How do I skip/ignore certain issues in a Python bandit security report?

Newbie here, please bear with me.

I have a bunch of django_mark_safe errors:

>> Issue: [B703:django_mark_safe] Potential XSS on mark_safe function.
   Severity: Medium   Confidence: High
   Location: ...
   More Info: https://bandit.readthedocs.io/en/latest/plugins/b703_django_mark_safe.html
54 return mark_safe(f'<a href="{url}" target="_blank">{title}</a>')

>> Issue: [B308:blacklist] Use of mark_safe() may expose cross-site scripting vulnerabilities and should be reviewed.
   Severity: Medium   Confidence: High
   Location: ...
   More Info: https://bandit.readthedocs.io/en/latest/blacklists/blacklist_calls.html#b308-mark-safe
54 return mark_safe(f'<a href="{url}" target="_blank">{title}</a>')

I am curious whether there is a way to skip or ignore these lines? I know that using mark_safe can be dangerous, but what if I want to take the risk? For example, this method is the only way to display custom links in the Django admin, so I don't know how to do that without mark_safe.

Originally posted by ramusus; the translation follows the CC BY-SA 4.0 license.
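An added example, not code from the question or from Django: the f-string + mark_safe pattern the report flags, placed beside a hardened version. Escaping is done with the standard library so it runs without Django installed; `_escape` makes the same substitutions as django.utils.html.escape, and `safe_link` is what you would write in real admin code with django.utils.html.format_html, which escapes its arguments and returns a SafeString, so mark_safe is not needed and bandit has nothing to flag. Assumed: `url` and `title` are untrusted model fields, and only http(s) links are wanted in the admin column.

```python
"""Added example (not from the original question): the f-string + mark_safe
pattern from the question beside a hardened version, with the escaping done
by the standard library so it runs without Django installed.

Assumptions: `url` and `title` are untrusted model fields, and only http(s)
links are wanted in the admin column.
"""
import html
from urllib.parse import urlsplit

# Assumption: the admin column should only ever link to web URLs.
ALLOWED_SCHEMES = {"http", "https"}


def _escape(value) -> str:
    """Same five substitutions as django.utils.html.escape: & < > " '."""
    return html.escape(str(value), quote=True)


def unsafe_link(url, title) -> str:
    """The pattern bandit reports as B703/B308: values are interpolated
    verbatim, so a title such as '<script>...</script>' or a url such as
    'x" onmouseover="alert(1)' lands in the page unescaped."""
    return f'<a href="{url}" target="_blank">{title}</a>'


def safe_link(url, title) -> str:
    """Hardened version.

    1. Escaping: both interpolated values go through `_escape`, which is what
       format_html('<a href="{}" target="_blank">{}</a>', url, title) does in
       Django (the stdlib call here stands in for it).
    2. Scheme check: escaping cannot stop a 'javascript:alert(1)' href, because
       that is a perfectly valid attribute value. Anything that is not http(s)
       is rendered as plain text instead of a link.
    """
    scheme = urlsplit(str(url).strip()).scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return _escape(title)
    return f'<a href="{_escape(url)}" target="_blank">{_escape(title)}</a>'


if __name__ == "__main__":
    evil_title = "<script>alert(1)</script>"
    print(unsafe_link("https://example.com", evil_title))
    print(safe_link("https://example.com", evil_title))
    print(safe_link("javascript:alert(1)", "click me"))
```

In the admin class the method body becomes a single `format_html(...)` call; note that `format_html` only escapes, so the scheme allowlist (or Django's URLValidator on the model field) is still needed if the URL itself is user-controlled.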


Beware of # nosec comments on multi-line statements:

Given:

li_without_nosec = [
    "select * from %s where 1 = 1 "
    % "foo"
]

li_nosec_at_start_works = [  # nosec - ✅ and you can put a comment
    "select * from %s where 1 = 1 "
    % "foo"
]

# nosec - there's an enhancement request for a marker on the line above
li_nosec_on_top_doesntwork = [
    "select * from %s where 1 = 1 "
    % "foo"
]

li_nosec_at_end_doesntwork = [
    "select * from %s where 1 = 1 "
    % "foo"
]  # nosec

Output:

>> Issue: [B608:hardcoded_sql_expressions] Possible SQL injection vector through string-based query construction.
   Severity: Medium   Confidence: Low
   Location: test.py:3
   More Info: https://bandit.readthedocs.io/en/latest/plugins/b608_hardcoded_sql_expressions.html
2   li_without_nosec = [
3       "select * from %s where 1 = 1 "
4       % "foo"
5   ]

--------------------------------------------------
>> Issue: [B608:hardcoded_sql_expressions] Possible SQL injection vector through string-based query construction.
   Severity: Medium   Confidence: Low
   Location: test.py:15
   More Info: https://bandit.readthedocs.io/en/latest/plugins/b608_hardcoded_sql_expressions.html
14  li_nosec_on_top_doesntwork = [
15      "select * from %s where 1 = 1 "
16      % "foo"
17  ]

--------------------------------------------------
>> Issue: [B608:hardcoded_sql_expressions] Possible SQL injection vector through string-based query construction.
   Severity: Medium   Confidence: Low
   Location: test.py:21
   More Info: https://bandit.readthedocs.io/en/latest/plugins/b608_hardcoded_sql_expressions.html
20  li_nosec_at_end_doesntwork = [
21      "select * from %s where 1 = 1 "
22      % "foo"
23  ]  # nosec

Black

Hopefully Black does not come along and restructure the lines, moving the # nosec.

So much for hope... Black does move things around whenever a line gets too long, just like it does with pylint directives. At that point the # nosec is done for.

You can proactively break the line yourself and put the # nosec in the first position. Or you can wait for Black and adjust as needed.

Originally posted by JL Peyret; the translation follows the CC BY-SA 4.0 license.
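An added example, not code from the answer or from bandit: a standard-library model of the # nosec placement rule the answer's output shows. It reproduces the observed behaviour, namely that a # nosec comment silences findings inside any statement or expression that starts on the commented physical line (the whole subtree under it), which is why the comment has to sit on the first line of a multi-line statement. `is_sql_format` is a stand-in for bandit's B608 check, reduced to "a %-formatted string literal starting with select", and SOURCE is the answer's four snippets, constructed here.

```python
"""Added example (not from the answer, not bandit's code): a stdlib model of
the `# nosec` placement rule. A finding is suppressed when the node that
produced it, or any node above it, starts on a line carrying `# nosec`.
SOURCE is a constructed copy of the answer's four snippets."""
import ast
import io
import re
import tokenize

# bandit accepts both "#nosec" and "# nosec"
NOSEC_RE = re.compile(r"#\s*nosec\b")

SOURCE = '''\
li_without_nosec = [
    "select * from %s where 1 = 1 "
    % "foo"
]

li_nosec_at_start_works = [  # nosec - and you can put a comment
    "select * from %s where 1 = 1 "
    % "foo"
]

# nosec - comment on its own line
li_nosec_on_top_doesntwork = [
    "select * from %s where 1 = 1 "
    % "foo"
]

li_nosec_at_end_doesntwork = [
    "select * from %s where 1 = 1 "
    % "foo"
]  # nosec
'''


def nosec_lines(source: str) -> set:
    """Physical line numbers that carry a `# nosec` comment. The tokenizer is
    used so that the word 'nosec' inside a string literal does not count."""
    lines = set()
    for tok in tokenize.generate_tokens(io.StringIO(source).readline):
        if tok.type == tokenize.COMMENT and NOSEC_RE.search(tok.string):
            lines.add(tok.start[0])
    return lines


def is_sql_format(node: ast.AST) -> bool:
    """Stand-in for B608: `"select ..." % args`."""
    return (
        isinstance(node, ast.BinOp)
        and isinstance(node.op, ast.Mod)
        and isinstance(node.left, ast.Constant)
        and isinstance(node.left.value, str)
        and node.left.value.lower().startswith("select")
    )


def report(source: str) -> list:
    """Return (finding_line, suppressed) for every finding in `source`.

    A finding is suppressed when it, or any node above it, starts on a line
    that carries `# nosec`. That is the rule that makes the first-line
    placement work and the "on top" and "at end" placements fail: nothing
    starts on a comment-only line or on the closing `]` line."""
    skip = nosec_lines(source)
    out = []

    def visit(node: ast.AST, suppressed: bool) -> None:
        if getattr(node, "lineno", None) in skip:
            suppressed = True  # whole subtree is skipped from here down
        if is_sql_format(node):
            out.append((node.lineno, suppressed))
        for child in ast.iter_child_nodes(node):
            visit(child, suppressed)

    visit(ast.parse(source), False)
    return out


def reported_lines(source: str) -> list:
    """Lines bandit would still print: findings not covered by a `# nosec`."""
    return [line for line, suppressed in report(source) if not suppressed]


if __name__ == "__main__":
    for line, suppressed in report(SOURCE):
        print(f"line {line}: {'suppressed' if suppressed else 'reported'}")
```

Running it prints three reported findings (lines 2, 13 and 18 of SOURCE) and one suppressed (line 7), matching the answer's bandit output. Recent bandit versions also accept test IDs after the marker, for example `# nosec B608`, which limits the suppression to that one check; the placement rule is the same.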
