Add check for httpoxy vulnerability

Change-Id: Ie366b110d33cb940ae176ccb87ef48e024868401
Closes-Bug: #1607907

README.rst

@@ -174,6 +174,7 @@ Usage::
       B409  import_xml_pulldom
       B410  import_lxml
       B411  import_xmlrpclib
+      B412  import_httpoxy
       B501  request_with_no_cert_validation
       B502  ssl_with_bad_version
       B503  ssl_with_bad_defaults

bandit/blacklists/imports.py

@@ -160,6 +160,20 @@ xmlrpclib and mitigate remote XML attacks.
 | B411 | import_xmlrpclib    | - xmlrpclib                        | high      |
 +------+---------------------+------------------------------------+-----------+
 
+B412: import_httpoxy
+--------------------
+httpoxy is a set of vulnerabilities that affect application code running in
+CGI, or CGI-like environments. The use of CGI for web applications should be
+avoided to prevent this class of attack. More details are available
+at https://httpoxy.org/.
+
++------+---------------------+------------------------------------+-----------+
+| ID   |  Name               |  Imports                           |  Severity |
++======+=====================+====================================+===========+
+| B412 | import_httpoxy      | - wsgiref.handlers.CGIHandler      | high      |
+|      |                     | - twisted.web.twcgi.CGIScript      |           |
++------+---------------------+------------------------------------+-----------+
+
 """
 
 from bandit.blacklists import utils
@@ -237,4 +251,12 @@ def gen_blacklist():
         'function to monkey-patch xmlrpclib and mitigate XML '
         'vulnerabilities.', 'HIGH'))
 
+    sets.append(utils.build_conf_dict(
+        'import_httpoxy', 'B412',
+        ['wsgiref.handlers.CGIHandler', 'twisted.web.twcgi.CGIScript',
+         'twisted.web.twcgi.CGIDirectory'],
+        'Consider possible security implications associated with '
+        '{name} module.', 'HIGH'
+        ))
+
     return {'Import': sets, 'ImportFrom': sets, 'Call': sets}

examples/httpoxy_cgihandler.py

@@ -0,0 +1,10 @@
+import requests
+import wsgiref.handlers
+
+def application(environ, start_response):
+    r = requests.get('https://192.168.0.42/private/api/foobar')
+    start_response('200 OK', [('Content-Type', 'text/plain')])
+    return [r.content]
+
+if __name__ == '__main__':
+    wsgiref.handlers.CGIHandler().run(application)

examples/httpoxy_twisted_directory.py

@@ -0,0 +1,7 @@
+from twisted.internet import reactor
+from twisted.web import static, server, twcgi
+
+root = static.File("/root")
+root.putChild("cgi-bin", twcgi.CGIDirectory("/var/www/cgi-bin"))
+reactor.listenTCP(80, server.Site(root))
+reactor.run()

examples/httpoxy_twisted_script.py

@@ -0,0 +1,7 @@
+from twisted.internet import reactor
+from twisted.web import static, server, twcgi
+
+root = static.File("/root")
+root.putChild("login.cgi", twcgi.CGIScript("/var/www/cgi-bin/login.py"))
+reactor.listenTCP(80, server.Site(root))
+reactor.run()

tests/functional/test_functional.py

@@ -387,6 +387,14 @@ class FunctionalTests(testtools.TestCase):
                   'CONFIDENCE': {'HIGH': 2, 'MEDIUM': 6}}
         self.check_example('xml_sax.py', expect)
 
+    def test_httpoxy(self):
+        '''Test httpoxy vulnerability.'''
+        expect = {'SEVERITY': {'HIGH': 1},
+                  'CONFIDENCE': {'HIGH': 1}}
+        self.check_example('httpoxy_cgihandler.py', expect)
+        self.check_example('httpoxy_twisted_script.py', expect)
+        self.check_example('httpoxy_twisted_directory.py', expect)
+
     def test_asserts(self):
         '''Test catching the use of assert.'''
         expect = {'SEVERITY': {'LOW': 1},