diff --git a/bandit/plugins/general_hardcoded_password.py b/bandit/plugins/general_hardcoded_password.py index 8cde2bb5f..12f629074 100644 --- a/bandit/plugins/general_hardcoded_password.py +++ b/bandit/plugins/general_hardcoded_password.py @@ -89,6 +89,18 @@ def hardcoded_password_string(context): ): return _report(node.value) + elif ( + isinstance(node._bandit_parent, ast.Dict) + and node in node._bandit_parent.keys + and RE_CANDIDATES.search(node.value) + ): + # looks for "{'candidate': 'some_string'}" + dict_node = node._bandit_parent + pos = dict_node.keys.index(node) + value_node = dict_node.values[pos] + if isinstance(value_node, ast.Constant): + return _report(value_node.value) + elif isinstance( node._bandit_parent, ast.Subscript ) and RE_CANDIDATES.search(node.value): diff --git a/examples/hardcoded-passwords.py b/examples/hardcoded-passwords.py index 3899d8786..b1665ae7b 100644 --- a/examples/hardcoded-passwords.py +++ b/examples/hardcoded-passwords.py @@ -87,3 +87,19 @@ def __init__(self, auth_scheme, auth_token=None, auth_username=None, auth_passwo default='', secret=True, ) + +# Possible hardcoded password: 'pass' +# Severity: Low Confidence: Medium +# https://github.com/PyCQA/bandit/issues/313 +log({"server": server, "password": 'pass', "user": user}) + +# ... but not: +log({"server": server, "password": password, "user": user}) + +# Possible hardcoded password: '12345' +# Severity: Low Confidence: Medium +# https://github.com/PyCQA/bandit/issues/1267 +info = {"password": "12345"} + +# ... but not: +info = {"password": password} diff --git a/tests/functional/test_functional.py b/tests/functional/test_functional.py index 5f21e2d6b..8a413004e 100644 --- a/tests/functional/test_functional.py +++ b/tests/functional/test_functional.py @@ -168,8 +168,8 @@ def test_exec(self): def test_hardcoded_passwords(self): """Test for hard-coded passwords.""" expect = { - "SEVERITY": {"UNDEFINED": 0, "LOW": 14, "MEDIUM": 0, "HIGH": 0}, - "CONFIDENCE": {"UNDEFINED": 0, "LOW": 0, "MEDIUM": 14, "HIGH": 0}, + "SEVERITY": {"UNDEFINED": 0, "LOW": 16, "MEDIUM": 0, "HIGH": 0}, + "CONFIDENCE": {"UNDEFINED": 0, "LOW": 0, "MEDIUM": 16, "HIGH": 0}, } self.check_example("hardcoded-passwords.py", expect)