Fix a false positive condition yaml_load #927

ericwb · 2022-07-09T23:58:58Z

The yaml.load() function has a second argument that is typically
passed as a kwarg. However, someone could pass as a positional
argument as well. In such a case, Bandit would flag code passing
a SafeLoader even though that is validly secure.

The fix involves looking at the positional args. However, the
convenience function to do so also had no handling of ast.Attribute
as args. So get_call_arg_at_position() was modified to function much
like call_args().

Closes #546

Signed-off-by: Eric Brown eric_wade_brown@yahoo.com

The yaml.load() function has a second argument that is typically passed as a kwarg. However, someone could pass as a positional argument as well. In such a case, Bandit would flag code passing a SafeLoader even though that is validly secure. The fix involves looking at the positional args. However, the convenience function to do so also had no handling of ast.Attribute as args. So get_call_arg_at_position() was modified to function much like call_args(). Closes PyCQA#546 Signed-off-by: Eric Brown <eric_wade_brown@yahoo.com>

ericwb requested review from lukehinds and sigmavirus24 as code owners July 9, 2022 23:58

sigmavirus24 approved these changes Jul 10, 2022

View reviewed changes

ericwb merged commit 1067978 into PyCQA:main Jul 10, 2022

ericwb deleted the yaml_false_pos branch July 10, 2022 02:12

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Fix a false positive condition yaml_load #927

Fix a false positive condition yaml_load #927

ericwb commented Jul 9, 2022

Fix a false positive condition yaml_load #927

Fix a false positive condition yaml_load #927

Conversation

ericwb commented Jul 9, 2022