Merge branch 'main' into pre-commit-ci-update-config

Author: ericwb

.github/workflows/build-publish-image.yml

@@ -34,7 +34,7 @@ jobs:
       uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3
 
     - name: Log in to GitHub Container Registry
-      uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3
+      uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3
       with:
         registry: ghcr.io
         username: ${{ github.actor }}
@@ -51,7 +51,7 @@ jobs:
 
     - name: Build and push Docker image
       id: build-and-push
-      uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6
+      uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6
       with:
         context: .
         file: ./docker/Dockerfile

bandit/cli/main.py

@@ -94,10 +94,10 @@ def _log_option_source(default_val, arg_val, ini_val, option_name):
             return ini_val
         else:
             return None
-    # No value passed to commad line and default value is used
+    # No value passed to command line and default value is used
     elif default_val == arg_val:
         return ini_val if ini_val else arg_val
-    # Certainly a value is passed to commad line
+    # Certainly a value is passed to command line
     else:
         return arg_val
 

bandit/core/manager.py

@@ -204,7 +204,7 @@ def discover_files(self, targets, recursive=False, excluded_paths=""):
         :param recursive: True/False - whether to add all files from dirs
         :return:
         """
-        # We'll mantain a list of files which are added, and ones which have
+        # We'll maintain a list of files which are added, and ones which have
         # been explicitly excluded
         files_list = set()
         excluded_files = set()

bandit/core/tester.py

@@ -112,7 +112,9 @@ def run_tests(self, raw_context, checktype):
                     ):
                         LOG.warning(
                             f"nosec encountered ({test._test_id}), but no "
-                            f"failed test on line {temp_context['lineno']}"
+                            f"failed test on file "
+                            f"{temp_context['filename']}:"
+                            f"{temp_context['lineno']}"
                         )
 
             except Exception as e:

bandit/core/utils.py

@@ -370,9 +370,9 @@ def parse_ini_file(f_loc):
 def check_ast_node(name):
     "Check if the given name is that of a valid AST node."
     try:
-        # These ast Node types don't exist in Python 3.14, but plugins may
-        # still check on them.
-        if sys.version_info >= (3, 14) and name in (
+        # These ast Node types were deprecated in Python 3.12 and removed
+        # in Python 3.14, but plugins may still check on them.
+        if sys.version_info >= (3, 12) and name in (
             "Num",
             "Str",
             "Ellipsis",

bandit/plugins/huggingface_unsafe_download.py

@@ -60,6 +60,7 @@
 
 """
 
+import ast
 import string
 
 import bandit
@@ -114,7 +115,19 @@ def huggingface_unsafe_download(context):
     if not any(module in qualname_parts for module in required_modules):
         return
 
-    # Check for revision parameter (the key security control)
+    # Check for revision parameter (the key security control).
+    # First, check the raw AST to see if a revision/commit_id keyword was
+    # passed as a non-literal expression (variable, attribute, subscript,
+    # function call, etc.).  In those cases we cannot statically determine
+    # the value, so we give the user the benefit of the doubt.
+    call_node = context._context.get("call")
+    if call_node is not None:
+        for kw in getattr(call_node, "keywords", []):
+            if kw.arg in ("revision", "commit_id") and not isinstance(
+                kw.value, ast.Constant
+            ):
+                return
+
     revision_value = context.get_call_arg_value("revision")
     commit_id_value = context.get_call_arg_value("commit_id")
 

bandit/plugins/injection_shell.py

@@ -10,7 +10,7 @@
 from bandit.core import test_properties as test
 
 # yuck, regex: starts with a windows drive letter (eg C:)
-# or one of our path delimeter characters (/, \, .)
+# or one of our path delimiter characters (/, \, .)
 full_path_match = re.compile(r"^(?:[A-Za-z](?=\:)|[\\\/\.])")
 
 

bandit/plugins/trojansource.py

@@ -54,26 +54,29 @@
 @test.test_id("B613")
 @test.checks("File")
 def trojansource(context):
-    with open(context.filename, "rb") as src_file:
-        encoding, _ = detect_encoding(src_file.readline)
-    with open(context.filename, encoding=encoding) as src_file:
-        for lineno, line in enumerate(src_file.readlines(), start=1):
-            for char in BIDI_CHARACTERS:
-                try:
-                    col_offset = line.index(char) + 1
-                except ValueError:
-                    continue
-                text = (
-                    "A Python source file contains bidirectional"
-                    " control characters (%r)." % char
-                )
-                b_issue = bandit.Issue(
-                    severity=bandit.HIGH,
-                    confidence=bandit.MEDIUM,
-                    cwe=issue.Cwe.INAPPROPRIATE_ENCODING_FOR_OUTPUT_CONTEXT,
-                    text=text,
-                    lineno=lineno,
-                    col_offset=col_offset,
-                )
-                b_issue.linerange = [lineno]
-                return b_issue
+    src_data = context.file_data
+    src_data.seek(0)
+    encoding, _ = detect_encoding(src_data.readline)
+    src_data.seek(0)
+    for lineno, line in enumerate(
+        src_data.read().decode(encoding).splitlines(), start=1
+    ):
+        for char in BIDI_CHARACTERS:
+            try:
+                col_offset = line.index(char) + 1
+            except ValueError:
+                continue
+            text = (
+                "A Python source file contains bidirectional"
+                " control characters (%r)." % char
+            )
+            b_issue = bandit.Issue(
+                severity=bandit.HIGH,
+                confidence=bandit.MEDIUM,
+                cwe=issue.Cwe.INAPPROPRIATE_ENCODING_FOR_OUTPUT_CONTEXT,
+                text=text,
+                lineno=lineno,
+                col_offset=col_offset,
+            )
+            b_issue.linerange = [lineno]
+            return b_issue

examples/huggingface_unsafe_download.py

@@ -147,3 +147,18 @@
     repo_id="org/model_name",
     revision="5d0f2e8a7f1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d"
 )
+
+
+# Example #24: Revision passed as a variable (can't be statically checked)
+MODEL_REVISION = "548fc3543a"
+safe_model_variable = AutoModel.from_pretrained(
+    "org/model_name",
+    revision=MODEL_REVISION
+)
+
+# Example #25: Revision from a dict/subscript access
+config = {"revision": "abc1234567"}
+safe_model_subscript = AutoModel.from_pretrained(
+    "org/model_name",
+    revision=config["revision"]
+)