Make subprocess without `shell=True` into a plugin

This way, people can easily ignore these warnings. Change-Id: I8682e55985f2cf8804659dd279d61dadb2da2b0b
2015-03-13 17:24:03 -05:00 · 2015-03-13 17:24:03 -05:00 · 9261e3e8e4
parent c5adaabd05
commit 9261e3e8e4
3 changed files with 12 additions and 3 deletions
--- a/bandit.yaml
+++ b/bandit.yaml
@ -36,6 +36,7 @@ profiles:
    ShellInjection:
        include:
            - subprocess_popen_with_shell_equals_true
+            - subprocess_without_shell_equals_true
            - any_other_function_with_shell_equals_true
            - start_process_with_a_shell
            - start_process_with_no_shell
--- a/bandit/plugins/injection_shell.py
+++ b/bandit/plugins/injection_shell.py
@ -29,6 +29,14 @@ def subprocess_popen_with_shell_equals_true(context, config):
                   context.call_args_string)


+@takes_config('shell_injection')
+@checks('Call')
+def subprocess_without_shell_equals_true(context, config):
+    if config and context.call_function_name_qual in config['subprocess']:
+        if not context.check_call_arg_value('shell', 'True'):
+            return (bandit.INFO, 'subprocess call without a subshell.')
+
+
@takes_config('shell_injection')
@checks('Call')
 def any_other_function_with_shell_equals_true(context, config):
--- a/tests/test_functional.py
+++ b/tests/test_functional.py
@ -190,7 +190,7 @@ class FunctionalTests(unittest.TestCase):

    def test_subprocess_shell(self):
        '''Test for `subprocess.Popen` with `shell=True`.'''
-        self.check_example('subprocess_shell.py', info=2, warn=1, error=5)
+        self.check_example('subprocess_shell.py', info=7, warn=1, error=5)

    def test_urlopen(self):
        '''Test for dangerous URL opening.'''
@ -198,11 +198,11 @@ class FunctionalTests(unittest.TestCase):

    def test_utils_shell(self):
        '''Test for `utils.execute*` with `shell=True`.'''
-        self.check_example('utils-shell.py', info=0, error=4)
+        self.check_example('utils-shell.py', info=1, error=4)

    def test_wildcard_injection(self):
        '''Test for wildcard injection in shell commands.'''
-        self.check_example('wildcard-injection.py', info=2, error=8)
+        self.check_example('wildcard-injection.py', info=6, error=8)

    def test_yaml(self):
        '''Test for `yaml.load`.'''