bandit
B411 error can't be resolved by the suggested change
Describe the bug
We recently faced the following bandit error in the oslo.serialization project. It seems bandit 1.7.6 contains the commit 3260f137873798b4b0c0c289373cc5e8fa2d93ed and now it rejects importing xmlrpc.
>> Issue: [B411:blacklist] Using client to parse untrusted XML data is known to be vulnerable to XML attacks. Use defused.xmlrpc.monkey_patch() function to monkey-patch xmlrpclib and mitigate XML vulnerabilities.
Severity: High Confidence: High
CWE: CWE-20 (https://cwe.mitre.org/data/definitions/20.html)
More Info: https://bandit.readthedocs.io/en/1.7.6/blacklists/blacklist_imports.html#b411-import-xmlrpclib
Location: oslo_serialization/jsonutils.py:40:0
38 import json
39 import uuid
40 from xmlrpc import client as xmlrpclib
41
42 from oslo_utils import encodeutils
However, bandit still detects the error even if we add the monkey_patch as suggested by the message.
Reproduction steps
- Run bandit on the code
from xmlrpc import client as xmlrpclib
- B411 error is detected
- Update the code to include the suggested change
import defusedxml.xmlrpc
from xmlrpc import client as xmlrpclib
defusedxml.xmlrpc.monkey_patch()
- Run bandit again and it still detects the same error
Expected behavior
The execution at step 4 does not detect the error.
Bandit version
1.7.6 (Default)
Python version
3.11
Additional context
No response
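The behaviour reported above follows from how bandit's blacklist-import checks work: B411 is raised on the Import/ImportFrom node itself when the module name matches, and the check does not look for a later defusedxml.xmlrpc.monkey_patch() call, so step 4 still produces the same finding. The script below is an added, simplified re-implementation of that matching written for this issue (it is not bandit's code and not part of oslo.serialization); the module list in B411_MODULES and the three sample sources are constructed assumptions based on the reproduction steps. It also honours bandit's documented "# nosec" / "# nosec B411" line marker, which is the supported way to record that the finding has been reviewed once the monkey-patch is in place.

```python
import ast
import io
import tokenize

# Module names treated as the B411 blacklist (assumed; bandit keeps its own list).
B411_MODULES = {"xmlrpclib", "xmlrpc", "xmlrpc.client"}


def _nosec_lines(source):
    """Map line number -> set of test ids for lines carrying a '# nosec' comment.

    An empty set means a bare '# nosec' (suppresses every finding on that line).
    """
    result = {}
    for tok in tokenize.generate_tokens(io.StringIO(source).readline):
        if tok.type == tokenize.COMMENT and "nosec" in tok.string:
            ids = set(tok.string.split("nosec", 1)[1].replace(",", " ").split())
            result[tok.start[0]] = ids
    return result


def find_b411(source):
    """Flag every import of an xmlrpc module, exactly like an import-level check:
    the presence of monkey_patch() elsewhere in the file is never consulted."""
    tree = ast.parse(source)
    nosec = _nosec_lines(source)
    findings = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            names = [alias.name for alias in node.names]
        elif isinstance(node, ast.ImportFrom):
            base = node.module or ""
            names = [f"{base}.{alias.name}" if base else alias.name for alias in node.names]
        else:
            continue
        for name in names:
            top = name.split(".")[0]
            if name in B411_MODULES or top in B411_MODULES:
                ids = nosec.get(node.lineno)
                suppressed = ids is not None and (not ids or "B411" in ids)
                if not suppressed:
                    findings.append((node.lineno, name))
    return findings


def calls_monkey_patch(source):
    """True if the file calls defusedxml.xmlrpc.monkey_patch() somewhere (the
    mitigation the finding text asks for); this is a separate question from B411."""
    for node in ast.walk(ast.parse(source)):
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                and node.func.attr == "monkey_patch"):
            return True
    return False


def report(source):
    """Combine both views so a reviewer can see 'flagged but mitigated' at a glance."""
    return {"findings": find_b411(source), "monkey_patched": calls_monkey_patch(source)}


# Constructed samples mirroring the reproduction steps in this issue.
BEFORE = "import json\nfrom xmlrpc import client as xmlrpclib\n"
AFTER = (
    "import defusedxml.xmlrpc\n"
    "from xmlrpc import client as xmlrpclib\n"
    "defusedxml.xmlrpc.monkey_patch()\n"
)
SUPPRESSED = (
    "import defusedxml.xmlrpc\n"
    "from xmlrpc import client as xmlrpclib  # nosec B411\n"
    "defusedxml.xmlrpc.monkey_patch()\n"
)

if __name__ == "__main__":
    for label, src in (("before", BEFORE), ("after", AFTER), ("suppressed", SUPPRESSED)):
        print(label, report(src))
```

Running it shows the same finding for BEFORE and AFTER (the import line is identical in both), while `monkey_patched` flips to True only for AFTER; the SUPPRESSED sample keeps the mitigation and clears the finding through the line marker rather than by removing the import.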