eric6/Plugins/CheckerPlugins/CodeStyleChecker/Security/Checks/blackListCalls.py

changeset 7613
382f89c11e27
parent 7612
ca1ce1e0fcff
child 7619
ef2b5af23ce7
7612:ca1ce1e0fcff 7613:382f89c11e27
5 5
6 """ 6 """
7 Module implementing checks for blacklisted methods and functions. 7 Module implementing checks for blacklisted methods and functions.
8 """ 8 """
9 9
10 #
11 # This is a modified version of the one found in the bandit package.
12 #
13 # Original Copyright 2016 Hewlett-Packard Development Company, L.P.
14 #
15 # SPDX-License-Identifier: Apache-2.0
16 #
17
10 import ast 18 import ast
11 import fnmatch 19 import fnmatch
12
13 20
14 _blacklists = { 21 _blacklists = {
15 'S301': ([ 22 'S301': ([
16 'pickle.loads', 23 'pickle.loads',
17 'pickle.load', 24 'pickle.load',
41 'Cryptodome.Hash.MD5.new', 48 'Cryptodome.Hash.MD5.new',
42 'Cryptodome.Hash.SHA.new', 49 'Cryptodome.Hash.SHA.new',
43 'cryptography.hazmat.primitives.hashes.MD5', 50 'cryptography.hazmat.primitives.hashes.MD5',
44 'cryptography.hazmat.primitives.hashes.SHA1'], 51 'cryptography.hazmat.primitives.hashes.SHA1'],
45 "M"), 52 "M"),
53 'S304': ([
54 'Crypto.Cipher.ARC2.new',
55 'Crypto.Cipher.ARC4.new',
56 'Crypto.Cipher.Blowfish.new',
57 'Crypto.Cipher.DES.new',
58 'Crypto.Cipher.XOR.new',
59 'Cryptodome.Cipher.ARC2.new',
60 'Cryptodome.Cipher.ARC4.new',
61 'Cryptodome.Cipher.Blowfish.new',
62 'Cryptodome.Cipher.DES.new',
63 'Cryptodome.Cipher.XOR.new',
64 'cryptography.hazmat.primitives.ciphers.algorithms.ARC4',
65 'cryptography.hazmat.primitives.ciphers.algorithms.Blowfish',
66 'cryptography.hazmat.primitives.ciphers.algorithms.IDEA'],
67 "H"),
68 'S305': ([
69 'cryptography.hazmat.primitives.ciphers.modes.ECB'],
70 "M"),
71 'S306': ([
72 'tempfile.mktemp'],
73 "M"),
74 'S307': ([
75 'eval'],
76 "M"),
77 'S308': ([
78 'django.utils.safestring.mark_safe'],
79 "M"),
80 'S309': ([
81 'httplib.HTTPSConnection',
82 'http.client.HTTPSConnection',
83 'six.moves.http_client.HTTPSConnection'],
84 "M"),
85 'S310': ([
86 'urllib.urlopen',
87 'urllib.request.urlopen',
88 'urllib.urlretrieve',
89 'urllib.request.urlretrieve',
90 'urllib.URLopener',
91 'urllib.request.URLopener',
92 'urllib.FancyURLopener',
93 'urllib.request.FancyURLopener',
94 'urllib2.urlopen',
95 'urllib2.Request',
96 'six.moves.urllib.request.urlopen',
97 'six.moves.urllib.request.urlretrieve',
98 'six.moves.urllib.request.URLopener',
99 'six.moves.urllib.request.FancyURLopener'],
100 ""),
101 'S311': ([
102 'random.random',
103 'random.randrange',
104 'random.randint',
105 'random.choice',
106 'random.uniform',
107 'random.triangular'],
108 "L"),
109 'S312': ([
110 'telnetlib.*'],
111 "H"),
112 'S313': ([
113 'xml.etree.cElementTree.parse',
114 'xml.etree.cElementTree.iterparse',
115 'xml.etree.cElementTree.fromstring',
116 'xml.etree.cElementTree.XMLParser'],
117 "M"),
118 'S314': ([
119 'xml.etree.ElementTree.parse',
120 'xml.etree.ElementTree.iterparse',
121 'xml.etree.ElementTree.fromstring',
122 'xml.etree.ElementTree.XMLParser'],
123 "M"),
124 'S315': ([
125 'xml.sax.expatreader.create_parser'],
126 "M"),
127 'S316': ([
128 'xml.dom.expatbuilder.parse',
129 'xml.dom.expatbuilder.parseString'],
130 "M"),
131 'S317': ([
132 'xml.sax.parse',
133 'xml.sax.parseString',
134 'xml.sax.make_parser'],
135 "M"),
136 'S318': ([
137 'xml.dom.minidom.parse',
138 'xml.dom.minidom.parseString'],
139 "M"),
140 'S319': ([
141 'xml.dom.pulldom.parse',
142 'xml.dom.pulldom.parseString'],
143 "M"),
144 'S320': ([
145 'lxml.etree.parse',
146 'lxml.etree.fromstring',
147 'lxml.etree.RestrictedElement',
148 'lxml.etree.GlobalParserTLS',
149 'lxml.etree.getDefaultParser',
150 'lxml.etree.check_docinfo'],
151 "M"),
152 'S321': ([
153 'ftplib.*'],
154 "H"),
155 'S322': ([
156 'input'],
157 "H"),
158 'S323': ([
159 'ssl._create_unverified_context'],
160 "M"),
161 'S325': ([
162 'os.tempnam',
163 'os.tmpnam'],
164 "M"),
46 } 165 }
47 166
48 167
49 def getChecks(): 168 def getChecks():
50 """ 169 """
52 171
53 @return dictionary containing checker lists containing checker function and 172 @return dictionary containing checker lists containing checker function and
54 list of codes 173 list of codes
55 @rtype dict 174 @rtype dict
56 """ 175 """
57 # TODO: should be list of tuples
58 return { 176 return {
59 "Call": (checkBlacklist, tuple(_blacklists.keys())), 177 "Call": [
178 (checkBlacklist, tuple(_blacklists.keys())),
179 ],
60 } 180 }
61 181
62 182
63 def checkBlacklist(reportError, context, config): 183 def checkBlacklist(reportError, context, config):
184 """
185 Function to check for blacklisted method calls.
186
187 @param reportError function to be used to report errors
188 @type func
189 @param context security context object
190 @type SecurityContext
191 @param config dictionary with configuration data
192 @type dict
193 """
64 nodeType = context.node.__class__.__name__ 194 nodeType = context.node.__class__.__name__
65 195
66 if nodeType == 'Call': 196 if nodeType == 'Call':
67 func = context.node.func 197 func = context.node.func
68 if isinstance(func, ast.Name) and func.id == '__import__': 198 if isinstance(func, ast.Name) and func.id == '__import__':
83 213
84 for code in _blacklists: 214 for code in _blacklists:
85 qualnames, severity = _blacklists[code] 215 qualnames, severity = _blacklists[code]
86 for qualname in qualnames: 216 for qualname in qualnames:
87 if name and fnmatch.fnmatch(name, qualname): 217 if name and fnmatch.fnmatch(name, qualname):
88 return reportError( 218 reportError(
89 context.node.lineno, 219 context.node.lineno - 1,
90 context.node.col_offset, 220 context.node.col_offset,
91 code, 221 code,
92 "M", 222 severity,
93 "H" 223 "H",
224 name
94 ) 225 )
95
96 return None
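Review bot: The S310 entry in the new `_blacklists` table carries an empty severity string (`""`) where every other entry uses `"L"`, `"M"` or `"H"`, and the rewritten `reportError(...)` call in checkBlacklist now forwards that value as the finding's severity, so urllib/urlopen findings are reported with no severity level at all. Unless the reporting side treats `""` specially, the entry should get an explicit level, i.e. change the `""),` line after the `six.moves.urllib.request.FancyURLopener` qualname to a real level such as `"M"),`. A second point on the matching loop: `fnmatch.fnmatch` normalises case via `os.path.normcase`, so on Windows the patterns match case-insensitively and, for instance, `random.Random` is flagged as S311 (`random.random`) while on Linux it is not; `if name and fnmatch.fnmatchcase(name, qualname):` makes the check behave identically on every platform. The part of checkBlacklist between the `__import__` branch and the matching loop lies outside the hunk.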
