Add case for global exec #570

merged 16 commits into from Jul 8, 2022
18 changes: 15 additions & 3 deletions bandit/plugins/general_bad_file_permissions.py
Expand Up @@ -14,8 +14,8 @@

This plugin test looks for the use of ``chmod`` and will alert when it is used
to set particularly permissive control flags. A MEDIUM warning is generated if
a file is set to group executable and a HIGH warning is reported if a file is
set world writable. Warnings are given with HIGH confidence.
a file is set to group write or executable and a HIGH warning is reported if a
file is set world write or executable. Warnings are given with HIGH confidence.

:Example:

Expand Down Expand Up @@ -49,6 +49,9 @@
.. versionchanged:: 1.7.3
CWE information added

.. versionchanged:: 1.7.5
Added checks for S_IWGRP and S_IXOTH

""" # noqa: E501
import stat

Expand All @@ -57,6 +60,15 @@
from bandit.core import test_properties as test


def _stat_is_dangerous(mode):
return (
mode & stat.S_IWOTH
or mode & stat.S_IWGRP
or mode & stat.S_IXGRP
or mode & stat.S_IXOTH
)


@test.checks("Call")
@test.test_id("B103")
def set_bad_file_permissions(context):
Expand All @@ -67,7 +79,7 @@ def set_bad_file_permissions(context):
if (
mode is not None
and isinstance(mode, int)
and (mode & stat.S_IWOTH or mode & stat.S_IXGRP)
and _stat_is_dangerous(mode)
):
# world writable is an HIGH, group executable is a MEDIUM
if mode & stat.S_IWOTH:
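Review bot: The rewritten docstring at the top of this section says a world-executable file gets a HIGH warning, but the severity branch at the end of the section still tests only `if mode & stat.S_IWOTH:`, so a mode that sets S_IXOTH without S_IWOTH falls through to the other branch; the functional-test update in this PR (MEDIUM 2→4, HIGH unchanged at 8) is consistent with that other branch being MEDIUM, though the branch itself lies outside the hunk. Either change the condition to `if mode & stat.S_IWOTH or mode & stat.S_IXOTH:` and update the expected counts, or correct the docstring to say world-executable is reported as MEDIUM. The comment `# world writable is an HIGH, group executable is a MEDIUM` above that line is stale either way and should list the bits each severity now covers. `_stat_is_dangerous` has no docstring; I would add `"""Return a truthy value when *mode* grants group or world write or execute."""` and wrap the expression in `bool(...)` so callers get a real boolean rather than a raw bit value. The body of set_bad_file_permissions starts and ends outside the hunks shown.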
4 changes: 3 additions & 1 deletion examples/os-chmod.py
Expand Up @@ -14,4 +14,6 @@
os.chmod('/etc/hosts', 0o777)
os.chmod('/tmp/oh_hai', 0x1ff)
os.chmod('/etc/passwd', stat.S_IRWXU)
os.chmod(key_file, 0o777)
os.chmod(keyfile, 0o777)
os.chmod('~/hidden_exec', stat.S_IXGRP)
os.chmod('~/hidden_exec', stat.S_IXOTH)
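Review bot: No example in this file sets S_IWGRP on its own, so the new group-write check the plugin gains in this PR is exercised only through the combined `0o777`/`0x1ff` modes, which already trip the world-writable path; add `os.chmod('~/hidden_exec', stat.S_IWGRP)` next to the two new lines and raise the MEDIUM/HIGH totals in tests/functional/test_functional.py to match. The `key_file` → `keyfile` rename presumably matches a name assigned earlier in this file, which is outside the hunk, so I cannot confirm it from here. The file is a lint fixture rather than runnable code, so the bare `stat.S_IXGRP`/`stat.S_IXOTH` modes are fine as written.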
4 changes: 2 additions & 2 deletions tests/functional/test_functional.py
Expand Up @@ -300,8 +300,8 @@ def test_subdirectory_okay(self):
def test_os_chmod(self):
"""Test setting file permissions."""
expect = {
"SEVERITY": {"UNDEFINED": 0, "LOW": 0, "MEDIUM": 2, "HIGH": 8},
"CONFIDENCE": {"UNDEFINED": 0, "LOW": 0, "MEDIUM": 1, "HIGH": 9},
"SEVERITY": {"UNDEFINED": 0, "LOW": 0, "MEDIUM": 4, "HIGH": 8},
"CONFIDENCE": {"UNDEFINED": 0, "LOW": 0, "MEDIUM": 1, "HIGH": 11},
}
self.check_example("os-chmod.py", expect)
