
Bandit

💎Vulnerabilities to be discovered
The following vulnerabilities should be discovered in this section:
  • VULN-FIND-CMD
  • VULN-FLASK-DEBUG
  • VULN-LOGGING-PERMS
  • VULN-TAR-SLIP
⚙️Bandit setup
If you didn't set up the static-analysis profile's infrastructure, please do so by running the command docker-compose --profile static-analysis up.

Use docker exec --interactive --tty static-analysers bash to enter the container in which the CLI tool runs.
⚙️Coder setup
If you didn't set up the static-analysis profile's infrastructure, please do so by running the command docker-compose --profile static-analysis up.

Access this link to interact with the application's web user interface. Use the ossfortress password for login.
📚Bandit documentation
The Bandit documentation is available here.

Steps

Scanning

  1. Scan all files in the /root/codebase/sandcastle/sandcastle folder and write the output as a SARIF file to /root/analysis/bandit.sarif.
  2. Using bandit-config-generator, generate the default configuration for Bandit in /root/analysis/bandit.conf.
  3. Exclude sandcastle/c_modules from the folders to be scanned, then test the created configuration by running Bandit again.
  4. Validate each warning produced by Bandit by manually inspecting the code. Use the Coder instance in the Docker infrastructure to review the results.
🚧Solution

To display the solution of this task, enter the text i-surrender-to-the-code-security-gods in the field below.

Creating a baseline

  1. Adapt the command from the first section to write JSON output to /root/analysis/bandit.baseline.json.
  2. Find the Bandit option that uses the created JSON file as a baseline. The new JSON output file, /root/analysis/bandit.diff.json, should not contain any warnings. SARIF is not yet supported by the baselining process.
  3. Include a new vulnerability in the code and run the previous command again. Was the secret found?
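An added example (not part of this page or of Bandit itself) of what the baseline comparison above does, written in Python over constructed reports in the shape of `bandit -f json` output. Matching findings by file, test ID and code text with Bandit's leading line numbers stripped is this script's own assumption, not Bandit's baseline algorithm; it also counts findings per severity as a starting point for the manual validation step.

```python
import json
import re
from collections import Counter

# Constructed sample reports in the shape of `bandit -f json` output, trimmed to
# the fields used here; they are not real results from the sandcastle codebase.
BASELINE_JSON = json.dumps({"results": [
    {"filename": "sandcastle/web.py", "line_number": 12, "test_id": "B201",
     "issue_severity": "HIGH", "issue_confidence": "MEDIUM",
     "issue_text": "A Flask app appears to be run with debug=True.",
     "code": "11 if __name__ == '__main__':\n12     app.run(debug=True)\n"},
    {"filename": "sandcastle/files.py", "line_number": 30, "test_id": "B605",
     "issue_severity": "HIGH", "issue_confidence": "HIGH",
     "issue_text": "Starting a process with a shell, possible injection detected.",
     "code": "30 os.system('find ' + path)\n"},
]})

# Same codebase after a hard-coded secret was inserted at the top of web.py,
# which shifts the earlier Flask finding down by one line.
NEW_JSON = json.dumps({"results": [
    {"filename": "sandcastle/web.py", "line_number": 3, "test_id": "B105",
     "issue_severity": "LOW", "issue_confidence": "MEDIUM",
     "issue_text": "Possible hardcoded password: 'hunter2'",
     "code": "3 API_PASSWORD = 'hunter2'\n"},
    {"filename": "sandcastle/web.py", "line_number": 13, "test_id": "B201",
     "issue_severity": "HIGH", "issue_confidence": "MEDIUM",
     "issue_text": "A Flask app appears to be run with debug=True.",
     "code": "12 if __name__ == '__main__':\n13     app.run(debug=True)\n"},
    {"filename": "sandcastle/files.py", "line_number": 30, "test_id": "B605",
     "issue_severity": "HIGH", "issue_confidence": "HIGH",
     "issue_text": "Starting a process with a shell, possible injection detected.",
     "code": "30 os.system('find ' + path)\n"},
]})


def issue_key(issue):
    """Identity of a finding that survives line shifts: file, test ID and the
    offending code with Bandit's leading line numbers stripped (assumed scheme)."""
    code = re.sub(r"^\d+ ", "", issue["code"], flags=re.MULTILINE)
    return (issue["filename"], issue["test_id"], code)


def new_findings(baseline_json, report_json):
    """Return findings in report_json that have no counterpart in baseline_json."""
    known = {issue_key(i) for i in json.loads(baseline_json)["results"]}
    return [i for i in json.loads(report_json)["results"] if issue_key(i) not in known]


def severity_summary(report_json):
    """Count findings per severity, the first thing to look at when triaging."""
    return dict(Counter(i["issue_severity"] for i in json.loads(report_json)["results"]))


if __name__ == "__main__":
    for issue in new_findings(BASELINE_JSON, NEW_JSON):
        print(f"NEW {issue['test_id']} {issue['filename']}:{issue['line_number']} {issue['issue_text']}")
    print(severity_summary(NEW_JSON))
```

Only the inserted B105 finding is reported as new; the shifted B201 finding is recognised as already baselined.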
🚧Solution

To display the solution of this task, enter the text i-surrender-to-the-code-security-gods in the field below.