False Positive: SqlInjection warnings found in docstrings
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Bandit | Fix Released | Medium | Unassigned |
Bug Description
I ran Bandit against Barbican and found some false positives regarding SQL.
It appears Bandit is mistaking our docstrings with lots of colons for a SQL command construction.
Test results:
>> Possible SQL injection vector through string-based query construction, without SQLALCHEMY use
- /Users/
239 :returns: A :class:`ResultDTO` instance containing the result
240 populated by the plugin implementation
241 :rtype: :class:`ResultDTO`
242 """
243 raise NotImplementedError # pragma: no cover
244
>> Possible SQL injection vector through string-based query construction, without SQLALCHEMY use
- /Users/
52 :returns: A :class:`ResultDTO` instance containing the result
53 populated by the plugin implementation
54 :rtype: :class:`ResultDTO`
55 """
56 LOG.info(
57 return cert.ResultDTO(
>> Possible SQL injection vector through string-based query construction, without SQLALCHEMY use
- /Users/
93 this plugin. Plugins may also update/add
94 information here which Barbican will persist
95 on their behalf.
96 """
97 raise NotImplementedError # pragma: no cover
98
Here is an example docstring that triggers the warning.
It starts with "update" and includes the word "set" in the text.
It would make sense for Bandit to exclude docstrings from the string tests.
```python
def modify_certificate_request(self, order_id, order_meta, plugin_meta):
    """Update the order meta-data

    :param order_id: ID associated with the order
    :param order_meta: Dict of meta-data associated with the order.
    :param plugin_meta: Plugin meta-data previously set by calls to
        this plugin. Plugins may also update/add
        information here which Barbican will persist
        on their behalf.
    :returns: A :class:`ResultDTO` instance containing the result
        populated by the plugin implementation
    :rtype: :class:`ResultDTO`
    """
    raise NotImplementedError  # pragma: no cover
```
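To show why the docstring above trips a string-based SQL heuristic and what skipping docstrings looks like, here is an added example (not Bandit's or Barbican's code): a simplified checker whose regex is modelled on the "update ... set" shape of the warning, with a switch that ignores string constants the AST identifies as docstrings. The sample source is constructed for the example and assumes Python 3.8+ (`ast.Constant`).

```python
import ast
import re

# Simplified stand-in for a string-based SQL heuristic (assumption: this is
# not Bandit's own pattern). Any string that reads like a SQL statement,
# e.g. "update ... set ...", is flagged.
SQL_PATTERN = re.compile(
    r"(select\s.*from\s|delete\s+from\s|insert\s+into\s.*values\s|update\s.*set\s)",
    re.IGNORECASE | re.DOTALL,
)


def _docstring_nodes(tree):
    """Collect the string-constant nodes that are module/class/function docstrings."""
    docs = set()
    scopes = (ast.Module, ast.ClassDef, ast.FunctionDef, ast.AsyncFunctionDef)
    for node in ast.walk(tree):
        if isinstance(node, scopes) and node.body:
            first = node.body[0]
            if (isinstance(first, ast.Expr) and isinstance(first.value, ast.Constant)
                    and isinstance(first.value.value, str)):
                docs.add(first.value)
    return docs


def find_sql_strings(source, skip_docstrings):
    """Return sorted line numbers of string constants matching SQL_PATTERN."""
    tree = ast.parse(source)
    docs = _docstring_nodes(tree) if skip_docstrings else set()
    hits = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Constant) and isinstance(node.value, str):
            if node in docs:
                continue  # a docstring, not a query being built
            if SQL_PATTERN.search(node.value):
                hits.append(node.lineno)
    return sorted(hits)


# Constructed sample: the reporter's docstring next to a real string-built query.
SAMPLE = '''
def modify_certificate_request(self, order_id, order_meta, plugin_meta):
    """Update the order meta-data

    :param plugin_meta: Plugin meta-data previously set by calls to
        this plugin.
    """
    raise NotImplementedError

def lookup(conn, user):
    query = "UPDATE users SET name = '" + user + "' WHERE id = 1"
    return conn.execute(query)
'''
```

Without the docstring filter both the docstring (line 3) and the concatenated query (line 11) are reported; with it, only the query remains.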