blacklist_imports — Bandit documentation (2024)

Blacklist various Python imports known to be dangerous

This blacklist data checks for a number of Python modules known to have possible security implications. The following blacklist tests are run against any import statements or calls encountered in the scanned code base.

Note that the XML rules listed here are mostly based on Christian Heimes’ work on defusedxml: https://pypi.org/project/defusedxml/
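To make the import half of this check concrete, here is a small re-implementation written for this page (it is not Bandit's own code): it walks Import and ImportFrom nodes with the ast module, matches the qualified name against the module list from the tables below, and reports the Bandit ID and severity. The matching rule (a listed module, or anything imported from beneath one such as telnetlib.Telnet) and the skipping of relative imports are this example's own simplifications and may differ in detail from Bandit's matcher.

```python
import ast

# Subset of the blacklist_imports table from this page: ID -> (name, severity, modules).
BLACKLIST = {
    "B401": ("import_telnetlib", "high", ("telnetlib",)),
    "B402": ("import_ftplib", "high", ("ftplib",)),
    "B403": ("import_pickle", "low", ("pickle", "cPickle", "dill", "shelve")),
    "B404": ("import_subprocess", "low", ("subprocess",)),
    "B405": ("import_xml_etree", "low", ("xml.etree.cElementTree", "xml.etree.ElementTree")),
    "B406": ("import_xml_sax", "low", ("xml.sax",)),
    "B407": ("import_xml_expat", "low", ("xml.dom.expatbuilder",)),
    "B408": ("import_xml_minidom", "low", ("xml.dom.minidom",)),
    "B409": ("import_xml_pulldom", "low", ("xml.dom.pulldom",)),
    "B410": ("import_lxml", "low", ("lxml",)),
    "B411": ("import_xmlrpclib", "high", ("xmlrpclib",)),
    "B412": ("import_httpoxy", "high", ("wsgiref.handlers.CGIHandler", "twisted.web.twcgi.CGIScript")),
}


def _match(qualname, lineno):
    """Flag qualname if it is a listed module or anything imported from beneath one."""
    hits = []
    for test_id, (name, severity, modules) in BLACKLIST.items():
        if any(qualname == m or qualname.startswith(m + ".") for m in modules):
            hits.append((test_id, name, severity, qualname, lineno))
    return hits


def scan_source(source):
    """Return (id, name, severity, qualname, lineno) tuples for blacklisted imports, in line order."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            for alias in node.names:
                findings.extend(_match(alias.name, node.lineno))
        # Relative imports (level > 0) refer to the package itself, never to these stdlib modules.
        elif isinstance(node, ast.ImportFrom) and node.level == 0 and node.module:
            for alias in node.names:
                findings.extend(_match(f"{node.module}.{alias.name}", node.lineno))
    return sorted(findings, key=lambda f: f[4])


# Constructed sample input; lines 2-6 should each produce one finding, line 7 none.
SAMPLE = """\
import os
import subprocess
from xml.etree import ElementTree as ET
from telnetlib import Telnet
import pickle, json
from wsgiref.handlers import CGIHandler
from .pickle import local_helper
"""
```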

B401: import_telnetlib

A telnet-related module is being imported. Telnet is considered insecure. Use SSH or some other encrypted protocol.

ID: B401
Name: import_telnetlib
Imports:
  • telnetlib
Severity: high

B402: import_ftplib

An FTP-related module is being imported. FTP is considered insecure. Use SSH/SFTP/SCP or some other encrypted protocol.

ID: B402
Name: import_ftplib
Imports:
  • ftplib
Severity: high

B403: import_pickle

Consider possible security implications associated with these modules.

ID: B403
Name: import_pickle
Imports:
  • pickle
  • cPickle
  • dill
  • shelve
Severity: low

B404: import_subprocess

Consider possible security implications associated with these modules.

ID: B404
Name: import_subprocess
Imports:
  • subprocess
Severity: low

B405: import_xml_etree

Using various methods to parse untrusted XML data is known to be vulnerable to XML attacks. Replace vulnerable imports with the equivalent defusedxml package, or make sure defusedxml.defuse_stdlib() is called.

ID: B405
Name: import_xml_etree
Imports:
  • xml.etree.cElementTree
  • xml.etree.ElementTree
Severity: low

B406: import_xml_sax

Using various methods to parse untrusted XML data is known to be vulnerable to XML attacks. Replace vulnerable imports with the equivalent defusedxml package, or make sure defusedxml.defuse_stdlib() is called.

ID: B406
Name: import_xml_sax
Imports:
  • xml.sax
Severity: low

B407: import_xml_expat

Using various methods to parse untrusted XML data is known to be vulnerable to XML attacks. Replace vulnerable imports with the equivalent defusedxml package, or make sure defusedxml.defuse_stdlib() is called.

ID: B407
Name: import_xml_expat
Imports:
  • xml.dom.expatbuilder
Severity: low

B408: import_xml_minidom

Using various methods to parse untrusted XML data is known to be vulnerable to XML attacks. Replace vulnerable imports with the equivalent defusedxml package, or make sure defusedxml.defuse_stdlib() is called.

ID: B408
Name: import_xml_minidom
Imports:
  • xml.dom.minidom
Severity: low

B409: import_xml_pulldom

Using various methods to parse untrusted XML data is known to be vulnerable to XML attacks. Replace vulnerable imports with the equivalent defusedxml package, or make sure defusedxml.defuse_stdlib() is called.

ID: B409
Name: import_xml_pulldom
Imports:
  • xml.dom.pulldom
Severity: low

B410: import_lxml

Using various methods to parse untrusted XML data is known to be vulnerable to XML attacks. Replace vulnerable imports with the equivalent defusedxml package.

ID: B410
Name: import_lxml
Imports:
  • lxml
Severity: low

B411: import_xmlrpclib

XMLRPC is particularly dangerous as it is also concerned with communicating data over a network. Use the defused.xmlrpc.monkey_patch() function to monkey-patch xmlrpclib and mitigate remote XML attacks.

ID: B411
Name: import_xmlrpclib
Imports:
  • xmlrpclib
Severity: high

B412: import_httpoxy

httpoxy is a set of vulnerabilities that affect application code running in CGI, or CGI-like environments. The use of CGI for web applications should be avoided to prevent this class of attack. More details are available at https://httpoxy.org/.

ID: B412
Name: import_httpoxy
Imports:
  • wsgiref.handlers.CGIHandler
  • twisted.web.twcgi.CGIScript
Severity: high

B413: import_pycrypto

The pycrypto library is known to have a publicly disclosed buffer overflow vulnerability (https://github.com/dlitz/pycrypto/issues/176). It is no longer actively maintained and has been deprecated in favor of the pyca/cryptography library.

ID: B413
Name: import_pycrypto
Imports:
  • Crypto.Cipher
  • Crypto.Hash
  • Crypto.IO
  • Crypto.Protocol
  • Crypto.PublicKey
  • Crypto.Random
  • Crypto.Signature
  • Crypto.Util
Severity: high

B414: import_pycryptodome

This import blacklist has been removed. The information here has been left for historical purposes.

pycryptodome is a direct fork of pycrypto that has not fully addressed the issues inherent in PyCrypto. It seems to exist, mainly, as an API compatible continuation of pycrypto and should be deprecated in favor of pyca/cryptography, which has more support among the Python community.

ID: B414
Name: import_pycryptodome
Imports:
  • Cryptodome.Cipher
  • Cryptodome.Hash
  • Cryptodome.IO
  • Cryptodome.Protocol
  • Cryptodome.PublicKey
  • Cryptodome.Random
  • Cryptodome.Signature
  • Cryptodome.Util
Severity: high