Updated copyright for 2023.
9325
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
1
|
# -*- coding: utf-8 -*- |
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
2
|
|
|
9653
|
3
|
# Copyright (c) 2022 - 2023 Detlev Offenbach <detlev@die-offenbachs.de> |
9325
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
4
|
# |
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
5
|
|
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
6
|
""" |
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
7
|
Module implementing checks for insecure use of 'tarfile.extracall()'. |
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
8
|
""" |
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
9
|
|
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
10
|
# |
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
11
|
# This is a modified version of the one found in the bandit package. |
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
12
|
# |
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
13
|
# SPDX-License-Identifier: Apache-2.0 |
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
14
|
# |
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
15
|
|
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
16
|
import ast |
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
17
|
|
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
18
|
|
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
19
|
def getChecks(): |
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
20
|
""" |
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
21
|
Public method to get a dictionary with checks handled by this module. |
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
22
|
|
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
23
|
@return dictionary containing checker lists containing checker function and |
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
24
|
list of codes |
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
25
|
@rtype dict |
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
26
|
""" |
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
27
|
return { |
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
28
|
"Call": [ |
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
29
|
(checkTarfileUnsafeMembers, ("S202",)), |
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
30
|
], |
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
31
|
} |
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
32
|
|
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
33
|
|
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
34
|
def _getMembersValue(context): |
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
35
|
""" |
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
36
|
Function to extract the value of the 'members' argument. |
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
37
|
|
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
38
|
@param context security context object |
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
39
|
@type SecurityContext |
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
40
|
@return dictionary containing the argument value |
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
41
|
@rtype dict |
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
42
|
""" |
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
43
|
for kw in context.node.keywords: |
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
44
|
if kw.arg == "members": |
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
45
|
arg = kw.value |
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
46
|
if isinstance(arg, ast.Call): |
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
47
|
return {"Function": arg.func.id} |
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
48
|
else: |
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
49
|
value = arg.id if isinstance(arg, ast.Name) else arg |
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
50
|
return {"Other": value} |
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
51
|
|
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
52
|
return {} |
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
53
|
|
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
54
|
|
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
55
|
def checkTarfileUnsafeMembers(reportError, context, config): |
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
56
|
""" |
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
57
|
Function to check for insecure use of 'tarfile.extracall()'. |
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
58
|
|
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
59
|
@param reportError function to be used to report errors |
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
60
|
@type func |
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
61
|
@param context security context object |
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
62
|
@type SecurityContext |
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
63
|
@param config dictionary with configuration data |
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
64
|
@type dict |
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
65
|
""" |
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
66
|
if all( |
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
67
|
[ |
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
68
|
context.isModuleImportedExact("tarfile"), |
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
69
|
"extractall" in context.callFunctionName, |
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
70
|
] |
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
71
|
): |
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
72
|
if "members" in context.callKeywords: |
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
73
|
members = _getMembersValue(context) |
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
74
|
if "Function" in members: |
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
75
|
reportError( |
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
76
|
context.node.lineno - 1, |
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
77
|
context.node.col_offset, |
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
78
|
"S202.1", |
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
79
|
"L", |
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
80
|
"L", |
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
81
|
str(members), |
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
82
|
) |
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
83
|
else: |
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
84
|
reportError( |
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
85
|
context.node.lineno - 1, |
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
86
|
context.node.col_offset, |
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
87
|
"S202.2", |
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
88
|
"M", |
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
89
|
"M", |
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
90
|
str(members), |
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
91
|
) |
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
92
|
else: |
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
93
|
reportError( |
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
94
|
context.node.lineno - 1, context.node.col_offset, "S202.3", "H", "H" |
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff
changeset
|
95
|
) |
