Bandit freezes when started with the -r flag against a directory containing an __init__.py file

Bug #1538633 reported by Egor Kotko
Affects: Bandit
Status: Fix Released
Importance: High
Assigned to: Travis McPeak

Bug Description

Bandit freezes when started with the -r flag against a directory containing an __init__.py file

Steps to reproduce:
1. Create dir sec_scan
2. Create 2 files:
  - __init__.py - contains one line (a comment, see below)
  - base.py - see content below
3. Execute bandit -r sec_scan/

Actual result: it freezes while checking the __init__.py file

The output of executing:

/tests/sec_scan$ ls
base.py __init__.py
/tests/sec_scan$ cat base.py

try:
    from unittest.case import TestCase
except ImportError:
    # Running unit tests in a production environment
    from unittest2.case import TestCase

from mock import patch

import logging
import os
import shutil
import subprocess
import sys
import tempfile

logging.basicConfig(stream=sys.stderr)
log = logging.getLogger("CliTest.ExecutionLog")
log.setLevel(logging.DEBUG)

class CliExectutionResult:
    def __init__(self, process_handle, out, err):
        self.return_code = process_handle.returncode
        self.stdout = out
        self.stderr = err

/tests/sec_scan$ cat __init__.py
# Copyright 2013

(fuel-devops-venv)ykotko@ykotko-pc:~/FRESH-FUEL_MAIN/fuel-main/python-fuelclient/fuelclient/tests$ bandit -r sec_scan/
[bandit] INFO using config: /home/ykotko/FRESH-FUEL_MAIN/fuel-qa/fuel-devops-venv/etc/bandit/bandit.yaml
[bandit] INFO running on Python 2.7.6

----FREEZES---

/tests$ bandit -r sec_scan/
[bandit] INFO using config: /home/ykotko/FRESH-FUEL_MAIN/fuel-qa/fuel-devops-venv/etc/bandit/bandit.yaml
[bandit] INFO running on Python 2.7.6
Run started:
        2016-01-27 15:32:40.661932

Run metrics:
        Total lines of code: 19
        Total lines skipped (#nosec): 0
        Total issues (by severity):
                Undefined: 0
                Low: 1
                Medium: 0
                High: 0
        Total issues (by confidence):
                Undefined: 0
                Low: 0
                Medium: 0
                High: 1

Files skipped (0):

Test results:

>> Issue: [blacklist_imports] Consider possible security implications associated with subprocess module.

   Severity: Low Confidence: High
   Location: sec_scan/base.py:13
12 import shutil
13 import subprocess
14 import sys

--------------------------------------------------

Changed in bandit:
status: New → Confirmed
importance: Undecided → High
assignee: nobody → Travis McPeak (travis-mcpeak)
Travis McPeak (travis-mcpeak) wrote:

I've found the issue, fix coming soon.

Changed in bandit:
status: Confirmed → In Progress
OpenStack Infra (hudson-openstack) wrote: Fix merged to bandit (master)

Reviewed: https://review.openstack.org/273181
Committed: https://git.openstack.org/cgit/openstack/bandit/commit/?id=bb83d3fce1dca0df6fd15ead4fc6acd4ebdf539e
Submitter: Jenkins
Branch: master

commit bb83d3fce1dca0df6fd15ead4fc6acd4ebdf539e
Author: Travis McPeak <email address hidden>
Date: Wed Jan 27 10:10:35 2016 -0800

    Fixing hang in get_module_qualname_from_path

    This commit fixes a possible hang in the get_module_qualname...
    function. When running against a '.' target, the while statement
    would loop forever looking for a head of '/', when all it would
    ever find was '.'. Now either option is enough to break the loop.

    A head of '.' already indicates we're as far down as we can get
    since there is no non-file path left.

    Closes-Bug: #1538633
    Change-Id: I4aca741b816e4203d6b4da4e62c5edd37d553da4

Changed in bandit:
status: In Progress → Fix Released
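The commit message above describes the loop in get_module_qualname_from_path climbing from a file to the top of its package tree and never terminating when the head it reaches is '.' rather than '/'. The following is an added illustration, not Bandit's own code: a reconstruction of that walk with the pre-fix and post-fix termination conditions side by side, a constructed stand-in for the filesystem so it runs offline (in the report, the scanner's working directory fuelclient/tests is itself a package, which is what sends the walk past sec_scan/), and an iteration guard so the non-terminating case raises instead of freezing. The stop value '' is assumed in addition to the '/' and '.' the commit names.

```python
import posixpath

# Constructed filesystem for the bug report: the working directory is a
# package (it has __init__.py), and so is sec_scan/. The real function calls
# os.path.isfile; this example consults a set instead so it runs offline.
FILES = {"__init__.py", "sec_scan/__init__.py", "sec_scan/base.py"}


def _has_init(head, files):
    """Mimic os.path.isfile(os.path.join(head, '__init__.py'))."""
    return posixpath.normpath(posixpath.join(head, "__init__.py")) in files


def _walk_packages(path, files, stop_heads, max_steps=100):
    """Climb from a file through its package directories, collecting names.

    stop_heads: directory heads that end the climb. max_steps is an added
    guard so a loop that never reaches a stop head raises RuntimeError
    rather than hanging the process, as Bandit did in the report.
    """
    head, tail = posixpath.split(path)
    if head == "" or tail == "":
        raise ValueError("invalid python file path: %r" % path)
    qname = [posixpath.splitext(tail)[0]]
    steps = 0
    while head not in stop_heads:
        steps += 1
        if steps > max_steps:
            raise RuntimeError("hang: head %r never reaches %r" % (head, stop_heads))
        if not _has_init(head, files):
            break  # parent directory is not a package: the qualname ends here
        head, tail = posixpath.split(head)  # split('.') -> ('', '.'), split('') -> ('', '')
        qname.insert(0, tail)
    return ".".join(qname)


def qualname_before_fix(path, files=FILES):
    """Reconstruction of the pre-fix loop: only a head of '/' ends it."""
    return _walk_packages(path, files, ("/",))


def qualname_after_fix(path, files=FILES):
    """Post-fix loop: '.' (and, assumed here, '') also mean no path is left."""
    return _walk_packages(path, files, ("/", ".", ""))


if __name__ == "__main__":
    print(qualname_after_fix("./sec_scan/base.py"))  # sec_scan.base
    try:
        qualname_before_fix("./sec_scan/base.py")
    except RuntimeError as exc:
        print("pre-fix loop:", exc)
```

Running it shows the pre-fix walk cycling through heads '.' and '' once the working directory is itself a package, while the fixed walk stops at '.' and yields sec_scan.base.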