general_hardcoded_password plugin throws AttributeError exception on Python3

Bug #1502343 reported by vamshi basupalli
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Bandit | Fix Released | Undecided | Tim Kelsey | |

Bug Description

On Python3, the `general_hardcoded_password` plugin throws an `AttributeError` exception while handling a `RuntimeError` exception.

In the file `general_hardcoded_password.py`, the method `hardcoded_password`, while handling a `RuntimeError` exception, tries to access the `message` attribute and fails.

In Python-3, an object of the `RuntimeError` class does not have a `message` attribute. This attribute is only available in Python-2, where `RuntimeError` inherits the attribute from `BaseException`.

summary: - general_hardcoded_password plugin throws RuntimeError exceptions on
+ general_hardcoded_password plugin throws AttributeError exception on
Python3
Tim Kelsey (tim-kelsey) wrote :

This is likely fixed by the new version of the hardcoded password tests

Changed in bandit:
status: New → Confirmed
Tim Kelsey (tim-kelsey)
Changed in bandit:
assignee: nobody → Tim Kelsey (tim-kelsey)
Changed in bandit:
status: Confirmed → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to bandit (master)

Reviewed: https://review.openstack.org/230384
Committed: https://git.openstack.org/cgit/openstack/bandit/commit/?id=604ca79759b3d23a01ce661fad58469e525e13b8
Submitter: Jenkins
Branch: master

commit 604ca79759b3d23a01ce661fad58469e525e13b8
Author: Tim Kelsey <email address hidden>
Date: Fri Oct 2 12:41:00 2015 +0100

    Improved tests for hardcoded passwords

    This replaces the existing hardcoded password test with a number of
    smarter tests. None of the new tests utilize a word dictionary, we
    now trigger the warnings based on matching variable names and the
    like against a list of candidate names:

     - "password"
     - "pass"
     - "passwd"
     - "pwd"
     - "secret"
     - "token"

    hardcoded_password_string looks for:
     candidate = "some_string_literal"
     dict[candidate] = "some_string_literal"
     candidate == "some_string_literal"

    hardcoded_password_funcarg looks for:
     func_call(candidate="some_string_literal")

    hardcoded_password_default looks for:
     def func_def(candidate="some_string_literal"):

    All issues are reported as MEDIUM confidence, LOW severity

    Closes-bug: #1502348
    Closes-bug: #1502343
    Closes-bug: #1432887

    Change-Id: I36d97ee838a7f08234b759c352649721d07e8ab0

Changed in bandit:
status: In Progress → Fix Committed
Tim Kelsey (tim-kelsey)
Changed in bandit:
status: Fix Committed → Fix Released
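
The three checks named in the commit message above can be sketched with the standard-library `ast` module. This is an added example, not Bandit's plugin code: the function name `find_hardcoded_passwords` and the sample input are hypothetical, candidate names are matched exactly, `dict[candidate]` is read as a string-literal subscript key, and Python 3.9+ is assumed.

```python
import ast

# Candidate names listed in the commit message (exact match is an assumption).
CANDIDATES = {"password", "pass", "passwd", "pwd", "secret", "token"}

# Constructed sample input, not taken from any real code base.
SAMPLE = '''\
password = "hunter2"
cfg["token"] = "abc123"
ok = pwd == "letmein"
connect(host="db", passwd="s3cret")
def login(user, secret="changeme"):
    return user
password = os.environ["APP_PASSWORD"]
timeout = "30"
'''

def _is_str(node):
    return isinstance(node, ast.Constant) and isinstance(node.value, str)

def _is_candidate(node):
    # Bare name (pwd = ...) or string-literal subscript key (cfg["token"] = ...).
    if isinstance(node, ast.Subscript):  # Python 3.9+: slice is the key expression
        return _is_str(node.slice) and node.slice.value in CANDIDATES
    return isinstance(node, ast.Name) and node.id in CANDIDATES

def find_hardcoded_passwords(source):
    """Return sorted (line, check_name) pairs for the three checks."""
    hits = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Assign) and _is_str(node.value):
            if any(_is_candidate(t) for t in node.targets):
                hits.append((node.lineno, "hardcoded_password_string"))
        elif isinstance(node, ast.Compare) and isinstance(node.ops[0], ast.Eq):
            if _is_candidate(node.left) and _is_str(node.comparators[0]):
                hits.append((node.lineno, "hardcoded_password_string"))
        elif isinstance(node, ast.Call):
            hits += [(kw.value.lineno, "hardcoded_password_funcarg")
                     for kw in node.keywords
                     if kw.arg in CANDIDATES and _is_str(kw.value)]
        elif isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            a = node.args
            pos = a.posonlyargs + a.args
            # Defaults belong to the last len(defaults) positional parameters.
            pairs = list(zip(pos[len(pos) - len(a.defaults):], a.defaults))
            pairs += [(k, d) for k, d in zip(a.kwonlyargs, a.kw_defaults) if d is not None]
            hits += [(d.lineno, "hardcoded_password_default")
                     for p, d in pairs if p.arg in CANDIDATES and _is_str(d)]
    return sorted(hits)
```

Calling `find_hardcoded_passwords(SAMPLE)` flags lines 1 to 5 of the sample and leaves the `os.environ` lookup and the non-candidate `timeout` assignment alone.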