blacklist_imports — Bandit documentation (2024)

Blacklist various Python imports known to be dangerous

This blacklist data checks for a number of Python modules known to have possible security implications. The following blacklist tests are run against any import statement or call encountered in the scanned code base. A hit reports the import itself; the severity reflects how strongly a bare import indicates a real problem, so a low-severity hit (for example subprocess) is a prompt to inspect how the module is used, not a vulnerability on its own.

Note that the XML rules listed here are mostly based on Christian Heimes' work on defusedxml: https://pypi.org/project/defusedxml/
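To make the mechanism concrete, here is a small stand-alone checker, written for this page as an added example and not Bandit's own code, that walks a module's AST and reports imports matching a subset of the B4xx blacklist below. It handles both `import a.b` and `from a import b` (the latter is checked as `a` and as `a.b`), treats a blacklisted prefix as covering its submodules, and de-duplicates hits per line. Unlike Bandit it does not inspect call sites, and the sample source it scans is constructed for the example.

```python
import ast

# Subset of the B4xx import blacklist on this page: test ID -> (severity, module prefixes).
BLACKLIST = {
    "B401": ("high", ("telnetlib",)),
    "B402": ("high", ("ftplib",)),
    "B404": ("low", ("subprocess",)),
    "B405": ("low", ("xml.etree.cElementTree", "xml.etree.ElementTree")),
    "B406": ("low", ("xml.sax",)),
    "B407": ("low", ("xml.dom.expatbuilder",)),
    "B408": ("low", ("xml.dom.minidom",)),
    "B409": ("low", ("xml.dom.pulldom",)),
    "B410": ("low", ("lxml",)),
    "B411": ("high", ("xmlrpclib",)),
    "B412": ("high", ("wsgiref.handlers.CGIHandler", "twisted.web.twcgi.CGIScript")),
    "B413": ("high", tuple("Crypto." + m for m in (
        "Cipher", "Hash", "IO", "Protocol", "PublicKey", "Random", "Signature", "Util"))),
}


def _imported_names(tree):
    """Yield (lineno, dotted name) for every module an import statement refers to."""
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                yield node.lineno, alias.name
        elif isinstance(node, ast.ImportFrom) and node.module and node.level == 0:
            # `from a.b import c` refers to a.b and to a.b.c; check both forms.
            yield node.lineno, node.module
            for alias in node.names:
                yield node.lineno, f"{node.module}.{alias.name}"


def _matches(name, prefix):
    # A blacklisted prefix also covers its submodules (xml.sax covers xml.sax.handler).
    return name == prefix or name.startswith(prefix + ".")


def scan_source(source, filename="<string>"):
    """Return [(test_id, severity, lineno, name)] for blacklisted imports, in line order."""
    tree = ast.parse(source, filename)
    findings, seen = [], set()
    for lineno, name in _imported_names(tree):
        for test_id, (severity, prefixes) in BLACKLIST.items():
            if any(_matches(name, p) for p in prefixes) and (test_id, lineno) not in seen:
                seen.add((test_id, lineno))
                findings.append((test_id, severity, lineno, name))
    return sorted(findings, key=lambda f: f[2])


# Constructed sample input for the example; not code from any real project.
SAMPLE_SOURCE = """\
import telnetlib
import subprocess
from xml.etree import ElementTree as ET
from Crypto.Cipher import AES
import json
"""

if __name__ == "__main__":
    for test_id, severity, lineno, name in scan_source(SAMPLE_SOURCE, "sample.py"):
        print(f"sample.py:{lineno}: {test_id} [{severity}] import of {name}")
```

Running it on the sample reports B401, B404, B405 and B413 on lines 1 to 4 and nothing for json; the `from Crypto.Cipher import AES` line produces a single B413 hit even though both `Crypto.Cipher` and `Crypto.Cipher.AES` match.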

B401: import_telnetlib

A telnet-related module is being imported. Telnet is considered insecure because it sends credentials and session data in cleartext. Use SSH or some other encrypted protocol.

ID: B401
Name: import_telnetlib
Imports:
  • telnetlib
Severity: high

B402: import_ftplib

An FTP-related module is being imported. FTP is considered insecure because credentials and file contents cross the network in cleartext. Use SSH/SFTP/SCP or some other encrypted protocol.

ID: B402
Name: import_ftplib
Imports:
  • ftplib
Severity: high

B404: import_subprocess

Consider possible security implications associated with the subprocess module. Importing it is not a defect in itself, which is why the severity is low; the risk lies in call sites that build a command line from untrusted input and run it with shell=True, which permits command injection. Bandit reports such call sites with its separate subprocess call checks.

ID: B404
Name: import_subprocess
Imports:
  • subprocess
Severity: low

B405: import_xml_etree

Using various methods to parse untrusted XML data is known to be vulnerable to XML attacks; the standard-library parsers expand entities by default, so a small document can cause exponential (billion laughs) or quadratic entity expansion. Replace vulnerable imports with the equivalent defusedxml package, or make sure defusedxml.defuse_stdlib() is called.

ID: B405
Name: import_xml_etree
Imports:
  • xml.etree.cElementTree
  • xml.etree.ElementTree
Severity: low

B406: import_xml_sax

Using various methods to parse untrusted XML data is known to be vulnerable to XML attacks; the standard-library parsers expand entities by default, so a small document can cause exponential (billion laughs) or quadratic entity expansion. Replace vulnerable imports with the equivalent defusedxml package, or make sure defusedxml.defuse_stdlib() is called.

ID: B406
Name: import_xml_sax
Imports:
  • xml.sax
Severity: low

B407: import_xml_expat

Using various methods to parse untrusted XML data is known to be vulnerable to XML attacks; the standard-library parsers expand entities by default, so a small document can cause exponential (billion laughs) or quadratic entity expansion. Replace vulnerable imports with the equivalent defusedxml package, or make sure defusedxml.defuse_stdlib() is called.

ID: B407
Name: import_xml_expat
Imports:
  • xml.dom.expatbuilder
Severity: low

B408: import_xml_minidom

Using various methods to parse untrusted XML data is known to be vulnerable to XML attacks; the standard-library parsers expand entities by default, so a small document can cause exponential (billion laughs) or quadratic entity expansion. Replace vulnerable imports with the equivalent defusedxml package, or make sure defusedxml.defuse_stdlib() is called.

ID: B408
Name: import_xml_minidom
Imports:
  • xml.dom.minidom
Severity: low

B409: import_xml_pulldom

Using various methods to parse untrusted XML data is known to be vulnerable to XML attacks; the standard-library parsers expand entities by default, so a small document can cause exponential (billion laughs) or quadratic entity expansion. Replace vulnerable imports with the equivalent defusedxml package, or make sure defusedxml.defuse_stdlib() is called.

ID: B409
Name: import_xml_pulldom
Imports:
  • xml.dom.pulldom
Severity: low

B410: import_lxml

Using various methods to parse untrusted XML data is known to be vulnerable to XML attacks. Replace vulnerable imports with the equivalent defusedxml package. Note that lxml resolves entities by default and is not covered by defusedxml's stdlib wrappers (defusedxml.lxml is deprecated); when lxml is required, harden it directly by passing an lxml.etree.XMLParser created with resolve_entities=False and no_network=True to parse() or fromstring().

ID: B410
Name: import_lxml
Imports:
  • lxml
Severity: low

B411: import_xmlrpclib

XML-RPC is particularly dangerous as it is also concerned with communicating data over a network, so the XML parser is exposed directly to remote input. Use the defusedxml.xmlrpc.monkey_patch() function to monkey-patch xmlrpclib and mitigate remote XML attacks. (xmlrpclib is the Python 2 name; the Python 3 modules xmlrpc.client and xmlrpc.server use the same parser and carry the same risk, and monkey_patch() covers them.)

ID: B411
Name: import_xmlrpclib
Imports:
  • xmlrpclib
Severity: high

B412: import_httpoxy

httpoxy is a set of vulnerabilities that affect application code running in CGI, or CGI-like environments, where the client-supplied Proxy header is exposed to the application as the HTTP_PROXY environment variable and can redirect its outbound HTTP requests. The use of CGI for web applications should be avoided to prevent this class of attack. More details are available at https://httpoxy.org/.

ID: B412
Name: import_httpoxy
Imports:
  • wsgiref.handlers.CGIHandler
  • twisted.web.twcgi.CGIScript
Severity: high

B413: import_pycrypto

The pycrypto library is known to have a publicly disclosed buffer overflow vulnerability (https://github.com/dlitz/pycrypto/issues/176). It is no longer actively maintained and has been deprecated in favor of the pyca/cryptography library. Note that the Crypto namespace is also used by pycryptodome when it is installed as a drop-in replacement, so this test fires on those imports as well; pycryptodome publishes the same API under the Cryptodome namespace to avoid the clash.

ID: B413
Name: import_pycrypto
Imports:
  • Crypto.Cipher
  • Crypto.Hash
  • Crypto.IO
  • Crypto.Protocol
  • Crypto.PublicKey
  • Crypto.Random
  • Crypto.Signature
  • Crypto.Util
Severity: high

B414: import_pycryptodome

This import blacklist has been removed. The information here has been left for historical purposes.

pycryptodome is a direct fork of pycrypto that has not fully addressed the issues inherent in PyCrypto. It seems to exist, mainly, as an API-compatible continuation of pycrypto and should be deprecated in favor of pyca/cryptography, which has more support among the Python community.

ID: B414
Name: import_pycryptodome
Imports:
  • Cryptodome.Cipher
  • Cryptodome.Hash
  • Cryptodome.IO
  • Cryptodome.Protocol
  • Cryptodome.PublicKey
  • Cryptodome.Random
  • Cryptodome.Signature
  • Cryptodome.Util
Severity: high