
Bandit should deprecate xml.etree use #948

Closed
clavedeluna opened this issue Sep 14, 2022 · 0 comments · Fixed by #1093
Labels
bug Something isn't working

Comments

Contributor

clavedeluna commented Sep 14, 2022

Describe the bug

Bandit is using xml.etree which is not recommended.

Reproduction steps

If you run bandit on itself with `bandit -r bandit`, you'll get the following:

```
>> Issue: [B405:blacklist] Using cElementTree to parse untrusted XML data is known to be vulnerable to XML attacks. Replace cElementTree with the equivalent defusedxml package, or make sure defusedxml.defuse_stdlib() is called.
   Severity: Low   Confidence: High
   CWE: CWE-20 (https://cwe.mitre.org/data/definitions/20.html)
   Location: bandit/formatters/xml.py:40:0
   More Info: https://bandit.readthedocs.io/en/1.7.4/blacklists/blacklist_imports.html#b405-import-xml-etree
39	import sys
40	from xml.etree import cElementTree as ET
41
42	from bandit.core import docs_utils
```

Expected behavior

Replace this with defusedxml

Bandit version

1.7.4 (Default)

Python version

3.8

Additional context

No response

@clavedeluna clavedeluna added the bug Something isn't working label Sep 14, 2022
ericwb added a commit to ericwb/bandit that referenced this issue Jan 14, 2024
* Used nosec for various false positives.
  1. xml.etree is used only for XML generation not parsing
  2. "0.0.0.0" is used in the plugin itself
  3. Various strings of temp directories are used in the plugin
     itself.
  4. The subprocess call does use user input, but only from
     the command line itself that is running baseline. Although
     maybe this could be argued as an issue.
* Fixed the empty try-except-pass to have code in the except
  block.

Fixes PyCQA#948

Signed-off-by: Eric Brown <[email protected]>
ericwb added a commit that referenced this issue Jan 14, 2024
* Used nosec for various false positives.
  1. xml.etree is used only for XML generation not parsing
  2. "0.0.0.0" is used in the plugin itself
  3. Various strings of temp directories are used in the plugin
     itself.
  4. The subprocess call does use user input, but only from
     the command line itself that is running baseline. Although
     maybe this could be argued as an issue.
* Fixed the empty try-except-pass to have code in the except
  block.

Fixes #948

Signed-off-by: Eric Brown <[email protected]>
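The two sides of the B405 finding above, as an added example that is not code from the issue, the commit, or bandit itself: generating a report with `xml.etree` (the formatter's use, which the commit marks `nosec` because it only builds XML) never parses untrusted input, so the entity-expansion risk the B405 message describes does not apply to it. Parsing is where that risk lives; the parser below uses the stdlib `xml.parsers.expat` handlers to refuse any DOCTYPE or entity declaration, which is the same class of mitigation `defusedxml` (the fix the issue asks for) installs when `defusedxml.defuse_stdlib()` is called. The function names, the report layout, and the sample inputs are constructed for this example.

```python
"""Added example (not bandit's own code): generation vs. parsing with xml.etree.

render_report()   - builds XML the way a formatter does; no parsing involved.
parse_untrusted() - parses XML while rejecting DTDs and entity declarations,
                    the mitigation defusedxml applies to the stdlib parsers.
"""
import xml.etree.ElementTree as ET
from xml.parsers import expat


def render_report(findings):
    """Generate an XML report from a list of finding dicts (constructed shape).

    This is pure generation: every value is escaped by ElementTree on output,
    and no XML is ever parsed, so B405's parsing concern does not apply here.
    """
    root = ET.Element("testsuite", name="bandit", tests=str(len(findings)))
    for finding in findings:
        case = ET.SubElement(
            root, "testcase", classname=finding["file"], name=finding["test_id"]
        )
        error = ET.SubElement(case, "error", type=finding["severity"])
        error.text = finding["text"]
    return ET.tostring(root, encoding="unicode")


class UnsafeXML(ValueError):
    """Raised when untrusted XML carries a DTD or entity declaration."""


def parse_untrusted(data: bytes) -> dict:
    """Count elements by tag name in untrusted XML, refusing DTD constructs.

    Entity expansion ("billion laughs") and external entity (XXE) inputs both
    need a DOCTYPE with entity declarations, so refusing the DOCTYPE itself,
    as well as any entity declaration or external entity reference, closes
    the door before any expansion can happen.
    """
    counts: dict = {}

    def forbid(*_args):
        # Hooked on the three expat callbacks that a DTD can trigger; raising
        # here aborts Parse() and propagates the exception to the caller.
        raise UnsafeXML("DOCTYPE and entity declarations are not allowed")

    def start_element(name, _attrs):
        counts[name] = counts.get(name, 0) + 1

    parser = expat.ParserCreate()
    parser.StartDoctypeDeclHandler = forbid
    parser.EntityDeclHandler = forbid
    parser.ExternalEntityRefHandler = forbid
    parser.StartElementHandler = start_element
    parser.Parse(data, True)
    return counts


if __name__ == "__main__":
    # Constructed sample finding, mirroring the shape of the B405 report above.
    sample = [{
        "file": "bandit/formatters/xml.py",
        "test_id": "B405",
        "severity": "LOW",
        "text": "Using cElementTree to parse untrusted XML data",
    }]
    print(render_report(sample))
    print(parse_untrusted(b"<a><b/><b/></a>"))
    try:
        # Constructed input with a harmless internal entity: rejected outright.
        parse_untrusted(b'<!DOCTYPE a [<!ENTITY e "x">]><a>&e;</a>')
    except UnsafeXML as exc:
        print("rejected:", exc)
```

The generation side shows why the commit's `nosec` for the formatter is defensible: the finding is about the parser, and a module that only emits XML has nothing to parse. The parsing side shows the shape of the real fix; in a project that already depends on `defusedxml`, calling `defusedxml.defuse_stdlib()` once at startup applies the same refusal to `xml.etree`, `xml.dom` and `xml.sax` without hand-wiring expat handlers.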