From 0779eb09008f9700bcb8342ff140397a7bff2e89 Mon Sep 17 00:00:00 2001 From: Eric Brown Date: Thu, 18 Jan 2024 18:33:28 -0800 Subject: [PATCH] Add random.randbytes to blacklist calls (#1096) In Python 3.9, the random module added new function randbytes(n). This function shouldn't be used for any cryptographic operations. As the doc recommends, use secrets.token_bytes() instead. https://docs.python.org/3/library/random.html#random.randbytes Signed-off-by: Eric Brown --- bandit/blacklists/calls.py | 2 ++ examples/random_module.py | 1 + tests/functional/test_functional.py | 4 ++-- 3 files changed, 5 insertions(+), 2 deletions(-) diff --git a/bandit/blacklists/calls.py b/bandit/blacklists/calls.py index 9e7ec7447..d69f5dd3c 100644 --- a/bandit/blacklists/calls.py +++ b/bandit/blacklists/calls.py @@ -198,6 +198,7 @@ | | | - random.choices | | | | | - random.uniform | | | | | - random.triangular | | +| | | - random.randbytes | | +------+---------------------+------------------------------------+-----------+ B312: telnetlib @@ -523,6 +524,7 @@ def gen_blacklist(): "random.choices", "random.uniform", "random.triangular", + "random.randbytes", ], "Standard pseudo-random generators are not suitable for " "security/cryptographic purposes.", diff --git a/examples/random_module.py b/examples/random_module.py index 2bf80d037..224f2513c 100644 --- a/examples/random_module.py +++ b/examples/random_module.py @@ -10,6 +10,7 @@ bad = random.choices() bad = random.uniform() bad = random.triangular() +bad = random.randbytes() good = os.urandom() good = random.SystemRandom() diff --git a/tests/functional/test_functional.py b/tests/functional/test_functional.py index 846994379..a230dc30b 100644 --- a/tests/functional/test_functional.py +++ b/tests/functional/test_functional.py @@ -396,8 +396,8 @@ def test_popen_wrappers(self): def test_random_module(self): """Test for the `random` module.""" expect = { - "SEVERITY": {"UNDEFINED": 0, "LOW": 8, "MEDIUM": 0, "HIGH": 0}, - "CONFIDENCE": {"UNDEFINED": 0, "LOW": 0, "MEDIUM": 0, "HIGH": 8}, + "SEVERITY": {"UNDEFINED": 0, "LOW": 9, "MEDIUM": 0, "HIGH": 0}, + "CONFIDENCE": {"UNDEFINED": 0, "LOW": 0, "MEDIUM": 0, "HIGH": 9}, } self.check_example("random_module.py", expect)