Mercurial Repositories > eric / file diff

diff: eric6/Plugins/CheckerPlugins/CodeStyleChecker/Security/Checks/blackListCalls.py

eric6/Plugins/CheckerPlugins/CodeStyleChecker/Security/Checks/blackListCalls.py

changeset 7613
382f89c11e27
parent 7612
ca1ce1e0fcff
child 7619
ef2b5af23ce7
diff -r ca1ce1e0fcff -r 382f89c11e27 eric6/Plugins/CheckerPlugins/CodeStyleChecker/Security/Checks/blackListCalls.py
--- a/eric6/Plugins/CheckerPlugins/CodeStyleChecker/Security/Checks/blackListCalls.py	Mon Jun 08 08:17:14 2020 +0200
+++ b/eric6/Plugins/CheckerPlugins/CodeStyleChecker/Security/Checks/blackListCalls.py	Mon Jun 08 20:08:27 2020 +0200
@@ -7,10 +7,17 @@
 Module implementing checks for blacklisted methods and functions.
 """
 
+#
+# This is a modified version of the one found in the bandit package.
+#
+# Original Copyright 2016 Hewlett-Packard Development Company, L.P.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+
 import ast
 import fnmatch
 
-
 _blacklists = {
     'S301': ([
         'pickle.loads',
@@ -43,6 +50,118 @@
         'cryptography.hazmat.primitives.hashes.MD5',
         'cryptography.hazmat.primitives.hashes.SHA1'],
         "M"),
+    'S304': ([
+        'Crypto.Cipher.ARC2.new',
+        'Crypto.Cipher.ARC4.new',
+        'Crypto.Cipher.Blowfish.new',
+        'Crypto.Cipher.DES.new',
+        'Crypto.Cipher.XOR.new',
+        'Cryptodome.Cipher.ARC2.new',
+        'Cryptodome.Cipher.ARC4.new',
+        'Cryptodome.Cipher.Blowfish.new',
+        'Cryptodome.Cipher.DES.new',
+        'Cryptodome.Cipher.XOR.new',
+        'cryptography.hazmat.primitives.ciphers.algorithms.ARC4',
+        'cryptography.hazmat.primitives.ciphers.algorithms.Blowfish',
+        'cryptography.hazmat.primitives.ciphers.algorithms.IDEA'],
+        "H"),
+    'S305': ([
+        'cryptography.hazmat.primitives.ciphers.modes.ECB'],
+        "M"),
+    'S306': ([
+        'tempfile.mktemp'],
+        "M"),
+    'S307': ([
+        'eval'],
+        "M"),
+    'S308': ([
+        'django.utils.safestring.mark_safe'],
+        "M"),
+    'S309': ([
+        'httplib.HTTPSConnection',
+        'http.client.HTTPSConnection',
+        'six.moves.http_client.HTTPSConnection'],
+        "M"),
+    'S310': ([
+        'urllib.urlopen',
+        'urllib.request.urlopen',
+        'urllib.urlretrieve',
+        'urllib.request.urlretrieve',
+        'urllib.URLopener',
+        'urllib.request.URLopener',
+        'urllib.FancyURLopener',
+        'urllib.request.FancyURLopener',
+        'urllib2.urlopen',
+        'urllib2.Request',
+        'six.moves.urllib.request.urlopen',
+        'six.moves.urllib.request.urlretrieve',
+        'six.moves.urllib.request.URLopener',
+        'six.moves.urllib.request.FancyURLopener'],
+        ""),
+    'S311': ([
+        'random.random',
+        'random.randrange',
+        'random.randint',
+        'random.choice',
+        'random.uniform',
+        'random.triangular'],
+        "L"),
+    'S312': ([
+        'telnetlib.*'],
+        "H"),
+    'S313': ([
+        'xml.etree.cElementTree.parse',
+        'xml.etree.cElementTree.iterparse',
+        'xml.etree.cElementTree.fromstring',
+        'xml.etree.cElementTree.XMLParser'],
+        "M"),
+    'S314': ([
+        'xml.etree.ElementTree.parse',
+        'xml.etree.ElementTree.iterparse',
+        'xml.etree.ElementTree.fromstring',
+        'xml.etree.ElementTree.XMLParser'],
+        "M"),
+    'S315': ([
+        'xml.sax.expatreader.create_parser'],
+        "M"),
+    'S316': ([
+        'xml.dom.expatbuilder.parse',
+        'xml.dom.expatbuilder.parseString'],
+        "M"),
+    'S317': ([
+        'xml.sax.parse',
+        'xml.sax.parseString',
+        'xml.sax.make_parser'],
+        "M"),
+    'S318': ([
+        'xml.dom.minidom.parse',
+        'xml.dom.minidom.parseString'],
+        "M"),
+    'S319': ([
+        'xml.dom.pulldom.parse',
+        'xml.dom.pulldom.parseString'],
+        "M"),
+    'S320': ([
+        'lxml.etree.parse',
+        'lxml.etree.fromstring',
+        'lxml.etree.RestrictedElement',
+        'lxml.etree.GlobalParserTLS',
+        'lxml.etree.getDefaultParser',
+        'lxml.etree.check_docinfo'],
+        "M"),
+    'S321': ([
+        'ftplib.*'],
+        "H"),
+    'S322': ([
+        'input'],
+        "H"),
+    'S323': ([
+        'ssl._create_unverified_context'],
+        "M"),
+    'S325': ([
+        'os.tempnam',
+        'os.tmpnam'],
+        "M"),
 }
 
 
@@ -54,13 +173,24 @@
         list of codes
     @rtype dict
     """
-    # TODO: should be list of tuples
     return {
-        "Call": (checkBlacklist, tuple(_blacklists.keys())),
+        "Call": [
+            (checkBlacklist, tuple(_blacklists.keys())),
+        ],
     }
 
 
 def checkBlacklist(reportError, context, config):
+    """
+    Function to check for blacklisted method calls.
+    
+    @param reportError function to be used to report errors
+    @type func
+    @param context security context object
+    @type SecurityContext
+    @param config dictionary with configuration data
+    @type dict
+    """
     nodeType = context.node.__class__.__name__
     
     if nodeType == 'Call':
@@ -85,12 +215,11 @@
             qualnames, severity = _blacklists[code]
             for qualname in qualnames:
                 if name and fnmatch.fnmatch(name, qualname):
-                    return reportError(
-                        context.node.lineno,
+                    reportError(
+                        context.node.lineno - 1,
                         context.node.col_offset,
                         code,
-                        "M",
-                        "H"
+                        severity,
+                        "H",
+                        name
                     )
-    
-    return None

Mercurial Repository: eric

eric ide

mercurial