What is the way to ignore/skip some issues from python bandit security issues report?
I'm running into a bunch of django_mark_safe errors:
>> Issue: [B703:django_mark_safe] Potential XSS on mark_safe function.
Severity: Medium Confidence: High
Location: ...
More Info: https://bandit.readthedocs.io/en/latest/plugins/b703_django_mark_safe.html
54 return mark_safe(f'<a href="{url}" target="_blank">{title}</a>')
>> Issue: [B308:blacklist] Use of mark_safe() may expose cross-site scripting vulnerabilities and should be reviewed.
Severity: Medium Confidence: High
Location: ...
More Info: https://bandit.readthedocs.io/en/latest/blacklists/blacklist_calls.html#b308-mark-safe
54 return mark_safe(f'<a href="{url}" target="_blank">{title}</a>')
I'm curious whether there is a way to skip or ignore these lines? I know that using mark_safe can be dangerous, but what if I want to take the risk? For example, this is the only way to display a custom link in the Django admin, so I don't know of any other option for doing this without mark_safe.
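Rather than suppressing B703/B308, the finding goes away when raw values are never handed to mark_safe. In Django the helper for that is django.utils.html.format_html, which escapes every interpolated argument before marking the result safe; the stand-in below is an added example written with the standard library so it runs without Django (the function names and the http(s)/site-relative allowlist for the href are my own assumptions, not the asker's code).

```python
import html
from urllib.parse import urlsplit


def is_allowed_url(url):
    """Accept absolute http(s) URLs and site-relative paths only. Escaping
    alone does not stop an href that carries a non-http scheme, so the
    scheme is checked before the link is built (assumed policy)."""
    scheme = urlsplit(url).scheme.lower()
    if scheme in {"http", "https"}:
        return True
    # site-relative path: no scheme, single leading slash (not protocol-relative)
    return scheme == "" and url.startswith("/") and not url.startswith("//")


def admin_link(url, title):
    """Build the admin column link from the question without mark_safe on
    raw input: both values are HTML-escaped (quotes included), which is what
    Django's format_html does for each argument."""
    if not is_allowed_url(url):
        raise ValueError(f"refusing to link to {url!r}")
    return '<a href="{}" target="_blank">{}</a>'.format(
        html.escape(url, quote=True), html.escape(title, quote=True)
    )


if __name__ == "__main__":
    # Constructed sample input: an ampersand in the query string and
    # quotes/tags in the title, all of which come out escaped.
    print(admin_link("https://example.com/?a=1&b=2", 'Say "hi" <b>'))
```

In a Django admin class the equivalent one-liner is `format_html('<a href="{}" target="_blank">{}</a>', url, title)`, which bandit does not flag.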
I have the answer here:
Two ways:
- You can skip the B703 and B308 using the --skip argument to the command line.
- Or you can affix a comment # nosec on the line to skip.
https://bandit.readthedocs.io/en/latest/config.html#exclusions
A note on using # nosec with multi-line statements:
Given:
li_without_nosec = [
"select * from %s where 1 = 1 "
% "foo"
]
li_nosec_at_start_works = [ # nosec - ✅ and you can put a comment
"select * from %s where 1 = 1 "
% "foo"
]
# nosec - there's an enhancement request to marker above line
li_nosec_on_top_doesntwork = [
"select * from %s where 1 = 1 "
% "foo"
]
li_nosec_at_end_doesntwork = [
"select * from %s where 1 = 1 "
% "foo"
] # nosec
Output:
>> Issue: [B608:hardcoded_sql_expressions] Possible SQL injection vector through string-based query construction.
Severity: Medium Confidence: Low
Location: test.py:3
More Info: https://bandit.readthedocs.io/en/latest/plugins/b608_hardcoded_sql_expressions.html
2 li_without_nosec = [
3 "select * from %s where 1 = 1 "
4 % "foo"
5 ]
--------------------------------------------------
>> Issue: [B608:hardcoded_sql_expressions] Possible SQL injection vector through string-based query construction.
Severity: Medium Confidence: Low
Location: test.py:15
More Info: https://bandit.readthedocs.io/en/latest/plugins/b608_hardcoded_sql_expressions.html
14 li_nosec_on_top_doesntwork = [
15 "select * from %s where 1 = 1 "
16 % "foo"
17 ]
--------------------------------------------------
>> Issue: [B608:hardcoded_sql_expressions] Possible SQL injection vector through string-based query construction.
Severity: Medium Confidence: Low
Location: test.py:21
More Info: https://bandit.readthedocs.io/en/latest/plugins/b608_hardcoded_sql_expressions.html
20 li_nosec_at_end_doesntwork = [
21 "select * from %s where 1 = 1 "
22 % "foo"
23 ] # nosec
black
Hoping that black won't step in and restructure the lines, moving the # nosec.
Hope springs eternal... black does move things around, just as it does with pylint directives, whenever a line gets too long. At which point your # nosec is finished.
You can proactively break the line and put the # nosec in the first position. Or you can wait for black and then adjust as needed.
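The placement rule the output above demonstrates can be modelled in a few lines: bandit locates # nosec comments with the tokenizer (comments are not in the AST), and in the observed behaviour a comment silences a finding only when some node enclosing it starts on that line, which is why the first line of a multi-line statement works and a line above or the closing bracket does not. The following is an added example that reproduces that observation on the snippet from this answer; it is my own model of the rule, not bandit's code, and the "select"-prefix check is a stand-in for B608.

```python
import ast
import io
import tokenize

# Constructed sample: the four statements from the answer above (line 1 is the first line).
SAMPLE = '''\
li_without_nosec = [
    "select * from %s where 1 = 1 "
    % "foo"
]
li_nosec_at_start_works = [  # nosec - and you can put a comment
    "select * from %s where 1 = 1 "
    % "foo"
]
# nosec - a comment on its own line belongs to no statement
li_nosec_on_top_doesntwork = [
    "select * from %s where 1 = 1 "
    % "foo"
]
li_nosec_at_end_doesntwork = [
    "select * from %s where 1 = 1 "
    % "foo"
]  # nosec
'''


def nosec_lines(source):
    """Line numbers carrying a '# nosec' / '#nosec' comment, found via the tokenizer."""
    found = set()
    for tok in tokenize.generate_tokens(io.StringIO(source).readline):
        if tok.type == tokenize.COMMENT and tok.string.lstrip("# ").startswith("nosec"):
            found.add(tok.start[0])
    return found


def scan(source):
    """Report each '%'-formatted SQL string unless a node enclosing it starts
    on a nosec line. Returns (reported_lines, suppressed_lines)."""
    marked = nosec_lines(source)
    reported, suppressed = [], []

    def walk(node, under_nosec):
        # a statement whose first line carries # nosec covers its whole subtree
        under_nosec = under_nosec or getattr(node, "lineno", None) in marked
        if (isinstance(node, ast.BinOp) and isinstance(node.op, ast.Mod)
                and isinstance(node.left, ast.Constant)
                and isinstance(node.left.value, str)
                and node.left.value.lower().startswith("select")):
            (suppressed if under_nosec else reported).append(node.lineno)
        for child in ast.iter_child_nodes(node):
            walk(child, under_nosec)

    walk(ast.parse(source), False)
    return reported, suppressed
```

Running scan(SAMPLE) reports lines 2, 11 and 15 and suppresses only line 6, matching the three B608 findings above.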
Just to complete the topic: in my case I had to get rid of the B322: input rule, and I didn't want to write # nosec every time this issue was found in the code, or always run Bandit with the --skip flag.
So if you want to omit a rule for the whole solution, you can create a .bandit file in the root directory of the project. Then you can write down which rules should be skipped every time, for example:
[bandit]
skips: B322
Then Bandit will skip this check by default, and no extra comment is needed in the code.