PyCQA · ericwb · Apr 2, 2022 · Apr 2, 2022 · Apr 2, 2022 · Apr 2, 2022
@@ -0,0 +1,56 @@
+# Copyright (c) 2022 Rajesh Pangare
+#
+# SPDX-License-Identifier: Apache-2.0
+
+r"""
+====================================================
+B612: Test for insecure use of logging.config.listen
+====================================================
+
+This plugin test checks for the unsafe usage of the
+``logging.config.listen`` function. The logging.config.listen
+function provides the ability to listen for external
+configuration files on a socket server. Because portions of the
+configuration are passed through eval(), use of this function
+may open its users to a security risk. While the function only
+binds to a socket on localhost, and so does not accept connections
+from remote machines, there are scenarios where untrusted code
+could be run under the account of the process which calls listen().
+
+logging.config.listen provides the ability to verify bytes received
+across the socket with signature verification or encryption/decryption.
+
+:Example:
+    >> Issue: [B612:logging_config_listen] Use of insecure
+    logging.config.listen detected.
+       Severity: Medium   Confidence: High
+       CWE: CWE-94 (https://cwe.mitre.org/data/definitions/94.html)
+       Location: examples/logging_config_insecure_listen.py:3:4
+    2
+    3	t = logging.config.listen(9999)
+
+.. seealso::
+
+ - https://docs.python.org/3/library/logging.config.html#logging.config.listen
+
+.. versionadded:: 1.7.5
+
+"""
+
+import bandit
+from bandit.core import issue, test_properties as test
+
+
+@test.checks('Call')
+@test.test_id('B612')
+def logging_config_insecure_listen(context):
+    if (
+        context.call_function_name_qual == 'logging.config.listen'
+        and 'verify' not in context.call_keywords
+    ):
+        return bandit.Issue(
+            severity=bandit.MEDIUM,
+            confidence=bandit.HIGH,
+            cwe=issue.Cwe.CODE_INJECTION,
+            text="Use of insecure logging.config.listen detected."
+        )
@@ -0,0 +1,5 @@
+---------------
+B102: exec_used
+---------------
+
+.. automodule:: bandit.plugins.logging_config_insecure_listen
@@ -0,0 +1,3 @@
+import logging.config
+
+t = logging.config.listen(9999)
@@ -137,6 +137,9 @@ bandit.plugins =
     snmp_insecure_version = bandit.plugins.snmp_security_check:snmp_insecure_version_check
     snmp_weak_cryptography = bandit.plugins.snmp_security_check:snmp_crypto_check
 
+    # bandit/plugins/logging_config_insecure_listen.py
+    logging_config_insecure_listen = bandit.plugins.logging_config_insecure_listen:logging_config_insecure_listen
+
 [build_sphinx]
 all_files = 1
 build-dir = doc/build