Expand B404, B602, B603 and B604 to include anyio calls #1199

Open
@Skelmis

Description

Is your feature request related to a problem? Please describe.
Currently the plugins B404, B602, B603 and B604 handle the general case of subprocesses within Python. These checks however do not cover anyio and I think it'd be useful to add support for this.

Describe the solution you'd like
Expand upon the existing plugins so that they may handle anyio cases.

Describe alternatives you've considered
Manually conducting source code review to find and locate these calls.

Additional context
While not as common as direct subprocess calls, the anyio package still appears to be relatively popular by download counts at least. Not all users will use subprocesses per se, but I still think this feature may be useful for Bandit to contain. I am also possibly looking to PR this feature myself, however I figured opening an issue first for any discussions surrounding direction would be ideal.

Example checks
Example vulnerable code as currently seen by Bandit.
The following code examples are considered equivalent (source):

result_str = await anyio.run_process("user input here")
result_str = subprocess.run("user input here", shell=True)

With the following code Bandit outputs the following, only alerting on the subprocess call.
Code:

import asyncio

import anyio
import subprocess


async def main():
    command = input()

    # Anyio
    result_str = await anyio.run_process(command)

    # Subprocess
    result_str = subprocess.run(command, shell=True)


asyncio.run(main())

Bandit output:

>> Issue: [B602:subprocess_popen_with_shell_equals_true] subprocess call with shell=True identified, security issue.
   Severity: High   Confidence: High
   CWE: CWE-78 (https://cwe.mitre.org/data/definitions/78.html)
   More Info: https://bandit.readthedocs.io/en/1.7.10/plugins/b602_subprocess_popen_with_shell_equals_true.html
   Location: ./bandit.py:14:17
13	    # Subprocess
14	    result_str = subprocess.run(command, shell=True)
15
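A stdlib-only checker of the kind this request describes, added here as an illustration and not Bandit's code or the issue author's: it mirrors B602's `shell=True` logic and additionally flags `anyio.run_process` when the command is a plain string or a non-sequence expression, relying on the equivalence the issue states (anyio runs a `str` command through the shell and a sequence as argv). The sample source is constructed from the issue's example.

```python
import ast
from dataclasses import dataclass

# Constructed sample input based on the issue's example (not a file on disk).
SAMPLE = '''
import anyio
import subprocess

async def main():
    command = input()
    result_str = await anyio.run_process(command)           # str -> shell
    result_str = await anyio.run_process(["ls", command])   # argv -> no shell
    result_str = subprocess.run(command, shell=True)
    result_str = subprocess.run(["ls", command])
'''

# subprocess entry points that honour shell=True (mirrors the B602 family).
SUBPROCESS_CALLS = {"subprocess.run", "subprocess.Popen", "subprocess.call",
                    "subprocess.check_call", "subprocess.check_output"}

@dataclass
class Finding:
    lineno: int
    func: str
    reason: str

def _qualname(node):
    """Dotted name of a call target such as anyio.run_process, else None."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None

def _shell_true(call):
    return any(kw.arg == "shell" and isinstance(kw.value, ast.Constant)
               and kw.value.value is True for kw in call.keywords)

def find_shell_spawns(source):
    """Return findings for subprocess shell=True and anyio str-command calls."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        name = _qualname(node.func)
        if name in SUBPROCESS_CALLS and _shell_true(node):
            findings.append(Finding(node.lineno, name, "shell=True"))
        elif name == "anyio.run_process" and node.args:
            first = node.args[0]
            # A list/tuple is argv (no shell); anything else may be a str run via the shell.
            if not isinstance(first, (ast.List, ast.Tuple)):
                findings.append(Finding(node.lineno, name, "command is not an argv sequence"))
    return sorted(findings, key=lambda f: f.lineno)
```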
