
general_bad_file_permission only works for mode as int

Open ericwb opened this issue 3 years ago • 2 comments

Describe the bug

The testing of the general_bad_file_permission plugin makes it appear it can test the mode argument as an int or as constant from the stat module.

However, the plugin checks whether the mode argument is an int only. If the argument is stat.S_IXOTH for example, the argument would be a str.

This is a prime example of how the current model of testing based on counts of severity and confidence instead of whether or not each line is an issue or not.

Reproduction steps

1. Review general_bad_file_permission.py
2. Notice the check for isinstance(mode, int)
3. If you add debug to print mode when passed as "stat.S_IXOTH", you'll notice it's not an int.

Expected behavior

Either the plugin needs to handle stat constants or claim it can't. Right now, there is a false impression that it can.

Bandit version

1.7.4 (Default)

Python version

3.10 (Default)

Additional context

No response

ericwb avatar Jul 14 '22 22:07 ericwb

Here's a couple of examples where Bandit would not find anything wrong:

```python
import os
import stat

# Mode 0o777 built from stat constants: not an int at analysis time, so the plugin is silent.
os.chmod(
    '~/hidden_exec',
    stat.S_IRUSR | stat.S_IWUSR | stat.S_IXUSR | stat.S_IRGRP | stat.S_IWGRP | stat.S_IXGRP | stat.S_IROTH | stat.S_IWOTH | stat.S_IXOTH
)
# A single stat constant is likewise a name, not an int, when the plugin looks at it.
os.chmod('~/hidden_exec', stat.S_IXOTH)
```

ericwb avatar Jul 14 '22 23:07 ericwb
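One way a plugin could handle the stat-constant case described in the issue body and in the two calls above, as an added example that is not Bandit's code: fold `stat.S_*` attributes and `|` expressions into an int before applying the mode checks. The `resolve_mode`, `mode_of` and `check_chmod_calls` helpers are hypothetical, and the severities applied (world-writable HIGH, group-executable MEDIUM) are assumed to mirror what the plugin reports.

```python
import ast
import stat

# Hypothetical helper (added example, not Bandit's code): fold a chmod mode
# argument written as an int literal, a stat constant, or stat constants
# OR'ed together into a plain int; anything else yields None.
def resolve_mode(node):
    if isinstance(node, ast.Constant) and isinstance(node.value, int):
        return node.value
    if (isinstance(node, ast.Attribute) and isinstance(node.value, ast.Name)
            and node.value.id == "stat" and node.attr.startswith("S_")):
        return getattr(stat, node.attr, None)
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.BitOr):
        left, right = resolve_mode(node.left), resolve_mode(node.right)
        return None if left is None or right is None else left | right
    return None

def mode_of(expr):
    """Resolve a mode expression given as source text, e.g. 'stat.S_IXOTH'."""
    return resolve_mode(ast.parse(expr, mode="eval").body)

def check_chmod_calls(source):
    """Return (lineno, mode, severity) for each os.chmod call whose resolved
    mode is world-writable (HIGH) or group-executable (MEDIUM)."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                and node.func.attr == "chmod" and isinstance(node.func.value, ast.Name)
                and node.func.value.id == "os" and len(node.args) >= 2):
            continue
        mode = resolve_mode(node.args[1])
        if mode is None:
            continue  # unresolvable expression: the plugin can only stay silent
        if mode & stat.S_IWOTH:
            findings.append((node.lineno, mode, "HIGH"))
        elif mode & stat.S_IXGRP:
            findings.append((node.lineno, mode, "MEDIUM"))
    return findings

# Constructed sample: the two calls from the issue plus two int-literal calls.
SAMPLE = """
import os, stat
os.chmod('~/hidden_exec', stat.S_IRUSR | stat.S_IWUSR | stat.S_IXUSR | stat.S_IRGRP | stat.S_IWGRP | stat.S_IXGRP | stat.S_IROTH | stat.S_IWOTH | stat.S_IXOTH)
os.chmod('~/hidden_exec', stat.S_IXOTH)
os.chmod('/tmp/x', 0o777)
os.chmod('/tmp/y', 0o600)
"""
```

Running `check_chmod_calls(SAMPLE)` flags lines 3 and 5 (both resolve to 0o777) as HIGH, while the second call from the issue resolves to 0o1 and trips neither check, so resolving stat constants and deciding what is reportable remain separate questions.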

This is interesting. If no one else is working on this I would like to take a crack at it.

noliverio avatar Sep 04 '22 00:09 noliverio