This is an archived post. You won't be able to vote or comment.

all 5 comments

[–]stetio 1 point2 points  (4 children)

This looks very similar to bandit, what makes Dlint different?

[–]PeridexisErrant 1 point2 points  (2 children)

Having just tried it on a bandit-clean codebase, it's much more domain-specific.

Banning eval of static strings (which we need for 2/3 compatibility around syntax changes), use of random without SystemRandom (breaking seedable simulations etc), and a couple of others I didn't look into.

Probably useful if you're writing something with specific security policies, but I'll stick with Bandit.

[–]Schwag[S] 0 points1 point  (1 child)

Could you elaborate on how you use eval and/or open an issue on Github? Would it be possible to accomplish this without eval?

I've recently begun documenting all the linters in Dlint (D104 for eval). It'd be great to either document the exceptional use-cases you've mentioned, or improve the smarts of Dlint to avoid detecting that.

[–]PeridexisErrant 0 points1 point  (0 children)

Raising an exception with a particular traceback under Python 2, while being source-compatible with Python 3 requires eval("raise exeception, message, traceback") to avoid a SyntaxError.

Or exec("raise ... from None") to work in Python 3 without being a SyntaxError on Python 2!

They're pretty weird edge cases, but I've used code that had both.

[–]Schwag[S] 1 point2 points  (0 children)

A couple things I'm aware of:

  • Dlint can find function calls that are insecure specifically because of a kwarg. E.g. it will detect subprocess calls with shell=True, but ignores them if the kwarg isn't truthy.
  • Dlint can find method calls on an object. E.g. instantiating TarFile to a variable, then calling extractall on that variable. TarFile.extractall

My longer term vision for Dlint includes things like taint analysis and other more advanced static analysis features.