Merge branch 'main' into pre-commit-ci-update-config

Author: ericwb

.github/workflows/pythonpackage.yml

@@ -52,6 +52,7 @@ jobs:
           ["3.11", "311"],
           ["3.12", "312"],
           ["3.13", "313"],
+          ["3.14", "314"],
         ]
         os: [ubuntu-latest, macos-latest]
     runs-on: ${{ matrix.os }}

bandit/core/blacklisting.py

@@ -35,8 +35,10 @@ def blacklist(context, config):
         func = context.node.func
         if isinstance(func, ast.Name) and func.id == "__import__":
             if len(context.node.args):
-                if isinstance(context.node.args[0], ast.Str):
-                    name = context.node.args[0].s
+                if isinstance(
+                    context.node.args[0], ast.Constant
+                ) and isinstance(context.node.args[0].value, str):
+                    name = context.node.args[0].value
                 else:
                     # TODO(??): import through a variable, need symbol tab
                     name = "UNKNOWN"

bandit/core/context.py

@@ -178,11 +178,13 @@ def _get_literal_value(self, literal):
         :param literal: The AST literal to convert
         :return: The value of the AST literal
         """
-        if isinstance(literal, ast.Num):
-            literal_value = literal.n
-
-        elif isinstance(literal, ast.Str):
-            literal_value = literal.s
+        if isinstance(literal, ast.Constant):
+            if isinstance(literal.value, bool):
+                literal_value = str(literal.value)
+            elif literal.value is None:
+                literal_value = str(literal.value)
+            else:
+                literal_value = literal.value
 
         elif isinstance(literal, ast.List):
             return_list = list()
@@ -205,19 +207,9 @@ def _get_literal_value(self, literal):
         elif isinstance(literal, ast.Dict):
             literal_value = dict(zip(literal.keys, literal.values))
 
-        elif isinstance(literal, ast.Ellipsis):
-            # what do we want to do with this?
-            literal_value = None
-
         elif isinstance(literal, ast.Name):
             literal_value = literal.id
 
-        elif isinstance(literal, ast.NameConstant):
-            literal_value = str(literal.value)
-
-        elif isinstance(literal, ast.Bytes):
-            literal_value = literal.s
-
         else:
             literal_value = None
 

bandit/core/node_visitor.py

@@ -168,7 +168,7 @@ def visit_Str(self, node):
         :param node: The node that is being inspected
         :return: -
         """
-        self.context["str"] = node.s
+        self.context["str"] = node.value
         if not isinstance(node._bandit_parent, ast.Expr):  # docstring
             self.context["linerange"] = b_utils.linerange(node._bandit_parent)
             self.update_scores(self.tester.run_tests(self.context, "Str"))
@@ -181,7 +181,7 @@ def visit_Bytes(self, node):
         :param node: The node that is being inspected
         :return: -
         """
-        self.context["bytes"] = node.s
+        self.context["bytes"] = node.value
         if not isinstance(node._bandit_parent, ast.Expr):  # docstring
             self.context["linerange"] = b_utils.linerange(node._bandit_parent)
             self.update_scores(self.tester.run_tests(self.context, "Bytes"))

bandit/core/utils.py

@@ -273,12 +273,12 @@ def linerange(node):
 def concat_string(node, stop=None):
     """Builds a string from a ast.BinOp chain.
 
-    This will build a string from a series of ast.Str nodes wrapped in
+    This will build a string from a series of ast.Constant nodes wrapped in
     ast.BinOp nodes. Something like "a" + "b" + "c" or "a %s" % val etc.
     The provided node can be any participant in the BinOp chain.
 
-    :param node: (ast.Str or ast.BinOp) The node to process
-    :param stop: (ast.Str or ast.BinOp) Optional base node to stop at
+    :param node: (ast.Constant or ast.BinOp) The node to process
+    :param stop: (ast.Constant or ast.BinOp) Optional base node to stop at
     :returns: (Tuple) the root node of the expression, the string value
     """
 
@@ -300,7 +300,10 @@ def _get(node, bits, stop=None):
         node = node._bandit_parent
     if isinstance(node, ast.BinOp):
         _get(node, bits, stop)
-    return (node, " ".join([x.s for x in bits if isinstance(x, ast.Str)]))
+    return (
+        node,
+        " ".join([x.value for x in bits if isinstance(x, ast.Constant)]),
+    )
 
 
 def get_called_name(node):
@@ -361,6 +364,17 @@ def parse_ini_file(f_loc):
 def check_ast_node(name):
     "Check if the given name is that of a valid AST node."
     try:
+        # These ast Node types don't exist in Python 3.14, but plugins may
+        # still check on them.
+        if sys.version_info >= (3, 14) and name in (
+            "Num",
+            "Str",
+            "Ellipsis",
+            "NameConstant",
+            "Bytes",
+        ):
+            return name
+
         node = getattr(ast, name)
         if issubclass(node, ast.AST):
             return name

bandit/plugins/django_sql_injection.py

@@ -68,7 +68,10 @@ def django_extra_used(context):
             if key in kwargs:
                 if isinstance(kwargs[key], ast.List):
                     for val in kwargs[key].elts:
-                        if not isinstance(val, ast.Str):
+                        if not (
+                            isinstance(val, ast.Constant)
+                            and isinstance(val.value, str)
+                        ):
                             insecure = True
                             break
                 else:
@@ -77,12 +80,18 @@ def django_extra_used(context):
         if not insecure and "select" in kwargs:
             if isinstance(kwargs["select"], ast.Dict):
                 for k in kwargs["select"].keys:
-                    if not isinstance(k, ast.Str):
+                    if not (
+                        isinstance(k, ast.Constant)
+                        and isinstance(k.value, str)
+                    ):
                         insecure = True
                         break
                 if not insecure:
                     for v in kwargs["select"].values:
-                        if not isinstance(v, ast.Str):
+                        if not (
+                            isinstance(v, ast.Constant)
+                            and isinstance(v.value, str)
+                        ):
                             insecure = True
                             break
             else:
@@ -135,7 +144,9 @@ def django_rawsql_used(context):
                 kwargs = keywords2dict(context.node.keywords)
                 sql = kwargs["sql"]
 
-            if not isinstance(sql, ast.Str):
+            if not (
+                isinstance(sql, ast.Constant) and isinstance(sql.value, str)
+            ):
                 return bandit.Issue(
                     severity=bandit.MEDIUM,
                     confidence=bandit.MEDIUM,

bandit/plugins/django_xss.py

@@ -96,7 +96,7 @@ def evaluate_var(xss_var, parent, until, ignore_nodes=None):
                 break
             to = analyser.is_assigned(node)
             if to:
-                if isinstance(to, ast.Str):
+                if isinstance(to, ast.Constant) and isinstance(to.value, str):
                     secure = True
                 elif isinstance(to, ast.Name):
                     secure = evaluate_var(to, parent, to.lineno, ignore_nodes)
@@ -105,7 +105,9 @@ def evaluate_var(xss_var, parent, until, ignore_nodes=None):
                 elif isinstance(to, (list, tuple)):
                     num_secure = 0
                     for some_to in to:
-                        if isinstance(some_to, ast.Str):
+                        if isinstance(some_to, ast.Constant) and isinstance(
+                            some_to.value, str
+                        ):
                             num_secure += 1
                         elif isinstance(some_to, ast.Name):
                             if evaluate_var(
@@ -131,7 +133,10 @@ def evaluate_call(call, parent, ignore_nodes=None):
     secure = False
     evaluate = False
     if isinstance(call, ast.Call) and isinstance(call.func, ast.Attribute):
-        if isinstance(call.func.value, ast.Str) and call.func.attr == "format":
+        if (
+            isinstance(call.func.value, ast.Constant)
+            and call.func.attr == "format"
+        ):
             evaluate = True
             if call.keywords:
                 evaluate = False  # TODO(??) get support for this
@@ -140,7 +145,7 @@ def evaluate_call(call, parent, ignore_nodes=None):
         args = list(call.args)
         num_secure = 0
         for arg in args:
-            if isinstance(arg, ast.Str):
+            if isinstance(arg, ast.Constant) and isinstance(arg.value, str):
                 num_secure += 1
             elif isinstance(arg, ast.Name):
                 if evaluate_var(arg, parent, call.lineno, ignore_nodes):
@@ -167,7 +172,9 @@ def evaluate_call(call, parent, ignore_nodes=None):
 def transform2call(var):
     if isinstance(var, ast.BinOp):
         is_mod = isinstance(var.op, ast.Mod)
-        is_left_str = isinstance(var.left, ast.Str)
+        is_left_str = isinstance(var.left, ast.Constant) and isinstance(
+            var.left.value, str
+        )
         if is_mod and is_left_str:
             new_call = ast.Call()
             new_call.args = []
@@ -212,7 +219,9 @@ def check_risk(node):
         secure = evaluate_call(xss_var, parent)
     elif isinstance(xss_var, ast.BinOp):
         is_mod = isinstance(xss_var.op, ast.Mod)
-        is_left_str = isinstance(xss_var.left, ast.Str)
+        is_left_str = isinstance(xss_var.left, ast.Constant) and isinstance(
+            xss_var.left.value, str
+        )
         if is_mod and is_left_str:
             parent = node._bandit_parent
             while not isinstance(parent, (ast.Module, ast.FunctionDef)):
@@ -272,5 +281,7 @@ def django_mark_safe(context):
         ]
         if context.call_function_name in affected_functions:
             xss = context.node.args[0]
-            if not isinstance(xss, ast.Str):
+            if not (
+                isinstance(xss, ast.Constant) and isinstance(xss.value, str)
+            ):
                 return check_risk(context.node)

bandit/plugins/general_hardcoded_password.py

@@ -83,45 +83,53 @@ def hardcoded_password_string(context):
         # looks for "candidate='some_string'"
         for targ in node._bandit_parent.targets:
             if isinstance(targ, ast.Name) and RE_CANDIDATES.search(targ.id):
-                return _report(node.s)
+                return _report(node.value)
             elif isinstance(targ, ast.Attribute) and RE_CANDIDATES.search(
                 targ.attr
             ):
-                return _report(node.s)
+                return _report(node.value)
 
     elif isinstance(
         node._bandit_parent, ast.Subscript
-    ) and RE_CANDIDATES.search(node.s):
+    ) and RE_CANDIDATES.search(node.value):
         # Py39+: looks for "dict[candidate]='some_string'"
         # subscript -> index -> string
         assign = node._bandit_parent._bandit_parent
-        if isinstance(assign, ast.Assign) and isinstance(
-            assign.value, ast.Str
+        if (
+            isinstance(assign, ast.Assign)
+            and isinstance(assign.value, ast.Constant)
+            and isinstance(assign.value.value, str)
         ):
-            return _report(assign.value.s)
+            return _report(assign.value.value)
 
     elif isinstance(node._bandit_parent, ast.Index) and RE_CANDIDATES.search(
-        node.s
+        node.value
     ):
         # looks for "dict[candidate]='some_string'"
         # assign -> subscript -> index -> string
         assign = node._bandit_parent._bandit_parent._bandit_parent
-        if isinstance(assign, ast.Assign) and isinstance(
-            assign.value, ast.Str
+        if (
+            isinstance(assign, ast.Assign)
+            and isinstance(assign.value, ast.Constant)
+            and isinstance(assign.value.value, str)
         ):
-            return _report(assign.value.s)
+            return _report(assign.value.value)
 
     elif isinstance(node._bandit_parent, ast.Compare):
         # looks for "candidate == 'some_string'"
         comp = node._bandit_parent
         if isinstance(comp.left, ast.Name):
             if RE_CANDIDATES.search(comp.left.id):
-                if isinstance(comp.comparators[0], ast.Str):
-                    return _report(comp.comparators[0].s)
+                if isinstance(
+                    comp.comparators[0], ast.Constant
+                ) and isinstance(comp.comparators[0].value, str):
+                    return _report(comp.comparators[0].value)
         elif isinstance(comp.left, ast.Attribute):
             if RE_CANDIDATES.search(comp.left.attr):
-                if isinstance(comp.comparators[0], ast.Str):
-                    return _report(comp.comparators[0].s)
+                if isinstance(
+                    comp.comparators[0], ast.Constant
+                ) and isinstance(comp.comparators[0].value, str):
+                    return _report(comp.comparators[0].value)
 
 
 @test.checks("Call")
@@ -176,8 +184,12 @@ def hardcoded_password_funcarg(context):
     """
     # looks for "function(candidate='some_string')"
     for kw in context.node.keywords:
-        if isinstance(kw.value, ast.Str) and RE_CANDIDATES.search(kw.arg):
-            return _report(kw.value.s)
+        if (
+            isinstance(kw.value, ast.Constant)
+            and isinstance(kw.value.value, str)
+            and RE_CANDIDATES.search(kw.arg)
+        ):
+            return _report(kw.value.value)
 
 
 @test.checks("FunctionDef")
@@ -246,9 +258,12 @@ def hardcoded_password_default(context):
         if isinstance(key, (ast.Name, ast.arg)):
             # Skip if the default value is None
             if val is None or (
-                isinstance(val, (ast.Constant, ast.NameConstant))
-                and val.value is None
+                isinstance(val, ast.Constant) and val.value is None
             ):
                 continue
-            if isinstance(val, ast.Str) and RE_CANDIDATES.search(key.arg):
-                return _report(val.s)
+            if (
+                isinstance(val, ast.Constant)
+                and isinstance(val.value, str)
+                and RE_CANDIDATES.search(key.arg)
+            ):
+                return _report(val.value)

bandit/plugins/injection_shell.py

@@ -15,7 +15,9 @@
 
 
 def _evaluate_shell_call(context):
-    no_formatting = isinstance(context.node.args[0], ast.Str)
+    no_formatting = isinstance(
+        context.node.args[0], ast.Constant
+    ) and isinstance(context.node.args[0].value, str)
 
     if no_formatting:
         return bandit.LOW
@@ -83,15 +85,19 @@ def has_shell(context):
         for key in keywords:
             if key.arg == "shell":
                 val = key.value
-                if isinstance(val, ast.Num):
-                    result = bool(val.n)
+                if isinstance(val, ast.Constant) and (
+                    isinstance(val.value, int)
+                    or isinstance(val.value, float)
+                    or isinstance(val.value, complex)
+                ):
+                    result = bool(val.value)
                 elif isinstance(val, ast.List):
                     result = bool(val.elts)
                 elif isinstance(val, ast.Dict):
                     result = bool(val.keys)
                 elif isinstance(val, ast.Name) and val.id in ["False", "None"]:
                     result = False
-                elif isinstance(val, ast.NameConstant):
+                elif isinstance(val, ast.Constant):
                     result = val.value
                 else:
                     result = True
@@ -687,7 +693,11 @@ def start_process_with_partial_path(context, config):
                 node = node.elts[0]
 
             # make sure the param is a string literal and not a var name
-            if isinstance(node, ast.Str) and not full_path_match.match(node.s):
+            if (
+                isinstance(node, ast.Constant)
+                and isinstance(node.value, str)
+                and not full_path_match.match(node.value)
+            ):
                 return bandit.Issue(
                     severity=bandit.LOW,
                     confidence=bandit.HIGH,