFIDENCE': {'HIGH': 3, 'MEDIUM': 1}}
337
self.check_example('xml_lxml.py', expect)
339
expect = {'SEVERITY': {'LOW': 2, 'HIGH': 2},
340
'CONFIDENCE': {'HIGH': 2, 'MEDIUM': 2}}
341
self.check_example('xml_pulldom.py', expect)
343
expect = {'SEVERITY': {'HIGH': 1},
344
'CONFIDENCE': {'HIGH': 1}}
345
self.check_example('xml_xmlrpc.py', expect)
347
expect = {'SEVERITY': {'LOW': 1, 'HIGH': 4},
348
'CONFIDENCE': {'HIGH': 1, 'MEDIUM': 4}}
349
self.check_example('xml_etree_elementtree.py', expect)
351
expect = {'SEVERITY': {'LOW': 1, 'HIGH': 1},
352
'CONFIDENCE': {'HIGH': 1, 'MEDIUM': 1}}
353
self.check_example('xml_expatreader.py', expect)
355
expect = {'SEVERITY': {'LOW': 2, 'HIGH': 2},
356
'CONFIDENCE': {'HIGH': 2, 'MEDIUM': 2}}
357
self.check_example('xml_minidom.py', expect)
359
expect = {'SEVERITY': {'LOW': 1, 'HIGH': 6},
360
'CONFIDENCE': {'HIGH': 1, 'MEDIUM': 6}}
361
self.check_example('xml_sax.py', expect)
363
def test_asserts(self):
364
'''Test catching the use of assert.'''
365
expect = {'SEVERITY': {'LOW': 1},
366
'CONFIDENCE': {'HIGH': 1}}
367
self.check_example('assert.py', expect)
369
def test_paramiko_injection(self):
370
'''Test paramiko command execution.'''
371
expect = {'SEVERITY': {'MEDIUM': 2},
372
'CONFIDENCE': {'HIGH': 2}}
373
self.check_example('paramiko_injection.py', expect)
375
def test_multiline_code(self):
376
'''Test issues in multiline statements return code as expected.'''
377
self.run_example('multiline-str.py')
378
self.assertEqual(0, len(self.b_mgr.b_rs.skipped))
379
self.assertEqual(1, len(self.b_mgr.files_list))
380
self.assertTrue(self.b_mgr.files_list[0].endswith('multiline-str.py'))
381
issues = self.b_mgr.b_rs._get_issue_list()
382
self.assertEqual(3, len(issues))
384
issues[0]['filename'].endswith('examples/multiline-str.py')
386
self.assertEqual(4, issues[0]['line_number'])
387
self.assertEqual(range(2, 7), issues[0]['line_range'])
388
self.assertIn('/tmp', issues[0]['code'])
389
self.assertEqual(18, issues[1]['line_number'])
390
self.assertEqual(range(16, 21), issues[1]['line_range'])
391
self.assertIn('/tmp', issues[1]['code'])
392
self.assertEqual(23, issues[2]['line_number'])
393
self.assertEqual(range(22, 31), issues[2]['line_range'])
394
self.assertIn('/tmp', issues[2]['code'])