#694 Bandit fails when using importlib with named arguments (#701)

* #694 Bandit fails when using importlib with named arguments

* add missing tests

* improvement in the tests

Co-authored-by: Luke Hinds <[email protected]>

Author: maciejstromich

bandit/core/blacklisting.py

@@ -47,7 +47,10 @@ def blacklist(context, config):
             # argument name as an actual import module name.
             # Will produce None if argument is not a literal or identifier
             if name in ["importlib.import_module", "importlib.__import__"]:
-                name = context.call_args[0]
+                if context.call_args_count > 0:
+                    name = context.call_args[0]
+                else:
+                    name = context.call_keywords['name']
         for check in blacklists[node_type]:
             for qn in check['qualnames']:
                 if name is not None and fnmatch.fnmatch(name, qn):

examples/imports-with-importlib.py

@@ -7,3 +7,9 @@
 # Do not crash when target is an expression
 e = importlib.import_module(MODULE_MAP[key])
 f = importlib.__import__(MODULE_MAP[key])
+
+# Do not crash when target is a named argument
+g = importlib.import_module(name='sys')
+h = importlib.__import__(name='subprocess')
+i = importlib.import_module(name='subprocess', package='bar.baz')
+j = importlib.__import__(name='sys', package='bar.baz')

tests/functional/test_functional.py

@@ -230,8 +230,8 @@ def test_imports(self):
     def test_imports_using_importlib(self):
         '''Test for dangerous imports using importlib.'''
         expect = {
-            'SEVERITY': {'UNDEFINED': 0, 'LOW': 2, 'MEDIUM': 0, 'HIGH': 0},
-            'CONFIDENCE': {'UNDEFINED': 0, 'LOW': 0, 'MEDIUM': 0, 'HIGH': 2}
+            'SEVERITY': {'UNDEFINED': 0, 'LOW': 4, 'MEDIUM': 0, 'HIGH': 0},
+            'CONFIDENCE': {'UNDEFINED': 0, 'LOW': 0, 'MEDIUM': 0, 'HIGH': 4}
         }
         self.check_example('imports-with-importlib.py', expect)