From 67513fc17c23066f6547b5e3c4ab2dc852e4f7f0 Mon Sep 17 00:00:00 2001
From: janonymous <janonymous.codevulture@gmail.com>
Date: Sat, 27 Jun 2015 23:26:47 +0530
Subject: [PATCH] Adding bandit for security static analysis testing in swift

This change adds a basic bandit config for Swift. It can be invoked
by running the tox environment for bandit;
    tox -e bandit

This is an initial step for using bandit with Swift
and it should be revisited to improve the testing as more is learned
about the specific needs of the Swift code base.As per now some tests
are excluded as they were used on purpose.

https://wiki.openstack.org/wiki/Security/Projects/Bandit

Implements: blueprint swift-bandit

Change-Id: I621be9a68ae9311f3a6eadd1636b05e646260cf2
---
 bandit.yaml           | 149 ++++++++++++++++++++++++++++++++++++++++++
 test-requirements.txt |   3 +
 tox.ini               |   4 ++
 3 files changed, 156 insertions(+)
 create mode 100644 bandit.yaml

diff --git a/bandit.yaml b/bandit.yaml
new file mode 100644
index 0000000000..6599ee50b8
--- /dev/null
+++ b/bandit.yaml
@@ -0,0 +1,149 @@
+# optional: after how many files to update progress
+#show_progress_every: 100
+
+# optional: plugins directory name
+#plugins_dir: 'plugins'
+
+# optional: plugins discovery name pattern
+plugin_name_pattern: '*.py'
+
+# optional: terminal escape sequences to display colors
+#output_colors:
+#    DEFAULT: '\033[0m'
+#    HEADER: '\033[95m'
+#    LOW: '\033[94m'
+#    MEDIUM: '\033[93m'
+#    HIGH: '\033[91m'
+
+# optional: log format string
+#log_format: "[%(module)s]\t%(levelname)s\t%(message)s"
+
+# globs of files which should be analyzed
+include:
+    - '*.py'
+
+# a list of strings, which if found in the path will cause files to be
+# excluded
+# for example /tests/ - to remove all all files in tests directory
+#exclude_dirs:
+#    - '/tests/'
+
+#configured for swift
+profiles:
+    gate:
+        include:
+            - blacklist_calls
+            - blacklist_imports
+            - exec_used
+            - linux_commands_wildcard_injection
+            - request_with_no_cert_validation
+            - set_bad_file_permissions
+            - subprocess_popen_with_shell_equals_true
+            - ssl_with_bad_version
+            - password_config_option_not_marked_secret
+
+#            - any_other_function_with_shell_equals_true
+#            - ssl_with_bad_defaults
+#            - jinja2_autoescape_false
+#            - use_of_mako_templates
+#            - subprocess_without_shell_equals_true
+#            - any_other_function_with_shell_equals_true
+#            - start_process_with_a_shell
+#            - start_process_with_no_shell
+#            - hardcoded_sql_expressions
+#            - hardcoded_tmp_director
+#            - linux_commands_wildcard_injection
+#For now some items are commented which could be included as per use later.
+blacklist_calls:
+    bad_name_sets:
+#        - pickle:
+#            qualnames: [pickle.loads, pickle.load, pickle.Unpickler,
+#                        cPickle.loads, cPickle.load, cPickle.Unpickler]
+#            level: LOW
+#            message: "Pickle library appears to be in use, possible security
+#issue."
+
+        - marshal:
+            qualnames: [marshal.load, marshal.loads]
+            message: "Deserialization with the marshal module is possibly
+dangerous."
+#        - md5:
+#            qualnames: [hashlib.md5]
+#            level: LOW
+#            message: "Use of insecure MD5 hash function."
+        - mktemp_q:
+            qualnames: [tempfile.mktemp]
+            message: "Use of insecure and deprecated function (mktemp)."
+#        - eval:
+#            qualnames: [eval]
+#            level: LOW
+#            message: "Use of possibly insecure function - consider using safer
+#ast.literal_eval."
+        - mark_safe:
+            names: [mark_safe]
+            message: "Use of mark_safe() may expose cross-site scripting
+vulnerabilities and should be reviewed."
+        - httpsconnection:
+            qualnames: [httplib.HTTPSConnection]
+            message: "Use of HTTPSConnection does not provide security, see
+https://wiki.openstack.org/wiki/OSSN/OSSN-0033"
+        - yaml_load:
+            qualnames: [yaml.load]
+            message: "Use of unsafe yaml load. Allows instantiation of
+arbitrary objects. Consider yaml.safe_load()."
+        - urllib_urlopen:
+            qualnames: [urllib.urlopen, urllib.urlretrieve, urllib.URLopener,
+urllib.FancyURLopener, urllib2.urlopen, urllib2.Request]
+            message: "Audit url open for permitted schemes. Allowing use of
+file:/ or custom schemes is often unexpected."
+        - paramiko_injection:
+            qualnames: [paramiko.exec_command, paramiko.invoke_shell]
+            message: "Paramiko exec_command() and invoke_shell() usage may
+expose command injection vulnerabilities and should be reviewed."
+
+shell_injection:
+    # Start a process using the subprocess module, or one of its wrappers.
+    subprocess: [subprocess.Popen, subprocess.call, subprocess.check_call,
+                 subprocess.check_output, utils.execute,
+utils.execute_with_timeout]
+    # Start a process with a function vulnerable to shell injection.
+    shell: [os.system, os.popen, os.popen2, os.popen3, os.popen4,
+            popen2.popen2, popen2.popen3, popen2.popen4, popen2.Popen3,
+            popen2.Popen4, commands.getoutput, commands.getstatusoutput]
+    # Start a process with a function that is not vulnerable to shell
+    # injection.
+    no_shell: [os.execl, os.execle, os.execlp, os.execlpe, os.execv,os.execve,
+               os.execvp, os.execvpe, os.spawnl, os.spawnle, os.spawnlp,
+               os.spawnlpe, os.spawnv, os.spawnve, os.spawnvp, os.spawnvpe,
+               os.startfile]
+
+blacklist_imports:
+    bad_import_sets:
+        - telnet:
+            imports: [telnetlib]
+            level: HIGH
+            message: "Telnet is considered insecure. Use SSH or some other
+encrypted protocol."
+        - info_libs:
+            imports: [Crypto]
+            level: LOW
+            message: "Consider possible security implications associated with
+#{module} module."
+
+hardcoded_password:
+    word_list: "wordlist/default-passwords"
+
+ssl_with_bad_version:
+    bad_protocol_versions:
+        - 'PROTOCOL_SSLv2'
+        - 'SSLv2_METHOD'
+        - 'SSLv23_METHOD'
+        - 'PROTOCOL_SSLv3'  # strict option
+        - 'PROTOCOL_TLSv1'  # strict option
+        - 'SSLv3_METHOD'    # strict option
+        - 'TLSv1_METHOD'    # strict option
+
+password_config_option_not_marked_secret:
+    function_names:
+        - oslo.config.cfg.StrOpt
+        - oslo_config.cfg.StrOpt
diff --git a/test-requirements.txt b/test-requirements.txt
index b3f7eed5be..e8b3b42dfe 100644
--- a/test-requirements.txt
+++ b/test-requirements.txt
@@ -13,3 +13,6 @@ sphinx>=1.1.2,<1.2
 mock>=1.0
 python-swiftclient
 python-keystoneclient>=1.3.0
+
+# Security checks
+bandit>=0.10.1
diff --git a/tox.ini b/tox.ini
index 8b7061a026..4ed27daed6 100644
--- a/tox.ini
+++ b/tox.ini
@@ -49,6 +49,10 @@ commands = {posargs}
 [testenv:docs]
 commands = python setup.py build_sphinx
 
+[testenv:bandit]
+deps = -r{toxinidir}/test-requirements.txt
+commands = bandit -c bandit.yaml -r swift bin -n 5 -p gate
+
 [flake8]
 # it's not a bug that we aren't using all of hacking
 # H102 -> apache2 license exists