blacklist_imports — Bandit documentation (2024)

Blacklist various Python imports known to be dangerous

This blacklist data checks for a number of Python modules known to have possible security implications. The following blacklist tests are run against any import statements or calls encountered in the scanned code base.

Note that the XML rules listed here are mostly based off of Christian Heimes' work on defusedxml: https://pypi.org/project/defusedxml/
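To make concrete what "run against any import statements or calls" means, here is a small AST-based checker, added for this page and not Bandit's own code, that flags a subset of the blacklist below (the BLACKLIST table, the SAMPLE source and the dotted-prefix match rule are constructed for this example; Bandit's own matching is a plain prefix match on the qualified name, and its tables are the source of truth). It covers the three shapes the page mentions: `import x`, `from x import y`, and the dynamic forms `__import__("x")` / `importlib.import_module("x")` with a literal argument.

```python
import ast

# Constructed subset of the Bandit blacklist on this page: qualname -> (test id, severity).
BLACKLIST = {
    "telnetlib": ("B401", "HIGH"),
    "ftplib": ("B402", "HIGH"),
    "pickle": ("B403", "LOW"),
    "cPickle": ("B403", "LOW"),
    "dill": ("B403", "LOW"),
    "shelve": ("B403", "LOW"),
    "subprocess": ("B404", "LOW"),
    "xml.etree.ElementTree": ("B405", "LOW"),
    "xml.sax": ("B406", "LOW"),
    "lxml": ("B410", "LOW"),
    "Crypto.Cipher": ("B413", "HIGH"),
}


def _match(qualname):
    """Dotted-prefix match: 'lxml.etree' hits 'lxml', but 'pickles' does not hit 'pickle'."""
    for prefix, hit in BLACKLIST.items():
        if qualname == prefix or qualname.startswith(prefix + "."):
            return hit
    return None


def _dynamic_import_target(call):
    """Return the module name for __import__("x") / importlib.import_module("x"), else None."""
    func = call.func
    is_dunder = isinstance(func, ast.Name) and func.id == "__import__"
    is_importlib = (
        isinstance(func, ast.Attribute)
        and isinstance(func.value, ast.Name)
        and func.value.id == "importlib"
        and func.attr in ("import_module", "__import__")
    )
    if not (is_dunder or is_importlib) or not call.args:
        return None
    arg = call.args[0]
    if isinstance(arg, ast.Constant) and isinstance(arg.value, str):
        return arg.value
    return None  # a non-literal argument cannot be resolved statically


def find_blacklisted_imports(source):
    """Return [(lineno, test_id, severity, qualname)] for every blacklisted import."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        candidates = []
        if isinstance(node, ast.Import):
            candidates = [alias.name for alias in node.names]
        elif isinstance(node, ast.ImportFrom):
            if node.module is not None:  # skip relative 'from . import x'
                candidates = [f"{node.module}.{alias.name}" for alias in node.names]
        elif isinstance(node, ast.Call):
            target = _dynamic_import_target(node)
            if target is not None:
                candidates = [target]
        for qualname in candidates:
            hit = _match(qualname)
            if hit is not None:
                findings.append((node.lineno, hit[0], hit[1], qualname))
    findings.sort(key=lambda f: f[0])  # stable: keeps alias order within one line
    return findings


# Constructed sample input mixing every import shape the checker understands.
SAMPLE = """\
import telnetlib
import os
from xml.etree import ElementTree as ET
import subprocess, pickle
from . import local_mod
mod = importlib.import_module("ftplib")
dyn = __import__("Crypto.Cipher")
"""

if __name__ == "__main__":
    for lineno, test_id, severity, qualname in find_blacklisted_imports(SAMPLE):
        print(f"line {lineno}: {test_id} [{severity}] {qualname}")
```

Run it on the sample and it reports one finding per blacklisted name, including the two dynamic imports; a string built at runtime (for example `importlib.import_module(name)`) is invisible to any static checker, which is the usual gap to keep in mind when reading a clean Bandit report.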

B401: import_telnetlib

A telnet-related module is being imported. Telnet is considered insecure: credentials and all session data cross the network in cleartext. Use SSH or some other encrypted protocol. Note that telnetlib was deprecated in Python 3.11 and removed in Python 3.13 (PEP 594), so the import also fails on current interpreters.

ID    Name              Imports    Severity
B401  import_telnetlib  telnetlib  high

B402: import_ftplib

An FTP-related module is being imported. FTP is considered insecure: like Telnet, it sends credentials and file contents in cleartext. Use SSH/SFTP/SCP or some other encrypted protocol. ftplib's FTP_TLS class adds explicit TLS, but the rule fires on the import, not on which class is used, so expect the finding even when FTP_TLS is the only thing imported.

ID    Name           Imports  Severity
B402  import_ftplib  ftplib   high

B403: import_pickle

Consider possible security implications associated with these modules. Unpickling reconstructs objects by calling whatever callables the byte stream names, so pickle.loads() on attacker-controlled data is arbitrary code execution; dill and shelve are built on pickle and inherit the problem. Only unpickle data from a trusted source, or use a data-only format such as JSON for anything that crosses a trust boundary.

ID    Name           Imports                        Severity
B403  import_pickle  pickle, cPickle, dill, shelve  low
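The following example is added here to show why the rule exists; it is not code from Bandit or from the pickle documentation. The Exploit class, the environment-variable marker it sets, and the small allowlist in RestrictedUnpickler are all constructed for the demonstration. An object's __reduce__ tells the unpickler which callable to invoke when rebuilding it, so a payload can name builtins.exec; the hardened loader overrides find_class, which is the single hook every global lookup in the stream goes through, and refuses anything outside an allowlist.

```python
import builtins
import io
import os
import pickle

MARKER = "BANDIT_B403_DEMO"  # constructed marker so the side effect is observable


class Exploit:
    """Constructed attacker object. Nothing on the victim side has to be wrong
    beyond calling pickle.loads() on bytes the attacker produced."""

    def __reduce__(self):
        code = f"import os; os.environ[{MARKER!r}] = 'executed'"
        return (exec, (code,))  # unpickler will call builtins.exec(code)


def build_payload():
    return pickle.dumps(Exploit())


def naive_load(data):
    """The pattern B403 warns about: unpickle untrusted bytes as-is."""
    return pickle.loads(data)


def payload_executed():
    return os.environ.get(MARKER) == "executed"


class RestrictedUnpickler(pickle.Unpickler):
    """Allowlist-based loader. find_class is consulted for every global the
    stream references (STACK_GLOBAL / GLOBAL opcodes), so denying it here
    blocks exec, os.system, subprocess.Popen and any other callable."""

    ALLOWED = {("builtins", "set"), ("builtins", "frozenset"), ("builtins", "bytearray")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return getattr(builtins, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def restricted_load(data):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def restricted_rejects(data):
    try:
        restricted_load(data)
    except pickle.UnpicklingError:
        return True
    return False


def roundtrip_benign():
    """Plain containers need no globals, so they pass the restricted loader."""
    value = {"ok": [1, 2, {3}], "name": b"bytes"}
    return restricted_load(pickle.dumps(value))


if __name__ == "__main__":
    payload = build_payload()
    naive_load(payload)
    print("naive load executed attacker code:", payload_executed())
    print("restricted loader rejected it:", restricted_rejects(payload))
```

The allowlist approach only narrows the attack surface; it still has to be maintained, and any class you add that has a permissive __setstate__ or __reduce__ of its own widens it again. When the data does not need Python objects at all, JSON removes the problem instead of fencing it.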

B404: import_subprocess

Consider possible security implications associated with these modules. The import itself is only a hint; the dangerous pattern is building a command string from untrusted input and running it with shell=True, which lets metacharacters such as ";" or "$(…)" inject extra commands. Pass the command as an argument list without a shell where possible. Bandit's call-level checks (B602 and B603) report the individual Popen/run calls.

ID    Name               Imports     Severity
B404  import_subprocess  subprocess  low
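An added example (not from the page or from Bandit) of the injection the rule is pointing at and the two ways to close it. The functions and the ATTACK string are constructed for the demonstration; it assumes a POSIX shell and an echo binary, which is what shell=True uses on Linux and macOS (on Windows, shell=True runs cmd.exe and the same interpolation bug applies with different metacharacters).

```python
import shlex
import subprocess

# Constructed attacker-controlled value: a ';' ends the first command in a POSIX shell.
ATTACK = "hi; echo INJECTED"


def vulnerable_echo(name):
    """'Before' form: the value is spliced into a command line that a shell parses."""
    result = subprocess.run(
        f"echo {name}", shell=True, capture_output=True, check=True
    )
    return result.stdout


def safe_echo(name):
    """Preferred fix: argv list and no shell. The value is exactly one argument
    regardless of what it contains, so there is nothing to inject into."""
    result = subprocess.run(["echo", name], capture_output=True, check=True)
    return result.stdout


def quoted_echo(name):
    """When a shell is unavoidable (pipes, globbing), quote every untrusted
    piece with shlex.quote so the shell sees a single literal word."""
    result = subprocess.run(
        "echo " + shlex.quote(name), shell=True, capture_output=True, check=True
    )
    return result.stdout


if __name__ == "__main__":
    print("vulnerable:", vulnerable_echo(ATTACK))  # two lines: 'hi' and 'INJECTED'
    print("argv list :", safe_echo(ATTACK))        # one line, the string verbatim
    print("quoted    :", quoted_echo(ATTACK))      # one line, the string verbatim
```

The argv form also fixes the less obvious cases (a filename beginning with "-" still needs "--" or an absolute path, but it can no longer start a second command). shlex.quote is a correct fallback only for POSIX shells; it does not protect cmd.exe.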

B405: import_xml_etree

Using various methods to parse untrusted XML data is known to be vulnerable to XML attacks: entity expansion bombs (billion laughs, quadratic blowup), external entity resolution (XXE) that reads local files, and DTD retrieval over the network. Replace vulnerable imports with the equivalent defusedxml package, or make sure defusedxml.defuse_stdlib() is called before any stdlib parser is used.

ID    Name              Imports                                          Severity
B405  import_xml_etree  xml.etree.cElementTree, xml.etree.ElementTree    low

B406: import_xml_sax

Using various methods to parse untrusted XML data is known to be vulnerable to XML attacks. Replace vulnerable imports with the equivalent defusedxml package, or make sure defusedxml.defuse_stdlib() is called.

ID    Name            Imports  Severity
B406  import_xml_sax  xml.sax  low

B407: import_xml_expat

Using various methods to parse untrusted XML data is known to be vulnerable to XML attacks. Replace vulnerable imports with the equivalent defusedxml package, or make sure defusedxml.defuse_stdlib() is called.

ID    Name              Imports               Severity
B407  import_xml_expat  xml.dom.expatbuilder  low

B408: import_xml_minidom

Using various methods to parse untrusted XML data is known to be vulnerable to XML attacks. Replace vulnerable imports with the equivalent defusedxml package, or make sure defusedxml.defuse_stdlib() is called.

ID    Name                Imports          Severity
B408  import_xml_minidom  xml.dom.minidom  low

B409: import_xml_pulldom

Using various methods to parse untrusted XML data is known to be vulnerable to XML attacks. Replace vulnerable imports with the equivalent defusedxml package, or make sure defusedxml.defuse_stdlib() is called.

ID    Name                Imports          Severity
B409  import_xml_pulldom  xml.dom.pulldom  low

B410: import_lxml

Using various methods to parse untrusted XML data is known to be vulnerable to XML attacks. Replace vulnerable imports with the equivalent defusedxml package. Note that lxml is not covered by defusedxml.defuse_stdlib(); if you keep lxml, construct the parser explicitly with lxml.etree.XMLParser(resolve_entities=False, no_network=True) rather than relying on the defaults, since lxml resolves entities by default.

ID    Name         Imports  Severity
B410  import_lxml  lxml     low

B411: import_xmlrpclib

XML-RPC is particularly dangerous as it is also concerned with communicating data over a network, so the XML parser is reachable by any remote client. Use the defusedxml.xmlrpc.monkey_patch() function to monkey-patch xmlrpclib and mitigate remote XML attacks. xmlrpclib is the Python 2 name; in Python 3 the same code lives in xmlrpc.client and xmlrpc.server, which is what defusedxml.xmlrpc patches.

ID    Name              Imports    Severity
B411  import_xmlrpclib  xmlrpclib  high

B412: import_httpoxy

httpoxy is a set of vulnerabilities that affect application code running in CGI, or CGI-like environments. Under CGI every request header is exposed to the application as an HTTP_<NAME> environment variable, so a client-supplied "Proxy:" header becomes HTTP_PROXY, which many HTTP client libraries honour as their outbound proxy setting; the attacker can then route the application's outgoing requests through a host they control. The use of CGI for web applications should be avoided to prevent this class of attack. More details are available at https://httpoxy.org/.

ID    Name            Imports                                                    Severity
B412  import_httpoxy  wsgiref.handlers.CGIHandler, twisted.web.twcgi.CGIScript   high
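An added example, not from the page or from httpoxy.org, that simulates the CGI header-to-environment mapping and shows both sides of the fix. cgi_env_from_headers is a constructed, simplified gateway (real servers set many more variables); naive_proxy_lookup stands in for a client library that reads HTTP_PROXY without caring how it got there; proxies_seen_by_urllib runs the real urllib.request.getproxies_environment() under a controlled environment, which since the CPython fix for CVE-2016-1000110 ignores an upper-case HTTP_PROXY whenever REQUEST_METHOD is set (that is, whenever the process is a CGI script). The header and host names are constructed.

```python
import os
import urllib.request
from unittest.mock import patch


def cgi_env_from_headers(method, headers, drop_proxy_header=False):
    """Constructed CGI gateway: REQUEST_METHOD plus one HTTP_<NAME> per request header.
    drop_proxy_header is the server-side mitigation: never forward a 'Proxy' header."""
    env = {"GATEWAY_INTERFACE": "CGI/1.1", "REQUEST_METHOD": method}
    for name, value in headers.items():
        if drop_proxy_header and name.lower() == "proxy":
            continue
        env["HTTP_" + name.upper().replace("-", "_")] = value
    return env


def naive_proxy_lookup(env):
    """What a proxy-aware client does if it treats HTTP_PROXY like http_proxy."""
    return env.get("HTTP_PROXY") or env.get("http_proxy")


def proxies_seen_by_urllib(env):
    """Run urllib's real environment proxy discovery with exactly this environment."""
    with patch.dict(os.environ, env, clear=True):
        return urllib.request.getproxies_environment()


# Constructed request: a normal Host header plus the attacker's Proxy header.
ATTACK_HEADERS = {"Host": "app.example", "Proxy": "http://attacker.example:8080"}

if __name__ == "__main__":
    env = cgi_env_from_headers("GET", ATTACK_HEADERS)
    print("CGI env exposes:", env["HTTP_PROXY"])
    print("naive client would use:", naive_proxy_lookup(env))
    print("urllib under CGI uses:", proxies_seen_by_urllib(env))
    safe_env = cgi_env_from_headers("GET", ATTACK_HEADERS, drop_proxy_header=True)
    print("with Proxy header dropped:", "HTTP_PROXY" in safe_env)
```

The urllib behaviour is a library-side defence and only helps code that goes through urllib; other clients, or a subprocess started from the CGI script that inherits the environment, still see HTTP_PROXY. Dropping the header at the web server, or not running under CGI at all as the rule recommends, removes the variable for every consumer. Lower-case http_proxy is still honoured under CGI on purpose: CGI meta-variables are always upper-case, so a client cannot set the lower-case name.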

B413: import_pycrypto

The pycrypto library is known to have a publicly disclosed buffer overflow vulnerability (https://github.com/dlitz/pycrypto/issues/176). It is no longer actively maintained and has been deprecated in favor of the pyca/cryptography library.

ID    Name             Imports                                                                                                              Severity
B413  import_pycrypto  Crypto.Cipher, Crypto.Hash, Crypto.IO, Crypto.Protocol, Crypto.PublicKey, Crypto.Random, Crypto.Signature, Crypto.Util  high

B414: import_pycryptodome

This import blacklist has been removed. The information here has been left for historical purposes.

pycryptodome is a direct fork of pycrypto that has not fully addressed the issues inherent in PyCrypto. It seems to exist, mainly, as an API-compatible continuation of pycrypto and should be deprecated in favor of pyca/cryptography, which has more support among the Python community.

ID    Name                 Imports                                                                                                                                              Severity
B414  import_pycryptodome  Cryptodome.Cipher, Cryptodome.Hash, Cryptodome.IO, Cryptodome.Protocol, Cryptodome.PublicKey, Cryptodome.Random, Cryptodome.Signature, Cryptodome.Util  high