Support of Python 3.14 (#1323)

* Support of Python 3.14

This is a re-opening of PR #1189 and revert of revert #1217.
PR #1189 caused issue #1216 which must be fixed as part of
this PR.

This change starts testing against Python 3.14 now that is has
been officially released.

Python 3.14 has dropped the deprecated use of ast.Bytes,
ast.Ellipsis, ast.NameConstant, ast.Num, ast.Str. They are
replaced with ast.Constant and Node.value is used to get the
value instead of the previous attributes like Node.s.

https://docs.python.org/3.14/whatsnew/3.14.html#id2

This also has the potential to break 3rd party plugins that
were checking on Str or Num, etc. As a result, Bandit keeps
the validity of checking on those non-existent ast types.

These changes did break a quite a few plugins that were
directly accessing ast classes to determine a result, but
were fixed as part of this PR.

Signed-off-by: Eric Brown <eric_wade_brown@yahoo.com>

* Add 3.14 classifier

Signed-off-by: Eric Brown <eric_wade_brown@yahoo.com>

* Add test case

Signed-off-by: Eric Brown <eric_wade_brown@yahoo.com>

* Check if value.value is str

Signed-off-by: Eric Brown <eric_wade_brown@yahoo.com>

* Incorrect comment

Signed-off-by: Eric Brown <eric_wade_brown@yahoo.com>

* Fix up injection_sql.py

Signed-off-by: Eric Brown <eric_wade_brown@yahoo.com>

* More checking on Constant.value

Signed-off-by: Eric Brown <eric_wade_brown@yahoo.com>

* Final Constant value checks

Signed-off-by: Eric Brown <eric_wade_brown@yahoo.com>

---------

Signed-off-by: Eric Brown <eric_wade_brown@yahoo.com>

Author: ericwb

.github/workflows/pythonpackage.yml

@@ -52,6 +52,7 @@ jobs:
           ["3.11", "311"],
           ["3.12", "312"],
           ["3.13", "313"],
+          ["3.14", "314"],
         ]
         os: [ubuntu-latest, macos-latest]
     runs-on: ${{ matrix.os }}

bandit/core/blacklisting.py

@@ -35,8 +35,10 @@ def blacklist(context, config):
         func = context.node.func
         if isinstance(func, ast.Name) and func.id == "__import__":
             if len(context.node.args):
-                if isinstance(context.node.args[0], ast.Str):
-                    name = context.node.args[0].s
+                if isinstance(
+                    context.node.args[0], ast.Constant
+                ) and isinstance(context.node.args[0].value, str):
+                    name = context.node.args[0].value
                 else:
                     # TODO(??): import through a variable, need symbol tab
                     name = "UNKNOWN"

bandit/core/context.py

@@ -178,11 +178,13 @@ def _get_literal_value(self, literal):
         :param literal: The AST literal to convert
         :return: The value of the AST literal
         """
-        if isinstance(literal, ast.Num):
-            literal_value = literal.n
-
-        elif isinstance(literal, ast.Str):
-            literal_value = literal.s
+        if isinstance(literal, ast.Constant):
+            if isinstance(literal.value, bool):
+                literal_value = str(literal.value)
+            elif literal.value is None:
+                literal_value = str(literal.value)
+            else:
+                literal_value = literal.value
 
         elif isinstance(literal, ast.List):
             return_list = list()
@@ -205,19 +207,9 @@ def _get_literal_value(self, literal):
         elif isinstance(literal, ast.Dict):
             literal_value = dict(zip(literal.keys, literal.values))
 
-        elif isinstance(literal, ast.Ellipsis):
-            # what do we want to do with this?
-            literal_value = None
-
         elif isinstance(literal, ast.Name):
             literal_value = literal.id
 
-        elif isinstance(literal, ast.NameConstant):
-            literal_value = str(literal.value)
-
-        elif isinstance(literal, ast.Bytes):
-            literal_value = literal.s
-
         else:
             literal_value = None
 

bandit/core/node_visitor.py

@@ -168,7 +168,7 @@ def visit_Str(self, node):
         :param node: The node that is being inspected
         :return: -
         """
-        self.context["str"] = node.s
+        self.context["str"] = node.value
         if not isinstance(node._bandit_parent, ast.Expr):  # docstring
             self.context["linerange"] = b_utils.linerange(node._bandit_parent)
             self.update_scores(self.tester.run_tests(self.context, "Str"))
@@ -181,7 +181,7 @@ def visit_Bytes(self, node):
         :param node: The node that is being inspected
         :return: -
         """
-        self.context["bytes"] = node.s
+        self.context["bytes"] = node.value
         if not isinstance(node._bandit_parent, ast.Expr):  # docstring
             self.context["linerange"] = b_utils.linerange(node._bandit_parent)
             self.update_scores(self.tester.run_tests(self.context, "Bytes"))

bandit/core/utils.py

@@ -273,12 +273,12 @@ def linerange(node):
 def concat_string(node, stop=None):
     """Builds a string from a ast.BinOp chain.
 
-    This will build a string from a series of ast.Str nodes wrapped in
+    This will build a string from a series of ast.Constant nodes wrapped in
     ast.BinOp nodes. Something like "a" + "b" + "c" or "a %s" % val etc.
     The provided node can be any participant in the BinOp chain.
 
-    :param node: (ast.Str or ast.BinOp) The node to process
-    :param stop: (ast.Str or ast.BinOp) Optional base node to stop at
+    :param node: (ast.Constant or ast.BinOp) The node to process
+    :param stop: (ast.Constant or ast.BinOp) Optional base node to stop at
     :returns: (Tuple) the root node of the expression, the string value
     """
 
@@ -300,7 +300,10 @@ def _get(node, bits, stop=None):
         node = node._bandit_parent
     if isinstance(node, ast.BinOp):
         _get(node, bits, stop)
-    return (node, " ".join([x.s for x in bits if isinstance(x, ast.Str)]))
+    return (
+        node,
+        " ".join([x.value for x in bits if isinstance(x, ast.Constant)]),
+    )
 
 
 def get_called_name(node):
@@ -361,6 +364,17 @@ def parse_ini_file(f_loc):
 def check_ast_node(name):
     "Check if the given name is that of a valid AST node."
     try:
+        # These ast Node types don't exist in Python 3.14, but plugins may
+        # still check on them.
+        if sys.version_info >= (3, 14) and name in (
+            "Num",
+            "Str",
+            "Ellipsis",
+            "NameConstant",
+            "Bytes",
+        ):
+            return name
+
         node = getattr(ast, name)
         if issubclass(node, ast.AST):
             return name

bandit/plugins/django_sql_injection.py

@@ -68,7 +68,10 @@ def django_extra_used(context):
             if key in kwargs:
                 if isinstance(kwargs[key], ast.List):
                     for val in kwargs[key].elts:
-                        if not isinstance(val, ast.Str):
+                        if not (
+                            isinstance(val, ast.Constant)
+                            and isinstance(val.value, str)
+                        ):
                             insecure = True
                             break
                 else:
@@ -77,12 +80,18 @@ def django_extra_used(context):
         if not insecure and "select" in kwargs:
             if isinstance(kwargs["select"], ast.Dict):
                 for k in kwargs["select"].keys:
-                    if not isinstance(k, ast.Str):
+                    if not (
+                        isinstance(k, ast.Constant)
+                        and isinstance(k.value, str)
+                    ):
                         insecure = True
                         break
                 if not insecure:
                     for v in kwargs["select"].values:
-                        if not isinstance(v, ast.Str):
+                        if not (
+                            isinstance(v, ast.Constant)
+                            and isinstance(v.value, str)
+                        ):
                             insecure = True
                             break
             else:
@@ -135,7 +144,9 @@ def django_rawsql_used(context):
                 kwargs = keywords2dict(context.node.keywords)
                 sql = kwargs["sql"]
 
-            if not isinstance(sql, ast.Str):
+            if not (
+                isinstance(sql, ast.Constant) and isinstance(sql.value, str)
+            ):
                 return bandit.Issue(
                     severity=bandit.MEDIUM,
                     confidence=bandit.MEDIUM,

bandit/plugins/django_xss.py

@@ -96,7 +96,7 @@ def evaluate_var(xss_var, parent, until, ignore_nodes=None):
                 break
             to = analyser.is_assigned(node)
             if to:
-                if isinstance(to, ast.Str):
+                if isinstance(to, ast.Constant) and isinstance(to.value, str):
                     secure = True
                 elif isinstance(to, ast.Name):
                     secure = evaluate_var(to, parent, to.lineno, ignore_nodes)
@@ -105,7 +105,9 @@ def evaluate_var(xss_var, parent, until, ignore_nodes=None):
                 elif isinstance(to, (list, tuple)):
                     num_secure = 0
                     for some_to in to:
-                        if isinstance(some_to, ast.Str):
+                        if isinstance(some_to, ast.Constant) and isinstance(
+                            some_to.value, str
+                        ):
                             num_secure += 1
                         elif isinstance(some_to, ast.Name):
                             if evaluate_var(
@@ -131,7 +133,10 @@ def evaluate_call(call, parent, ignore_nodes=None):
     secure = False
     evaluate = False
     if isinstance(call, ast.Call) and isinstance(call.func, ast.Attribute):
-        if isinstance(call.func.value, ast.Str) and call.func.attr == "format":
+        if (
+            isinstance(call.func.value, ast.Constant)
+            and call.func.attr == "format"
+        ):
             evaluate = True
             if call.keywords:
                 evaluate = False  # TODO(??) get support for this
@@ -140,7 +145,7 @@ def evaluate_call(call, parent, ignore_nodes=None):
         args = list(call.args)
         num_secure = 0
         for arg in args:
-            if isinstance(arg, ast.Str):
+            if isinstance(arg, ast.Constant) and isinstance(arg.value, str):
                 num_secure += 1
             elif isinstance(arg, ast.Name):
                 if evaluate_var(arg, parent, call.lineno, ignore_nodes):
@@ -167,7 +172,9 @@ def evaluate_call(call, parent, ignore_nodes=None):
 def transform2call(var):
     if isinstance(var, ast.BinOp):
         is_mod = isinstance(var.op, ast.Mod)
-        is_left_str = isinstance(var.left, ast.Str)
+        is_left_str = isinstance(var.left, ast.Constant) and isinstance(
+            var.left.value, str
+        )
         if is_mod and is_left_str:
             new_call = ast.Call()
             new_call.args = []
@@ -212,7 +219,9 @@ def check_risk(node):
         secure = evaluate_call(xss_var, parent)
     elif isinstance(xss_var, ast.BinOp):
         is_mod = isinstance(xss_var.op, ast.Mod)
-        is_left_str = isinstance(xss_var.left, ast.Str)
+        is_left_str = isinstance(xss_var.left, ast.Constant) and isinstance(
+            xss_var.left.value, str
+        )
         if is_mod and is_left_str:
             parent = node._bandit_parent
             while not isinstance(parent, (ast.Module, ast.FunctionDef)):
@@ -272,5 +281,7 @@ def django_mark_safe(context):
         ]
         if context.call_function_name in affected_functions:
             xss = context.node.args[0]
-            if not isinstance(xss, ast.Str):
+            if not (
+                isinstance(xss, ast.Constant) and isinstance(xss.value, str)
+            ):
                 return check_risk(context.node)

bandit/plugins/general_hardcoded_password.py

@@ -83,45 +83,53 @@ def hardcoded_password_string(context):
         # looks for "candidate='some_string'"
         for targ in node._bandit_parent.targets:
             if isinstance(targ, ast.Name) and RE_CANDIDATES.search(targ.id):
-                return _report(node.s)
+                return _report(node.value)
             elif isinstance(targ, ast.Attribute) and RE_CANDIDATES.search(
                 targ.attr
             ):
-                return _report(node.s)
+                return _report(node.value)
 
     elif isinstance(
         node._bandit_parent, ast.Subscript
-    ) and RE_CANDIDATES.search(node.s):
+    ) and RE_CANDIDATES.search(node.value):
         # Py39+: looks for "dict[candidate]='some_string'"
         # subscript -> index -> string
         assign = node._bandit_parent._bandit_parent
-        if isinstance(assign, ast.Assign) and isinstance(
-            assign.value, ast.Str
+        if (
+            isinstance(assign, ast.Assign)
+            and isinstance(assign.value, ast.Constant)
+            and isinstance(assign.value.value, str)
         ):
-            return _report(assign.value.s)
+            return _report(assign.value.value)
 
     elif isinstance(node._bandit_parent, ast.Index) and RE_CANDIDATES.search(
-        node.s
+        node.value
     ):
         # looks for "dict[candidate]='some_string'"
         # assign -> subscript -> index -> string
         assign = node._bandit_parent._bandit_parent._bandit_parent
-        if isinstance(assign, ast.Assign) and isinstance(
-            assign.value, ast.Str
+        if (
+            isinstance(assign, ast.Assign)
+            and isinstance(assign.value, ast.Constant)
+            and isinstance(assign.value.value, str)
         ):
-            return _report(assign.value.s)
+            return _report(assign.value.value)
 
     elif isinstance(node._bandit_parent, ast.Compare):
         # looks for "candidate == 'some_string'"
         comp = node._bandit_parent
         if isinstance(comp.left, ast.Name):
             if RE_CANDIDATES.search(comp.left.id):
-                if isinstance(comp.comparators[0], ast.Str):
-                    return _report(comp.comparators[0].s)
+                if isinstance(
+                    comp.comparators[0], ast.Constant
+                ) and isinstance(comp.comparators[0].value, str):
+                    return _report(comp.comparators[0].value)
         elif isinstance(comp.left, ast.Attribute):
             if RE_CANDIDATES.search(comp.left.attr):
-                if isinstance(comp.comparators[0], ast.Str):
-                    return _report(comp.comparators[0].s)
+                if isinstance(
+                    comp.comparators[0], ast.Constant
+                ) and isinstance(comp.comparators[0].value, str):
+                    return _report(comp.comparators[0].value)
 
 
 @test.checks("Call")
@@ -176,8 +184,12 @@ def hardcoded_password_funcarg(context):
     """
     # looks for "function(candidate='some_string')"
     for kw in context.node.keywords:
-        if isinstance(kw.value, ast.Str) and RE_CANDIDATES.search(kw.arg):
-            return _report(kw.value.s)
+        if (
+            isinstance(kw.value, ast.Constant)
+            and isinstance(kw.value.value, str)
+            and RE_CANDIDATES.search(kw.arg)
+        ):
+            return _report(kw.value.value)
 
 
 @test.checks("FunctionDef")
@@ -246,9 +258,12 @@ def hardcoded_password_default(context):
         if isinstance(key, (ast.Name, ast.arg)):
             # Skip if the default value is None
             if val is None or (
-                isinstance(val, (ast.Constant, ast.NameConstant))
-                and val.value is None
+                isinstance(val, ast.Constant) and val.value is None
             ):
                 continue
-            if isinstance(val, ast.Str) and RE_CANDIDATES.search(key.arg):
-                return _report(val.s)
+            if (
+                isinstance(val, ast.Constant)
+                and isinstance(val.value, str)
+                and RE_CANDIDATES.search(key.arg)
+            ):
+                return _report(val.value)

bandit/plugins/injection_shell.py

@@ -15,7 +15,9 @@
 
 
 def _evaluate_shell_call(context):
-    no_formatting = isinstance(context.node.args[0], ast.Str)
+    no_formatting = isinstance(
+        context.node.args[0], ast.Constant
+    ) and isinstance(context.node.args[0].value, str)
 
     if no_formatting:
         return bandit.LOW
@@ -83,15 +85,19 @@ def has_shell(context):
         for key in keywords:
             if key.arg == "shell":
                 val = key.value
-                if isinstance(val, ast.Num):
-                    result = bool(val.n)
+                if isinstance(val, ast.Constant) and (
+                    isinstance(val.value, int)
+                    or isinstance(val.value, float)
+                    or isinstance(val.value, complex)
+                ):
+                    result = bool(val.value)
                 elif isinstance(val, ast.List):
                     result = bool(val.elts)
                 elif isinstance(val, ast.Dict):
                     result = bool(val.keys)
                 elif isinstance(val, ast.Name) and val.id in ["False", "None"]:
                     result = False
-                elif isinstance(val, ast.NameConstant):
+                elif isinstance(val, ast.Constant):
                     result = val.value
                 else:
                     result = True
@@ -687,7 +693,11 @@ def start_process_with_partial_path(context, config):
                 node = node.elts[0]
 
             # make sure the param is a string literal and not a var name
-            if isinstance(node, ast.Str) and not full_path_match.match(node.s):
+            if (
+                isinstance(node, ast.Constant)
+                and isinstance(node.value, str)
+                and not full_path_match.match(node.value)
+            ):
                 return bandit.Issue(
                     severity=bandit.LOW,
                     confidence=bandit.HIGH,