From 45136e058034a96c33c7afedcc69ad40f5d514d0 Mon Sep 17 00:00:00 2001
From: Brant Knudson
Date: Wed, 13 Jan 2016 13:13:06 -0600
Subject: [PATCH] Remove bandit.yaml in favor of defaults

This patch removes the bandit.yaml and just uses the defaults. As such there are a few flagged issues that needed correcting. The hits are now marked with "# nosec" so that they'll be ignored since the hits were not security-related.

Co-Authored-By: Brant Knudson
Co-Authored-By: Eric Brown
Change-Id: Ib253a4a21156b6606c356ade46c72c6ace01a1af
---
bandit.yaml | 119 ----------------------
keystonemiddleware/audit.py | 13 ++-
keystonemiddleware/auth_token/__init__.py | 4 +-
keystonemiddleware/auth_token/_request.py | 3 +-
keystonemiddleware/echo/__main__.py | 3 +-
tox.ini | 4 +-
6 files changed, 17 insertions(+), 129 deletions(-)
delete mode 100644 bandit.yaml
diff --git a/bandit.yaml b/bandit.yaml
deleted file mode 100644
index f86e6fed..00000000
--- a/bandit.yaml
+++ /dev/null
@@ -1,119 +0,0 @@
-# optional: after how many files to update progress
-#show_progress_every: 100
-
-# optional: plugins directory name
-#plugins_dir: 'plugins'
-
-# optional: plugins discovery name pattern
-plugin_name_pattern: '*.py'
-
-# optional: terminal escape sequences to display colors
-#output_colors:
-# DEFAULT: '\033[0m'
-# HEADER: '\033[95m'
-# INFO: '\033[94m'
-# WARN: '\033[93m'
-# ERROR: '\033[91m'
-
-# optional: log format string
-#log_format: "[%(module)s]\t%(levelname)s\t%(message)s"
-
-# globs of files which should be analyzed
-include:
- - '*.py'
- - '*.pyw'
-
-# a list of strings, which if found in the path will cause files to be excluded
-# for example /tests/ - to remove all all files in tests directory
-exclude_dirs:
- - '/tests/'
-
-profiles:
- gate:
- include:
- - blacklist_functions
- - blacklist_imports
- - request_with_no_cert_validation
- - exec_used
- - set_bad_file_permissions
- - subprocess_popen_with_shell_equals_true
- - linux_commands_wildcard_injection
- - ssl_with_bad_version
-
-blacklist_functions:
- bad_name_sets:
- - pickle:
- qualnames: [pickle.loads, pickle.load, pickle.Unpickler,
- cPickle.loads, cPickle.load, cPickle.Unpickler]
- message: "Pickle library appears to be in use, possible security issue."
- - marshal:
- qualnames: [marshal.load, marshal.loads]
- message: "Deserialization with the marshal module is possibly dangerous."
- - md5:
- qualnames: [hashlib.md5]
- message: "Use of insecure MD5 hash function."
- - mktemp_q:
- qualnames: [tempfile.mktemp]
- message: "Use of insecure and deprecated function (mktemp)."
- - eval:
- qualnames: [eval]
- message: "Use of possibly insecure function - consider using safer ast.literal_eval."
- - mark_safe:
- names: [mark_safe]
- message: "Use of mark_safe() may expose cross-site scripting vulnerabilities and should be reviewed."
- - httpsconnection:
- qualnames: [httplib.HTTPSConnection]
- message: "Use of HTTPSConnection does not provide security, see https://wiki.openstack.org/wiki/OSSN/OSSN-0033"
- - yaml_load:
- qualnames: [yaml.load]
- message: "Use of unsafe yaml load. Allows instantiation of arbitrary objects. Consider yaml.safe_load()."
- - urllib_urlopen:
- qualnames: [urllib.urlopen, urllib.urlretrieve, urllib.URLopener, urllib.FancyURLopener, urllib2.urlopen, urllib2.Request]
- message: "Audit url open for permitted schemes. Allowing use of file:/ or custom schemes is often unexpected."
-
-shell_injection:
- # Start a process using the subprocess module, or one of its wrappers.
- subprocess: [subprocess.Popen, subprocess.call, subprocess.check_call,
- subprocess.check_output, utils.execute, utils.execute_with_timeout]
- # Start a process with a function vulnerable to shell injection.
- shell: [os.system, os.popen, os.popen2, os.popen3, os.popen4,
- popen2.popen2, popen2.popen3, popen2.popen4, popen2.Popen3,
- popen2.Popen4, commands.getoutput, commands.getstatusoutput]
- # Start a process with a function that is not vulnerable to shell injection.
- no_shell: [os.execl, os.execle, os.execlp, os.execlpe, os.execv,os.execve,
- os.execvp, os.execvpe, os.spawnl, os.spawnle, os.spawnlp,
- os.spawnlpe, os.spawnv, os.spawnve, os.spawnvp, os.spawnvpe,
- os.startfile]
-
-blacklist_imports:
- bad_import_sets:
- - telnet:
- imports: [telnetlib]
- level: ERROR
- message: "Telnet is considered insecure. Use SSH or some other encrypted protocol."
-
-hardcoded_password:
- word_list: "wordlist/default-passwords"
-
-ssl_with_bad_version:
- bad_protocol_versions:
- - 'PROTOCOL_SSLv2'
- - 'SSLv2_METHOD'
- - 'SSLv23_METHOD'
- - 'PROTOCOL_SSLv3' # strict option
- - 'PROTOCOL_TLSv1' # strict option
- - 'SSLv3_METHOD' # strict option
- - 'TLSv1_METHOD' # strict option
-
-password_config_option_not_marked_secret:
- function_names:
- - oslo.config.cfg.StrOpt
- - oslo_config.cfg.StrOpt
-
-execute_with_run_as_root_equals_true:
- function_names:
- - ceilometer.utils.execute
- - cinder.utils.execute
- - neutron.agent.linux.utils.execute
- - nova.utils.execute
- - nova.utils.trycmd
diff --git a/keystonemiddleware/audit.py b/keystonemiddleware/audit.py
index e4fefea6..1e53b287 100644
--- a/keystonemiddleware/audit.py
+++ b/keystonemiddleware/audit.py
@@ -107,22 +107,27 @@ class OpenStackAuditApi(object):
try:
default_target_endpoint_type = map_conf.get(
'DEFAULT', 'target_endpoint_type')
- except configparser.NoOptionError:
+ except configparser.NoOptionError: # nosec
+ # Ignore the undefined config option,
+ # default_target_endpoint_type remains None which is valid.
pass
try:
custom_actions = dict(map_conf.items('custom_actions'))
- except configparser.Error:
+ except configparser.Error: # nosec
+ # custom_actions remains {} which is valid.
pass
try:
path_kw = dict(map_conf.items('path_keywords'))
- except configparser.Error:
+ except configparser.Error: # nosec
+ # path_kw remains {} which is valid.
pass
try:
endpoints = dict(map_conf.items('service_endpoints'))
- except configparser.Error:
+ except configparser.Error: # nosec
+ # endpoints remains {} which is valid.
pass
except configparser.ParsingError as err:
raise PycadfAuditApiConfigError(
diff --git a/keystonemiddleware/auth_token/__init__.py b/keystonemiddleware/auth_token/__init__.py
index 6b94b54d..75a6ec5e 100644
--- a/keystonemiddleware/auth_token/__init__.py
+++ b/keystonemiddleware/auth_token/__init__.py
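Review bot: The three `except configparser.Error:  # nosec` handlers around the `map_conf.items(...)` calls are broader than the comments they now carry describe: `configparser.Error` is the base class of every configparser exception, so an interpolation failure inside a section that is present is swallowed too and the mapping silently becomes `{}`, while the outer `except configparser.ParsingError` in the same hunk suggests malformed map files are meant to surface as `PycadfAuditApiConfigError`. Narrowing each handler to the case the new comments actually document, `except configparser.NoSectionError:  # nosec`, keeps the "section absent, empty mapping is valid" behaviour and lets other configuration errors propagate. The same applies to all three `configparser.Error` sites (custom_actions, path_keywords, service_endpoints); the enclosing method begins before the hunk and continues after it.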
@@ -414,8 +414,8 @@ def _conf_values_type_convert(conf):
if v is not None:
type_, dest = opt_types[k]
v = type_(v)
- except KeyError:
- # This option is not known to auth_token.
+ except KeyError: # nosec
+ # This option is not known to auth_token. v is not converted.
pass
except ValueError as e:
raise ksm_exceptions.ConfigurationError(
diff --git a/keystonemiddleware/auth_token/_request.py b/keystonemiddleware/auth_token/_request.py
index 254376c7..7a6a25ae 100644
--- a/keystonemiddleware/auth_token/_request.py
+++ b/keystonemiddleware/auth_token/_request.py
@@ -29,7 +29,8 @@ def _v3_to_v2_catalog(catalog):
v2_service = {'type': v3_service['type']}
try:
v2_service['name'] = v3_service['name']
- except KeyError:
+ except KeyError: # nosec
+ # v3 service doesn't have a name, so v2_service doesn't either.
pass
# now convert the endpoints. Because in v3 we specify region per
diff --git a/keystonemiddleware/echo/__main__.py b/keystonemiddleware/echo/__main__.py
index 88332f02..ac93258a 100644
--- a/keystonemiddleware/echo/__main__.py
+++ b/keystonemiddleware/echo/__main__.py
@@ -3,5 +3,6 @@ from keystonemiddleware.echo import service
try:
service.EchoService()
-except KeyboardInterrupt:
+except KeyboardInterrupt: # nosec
+ # The user wants this application to exit.
pass
diff --git a/tox.ini b/tox.ini
index cd43ffa6..11f55f2e 100644
--- a/tox.ini
+++ b/tox.ini
@@ -17,12 +17,12 @@ commands = python setup.py testr --testr-args='{posargs}'
[testenv:pep8]
commands =
flake8
- bandit -c bandit.yaml -r keystonemiddleware -n5 -p gate
+ bandit -r keystonemiddleware -x tests -n5
[testenv:bandit]
# NOTE(browne): This is required for the integration test job of the bandit
# project. Please do not remove.
-commands = bandit -c bandit.yaml -r keystonemiddleware -n5 -p gate
+commands = bandit -r keystonemiddleware -x tests -n5
[testenv:venv]
commands = {posargs}
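Review bot: In `_v3_to_v2_catalog` the `try`/`except KeyError:  # nosec`/`pass` around `v2_service['name'] = v3_service['name']` guards nothing but a single dictionary lookup, so both the suppression marker and the explanatory comment can be dropped in favour of a membership test that states the intent directly: `if 'name' in v3_service:` followed by `v2_service['name'] = v3_service['name']`. Assuming `v3_service` is a plain dict (it is only indexed here), behaviour is identical for present and absent keys, and the new-side `# nosec` then has nothing left to silence. `_v3_to_v2_catalog` starts and ends outside the hunk.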
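Review bot: The bandit invocation is now repeated verbatim in `[testenv:pep8]` and `[testenv:bandit]`, and the hunk itself shows why that is fragile: the `-c bandit.yaml ... -p gate` form had to be edited in both places. `[testenv:pep8]` could reference the dedicated env through tox's section substitution, `{[testenv:bandit]commands}`, leaving one place to maintain. Separately, `-x tests` replaces the deleted `exclude_dirs: ['/tests/']`; whether bandit treats this as a path prefix or as a substring of the full path depends on the bandit version pinned for the job, so it is worth confirming in a gate run that `keystonemiddleware/tests` is actually skipped rather than scanned with the default profile.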