gitlab.bandit.B507
Download Count*: 385
License: MIT
Detected a paramiko host key policy that implicitly trusts a server's host key. Host keys should be verified to ensure the connection is not to a malicious server. Use RejectPolicy or a custom subclass instead.
Definition
rules:
- id: bandit.B507
  patterns:
  - pattern-inside: |
      $CLIENT = paramiko.client.SSHClient(...)
      ...
      $CLIENT.set_missing_host_key_policy(...)
  - pattern-either:
    - pattern: paramiko.client.AutoAddPolicy
    - pattern: paramiko.client.WarningPolicy
  message: |
    Detected a paramiko host key policy that implicitly trusts a server's
    host key. Host keys should be verified to ensure the connection
    is not to a malicious server. Use RejectPolicy or a custom subclass
    instead.
  metadata:
    cwe: "CWE-322: Key Exchange without Entity Authentication"
    owasp: "A5: Broken Access Control"
    primary_identifier: bandit.B507
    secondary_identifiers:
    - name: Bandit Test ID B507
      type: bandit_test_id
      value: B507
  license: MIT
  severity: WARNING
  languages:
  - python
Short Link: https://sg.run/WOO4
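As an added illustration (not part of this rule or of Semgrep itself), the following Python script approximates what the rule above looks for using only the standard-library ast module: it flags set_missing_host_key_policy calls whose argument is AutoAddPolicy or WarningPolicy, and accepts the hardened form that loads known_hosts and installs RejectPolicy. The three snippets are constructed samples; unlike the Semgrep rule, the checker does not verify that the receiver was created with paramiko.client.SSHClient.

```python
import ast

# Constructed samples (not from the page): the two policies the rule flags and
# the hardened form, which loads known_hosts and rejects unknown host keys.
VULNERABLE_AUTOADD = """
import paramiko
client = paramiko.client.SSHClient()
client.set_missing_host_key_policy(paramiko.client.AutoAddPolicy())
"""
VULNERABLE_WARNING = """
import paramiko
client = paramiko.client.SSHClient()
client.set_missing_host_key_policy(paramiko.client.WarningPolicy())
"""
HARDENED = """
import paramiko
client = paramiko.client.SSHClient()
client.load_system_host_keys()  # trust only keys already in known_hosts
client.set_missing_host_key_policy(paramiko.client.RejectPolicy())
"""

INSECURE_POLICIES = {"AutoAddPolicy", "WarningPolicy"}

def _dotted_name(node):
    """Return 'a.b.c' for a Name/Attribute chain, or None for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None

def find_insecure_host_key_policies(source):
    """Approximate B507: report each set_missing_host_key_policy(...) call whose
    argument names a trusting policy. Returns a list of (line, policy_name)."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                and node.func.attr == "set_missing_host_key_policy" and node.args):
            continue
        arg = node.args[0]
        # Accept both an instance (AutoAddPolicy()) and a bare class reference.
        target = arg.func if isinstance(arg, ast.Call) else arg
        name = _dotted_name(target)
        if name and name.rsplit(".", 1)[-1] in INSECURE_POLICIES:
            findings.append((node.lineno, name))
    return findings
```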