# subprocess_Popen.py

import subprocess
import uuid

subprocess.Popen('touch ' + str(uuid.uuid1()) +'.txt', shell = True)


[dechin@dechin-manjaro bandit_test]$ python3 subprocess_Popen.py
[dechin@dechin-manjaro bandit_test]$ ll
总用量 4
-rw-r--r-- 1 dechin dechin 0 1月 26 23:03 b7aa0fc8-5fe7-11eb-b5d3-058313e110e4.txt
-rw-r--r-- 1 dechin dechin 123 1月 26 23:03 subprocess_Popen.py


# bad.py

from subprocess_Popen import subprocess as subprocess

subprocess.Popen('touch bad.txt', shell = True)

该代码的目的是在不直接import subprocess的条件下,通过前面创建好的subprocess_Popen.py来进行搭桥调用subprocess的功能函数。这个脚本的执行结果如下:

[dechin@dechin-manjaro bandit_test]$ python3 bad.py
[dechin@dechin-manjaro bandit_test]$ ll
总用量 12
-rw-r--r-- 1 dechin dechin 0 1月 26 23:13 0fda7ede-5fe9-11eb-80a8-ad279ab4e0a6.txt
-rw-r--r-- 1 dechin dechin 0 1月 26 23:03 b7aa0fc8-5fe7-11eb-b5d3-058313e110e4.txt
-rw-r--r-- 1 dechin dechin 113 1月 26 23:13 bad.py
-rw-r--r-- 1 dechin dechin 0 1月 26 23:13 bad.txt
drwxr-xr-x 2 dechin dechin 4096 1月 26 23:13 __pycache__
-rw-r--r-- 1 dechin dechin 123 1月 26 23:03 subprocess_Popen.py



用pip安 * andit


[dechin@dechin-manjaro bandit_test]$ python3 -m pip install bandit
Collecting bandit
Downloading bandit-1.7.0-py3-none-any.whl (115 kB)
|████████████████████████████████| 115 kB 101 kB/s
Requirement already satisfied: PyYAML>=5.3.1 in /home/dechin/anaconda3/lib/python3.8/site-packages (from bandit) (5.3.1)
Collecting GitPython>=1.0.1
Downloading GitPython-3.1.12-py3-none-any.whl (159 kB)
|████████████████████████████████| 159 kB 28 kB/s
Requirement already satisfied: six>=1.10.0 in /home/dechin/anaconda3/lib/python3.8/site-packages (from bandit) (1.15.0)
Collecting stevedore>=1.20.0
Downloading stevedore-3.3.0-py3-none-any.whl (49 kB)
|████████████████████████████████| 49 kB 25 kB/s
Collecting gitdb<5,>=4.0.1
Downloading gitdb-4.0.5-py3-none-any.whl (63 kB)
|████████████████████████████████| 63 kB 28 kB/s
Collecting pbr!=2.1.0,>=2.0.0
Downloading pbr-5.5.1-py2.py3-none-any.whl (106 kB)
|████████████████████████████████| 106 kB 26 kB/s
Collecting smmap<4,>=3.0.1
Downloading smmap-3.0.5-py2.py3-none-any.whl (25 kB)
Installing collected packages: smmap, gitdb, GitPython, pbr, stevedore, bandit
Successfully installed GitPython-3.1.12 bandit-1.7.0 gitdb-4.0.5 pbr-5.5.1 smmap-3.0.5 stevedore-3.3.0


[dechin@dechin-manjaro bandit_test]$ bandit -h
usage: bandit [-h] [-r] [-a {file,vuln}] [-n CONTEXT_LINES] [-c CONFIG_FILE] [-p PROFILE] [-t TESTS] [-s SKIPS] [-l] [-i] [-f {csv,custom,html,json,screen,txt,xml,yaml}] [--msg-template MSG_TEMPLATE] [-o [OUTPUT_FILE]] [-v] [-d] [-q]
 [--ignore-nosec] [-x EXCLUDED_PATHS] [-b BASELINE] [--ini INI_PATH] [--exit-zero] [--version]
 [targets [targets ...]]

Bandit - a Python source code security analyzer

positional arguments:
targets  source file(s) or directory(s) to be tested

optional arguments:
-h, --help  show this help message and exit
-r, --recursive find and process files in subdirectories
-a {file,vuln}, --aggregate {file,vuln}
  aggregate output by vulnerability (default) or by filename
  maximum number of code lines to output for each issue
-c CONFIG_FILE, --configfile CONFIG_FILE
  optional config file to use for selecting plugins and overriding defaults
-p PROFILE, --profile PROFILE
  profile to use (defaults to executing all tests)
-t TESTS, --tests TESTS
  comma-separated list of test IDs to run
-s SKIPS, --skip SKIPS
  comma-separated list of test IDs to skip
-l, --level  report only issues of a given severity level or higher (-l for LOW, -ll for MEDIUM, -lll for HIGH)
-i, --confidence report only issues of a given confidence level or higher (-i for LOW, -ii for MEDIUM, -iii for HIGH)
-f {csv,custom,html,json,screen,txt,xml,yaml}, --format {csv,custom,html,json,screen,txt,xml,yaml}
  specify output format
--msg-template MSG_TEMPLATE
  specify output message template (only usable with --format custom), see CUSTOM FORMAT section for list of available values
-o [OUTPUT_FILE], --output [OUTPUT_FILE]
  write report to filename
-v, --verbose  output extra information like excluded and included files
-d, --debug  turn on debug mode
-q, --quiet, --silent
  only show output in the case of an error
--ignore-nosec do not skip lines with # nosec comments
  comma-separated list of paths (glob patterns supported) to exclude from scan (note that these are in addition to the excluded paths provided in the config file) (default:
-b BASELINE, --baseline BASELINE
  path of a baseline report to compare against (only JSON-formatted files are accepted)
--ini INI_PATH path to a .bandit file that supplies command line arguments
--exit-zero  exit with 0, even with results found
--version  show program's version number and exit


Available tags:

{abspath}, {relpath}, {line}, {test_id},
{severity}, {msg}, {confidence}, {range}

Example usage:

Default template:
bandit -r examples/ --format custom --msg-template \
"{abspath}:{line}: {test_id}[bandit]: {severity}: {msg}"

Provides same output as:
bandit -r examples/ --format custom

Tags can also be formatted in python string.format() style:
bandit -r examples/ --format custom --msg-template \
"{relpath:20.20s}: {line:03}: {test_id:^8}: DEFECT: {msg:>20}"

See python documentation for more information about formatting style:

The following tests were discovered and loaded:
B101 assert_used
B102 exec_used
B103 set_bad_file_permissions
B104 hardcoded_bind_all_interfaces
B105 hardcoded_password_string
B106 hardcoded_password_funcarg
B107 hardcoded_password_default
B108 hardcoded_tmp_directory
B110 try_except_pass
B112 try_except_continue
B201 flask_debug_true
B301 pickle
B302 marshal
B303 md5
B304 ciphers
B305 cipher_modes
B306 mktemp_q
B307 eval
B308 mark_safe
B309 httpsconnection
B310 urllib_urlopen
B311 random
B312 telnetlib
B313 xml_bad_cElementTree
B314 xml_bad_ElementTree
B315 xml_bad_expatreader
B316 xml_bad_expatbuilder
B317 xml_bad_sax
B318 xml_bad_minidom
B319 xml_bad_pulldom
B320 xml_bad_etree
B321 ftplib
B323 unverified_context
B324 hashlib_new_insecure_functions
B325 tempnam
B401 import_telnetlib
B402 import_ftplib
B403 import_pickle
B404 import_subprocess
B405 import_xml_etree
B406 import_xml_sax
B407 import_xml_expat
B408 import_xml_minidom
B409 import_xml_pulldom
B410 import_lxml
B411 import_xmlrpclib
B412 import_httpoxy
B413 import_pycrypto
B501 request_with_no_cert_validation
B502 ssl_with_bad_version
B503 ssl_with_bad_defaults
B504 ssl_with_no_version
B505 weak_cryptographic_key
B506 yaml_load
B507 ssh_no_host_key_verification
B601 paramiko_calls
B602 subprocess_popen_with_shell_equals_true
B603 subprocess_without_shell_equals_true
B604 any_other_function_with_shell_equals_true
B605 start_process_with_a_shell
B606 start_process_with_no_shell
B607 start_process_with_partial_path
B608 hardcoded_sql_expressions
B609 linux_commands_wildcard_injection
B610 django_extra_used
B611 django_rawsql_used
B701 jinja2_autoescape_false
B702 use_of_mako_templates
B703 django_mark_safe




[dechin@dechin-manjaro bandit_test]$ bandit subprocess_Popen.py
[main] INFO profile include tests: None
[main] INFO profile exclude tests: None
[main] INFO cli include tests: None
[main] INFO cli exclude tests: None
[main] INFO running on Python 3.8.5
[node_visitor] INFO Unable to find qualified name for module: subprocess_Popen.py
Run started:2021-01-26 15:31:00.425603

Test results:
>> Issue: [B404:blacklist] Consider possible security implications associated with subprocess module.
Severity: Low Confidence: High
Location: subprocess_Popen.py:3
More Info: https://bandit.readthedocs.io/en/latest/blacklists/blacklist_imports.html#b404-import-subprocess
3 import subprocess
4 import uuid

>> Issue: [B602:subprocess_popen_with_shell_equals_true] subprocess call with shell=True identified, security issue.
Severity: High Confidence: High
Location: subprocess_Popen.py:6
More Info: https://bandit.readthedocs.io/en/latest/plugins/b602_subprocess_popen_with_shell_equals_true.html
6 subprocess.Popen('touch ' + str(uuid.uuid1()) +'.txt', shell = True)


Code scanned:
Total lines of code: 3
Total lines skipped (#nosec): 0

Run metrics:
Total issues (by severity):
 Undefined: 0.0
 Low: 1.0
 Medium: 0.0
 High: 1.0
Total issues (by confidence):
 Undefined: 0.0
 Low: 0.0
 Medium: 0.0
 High: 2.0
Files skipped (0):

通过对刚才所创建的调用了危险函数subprocess的py文件subprocess_Popen.py的扫描,我们识别出了其中的"危险函数",注意这里的Issue编号是602,定级是Severity: Low Confidence: High。但是如果我们用bandit去扫描利用了其他函数对危险函数的调用搭桥来二次调用的bad.py文件,我们发现是另外一种结果:

[dechin@dechin-manjaro bandit_test]$ bandit bad.py
[main] INFO profile include tests: None
[main] INFO profile exclude tests: None
[main] INFO cli include tests: None
[main] INFO cli exclude tests: None
[main] INFO running on Python 3.8.5
[node_visitor] INFO Unable to find qualified name for module: bad.py
Run started:2021-01-26 15:30:47.370468

Test results:                            
>> Issue: [B404:blacklist] Consider possible security implications associated with subprocess module.
Severity: Low Confidence: High                          
Location: bad.py:3                          
More Info: https://bandit.readthedocs.io/en/latest/blacklists/blacklist_imports.html#b404-import-subprocess                
3 from subprocess_Popen import subprocess as subprocess
5 subprocess.Popen('touch bad.txt', shell = True)

>> Issue: [B604:any_other_function_with_shell_equals_true] Function call with shell=True parameter identified, possible security issue.
Severity: Medium Confidence: Low                        
Location: bad.py:5                          
More Info: https://bandit.readthedocs.io/en/latest/plugins/b604_any_other_function_with_shell_equals_true.html                
5 subprocess.Popen('touch bad.txt', shell = True)


Code scanned:                            
Total lines of code: 2
Total lines skipped (#nosec): 0

Run metrics:                        
Total issues (by severity):
 Undefined: 0.0
 Low: 1.0
 Medium: 1.0
 High: 0.0
Total issues (by confidence):
 Undefined: 0.0
 Low: 1.0
 Medium: 0.0
 High: 1.0
Files skipped (0):

注意这里虽然实现的功能跟上面那个例子是一样的,但是这里的Issue编号为604,定级也变成了Severity: Medium Confidence: Low。这里的关键并不是定级变成了什么,而是定级被改变了,这是因为bandit是通过对字符串的处理来识别危险函数的,因此对于这种二次调用的特殊场景,bandit不一定都能够准确的识别出来对危险函数的调用,甚至可能出现二次调用后,完全无法识别风险函数的使用的可能性。


[dechin@dechin-manjaro bandit_test]$ bandit *.py -o test_bandit.txt -f txt
[main] INFO profile include tests: None
[main] INFO profile exclude tests: None
[main] INFO cli include tests: None
[main] INFO cli exclude tests: None
[main] INFO running on Python 3.8.5
[node_visitor] INFO Unable to find qualified name for module: bad.py
[node_visitor] INFO Unable to find qualified name for module: subprocess_Popen.py
[text] INFO Text output written to file: test_bandit.txt




[dechin@dechin-manjaro bandit_test]$ tree
├── bad.py
├── bad.txt
├── level2
│ └── test_random.py
├── subprocess_Popen.py
├── test_bandit.html
└── test_bandit.txt

1 directory, 6 files
[dechin@dechin-manjaro bandit_test]$ cat level2/test_random.py
# test_bandit.py

import random

a = random.random()


[dechin@dechin-manjaro bandit_test]$ bandit -r . -f html -o test_bandit.html
[main] INFO profile include tests: None
[main] INFO profile exclude tests: None
[main] INFO cli include tests: None
[main] INFO cli exclude tests: None
[main] INFO running on Python 3.8.5
[html] INFO HTML output written to file: test_bandit.html




skips: B404



在待扫描的py文件的对应风险函数后加上如 * 释,即可在bandit审计过程中自动忽略:

# bad.py

from subprocess_Popen import subprocess as sb

sb.Popen('touch bad.txt', shell = 1) # nosec





# gen.py

import os

with open('test_bandit_power.py', 'w') as py_file:
py_file.write('import subprocess as sb\n')
for i in range(10000):
py_file.write('sb.Popen(\'whoami\', shell = 1)\n')

通过执行python3 gen.py就可以生成一个10000行的危险函数文件test_bandit_power.py,大约300KB的大小。此时我们针对这单个的文件进行bandit扫描测试,我们发现这个过程极为漫长,并且生成了大量的错误日志:

[dechin@dechin-manjaro bandit_test]$ time bandit test_bandit_power.py -f html -o test_power.html
[main] INFO profile include tests: None
[main] INFO profile exclude tests: None
[main] INFO cli include tests: None
[main] INFO cli exclude tests: None
[main] INFO running on Python 3.8.5
[node_visitor] INFO Unable to find qualified name for module: test_bandit_power.py
[html] INFO HTML output written to file: test_power.html

real 0m6.239s
user 0m6.082s
sys 0m0.150s









