-
-
Notifications
You must be signed in to change notification settings - Fork 614
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Incorrect result for B202:tarfile_unsafe_members #1038
Comments
Looking at typeshed which are user contributed and not official, it looks like we should be looking for the That said, either specifying a members iterable or a filter function/literal
Briefly looking at our code it looks like we have different branches for zip and tar. Regardless if we're expecting members to be a callable there too, then that's also wrong. This should be fixed, not removed |
I believe this should be safe as well:
See Extraction Filters and tarfile.data_filter from the |
Hello, I use bandit as a part of the continuous integration tool-chain in a project. My offending line:
It is unclear to me how I should fix the issue. The link https://bandit.readthedocs.io/en/0.0.0/plugins/b202_tarfile_unsafe_members.html is not working. It seems that the source is: Should filter="data" be enough? Thanks! |
To the best of my knowledge it is safe (with the caveat that "safe", "security" etc is a gray scale). Bandit will complain though because of the bug in this issue.
The issue can only be fixed inside Bandit. The code you wrote should be safe. The "fix" is basically to do what you did, slap a |
Describe the bug
The B202:tarfile_unsafe_members documentation says to pass a callable as the
members
argument but that’s not supported in the official type signature and not implemented in CPython stdlib.members
should be used as anIterable[TarInfo]
instead.That change was introduced in v1.7.5 based on issue #207 and PR #549
cc @yilmi @ericwb @lukehinds @sigmavirus24
The following fixes are required to address this bug:
tarfile.extractalll(members=function(tarfile)) - LOW
suggestion here seems to be wrong.ast.Call
node here should be fixed/removed.extractall
function name look up here is too coarse and can easily result in inaccurate results for other libraries that have the same function names, e.g., ZipFile.extractall.Reproduction steps
This PR addresses the
B202:tarfile_unsafe_members
by validatingmembers
Iterable argument but Bandit cannot detect the filtering ofmembers
used to fix the issue (hence the need to suppress the error)Expected behavior
The check on ast.Call node here should be fixed/removed. We should not assume the
members
argument to have aCallable
type.Bandit version
1.7.5 (Default)
Python version
3.11 (Default)
Additional context
No response
The text was updated successfully, but these errors were encountered: