#nosec not working for multi-line strings in python 3.8

The Problem

Starting with python3.8, adding #nosec after a multi-line string has no effect. This was not the case in python 3.6 (and I think also 3.7).

How to Reproduce

Prepare two sample python source files

success.py:

table = "my_table"
query = f"SELECT * FROM {table}"  # nosec

fail.py:

table = "my_table"
query = f"""
SELECT *
FROM {table}
"""  # nosec

Set up python3.6 and python3.8 environments

$ python3.6 -m venv venv36
$ python3.8 -m venv venv38

Run bandit using python3.6

$ source ./venv36/bin/activate
$ pip install bandit==1.6.3

Run bandit on success.py – no issues.

$ bandit success.py
[main]  INFO    profile include tests: None
[main]  INFO    profile exclude tests: None
[main]  INFO    cli include tests: None
[main]  INFO    cli exclude tests: None
[main]  INFO    running on Python 3.6.12
[node_visitor]  INFO    Unable to find qualified name for module: success.py
Run started:2020-12-07 14:35:50.699373

Test results:
        No issues identified.

Code scanned:
        Total lines of code: 2
        Total lines skipped (#nosec): 1

Run metrics:
        Total issues (by severity):
                Undefined: 0.0
                Low: 0.0
                Medium: 0.0
                High: 0.0
        Total issues (by confidence):
                Undefined: 0.0
                Low: 0.0
                Medium: 0.0
                High: 0.0
Files skipped (0):

Run bandit on fail.py – no issues either.

$ bandit fail.py
[main]  INFO    profile include tests: None
[main]  INFO    profile exclude tests: None
[main]  INFO    cli include tests: None
[main]  INFO    cli exclude tests: None
[main]  INFO    running on Python 3.6.12
[node_visitor]  INFO    Unable to find qualified name for module: fail.py
Run started:2020-12-07 14:25:36.277457

Test results:
        No issues identified.

Code scanned:
        Total lines of code: 5
        Total lines skipped (#nosec): 1

Run metrics:
        Total issues (by severity):
                Undefined: 0.0
                Low: 0.0
                Medium: 0.0
                High: 0.0
        Total issues (by confidence):
                Undefined: 0.0
                Low: 0.0
                Medium: 0.0
                High: 0.0
Files skipped (0):
$ deactivate

Run bandit in python3.8

$ source ./venv38/bin/activate
$ pip install bandit==1.6.3

Run bandit on success.py – no issues.

$ bandit success.py 
[main]  INFO    profile include tests: None
[main]  INFO    profile exclude tests: None
[main]  INFO    cli include tests: None
[main]  INFO    cli exclude tests: None
[main]  INFO    running on Python 3.8.6
[node_visitor]  INFO    Unable to find qualified name for module: success.py
Run started:2020-12-07 14:37:02.909155

Test results:
        No issues identified.

Code scanned:
        Total lines of code: 2
        Total lines skipped (#nosec): 1

Run metrics:
        Total issues (by severity):
                Undefined: 0.0
                Low: 0.0
                Medium: 0.0
                High: 0.0
        Total issues (by confidence):
                Undefined: 0.0
                Low: 0.0
                Medium: 0.0
                High: 0.0
Files skipped (0):

Run bandit on fail.py – one issue is reported.

$ bandit fail.py           
[main]  INFO    profile include tests: None
[main]  INFO    profile exclude tests: None
[main]  INFO    cli include tests: None
[main]  INFO    cli exclude tests: None
[main]  INFO    running on Python 3.8.6
[node_visitor]  INFO    Unable to find qualified name for module: fail.py
Run started:2020-12-07 14:26:41.664117

Test results:
>> Issue: [B608:hardcoded_sql_expressions] Possible SQL injection vector through string-based query construction.
   Severity: Medium   Confidence: Low
   Location: fail.py:2
   More Info: https://bandit.readthedocs.io/en/latest/plugins/b608_hardcoded_sql_expressions.html
1       table = "my_table"
2       query = f"""
3       SELECT *
4       FROM {table}
5       """  # nosec

--------------------------------------------------

Code scanned:
        Total lines of code: 5
        Total lines skipped (#nosec): 0

Run metrics:
        Total issues (by severity):
                Undefined: 0.0
                Low: 0.0
                Medium: 1.0
                High: 0.0
        Total issues (by confidence):
                Undefined: 0.0
                Low: 1.0
                Medium: 0.0
                High: 0.0
Files skipped (0):
$ deactivate

Expected Behaviour

The #nosec clause should work both in python3.6 and python3.8. In this concrete example, bandit fail.py should not fail in python3.8.

Bandit Version

On python3.6:

$ bandit --version
bandit 1.6.3
  python version = 3.6.12 (default, Nov  6 2020, 13:08:49) [GCC Apple LLVM 12.0.0 (clang-1200.0.32.21)]

On python3.8

$ bandit --version
bandit 1.6.3
  python version = 3.8.6 (default, Nov  6 2020, 13:26:24) [Clang 12.0.0 (clang-1200.0.32.21)]

Issue Analytics

  • State: open
  • Created 3 years ago
  • Reactions: 26
  • Comments: 7

Top GitHub Comments

10 reactions
CarliJoy commented, Feb 10, 2022

A black compatible workaround

# fmt: off
query = (  # nosec
    f"""
    SELECT something,
    WHERE foobar = {bar}
    """
)
# fmt: on

Still please fix. Especially using black this can be a pain in the ass 😉
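The following script is an added example; it is not code from the issue, from the comment above, or from bandit itself. It reproduces the mechanism behind the report and the workaround: on Python 3.8 the AST node for a multi-line string reports its first line as `lineno` (and gains `end_lineno`), whereas older interpreters reported the last line, so a checker that only compares the comment's line against `node.lineno` no longer sees a trailing `# nosec`. The parenthesised workaround puts the comment on the first line of the enclosing assignment, which is why first-line matching still catches it. The sample files are embedded as strings, `bar` is defined so the workaround parses, and `nosec_lines` / `suppressed` are a simplified model of a visitor that skips a node (and its subtree) when it or an enclosing node carries the comment, written here for illustration.

```python
"""Added example, not code from the issue or from bandit: show why a trailing
'# nosec' on a multi-line string is not seen on Python 3.8, and compare two
ways a checker can match suppression comments against AST nodes.

Everything here is a simplified model: 'nosec_lines' collects comment lines
with the tokenizer, and 'suppressed' imitates a visitor that skips a node when
it, or an enclosing node, carries the comment. Neither is bandit's own code.
"""
import ast
import io
import sys
import tokenize

PY38_PLUS = sys.version_info >= (3, 8)

# The two sample files from the issue, embedded so the script runs offline.
SUCCESS_PY = (
    'table = "my_table"\n'
    'query = f"SELECT * FROM {table}"  # nosec\n'
)
FAIL_PY = (
    'table = "my_table"\n'
    'query = f"""\n'
    'SELECT *\n'
    'FROM {table}\n'
    '"""  # nosec\n'
)
# The parenthesised workaround from the comments, with 'bar' defined so it parses.
WORKAROUND_PY = (
    'bar = "x"\n'
    '# fmt: off\n'
    'query = (  # nosec\n'
    '    f"""\n'
    '    SELECT something,\n'
    '    WHERE foobar = {bar}\n'
    '    """\n'
    ')\n'
    '# fmt: on\n'
)


def nosec_lines(source):
    """Line numbers carrying a '# nosec' comment. Using the tokenizer (rather
    than searching text) means 'nosec' inside a string literal does not count."""
    found = set()
    for tok in tokenize.generate_tokens(io.StringIO(source).readline):
        if tok.type == tokenize.COMMENT and "nosec" in tok.string:
            found.add(tok.start[0])
    return found


def string_span(source):
    """(lineno, end_lineno) of the first f-string node; end_lineno is None
    before Python 3.8, where multi-line strings also reported their last line."""
    node = next(n for n in ast.walk(ast.parse(source)) if isinstance(n, ast.JoinedStr))
    return node.lineno, getattr(node, "end_lineno", None)


def _fstrings_with_ancestors(tree):
    """Yield (node, ancestors) for every f-string node, outermost ancestor first."""
    def walk(node, ancestors):
        if isinstance(node, ast.JoinedStr):
            yield node, ancestors
        for child in ast.iter_child_nodes(node):
            yield from walk(child, ancestors + [node])
    yield from walk(tree, [])


def suppressed(source, span=False):
    """True when every f-string in 'source' is covered by a '# nosec'.

    span=False: a node is covered only if its own lineno, or an ancestor's,
    carries the comment (first-line matching, the behaviour the issue hits).
    span=True: the comment may sit on any line from lineno to end_lineno of
    the node or an ancestor, so a trailing '# nosec' on a multi-line string
    is honoured again.
    """
    nosec = nosec_lines(source)
    tree = ast.parse(source)
    verdicts = []
    for node, ancestors in _fstrings_with_ancestors(tree):
        chain = [n for n in ancestors + [node] if hasattr(n, "lineno")]
        if span:
            hit = any(
                any(ln in nosec for ln in range(n.lineno, getattr(n, "end_lineno", n.lineno) + 1))
                for n in chain
            )
        else:
            hit = any(n.lineno in nosec for n in chain)
        verdicts.append(hit)
    return bool(verdicts) and all(verdicts)


if __name__ == "__main__":
    for name, src in [("success.py", SUCCESS_PY), ("fail.py", FAIL_PY), ("workaround", WORKAROUND_PY)]:
        print(f"{name:12} span={string_span(src)} first-line={suppressed(src)} range={suppressed(src, span=True)}")
```

Run it under a 3.8+ interpreter and `fail.py` reports span `(2, 5)`, is not suppressed by first-line matching, and is suppressed once the whole line range is considered; `success.py` and the workaround pass either way. The range-based rule has a cost worth knowing when reviewing suppressions: a single `# nosec` closing a multi-line statement then silences every finding on every line of that statement, which is broader than the per-line suppression a reader of the comment might expect.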

5 reactions
michiel-nwa commented, Mar 4, 2022

I’m not able to get any of the mentioned workarounds to work. Only thing that worked for me for now was downgrading back to bandit 1.6.2.
