I have a bunch of django_mark_safe errors

>> Issue: [B703:django_mark_safe] Potential XSS on mark_safe function.
   Severity: Medium   Confidence: High
   Location: ...
   More Info: https://bandit.readthedocs.io/en/latest/plugins/b703_django_mark_safe.html
54 return mark_safe(f'<a href="{url}" target="_blank">{title}</a>')

>> Issue: [B308:blacklist] Use of mark_safe() may expose cross-site scripting vulnerabilities and should be reviewed.
   Severity: Medium   Confidence: High
   Location: ...
   More Info: https://bandit.readthedocs.io/en/latest/blacklists/blacklist_calls.html#b308-mark-safe
54 return mark_safe(f'<a href="{url}" target="_blank">{title}</a>')

I'm curious whether there is a way to skip or ignore these lines? I know that using mark_safe can be dangerous, but what if I want to take the risk? For example, this method is the only way to display a custom link in the Django admin, so I don't know of any other option for doing this without mark_safe.

3 Answers

I got my answer here:

Two ways:

  1. You can skip B703 and B308 with the --skip argument on the command line.
  2. Or, you can add a # nosec comment on the line you want skipped.

https://github.com/PyCQA/bandit#exclusions

answered 2018-10-02T15:26:18.600

Note on commenting multi-line statements with # nosec

Given:

li_without_nosec = [
    "select * from %s where 1 = 1 "
    % "foo"
]

li_nosec_at_start_works = [  # nosec - works, and you can put a comment
    "select * from %s where 1 = 1 "
    % "foo"
]

# nosec - there's an enhancement request to mark the line above
li_nosec_on_top_doesntwork = [
    "select * from %s where 1 = 1 "
    % "foo"
]

li_nosec_at_end_doesntwork = [
    "select * from %s where 1 = 1 "
    % "foo"
]  # nosec

Output:

>> Issue: [B608:hardcoded_sql_expressions] Possible SQL injection vector through string-based query construction.
   Severity: Medium   Confidence: Low
   Location: test.py:3
   More Info: https://bandit.readthedocs.io/en/latest/plugins/b608_hardcoded_sql_expressions.html
2   li_without_nosec = [
3       "select * from %s where 1 = 1 "
4       % "foo"
5   ]

--------------------------------------------------
>> Issue: [B608:hardcoded_sql_expressions] Possible SQL injection vector through string-based query construction.
   Severity: Medium   Confidence: Low
   Location: test.py:15
   More Info: https://bandit.readthedocs.io/en/latest/plugins/b608_hardcoded_sql_expressions.html
14  li_nosec_on_top_doesntwork = [
15      "select * from %s where 1 = 1 "
16      % "foo"
17  ]

--------------------------------------------------
>> Issue: [B608:hardcoded_sql_expressions] Possible SQL injection vector through string-based query construction.
   Severity: Medium   Confidence: Low
   Location: test.py:21
   More Info: https://bandit.readthedocs.io/en/latest/plugins/b608_hardcoded_sql_expressions.html
20  li_nosec_at_end_doesntwork = [
21      "select * from %s where 1 = 1 "
22      % "foo"
23  ]  # nosec

Black

Hoping here that Black doesn't get involved and restructure the lines, moving # nosec around.

So much for hoping... Black does move things around whenever the line length gets too long, just as it does with pylint directives. At that point # nosec ends up at the end.

You can proactively break the first line and position # nosec there. Or you can wait for Black to finish and adjust as needed.

answered 2020-04-26T20:19:09.823
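The placement rule shown above (and the # nosec option from the first answer) follows from how Bandit matches the comment to the code: it collects the line numbers of comment tokens containing the marker and, while walking the AST, skips a node and its whole subtree when that node's first line is in the set. The following added example is not Bandit's code or the answerer's; it is a small model of that behaviour, with a toy stand-in for the B608 string-formatting check and the four lists from the answer embedded as constructed input. Run it and only the three lists the answer says are not suppressed are reported.

```python
"""Model of Bandit's ``# nosec`` matching on multi-line statements.

Added illustration, not Bandit's own implementation. Assumptions: the
marker is matched by the line a comment token sits on, and suppression
is inherited by every node below a marked node (which is what the
answer's output shows for Bandit circa 2020).
"""
import ast
import io
import tokenize

# Constructed input: the four lists from the answer above.
SAMPLE = '''\
li_without_nosec = [
    "select * from %s where 1 = 1 "
    % "foo"
]

li_nosec_at_start_works = [  # nosec - works, and you can put a comment
    "select * from %s where 1 = 1 "
    % "foo"
]

# nosec - marker on the line above the statement
li_nosec_on_top_doesntwork = [
    "select * from %s where 1 = 1 "
    % "foo"
]

li_nosec_at_end_doesntwork = [
    "select * from %s where 1 = 1 "
    % "foo"
]  # nosec
'''

SQL_KEYWORDS = ("select ", "insert ", "update ", "delete ")


def nosec_lines(src):
    """Line numbers of every comment token carrying a nosec marker."""
    marked = set()
    for tok in tokenize.generate_tokens(io.StringIO(src).readline):
        if tok.type == tokenize.COMMENT and ("#nosec" in tok.string or "# nosec" in tok.string):
            marked.add(tok.start[0])  # (row, col) -> row
    return marked


def looks_like_sql_format(node):
    """Toy stand-in for B608: a SQL-looking string literal formatted with %."""
    return (
        isinstance(node, ast.BinOp)
        and isinstance(node.op, ast.Mod)
        and isinstance(node.left, ast.Constant)
        and isinstance(node.left.value, str)
        and node.left.value.lower().lstrip().startswith(SQL_KEYWORDS)
    )


def _visit(node, suppressed, marked, name, reported):
    # Suppression is decided by the node's *first* line, and once a node is
    # marked everything beneath it is skipped, so a marker on the opening
    # line of the statement covers the finding on a later line.
    suppressed = suppressed or getattr(node, "lineno", None) in marked
    if looks_like_sql_format(node) and not suppressed:
        reported.append(name)
    for child in ast.iter_child_nodes(node):
        _visit(child, suppressed, marked, name, reported)


def reported_assignments(src):
    """Names of module-level assignments whose SQL finding Bandit would still report."""
    marked = nosec_lines(src)
    reported = []
    for stmt in ast.parse(src).body:
        if isinstance(stmt, ast.Assign) and isinstance(stmt.targets[0], ast.Name):
            _visit(stmt, False, marked, stmt.targets[0].id, reported)
    return reported


if __name__ == "__main__":
    for name in reported_assignments(SAMPLE):
        print("still reported:", name)
```

The marker on the line above the statement (line 11 of the sample) and on the closing bracket (line 20) are collected, but no AST node starts on those lines, so nothing is skipped; only the marker on the statement's opening line is ever consulted.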

Just to round out this topic: in my case I had to get rid of the B322: input rule, and I didn't want to write # nosec every time this issue was found in the code, or always run Bandit with the --skip flag.

So if you want to omit a certain rule for the whole solution, you can create a .bandit file in the root directory of the project. Then you can write down which rules should be skipped every time, for example:

[bandit]
skips: B322

Bandit will then skip this check by default, without needing extra comments in the code.

answered 2020-05-09T21:41:54.780