
#nosec doesn't work with multi-line strings and Python 3.10

Open marcinbarczynski opened this issue 2 years ago • 1 comments

Describe the bug

Skipping B608:hardcoded_sql_expressions with # nosec doesn't work if the string has multiple lines. It worked on Python 3.7 but doesn't work on Python 3.10.

Reproduction steps

1. Create the following file:

table = "demo"
nosec_working = f"""SELECT * FROM {table}"""  # nosec


nosec_not_working = f"""
    SELECT * FROM {table}
"""  # nosec
2. Run bandit on the file:
$ bandit --version
bandit 1.7.4
  python version = 3.10.3 (main, Mar 23 2022, 13:56:45) [GCC 8.4.0]

$ bandit test-bandit.py 
[main]	INFO	profile include tests: None
[main]	INFO	profile exclude tests: None
[main]	INFO	cli include tests: None
[main]	INFO	cli exclude tests: None
[main]	INFO	running on Python 3.10.3
[node_visitor]	WARNING	Unable to find qualified name for module: test-bandit.py
Run started:2022-04-07 10:16:31.742923

Test results:
>> Issue: [B608:hardcoded_sql_expressions] Possible SQL injection vector through string-based query construction.
   Severity: Medium   Confidence: Low
   CWE: CWE-89 (https://cwe.mitre.org/data/definitions/89.html)
   Location: test-bandit.py:5:20
   More Info: https://bandit.readthedocs.io/en/1.7.4/plugins/b608_hardcoded_sql_expressions.html
4	
5	nosec_not_working = f"""
6	    SELECT * FROM {table}
7	"""  # nosec

--------------------------------------------------

Code scanned:
	Total lines of code: 5
	Total lines skipped (#nosec): 1

Run metrics:
	Total issues (by severity):
		Undefined: 0
		Low: 0
		Medium: 1
		High: 0
	Total issues (by confidence):
		Undefined: 0
		Low: 1
		Medium: 0
		High: 0
Files skipped (0):
3. Works fine with Python 3.7:
$ bandit --version
bandit 1.7.4
  python version = 3.7.13 (default, Mar 23 2022, 13:54:39) [GCC 8.4.0]

$ bandit test-bandit.py 
[main]	INFO	profile include tests: None
[main]	INFO	profile exclude tests: None
[main]	INFO	cli include tests: None
[main]	INFO	cli exclude tests: None
[main]	INFO	running on Python 3.7.13
[node_visitor]	WARNING	Unable to find qualified name for module: test-bandit.py
Run started:2022-04-07 10:17:57.194122

Test results:
	No issues identified.

Code scanned:
	Total lines of code: 5
	Total lines skipped (#nosec): 2

Run metrics:
	Total issues (by severity):
		Undefined: 0
		Low: 0
		Medium: 0
		High: 0
	Total issues (by confidence):
		Undefined: 0
		Low: 0
		Medium: 0
		High: 0
Files skipped (0):

Expected behavior

Bandit should skip all issues marked with #nosec.

Bandit version

1.7.4 (Default)

Python version

3.10 (Default)

Additional context

No response

marcinbarczynski avatar Apr 07 '22 10:04 marcinbarczynski
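To show why the closing-line `# nosec` stops matching, here is an added example (my own code, not bandit's) that parses the reproduction file with the standard `ast` and `tokenize` modules. On Python 3.8 and later a multi-line string node reports its first line as `lineno` and also carries `end_lineno`; a suppression check that only compares the comment's line against `lineno` misses a `# nosec` placed on the closing `"""` line, while a check over the whole `lineno..end_lineno` span catches it. The helpers `nosec_lines`, `suppressed_by_first_line`, `suppressed_by_span` and `scan` are names I made up for this illustration.

```python
import ast
import io
import tokenize

# Constructed copy of the test-bandit.py file from the issue (7 lines).
SOURCE = '''table = "demo"
nosec_working = f"""SELECT * FROM {table}"""  # nosec


nosec_not_working = f"""
    SELECT * FROM {table}
"""  # nosec
'''


def nosec_lines(source):
    """Return the set of line numbers that carry a '# nosec' comment."""
    lines = set()
    for tok in tokenize.generate_tokens(io.StringIO(source).readline):
        if tok.type == tokenize.COMMENT and "nosec" in tok.string:
            lines.add(tok.start[0])
    return lines


def sql_string_nodes(source):
    """Yield the f-string nodes (the shape B608 inspects), in line order."""
    nodes = [n for n in ast.walk(ast.parse(source)) if isinstance(n, ast.JoinedStr)]
    return sorted(nodes, key=lambda n: n.lineno)


def suppressed_by_first_line(node, skip):
    """Naive check: only the line the node starts on is compared."""
    return node.lineno in skip


def suppressed_by_span(node, skip):
    """Span check: every line from lineno to end_lineno (3.8+) is compared."""
    end = getattr(node, "end_lineno", node.lineno)
    return any(line in skip for line in range(node.lineno, end + 1))


def scan(source, suppressor):
    """Return (start line, suppressed?) for each f-string in the source."""
    skip = nosec_lines(source)
    return [(n.lineno, suppressor(n, skip)) for n in sql_string_nodes(source)]


if __name__ == "__main__":
    print("first-line check:", scan(SOURCE, suppressed_by_first_line))
    print("span check:      ", scan(SOURCE, suppressed_by_span))
```

Run on Python 3.8 or later, the first-line check reports the string starting on line 5 as not suppressed (the comment sits on line 7), and the span check reports both strings as suppressed.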

@ericwb I created a pull request (915) with a fix for this issue. Could you please review it?

kfrydel avatar Jun 30 '22 07:06 kfrydel