Remove checks for Python2 urllib (#999)

ericwb · web-flow · commit 02d73e94750a · 2023-03-13T12:22:58.000-07:00
Removal of checks for Python2 version of urllib and urllib2. Fixes #998 Signed-off-by: Eric Brown <eric_wade_brown@yahoo.com>
diff --git a/bandit/blacklists/calls.py b/bandit/blacklists/calls.py
@@ -493,16 +493,10 @@ def gen_blacklist():
             "B310",
             issue.Cwe.PATH_TRAVERSAL,
             [
-                "urllib.urlopen",
                 "urllib.request.urlopen",
-                "urllib.urlretrieve",
                 "urllib.request.urlretrieve",
-                "urllib.URLopener",
                 "urllib.request.URLopener",
-                "urllib.FancyURLopener",
                 "urllib.request.FancyURLopener",
-                "urllib2.urlopen",
-                "urllib2.Request",
                 "six.moves.urllib.request.urlopen",
                 "six.moves.urllib.request.urlretrieve",
                 "six.moves.urllib.request.URLopener",
diff --git a/examples/urlopen.py b/examples/urlopen.py
@@ -1,43 +1,18 @@
-''' Example dangerous usage of urllib[2] opener functions
+''' Example dangerous usage of urllib.request opener functions
 
-The urllib and urllib2 opener functions and object can open http, ftp,
+The urllib.request opener functions and object can open http, ftp,
 and file urls. Often, the ability to open file urls is overlooked leading
 to code that can unexpectedly open files on the local server. This
 could be used by an attacker to leak information about the server.
 '''
 
-
-import urllib
-import urllib2
-
 # Python 3
 import urllib.request
 
 # Six
 import six
 
 def test_urlopen():
-    # urllib
-    url = urllib.quote('file:///bin/ls')
-    urllib.urlopen(url, 'blah', 32)
-    urllib.urlretrieve('file:///bin/ls', '/bin/ls2')
-    opener = urllib.URLopener()
-    opener.open('file:///bin/ls')
-    opener.retrieve('file:///bin/ls')
-    opener = urllib.FancyURLopener()
-    opener.open('file:///bin/ls')
-    opener.retrieve('file:///bin/ls')
-
-    # urllib2
-    handler = urllib2.HTTPBasicAuthHandler()
-    handler.add_password(realm='test',
-                         uri='http://mysite.com',
-                         user='bob')
-    opener = urllib2.build_opener(handler)
-    urllib2.install_opener(opener)
-    urllib2.urlopen('file:///bin/ls')
-    urllib2.Request('file:///bin/ls')
-
     # Python 3
     urllib.request.urlopen('file:///bin/ls')
     urllib.request.urlretrieve('file:///bin/ls', '/bin/ls2')
diff --git a/tests/functional/test_functional.py b/tests/functional/test_functional.py
@@ -513,8 +513,8 @@ def test_subprocess_shell(self):
     def test_urlopen(self):
         """Test for dangerous URL opening."""
         expect = {
-            "SEVERITY": {"UNDEFINED": 0, "LOW": 0, "MEDIUM": 14, "HIGH": 0},
-            "CONFIDENCE": {"UNDEFINED": 0, "LOW": 0, "MEDIUM": 0, "HIGH": 14},
+            "SEVERITY": {"UNDEFINED": 0, "LOW": 0, "MEDIUM": 8, "HIGH": 0},
+            "CONFIDENCE": {"UNDEFINED": 0, "LOW": 0, "MEDIUM": 0, "HIGH": 8},
         }
         self.check_example("urlopen.py", expect)
 
