Whitelist uses of stdlib random module for bandit

There are currently two uses of random.randrange() and one of
random.choice() for non-security/non-crypto purposes. Mark them as
whitelisted for bandit checks and add comments explaining why.

diff --git a/mudpy/command.py b/mudpy/command.py
index 601bc82..d72e4e3 100644 (file)
--- a/mudpy/command.py
+++ b/mudpy/command.py
@@ -111,7 +111,9 @@ def error(actor, input_data):
     """Generic error for an unrecognized command word."""
 
     # 90% of the time use a generic error
-    if random.randrange(10):
+    # Whitelist the random.randrange() call in bandit since it's not used for
+    # security/cryptographic purposes
+    if random.randrange(10):  # nosec
         message = '''I'm not sure what "''' + input_data + '''" means...'''
 
     # 10% of the time use the classic diku error

diff --git a/mudpy/misc.py b/mudpy/misc.py
index 5f09938..5beb3b6 100644 (file)
--- a/mudpy/misc.py
+++ b/mudpy/misc.py
@@ -1218,7 +1218,9 @@ def weighted_choice(data):
             expanded.append(key)
 
     # return one at random
-    return random.choice(expanded)
+    # Whitelist the random.randrange() call in bandit since it's not used for
+    # security/cryptographic purposes
+    return random.choice(expanded)  # nosec
 
 
 def random_name():
@@ -1265,7 +1267,9 @@ def random_name():
     name = ""
 
     # create a name of random length from the syllables
-    for _syllable in range(random.randrange(2, 6)):
+    # Whitelist the random.randrange() call in bandit since it's not used for
+    # security/cryptographic purposes
+    for _syllable in range(random.randrange(2, 6)):  # nosec
         name += weighted_choice(syllables)
 
     # strip any leading quotemark, capitalize and return the name