Fixing partial path detection for Windows

This commit updates the check for a partial path in the shell plugin to recognize Windows paths (c:\something\) as complete paths. Change-Id: I0e6e3b83f5464e2fe4b06bc72632bb950b5e3d7e Closes-Bug: #1650392
2016-12-19 09:27:05 -08:00 · 2016-12-19 09:27:05 -08:00 · e3f19b0dca
parent a9f47e5d03
commit e3f19b0dca
3 changed files with 11 additions and 4 deletions
--- a/bandit/plugins/injection_shell.py
+++ b/bandit/plugins/injection_shell.py
@ -15,10 +15,15 @@
 # under the License.

 import ast
+import re

 import bandit
 from bandit.core import test_properties as test

+# yuck, regex: starts with a windows drive letter (eg C:)
+# or one of our path delimeter characters (/, \, .)
+full_path_match = re.compile(r'^(?:[A-Za-z](?=\:)|[\\\/\.])')
+

 def _evaluate_shell_call(context):
    no_formatting = isinstance(context.node.args[0], ast.Str)
@ -615,14 +620,13 @@ def start_process_with_partial_path(context, config):
           context.call_function_name_qual in config['shell'] or
           context.call_function_name_qual in config['no_shell']):

-            delims = ['/', '\\', '.']
            node = context.node.args[0]
            # some calls take an arg list, check the first part
            if isinstance(node, ast.List):
                node = node.elts[0]

            # make sure the param is a string literal and not a var name
-            if isinstance(node, ast.Str) and node.s[0] not in delims:
+            if isinstance(node, ast.Str) and not full_path_match.match(node.s):
                return bandit.Issue(
                    severity=bandit.LOW,
                    confidence=bandit.HIGH,
--- a/examples/partial_path_process.py
+++ b/examples/partial_path_process.py
@ -8,3 +8,6 @@ pop(['ls', '-l'], shell=False)
 pop(['/bin/ls', '-l'], shell=False)

 pop('../ls -l', shell=False)
+
+pop('c:\hello\something', shell=False)
+pop('c:/hello/something_else', shell=False)
--- a/tests/functional/test_functional.py
+++ b/tests/functional/test_functional.py
@ -419,8 +419,8 @@ class FunctionalTests(testtools.TestCase):

    def test_partial_path(self):
        '''Test process spawning with partial file paths.'''
-        expect = {'SEVERITY': {'LOW': 9},
-                  'CONFIDENCE': {'HIGH': 9}}
+        expect = {'SEVERITY': {'LOW': 11},
+                  'CONFIDENCE': {'HIGH': 11}}

        self.check_example('partial_path_process.py', expect)