Using shell=False, to make sure default arguments are set, would trigger DUO116:subprocess module with shell=True

This PR allows shell=False.

$ cat -n /tmp/shell.py 
     1  #!/usr/bin/python3
     2  
     3  import subprocess
     4  
     5  command = "/bin/echo"
     6  
     7  subprocess.call(command, shell=False)
     8  subprocess.call(command, shell=True)
     9  subprocess.call(command, shell=False)
$ python3 -m flake8 /tmp/shell.py 
/tmp/shell.py:3:1: S404 Consider possible security implications associated with subprocess module.
/tmp/shell.py:7:1: S603 subprocess call - check for execution of untrusted input.
/tmp/shell.py:8:1: DUO116 use of "shell=True" is insecure in "subprocess" module
/tmp/shell.py:8:1: S602 subprocess call with shell=True identified, security issue.
/tmp/shell.py:9:1: S603 subprocess call - check for execution of untrusted input.
$ python3 -m flake8 -h
[...]
Installed plugins: dlint: 0.10.3, flake8-bandit: 2.1.2, flake8-bugbear:
20.1.4, flake8-darglint: 1.5.5, flake8-executable: 2.0.4, flake8_deprecated:
1.2, mccabe: 0.6.1, naming: 0.11.1, pycodestyle: 2.6.0, pyflakes: 2.2.0,
radon: 4.3.2

Signed-off-by: Thomas Sjögren [email protected]

Hi!

Section Correct code at https://github.com/dlint-py/dlint/blob/master/docs/linters/DUO121.md#correct-code seems overly complicated to me. Could you elaborate why tempfile.mkstemp is being avoided?

Thanks and best, Sebastian

This is a built-in flag that affirms the code is not using md5 for security-related purposes. In my code's case, I'm manually calculating a checksum as required by the AWS S3 API.

closes #4

As issue states, multiple ast nodes have been replaced with ast.Constant. dlint seems to only use ast.Str and NameConstant, so that's what I replaced.

I also looked for any of the corresponding visit_node functions, and they are not used in the repo.

Hi there! I've worked in the python security space before and came across this project. I wanted to start helping and figured the best way is to look around and do some low-hanging fruit cleanup of code.

I found:

• one location where a util func is unused
• code that supported old py versions. I see dlint only supports 3.6+.

should also close #40

Installing the package using pip with the --no-binary flag fails, because no sdist is available on PyPi

$ python -m pip install dlint --no-binary :all:
ERROR: Could not find a version that satisfies the requirement dlint (from versions: none)
ERROR: No matching distribution found for dlint

Please upgrade dlint to support flake8>=4. There doesn't appear to be any breaking changes that will affect dlint.

https://flake8.pycqa.org/en/latest/release-notes/4.0.0.html#backwards-incompatible-changes

What is the relationship between dlint and bandit?

What I can see:

• dlint is a flake8 plugin while bandit is a project of its own (there is flake8-bandit, though)
• bandit is part of PyCQA which includes also flake8 and flake8-bugbear
• bandit has 2700 GitHub stars, dlint has 45

Could somebody maybe point out reasons to use one or the other? Do you maybe use both together? Is there an overlap between the communities?

defusedxml is not capable of creating Element or SubElement

Whitelisting in bad_xml_use.py

@property
    def whitelisted_modules(self):
        return [
            'xml.sax.saxutils',
            'xml.etree.ElementTree.Element',
            'xml.etree.ElementTree.SubElement',
        ]

would help solve this.

A work around could then be used as follows:

from xml.etree.ElementTree import Element, SubElement

import defusedxml.ElementTree as ET

ET.Element = _ElementType = Element
ET.SubElement = SubElement

Note that we still disallow

from xml.etree.ElementTree import parse

FYI: os.EX_OK isn't available on Windows and fails when running flake8 --print-dlint-linters

Not sure what the appropriate substitute is, but I'd be happy to test any changes

https://github.com/dlint-py/dlint/blob/828a156eead73e4140ddc6925ff85bf65424fabb/dlint/extension.py#L46

Similar to these community actions: https://github.com/sdras/awesome-actions

We should build an action for Dlint. Bonus points for running Dlint against Dlint :)

Would it be possible to remove the upper bound on flake8 requirement?

https://iscinumpy.dev/post/bound-version-constraints/

If not, can we get that bumped up to flake8<7 please?

Closes #16

The goal is to detect when a user uses the built-in input function with an arg or kwarg of string containing "password". Unit tests demonstrate when this may be a false positive, such as input("Please enter your name. Please do not enter your password")

First pass attempt, would love feedback.

DUO101 is Python 3.3 only, and these versions are no longer supported by dlint.

Other than removing the md file in docs and the linter itself plus its tests, what are the other deprecation procedures?

DUO108 is outdated in the following ways:

1. it mentions Python 2, deprecated by dlint
2. it says it only runs for Python 2, but that doesn't seem to be the case
3. it suggests use of raw_input which is also deprecated in py3

Anything else?

Python 3.6 was deprecated 8 months ago so it would be good to drop it. Locations to update:

1. setup.py 3.6 mention
2. look for any usage of sys.version_info that needs to be updated accordingly