Closed
Opened on Jun 28, 2022
### Describe the bug
If there is an f-string variable used in a SQL statement between the "select" and "from" clauses, then bandit does not recognize it as SQL injection.
### Reproduction steps
1. Create the following file (`test-sql.py`):
```python
cur.execute(f"SELECT {column_name} FROM foo WHERE id = 1")
cur.execute(f"INSERT INTO {table_name} VALUES (1)")
cur.execute(f"UPDATE {table_name} SET id = 1")
```
2. Run bandit on it:
```
$ bandit --version
bandit 1.7.5
python version = 3.10.4 (main, Apr 15 2022, 06:34:33) [GCC 8.4.0]
$ bandit test-sql.py
[main] INFO profile include tests: None
[main] INFO profile exclude tests: None
[main] INFO cli include tests: None
[main] INFO cli exclude tests: None
[main] INFO running on Python 3.10.4
[node_visitor] WARNING Unable to find qualified name for module: test-sql.py
Run started:2022-06-28 11:00:40.757783
Test results:
No issues identified.
Code scanned:
Total lines of code: 3
Total lines skipped (#nosec): 0
Run metrics:
Total issues (by severity):
Undefined: 0
Low: 0
Medium: 0
High: 0
Total issues (by confidence):
Undefined: 0
Low: 0
Medium: 0
High: 0
Files skipped (0):
```
### Expected behavior
bandit should fail due to "B608 Possible SQL injection vector through string-based query construction" for all 3 lines in the file.
### Bandit version
1.7.4 (Default)
### Python version
3.10 (Default)
### Additional context
_No response_
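As an added example, not code from the issue author or from the bandit project: a minimal AST checker showing how a B608-style keyword heuristic can still fire when the interpolated variable sits between SELECT and FROM, by rendering each f-string placeholder as a marker before applying the regex. The regex shape, the `<expr>` marker and the helper names are assumptions for illustration, not bandit's implementation; the sample input is constructed from the three statements in this report plus one parameterized query.

```python
import ast
import re

# Same shape of heuristic as bandit's B608 (assumed, not bandit's own regex):
# SELECT ... FROM, DELETE FROM, INSERT INTO ... VALUES, UPDATE ... SET.
SQL_RE = re.compile(
    r"(select\s.*from\s|delete\s+from\s|insert\s+into\s.*values\s|update\s.*set\s)",
    re.IGNORECASE,
)


def _render(node):
    """Flatten an f-string; every {expr} becomes the marker '<expr>'."""
    parts = []
    for value in node.values:
        if isinstance(value, ast.Constant):
            parts.append(str(value.value))
        else:  # ast.FormattedValue, i.e. an interpolated {expression}
            parts.append("<expr>")
    return "".join(parts)


def find_fstring_sql(source):
    """Return (lineno, rendered_query) for each f-string passed to .execute()
    that the SQL heuristic matches once placeholders are rendered."""
    hits = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Call) and node.args):
            continue
        func = node.func
        if not (isinstance(func, ast.Attribute) and func.attr == "execute"):
            continue
        arg = node.args[0]
        if isinstance(arg, ast.JoinedStr):
            rendered = _render(arg)
            if SQL_RE.search(rendered):
                hits.append((node.lineno, rendered))
    return hits


# Constructed sample: the three statements from the report plus a
# parameterized query, which is a plain string and is not flagged.
SAMPLE = '''cur.execute(f"SELECT {column_name} FROM foo WHERE id = 1")
cur.execute(f"INSERT INTO {table_name} VALUES (1)")
cur.execute(f"UPDATE {table_name} SET id = 1")
cur.execute("SELECT name FROM foo WHERE id = ?", (user_id,))
'''

if __name__ == "__main__":
    for lineno, query in find_fstring_sql(SAMPLE):
        print(f"line {lineno}: possible SQL injection via f-string: {query!r}")
```

Running it reports lines 1 to 3 of the sample and stays silent on the parameterized query, which is the outcome the report expects from B608.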