Adding "input()" to the blacklist calls list

Change-Id: Ia74f70334952dc913c9c6a3bf3c100c8fe649c3e
2016-09-19 11:43:54 +01:00 · 2016-09-19 11:43:54 +01:00 · ee5ac9ff60
commit ee5ac9ff60
parent 7ecf945921
4 changed files with 32 additions and 0 deletions
--- a/README.rst
+++ b/README.rst
@ -163,6 +163,7 @@ Usage::
      B319  xml_bad_pulldom
      B320  xml_bad_etree
      B321  ftplib
+      B322  input
      B401  import_telnetlib
      B402  import_ftplib
      B403  import_pickle
--- a/bandit/blacklists/calls.py
+++ b/bandit/blacklists/calls.py
@ -260,6 +260,20 @@ SSH/SFTP/SCP or some other encrypted protocol.
 | B321 | ftplib              | - ftplib.\*                        | High      |
 +------+---------------------+------------------------------------+-----------+

+B322: input
+------------
+
+The input method in Python 2 will read from standard input, evaluate and
+run the resulting string as python source code. This is similar, though in
+many ways worse, then using eval. On Python 2, use raw_input instead, input
+is safe in Python 3.
+
+------+---------------------+------------------------------------+-----------+
+| ID   |  Name               |  Calls                             |  Severity |
+======+=====================+====================================+===========+
+| B322 | ftplib              | - input                            | High      |
+------+---------------------+------------------------------------+-----------+
+
 """

 from bandit.blacklists import utils
@ -473,4 +487,13 @@ def gen_blacklist():
        'HIGH'
        ))

+    sets.append(utils.build_conf_dict(
+        'input', 'B322', ['input'],
+        'The input method in Python 2 will read from standard input, '
+        'evaluate and run the resulting string as python source code. This '
+        'is similar, though in many ways worse, then using eval. On Python '
+        '2, use raw_input instead, input is safe in Python 3.',
+        'HIGH'
+        ))
+
    return {'Call': sets}
--- a/examples/input.py
+++ b/examples/input.py
@ -0,0 +1 @@
+input()
--- a/tests/functional/test_functional.py
+++ b/tests/functional/test_functional.py
@ -532,3 +532,10 @@ class FunctionalTests(testtools.TestCase):
        self.run_example('flask_debug.py')
        self.assertEqual(1, len(self.b_mgr.baseline))
        self.assertEqual({}, self.b_mgr.get_issue_list())
+
+    def test_blacklist_input(self):
+        expect = {
+            'SEVERITY': {'HIGH': 1},
+            'CONFIDENCE': {'HIGH': 1}
+        }
+        self.check_example('input.py', expect)