openstack/oslo.utils
Code Issues Proposed changes

Add a bandit target to tox.ini

Browse Source 
Some parts of the code have been annoted with "# nosec" as they made bandit
raise false positives.

Change-Id: I9d8a8ab79e8b5de98e7d291ac132f8971a44216d
This commit is contained in:
Cyril Roelandt 2015-11-20 15:51:55 +01:00
parent 6d11be648f
commit 92661e47ba
7 changed files with 410 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

393
bandit.yaml Normal file
View File

@ -0,0 +1,393 @@
# Generated using bandit_conf_generator with the following configuration:
# profile_name: gate
#
profiles:
gate:
include:
- any_other_function_with_shell_equals_true
- assert_used
- blacklist_calls
- blacklist_import_func
- blacklist_imports
- exec_used
- execute_with_run_as_root_equals_true
- hardcoded_bind_all_interfaces
- hardcoded_password_string
- hardcoded_password_funcarg
- hardcoded_password_default
- hardcoded_sql_expressions
- hardcoded_tmp_directory
- jinja2_autoescape_false
- linux_commands_wildcard_injection
- paramiko_calls
- password_config_option_not_marked_secret
- request_with_no_cert_validation
- set_bad_file_permissions
- subprocess_popen_with_shell_equals_true
- subprocess_without_shell_equals_true
- start_process_with_a_shell
- start_process_with_no_shell
- start_process_with_partial_path
- ssl_with_bad_defaults
- ssl_with_bad_version
- ssl_with_no_version
- try_except_pass
- use_of_mako_templates
- weak_cryptographic_key
exclude_dirs:
- /tests/
shell_injection:
no_shell:
- os.execl
- os.execle
- os.execlp
- os.execlpe
- os.execv
- os.execve
- os.execvp
- os.execvpe
- os.spawnl
- os.spawnle
- os.spawnlp
- os.spawnlpe
- os.spawnv
- os.spawnve
- os.spawnvp
- os.spawnvpe
- os.startfile
shell:
- os.system
- os.popen
- os.popen2
- os.popen3
- os.popen4
- popen2.popen2
- popen2.popen3
- popen2.popen4
- popen2.Popen3
- popen2.Popen4
- commands.getoutput
- commands.getstatusoutput
subprocess:
- subprocess.Popen
- subprocess.call
- subprocess.check_call
- subprocess.check_output
- utils.execute
- utils.execute_with_timeout
ssl_with_bad_version:
bad_protocol_versions:
- PROTOCOL_SSLv2
- SSLv2_METHOD
- SSLv23_METHOD
- PROTOCOL_SSLv3
- PROTOCOL_TLSv1
- SSLv3_METHOD
- TLSv1_METHOD
try_except_pass:
check_typed_exception: true
plugin_name_pattern: '*.py'
profiles:
gate:
include:
- any_other_function_with_shell_equals_true
- assert_used
- blacklist_calls
- blacklist_import_func
- blacklist_imports
- exec_used
- execute_with_run_as_root_equals_true
- hardcoded_bind_all_interfaces
- hardcoded_password_string
- hardcoded_password_funcarg
- hardcoded_password_default
- hardcoded_sql_expressions
- hardcoded_tmp_directory
- jinja2_autoescape_false
- linux_commands_wildcard_injection
- paramiko_calls
- password_config_option_not_marked_secret
- request_with_no_cert_validation
- set_bad_file_permissions
- subprocess_popen_with_shell_equals_true
- subprocess_without_shell_equals_true
- start_process_with_a_shell
- start_process_with_no_shell
- start_process_with_partial_path
- ssl_with_bad_defaults
- ssl_with_bad_version
- ssl_with_no_version
- try_except_pass
- use_of_mako_templates
- weak_cryptographic_key
blacklist_calls:
bad_name_sets:
- pickle:
message: 'Pickle library appears to be in use, possible security issue.
'
qualnames:
- pickle.loads
- pickle.load
- pickle.Unpickler
- cPickle.loads
- cPickle.load
- cPickle.Unpickler
- marshal:
message: 'Deserialization with the marshal module is possibly dangerous.
'
qualnames:
- marshal.load
- marshal.loads
- md5:
message: Use of insecure MD2, MD4, or MD5 hash function.
qualnames:
- hashlib.md5
- Crypto.Hash.MD2.new
- Crypto.Hash.MD4.new
- Crypto.Hash.MD5.new
- cryptography.hazmat.primitives.hashes.MD5
- ciphers:
level: HIGH
message: 'Use of insecure cipher {func}. Replace with a known secure cipher
such as AES.
'
qualnames:
- Crypto.Cipher.ARC2.new
- Crypto.Cipher.ARC4.new
- Crypto.Cipher.Blowfish.new
- Crypto.Cipher.DES.new
- Crypto.Cipher.XOR.new
- cryptography.hazmat.primitives.ciphers.algorithms.ARC4
- cryptography.hazmat.primitives.ciphers.algorithms.Blowfish
- cryptography.hazmat.primitives.ciphers.algorithms.IDEA
- cipher_modes:
message: Use of insecure cipher mode {func}.
qualnames:
- cryptography.hazmat.primitives.ciphers.modes.ECB
- mktemp_q:
message: Use of insecure and deprecated function (mktemp).
qualnames:
- tempfile.mktemp
- eval:
message: 'Use of possibly insecure function - consider using safer ast.literal_eval.
'
qualnames:
- eval
- mark_safe:
message: 'Use of mark_safe() may expose cross-site scripting vulnerabilities
and should be reviewed.
'
names:
- mark_safe
- httpsconnection:
message: 'Use of HTTPSConnection does not provide security, see https://wiki.openstack.org/wiki/OSSN/OSSN-0033
'
qualnames:
- httplib.HTTPSConnection
- http.client.HTTPSConnection
- six.moves.http_client.HTTPSConnection
- yaml_load:
message: 'Use of unsafe yaml load. Allows instantiation of arbitrary objects.
Consider yaml.safe_load().
'
qualnames:
- yaml.load
- urllib_urlopen:
message: 'Audit url open for permitted schemes. Allowing use of file:/ or custom
schemes is often unexpected.
'
qualnames:
- urllib.urlopen
- urllib.request.urlopen
- urllib.urlretrieve
- urllib.request.urlretrieve
- urllib.URLopener
- urllib.request.URLopener
- urllib.FancyURLopener
- urllib.request.FancyURLopener
- urllib2.urlopen
- urllib2.Request
- six.moves.urllib.request.urlopen
- six.moves.urllib.request.urlretrieve
- six.moves.urllib.request.URLopener
- six.moves.urllib.request.FancyURLopener
- random:
level: LOW
message: 'Standard pseudo-random generators are not suitable for security/cryptographic
purposes.
'
qualnames:
- random.random
- random.randrange
- random.randint
- random.choice
- random.uniform
- random.triangular
- telnetlib:
level: HIGH
message: 'Telnet-related funtions are being called. Telnet is considered insecure.
Use SSH or some other encrypted protocol.
'
qualnames:
- telnetlib.*
- xml_bad_cElementTree:
message: 'Using {func} to parse untrusted XML data is known to be vulnerable
to XML attacks. Replace {func} with its defusedxml equivalent function.
'
qualnames:
- xml.etree.cElementTree.parse
- xml.etree.cElementTree.iterparse
- xml.etree.cElementTree.fromstring
- xml.etree.cElementTree.XMLParser
- xml_bad_ElementTree:
message: 'Using {func} to parse untrusted XML data is known to be vulnerable
to XML attacks. Replace {func} with its defusedxml equivalent function.
'
qualnames:
- xml.etree.ElementTree.parse
- xml.etree.ElementTree.iterparse
- xml.etree.ElementTree.fromstring
- xml.etree.ElementTree.XMLParser
- xml_bad_expatreader:
message: 'Using {func} to parse untrusted XML data is known to be vulnerable
to XML attacks. Replace {func} with its defusedxml equivalent function.
'
qualnames:
- xml.sax.expatreader.create_parser
- xml_bad_expatbuilder:
message: 'Using {func} to parse untrusted XML data is known to be vulnerable
to XML attacks. Replace {func} with its defusedxml equivalent function.
'
qualnames:
- xml.dom.expatbuilder.parse
- xml.dom.expatbuilder.parseString
- xml_bad_sax:
message: 'Using {func} to parse untrusted XML data is known to be vulnerable
to XML attacks. Replace {func} with its defusedxml equivalent function.
'
qualnames:
- xml.sax.parse
- xml.sax.parseString
- xml.sax.make_parser
- xml_bad_minidom:
message: 'Using {func} to parse untrusted XML data is known to be vulnerable
to XML attacks. Replace {func} with its defusedxml equivalent function.
'
qualnames:
- xml.dom.minidom.parse
- xml.dom.minidom.parseString
- xml_bad_pulldom:
message: 'Using {func} to parse untrusted XML data is known to be vulnerable
to XML attacks. Replace {func} with its defusedxml equivalent function.
'
qualnames:
- xml.dom.pulldom.parse
- xml.dom.pulldom.parseString
- xml_bad_etree:
message: 'Using {func} to parse untrusted XML data is known to be vulnerable
to XML attacks. Replace {func} with its defusedxml equivalent function.
'
qualnames:
- lxml.etree.parse
- lxml.etree.fromstring
- lxml.etree.RestrictedElement
- lxml.etree.GlobalParserTLS
- lxml.etree.getDefaultParser
- lxml.etree.check_docinfo
hardcoded_tmp_directory:
tmp_dirs:
- /tmp
- /var/tmp
- /dev/shm
blacklist_imports:
bad_import_sets:
- telnet:
imports:
- telnetlib
level: HIGH
message: 'A telnet-related module is being imported. Telnet is considered insecure.
Use SSH or some other encrypted protocol.
'
- info_libs:
imports:
- pickle
- cPickle
- subprocess
- Crypto
level: LOW
message: 'Consider possible security implications associated with {module} module.
'
- xml_libs:
imports:
- xml.etree.cElementTree
- xml.etree.ElementTree
- xml.sax.expatreader
- xml.sax
- xml.dom.expatbuilder
- xml.dom.minidom
- xml.dom.pulldom
- lxml.etree
- lxml
level: LOW
message: 'Using {module} to parse untrusted XML data is known to be vulnerable
to XML attacks. Replace {module} with the equivalent defusedxml package.
'
- xml_libs_high:
imports:
- xmlrpclib
level: HIGH
message: 'Using {module} to parse untrusted XML data is known to be vulnerable
to XML attacks. Use defused.xmlrpc.monkey_patch() function to monkey-patch
xmlrpclib and mitigate XML vulnerabilities.
'
include:
- '*.py'
- '*.pyw'
password_config_option_not_marked_secret:
function_names:
- oslo.config.cfg.StrOpt
- oslo_config.cfg.StrOpt
hardcoded_password:
word_list: '%(site_data_dir)s/wordlist/default-passwords'
execute_with_run_as_root_equals_true:
function_names:
- ceilometer.utils.execute
- cinder.utils.execute
- neutron.agent.linux.utils.execute
- nova.utils.execute
- nova.utils.trycmd

6
oslo_utils/encodeutils.py
View File

@ -124,7 +124,7 @@ def exception_to_unicode(exc):
# the implicit decoding from the default encoding # the implicit decoding from the default encoding
try: try:
msg = exc.__unicode__() msg = exc.__unicode__()
except UnicodeError: except UnicodeError: # nosec
pass pass
if msg is None: if msg is None:
@ -145,7 +145,7 @@ def exception_to_unicode(exc):
# if the string is not a valid UTF-8 string: the UTF-8 codec includes # if the string is not a valid UTF-8 string: the UTF-8 codec includes
# a validation algorithm to ensure the consistency of the codec. # a validation algorithm to ensure the consistency of the codec.
return msg.decode('utf-8') return msg.decode('utf-8')
except UnicodeDecodeError: except UnicodeDecodeError: # nosec
pass pass
# Try the locale encoding, most error messages are encoded to this encoding # Try the locale encoding, most error messages are encoded to this encoding
@ -153,7 +153,7 @@ def exception_to_unicode(exc):
encoding = sys.getfilesystemencoding() encoding = sys.getfilesystemencoding()
try: try:
return msg.decode(encoding) return msg.decode(encoding)
except UnicodeDecodeError: except UnicodeDecodeError: # nosec
pass pass
# The encoding is not ASCII, not UTF-8, nor the locale encoding. Fallback # The encoding is not ASCII, not UTF-8, nor the locale encoding. Fallback

4
oslo_utils/reflection.py
View File

@ -64,7 +64,7 @@ def get_class_name(obj, fully_qualified=True):
obj = type(obj) obj = type(obj)
try: try:
built_in = obj.__module__ in _BUILTIN_MODULES built_in = obj.__module__ in _BUILTIN_MODULES
except AttributeError: except AttributeError: # nosec
pass pass
else: else:
if built_in: if built_in:
@ -158,7 +158,7 @@ def is_same_callback(callback1, callback2, strict=True):
self1 = six.get_method_self(callback1) self1 = six.get_method_self(callback1)
self2 = six.get_method_self(callback2) self2 = six.get_method_self(callback2)
return self1 is self2 return self1 is self2
except AttributeError: except AttributeError: # nosec
pass pass
return False return False

4
oslo_utils/strutils.py
View File

@ -212,7 +212,7 @@ def to_slug(value, incoming=None, errors="strict"):
return SLUGIFY_HYPHENATE_RE.sub("-", value) return SLUGIFY_HYPHENATE_RE.sub("-", value)
def mask_password(message, secret="***"): def mask_password(message, secret="***"): # nosec
"""Replace password with *secret* in message. """Replace password with *secret* in message.
:param message: The string which includes security information. :param message: The string which includes security information.
@ -253,7 +253,7 @@ def mask_password(message, secret="***"):
try: try:
message = six.text_type(message) message = six.text_type(message)
except UnicodeDecodeError: except UnicodeDecodeError: # nosec
# NOTE(jecarey): Temporary fix to handle cases where message is a # NOTE(jecarey): Temporary fix to handle cases where message is a
# byte string. A better solution will be provided in Kilo. # byte string. A better solution will be provided in Kilo.
pass pass

4
oslo_utils/timeutils.py
View File

@ -217,7 +217,7 @@ def advance_time_delta(timedelta):
See :py:class:`oslo_utils.fixture.TimeFixture`. See :py:class:`oslo_utils.fixture.TimeFixture`.
""" """
assert utcnow.override_time is not None assert utcnow.override_time is not None # nosec
try: try:
for dt in utcnow.override_time: for dt in utcnow.override_time:
dt += timedelta dt += timedelta
@ -450,7 +450,7 @@ class StopWatch(object):
"""Stops the watch (ignoring errors if stop fails).""" """Stops the watch (ignoring errors if stop fails)."""
try: try:
self.stop() self.stop()
except RuntimeError: except RuntimeError: # nosec: errors are meant to be ignored
pass pass
def leftover(self, return_none=False): def leftover(self, return_none=False):

3
test-requirements.txt
View File

@ -26,3 +26,6 @@ mock>=1.2
# used for oslotest cross-testing scripts # used for oslotest cross-testing scripts
oslo.config>=2.7.0 # Apache-2.0 oslo.config>=2.7.0 # Apache-2.0
# Bandit security code scanner
bandit>=0.13.2

6
tox.ini
View File

@ -1,6 +1,6 @@
[tox] [tox]
minversion = 1.6 minversion = 1.6
envlist = py34,py27,pep8 envlist = py34,py27,pep8,bandit
[testenv] [testenv]
deps = -r{toxinidir}/test-requirements.txt deps = -r{toxinidir}/test-requirements.txt
@ -18,6 +18,10 @@ commands = python setup.py build_sphinx
[testenv:cover] [testenv:cover]
commands = python setup.py test --coverage --coverage-package-name=oslo_utils --testr-args='{posargs}' commands = python setup.py test --coverage --coverage-package-name=oslo_utils --testr-args='{posargs}'
[testenv:bandit]
deps=-r{toxinidir}/test-requirements.txt
commands = bandit -c bandit.yaml -r oslo_utils -n5 -p gate
[flake8] [flake8]
ignore = E123,H405 ignore = E123,H405
show-source = True show-source = True