Adding logging.config.listen() plugin with examples #874

Merged
merged 5 commits into from Apr 2, 2022
50 changes: 50 additions & 0 deletions bandit/plugins/logging_config_insecure_listen.py
@@ -0,0 +1,50 @@
# -*- coding:utf-8 -*-
#
# Copyright 2014 Hewlett-Packard Development Company, L.P.
#
# SPDX-License-Identifier: Apache-2.0

r"""
====================================================
B612: Test for insecure use of logging.config.listen
====================================================

This plugin test checks for the unsafe usage of the
``logging.config.listen`` function. The logging.config.listen
function provides the ability to listen for external
configuration files on a socket server. Because portions of the
configuration are passed through eval(), use of this function
may open its users to a security risk. While the function only
binds to a socket on localhost, and so does not accept connections
from remote machines, there are scenarios where untrusted code
could be run under the account of the process which calls listen().

logging.config.listen provides the ability to verify bytes received
across the socket with signature verification or encryption/decryption.

:Example:
>> Issue: [B612:logging_config_listen] Use of insecure
logging.config.listen detected.
Severity: Medium Confidence: High
Location: examples/logging_config_insecure_listen.py:3:4
2
3 t = logging.config.listen(9999)

.. versionadded:: 1.7.4
"""

import bandit
from bandit.core import test_properties as test


@test.checks('Call')
@test.test_id('B612')
def logging_config_insecure_listen(context):
if context.call_function_name_qual == 'logging.config.listen' \
and 'verify' not in context.call_keywords:
return bandit.Issue(
severity=bandit.MEDIUM,
confidence=bandit.HIGH,
text="Use of insecure logging.config.listen detected."
)
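Review bot: the condition `and 'verify' not in context.call_keywords` only looks at keyword arguments, so it misses two cases in the same call signature it is checking. `logging.config.listen(9999, my_verify)` passes `verify` positionally and would still be reported as insecure (a false positive), while `logging.config.listen(9999, verify=None)` names the keyword but disables verification and would be treated as safe (a false negative). Consider resolving the argument by position and by name, for example via `context.call_args_count > 1` together with `context.get_call_arg_value('verify')`, and reporting whenever the resolved value is absent or `None`. Two smaller points in the same hunk: the header `# Copyright 2014 Hewlett-Packard Development Company, L.P.` is copied onto a file added in 2022 and should carry the right year and author, and the docstring sentence about signature verification or encryption/decryption would be more useful to a reader if it named the `verify` callable as the mechanism, since that is exactly what the check keys on.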
3 changes: 3 additions & 0 deletions examples/logging_config_insecure_listen.py
@@ -0,0 +1,3 @@
import logging.config

t = logging.config.listen(9999)
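Review bot: the example file exercises only the insecure call, so the plugin's test can assert that one issue is raised but cannot assert that the secure form is left alone. Add a second call that supplies a verification callable, for instance `t = logging.config.listen(9999, verify=my_verify)`, so the expected result counts cover both the flagged and the non-flagged case and a future change to the keyword check cannot silently start reporting the safe usage.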
3 changes: 3 additions & 0 deletions setup.cfg
Expand Up @@ -137,6 +137,9 @@ bandit.plugins =
snmp_insecure_version = bandit.plugins.snmp_security_check:snmp_insecure_version_check
snmp_weak_cryptography = bandit.plugins.snmp_security_check:snmp_crypto_check

# bandit/plugins/logging_config_insecure_listen.py
logging_config_insecure_listen = bandit.plugins.logging_config_insecure_listen:logging_config_insecure_listen

[build_sphinx]
all_files = 1
build-dir = doc/build
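Review bot: the new entry point is separated from its neighbours by a blank line and a `# bandit/plugins/logging_config_insecure_listen.py` comment, whereas the adjacent `snmp_insecure_version` and `snmp_weak_cryptography` entries carry no such comment and sit directly under the previous ones. Dropping the comment and the blank line keeps the `bandit.plugins =` list uniform; the module path is already visible in the entry's right-hand side.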