IndexError: list index out of range #545

Closed
kamathe opened this issue Oct 9, 2019 · 6 comments · Fixed by #930
Labels
bug Something isn't working

Comments


kamathe commented Oct 9, 2019

Bandit version

(bandit) [root@test BD]# bandit --version
bandit 1.6.2
python version = 2.7.5 (default, Jun 11 2019, 12:19:05) [GCC 4.8.5 20150623 (Red Hat 4.8.5-36)]
(bandit) [root@test BD]#

Actual error

ERROR	Bandit internal error running: weak_cryptographic_key on file ./ansible/lib/ansible/modules/crypto/openssl_privatekey.py at line 521: list index out of range
Traceback (most recent call last):
  File "/BD/bandit/lib/python2.7/site-packages/bandit/core/tester.py", line 62, in run_tests
    result = test(context, test._config)
  File "/BD/bandit/lib/python2.7/site-packages/bandit/plugins/weak_cryptographic_key.py", line 139, in weak_cryptographic_key
    return (_weak_crypto_key_size_cryptography_io(context, config) or
  File "/BD/bandit/lib/python2.7/site-packages/bandit/plugins/weak_cryptographic_key.py", line 115, in _weak_crypto_key_size_cryptography_io
    context.call_args[arg_position[key_type]])
IndexError: list index out of range
@ericwb ericwb added the bug Something isn't working label Oct 9, 2019

sonrohan commented Oct 10, 2019

Can you print out the output of key_type before this line? https://github.com/PyCQA/bandit/blob/master/bandit/plugins/weak_cryptographic_key.py#L115

Author

kamathe commented Oct 10, 2019

@sonrohan Check highlighted text below

(bandit) [root@test BD]# bandit ansible/lib/ansible/modules/crypto/openssl_privatekey.py
[main]	INFO	profile include tests: None
[main]	INFO	profile exclude tests: None
[main]	INFO	cli include tests: None
[main]	INFO	cli exclude tests: None
[main]	INFO	running on Python 2.7.5
**-----------------------------
key_type : EC
-----------------------------**
[tester]	ERROR	Bandit internal error running: weak_cryptographic_key on file ansible/lib/ansible/modules/crypto/openssl_privatekey.py at line 521: list index out of range
Traceback (most recent call last):
  File "/BD/bandit/lib/python2.7/site-packages/bandit/core/tester.py", line 62, in run_tests
    result = test(context, test._config)
  File "/BD/bandit/lib/python2.7/site-packages/bandit/plugins/weak_cryptographic_key.py", line 142, in weak_cryptographic_key
    return (_weak_crypto_key_size_cryptography_io(context, config) or
  File "/BD/bandit/lib/python2.7/site-packages/bandit/plugins/weak_cryptographic_key.py", line 118, in _weak_crypto_key_size_cryptography_io
    context.call_args[arg_position[key_type]])
IndexError: list index out of range

Contributor

amacfie commented Jan 1, 2020

Bandit assumes that if your code calls this function, you are supplying the positional argument curve. If not, you get this error.


szuliq commented Sep 30, 2020

Why does it need to be positional? It's perfectly valid Python code to supply it as keyword argument. Therefore I claim this is a bug in bandit, do you agree?

Member

ericwb commented Jul 11, 2022

This occurs when the keyword is an ast.Call in this case. Bandit cannot determine the value of any such call, so it should ignore, but not throw a traceback.

Member

ericwb commented Jul 11, 2022

An example which exhibits the problem:

ec.generate_private_key(
    curve=curves[self.curve]['create'](self.size),
    backend=backends.default_backend()
)
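
The lookup behaviour discussed in this thread, as an added example that is not Bandit's own code and not written by any participant: a small `ast`-based check where one resolver falls back to the first positional argument whenever the `curve` keyword has no statically known value, and one treats that case as undeterminable. The function names, the `WEAK_CURVES` set and the sample source are assumptions constructed for illustration.

```python
import ast

# Illustrative set of curve names treated as weak, for this example only.
WEAK_CURVES = {"SECP192R1", "SECT163K1", "SECT163R2"}

# Constructed sample input: positional, keyword, and keyword-with-call forms.
SAMPLE = '''
ec.generate_private_key(ec.SECP192R1, backend)
ec.generate_private_key(curve=ec.SECP384R1, backend=backend)
ec.generate_private_key(
    curve=curves[self.curve]['create'](self.size),
    backend=backends.default_backend()
)
'''


def _static_name(node):
    """Return the name a node refers to, or None if it would need evaluation."""
    if isinstance(node, ast.Attribute):
        return node.attr
    if isinstance(node, ast.Name):
        return node.id
    return None  # ast.Call, ast.Subscript, ...: value unknown statically


def curve_fragile(call):
    """Keyword lookup that falls back to args[0] whenever nothing was resolved."""
    kw = {k.arg: _static_name(k.value) for k in call.keywords}
    return kw.get("curve") or _static_name(call.args[0])  # IndexError if no args


def curve_robust(call):
    """Same lookup, but an unresolvable or absent curve yields None."""
    for k in call.keywords:
        if k.arg == "curve":
            return _static_name(k.value)  # None means: cannot determine, skip
    return _static_name(call.args[0]) if call.args else None


def scan(source, resolver):
    """Return (lineno, curve, is_weak) for every generate_private_key call."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                and node.func.attr == "generate_private_key"):
            curve = resolver(node)
            findings.append((node.lineno, curve, curve in WEAK_CURVES))
    return sorted(findings, key=lambda f: f[0])
```

`scan(SAMPLE, curve_fragile)` raises `IndexError` on the third call, while `scan(SAMPLE, curve_robust)` still reports the weak curve on the first call and records the third as undetermined.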

ericwb added a commit to ericwb/bandit that referenced this issue Jul 11, 2022
The weak_cryptographic_key assumes a positional arg when it doesn't
find a value for the keyword arg. The issue is that sometimes the
keyword arg is an ast.Call or other indeterminate values. And as
a result throws a Traceback.

This change will make the plugin a little more robust so it doesn't
throw the Traceback. It won't be able to determine the value of the
curve in this case, but can ignore it.

Fixes PyCQA#545

Signed-off-by: Eric Brown <eric_wade_brown@yahoo.com>
ericwb added a commit that referenced this issue Jul 12, 2022
The weak_cryptographic_key assumes a positional arg when it doesn't
find a value for the keyword arg. The issue is that sometimes the
keyword arg is an ast.Call or other indeterminate values. And as
a result throws a Traceback.

This change will make the plugin a little more robust so it doesn't
throw the Traceback. It won't be able to determine the value of the
curve in this case, but can ignore it.

Fixes #545

Signed-off-by: Eric Brown <eric_wade_brown@yahoo.com>