Additional Changes to Huggingface Revision Checks

lukehinds · lukehinds · commit 04a9d5f093df · 2025-07-02T16:25:49.000+01:00
- Add an entry for CWE 494
- Use string.hexdigits
- Set to 18.6 release
- Remove Copywright
- Order after markupsafe
diff --git a/bandit/core/issue.py b/bandit/core/issue.py
@@ -31,6 +31,7 @@ class Cwe:
     IMPROPER_CHECK_OF_EXCEPT_COND = 703
     INCORRECT_PERMISSION_ASSIGNMENT = 732
     INAPPROPRIATE_ENCODING_FOR_OUTPUT_CONTEXT = 838
+    DOWNLOAD_OF_CODE_WITHOUT_INTEGRITY_CHECK = 494
 
     MITRE_URL_PATTERN = "https://cwe.mitre.org/data/definitions/%s.html"
 
diff --git a/bandit/plugins/huggingface_unsafe_download.py b/bandit/plugins/huggingface_unsafe_download.py
@@ -1,5 +1,3 @@
-# Copyright (c) 2024 PyCQA
-#
 # SPDX-License-Identifier: Apache-2.0
 r"""
 ================================================
@@ -58,9 +56,11 @@
      - https://cwe.mitre.org/data/definitions/494.html
      - https://huggingface.co/docs/huggingface_hub/en/guides/download
 
-.. versionadded:: 1.9.0
+.. versionadded:: 1.8.6
 
 """
+import string
+
 import bandit
 from bandit.core import issue
 from bandit.core import test_properties as test
@@ -129,8 +129,7 @@ def huggingface_unsafe_download(context):
 
             # Check if it looks like a commit hash (hexadecimal string)
             # Must be at least 7 characters and all hexadecimal
-            hex_chars = "0123456789abcdefABCDEF"
-            is_hex = all(c in hex_chars for c in revision_str)
+            is_hex = all(c in string.hexdigits for c in revision_str)
             if len(revision_str) >= 7 and is_hex:
                 # This looks like a commit hash, which is secure
                 return
@@ -149,6 +148,6 @@ def huggingface_unsafe_download(context):
             f"Unsafe Hugging Face Hub download without revision pinning "
             f"in {func_name}()"
         ),
-        cwe=issue.Cwe.IMPROPER_INPUT_VALIDATION,
+        cwe=issue.Cwe.DOWNLOAD_OF_CODE_WITHOUT_INTEGRITY_CHECK,
         lineno=context.get_lineno_for_call_arg(func_name),
     )
diff --git a/setup.cfg b/setup.cfg
@@ -157,15 +157,15 @@ bandit.plugins =
     #bandit/plugins/pytorch_load.py
     pytorch_load = bandit.plugins.pytorch_load:pytorch_load
 
-    # bandit/plugins/huggingface_unsafe_download.py
-    huggingface_unsafe_download = bandit.plugins.huggingface_unsafe_download:huggingface_unsafe_download
-
     # bandit/plugins/trojansource.py
     trojansource = bandit.plugins.trojansource:trojansource
 
     # bandit/plugins/markupsafe_markup_xss.py
     markupsafe_markup_xss = bandit.plugins.markupsafe_markup_xss:markupsafe_markup_xss
 
+    # bandit/plugins/huggingface_unsafe_download.py
+    huggingface_unsafe_download = bandit.plugins.huggingface_unsafe_download:huggingface_unsafe_download
+
 [build_sphinx]
 all_files = 1
 build-dir = doc/build
