I get a bunch of django_mark_safe errors:
>> Issue: [B703:django_mark_safe] Potential XSS on mark_safe function.
Severity: Medium Confidence: High
Location: ...
More Info: https://bandit.readthedocs.io/en/latest/plugins/b703_django_mark_safe.html
54 return mark_safe(f'<a href="{url}" target="_blank">{title}</a>')
>> Issue: [B308:blacklist] Use of mark_safe() may expose cross-site scripting vulnerabilities and should be reviewed.
Severity: Medium Confidence: High
Location: ...
More Info: https://bandit.readthedocs.io/en/latest/blacklists/blacklist_calls.html#b308-mark-safe
54 return mark_safe(f'<a href="{url}" target="_blank">{title}</a>')

I'm curious whether there is a way to skip or ignore these lines? I know that using mark_safe can be dangerous, but what if I want to take that risk? For example, this is the only way to display a custom link in the Django admin, so I don't know what other option I could use without mark_safe.
Posted on 2018-10-02 23:26:19
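As an added example that is not part of the question or of any answer on this page: the flagged line from the question, reproduced and then hardened, written without Django so it runs stand-alone. `link_unsafe` is the questioner's pattern (values interpolated verbatim, which is why bandit reports B703/B308 once the result goes through mark_safe); `link_safe` escapes both values with the stdlib `html.escape` and adds a URL-scheme allow-list. In Django, `django.utils.html.format_html()` performs the same escaping of its arguments and returns a SafeString, so the admin link can be built without calling mark_safe at all. The scheme check, the `is_allowed_url` helper and the attacker-controlled strings `EVIL_TITLE` and `EVIL_URL` are constructed for illustration and do not come from the original thread.

```python
"""Added example (not from the original thread): the question's flagged
line, reproduced and then hardened, without Django so it runs stand-alone.

Assumption: the stdlib html.escape stands in for Django's escaping.  In
Django, django.utils.html.format_html() escapes its arguments the same
way and returns a SafeString, so no mark_safe() call is needed.  The
URL-scheme allow-list is an additional guard that escaping alone does not
give you.
"""
from html import escape
from urllib.parse import urlsplit

# Assumption: admin links are web URLs or relative paths.  An empty scheme
# means a relative URL such as /admin/app/model/1/change/.
ALLOWED_SCHEMES = {"", "http", "https"}

# Constructed attacker-controlled values (not from the original page):
# a title that closes the <a> and injects a script, and a javascript: URL.
EVIL_TITLE = "</a><script>alert(document.cookie)</script>"
EVIL_URL = "javascript:alert(1)"


def link_unsafe(url: str, title: str) -> str:
    """The questioner's pattern: both values interpolated verbatim.

    In the real code this string is passed to mark_safe(), which tells the
    Django template engine not to escape it, so any markup inside url or
    title reaches the browser as-is.  That is what B703/B308 warn about.
    Kept here only to show the failure mode.
    """
    return f'<a href="{url}" target="_blank">{title}</a>'


def is_allowed_url(url: str) -> bool:
    """True if url is a relative path or an http(s) URL.

    Escaping does not neutralise a javascript: URL: it is valid attribute
    content and runs when the link is clicked, so the scheme is checked
    separately.  Control characters are rejected outright because browsers
    strip tabs and newlines before parsing, which would let
    "java\\tscript:" slip past a naive scheme check.
    """
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in url):
        return False
    return urlsplit(url.strip()).scheme.lower() in ALLOWED_SCHEMES


def link_safe(url: str, title: str) -> str:
    """Build the same admin link with every interpolated value escaped.

    escape(..., quote=True) converts <, >, &, " and ' to entities, so the
    title cannot close the anchor or open a <script>, and the url cannot
    break out of the href attribute.  With Django you would return
    format_html('<a href="{}" target="_blank">{}</a>', url, title) instead.
    """
    if not is_allowed_url(url):
        raise ValueError(f"refusing link with disallowed URL: {url!r}")
    return (
        f'<a href="{escape(url, quote=True)}" target="_blank">'
        f"{escape(title, quote=True)}</a>"
    )


if __name__ == "__main__":
    print("unsafe:", link_unsafe("https://example.com", EVIL_TITLE))
    print("safe:  ", link_safe("https://example.com", EVIL_TITLE))
    print("javascript: URL allowed?", is_allowed_url(EVIL_URL))
```

If the link really must be assembled as a string and wrapped in mark_safe, the values still have to be escaped first, exactly as `link_safe` does; the `# nosec` marker discussed in the answers below only silences bandit, it does not make the interpolation safe.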
Posted on 2020-04-27 04:19:10
Caveats on annotating multiple lines with # nosec

Given:
li_without_nosec = [
"select * from %s where 1 = 1 "
% "foo"
]
li_nosec_at_start_works = [ # nosec - ✅ and you can put a comment
"select * from %s where 1 = 1 "
% "foo"
]
# nosec - there's an enhancement request to marker above line
li_nosec_on_top_doesntwork = [
"select * from %s where 1 = 1 "
% "foo"
]
li_nosec_at_end_doesntwork = [
"select * from %s where 1 = 1 "
% "foo"
] # nosec

Output:
>> Issue: [B608:hardcoded_sql_expressions] Possible SQL injection vector through string-based query construction.
Severity: Medium Confidence: Low
Location: test.py:3
More Info: https://bandit.readthedocs.io/en/latest/plugins/b608_hardcoded_sql_expressions.html
2 li_without_nosec = [
3 "select * from %s where 1 = 1 "
4 % "foo"
5 ]
--------------------------------------------------
>> Issue: [B608:hardcoded_sql_expressions] Possible SQL injection vector through string-based query construction.
Severity: Medium Confidence: Low
Location: test.py:15
More Info: https://bandit.readthedocs.io/en/latest/plugins/b608_hardcoded_sql_expressions.html
14 li_nosec_on_top_doesntwork = [
15 "select * from %s where 1 = 1 "
16 % "foo"
17 ]
--------------------------------------------------
>> Issue: [B608:hardcoded_sql_expressions] Possible SQL injection vector through string-based query construction.
Severity: Medium Confidence: Low
Location: test.py:21
More Info: https://bandit.readthedocs.io/en/latest/plugins/b608_hardcoded_sql_expressions.html
20 li_nosec_at_end_doesntwork = [
21 "select * from %s where 1 = 1 "
22 % "foo"
23 ] # nosec

Black

Here's hoping black doesn't get involved, reorganize the lines and move the # nosec.

Wishful thinking... black does move things around whenever lines get too long, just as it does with pylint directives. At that point the # nosec ends up at the end.

You can proactively split the line and put # nosec on the first line. Or you can wait for black to run and then adjust if needed.
Posted on 2020-05-10 05:41:55

To complete this topic - in my case I had to get rid of the B322: input rule and didn't want to write # nosec every time this issue was found in the code, or always run Bandit with the --skip flag.

So if you want to omit a rule for the whole solution, you can create a .bandit file in the project root. There you can write the rules that should be skipped every time, for example:

[bandit]
skips: B322

Then Bandit will skip this check by default, without needing any extra comments in the code.
https://stackoverflow.com/questions/52596576