Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Audit url open for permitted schemes. Allowing use of "file:" or custom schemes is often unexpected

Tags:

python

pytest

codacy

I am using this statement in Python

 jsonreq = json.dumps({'jsonrpc': '2.0', 'id': 'qwer', 'method': 'aria2.pauseAll'})
 jsonreq = jsonreq.encode('ascii')
 c = urllib.request.urlopen('http://localhost:6800/jsonrpc', jsonreq)

In this I am getting this warning/error when I perform code quality test

Audit url open for permitted schemes. Allowing use of "file:" or custom schemes is often unexpected.

like image 218
Kapil Sharma Avatar asked Feb 14 '18 03:02

Kapil Sharma

3 Answers

Because I stumbled upon this question and the accepted answer did not work for me, I researched this myself:

Why urlib is a security risk

urlib not only opens http:// or https:// URLs, but also ftp:// and file://. With this it might be possible to open local files on the executing machine which might be a security risk if the URL to open can be manipulated by an external user.

How to fix this

You are yourself responsible to validate the URL before opening it with urllib. E.g.

if url.lower().startswith('http'):
  req = urllib.request.Request(url)
else:
  raise ValueError from None

with urllib.request.urlopen(req) as resp:
  [...]

How to fix this so the linter (e.g. bandit) does no longer complain

At least bandit has a simple blacklist for the function call. As long as you use urllib, the linter will raise a warning. Even if you DO validate your input like shown above. (Or even use hardcoded URLs).

Add a #nosec comment to the line to suppress the warning from bandit or look up the suppression keyword for your linter/code-checker. It's best practice to also add additional comments stating WHY you think this is not worth a warning in your case.

like image 118
Chaos_99 Avatar answered Oct 07 '22 08:10

Chaos_99

I think this is what you need

import urllib.request

req = urllib.request.Request('http://www.example.com')
with urllib.request.urlopen(req) as response:
    the_page = response.read()
like image 8
LAMRIN TAWSRAS Avatar answered Oct 07 '22 08:10

LAMRIN TAWSRAS

For the people who couldn't solve it by above answers. You could use requests library instead, which is not black listed in bandit.

https://bandit.readthedocs.io/en/latest/blacklists/blacklist_calls.html#b310-urllib-urlopen

import requests

url = 'http://www.example.com'
the_page = requests.get(url)

print(the_page.json()) # if the response is json
print(the_page.text) # if the response is some text
like image 3
mhoshdev Avatar answered Oct 07 '22 08:10

mhoshdev
Sign in to Comment

Related questions

Why is my object properly removed from a list when __eq__ isn't being called?
ValueError when using pandas.read_json
Why does the escape key have a delay in Python curses?
pandas: How to work with _iLocIndexer?
Multiline statements using Python doctest
flake8/pylint fails in Tox testing environment, raises InvocationError
Python install failed windows 8.1- Error 0x80240017: Failed to execute MSU package
Why won't dynamically adding a `__call__` method to an instance work?
Matplotlib: Center text in its bbox
Analysing Time Series in Python - pandas formatting error - statsmodels
Python and OpenSSL version reference issue on OS X
Formatting Lists into columns of a table output (python 3)
argparse: How to make mutually exclusive arguments optional?
Huge space between title and plot matplotlib
How to return a string from pandas.DataFrame.info()
filter pandas dataframe for past x days
Invalid and/or missing SSL certificate for URL when calling apiclient.discovery.build
How to convert pandas dataframe to nested dictionary
Apply a method to a list of objects in parallel using multi-processing
Extract verb phrases using Spacy

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!