hardcoded_sql_expressions dumping traceback errors

Bug #1479625 reported by Eric Brown
This bug affects 1 person
Affects: Bandit
Status: Fix Released
Importance: High
Assigned to: Tim Kelsey
Milestone: (none)

Bug Description

The latest bandit (from source) is showing traceback errors from the hardcoded_sql_expressions plugin.

To recreate:
git clone https://github.com/openstack/bandit.git
git clone https://github.com/openstack/nova.git
cd bandit
tox -e py27
.tox/py27/bin/bandit -r ../nova/nova -n 5

jenkins@wdc-ecostack-dhcp-4-255:~/bandit$ .tox/py27/bin/bandit -r ../nova/nova -n 5
[bandit] INFO using config: /home/jenkins/bandit/bandit/config/bandit.yaml
[bandit] INFO running on Python 2.7.6
1418 [0.. /home/jenkins/bandit/bandit/plugins/general_hardcoded_password.py:41: UserWarning: Using relative path for word_list: ./wordlist/default-passwords
  % word_list_path)
50.. 100.. 150.. 200.. 250.. 300.. 350.. [tester] ERROR Bandit internal error running: hardcoded_sql_expressions on file ../nova/nova/db/sqlalchemy/api.py at line 2170: 'Call' object has no attribute 'id'Traceback (most recent call last):
  File "/home/jenkins/bandit/bandit/core/tester.py", line 65, in run_tests
    result = test(context)
  File "/home/jenkins/bandit/bandit/plugins/injection_sql.py", line 46, in hardcoded_sql_expressions
    val = _evaluate_ast(context.node)
  File "/home/jenkins/bandit/bandit/plugins/injection_sql.py", line 39, in _evaluate_ast
    name = utils.get_called_name(out[0].parent)
  File "/home/jenkins/bandit/bandit/core/utils.py", line 343, in get_called_name
    return (func.attr if isinstance(func, ast.Attribute) else func.id)
AttributeError: 'Call' object has no attribute 'id'

[tester] ERROR Bandit internal error running: hardcoded_sql_expressions on file ../nova/nova/db/sqlalchemy/api.py at line 2170: 'Call' object has no attribute 'id'Traceback (most recent call last):
  File "/home/jenkins/bandit/bandit/core/tester.py", line 65, in run_tests
    result = test(context)
  File "/home/jenkins/bandit/bandit/plugins/injection_sql.py", line 46, in hardcoded_sql_expressions
    val = _evaluate_ast(context.node)
  File "/home/jenkins/bandit/bandit/plugins/injection_sql.py", line 39, in _evaluate_ast
    name = utils.get_called_name(out[0].parent)
  File "/home/jenkins/bandit/bandit/core/utils.py", line 343, in get_called_name
    return (func.attr if isinstance(func, ast.Attribute) else func.id)
AttributeError: 'Call' object has no attribute 'id'

Eric Brown (ericwb)
Changed in bandit:
importance: Undecided → High
Eric Brown (ericwb)
Changed in bandit:
assignee: nobody → Tim Kelsey (tim-kelsey)
Revision history for this message
Tim Kelsey (tim-kelsey) wrote :

What an interesting edge case :) This happens because a call node gets wrapped in a call node. This odd AST structure occurs when calling a function returned from a function, like so:

def derp():
    def herp():
        print "meta!"
    return herp

derp()()

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to bandit (master)

Fix proposed to branch: master
Review: https://review.openstack.org/207513

Changed in bandit:
status: New → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to bandit (master)

Reviewed: https://review.openstack.org/207513
Committed: https://git.openstack.org/cgit/openstack/bandit/commit/?id=f696ce0a0dd2007177558a0566e58f8ac44acb44
Submitter: Jenkins
Branch: master

commit f696ce0a0dd2007177558a0566e58f8ac44acb44
Author: Tim Kelsey <email address hidden>
Date: Thu Jul 30 16:51:07 2015 +0100

    Bug fix for SQL tests

    A very interesting edge case in the AST came up to cause this bug.
    When calling a function returned from a function the AST will
    wrap a call node in a call node, resulting in a completely anonymous
    function call. Even more anonymous than a Lambda, since you can
    detect that from its node type.

    def derp():
        def herp():
            print "meta!"
        return herp

    derp()()

    The fix is a try, except block since we can't do anything useful in
    this situation. Tests on Nova now run to completion.

    Change-Id: Ice0a165009ae7b5a72b6b6661ee24aafa7ef4075
    Closes-bug: 1479625

Changed in bandit:
status: In Progress → Fix Committed
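The failure and the fix both come down to one question: what does a plugin call the callee of a `Call` node? The report's `get_called_name` assumed the callee is always a `Name` (`run(...)`) or an `Attribute` (`cursor.execute(...)`), but in `derp()()` the callee is itself a `Call`, and a `Lambda` or `Subscript` callee breaks the same assumption. The following is an added example, not Bandit's own code and not the change merged above; it reproduces the crash shape on constructed snippets, shows a callee resolver that returns `None` for anonymous callees instead of raising, and runs a simplified SQL-literal check (the regex, the `SNIPPETS`, `SAMPLE`, `called_name`, `naive_called_name`, `resolve_all` and `scan` names are all assumptions of this example, not Bandit's plugin or its exact matching rules).

```python
import ast
import re

# Constructed snippets (not from the page or from Nova): one call per callee shape.
SNIPPETS = {
    "name": "run('SELECT 1')",
    "attribute": "cursor.execute('SELECT * FROM t')",
    "nested_call": "derp()('SELECT 1')",        # the edge case from the bug: Call wrapped in Call
    "lambda": "(lambda q: q)('SELECT 1')",       # callee is a Lambda node
    "subscript": "handlers[0]('SELECT 1')",      # callee is a Subscript node
}

# Constructed sample program for the scanner (assumption, not Nova's api.py).
SAMPLE = '''\
def derp():
    def herp(q):
        return q
    return herp

cursor.execute("SELECT * FROM users WHERE id = 1")
derp()("DELETE FROM users WHERE id = 1")
'''

# Simplified "looks like SQL" pattern; an assumption of this example.
SQL_RE = re.compile(
    r"(select\s.*from\s|delete\s+from\s|insert\s+into\s|update\s.*set\s)",
    re.IGNORECASE,
)


def naive_called_name(call):
    """Mirrors the failing logic quoted in the traceback: anything that is not an
    Attribute is assumed to be a Name and must have an .id."""
    func = call.func
    return func.attr if isinstance(func, ast.Attribute) else func.id


def called_name(call):
    """Return the callee's name, or None when the callee is anonymous
    (a nested Call, a Lambda, a Subscript, ...) and there is nothing to name."""
    func = call.func
    if isinstance(func, ast.Attribute):
        return func.attr
    if isinstance(func, ast.Name):
        return func.id
    return None


def first_call(src):
    """Return the outermost Call node in a parsed snippet (ast.walk is breadth-first,
    so for derp()() the wrapping Call is seen before the wrapped one)."""
    for node in ast.walk(ast.parse(src)):
        if isinstance(node, ast.Call):
            return node
    raise ValueError("snippet contains no call")


def resolve_all(naive):
    """Resolve the callee of every snippet with either resolver, recording the
    AttributeError text instead of letting it escape, as the report shows it did."""
    resolver = naive_called_name if naive else called_name
    results = {}
    for label, src in SNIPPETS.items():
        try:
            results[label] = resolver(first_call(src))
        except AttributeError as exc:
            results[label] = "AttributeError: " + str(exc)
    return results


def scan(src):
    """Report (lineno, callee_or_None, literal) for every call that passes a
    SQL-looking string literal. Anonymous callees are reported with None rather
    than aborting the whole scan of the file."""
    findings = []
    for node in ast.walk(ast.parse(src)):
        if not isinstance(node, ast.Call):
            continue
        for arg in node.args:
            if (isinstance(arg, ast.Constant) and isinstance(arg.value, str)
                    and SQL_RE.search(arg.value)):
                findings.append((node.lineno, called_name(node), arg.value))
    return findings


if __name__ == "__main__":
    for label, result in resolve_all(naive=True).items():
        print("naive    ", label, "->", result)
    for label, result in resolve_all(naive=False).items():
        print("tolerant ", label, "->", result)
    for lineno, callee, literal in scan(SAMPLE):
        print("line %d callee=%r literal=%r" % (lineno, callee, literal))
```

With the naive resolver the `nested_call` snippet fails with exactly the `'Call' object has no attribute 'id'` seen in the report, and the lambda and subscript callees fail the same way with their own node types; the tolerant resolver returns `None` for all three, so the scanner still reports the `DELETE FROM` literal passed to `derp()(...)` on line 7 of `SAMPLE`, just without a callee name. That matches the reasoning in the merged fix: when the callee is anonymous there is nothing useful to name, so the plugin should degrade rather than abort the run.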
Revision history for this message
Eric Brown (ericwb) wrote :

Fix released in 0.13.0

Changed in bandit:
status: Fix Committed → Fix Released