Add test for usage of FTP_TLS (#1149)
* Performance improvement in blacklist function

The blacklisting function is currently using fnmatch.fnmatch()
to do matching of qualified names of blacklist calls. It seems
it is only used for telnetlib and ftplib where they are setting
the qualified name in a file glob style (telnetlib.*).

This change would slightly break backward compatibility if there
are any third-party plugins that use globbing in the qualified
names for blacklisting. I think the likelihood is small. I also
think it is better to be more explicit in the qualified name
patterns. In the case of ftplib, FTP is insecure, but FTP_TLS is
not. So this already is resolving one false positive.

The other effect of this change is a slight boost to performance.
When scanning cpython prior to this fix, it would take around 1 min.
After the fix, closer to 50 seconds. So a nice little bump in speed.

Fixes: #438

Signed-off-by: Eric Brown <eric_wade_brown@yahoo.com>

* Add test for usage of FTP_TLS

This change adds an FTP_TLS call to the examples. A high severity
error is no longer reported as a result of the fix in PR #1148
that explicitly now matches blacklist call qualified names rather
than using a file glob.

However, you will notice that there is one more high severity
issue reported in the tests as a result of the import of
ftplib.FTP_TLS because the blacklist import is only checking for
"ftplib".

Fixes: #148

Signed-off-by: Eric Brown <eric_wade_brown@yahoo.com>

---------

Signed-off-by: Eric Brown <eric_wade_brown@yahoo.com>
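To make the point in the commit message concrete, here is an added example (not bandit's own code and not part of this commit): a small ast-based resolver that turns each call into a qualified name, then compares the old fnmatch-style matching against explicit-name matching, plus a module-name-only import check. The blacklist entries and the sample source are constructed for illustration (the sample follows the shape of examples/ftplib.py with its imports made consistent). It shows why `ftplib.*` reports `ftplib.FTP_TLS` while an explicit `ftplib.FTP` entry does not, and why an import check keyed only on `ftplib` still reports `from ftplib import FTP_TLS`, which is the two-imports-plus-one-call count the functional test expectation was raised to.

```python
import ast
import fnmatch

# Constructed sample in the shape of examples/ftplib.py after this commit
# (imports made consistent): one plaintext FTP call, one FTP_TLS call.
SAMPLE = """\
from ftplib import FTP
from ftplib import FTP_TLS
import ssl

ftp = FTP('ftp.debian.org')
ftp.login()
ftp.quit()

tls = FTP_TLS("ftp.us.debian.org", context=ssl.create_default_context())
tls.login()
tls.quit()
"""

# Old style: file-glob patterns matched with fnmatch (hypothetical entries).
GLOB_BLACKLIST = ("ftplib.*", "telnetlib.*")
# New style: exact qualified names (hypothetical entries).
EXPLICIT_BLACKLIST = frozenset({"ftplib.FTP", "telnetlib.Telnet"})
# Import check keyed on the module name only (hypothetical entries).
IMPORT_BLACKLIST = frozenset({"ftplib", "telnetlib"})


def _import_aliases(tree):
    """Map each locally bound name to the qualified name it was imported as."""
    aliases = {}
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                aliases[alias.asname or alias.name] = alias.name
        elif isinstance(node, ast.ImportFrom) and node.module:
            for alias in node.names:
                aliases[alias.asname or alias.name] = f"{node.module}.{alias.name}"
    return aliases


def call_qualnames(source):
    """Return the qualified name of every call in `source`, resolving both the
    `import mod; mod.Name()` and the `from mod import Name; Name()` forms."""
    tree = ast.parse(source)
    aliases = _import_aliases(tree)
    names = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        func, parts = node.func, []
        while isinstance(func, ast.Attribute):   # peel a.b.c() down to its base name
            parts.append(func.attr)
            func = func.value
        if isinstance(func, ast.Name):
            parts.append(aliases.get(func.id, func.id))
            names.append(".".join(reversed(parts)))
    return names


def flagged_by_glob(qualnames, patterns=GLOB_BLACKLIST):
    """Old behaviour: 'ftplib.*' also catches ftplib.FTP_TLS (false positive)."""
    return sorted({q for q in qualnames
                   if any(fnmatch.fnmatch(q, p) for p in patterns)})


def flagged_explicitly(qualnames, blacklist=EXPLICIT_BLACKLIST):
    """New behaviour: only the exact qualified names listed are reported."""
    return sorted(set(qualnames) & blacklist)


def blacklisted_imports(source, modules=IMPORT_BLACKLIST):
    """Module-level import check keyed on the module name alone, so
    `from ftplib import FTP_TLS` is reported just like `import ftplib`."""
    tree = ast.parse(source)
    hits = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            hits.extend(a.name for a in node.names if a.name in modules)
        elif isinstance(node, ast.ImportFrom) and node.module in modules:
            hits.append(node.module)
    return hits


if __name__ == "__main__":
    calls = call_qualnames(SAMPLE)
    print("glob matching flags:    ", flagged_by_glob(calls))
    print("explicit matching flags:", flagged_explicitly(calls))
    print("import check flags:     ", blacklisted_imports(SAMPLE))
```

Resolving the alias table first is what makes explicit matching workable: a plain `FTP(...)` call only compares equal to `ftplib.FTP` once the `from ftplib import FTP` binding has been folded in, whereas a glob such as `ftplib.*` never needed that precision and so could not tell `FTP` and `FTP_TLS` apart.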
ericwb committed Jun 24, 2024
1 parent 4208e9d commit 6142b7a
Showing 2 changed files with 18 additions and 3 deletions.
17 changes: 16 additions & 1 deletion examples/ftplib.py
@@ -1,9 +1,24 @@
from ftplib import FTP
from ftplib import FTP_TLS


# bad
ftp = FTP('ftp.debian.org')
ftp.login()

ftp.cwd('debian')
ftp.retrlines('LIST')

ftp.quit()
ftp.quit()

# okay
ftp = ftplib.FTP_TLS(
"ftp.us.debian.org",
context=ssl.create_default_context(),
)
ftp.login()

ftp.cwd("debian")
ftp.retrlines("LIST")

ftp.quit()
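Review bot: the `# okay` block calls `ftplib.FTP_TLS(` and `ssl.create_default_context()`, but the file only has `from ftplib import FTP` and `from ftplib import FTP_TLS`; there is no `import ftplib` and no `import ssl`, so running the example raises NameError and the imported `FTP_TLS` name is never used. Since the point of this test is that an explicit `FTP_TLS` call is not reported, suggest `ftp = FTP_TLS(` together with an `import ssl` line (or `import ftplib` in place of the unused from-import). Keep the `context=ssl.create_default_context()` argument, since that is what gives the connection certificate and hostname verification and makes the "okay" label accurate.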
4 changes: 2 additions & 2 deletions tests/functional/test_functional.py
Expand Up @@ -246,8 +246,8 @@ def test_telnet_usage(self):
def test_ftp_usage(self):
"""Test for `import ftplib` and FTP.* calls."""
expect = {
"SEVERITY": {"UNDEFINED": 0, "LOW": 0, "MEDIUM": 0, "HIGH": 2},
"CONFIDENCE": {"UNDEFINED": 0, "LOW": 0, "MEDIUM": 0, "HIGH": 2},
"SEVERITY": {"UNDEFINED": 0, "LOW": 0, "MEDIUM": 0, "HIGH": 3},
"CONFIDENCE": {"UNDEFINED": 0, "LOW": 0, "MEDIUM": 0, "HIGH": 3},
}
self.check_example("ftplib.py", expect)
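Review bot: raising `expect` to `"HIGH": 3` bakes in the finding that the commit message itself describes as a false positive (the import blacklist reporting `from ftplib import FTP_TLS` because it only checks for "ftplib"), so a later reader will see three expected findings and assume all three are intended. Suggest a short comment above the dictionary stating that the third finding is the FTP_TLS import and is tracked as a follow-up, and updating the docstring `"""Test for `import ftplib` and FTP.* calls."""` to say the file also contains an FTP_TLS call that must not be reported, so the intent survives when the import check is eventually fixed and this count drops back to 2.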
