Is AI-Generated Code Secure?, (Thu, Jan 22nd)
2026-01-22 08:31:30 Author: isc.sans.edu

The title of this diary is perhaps a bit catchy, but the question is important. I don’t consider myself a good developer. That’s not my day job, and I write code to improve my daily tasks. I like to say “I’m writing sh*ty code! It works for me, no warranty that it will work for you”. Today, most of my code (the skeleton of the program) is generated by AI, probably like most of you.

My daily morning routine is to follow RSS feeds and news, and today I spotted an interesting tool called “Bandit”[1]. It’s a tool designed to find common security issues in Python code. Because I mainly write Python code, I was curious to test it.

I regularly use a Python script that was 99% generated by AI. I just made some adjustments, but all the core features were generated. This script was a good candidate for analysis with Bandit because:

  • It has a decent size (1500 lines)
  • It uses many dependencies (Python libraries)
  • It is multi-threaded for performance
  • It collects data from online resources (network interactions)

Bandit is super easy to use. First, download the Docker image (good to know: the images are signed!):

docker pull ghcr.io/pycqa/bandit/bandit

Now, scan your code:

docker run -it --rm -v $(pwd):/data ghcr.io/pycqa/bandit/bandit --severity-level all -v /data/myscript.py

Here are the scan results for my script:

Total issues (by severity):
    Undefined: 0
    Low: 13
    Medium: 1
    High: 0
Total issues (by confidence):
    Undefined: 0
    Low: 0
    Medium: 0
    High: 14

The following table shows what was spotted in the code (I grouped the findings):

| Issue | Severity | Confidence | Reference | Occurrences |
|---|---|---|---|---|
| Consider possible security implications associated with the subprocess module | Low | High | https://cwe.mitre.org/data/definitions/78.html | 1 |
| Using xml.etree.ElementTree.fromstring to parse untrusted XML data is known to be vulnerable to XML attacks. Replace xml.etree.ElementTree.fromstring with its defusedxml equivalent function or make sure defusedxml.defuse_stdlib() is called | Medium | High | https://cwe.mitre.org/data/definitions/20.html | 2 |
| subprocess call - check for execution of untrusted input | Low | High | https://cwe.mitre.org/data/definitions/78.html | 3 |
| Standard pseudo-random generators are not suitable for security/cryptographic purposes | Low | High | https://cwe.mitre.org/data/definitions/330.html | 1 |
| Try, Except, Pass detected | Low | High | https://cwe.mitre.org/data/definitions/703.html | 7 |
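To make the four findings in the table concrete, here is an added example (my own illustration, not the diary's script or Bandit's code) that puts each flagged pattern next to a hardened version. The function names, the tool allow-list (only `echo`, so it runs anywhere) and the sample XML are constructed for this example; the Bandit plugin ids in the comments are the ones I know for these checks, so verify them against the plugin list[2]. For the XML finding, Bandit recommends `defusedxml`; the pre-check below mirrors its core rule (refuse DTD and entity declarations) so the example runs on the standard library alone.

```python
"""Before/after versions of the four patterns Bandit flagged in the diary.

Hypothetical illustration: names, allow-list and sample inputs are constructed.
"""
import logging
import random
import re
import secrets
import shutil
import string
import subprocess
import xml.etree.ElementTree as ET
from typing import List, Optional

log = logging.getLogger(__name__)

# Constructed sample inputs: a harmless feed and one carrying a DTD with an entity.
SAFE_XML = "<feed><item id='1'>ok</item><item id='2'>fine</item></feed>"
DTD_XML = "<!DOCTYPE x [<!ENTITY a 'aaaa'>]><feed><item>&a;</item></feed>"


# ---- B314: xml.etree.ElementTree.fromstring on untrusted data (CWE-20) ----
def parse_items_before(data: str) -> List[str]:
    # As generated: parses whatever arrives, DTD and entity expansion included.
    return [item.text or "" for item in ET.fromstring(data).iter("item")]


def parse_items_after(data: str) -> List[str]:
    # Hardened: refuse DTD/entity declarations before the parser sees them.
    # defusedxml.fromstring() is the recommended replacement; this check mirrors
    # its rule so the example needs no third-party package.
    lowered = data.lower()
    if "<!doctype" in lowered or "<!entity" in lowered:
        raise ValueError("XML containing a DTD or entity declaration was rejected")
    return [item.text or "" for item in ET.fromstring(data).iter("item")]


# ---- B404/B602/B603: subprocess with a shell and untrusted input (CWE-78) ----
# Assumed allow-list of external tools; 'echo' only, so the example runs anywhere.
ALLOWED_TOOLS = {"echo": shutil.which("echo") or "/bin/echo"}
TARGET_RE = re.compile(r"[A-Za-z0-9.\-]{1,253}")  # hostname-like argument only


def run_tool_before(tool: str, target: str) -> str:
    # As generated: string interpolation plus shell=True, so any shell
    # metacharacter in `target` is interpreted by the shell.
    return subprocess.check_output(f"{tool} {target}", shell=True, text=True)


def run_tool_after(tool: str, target: str) -> str:
    # Hardened: allow-listed binary, validated argument, argv list, no shell, timeout.
    if tool not in ALLOWED_TOOLS:
        raise ValueError(f"tool not allowed: {tool}")
    if not TARGET_RE.fullmatch(target):
        raise ValueError(f"invalid target: {target!r}")
    result = subprocess.run([ALLOWED_TOOLS[tool], target], capture_output=True,
                            text=True, check=True, timeout=30)
    return result.stdout


# ---- B311: standard PRNG used for a security token (CWE-330) ----
def make_token_before(length: int = 32) -> str:
    # As generated: random.choice is predictable, unsuitable for secrets.
    return "".join(random.choice(string.hexdigits) for _ in range(length))


def make_token_after(nbytes: int = 16) -> str:
    # Hardened: secrets draws from the operating system's CSPRNG.
    return secrets.token_hex(nbytes)


# ---- B110: try/except/pass (CWE-703) ----
class ConfigError(ValueError):
    """Raised for an unusable configuration value."""


def parse_port_before(raw: str) -> Optional[int]:
    try:
        return int(raw)
    except Exception:
        pass  # swallows every error, including programming mistakes
    return None


def parse_port_after(raw: str) -> int:
    # Hardened: catch only the expected failure, keep the cause, fail loudly.
    try:
        port = int(raw)
    except ValueError as exc:
        log.warning("invalid port value %r", raw)
        raise ConfigError(f"port must be an integer, got {raw!r}") from exc
    if not 1 <= port <= 65535:
        raise ConfigError(f"port out of range: {port}")
    return port


def raises_value_error(fn, *args) -> bool:
    # Helper for callers to confirm that a hardened variant rejects bad input.
    try:
        fn(*args)
    except ValueError:
        return True
    return False
```

Running Bandit over the `*_after` functions still reports B404 for the `import subprocess` line (the module-level warning in the table is informational), which is exactly the kind of finding the next paragraph says you have to interpret rather than chase.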

Like any vulnerability scan, the results must be interpreted in the context of the environment where the code is executed. In my case, the script runs internally on a trusted set of (XML) data, so I consider the results "good". Now, if your application is facing the Internet and publicly available, that's another story!

If you are curious about the tests performed by Bandit, the list of plugins is available in the documentation[2].
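The interpretation step above (same findings, different verdict depending on where the code runs) can be automated when Bandit is run with `-f json -o report.json`. The following is an added example of mine, not part of the diary: it groups a report the way the table does, reproduces the "Total issues (by severity)" counts, and applies a gating policy that differs for an internal script and an Internet-facing one. `SAMPLE_REPORT` is constructed to resemble the diary's findings; the field names (`results`, `issue_severity`, `issue_confidence`, `test_id`, `issue_text`, `line_number`) are those of Bandit's JSON formatter, the test ids are the plugin ids as I know them, and the policy thresholds are my assumption.

```python
"""Triage a Bandit JSON report: group findings, count by severity, and decide
what blocks a build depending on where the code runs.

Added example; SAMPLE_REPORT is constructed to resemble the diary's findings.
"""
import json
from collections import Counter, defaultdict
from typing import Dict, List

SAMPLE_REPORT = json.dumps({"results": [
    {"test_id": "B404", "issue_severity": "LOW", "issue_confidence": "HIGH", "line_number": 3,
     "issue_text": "Consider possible security implications associated with the subprocess module."},
    {"test_id": "B314", "issue_severity": "MEDIUM", "issue_confidence": "HIGH", "line_number": 120,
     "issue_text": "Using xml.etree.ElementTree.fromstring to parse untrusted XML data is known to be vulnerable to XML attacks."},
    {"test_id": "B314", "issue_severity": "MEDIUM", "issue_confidence": "HIGH", "line_number": 344,
     "issue_text": "Using xml.etree.ElementTree.fromstring to parse untrusted XML data is known to be vulnerable to XML attacks."},
    {"test_id": "B603", "issue_severity": "LOW", "issue_confidence": "HIGH", "line_number": 410,
     "issue_text": "subprocess call - check for execution of untrusted input."},
    {"test_id": "B311", "issue_severity": "LOW", "issue_confidence": "HIGH", "line_number": 512,
     "issue_text": "Standard pseudo-random generators are not suitable for security/cryptographic purposes."},
    {"test_id": "B110", "issue_severity": "LOW", "issue_confidence": "HIGH", "line_number": 600,
     "issue_text": "Try, Except, Pass detected."},
]})

# Bandit's severity scale, ordered so that policy thresholds can be compared.
RANK = {"UNDEFINED": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3}


def load_findings(report_json: str) -> List[dict]:
    """Return the list of findings from a Bandit JSON report."""
    return json.loads(report_json)["results"]


def count_by_severity(findings: List[dict]) -> Dict[str, int]:
    """Same numbers Bandit prints under 'Total issues (by severity)'."""
    counts = Counter(f["issue_severity"] for f in findings)
    return {level: counts.get(level, 0) for level in RANK}


def group_by_issue(findings: List[dict]) -> List[dict]:
    """One row per distinct issue, like the diary's table, most frequent first."""
    groups = defaultdict(list)
    for f in findings:
        key = (f["test_id"], f["issue_text"], f["issue_severity"], f["issue_confidence"])
        groups[key].append(f["line_number"])
    rows = [{"test_id": k[0], "issue": k[1], "severity": k[2], "confidence": k[3],
             "occurrences": len(lines), "lines": sorted(lines)}
            for k, lines in groups.items()]
    return sorted(rows, key=lambda r: (-r["occurrences"], r["test_id"]))


def blocking_findings(findings: List[dict], internet_facing: bool) -> List[dict]:
    """Assumed policy: an internal script on trusted data fails the build only on
    HIGH severity; an Internet-facing one fails on MEDIUM and above, in both cases
    only when Bandit's confidence is HIGH (to keep noise out of the gate)."""
    min_severity = RANK["MEDIUM"] if internet_facing else RANK["HIGH"]
    return [f for f in findings
            if RANK[f["issue_severity"]] >= min_severity and f["issue_confidence"] == "HIGH"]


if __name__ == "__main__":
    found = load_findings(SAMPLE_REPORT)
    print(count_by_severity(found))
    for row in group_by_issue(found):
        print(f"{row['test_id']} {row['severity']:<7} x{row['occurrences']}  lines {row['lines']}")
    print("blocks internal build:", bool(blocking_findings(found, internet_facing=False)))
    print("blocks internet-facing build:", bool(blocking_findings(found, internet_facing=True)))
```

With the constructed report, the internal policy lets the script through (which matches the diary's verdict), while the Internet-facing policy blocks on the two `fromstring` findings, so the same scan produces the two different answers the paragraph above describes.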

Conclusion: the AI-generated script does not look too bad. Tip: when writing your prompt to generate the initial code, don't forget to mention that "security is very important", for example:

Generate production-quality Python code with a security-first approach.
Requirements:
- Treat all external input as untrusted
- Validate input types, length, and format
- Sanitize strings (e.g., for file paths, URLs, commands, JSON, CSV)
- Use explicit allow-lists where possible
- Handle errors with clear exceptions (no silent failures)
- Avoid dangerous functions (eval, exec, os.system, shell=True)
- Prevent command injection, path traversal, and deserialization issues
- Use safe libraries and best practices
- Include input validation helpers if needed

[1] https://github.com/PyCQA/bandit
[2] https://bandit.readthedocs.io/en/latest/plugins/index.html

Xavier Mertens (@xme)
Xameco
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key


Source: https://isc.sans.edu/diary/rss/32648