blacklist_calls: add Python3 and six versions of some functions

Bandit currently only emits warnings for the Python 2 functions.

Closes-Bug #1512384
Change-Id: Id268dff098ab2ce317017cc636e66801ff14891a

bandit/config/bandit.yaml

@@ -137,7 +137,10 @@ blacklist_calls:
                 Use of mark_safe() may expose cross-site scripting
                 vulnerabilities and should be reviewed.
         - httpsconnection:
-            qualnames: [httplib.HTTPSConnection]
+            qualnames:
+                - httplib.HTTPSConnection
+                - http.client.HTTPSConnection
+                - six.moves.http_client.HTTPSConnection
             message: >
                 Use of HTTPSConnection does not provide security, see
                 https://wiki.openstack.org/wiki/OSSN/OSSN-0033
@@ -149,11 +152,19 @@ blacklist_calls:
         - urllib_urlopen:
             qualnames:
                 - urllib.urlopen
+                - urllib.request.urlopen
                 - urllib.urlretrieve
+                - urllib.request.urlretrieve
                 - urllib.URLopener
+                - urllib.request.URLopener
                 - urllib.FancyURLopener
+                - urllib.request.FancyURLopener
                 - urllib2.urlopen
                 - urllib2.Request
+                - six.moves.urllib.request.urlopen
+                - six.moves.urllib.request.urlretrieve
+                - six.moves.urllib.request.URLopener
+                - six.moves.urllib.request.FancyURLopener
             message: >
                 Audit url open for permitted schemes. Allowing use of file:/ or
                 custom schemes is often unexpected.

examples/httplib_https.py

@@ -1,2 +1,8 @@
 import httplib
-c = httplib.HTTPSConnection("example.com")
+c = httplib.HTTPSConnection("example.com")
+
+import http.client
+c = http.client.HTTPSConnection("example.com")
+
+import six
+six.moves.http_client.HTTPSConnection("example.com")

examples/urlopen.py

@@ -10,6 +10,12 @@ could be used by an attacker to leak information about the server.
 import urllib
 import urllib2
 
+# Python 3
+import urllib.request
+
+# Six
+import six
+
 def test_urlopen():
     # urllib
     url = urllib.quote('file:///bin/ls')
@@ -31,3 +37,23 @@ def test_urlopen():
     urllib2.install_opener(opener)
     urllib2.urlopen('file:///bin/ls')
     urllib2.Request('file:///bin/ls')
+
+    # Python 3
+    urllib.request.urlopen('file:///bin/ls')
+    urllib.request.urlretrieve('file:///bin/ls', '/bin/ls2')
+    opener = urllib.request.URLopener()
+    opener.open('file:///bin/ls')
+    opener.retrieve('file:///bin/ls')
+    opener = urllib.request.FancyURLopener()
+    opener.open('file:///bin/ls')
+    opener.retrieve('file:///bin/ls')
+
+    # Six
+    six.moves.urllib.request.urlopen('file:///bin/ls')
+    six.moves.urllib.request.urlretrieve('file:///bin/ls', '/bin/ls2')
+    opener = six.moves.urllib.request.URLopener()
+    opener.open('file:///bin/ls')
+    opener.retrieve('file:///bin/ls')
+    opener = six.moves.urllib.request.FancyURLopener()
+    opener.open('file:///bin/ls')
+    opener.retrieve('file:///bin/ls')

tests/functional/test_functional.py

@@ -162,7 +162,7 @@ class FunctionalTests(testtools.TestCase):
 
     def test_httplib_https(self):
         '''Test for `httplib.HTTPSConnection`.'''
-        expect = {'SEVERITY': {'MEDIUM': 1}, 'CONFIDENCE': {'HIGH': 1}}
+        expect = {'SEVERITY': {'MEDIUM': 3}, 'CONFIDENCE': {'HIGH': 3}}
         self.check_example('httplib_https.py', expect)
 
     def test_imports_aliases(self):
@@ -304,7 +304,7 @@ class FunctionalTests(testtools.TestCase):
 
     def test_urlopen(self):
         '''Test for dangerous URL opening.'''
-        expect = {'SEVERITY': {'MEDIUM': 6}, 'CONFIDENCE': {'HIGH': 6}}
+        expect = {'SEVERITY': {'MEDIUM': 14}, 'CONFIDENCE': {'HIGH': 14}}
         self.check_example('urlopen.py', expect)
 
     def test_utils_shell(self):