forked from PyCQA/bandit
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
New check: B113: TrojanSource - Bidirectional control characters (PyC…
…QA#757) * New check: B113: TrojanSource - Bidirectional control characters * Handling Python source files using a non-UTF8 encoding * Pleasing pep8 * Adding missing "SPDX-License-Identifier: Apache-2.0" comment * Also forbidding \u200F * Fixups for pre-commit hooks * Fixing KeyError: 'file_data' * Update issue.py * Apply suggestions from code review * Update bandit/plugins/trojansource.py --------- Co-authored-by: Eric Brown <ericwb@users.noreply.github.com> Co-authored-by: Eric Brown <eric_wade_brown@yahoo.com>
- Loading branch information
1 parent
6142b7a
commit ec384b8
Showing
10 changed files
with
131 additions
and
4 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,77 @@ | ||
# | ||
# SPDX-License-Identifier: Apache-2.0 | ||
r""" | ||
===================================================== | ||
B613: TrojanSource - Bidirectional control characters | ||
===================================================== | ||
This plugin checks for the presence of unicode bidirectional control characters | ||
in Python source files. Those characters can be embedded in comments and strings | ||
to reorder source code characters in a way that changes its logic. | ||
:Example: | ||
.. code-block:: none | ||
>> Issue: [B613:trojansource] A Python source file contains bidirectional control characters ('\u202e'). | ||
Severity: High Confidence: Medium | ||
CWE: CWE-838 (https://cwe.mitre.org/data/definitions/838.html) | ||
More Info: https://bandit.readthedocs.io/en/1.7.5/plugins/b113_trojansource.html | ||
Location: examples/trojansource.py:4:25 | ||
3 access_level = "user" | ||
4 if access_level != 'none': # Check if admin ' and access_level != 'user | ||
5 print("You are an admin.\n") | ||
.. seealso:: | ||
.. [1] https://trojansource.codes/ | ||
.. [2] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42574 | ||
.. versionadded:: 1.7.10 | ||
""" # noqa: E501 | ||
from tokenize import detect_encoding | ||
|
||
import bandit | ||
from bandit.core import issue | ||
from bandit.core import test_properties as test | ||
|
||
|
||
BIDI_CHARACTERS = ( | ||
"\u202A", | ||
"\u202B", | ||
"\u202C", | ||
"\u202D", | ||
"\u202E", | ||
"\u2066", | ||
"\u2067", | ||
"\u2068", | ||
"\u2069", | ||
"\u200F", | ||
) | ||
|
||
|
||
@test.test_id("B613") | ||
@test.checks("File") | ||
def trojansource(context): | ||
with open(context.filename, "rb") as src_file: | ||
encoding, _ = detect_encoding(src_file.readline) | ||
with open(context.filename, encoding=encoding) as src_file: | ||
for lineno, line in enumerate(src_file.readlines(), start=1): | ||
for char in BIDI_CHARACTERS: | ||
try: | ||
col_offset = line.index(char) + 1 | ||
except ValueError: | ||
continue | ||
text = ( | ||
"A Python source file contains bidirectional" | ||
" control characters (%r)." % char | ||
) | ||
return bandit.Issue( | ||
severity=bandit.HIGH, | ||
confidence=bandit.MEDIUM, | ||
cwe=issue.Cwe.INAPPROPRIATE_ENCODING_FOR_OUTPUT_CONTEXT, | ||
text=text, | ||
lineno=lineno, | ||
col_offset=col_offset, | ||
) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,5 @@ | ||
------------------ | ||
B613: trojansource | ||
------------------ | ||
|
||
.. automodule:: bandit.plugins.trojansource |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,5 @@ | ||
#!/usr/bin/env python3 | ||
# cf. https://trojansource.codes/ & https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42574 | ||
access_level = "user" | ||
if access_level != 'none': # Check if admin ' and access_level != 'user | ||
print("You are an admin.\n") |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,7 @@ | ||
#!/usr/bin/env python3 | ||
# -*- coding: latin-1 -*- | ||
# cf. https://trojansource.codes & https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42574 | ||
# Some special characters: àçéêèù | ||
access_level = "user" | ||
if access_level != 'none??': # Check if admin ??' and access_level != 'user | ||
print("You are an admin.\n") |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters