default location of word_list file can't be found

Bug #1451575 reported by Eric Brown
Affects: Bandit
Status: Fix Released
Importance: Medium
Assigned to: Dave Walker
Milestone: none

Bug Description

In the default bandit.yaml the following is defined:

hardcoded_password:
    word_list: "wordlist/default-passwords"

This is a relative path to a file that exists within the bandit source tree.

And from looking at the code that loads this file, it does a file open on that exact relative path. So if not run within the bandit root project directory, it'll be unable to find the file and not give any indication of error, since the default is to use an empty list.

Issues:
- default-passwords doesn't get installed with the PyPI package.
- bandit/bandit/plugins/general_hardcoded_password.py needs to find the default password file.
- An error should be logged if a file cannot be loaded. Someone who provides their own custom password file will see no indication if it wasn't found.

Eric Brown (ericwb)
Changed in bandit:
importance: Undecided → Medium
Dave Walker (davewalker)
Changed in bandit:
assignee: nobody → Dave Walker (davewalker)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to bandit (master)

Fix proposed to branch: master
Review: https://review.openstack.org/201053

Changed in bandit:
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to bandit (master)

Reviewed: https://review.openstack.org/201053
Committed: https://git.openstack.org/cgit/openstack/bandit/commit/?id=78643c5b2173596b8ae2bd96e1c2e56c0b38560a
Submitter: Jenkins
Branch: master

commit 78643c5b2173596b8ae2bd96e1c2e56c0b38560a
Author: Dave Walker (Daviey) <email address hidden>
Date: Sun Jul 12 21:11:44 2015 +0100

    Install word_list, raise exception if cannot find

    Previously, the default bandit.yaml config file had an entry
    for a relative word-list which is only really useful if
    running bandit from git, as the path is both relative but
    also the default word-list is not installed by the bandit
    python package.

    If the word-list from the config cannot be found, the
    current behavior is to silently continue with an empty set,
    meaning that this test does not function at all - giving a
    false sense of assurance.

    This change installs the default word_list to:
      - /usr/local/share/bandit/wordlist/default-passwords

    The config file now supports "(site_data_dir)" for
    substitution, which is replaced by distro standard site_data
    locations (including /usr/local and /usr).

    The first substitution attempted is still relative to the
    pwd, to allow the current working tree (and unit tests) to
    function.

    Crucially, this change now raises an exception if the
    declared word-list cannot be found.

    Closes-Bug: #1451575
    Signed-off-by: Dave Walker (Daviey) <email address hidden>
    Change-Id: Ia090ee6b16866d374191c03de55529fbd6a10c99

Changed in bandit:
status: In Progress → Fix Committed
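The following is an added illustration of the failure mode in the bug description and of the resolution strategy the commit message describes (try the path relative to the working directory first, then substitute "(site_data_dir)" with the distro site-data locations, and raise if nothing is found). It is example code written for this page, not Bandit's own implementation: the function names, the DEFAULT_SITE_DATA_DIRS list, and the temp-directory layout built in demo() are this example's assumptions, and the word-list entries are constructed sample data.

```python
import os
import tempfile
from typing import Dict, Iterable, List

# Modelled on the bandit.yaml entry quoted in the report. The "(site_data_dir)"
# token is the substitution the fix introduced; the directory list below is an
# assumption for this example, not a value taken from Bandit's code.
DEFAULT_WORD_LIST = "wordlist/default-passwords"
SITE_DATA_TOKEN = "(site_data_dir)"
DEFAULT_SITE_DATA_DIRS = ["/usr/local/share/bandit", "/usr/share/bandit"]


def candidate_paths(configured: str, cwd: str,
                    site_data_dirs: Iterable[str] = DEFAULT_SITE_DATA_DIRS) -> List[str]:
    """Paths to try, in order: relative to cwd first (keeps a git checkout and
    unit tests working), then each site-data directory."""
    if SITE_DATA_TOKEN not in configured and os.path.isabs(configured):
        return [configured]                      # explicit absolute path: nothing to resolve
    candidates = []
    for base in [cwd, *site_data_dirs]:
        if SITE_DATA_TOKEN in configured:
            candidates.append(configured.replace(SITE_DATA_TOKEN, base))
        else:
            candidates.append(os.path.join(base, configured))
    return candidates


def _read_words(path: str) -> List[str]:
    with open(path) as fh:
        return [line.strip() for line in fh if line.strip()]


def load_word_list_silent(configured: str, cwd: str) -> List[str]:
    """Pre-fix behaviour as the report describes it: open the relative path
    as-is and fall back to an empty list, so the hardcoded_password check
    silently matches nothing."""
    try:
        return _read_words(os.path.join(cwd, configured))
    except OSError:
        return []


def load_word_list(configured: str, cwd: str,
                   site_data_dirs: Iterable[str] = DEFAULT_SITE_DATA_DIRS) -> List[str]:
    """Post-fix behaviour: walk the candidates and fail loudly if none exists."""
    tried = candidate_paths(configured, cwd, site_data_dirs)
    for path in tried:
        if os.path.isfile(path):
            return _read_words(path)
    raise FileNotFoundError(
        "word_list %r not found; tried: %s" % (configured, ", ".join(tried)))


def demo() -> Dict[str, object]:
    """Build a constructed layout in a temp dir and exercise both loaders."""
    results: Dict[str, object] = {}
    with tempfile.TemporaryDirectory() as root:
        site = os.path.join(root, "share", "bandit")      # stands in for /usr/local/share/bandit
        os.makedirs(os.path.join(site, "wordlist"))
        with open(os.path.join(site, "wordlist", "default-passwords"), "w") as fh:
            fh.write("password\n123456\nadmin\n")         # constructed sample entries
        project = os.path.join(root, "some-project")     # a cwd that is not the bandit checkout
        os.makedirs(project)

        # Pre-fix: the relative path misses and the check degrades to nothing.
        results["silent"] = load_word_list_silent(DEFAULT_WORD_LIST, project)
        # Post-fix: the token resolves through the site-data dir and the list loads.
        results["resolved"] = load_word_list(
            SITE_DATA_TOKEN + "/wordlist/default-passwords", project, [site])
        # A custom list that does not exist now raises instead of silently passing.
        try:
            load_word_list("my-team-passwords.txt", project, [site])
            results["missing_raises"] = False
        except FileNotFoundError:
            results["missing_raises"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

The two loaders make the security point concrete: with the silent variant a misplaced or misnamed word list turns the hardcoded-password check into a no-op that still reports a clean scan, whereas the resolving variant surfaces the misconfiguration at load time, before any result is trusted.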
Eric Brown (ericwb) wrote :

Fix released in 0.13.0

Changed in bandit:
status: Fix Committed → Fix Released