Add case for global exec (#570)

* Add case for global exec * Include group writable in medium permissions and update comments (which updates the docs) * Update test assertions since there will be more medium and high warnings given. * Add some extra examples * Update tests and baseline * Refactor stat check * Update tests/functional/test_functional.py * Update examples/os-chmod-py2.py * Update os-chmod-py2.py * Update test_functional.py * Update os-chmod-py3.py * Update os-chmod-py3.py * Update os-chmod.py * Update general_bad_file_permissions.py Co-authored-by: Eric Brown <ericwb@users.noreply.github.com>
PyCQA · Jul 8, 2022 · 5809d1b · 5809d1b
1 parent adf6ace
commit 5809d1b
Show file tree

Hide file tree

Showing 3 changed files with 20 additions and 6 deletions.
diff --git a/bandit/plugins/general_bad_file_permissions.py b/bandit/plugins/general_bad_file_permissions.py
@@ -14,8 +14,8 @@
 
 This plugin test looks for the use of ``chmod`` and will alert when it is used
 to set particularly permissive control flags. A MEDIUM warning is generated if
-a file is set to group executable and a HIGH warning is reported if a file is
-set world writable. Warnings are given with HIGH confidence.
+a file is set to group write or executable and a HIGH warning is reported if a
+file is set world write or executable. Warnings are given with HIGH confidence.
 
 :Example:
 
@@ -49,6 +49,9 @@
 .. versionchanged:: 1.7.3
     CWE information added
 
+.. versionchanged:: 1.7.5
+    Added checks for S_IWGRP and S_IXOTH
+
 """  # noqa: E501
 import stat
 
@@ -57,6 +60,15 @@
 from bandit.core import test_properties as test
 
 
+def _stat_is_dangerous(mode):
+    return (
+        mode & stat.S_IWOTH
+        or mode & stat.S_IWGRP
+        or mode & stat.S_IXGRP
+        or mode & stat.S_IXOTH
+    )
+
+
 @test.checks("Call")
 @test.test_id("B103")
 def set_bad_file_permissions(context):
@@ -67,7 +79,7 @@ def set_bad_file_permissions(context):
             if (
                 mode is not None
                 and isinstance(mode, int)
-                and (mode & stat.S_IWOTH or mode & stat.S_IXGRP)
+                and _stat_is_dangerous(mode)
             ):
                 # world writable is an HIGH, group executable is a MEDIUM
                 if mode & stat.S_IWOTH:

diff --git a/examples/os-chmod.py b/examples/os-chmod.py
@@ -14,4 +14,6 @@
 os.chmod('/etc/hosts', 0o777)
 os.chmod('/tmp/oh_hai', 0x1ff)
 os.chmod('/etc/passwd', stat.S_IRWXU)
-os.chmod(key_file, 0o777)
+os.chmod(keyfile, 0o777)
+os.chmod('~/hidden_exec', stat.S_IXGRP)
+os.chmod('~/hidden_exec', stat.S_IXOTH)
diff --git a/tests/functional/test_functional.py b/tests/functional/test_functional.py
@@ -300,8 +300,8 @@ def test_subdirectory_okay(self):
     def test_os_chmod(self):
         """Test setting file permissions."""
         expect = {
-            "SEVERITY": {"UNDEFINED": 0, "LOW": 0, "MEDIUM": 2, "HIGH": 8},
-            "CONFIDENCE": {"UNDEFINED": 0, "LOW": 0, "MEDIUM": 1, "HIGH": 9},
+            "SEVERITY": {"UNDEFINED": 0, "LOW": 0, "MEDIUM": 4, "HIGH": 8},
+            "CONFIDENCE": {"UNDEFINED": 0, "LOW": 0, "MEDIUM": 1, "HIGH": 11},
         }
         self.check_example("os-chmod.py", expect)