Add Bandit to tox for security static analysis

Bandit is a tool designed to find common security issues in Python code. This change adds a bandit target to tox.ini. The config file bandit.yaml was generated using bandit-config-generator Run bandit: tox -e bandit Change-Id: I3bd64e1e58d4dc460ce869c50818e9913fe1b9b8
2015-07-13 16:03:57 +03:00 · 2015-07-13 16:03:57 +03:00 · 1c763f2285
commit 1c763f2285
parent 5c927520e0
6 changed files with 365 additions and 6 deletions
--- a/bandit.yaml
+++ b/bandit.yaml
@ -0,0 +1,344 @@
+# Generated using bandit_conf_generator
+profiles:
+  gate:
+    include:
+    - any_other_function_with_shell_equals_true
+    - assert_used
+    - blacklist_calls
+    - blacklist_import_func
+    - blacklist_imports
+    - exec_used
+    - execute_with_run_as_root_equals_true
+    - hardcoded_bind_all_interfaces
+    - hardcoded_password_string
+    - hardcoded_password_funcarg
+    - hardcoded_password_default
+    - hardcoded_sql_expressions
+    - hardcoded_tmp_directory
+    - jinja2_autoescape_false
+    - linux_commands_wildcard_injection
+    - paramiko_calls
+    - password_config_option_not_marked_secret
+    - request_with_no_cert_validation
+    - set_bad_file_permissions
+    - subprocess_popen_with_shell_equals_true
+    - subprocess_without_shell_equals_true
+    - start_process_with_a_shell
+    - start_process_with_no_shell
+    - start_process_with_partial_path
+    - ssl_with_bad_defaults
+    - ssl_with_bad_version
+    - ssl_with_no_version
+    - try_except_pass
+    - use_of_mako_templates
+    - weak_cryptographic_key
+
+exclude_dirs:
+- /tests/
+
+shell_injection:
+  no_shell:
+  - os.execl
+  - os.execle
+  - os.execlp
+  - os.execlpe
+  - os.execv
+  - os.execve
+  - os.execvp
+  - os.execvpe
+  - os.spawnl
+  - os.spawnle
+  - os.spawnlp
+  - os.spawnlpe
+  - os.spawnv
+  - os.spawnve
+  - os.spawnvp
+  - os.spawnvpe
+  - os.startfile
+  shell:
+  - os.system
+  - os.popen
+  - os.popen2
+  - os.popen3
+  - os.popen4
+  - popen2.popen2
+  - popen2.popen3
+  - popen2.popen4
+  - popen2.Popen3
+  - popen2.Popen4
+  - commands.getoutput
+  - commands.getstatusoutput
+  subprocess:
+  - subprocess.Popen
+  - subprocess.call
+  - subprocess.check_call
+  - subprocess.check_output
+  - utils.execute
+  - utils.execute_with_timeout
+
+ssl_with_bad_version:
+  bad_protocol_versions:
+  - PROTOCOL_SSLv2
+  - SSLv2_METHOD
+  - SSLv23_METHOD
+  - PROTOCOL_SSLv3
+  - PROTOCOL_TLSv1
+  - SSLv3_METHOD
+  - TLSv1_METHOD
+
+try_except_pass:
+  check_typed_exception: true
+
+plugin_name_pattern: '*.py'
+
+blacklist_calls:
+  bad_name_sets:
+  - pickle:
+      message: 'Pickle library appears to be in use, possible security issue.
+
+        '
+      qualnames:
+      - pickle.loads
+      - pickle.load
+      - pickle.Unpickler
+      - cPickle.loads
+      - cPickle.load
+      - cPickle.Unpickler
+  - marshal:
+      message: 'Deserialization with the marshal module is possibly dangerous.
+
+        '
+      qualnames:
+      - marshal.load
+      - marshal.loads
+  - md5:
+      message: Use of insecure MD2, MD4, or MD5 hash function.
+      qualnames:
+      - hashlib.md5
+      - Crypto.Hash.MD2.new
+      - Crypto.Hash.MD4.new
+      - Crypto.Hash.MD5.new
+      - cryptography.hazmat.primitives.hashes.MD5
+  - ciphers:
+      level: HIGH
+      message: 'Use of insecure cipher {func}. Replace with a known secure cipher
+        such as AES.
+
+        '
+      qualnames:
+      - Crypto.Cipher.ARC2.new
+      - Crypto.Cipher.ARC4.new
+      - Crypto.Cipher.Blowfish.new
+      - Crypto.Cipher.DES.new
+      - Crypto.Cipher.XOR.new
+      - cryptography.hazmat.primitives.ciphers.algorithms.ARC4
+      - cryptography.hazmat.primitives.ciphers.algorithms.Blowfish
+      - cryptography.hazmat.primitives.ciphers.algorithms.IDEA
+  - cipher_modes:
+      message: Use of insecure cipher mode {func}.
+      qualnames:
+      - cryptography.hazmat.primitives.ciphers.modes.ECB
+  - mktemp_q:
+      message: Use of insecure and deprecated function (mktemp).
+      qualnames:
+      - tempfile.mktemp
+  - eval:
+      message: 'Use of possibly insecure function - consider using safer ast.literal_eval.
+
+        '
+      qualnames:
+      - eval
+  - mark_safe:
+      message: 'Use of mark_safe() may expose cross-site scripting vulnerabilities
+        and should be reviewed.
+
+        '
+      names:
+      - mark_safe
+  - httpsconnection:
+      message: 'Use of HTTPSConnection does not provide security, see https://wiki.openstack.org/wiki/OSSN/OSSN-0033
+
+        '
+      qualnames:
+      - httplib.HTTPSConnection
+      - http.client.HTTPSConnection
+      - six.moves.http_client.HTTPSConnection
+  - yaml_load:
+      message: 'Use of unsafe yaml load. Allows instantiation of arbitrary objects.
+        Consider yaml.safe_load().
+
+        '
+      qualnames:
+      - yaml.load
+  - urllib_urlopen:
+      message: 'Audit url open for permitted schemes. Allowing use of file:/ or custom
+        schemes is often unexpected.
+
+        '
+      qualnames:
+      - urllib.urlopen
+      - urllib.request.urlopen
+      - urllib.urlretrieve
+      - urllib.request.urlretrieve
+      - urllib.URLopener
+      - urllib.request.URLopener
+      - urllib.FancyURLopener
+      - urllib.request.FancyURLopener
+      - urllib2.urlopen
+      - urllib2.Request
+      - six.moves.urllib.request.urlopen
+      - six.moves.urllib.request.urlretrieve
+      - six.moves.urllib.request.URLopener
+      - six.moves.urllib.request.FancyURLopener
+  - telnetlib:
+      level: HIGH
+      message: 'Telnet-related funtions are being called. Telnet is considered insecure.
+        Use SSH or some other encrypted protocol.
+
+        '
+      qualnames:
+      - telnetlib.*
+  - xml_bad_cElementTree:
+      message: 'Using {func} to parse untrusted XML data is known to be vulnerable
+        to XML attacks. Replace {func} with its defusedxml equivalent function.
+
+        '
+      qualnames:
+      - xml.etree.cElementTree.parse
+      - xml.etree.cElementTree.iterparse
+      - xml.etree.cElementTree.fromstring
+      - xml.etree.cElementTree.XMLParser
+  - xml_bad_ElementTree:
+      message: 'Using {func} to parse untrusted XML data is known to be vulnerable
+        to XML attacks. Replace {func} with its defusedxml equivalent function.
+
+        '
+      qualnames:
+      - xml.etree.ElementTree.parse
+      - xml.etree.ElementTree.iterparse
+      - xml.etree.ElementTree.fromstring
+      - xml.etree.ElementTree.XMLParser
+  - xml_bad_expatreader:
+      message: 'Using {func} to parse untrusted XML data is known to be vulnerable
+        to XML attacks. Replace {func} with its defusedxml equivalent function.
+
+        '
+      qualnames:
+      - xml.sax.expatreader.create_parser
+  - xml_bad_expatbuilder:
+      message: 'Using {func} to parse untrusted XML data is known to be vulnerable
+        to XML attacks. Replace {func} with its defusedxml equivalent function.
+
+        '
+      qualnames:
+      - xml.dom.expatbuilder.parse
+      - xml.dom.expatbuilder.parseString
+  - xml_bad_sax:
+      message: 'Using {func} to parse untrusted XML data is known to be vulnerable
+        to XML attacks. Replace {func} with its defusedxml equivalent function.
+
+        '
+      qualnames:
+      - xml.sax.parse
+      - xml.sax.parseString
+      - xml.sax.make_parser
+  - xml_bad_minidom:
+      message: 'Using {func} to parse untrusted XML data is known to be vulnerable
+        to XML attacks. Replace {func} with its defusedxml equivalent function.
+
+        '
+      qualnames:
+      - xml.dom.minidom.parse
+      - xml.dom.minidom.parseString
+  - xml_bad_pulldom:
+      message: 'Using {func} to parse untrusted XML data is known to be vulnerable
+        to XML attacks. Replace {func} with its defusedxml equivalent function.
+
+        '
+      qualnames:
+      - xml.dom.pulldom.parse
+      - xml.dom.pulldom.parseString
+  - xml_bad_etree:
+      message: 'Using {func} to parse untrusted XML data is known to be vulnerable
+        to XML attacks. Replace {func} with its defusedxml equivalent function.
+
+        '
+      qualnames:
+      - lxml.etree.parse
+      - lxml.etree.fromstring
+      - lxml.etree.RestrictedElement
+      - lxml.etree.GlobalParserTLS
+      - lxml.etree.getDefaultParser
+      - lxml.etree.check_docinfo
+
+hardcoded_tmp_directory:
+  tmp_dirs:
+  - /tmp
+  - /var/tmp
+  - /dev/shm
+
+blacklist_imports:
+  bad_import_sets:
+  - telnet:
+      imports:
+      - telnetlib
+      level: HIGH
+      message: 'A telnet-related module is being imported.  Telnet is considered insecure.
+        Use SSH or some other encrypted protocol.
+
+        '
+  - info_libs:
+      imports:
+      - pickle
+      - cPickle
+      - subprocess
+      - Crypto
+      level: LOW
+      message: 'Consider possible security implications associated with {module} module.
+
+        '
+  - xml_libs:
+      imports:
+      - xml.etree.cElementTree
+      - xml.etree.ElementTree
+      - xml.sax.expatreader
+      - xml.sax
+      - xml.dom.expatbuilder
+      - xml.dom.minidom
+      - xml.dom.pulldom
+      - lxml.etree
+      - lxml
+      level: LOW
+      message: 'Using {module} to parse untrusted XML data is known to be vulnerable
+        to XML attacks. Replace {module} with the equivalent defusedxml package.
+
+        '
+  - xml_libs_high:
+      imports:
+      - xmlrpclib
+      level: HIGH
+      message: 'Using {module} to parse untrusted XML data is known to be vulnerable
+        to XML attacks. Use defused.xmlrpc.monkey_patch() function to monkey-patch
+        xmlrpclib and mitigate XML vulnerabilities.
+
+        '
+
+include:
+- '*.py'
+- '*.pyw'
+
+password_config_option_not_marked_secret:
+  function_names:
+  - oslo.config.cfg.StrOpt
+  - oslo_config.cfg.StrOpt
+
+hardcoded_password:
+  word_list: '%(site_data_dir)s/wordlist/default-passwords'
+
+execute_with_run_as_root_equals_true:
+  function_names:
+  - ceilometer.utils.execute
+  - cinder.utils.execute
+  - neutron.agent.linux.utils.execute
+  - nova.utils.execute
+  - nova.utils.trycmd
--- a/oslo_service/sslutils.py
+++ b/oslo_service/sslutils.py
@ -37,7 +37,7 @@ for protocol in _OPTIONAL_PROTOCOLS:
    try:
        _SSL_PROTOCOLS[protocol] = getattr(ssl,
                                           _OPTIONAL_PROTOCOLS[protocol])
-    except AttributeError:
+    except AttributeError:  # nosec
        pass


@ -99,4 +99,6 @@ def wrap(conf, sock):
        if conf.ssl.ciphers:
            ssl_kwargs['ciphers'] = conf.ssl.ciphers

-    return ssl.wrap_socket(sock, **ssl_kwargs)
+    # NOTE(eezhova): SSL/TLS protocol version is injected in ssl_kwargs above,
+    # so skipping bandit check
+    return ssl.wrap_socket(sock, **ssl_kwargs)  # nosec
--- a/oslo_service/threadgroup.py
+++ b/oslo_service/threadgroup.py
@ -109,7 +109,8 @@ class ThreadGroup(object):
                continue
            try:
                action_func(x)
-            except eventlet.greenlet.GreenletExit:
+            except eventlet.greenlet.GreenletExit:  # nosec
+                # greenlet exited successfully
                pass
            except Exception:
                on_error_func(x)
@ -145,7 +146,8 @@ class ThreadGroup(object):
        for x in self.timers:
            try:
                x.wait()
-            except eventlet.greenlet.GreenletExit:
+            except eventlet.greenlet.GreenletExit:  # nosec
+                # greenlet exited successfully
                pass
            except Exception:
                LOG.exception(_LE('Error waiting on timer.'))
--- a/oslo_service/wsgi.py
+++ b/oslo_service/wsgi.py
@ -59,7 +59,11 @@ class InvalidInput(Exception):
 class Server(service.ServiceBase):
    """Server class to manage a WSGI server, serving a WSGI application."""

-    def __init__(self, conf, name, app, host='0.0.0.0', port=0,
+    # TODO(eezhova): Consider changing the default host value to prevent
+    # possible binding to all interfaces. The most appropriate value seems
+    # to be 127.0.0.1, but it has to be verified that the change wouldn't
+    # break any consuming project.
+    def __init__(self, conf, name, app, host='0.0.0.0', port=0,  # nosec
                 pool_size=None, protocol=eventlet.wsgi.HttpProtocol,
                 backlog=128, use_ssl=False, max_url_len=None,
                 logger_name='eventlet.wsgi.server',
--- a/test-requirements.txt
+++ b/test-requirements.txt
@ -13,3 +13,6 @@ sphinx!=1.2.0,!=1.3b1,<1.3,>=1.1.2
 doc8 # Apache-2.0

 coverage>=3.6
+
+# Bandit security code scanner
+bandit>=0.13.2
--- a/tox.ini
+++ b/tox.ini
@ -1,6 +1,6 @@
 [tox]
 minversion = 1.6
-envlist = py34,py27,pypy,pep8
+envlist = py34,py27,pypy,pep8, bandit

 [testenv]
 deps = -r{toxinidir}/test-requirements.txt
@ -53,3 +53,7 @@ commands = pip-missing-reqs -d --ignore-module=oslo_service* --ignore-module=pkg

 [testenv:debug]
 commands = oslo_debug_helper -t oslo_service/tests {posargs}
+
+[testenv:bandit]
+deps = -r{toxinidir}/test-requirements.txt
+commands = bandit -c bandit.yaml -r oslo_service -n5 -p gate