click 7.1.2
Cory Francis Myers edited this page Sep 21, 2021
Click has had 42 releases between 28 April 2014 and 19 May 2021.
Click is one of the Pallets Projects "independently developed by Armin Ronacher and later used as the basis of the Flask microframework".
Bandit found 7 high-severity issues. All are in src/click/_termui_impl.py, which provides platform-specific implementations of interactive terminal features. Every one of the seven is an os.system() or subprocess.Popen(shell=True) call on a command line assembled with str.format(); in several of them the interpolated value is a filename or URL protected only by surrounding double quotes, so a value that itself contains a double quote can end the quoting early and start a second shell command. Whether that is exploitable depends on whether an attacker can influence the filename or URL the calling program passes in. The single medium-severity issue, the tempfile.mktemp() call at line 408, is in the same file.
cfm@ozymandias{1066}$ bandit -r src [~/Downloads/click-7.1.2 12:21]
[main] INFO profile include tests: None
[main] INFO profile exclude tests: None
[main] INFO cli include tests: None
[main] INFO cli exclude tests: None
[main] INFO running on Python 3.9.6
Run started:2021-09-21 19:21:41.685514
Test results:
>> Issue: [B110:try_except_pass] Try, Except, Pass detected.
Severity: Low Confidence: High
Location: src/click/_compat.py:82
More Info: https://bandit.readthedocs.io/en/latest/plugins/b110_try_except_pass.html
81 self.flush()
82 except Exception:
83 pass
84 return self.buffer.write(str(x))
--------------------------------------------------
>> Issue: [B110:try_except_pass] Try, Except, Pass detected.
Severity: Low Confidence: High
Location: src/click/_compat.py:94
More Info: https://bandit.readthedocs.io/en/latest/plugins/b110_try_except_pass.html
93 self.detach()
94 except Exception:
95 pass
96
--------------------------------------------------
>> Issue: [B110:try_except_pass] Try, Except, Pass detected.
Severity: Low Confidence: High
Location: src/click/_compat.py:212
More Info: https://bandit.readthedocs.io/en/latest/plugins/b110_try_except_pass.html
211 fileno = f.fileno()
212 except Exception:
213 pass
214 else:
--------------------------------------------------
>> Issue: [B110:try_except_pass] Try, Except, Pass detected.
Severity: Low Confidence: High
Location: src/click/_compat.py:227
More Info: https://bandit.readthedocs.io/en/latest/plugins/b110_try_except_pass.html
226 fileno = f.fileno()
227 except Exception:
228 pass
229 else:
--------------------------------------------------
>> Issue: [B110:try_except_pass] Try, Except, Pass detected.
Severity: Low Confidence: High
Location: src/click/_compat.py:303
More Info: https://bandit.readthedocs.io/en/latest/plugins/b110_try_except_pass.html
302 return False
303 except Exception:
304 pass
305 return default
--------------------------------------------------
>> Issue: [B311:blacklist] Standard pseudo-random generators are not suitable for security/cryptographic purposes.
Severity: Low Confidence: High
Location: src/click/_compat.py:564
More Info: https://bandit.readthedocs.io/en/latest/blacklists/blacklist_calls.html#b311-random
563 os.path.dirname(filename),
564 ".__atomic-write{:08x}".format(random.randrange(1 << 32)),
565 )
--------------------------------------------------
>> Issue: [B110:try_except_pass] Try, Except, Pass detected.
Severity: Low Confidence: High
Location: src/click/_compat.py:718
More Info: https://bandit.readthedocs.io/en/latest/plugins/b110_try_except_pass.html
717 _ansi_stream_wrappers[stream] = rv
718 except Exception:
719 pass
720 return rv
--------------------------------------------------
>> Issue: [B110:try_except_pass] Try, Except, Pass detected.
Severity: Low Confidence: High
Location: src/click/_compat.py:764
More Info: https://bandit.readthedocs.io/en/latest/plugins/b110_try_except_pass.html
763 cache[stream] = rv
764 except Exception:
765 pass
766 return rv
--------------------------------------------------
>> Issue: [B605:start_process_with_a_shell] Starting a process with a shell: Seems safe, but may be changed in the future, consider rewriting without shell
Severity: Low Confidence: High
Location: src/click/_termui_impl.py:340
More Info: https://bandit.readthedocs.io/en/latest/plugins/b605_start_process_with_a_shell.html
339 return _tempfilepager(generator, "more <", color)
340 if hasattr(os, "system") and os.system("(less) 2>/dev/null") == 0:
341 return _pipepager(generator, "less", color)
--------------------------------------------------
>> Issue: [B607:start_process_with_partial_path] Starting a process with a partial executable path
Severity: Low Confidence: High
Location: src/click/_termui_impl.py:340
More Info: https://bandit.readthedocs.io/en/latest/plugins/b607_start_process_with_partial_path.html
339 return _tempfilepager(generator, "more <", color)
340 if hasattr(os, "system") and os.system("(less) 2>/dev/null") == 0:
341 return _pipepager(generator, "less", color)
--------------------------------------------------
>> Issue: [B605:start_process_with_a_shell] Starting a process with a shell, possible injection detected, security issue.
Severity: High Confidence: High
Location: src/click/_termui_impl.py:348
More Info: https://bandit.readthedocs.io/en/latest/plugins/b605_start_process_with_a_shell.html
347 try:
348 if hasattr(os, "system") and os.system('more "{}"'.format(filename)) == 0:
349 return _pipepager(generator, "more", color)
--------------------------------------------------
>> Issue: [B404:blacklist] Consider possible security implications associated with subprocess module.
Severity: Low Confidence: High
Location: src/click/_termui_impl.py:359
More Info: https://bandit.readthedocs.io/en/latest/blacklists/blacklist_imports.html#b404-import-subprocess
358 """
359 import subprocess
360
361 env = dict(os.environ)
--------------------------------------------------
>> Issue: [B602:subprocess_popen_with_shell_equals_true] subprocess call with shell=True identified, security issue.
Severity: High Confidence: High
Location: src/click/_termui_impl.py:374
More Info: https://bandit.readthedocs.io/en/latest/plugins/b602_subprocess_popen_with_shell_equals_true.html
373
374 c = subprocess.Popen(cmd, shell=True, stdin=subprocess.PIPE, env=env)
375 encoding = get_best_encoding(c.stdin)
--------------------------------------------------
>> Issue: [B306:blacklist] Use of insecure and deprecated function (mktemp).
Severity: Medium Confidence: High
Location: src/click/_termui_impl.py:408
More Info: https://bandit.readthedocs.io/en/latest/blacklists/blacklist_calls.html#b306-mktemp-q
407
408 filename = tempfile.mktemp()
409 # TODO: This never terminates if the passed generator never terminates.
--------------------------------------------------
>> Issue: [B605:start_process_with_a_shell] Starting a process with a shell, possible injection detected, security issue.
Severity: High Confidence: High
Location: src/click/_termui_impl.py:417
More Info: https://bandit.readthedocs.io/en/latest/plugins/b605_start_process_with_a_shell.html
416 try:
417 os.system('{} "{}"'.format(cmd, filename))
418 finally:
--------------------------------------------------
>> Issue: [B605:start_process_with_a_shell] Starting a process with a shell, possible injection detected, security issue.
Severity: High Confidence: High
Location: src/click/_termui_impl.py:447
More Info: https://bandit.readthedocs.io/en/latest/plugins/b605_start_process_with_a_shell.html
446 for editor in "sensible-editor", "vim", "nano":
447 if os.system("which {} >/dev/null 2>&1".format(editor)) == 0:
448 return editor
--------------------------------------------------
>> Issue: [B404:blacklist] Consider possible security implications associated with subprocess module.
Severity: Low Confidence: High
Location: src/click/_termui_impl.py:452
More Info: https://bandit.readthedocs.io/en/latest/blacklists/blacklist_imports.html#b404-import-subprocess
451 def edit_file(self, filename):
452 import subprocess
453
454 editor = self.get_editor()
--------------------------------------------------
>> Issue: [B602:subprocess_popen_with_shell_equals_true] subprocess call with shell=True identified, security issue.
Severity: High Confidence: High
Location: src/click/_termui_impl.py:462
More Info: https://bandit.readthedocs.io/en/latest/plugins/b602_subprocess_popen_with_shell_equals_true.html
461 c = subprocess.Popen(
462 '{} "{}"'.format(editor, filename), env=environ, shell=True,
463 )
464 exit_code = c.wait()
--------------------------------------------------
>> Issue: [B404:blacklist] Consider possible security implications associated with subprocess module.
Severity: Low Confidence: High
Location: src/click/_termui_impl.py:507
More Info: https://bandit.readthedocs.io/en/latest/blacklists/blacklist_imports.html#b404-import-subprocess
506 def open_url(url, wait=False, locate=False):
507 import subprocess
508
509 def _unquote_file(url):
--------------------------------------------------
>> Issue: [B603:subprocess_without_shell_equals_true] subprocess call - check for execution of untrusted input.
Severity: Low Confidence: High
Location: src/click/_termui_impl.py:527
More Info: https://bandit.readthedocs.io/en/latest/plugins/b603_subprocess_without_shell_equals_true.html
526 try:
527 return subprocess.Popen(args, stderr=null).wait()
528 finally:
--------------------------------------------------
>> Issue: [B605:start_process_with_a_shell] Starting a process with a shell, possible injection detected, security issue.
Severity: High Confidence: High
Location: src/click/_termui_impl.py:538
More Info: https://bandit.readthedocs.io/en/latest/plugins/b605_start_process_with_a_shell.html
537 )
538 return os.system(args)
539 elif CYGWIN:
--------------------------------------------------
>> Issue: [B605:start_process_with_a_shell] Starting a process with a shell, possible injection detected, security issue.
Severity: High Confidence: High
Location: src/click/_termui_impl.py:545
More Info: https://bandit.readthedocs.io/en/latest/plugins/b605_start_process_with_a_shell.html
544 args = 'cygstart {} "{}"'.format("-w" if wait else "", url.replace('"', ""))
545 return os.system(args)
546
--------------------------------------------------
>> Issue: [B607:start_process_with_partial_path] Starting a process with a partial executable path
Severity: Low Confidence: High
Location: src/click/_termui_impl.py:552
More Info: https://bandit.readthedocs.io/en/latest/plugins/b607_start_process_with_partial_path.html
551 url = _unquote_file(url)
552 c = subprocess.Popen(["xdg-open", url])
553 if wait:
--------------------------------------------------
>> Issue: [B603:subprocess_without_shell_equals_true] subprocess call - check for execution of untrusted input.
Severity: Low Confidence: High
Location: src/click/_termui_impl.py:552
More Info: https://bandit.readthedocs.io/en/latest/plugins/b603_subprocess_without_shell_equals_true.html
551 url = _unquote_file(url)
552 c = subprocess.Popen(["xdg-open", url])
553 if wait:
--------------------------------------------------
>> Issue: [B404:blacklist] Consider possible security implications associated with subprocess module.
Severity: Low Confidence: High
Location: src/click/_unicodefun.py:67
More Info: https://bandit.readthedocs.io/en/latest/blacklists/blacklist_imports.html#b404-import-subprocess
66 if os.name == "posix":
67 import subprocess
68
69 try:
--------------------------------------------------
>> Issue: [B607:start_process_with_partial_path] Starting a process with a partial executable path
Severity: Low Confidence: High
Location: src/click/_unicodefun.py:70
More Info: https://bandit.readthedocs.io/en/latest/plugins/b607_start_process_with_partial_path.html
69 try:
70 rv = subprocess.Popen(
71 ["locale", "-a"], stdout=subprocess.PIPE, stderr=subprocess.PIPE
72 ).communicate()[0]
--------------------------------------------------
>> Issue: [B603:subprocess_without_shell_equals_true] subprocess call - check for execution of untrusted input.
Severity: Low Confidence: High
Location: src/click/_unicodefun.py:70
More Info: https://bandit.readthedocs.io/en/latest/plugins/b603_subprocess_without_shell_equals_true.html
69 try:
70 rv = subprocess.Popen(
71 ["locale", "-a"], stdout=subprocess.PIPE, stderr=subprocess.PIPE
72 ).communicate()[0]
--------------------------------------------------
>> Issue: [B110:try_except_pass] Try, Except, Pass detected.
Severity: Low Confidence: High
Location: src/click/_winconsole.py:211
More Info: https://bandit.readthedocs.io/en/latest/plugins/b110_try_except_pass.html
210 self.flush()
211 except Exception:
212 pass
213 return self.buffer.write(x)
--------------------------------------------------
>> Issue: [B110:try_except_pass] Try, Except, Pass detected.
Severity: Low Confidence: High
Location: src/click/termui.py:258
More Info: https://bandit.readthedocs.io/en/latest/plugins/b110_try_except_pass.html
257 os.close(fd)
258 except Exception:
259 pass
260 if not cr or not cr[0] or not cr[1]:
--------------------------------------------------
>> Issue: [B605:start_process_with_a_shell] Starting a process with a shell: Seems safe, but may be changed in the future, consider rewriting without shell
Severity: Low Confidence: High
Location: src/click/termui.py:428
More Info: https://bandit.readthedocs.io/en/latest/plugins/b605_start_process_with_a_shell.html
427 if WIN:
428 os.system("cls")
429 else:
--------------------------------------------------
>> Issue: [B607:start_process_with_partial_path] Starting a process with a partial executable path
Severity: Low Confidence: High
Location: src/click/termui.py:428
More Info: https://bandit.readthedocs.io/en/latest/plugins/b607_start_process_with_partial_path.html
427 if WIN:
428 os.system("cls")
429 else:
--------------------------------------------------
>> Issue: [B110:try_except_pass] Try, Except, Pass detected.
Severity: Low Confidence: High
Location: src/click/testing.py:252
More Info: https://bandit.readthedocs.io/en/latest/plugins/b110_try_except_pass.html
251 del os.environ[key]
252 except Exception:
253 pass
254 else:
--------------------------------------------------
>> Issue: [B110:try_except_pass] Try, Except, Pass detected.
Severity: Low Confidence: High
Location: src/click/testing.py:262
More Info: https://bandit.readthedocs.io/en/latest/plugins/b110_try_except_pass.html
261 del os.environ[key]
262 except Exception:
263 pass
264 else:
--------------------------------------------------
>> Issue: [B110:try_except_pass] Try, Except, Pass detected.
Severity: Low Confidence: High
Location: src/click/utils.py:42
More Info: https://bandit.readthedocs.io/en/latest/plugins/b110_try_except_pass.html
41 return func(*args, **kwargs)
42 except Exception:
43 pass
44
--------------------------------------------------
Code scanned:
Total lines of code: 6314
Total lines skipped (#nosec): 0
Run metrics:
Total issues (by severity):
Undefined: 0.0
Low: 26.0
Medium: 1.0
High: 7.0
Total issues (by confidence):
Undefined: 0.0
Low: 0.0
Medium: 0.0
High: 34.0
Files skipped (0):
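The seven high-severity findings above share one shape: a pager, editor or URL-opener command line built with str.format() and handed to os.system() or subprocess.Popen(shell=True). The block below is an added example, not code from Click or from this review. It reproduces that shape with `echo` standing in for the editor so the effect shows on stdout, feeds it a filename that contains a double quote, and places the argv-list form beside it; it also uses tempfile.mkstemp() where Click used the tempfile.mktemp() flagged as B306. It assumes a POSIX /bin/sh and an `echo` binary; the function names, the HOSTILE_NAME sample and the `code --wait` editor setting are constructed for illustration.

```python
# Added example (not Click's code): the string-interpolated command lines
# Bandit flags as B602/B605 in src/click/_termui_impl.py, beside an argv form,
# plus mkstemp() in place of the mktemp() call flagged as B306.
# Assumes a POSIX /bin/sh and an `echo` binary (constructed demo, Linux/macOS).
import os
import shlex
import stat
import subprocess
import tempfile


def shell_command(editor: str, filename: str) -> str:
    """Same shape as Click 7.1.2: '{} "{}"'.format(editor, filename).

    The double quotes stop the shell from splitting on spaces, but a filename
    that itself contains a double quote closes them early.
    """
    return '{} "{}"'.format(editor, filename)


def argv_command(editor: str, filename: str) -> list:
    """Hardened shape: no shell at all.

    The editor setting may legitimately carry flags (e.g. "code --wait"), so it
    is split once with shlex; the filename is appended verbatim as one argv
    element, so no character in it can start a second command.
    """
    return shlex.split(editor) + [filename]


def run_shell(editor: str, filename: str) -> list:
    """Run the interpolated string through /bin/sh; return stdout lines."""
    proc = subprocess.run(shell_command(editor, filename), shell=True,
                          capture_output=True, text=True)
    return proc.stdout.splitlines()


def run_argv(editor: str, filename: str) -> list:
    """Run the argv list directly (no shell); return stdout lines."""
    proc = subprocess.run(argv_command(editor, filename),
                          capture_output=True, text=True)
    return proc.stdout.splitlines()


# Constructed hostile filename: the embedded quote closes Click's "{}" quoting,
# ';' terminates the editor command, and `echo INJECTED` stands in for any
# command an attacker who controls a filename could run.
HOSTILE_NAME = 'notes.txt"; echo INJECTED; "'


def private_tempfile(text: str) -> int:
    """mktemp() only invents a name, so another local user can plant a symlink
    at that path before the caller opens it (B306). mkstemp() creates the file
    atomically with mode 0600 and hands back an open descriptor. Returns the
    permission bits observed on the file, then removes it."""
    fd, path = tempfile.mkstemp(prefix="pager-", suffix=".txt")
    try:
        with os.fdopen(fd, "w") as f:
            f.write(text)
        return stat.S_IMODE(os.stat(path).st_mode)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print("shell:", run_shell("echo", HOSTILE_NAME))   # ['notes.txt', 'INJECTED']
    print("argv :", run_argv("echo", HOSTILE_NAME))    # ['notes.txt"; echo INJECTED; "']
    print("editor with flags:", argv_command("code --wait", HOSTILE_NAME))
    print("tempfile mode: %o" % private_tempfile("demo"))  # 600
```

Under the shell form the second `echo` runs as its own command; under the argv form the whole hostile name reaches `echo` as one argument and is printed back unchanged. Splitting the editor setting with shlex once, rather than the whole line, keeps `EDITOR="code --wait"` working without letting the filename contribute tokens.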
As of this review:
- Click has 11.3K GitHub stars.
- According to https://libraries.io/pypi/click, it is a dependency of 12.4K packages and 54.7K repositories.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Reviewed from:
d2b5255c7c6349bc1bd1e59e08cd12acbbd63ce649f2588755783aa94dfb6b1a click-7.1.2.tar.gz
-----BEGIN PGP SIGNATURE-----
iQEzBAEBCgAdFiEE8m422wF7k3FrJQXVFKLelAvuBhMFAmFKMfkACgkQFKLelAvu
BhNv8Qf+J4Y4HaVD7j5SBo/AFwWsGCETOKFVrU8MPGaqqdvTlyqs4LlKBh123ijQ
FdC6nPaq9zH+pf45FG36xKrGbmPEV9oyCDm19xl6z/oSRy2nQ8Vggra1KM17G/i4
/FGAido1ik2ruMhf2VF3fbE0Kuqz76MkvTx7qIXC7iuH+d0xAlJY01gFker/Pdpm
g9rS7KZsBBUeQK6uXXADKXlsq40lT8FRZqmvHFM9XT7S8AZv517jmJpe6eCGM7IY
w3JHH7yrHj+hO6eNe2YDMBsnrAGHkuoBm+A3Bs3mQm0Ix+4yUs5vhuhSC34UHmlC
vkgDtMdfM03opEeNgqtAvvkLmBlOpQ==
=LRdw
-----END PGP SIGNATURE-----