Bandit reports 'json.load' as 'yaml.load'

Bug #1622615 reported by Luke Hinds
This bug affects 2 people

Affects: Bandit
Status: Fix Released
Importance: Undecided
Assigned to: Dave McCowan

Bug Description

json.load is incorrectly parsed as yaml.load. See the following example:

yaml_load: Use of unsafe yaml load. Allows instantiation of arbitrary objects. Consider yaml.safe_load().
Test ID: B506
Severity: MEDIUM
Confidence: HIGH
File: <snip>
More info: http://docs.openstack.org/developer/bandit/plugins/yaml_load.html
348 .format(RESULTS_DIR, test_name)) as json_file:
349 json_data = json.load(json_file)

Changed in bandit:
assignee: nobody → Dave McCowan (dave-mccowan)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to bandit (master)

Fix proposed to branch: master
Review: https://review.openstack.org/383245

Changed in bandit:
status: New → In Progress
Luke Hinds (lhinds) wrote :

Just tested against the same code and LGTM.

OpenStack Infra (hudson-openstack) wrote : Fix merged to bandit (master)

Reviewed: https://review.openstack.org/383245
Committed: https://git.openstack.org/cgit/openstack/bandit/commit/?id=e98515faf0a1089baafbd106694b02e548581b32
Submitter: Jenkins
Branch: master

commit e98515faf0a1089baafbd106694b02e548581b32
Author: Dave McCowan <email address hidden>
Date: Thu Oct 6 14:28:04 2016 -0400

    Use qualname list to avoid false positive on load()

    The code checking for yaml.load() issues had false positives
    on json.load() and foo.load(). This patch checks the
    qualnames of the load function to avoid false positives.

    Change-Id: I22ffb9e852e31d04dc49c4ad949d1417e70f8828
    Closes-bug: 1622615

Changed in bandit:
status: In Progress → Fix Released
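The commit message above describes the fix only in outline: match the qualified name of the called function rather than its bare name. The following is an added example, not Bandit's own plugin code, that shows both strategies side by side in a minimal ast.NodeVisitor. The resolver tracks import statements so that `yaml`, `import yaml as y` and `from yaml import load as yload` all resolve to the qualname `yaml.load`; it goes slightly beyond the report by also covering the aliased forms. The SAMPLE source, the QualnameResolver class and the two `*_findings` helpers are constructed for this illustration.

```python
import ast

# Constructed sample module: four callables that are all a "load" of some kind,
# but only three of them are yaml.load under the hood.
SAMPLE = """
import json
import yaml
import yaml as y
from yaml import load as yload

def read(path):
    with open(path) as fh:
        data = json.load(fh)        # json.load: harmless, must not be flagged
    cfg = yaml.load(open(path))     # yaml.load: unsafe
    cfg2 = y.load(open(path))       # yaml.load via module alias: unsafe
    cfg3 = yload(open(path))        # yaml.load via from-import alias: unsafe
    return data, cfg, cfg2, cfg3
"""

# Qualified names the checker treats as unsafe (hypothetical list for this demo).
UNSAFE_QUALNAMES = {"yaml.load"}


class QualnameResolver(ast.NodeVisitor):
    """Record every call as (lineno, bare_name, qualified_name).

    The qualified name is built by resolving the leftmost identifier of the
    callee through the module's import aliases, so "y.load" becomes "yaml.load".
    """

    def __init__(self):
        self.aliases = {}   # local name -> qualified name it was imported as
        self.calls = []     # (lineno, bare_name, qualname)

    def visit_Import(self, node):
        for alias in node.names:                     # import yaml [as y]
            self.aliases[alias.asname or alias.name] = alias.name

    def visit_ImportFrom(self, node):
        for alias in node.names:                     # from yaml import load [as yload]
            self.aliases[alias.asname or alias.name] = f"{node.module}.{alias.name}"

    def visit_Call(self, node):
        bare, qual = self._callee(node.func)
        if bare is not None:
            self.calls.append((node.lineno, bare, qual))
        self.generic_visit(node)                     # also visit nested calls

    def _callee(self, func):
        # Flatten an attribute chain such as yaml.load into ["yaml", "load"].
        parts = []
        while isinstance(func, ast.Attribute):
            parts.append(func.attr)
            func = func.value
        if not isinstance(func, ast.Name):
            return None, None                        # e.g. a call on a call result
        parts.append(func.id)
        parts.reverse()
        head = self.aliases.get(parts[0], parts[0])  # resolve the import alias
        return parts[-1], ".".join([head] + parts[1:])


def _collect(source):
    resolver = QualnameResolver()
    resolver.visit(ast.parse(source))
    return resolver.calls


def naive_findings(source):
    """Pre-fix behaviour: flag any call whose bare name is 'load'.

    Fires on json.load (the reported false positive) and also misses the
    from-import alias, because its bare name is 'yload'.
    """
    return [lineno for lineno, bare, _ in _collect(source) if bare == "load"]


def qualname_findings(source):
    """Post-fix behaviour: flag a call only when its resolved qualname is unsafe."""
    return [lineno for lineno, _, qual in _collect(source) if qual in UNSAFE_QUALNAMES]


if __name__ == "__main__":
    print("bare-name match  :", naive_findings(SAMPLE))     # includes json.load at line 9
    print("qualname match   :", qualname_findings(SAMPLE))  # only the yaml.load calls
```

Running the block reports lines 9, 10 and 11 for the bare-name match (line 9 being the json.load false positive from the report) and lines 10, 11 and 12 for the qualname match. Real Bandit resolves qualnames through its own context object rather than this ad hoc alias table, but the matching rule the commit describes is the same.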