diff --git a/bandit.yaml b/bandit.yaml new file mode 100644 index 0000000000..6599ee50b8 --- /dev/null +++ b/bandit.yaml @@ -0,0 +1,149 @@ +# optional: after how many files to update progress +#show_progress_every: 100 + +# optional: plugins directory name +#plugins_dir: 'plugins' + +# optional: plugins discovery name pattern +plugin_name_pattern: '*.py' + +# optional: terminal escape sequences to display colors +#output_colors: +# DEFAULT: '\033[0m' +# HEADER: '\033[95m' +# LOW: '\033[94m' +# MEDIUM: '\033[93m' +# HIGH: '\033[91m' + +# optional: log format string +#log_format: "[%(module)s]\t%(levelname)s\t%(message)s" + +# globs of files which should be analyzed +include: + - '*.py' + +# a list of strings, which if found in the path will cause files to be +# excluded +# for example /tests/ - to remove all all files in tests directory +#exclude_dirs: +# - '/tests/' + +#configured for swift +profiles: + gate: + include: + - blacklist_calls + - blacklist_imports + - exec_used + - linux_commands_wildcard_injection + - request_with_no_cert_validation + - set_bad_file_permissions + - subprocess_popen_with_shell_equals_true + - ssl_with_bad_version + - password_config_option_not_marked_secret + +# - any_other_function_with_shell_equals_true +# - ssl_with_bad_defaults +# - jinja2_autoescape_false +# - use_of_mako_templates +# - subprocess_without_shell_equals_true +# - any_other_function_with_shell_equals_true +# - start_process_with_a_shell +# - start_process_with_no_shell +# - hardcoded_sql_expressions +# - hardcoded_tmp_director +# - linux_commands_wildcard_injection +#For now some items are commented which could be included as per use later. +blacklist_calls: + bad_name_sets: +# - pickle: +# qualnames: [pickle.loads, pickle.load, pickle.Unpickler, +# cPickle.loads, cPickle.load, cPickle.Unpickler] +# level: LOW +# message: "Pickle library appears to be in use, possible security +#issue." + + - marshal: + qualnames: [marshal.load, marshal.loads] + message: "Deserialization with the marshal module is possibly +dangerous." +# - md5: +# qualnames: [hashlib.md5] +# level: LOW +# message: "Use of insecure MD5 hash function." + - mktemp_q: + qualnames: [tempfile.mktemp] + message: "Use of insecure and deprecated function (mktemp)." +# - eval: +# qualnames: [eval] +# level: LOW +# message: "Use of possibly insecure function - consider using safer +#ast.literal_eval." + - mark_safe: + names: [mark_safe] + message: "Use of mark_safe() may expose cross-site scripting +vulnerabilities and should be reviewed." + - httpsconnection: + qualnames: [httplib.HTTPSConnection] + message: "Use of HTTPSConnection does not provide security, see +https://wiki.openstack.org/wiki/OSSN/OSSN-0033" + - yaml_load: + qualnames: [yaml.load] + message: "Use of unsafe yaml load. Allows instantiation of +arbitrary objects. Consider yaml.safe_load()." + - urllib_urlopen: + qualnames: [urllib.urlopen, urllib.urlretrieve, urllib.URLopener, +urllib.FancyURLopener, urllib2.urlopen, urllib2.Request] + message: "Audit url open for permitted schemes. Allowing use of +file:/ or custom schemes is often unexpected." + - paramiko_injection: + qualnames: [paramiko.exec_command, paramiko.invoke_shell] + message: "Paramiko exec_command() and invoke_shell() usage may +expose command injection vulnerabilities and should be reviewed." + +shell_injection: + # Start a process using the subprocess module, or one of its wrappers. + subprocess: [subprocess.Popen, subprocess.call, subprocess.check_call, + subprocess.check_output, utils.execute, +utils.execute_with_timeout] + # Start a process with a function vulnerable to shell injection. + shell: [os.system, os.popen, os.popen2, os.popen3, os.popen4, + popen2.popen2, popen2.popen3, popen2.popen4, popen2.Popen3, + popen2.Popen4, commands.getoutput, commands.getstatusoutput] + # Start a process with a function that is not vulnerable to shell + # injection. + no_shell: [os.execl, os.execle, os.execlp, os.execlpe, os.execv,os.execve, + os.execvp, os.execvpe, os.spawnl, os.spawnle, os.spawnlp, + os.spawnlpe, os.spawnv, os.spawnve, os.spawnvp, os.spawnvpe, + os.startfile] + +blacklist_imports: + bad_import_sets: + - telnet: + imports: [telnetlib] + level: HIGH + message: "Telnet is considered insecure. Use SSH or some other +encrypted protocol." + - info_libs: + imports: [Crypto] + level: LOW + message: "Consider possible security implications associated with +#{module} module." + +hardcoded_password: + word_list: "wordlist/default-passwords" + +ssl_with_bad_version: + bad_protocol_versions: + - 'PROTOCOL_SSLv2' + - 'SSLv2_METHOD' + - 'SSLv23_METHOD' + - 'PROTOCOL_SSLv3' # strict option + - 'PROTOCOL_TLSv1' # strict option + - 'SSLv3_METHOD' # strict option + - 'TLSv1_METHOD' # strict option + +password_config_option_not_marked_secret: + function_names: + - oslo.config.cfg.StrOpt + - oslo_config.cfg.StrOpt diff --git a/test-requirements.txt b/test-requirements.txt index b3f7eed5be..e8b3b42dfe 100644 --- a/test-requirements.txt +++ b/test-requirements.txt @@ -13,3 +13,6 @@ sphinx>=1.1.2,<1.2 mock>=1.0 python-swiftclient python-keystoneclient>=1.3.0 + +# Security checks +bandit>=0.10.1 diff --git a/tox.ini b/tox.ini index 8b7061a026..4ed27daed6 100644 --- a/tox.ini +++ b/tox.ini @@ -49,6 +49,10 @@ commands = {posargs} [testenv:docs] commands = python setup.py build_sphinx +[testenv:bandit] +deps = -r{toxinidir}/test-requirements.txt +commands = bandit -c bandit.yaml -r swift bin -n 5 -p gate + [flake8] # it's not a bug that we aren't using all of hacking # H102 -> apache2 license exists