Commit
Update to v1.1.0
HubTou authored Jul 3, 2021
1 parent 526ddc9 commit c1903c1
Showing 7 changed files with 154 additions and 129 deletions.
9 changes: 3 additions & 6 deletions README.5.md
Expand Up @@ -39,7 +39,7 @@ Where:
* **VERSION** is the version of the test suite
* **DATE** is the date of last modification to the file
* **AUTHOR** is the test suite author's name
* **B2BT_VERSION** is the minimal version required of **b2bt** required to process this file, or 1.0.x if missing
* **B2BT_VERSION** is the minimal version required of **b2bt** required to process this file, or 1.0.0 if missing

You can then have 1 or more test-cases enclosed between test-case pair of tags:
```XML
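Review bot: the **B2BT_VERSION** line, both before and after the edit, reads "the minimal version required of **b2bt** required to process this file", with "required" twice; since the line is being rewritten anyway, simplify it to "the minimal version of **b2bt** required to process this file, or 1.0.0 if missing". Because this commit (v1.1.0) also introduces the double-quote handling for the cmd tag, it would help to say here that test suites relying on that behaviour should declare B2BT_VERSION 1.1.0 rather than leaving it absent.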
Expand All @@ -54,7 +54,7 @@ Where:
* The **timeout** attribute is optional and it's recommended NOT to use it, unless you have a good reason to do so. It takes a positive value, with an eventual decimal part, expressed in seconds. Whatever the Locale you are using, the decimal separator is the "." character
* **CASE_NAME** is a short string describing the test case
* **COMMAND** is the command to be shell executed:
* the **cmd** tag expects exactly one line. Leading or trailing spaces and newline characters are stripped
* the **cmd** tag expects exactly one line. Leading or trailing spaces and newline characters are stripped unless enclosed between double quotes
* the command itself must be pathless. b2bt will replace the first occurrence it founds with the absolute path of the original or new command to be tested
* the command is executed by a Shell. Its output can be piped to another command or redirected to a file, and it can be prefixed by environment variables definition
* There are 2 characters that you must escape in all XML tag contents:
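Review bot: the new rule "stripped unless enclosed between double quotes" leaves two things undefined: whether the enclosing quotes are themselves removed before the line is handed to the shell, and whether a double quote can appear inside the quoted content. Without that, a reader cannot tell what a cmd value such as `" ls -l "` actually executes; one sentence stating the exact transformation (quotes stripped, inner content kept verbatim, or whatever the implementation does) would settle it. On the unchanged line below, "the first occurrence it founds" should read "finds".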
Expand Down Expand Up @@ -146,14 +146,11 @@ Another more sophisticated test suite would be:
[b2bt(1)](https://github.com/HubTou/b2bt/blob/main/README.md)

## HISTORY
These files were made for [The PNU project / PyNIX](https://github.com/HubTou/PNU)
These files were made for the [PNU project](https://github.com/HubTou/PNU)
in order to test the rewritten commands against the installed ones.

This project will provide [b2bt test files for the usual POSIX and FreeBSD commands](https://github.com/HubTou/PNU/tree/main/tests).

## AUTHORS
[Hubert Tournier](https://github.com/HubTou)

## CAVEATS
A way to introduce leading or trailing spaces in tag contents has yet to be provided.
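Review bot: the CAVEATS sentence left in the trailing context, "A way to introduce leading or trailing spaces in tag contents has yet to be provided.", now contradicts the double-quote rule this same commit adds to the cmd tag; either drop the caveat or narrow it to the tags that still strip whitespace unconditionally. The HISTORY rewording itself is fine.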

7 changes: 1 addition & 6 deletions README.md
Expand Up @@ -104,11 +104,8 @@ The b2bt utility is not a standard UNIX/POSIX command.

It tries to follow the [PEP 8](https://www.python.org/dev/peps/pep-0008/) style guide for [Python](https://www.python.org/) code.

## PORTABILITY
To be tested under Windows.

## HISTORY
This utility was made for [The PNU project / PyNIX](https://github.com/HubTou/PNU)
This utility was made for the [PNU project](https://github.com/HubTou/PNU)
in order to test the rewritten commands against the installed ones.

## LICENSE
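Review bot: deleting the PORTABILITY section removes the only statement about Windows support, while setup.cfg in this same commit adds the "Operating System :: Microsoft :: Windows" classifier; if Windows has now been tested, say so here instead of going silent, otherwise keep the "To be tested under Windows." caveat. The man page (man/b2bt.1) mirrors this section, so both should carry the same statement.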
Expand All @@ -131,8 +128,6 @@ To mitigate the risks, the utility will:
* Warn you if you are using a privileged account and advise you not to do so.
* Show you every command to be executed and ask for prior confirmation.

We also use the standard Python [xml.dom.minidom](https://docs.python.org/3/library/xml.dom.minidom.html) library which is known to be [vulnerable to several XML attacks](https://pypi.org/project/defusedxml/).

Visual inspection of the XML files to process is recommended, and useful anyway if you are rewriting an existing command.

The program is using MD5 file digests but not for security purposes.
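Review bot: removing the xml.dom.minidom warning is only justified if the parser was actually replaced; the bandit output in this commit no longer lists B408/B318 and setup.cfg adds defusedxml, so the change is consistent, but a bare deletion leaves a reader comparing 1.0.x and 1.1.0 with no idea why the warning vanished. Replace it with a sentence stating that XML files are parsed with defusedxml. The "MD5 ... not for security purposes" line remains correct; bandit still reports it as B303, which is expected.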
8 changes: 2 additions & 6 deletions man/b2bt.1
Expand Up @@ -177,11 +177,9 @@ The
utility is not a standard UNIX/POSIX command.
.Pp
It tries to follow the PEP 8 style guide for Python code.
.Sh PORTABILITY
To be tested under Windows.
.Sh HISTORY
This utility was made for
.Lk https://github.com/HubTou/PNU [The PNU project / PyNIX]
This utility was made for the
.Lk https://github.com/HubTou/PNU [PNU project]
in order to test the rewritten commands against the installed ones.
.Sh LICENSE
This utility is available under the 3-clause BSD license.
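Review bot: same point as for README.md: removing .Sh PORTABILITY drops the Windows status without replacing it; whichever way that is decided, keep the man page and the README saying the same thing.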
Expand All @@ -204,8 +202,6 @@ Warn you if you are using a privileged account and advise you not to do so.
Show you every command to be executed and ask for prior confirmation.
.El
.Pp
We also use the standard Python xml.dom.minidom library which is known to be vulnerable to several XML attacks.
.Pp
Visual inspection of the XML files to process is recommended, and useful anyway if you are rewriting an existing command.
.Pp
The program is using MD5 file digests but not for security purposes.
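Review bot: as in README.md, a one-line replacement stating that XML is parsed with defusedxml would be better than silently deleting the minidom paragraph; the mdoc structure after the removal is fine, since the .Pp preceding the deleted paragraph still separates the list from the "Visual inspection" paragraph.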
10 changes: 4 additions & 6 deletions man/b2bt.5
Expand Up @@ -64,7 +64,7 @@ is the date of last modification to the file
is the test suite author's name
.It
.Em B2BT_VERSION
is the minimal version required of **b2bt** required to process this file, or 1.0.x if missing
is the minimal version required of **b2bt** required to process this file, or 1.0.0 if missing
.El
.Pp
You can then have 1 or more test-cases enclosed between test-case pair of tags:
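Review bot: the rewritten B2BT_VERSION line in this mdoc file still contains the Markdown bold markers `**b2bt**`, which will be rendered literally by mandoc/groff; use the `.Nm` macro on its own line instead, as the rest of the page does. The duplicated "required of ... required to" wording noted for README.5.md applies here too.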
Expand Down Expand Up @@ -96,7 +96,7 @@ is the command to be shell executed:
.It
the
.Em cmd
tag expects exactly one line. Leading or trailing spaces and newline characters are stripped
tag expects exactly one line. Leading or trailing spaces and newline characters are stripped unless enclosed between double quotes
.It
the command itself must be pathless. b2bt will replace the first occurrence it founds with the absolute path of the original or new command to be tested
.It
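Review bot: as in README.5.md, the new "unless enclosed between double quotes" clause should state whether the quotes are removed and whether an inner double quote is possible, and the unchanged line below should read "finds", not "founds".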
Expand Down Expand Up @@ -218,14 +218,12 @@ Another more sophisticated test suite would be:
.Sh SEE ALSO
.Xr b2bt 1
.Sh HISTORY
These files were made for
.Lk https://github.com/HubTou/PNU [The PNU project / PyNIX]
These files were made for the
.Lk https://github.com/HubTou/PNU [PNU project]
in order to test the rewritten commands against the installed ones.
.Pp
This project will provide
.Nm
test files for the usual POSIX and FreeBSD commands.
.Sh AUTHORS
.An Hubert Tournier
.Sh CAVEATS
A way to introduce leading or trailing spaces in tag contents has yet to be provided.
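Review bot: the CAVEATS text in the trailing context contradicts the double-quote handling added in this commit; update or remove it together with the README.5.md copy.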
163 changes: 71 additions & 92 deletions misc/bandit.txt
@@ -1,5 +1,5 @@
bandit -r src/b2bt/__init__.py src/b2bt/main.py
Run started:2021-06-13 11:24:23.718090
Run started:2021-07-03 13:43:36.422536

Test results:
>> Issue: [B404:blacklist] Consider possible security implications associated with subprocess module.
Expand All @@ -10,154 +10,133 @@ Test results:
17 import subprocess
18 import sys

--------------------------------------------------
>> Issue: [B408:blacklist] Using xml.dom.minidom to parse untrusted XML data is known to be vulnerable to XML attacks. Replace xml.dom.minidom with the equivalent defusedxml package, or make sure defusedxml.defuse_stdlib() is called.
Severity: Low Confidence: High
Location: src/b2bt/main.py:20
More Info: https://bandit.readthedocs.io/en/latest/blacklists/blacklist_imports.html#b408-import-xml-minidom
19 import time
20 import xml.dom.minidom
21
22 # Optional dependency upon colorama
23 # Use "pip install colorama" to install
24 try:

--------------------------------------------------
>> Issue: [B303:blacklist] Use of insecure MD2, MD4, MD5, or SHA1 hash function.
Severity: Medium Confidence: High
Location: src/b2bt/main.py:313
Location: src/b2bt/main.py:325
More Info: https://bandit.readthedocs.io/en/latest/blacklists/blacklist_calls.html#b303-md5
312 chunk_size = 512 * 200
313 digest = hashlib.md5()
314 with open(file_path, "rb") as file:
324 chunk_size = 512 * 200
325 digest = hashlib.md5()
326 with open(file_path, "rb") as file:

--------------------------------------------------
>> Issue: [B607:start_process_with_partial_path] Starting a process with a partial executable path
Severity: Low Confidence: High
Location: src/b2bt/main.py:369
Location: src/b2bt/main.py:381
More Info: https://bandit.readthedocs.io/en/latest/plugins/b607_start_process_with_partial_path.html
368 if shutil.which("what"):
369 results = subprocess.run(
370 ["what", "-q", command_full_path],
371 text=True,
372 capture_output=True,
373 check=False,
374 )
380 if shutil.which("what"):
381 results = subprocess.run(
382 ["what", "-q", command_full_path],
383 text=True,
384 capture_output=True,
385 check=False,
386 )

--------------------------------------------------
>> Issue: [B603:subprocess_without_shell_equals_true] subprocess call - check for execution of untrusted input.
Severity: Low Confidence: High
Location: src/b2bt/main.py:369
Location: src/b2bt/main.py:381
More Info: https://bandit.readthedocs.io/en/latest/plugins/b603_subprocess_without_shell_equals_true.html
368 if shutil.which("what"):
369 results = subprocess.run(
370 ["what", "-q", command_full_path],
371 text=True,
372 capture_output=True,
373 check=False,
374 )
380 if shutil.which("what"):
381 results = subprocess.run(
382 ["what", "-q", command_full_path],
383 text=True,
384 capture_output=True,
385 check=False,
386 )

--------------------------------------------------
>> Issue: [B607:start_process_with_partial_path] Starting a process with a partial executable path
Severity: Low Confidence: High
Location: src/b2bt/main.py:377
Location: src/b2bt/main.py:389
More Info: https://bandit.readthedocs.io/en/latest/plugins/b607_start_process_with_partial_path.html
376 if shutil.which("ident"):
377 results = subprocess.run(
378 ["ident", "-q", command_full_path],
379 text=True,
380 capture_output=True,
381 check=False,
382 )
388 if shutil.which("ident"):
389 results = subprocess.run(
390 ["ident", "-q", command_full_path],
391 text=True,
392 capture_output=True,
393 check=False,
394 )

--------------------------------------------------
>> Issue: [B603:subprocess_without_shell_equals_true] subprocess call - check for execution of untrusted input.
Severity: Low Confidence: High
Location: src/b2bt/main.py:377
Location: src/b2bt/main.py:389
More Info: https://bandit.readthedocs.io/en/latest/plugins/b603_subprocess_without_shell_equals_true.html
376 if shutil.which("ident"):
377 results = subprocess.run(
378 ["ident", "-q", command_full_path],
379 text=True,
380 capture_output=True,
381 check=False,
382 )
388 if shutil.which("ident"):
389 results = subprocess.run(
390 ["ident", "-q", command_full_path],
391 text=True,
392 capture_output=True,
393 check=False,
394 )

--------------------------------------------------
>> Issue: [B602:subprocess_popen_with_shell_equals_true] subprocess call with shell=True identified, security issue.
Severity: High Confidence: High
Location: src/b2bt/main.py:454
Location: src/b2bt/main.py:466
More Info: https://bandit.readthedocs.io/en/latest/plugins/b602_subprocess_popen_with_shell_equals_true.html
453 for line in pre_commands:
454 pre_results = subprocess.run(line, shell=True, check=False)
455 if pre_results.returncode != 0:
465 for line in pre_commands:
466 pre_results = subprocess.run(line, shell=True, check=False)
467 if pre_results.returncode != 0:

--------------------------------------------------
>> Issue: [B602:subprocess_popen_with_shell_equals_true] subprocess call with shell=True identified, security issue.
Severity: High Confidence: High
Location: src/b2bt/main.py:491
Location: src/b2bt/main.py:503
More Info: https://bandit.readthedocs.io/en/latest/plugins/b602_subprocess_popen_with_shell_equals_true.html
490 line,
491 shell=True,
492 text=True,
493 input=one_line_input,
494 capture_output=True,
495 timeout=timeout,
496 check=False,
497 )
498 else:
499 results = subprocess.run(
502 line,
503 shell=True,
504 text=True,
505 input=one_line_input,
506 capture_output=True,
507 timeout=timeout,
508 check=False,
509 )
510 else:
511 results = subprocess.run(

--------------------------------------------------
>> Issue: [B602:subprocess_popen_with_shell_equals_true] subprocess call with shell=True identified, security issue.
Severity: High Confidence: High
Location: src/b2bt/main.py:501
Location: src/b2bt/main.py:513
More Info: https://bandit.readthedocs.io/en/latest/plugins/b602_subprocess_popen_with_shell_equals_true.html
500 line,
501 shell=True,
502 text=True,
503 capture_output=True,
504 timeout=timeout,
505 check=False,
506 )
507 except subprocess.TimeoutExpired as status:
508 standard_output = ""
512 line,
513 shell=True,
514 text=True,
515 capture_output=True,
516 timeout=timeout,
517 check=False,
518 )
519 except subprocess.TimeoutExpired as status:
520 standard_output = ""

--------------------------------------------------
>> Issue: [B602:subprocess_popen_with_shell_equals_true] subprocess call with shell=True identified, security issue.
Severity: High Confidence: High
Location: src/b2bt/main.py:537
Location: src/b2bt/main.py:549
More Info: https://bandit.readthedocs.io/en/latest/plugins/b602_subprocess_popen_with_shell_equals_true.html
536 post_results = subprocess.run(
537 line, shell=True, text=True, capture_output=True, check=False
538 )
539 if post_results.returncode != 0:

--------------------------------------------------
>> Issue: [B318:blacklist] Using xml.dom.minidom.parse to parse untrusted XML data is known to be vulnerable to XML attacks. Replace xml.dom.minidom.parse with its defusedxml equivalent function or make sure defusedxml.defuse_stdlib() is called
Severity: Medium Confidence: High
Location: src/b2bt/main.py:645
More Info: https://bandit.readthedocs.io/en/latest/blacklists/blacklist_calls.html#b313-b320-xml-bad-minidom
644 try:
645 test_file = xml.dom.minidom.parse(filename)
646 except xml.parsers.expat.ExpatError as error:
548 post_results = subprocess.run(
549 line, shell=True, text=True, capture_output=True, check=False
550 )
551 if post_results.returncode != 0:

--------------------------------------------------

Code scanned:
Total lines of code: 718
Total lines of code: 758
Total lines skipped (#nosec): 0

Run metrics:
Total issues (by severity):
Undefined: 0.0
Low: 6.0
Medium: 2.0
Low: 5.0
Medium: 1.0
High: 4.0
Total issues (by confidence):
Undefined: 0.0
Low: 0.0
Medium: 0.0
High: 12.0
High: 10.0
Files skipped (0):
*** Error code 1 (ignored)
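Review bot: the metric deltas (Medium 2 to 1, Low 6 to 5, High-confidence 12 to 10) match exactly the two minidom findings (B408 at the import, B318 at the parse call) that disappear from this report, so the defusedxml switch is reflected; the four High-severity B602 findings for `subprocess.run(line, shell=True, ...)` remain and are inherent to the tool's purpose of running shell commands from test files, so each of those call sites deserves a `# nosec` marker with a short justification (currently "Total lines skipped (#nosec): 0"), which would also make the report distinguish accepted from unreviewed findings. The trailing "*** Error code 1 (ignored)" shows the build ignores bandit's exit status, so nothing will fail if a new finding appears. For B303, `hashlib.md5()` is only used for file comparison per the README; `usedforsecurity=False` would silence it but requires Python 3.9, which conflicts with `python_requires = >=3.7`, so a `# nosec` annotation is the available option there too.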
13 changes: 7 additions & 6 deletions setup.cfg
Expand Up @@ -3,7 +3,7 @@ name = pnu_b2bt
description = Back to Back Testing tool
long_description = file: README.md
long_description_content_type = text/markdown
version = 1.0.2
version = 1.1.0
license = BSD 3-Clause License
license_files = License
author = HubTou
Expand All @@ -13,16 +13,16 @@ project_urls =
Bug Tracker = https://github.com/HubTou/b2bt/issues
keywords = pnu-project
classifiers =
Programming Language :: Python :: 3
Programming Language :: Python :: 3.7
Development Status :: 5 - Production/Stable
Environment :: Console
Intended Audience :: Developers
License :: OSI Approved :: BSD License
Natural Language :: English
Operating System :: OS Independent
Operating System :: POSIX :: BSD :: FreeBSD
Operating System :: Microsoft :: Windows
Environment :: Console
Development Status :: 5 - Production/Stable
Natural Language :: English
Programming Language :: Python :: 3
Programming Language :: Python :: 3.7
Topic :: Education :: Testing
Topic :: Software Development
Topic :: Software Development :: Testing
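Review bot: adding the "Operating System :: Microsoft :: Windows" classifier while the same commit deletes the "To be tested under Windows." note from README.md and the man page is inconsistent unless Windows was actually verified; either keep the note or confirm support in the docs. The "Programming Language :: Python :: 3.7" entry is the only minor version listed although `python_requires = >=3.7` admits later releases; adding the other tested versions would be accurate.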
Expand All @@ -37,6 +37,7 @@ packages = find:
python_requires = >=3.7
install_requires =
colorama
defusedxml

[options.packages.find]
where = src
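Review bot: `defusedxml` is added to install_requires without any version bound, unlike `python_requires`; a minimum version should be stated so that the stdlib-replacement functions the code now relies on are guaranteed to exist. Also note the inconsistency visible in the bandit excerpt, where main.py carries "# Optional dependency upon colorama" while install_requires lists colorama as mandatory; the new defusedxml requirement should be documented as a hard runtime dependency in the README and man page.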