From 472e1de5356e4df0f099fe6a17ff6dab585314f3 Mon Sep 17 00:00:00 2001
From: Jeremy Stanley
Date: Sun, 29 Dec 2019 14:19:57 +0000
Subject: [PATCH] Whitelist uses of stdlib random module for bandit

There are currently two uses of random.randrange() and one of random.choice() for non-security/non-crypto purposes. Mark them as whitelisted for bandit checks and add comments explaining why.
---
 mudpy/command.py | 4 +++-
 mudpy/misc.py | 8 ++++++--
 2 files changed, 9 insertions(+), 3 deletions(-)

diff --git a/mudpy/command.py b/mudpy/command.py
index 601bc82..d72e4e3 100644
--- a/mudpy/command.py
+++ b/mudpy/command.py
@@ -111,7 +111,9 @@ def error(actor, input_data):
     """Generic error for an unrecognized command word."""
 
     # 90% of the time use a generic error
-    if random.randrange(10):
+    # Whitelist the random.randrange() call in bandit since it's not used for
+    # security/cryptographic purposes
+    if random.randrange(10):  # nosec
         message = '''I'm not sure what "''' + input_data + '''" means...'''
 
     # 10% of the time use the classic diku error
diff --git a/mudpy/misc.py b/mudpy/misc.py
index 5f09938..5beb3b6 100644
--- a/mudpy/misc.py
+++ b/mudpy/misc.py
@@ -1218,7 +1218,9 @@ def weighted_choice(data):
         expanded.append(key)
 
     # return one at random
-    return random.choice(expanded)
+    # Whitelist the random.randrange() call in bandit since it's not used for
+    # security/cryptographic purposes
+    return random.choice(expanded)  # nosec
 
 
 def random_name():
@@ -1265,7 +1267,9 @@ def random_name():
     name = ""
 
     # create a name of random length from the syllables
-    for _syllable in range(random.randrange(2, 6)):
+    # Whitelist the random.randrange() call in bandit since it's not used for
+    # security/cryptographic purposes
+    for _syllable in range(random.randrange(2, 6)):  # nosec
         name += weighted_choice(syllables)
 
     # strip any leading quotemark, capitalize and return the name
-- 
2.11.0
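Review bot: The bare `# nosec` on `if random.randrange(10):  # nosec` silences every bandit test on that line, not only the stdlib-PRNG one, so any later unrelated finding on the same line would be masked as well. If the project's bandit version accepts a test ID after the marker, the narrower `if random.randrange(10):  # nosec B311` keeps the suppression scoped to the check the comment actually justifies; the same applies to the two `# nosec` markers added in mudpy/misc.py. The body of error() continues outside the hunk.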
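Review bot: The comment added above `return random.choice(expanded)  # nosec` names the wrong call: it says `random.randrange()` while the whitelisted call on the annotated line is `random.choice()`, which reads as a copy-paste from command.py. Change the first comment line to `# Whitelist the random.choice() call in bandit since it's not used for` so the justification matches the code it covers. weighted_choice() starts outside the hunk.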