From: Jeremy Stanley <fungi@yuggoth.org>
Date: Sun, 29 Dec 2019 14:19:57 +0000 (+0000)
Subject: Whitelist uses of stdlib random module for bandit
X-Git-Tag: 0.1.0~4
X-Git-Url: https://mudpy.org/gitweb?p=mudpy.git;a=commitdiff_plain;h=472e1de5356e4df0f099fe6a17ff6dab585314f3

Whitelist uses of stdlib random module for bandit

There are currently two uses of random.randrange() and one of
random.choice() for non-security/non-crypto purposes. Mark them as
whitelisted for bandit checks and add comments explaining why.
---

diff --git a/mudpy/command.py b/mudpy/command.py
index 601bc82..d72e4e3 100644
--- a/mudpy/command.py
+++ b/mudpy/command.py
@@ -111,7 +111,9 @@ def error(actor, input_data):
     """Generic error for an unrecognized command word."""
 
     # 90% of the time use a generic error
-    if random.randrange(10):
+    # Whitelist the random.randrange() call in bandit since it's not used for
+    # security/cryptographic purposes
+    if random.randrange(10):  # nosec
         message = '''I'm not sure what "''' + input_data + '''" means...'''
 
     # 10% of the time use the classic diku error
diff --git a/mudpy/misc.py b/mudpy/misc.py
index 5f09938..5beb3b6 100644
--- a/mudpy/misc.py
+++ b/mudpy/misc.py
@@ -1218,7 +1218,9 @@ def weighted_choice(data):
             expanded.append(key)
 
     # return one at random
-    return random.choice(expanded)
+    # Whitelist the random.randrange() call in bandit since it's not used for
+    # security/cryptographic purposes
+    return random.choice(expanded)  # nosec
 
 
 def random_name():
@@ -1265,7 +1267,9 @@ def random_name():
     name = ""
 
     # create a name of random length from the syllables
-    for _syllable in range(random.randrange(2, 6)):
+    # Whitelist the random.randrange() call in bandit since it's not used for
+    # security/cryptographic purposes
+    for _syllable in range(random.randrange(2, 6)):  # nosec
         name += weighted_choice(syllables)
 
     # strip any leading quotemark, capitalize and return the name