
B603 false positive?


Describe the bug

I don’t understand how I should "check for untrusted input".

To Reproduce

Steps to reproduce the behavior:

With the code:

import shlex
import subprocess

def foo():
    args = shlex.split("git rev-parse HEAD")
    return str(subprocess.check_output(args, shell=False), "utf-8").strip()

Gives Issue: [B603:subprocess_without_shell_equals_true] subprocess call - check for execution of untrusted input. I don’t understand how this is shell equals true given that “shell=False” is passed, nor how this is untrusted input.

Expected behavior

This line shouldn’t be flagged as a warning

Bandit version

bandit --version
bandit 1.4.0

Additional context


Top GitHub Comments

pzelnip commented, Jul 11, 2018 (11 reactions)

I see your point, but I suppose I’m having trouble seeing how you could possibly use subprocess.check_output without triggering B603. I.e. I get that all it sees is args and it has no idea if args is trusted or not, but even if I put the string literal into the call:

    return str(
        subprocess.check_output("git rev-parse HEAD".split(), shell=False), "utf-8"
    ).strip()

I still trigger B603. As such this feels more like “don’t use subprocess.check_output” rather than “make sure the input to subprocess.check_output is trusted”, so it feels like the description of B603 is misleading/not helpful. Or am I missing a way to use subprocess.check_output without triggering B603?

bcaller commented, Jul 11, 2018 (7 reactions)

Actually you’re right. My apologies. I checked the code and the test is a bit dumb. It will flag any use of check_output regardless. The example in the test’s docstring is subprocess.check_output(['/bin/ls', '-l']) which I wouldn’t consider vulnerable to injection.

I agree with you that the test should be improved to decrease obvious false positives.
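One way to act on that conclusion, as an added example that is not from the issue or from Bandit itself: keep the argv a literal list plus one validated value, and confirm with a small child process that shell=False hands that list over with no shell parsing. The names is_safe_ref, git_rev_parse and child_sees are chosen here; the "# nosec B603" comment records a reviewed line (the per-test-id form needs a Bandit newer than the 1.4.0 shown above, while a bare "# nosec" works in any version).

```python
import re
import shlex
import subprocess
import sys

# Conservative allowlist for a git ref passed as one argv element: no shell
# metacharacters, and no leading '-' so the child cannot read it as an option.
_REF_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._/-]*$")


def is_safe_ref(ref: str) -> bool:
    """The 'check for untrusted input' that B603 asks for, for one argument."""
    return bool(_REF_RE.match(ref)) and ".." not in ref


def git_rev_parse(ref: str = "HEAD") -> str:
    """The function from the issue, with the only variable argument validated.

    Bandit still reports B603 because it cannot see that the list is a literal
    plus a checked value; after review, the nosec marker records that decision.
    """
    if not is_safe_ref(ref):
        raise ValueError(f"refusing unsafe ref: {ref!r}")
    args = shlex.split("git rev-parse") + [ref]
    return subprocess.check_output(args, shell=False).decode("utf-8").strip()  # nosec B603


def child_sees(value: str) -> str:
    """Pass `value` as a single argv element and return what the child received.

    Runs the current Python interpreter (so no git is needed) with a one-line
    program that prints its first argument. With shell=False the list goes to
    the OS unchanged, so ';', '$' and spaces arrive verbatim instead of being
    interpreted by a shell.
    """
    args = [sys.executable, "-c", "import sys; print(sys.argv[1])", value]
    return subprocess.check_output(args, shell=False).decode("utf-8").strip()  # nosec B603


if __name__ == "__main__":
    print(child_sees("HEAD; echo injected"))  # prints the string literally
```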

