Enable B307 "eval" bandit check

-Annotated or updated where needed. Change-Id: I7148aaf8cc418dce35e160b696fd48ea40d764a9
gizmo84 · Jul 12, 2023 · 9259dcf · 9259dcf
1 parent 2620557
commit 9259dcf
Show file tree

Hide file tree

Showing 4 changed files with 11 additions and 8 deletions.
diff --git a/bandit.yaml b/bandit.yaml
@@ -95,7 +95,6 @@ skips:
   - B104  # hardcoded_bind_all_interfaces
   - B108  # hardcoded_tmp_directory
   - B302  # marshal
-  - B307  # eval
   - B314  # xml_bad_ElementTree
   - B318  # xml_bad_minidom
   - B323  # unverified_context

diff --git a/cmk/base/api/agent_based/register/check_plugins_legacy.py b/cmk/base/api/agent_based/register/check_plugins_legacy.py
@@ -90,7 +90,9 @@ def _resolve_string_parameters(
         # Since Checkmk 2.0 we have a better API and need it only for compatibility. The parameters
         # are resolved now *before* they are written to the autochecks file, and earlier autochecks
         # files are resolved during cmk-update-config.
-        return eval(params_unresolved, context, context)  # pylint: disable=eval-used
+        return eval(  # nosec B307 # BNS:1c6cc2 # pylint: disable=eval-used
+            params_unresolved, context, context
+        )
     except Exception:
         raise ValueError(
             "Invalid check parameter string '%s' found in discovered service %r"

diff --git a/tests/bandit-nosec-markers/bandit-exclusions.md b/tests/bandit-nosec-markers/bandit-exclusions.md
@@ -20,8 +20,10 @@ Note that Bandit is picky about the exact format.
 | `BNS:c3c5e9` | `B301` | `PackedConfigStore` loads a config from file via `pickle.load`. The path is hard-coded to `cmk.utils.paths.core_helper_config_dir` in `ConfigPath`, which is only writable by the site user. |
 | `BNS:e9bfaa` | `B303` | Only used to display fingerprints and in testing. |
 | `BNS:f6c1b9` | `B605` | Shell command has been reviewed. |
-| `BNS:c29b0e` | `B103` | A python file is compiled and marked as executable |
-| `BNS:ce45cd` | `B103` | Creates a spoolfile, this is probably ought to be deleted by the other process |
-| `BNS:7e6b08` | `B103` | We set the traverse permission on a folder, since there are files which needs to be world accessible |
-| `BNS:a29406` | `B102` | User defined input expected within executed files such as custom entries within agent plugin .cfg files |
-| `BNS:aee528` | `B102` | Config file data would be in an expected format however alternatives handle process threads different which may impact timings or cause hanging when loading configurations |
+| `BNS:c29b0e` | `B103` | A python file is compiled and marked as executable. |
+| `BNS:ce45cd` | `B103` | Creates a spoolfile, this is probably ought to be deleted by the other process. |
+| `BNS:7e6b08` | `B103` | We set the traverse permission on a folder, since there are files which needs to be world accessible.|
+| `BNS:a29406` | `B102` | User defined input expected within executed files such as custom entries within agent plugin .cfg files. |
+| `BNS:aee528` | `B102` | Config file data would be in an expected format however alternatives handle process threads different which may impact timings or cause hanging when loading configurations. |
+| `BNS:9666b8` | `B307` | Used to validate that literal_eval still replicates the desired results expected from eval. |
+| `BNS:1c6cc2` | `B307` | Literal_eval cannot be used evaluate non-string fields. |
diff --git a/tests/testlib/event_console.py b/tests/testlib/event_console.py
@@ -83,7 +83,7 @@ def query(self, query: bytes) -> Any:
             if not chunk:
                 break
 
-        return eval(response_text)  # pylint: disable=eval-used
+        return eval(response_text)  # nosec B307 # BNS:1c6cc2 # pylint: disable=eval-used
 
     def query_table_assoc(self, query: bytes) -> list[dict]:
         response = self.query(query)