Remove checks for Python2 urllib

Removal of checks for Python2 version of urllib and urllib2. Fixes #998 Signed-off-by: Eric Brown <eric_wade_brown@yahoo.com>
PyCQA · Mar 13, 2023 · 0719580 · 0719580
1 parent ff431af
commit 0719580
Show file tree

Hide file tree

Showing 3 changed files with 4 additions and 35 deletions.
diff --git a/bandit/blacklists/calls.py b/bandit/blacklists/calls.py
@@ -493,16 +493,10 @@ def gen_blacklist():
             "B310",
             issue.Cwe.PATH_TRAVERSAL,
             [
-                "urllib.urlopen",
                 "urllib.request.urlopen",
-                "urllib.urlretrieve",
                 "urllib.request.urlretrieve",
-                "urllib.URLopener",
                 "urllib.request.URLopener",
-                "urllib.FancyURLopener",
                 "urllib.request.FancyURLopener",
-                "urllib2.urlopen",
-                "urllib2.Request",
                 "six.moves.urllib.request.urlopen",
                 "six.moves.urllib.request.urlretrieve",
                 "six.moves.urllib.request.URLopener",

diff --git a/examples/urlopen.py b/examples/urlopen.py
@@ -1,43 +1,18 @@
-''' Example dangerous usage of urllib[2] opener functions
+''' Example dangerous usage of urllib.request opener functions
 
-The urllib and urllib2 opener functions and object can open http, ftp,
+The urllib.request opener functions and object can open http, ftp,
 and file urls. Often, the ability to open file urls is overlooked leading
 to code that can unexpectedly open files on the local server. This
 could be used by an attacker to leak information about the server.
 '''
 
-
-import urllib
-import urllib2
-
 # Python 3
 import urllib.request
 
 # Six
 import six
 
 def test_urlopen():
-    # urllib
-    url = urllib.quote('file:///bin/ls')
-    urllib.urlopen(url, 'blah', 32)
-    urllib.urlretrieve('file:///bin/ls', '/bin/ls2')
-    opener = urllib.URLopener()
-    opener.open('file:///bin/ls')
-    opener.retrieve('file:///bin/ls')
-    opener = urllib.FancyURLopener()
-    opener.open('file:///bin/ls')
-    opener.retrieve('file:///bin/ls')
-
-    # urllib2
-    handler = urllib2.HTTPBasicAuthHandler()
-    handler.add_password(realm='test',
-                         uri='http://mysite.com',
-                         user='bob')
-    opener = urllib2.build_opener(handler)
-    urllib2.install_opener(opener)
-    urllib2.urlopen('file:///bin/ls')
-    urllib2.Request('file:///bin/ls')
-
     # Python 3
     urllib.request.urlopen('file:///bin/ls')
     urllib.request.urlretrieve('file:///bin/ls', '/bin/ls2')

diff --git a/tests/functional/test_functional.py b/tests/functional/test_functional.py
@@ -513,8 +513,8 @@ def test_subprocess_shell(self):
     def test_urlopen(self):
         """Test for dangerous URL opening."""
         expect = {
-            "SEVERITY": {"UNDEFINED": 0, "LOW": 0, "MEDIUM": 14, "HIGH": 0},
-            "CONFIDENCE": {"UNDEFINED": 0, "LOW": 0, "MEDIUM": 0, "HIGH": 14},
+            "SEVERITY": {"UNDEFINED": 0, "LOW": 0, "MEDIUM": 8, "HIGH": 0},
+            "CONFIDENCE": {"UNDEFINED": 0, "LOW": 0, "MEDIUM": 0, "HIGH": 8},
         }
         self.check_example("urlopen.py", expect)