使用bandit对目标python代码进行安全函数扫描的案例分析
技术背景
在一些对python开源库代码的安全扫描中,我们有可能需要分析库中所使用到的函数是否会对代码的执行环境造成一些非预期的影响。典型的例如python的沙箱逃逸问题,通过一些python的第三方库可以执行系统shell命令,而这就不在python的沙箱防护范围之内了。关于python的沙箱逃逸问题,这里不作展开,这也是困扰业界多年的一个问题,连python官方也提过python的沙箱是没有完美的防护方案的,这里仅作为一个背景案例使用:
# subprocess_popen.py import subprocess import uuid subprocess.popen('touch ' + str(uuid.uuid1()) +'.txt', shell = true)
这里演示的功能是使用subprocess
函数库开启一个系统shell
,并执行一个touch
的指令,可以生成一个指定文件名的文件,类似于mkdir
产生一个文件夹。我们可以看到这个文件成功执行后会在当前的目录下生成一个uuid
随机命名的txt文件:
[dechin@dechin-manjaro bandit_test]$ python3 subprocess_popen.py [dechin@dechin-manjaro bandit_test]$ ll 总用量 4 -rw-r--r-- 1 dechin dechin 0 1月 26 23:03 b7aa0fc8-5fe7-11eb-b5d3-058313e110e4.txt -rw-r--r-- 1 dechin dechin 123 1月 26 23:03 subprocess_popen.py
然而,本次的关注点并不在与这个函数执行了什么功能,而是这个函数中用到了subprocess
这个函数库。按照python的语言特点,当你的系统中如果存在这样的一个模块引用了subprocess
库,那么任何可以调用该功能模块的函数,都可以调用到subprocess
这个函数,以下是另外一个恶意用户的python代码
:
# bad.py from subprocess_popen import subprocess as subprocess subprocess.popen('touch bad.txt', shell = true)
该代码的目的是在不直接import subprocess
的条件下,通过前面创建好的subprocess_popen.py
来进行搭桥调用subprocess
的功能函数。这个脚本的执行结果如下:
[dechin@dechin-manjaro bandit_test]$ python3 bad.py [dechin@dechin-manjaro bandit_test]$ ll 总用量 12 -rw-r--r-- 1 dechin dechin 0 1月 26 23:13 0fda7ede-5fe9-11eb-80a8-ad279ab4e0a6.txt -rw-r--r-- 1 dechin dechin 0 1月 26 23:03 b7aa0fc8-5fe7-11eb-b5d3-058313e110e4.txt -rw-r--r-- 1 dechin dechin 113 1月 26 23:13 bad.py -rw-r--r-- 1 dechin dechin 0 1月 26 23:13 bad.txt drwxr-xr-x 2 dechin dechin 4096 1月 26 23:13 __pycache__ -rw-r--r-- 1 dechin dechin 123 1月 26 23:03 subprocess_popen.py
这个结果意味着,我们成功的使用bad.py
调用了subprocess_popen.py
中所引用的subprocess
,成功touch
了一个bad.txt
的文件。
到这里我们的背景案例演示结束,但我们需要重新梳理这些案例中所包含的逻辑:我们原本是希望在自己的系统中不引入python的沙箱逃逸问题,我们会对其他人传递过来的代码进行扫描,如使用下文中将要介绍的bandit
工具来屏蔽subprocess
等"危险函数"。而如果我们在自己写的python库或者引入的第三方python库中存在类似于subprocess
的引用,这就会导致我们的屏蔽失效,用户可以任意的通过这些引用的搭桥直接调用subprocess
的函数功能。因此,在特殊的条件要求下,我们需要对自己的代码进行安全函数扫描,以免为其他人的系统带来不可预期的安全风险。bandit
只是其中的一种安全函数扫描的工具,接下来我们介绍一下其基本安装和使用方法。
用pip安装bandit
这里直接使用pip
来安装bandit
,有需要的也可以从源码直接安装。关于在pip
的使用中配置国内镜像源的方法,可以参考这篇中对python安装第三方库的介绍。
[dechin@dechin-manjaro bandit_test]$ python3 -m pip install bandit collecting bandit downloading bandit-1.7.0-py3-none-any.whl (115 kb) |████████████████████████████████| 115 kb 101 kb/s requirement already satisfied: pyyaml>=5.3.1 in /home/dechin/anaconda3/lib/python3.8/site-packages (from bandit) (5.3.1) collecting gitpython>=1.0.1 downloading gitpython-3.1.12-py3-none-any.whl (159 kb) |████████████████████████████████| 159 kb 28 kb/s requirement already satisfied: six>=1.10.0 in /home/dechin/anaconda3/lib/python3.8/site-packages (from bandit) (1.15.0) collecting stevedore>=1.20.0 downloading stevedore-3.3.0-py3-none-any.whl (49 kb) |████████████████████████████████| 49 kb 25 kb/s collecting gitdb<5,>=4.0.1 downloading gitdb-4.0.5-py3-none-any.whl (63 kb) |████████████████████████████████| 63 kb 28 kb/s collecting pbr!=2.1.0,>=2.0.0 downloading pbr-5.5.1-py2.py3-none-any.whl (106 kb) |████████████████████████████████| 106 kb 26 kb/s collecting smmap<4,>=3.0.1 downloading smmap-3.0.5-py2.py3-none-any.whl (25 kb) installing collected packages: smmap, gitdb, gitpython, pbr, stevedore, bandit successfully installed gitpython-3.1.12 bandit-1.7.0 gitdb-4.0.5 pbr-5.5.1 smmap-3.0.5 stevedore-3.3.0
安装结束之后,可以通过以下指令验证是否安装成功:
[dechin@dechin-manjaro bandit_test]$ bandit -h usage: bandit [-h] [-r] [-a {file,vuln}] [-n context_lines] [-c config_file] [-p profile] [-t tests] [-s skips] [-l] [-i] [-f {csv,custom,html,json,screen,txt,xml,yaml}] [--msg-template msg_template] [-o [output_file]] [-v] [-d] [-q] [--ignore-nosec] [-x excluded_paths] [-b baseline] [--ini ini_path] [--exit-zero] [--version] [targets [targets ...]] bandit - a python source code security analyzer positional arguments: targets source file(s) or directory(s) to be tested optional arguments: -h, --help show this help message and exit -r, --recursive find and process files in subdirectories -a {file,vuln}, --aggregate {file,vuln} aggregate output by vulnerability (default) or by filename -n context_lines, --number context_lines maximum number of code lines to output for each issue -c config_file, --configfile config_file optional config file to use for selecting plugins and overriding defaults -p profile, --profile profile profile to use (defaults to executing all tests) -t tests, --tests tests comma-separated list of test ids to run -s skips, --skip skips comma-separated list of test ids to skip -l, --level report only issues of a given severity level or higher (-l for low, -ll for medium, -lll for high) -i, --confidence report only issues of a given confidence level or higher (-i for low, -ii for medium, -iii for high) -f {csv,custom,html,json,screen,txt,xml,yaml}, --format {csv,custom,html,json,screen,txt,xml,yaml} specify output format --msg-template msg_template specify output message template (only usable with --format custom), see custom format section for list of available values -o [output_file], --output [output_file] write report to filename -v, --verbose output extra information like excluded and included files -d, --debug turn on debug mode -q, --quiet, --silent only show output in the case of an error --ignore-nosec do not skip lines with # nosec comments -x excluded_paths, --exclude excluded_paths comma-separated list of paths (glob patterns supported) to exclude from scan (note that these are in addition to the excluded paths provided in the config file) (default: .svn,cvs,.bzr,.hg,.git,__pycache__,.tox,.eggs,*.egg) -b baseline, --baseline baseline path of a baseline report to compare against (only json-formatted files are accepted) --ini ini_path path to a .bandit file that supplies command line arguments --exit-zero exit with 0, even with results found --version show program's version number and exit custom formatting ----------------- available tags: {abspath}, {relpath}, {line}, {test_id}, {severity}, {msg}, {confidence}, {range} example usage: default template: bandit -r examples/ --format custom --msg-template \ "{abspath}:{line}: {test_id}[bandit]: {severity}: {msg}" provides same output as: bandit -r examples/ --format custom tags can also be formatted in python string.format() style: bandit -r examples/ --format custom --msg-template \ "{relpath:20.20s}: {line:03}: {test_id:^8}: defect: {msg:>20}" see python documentation for more information about formatting style: https://docs.python.org/3/library/string.html the following tests were discovered and loaded: ----------------------------------------------- b101 assert_used b102 exec_used b103 set_bad_file_permissions b104 hardcoded_bind_all_interfaces b105 hardcoded_password_string b106 hardcoded_password_funcarg b107 hardcoded_password_default b108 hardcoded_tmp_directory b110 try_except_pass b112 try_except_continue b201 flask_debug_true b301 pickle b302 marshal b303 md5 b304 ciphers b305 cipher_modes b306 mktemp_q b307 eval b308 mark_safe b309 httpsconnection b310 urllib_urlopen b311 random b312 telnetlib b313 xml_bad_celementtree b314 xml_bad_elementtree b315 xml_bad_expatreader b316 xml_bad_expatbuilder b317 xml_bad_sax b318 xml_bad_minidom b319 xml_bad_pulldom b320 xml_bad_etree b321 ftplib b323 unverified_context b324 hashlib_new_insecure_functions b325 tempnam b401 import_telnetlib b402 import_ftplib b403 import_pickle b404 import_subprocess b405 import_xml_etree b406 import_xml_sax b407 import_xml_expat b408 import_xml_minidom b409 import_xml_pulldom b410 import_lxml b411 import_xmlrpclib b412 import_httpoxy b413 import_pycrypto b501 request_with_no_cert_validation b502 ssl_with_bad_version b503 ssl_with_bad_defaults b504 ssl_with_no_version b505 weak_cryptographic_key b506 yaml_load b507 ssh_no_host_key_verification b601 paramiko_calls b602 subprocess_popen_with_shell_equals_true b603 subprocess_without_shell_equals_true b604 any_other_function_with_shell_equals_true b605 start_process_with_a_shell b606 start_process_with_no_shell b607 start_process_with_partial_path b608 hardcoded_sql_expressions b609 linux_commands_wildcard_injection b610 django_extra_used b611 django_rawsql_used b701 jinja2_autoescape_false b702 use_of_mako_templates b703 django_mark_safe
从这个列表中的屏蔽函数我们可以看出所谓的"危险函数"到底都有哪些,比如常用的subprocess
和random
都被包含在内。subprocess
是因为其对shell的调用而被列为"危险函数",而random
则是因为其伪随机数的性质(这里简单说明一下,现在一般推荐使用secrets
中的所谓安全随机数,但是实际上只有量子叠加测量才能够真正实现真随机数)。
bandit常用使用方法
直接对py
文件进行扫描:
[dechin@dechin-manjaro bandit_test]$ bandit subprocess_popen.py [main] info profile include tests: none [main] info profile exclude tests: none [main] info cli include tests: none [main] info cli exclude tests: none [main] info running on python 3.8.5 [node_visitor] info unable to find qualified name for module: subprocess_popen.py run started:2021-01-26 15:31:00.425603 test results: >> issue: [b404:blacklist] consider possible security implications associated with subprocess module. severity: low confidence: high location: subprocess_popen.py:3 more info: https://bandit.readthedocs.io/en/latest/blacklists/blacklist_imports.html#b404-import-subprocess 2 3 import subprocess 4 import uuid -------------------------------------------------- >> issue: [b602:subprocess_popen_with_shell_equals_true] subprocess call with shell=true identified, security issue. severity: high confidence: high location: subprocess_popen.py:6 more info: https://bandit.readthedocs.io/en/latest/plugins/b602_subprocess_popen_with_shell_equals_true.html 5 6 subprocess.popen('touch ' + str(uuid.uuid1()) +'.txt', shell = true) -------------------------------------------------- code scanned: total lines of code: 3 total lines skipped (#nosec): 0 run metrics: total issues (by severity): undefined: 0.0 low: 1.0 medium: 0.0 high: 1.0 total issues (by confidence): undefined: 0.0 low: 0.0 medium: 0.0 high: 2.0 files skipped (0):
通过对刚才所创建的调用了危险函数subprocess
的py文件subprocess_popen.py
的扫描,我们识别出了其中的"危险函数",注意这里的issue
编号是602
,定级是severity: low confidence: high
。但是如果我们用bandit
去扫描利用了其他函数对危险函数的调用搭桥来二次调用的bad.py
文件,我们发现是另外一种结果:
[dechin@dechin-manjaro bandit_test]$ bandit bad.py [main] info profile include tests: none [main] info profile exclude tests: none [main] info cli include tests: none [main] info cli exclude tests: none [main] info running on python 3.8.5 [node_visitor] info unable to find qualified name for module: bad.py run started:2021-01-26 15:30:47.370468 test results: >> issue: [b404:blacklist] consider possible security implications associated with subprocess module. severity: low confidence: high location: bad.py:3 more info: https://bandit.readthedocs.io/en/latest/blacklists/blacklist_imports.html#b404-import-subprocess 2 3 from subprocess_popen import subprocess as subprocess 4 5 subprocess.popen('touch bad.txt', shell = true) -------------------------------------------------- >> issue: [b604:any_other_function_with_shell_equals_true] function call with shell=true parameter identified, possible security issue. severity: medium confidence: low location: bad.py:5 more info: https://bandit.readthedocs.io/en/latest/plugins/b604_any_other_function_with_shell_equals_true.html 4 5 subprocess.popen('touch bad.txt', shell = true) -------------------------------------------------- code scanned: total lines of code: 2 total lines skipped (#nosec): 0 run metrics: total issues (by severity): undefined: 0.0 low: 1.0 medium: 1.0 high: 0.0 total issues (by confidence): undefined: 0.0 low: 1.0 medium: 0.0 high: 1.0 files skipped (0):
注意这里虽然实现的功能跟上面那个例子是一样的,但是这里的issue
编号为604
,定级也变成了severity: medium confidence: low
。这里的关键并不是定级变成了什么,而是定级被改变了,这是因为bandit
是通过对字符串的处理来识别危险函数的,因此对于这种二次调用的特殊场景,bandit
不一定都能够准确的识别出来对危险函数的调用,甚至可能出现二次调用后,完全无法识别风险函数的使用的可能性。
2.扫描一个目录下的所有py
文件,并将结果写入txt
文件
[dechin@dechin-manjaro bandit_test]$ bandit *.py -o test_bandit.txt -f txt [main] info profile include tests: none [main] info profile exclude tests: none [main] info cli include tests: none [main] info cli exclude tests: none [main] info running on python 3.8.5 [node_visitor] info unable to find qualified name for module: bad.py [node_visitor] info unable to find qualified name for module: subprocess_popen.py [text] info text output written to file: test_bandit.txt
该案例就扫描了当前目录下的所有py文件,其实就是bad.py
和subprocess_popen.py
这两个,并且将最终的扫描结果保存至test_bandit.txt
文件中,这里我们就不展示txt文件的具体内容,大概就是将上一章节的两个执行结果进行了整合。
3.扫描一个目录下的多层文件夹中的py
文件,并将结果写入html
文件
假如我们有如下所示的一个目录结构需要进行扫描测试:
[dechin@dechin-manjaro bandit_test]$ tree . ├── bad.py ├── bad.txt ├── level2 │ └── test_random.py ├── subprocess_popen.py ├── test_bandit.html └── test_bandit.txt 1 directory, 6 files [dechin@dechin-manjaro bandit_test]$ cat level2/test_random.py # test_bandit.py import random a = random.random()
我们可以在当前目录下执行如下指令:
[dechin@dechin-manjaro bandit_test]$ bandit -r . -f html -o test_bandit.html [main] info profile include tests: none [main] info profile exclude tests: none [main] info cli include tests: none [main] info cli exclude tests: none [main] info running on python 3.8.5 [html] info html output written to file: test_bandit.html
这里我们得到的结果是一个test_bandit.html
文件,文件内容如下图所示:
4.使用配置文件禁用部分issue
在执行目录下创建一个.bandit
文件,作如下配置就可以避免对b404
的审查:
[bandit] skips: b404
执行的扫描结果如下图所示,我们可以看到b404
相关的issue已经不在列表中了:
5.在py
文件中直接逃避bandit
审计
在待扫描的py文件的对应风险函数后加上如下注释,即可在bandit
审计过程中自动忽略:
# bad.py from subprocess_popen import subprocess as sb sb.popen('touch bad.txt', shell = 1) # nosec
这里我们可以看到最终的审计结果中,b604
也随之而不见了,如下图所示。从这个案例中我们也可以知悉,bandit
并不是一个用来作安全防护的工具,仅仅是用来做比较初步的python代码安全函数使用规范的审查工作,而扫描出来的问题是否处理,其实最终还是取决于开发者自己。
bandit简单性能测试
众所周知python语言的性能是极其受限的,因此bandit的性能也有可能十分的低下,这里让我们来定量的测试一下bandit的性能到底在什么水准。首先我们创建一个10000行的py文件,内容全部为危险函数的使用:
# gen.py import os with open('test_bandit_power.py', 'w') as py_file: py_file.write('import subprocess as sb\n') for i in range(10000): py_file.write('sb.popen(\'whoami\', shell = 1)\n')
通过执行python3 gen.py
就可以生成一个10000行的危险函数文件test_bandit_power.py
,大约300kb的大小。此时我们针对这单个的文件进行bandit
扫描测试,我们发现这个过程极为漫长,并且生成了大量的错误日志:
[dechin@dechin-manjaro bandit_test]$ time bandit test_bandit_power.py -f html -o test_power.html [main] info profile include tests: none [main] info profile exclude tests: none [main] info cli include tests: none [main] info cli exclude tests: none [main] info running on python 3.8.5 [node_visitor] info unable to find qualified name for module: test_bandit_power.py [html] info html output written to file: test_power.html real 0m6.239s user 0m6.082s sys 0m0.150s
我们可以简单估算,如果10000行的代码都需要6s
的时间来进行扫描,那么对于比较大的项目的1000000+
的代码的扫描时间,则有可能达到10min
往上,这个时间虽然也不是特别长,但是对于大型的项目而言这绝对不是一个非常高效的选择。
总结概要
在一些对安全性要求较高的开发项目中,有可能会禁止使用危险函数,如subprocess
等。而bandit
的作用旨在通过对代码的扫描自动化的给出安全危险函数分析意见,至于是否采纳,还是以不同项目的管理者需求为准。同时经过我们的测试发现,bandit
在实际使用场景下性能表现并不如意,因此在大型项目中我们并不推荐使用,如果一定要使用也可以考虑进行针对性的配置。
版权声明
本文首发链接为:
作者id:dechinphy
更多原著文章请参考:
上一篇: http协议学习笔记(2)
下一篇: STOMP协议规范