From c767160e287bad72e7a3ff1c191571a68f446e6c Mon Sep 17 00:00:00 2001
From: Eric Brown
Date: Thu, 18 Jan 2024 14:41:19 -0800
Subject: [PATCH] Add random.randbytes to blacklist calls

In Python 3.9, the random module added new function randbytes(n). This function shouldn't be used for any cryptographic operations. As the doc recommends, use secrets.token_bytes() instead.

https://docs.python.org/3/library/random.html#random.randbytes

Signed-off-by: Eric Brown
---
 bandit/blacklists/calls.py | 1 +
 examples/random_module.py | 1 +
 tests/functional/test_functional.py | 4 ++--
 3 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/bandit/blacklists/calls.py b/bandit/blacklists/calls.py
index 9e7ec7447..60c08845f 100644
--- a/bandit/blacklists/calls.py
+++ b/bandit/blacklists/calls.py
@@ -523,6 +523,7 @@ def gen_blacklist():
                 "random.choices",
                 "random.uniform",
                 "random.triangular",
+                "random.randbytes",
             ],
             "Standard pseudo-random generators are not suitable for "
             "security/cryptographic purposes.",
diff --git a/examples/random_module.py b/examples/random_module.py
index 2bf80d037..224f2513c 100644
--- a/examples/random_module.py
+++ b/examples/random_module.py
@@ -10,6 +10,7 @@
 bad = random.choices()
 bad = random.uniform()
 bad = random.triangular()
+bad = random.randbytes()
 
 good = os.urandom()
 good = random.SystemRandom()
diff --git a/tests/functional/test_functional.py b/tests/functional/test_functional.py
index 846994379..a230dc30b 100644
--- a/tests/functional/test_functional.py
+++ b/tests/functional/test_functional.py
@@ -396,8 +396,8 @@ def test_popen_wrappers(self):
     def test_random_module(self):
         """Test for the `random` module."""
         expect = {
-            "SEVERITY": {"UNDEFINED": 0, "LOW": 8, "MEDIUM": 0, "HIGH": 0},
-            "CONFIDENCE": {"UNDEFINED": 0, "LOW": 0, "MEDIUM": 0, "HIGH": 8},
+            "SEVERITY": {"UNDEFINED": 0, "LOW": 9, "MEDIUM": 0, "HIGH": 0},
+            "CONFIDENCE": {"UNDEFINED": 0, "LOW": 0, "MEDIUM": 0, "HIGH": 9},
         }
         self.check_example("random_module.py", expect)
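Review bot: The new `"random.randbytes"` entry is only added to the call list; if the module docstring of calls.py keeps the per-check table that enumerates the B311 calls (it sits above this hunk, outside it), that table should gain the same entry so the rendered plugin docs stay in step with what the scanner flags. The finding message on the two lines after the list still reads `"Standard pseudo-random generators are not suitable for security/cryptographic purposes."`; since this entry is specifically about a byte-producing API, consider extending it with the remediation the commit message already names, e.g. `"security/cryptographic purposes; use the secrets module instead."`, so the report tells the reader what to use rather than only what to avoid. Note that `randbytes` exists only on Python 3.9+, so a code base on older interpreters cannot trip this entry; that is harmless for a name blacklist but worth a one-line comment next to the entry, `# random.randbytes: 3.9+`. The enclosing gen_blacklist() starts and ends outside the hunk.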
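Review bot: The fixture gains the `bad = random.randbytes()` case but no matching `good` line for the replacement the commit message recommends, so the example never demonstrates that the sanctioned API is not flagged. Adding `good = secrets.token_bytes()` next to `good = os.urandom()` documents the intended remediation without changing the expected counts in test_functional.py, since `secrets` is not on the B311 list; it does require an `import secrets` at the top of the file, which is outside this hunk.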