x/ranger
Code Issues Proposed changes

Bandit scan changes for ranger

Browse Source 
Change-Id: Ieb0f8656b7d5a3124e1f487c9a550e9c0c19bb82
This commit is contained in:
madurranjani 2018-11-29 12:44:10 -06:00 committed by ranadheer
parent 8987472a51
commit ee3fc98be3
15 changed files with 136 additions and 33 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

92
bandit.yaml Normal file
View File

@ -0,0 +1,92 @@
### Bandit config file generated from:
# '/usr/local/bin/bandit-config-generator -o bandit.yaml'
### This config may optionally select a subset of tests to run or skip by
### filling out the 'tests' and 'skips' lists given below. If no tests are
### specified for inclusion then it is assumed all tests are desired. The skips
### set will remove specific tests from the include set. This can be controlled
### using the -t/-s CLI options. Note that the same test ID should not appear
### in both 'tests' and 'skips', this would be nonsensical and is detected by
### Bandit at runtime.
# Available tests:
# B101 : assert_used
# B102 : exec_used
# B103 : set_bad_file_permissions
# B104 : hardcoded_bind_all_interfaces
# B105 : hardcoded_password_string
# B106 : hardcoded_password_funcarg
# B107 : hardcoded_password_default
# B108 : hardcoded_tmp_directory
# B109 : password_config_option_not_marked_secret
# B110 : try_except_pass
# B111 : execute_with_run_as_root_equals_true
# B112 : try_except_continue
# B201 : flask_debug_true
# B301 : pickle
# B302 : marshal
# B303 : md5
# B304 : ciphers
# B305 : cipher_modes
# B306 : mktemp_q
# B307 : eval
# B308 : mark_safe
# B309 : httpsconnection
# B310 : urllib_urlopen
# B311 : random
# B312 : telnetlib
# B313 : xml_bad_cElementTree
# B314 : xml_bad_ElementTree
# B315 : xml_bad_expatreader
# B316 : xml_bad_expatbuilder
# B317 : xml_bad_sax
# B318 : xml_bad_minidom
# B319 : xml_bad_pulldom
# B320 : xml_bad_etree
# B321 : ftplib
# B322 : input
# B401 : import_telnetlib
# B402 : import_ftplib
# B403 : import_pickle
# B404 : import_subprocess
# B405 : import_xml_etree
# B406 : import_xml_sax
# B407 : import_xml_expat
# B408 : import_xml_minidom
# B409 : import_xml_pulldom
# B410 : import_lxml
# B411 : import_xmlrpclib
# B412 : import_httpoxy
# B501 : request_with_no_cert_validation
# B502 : ssl_with_bad_version
# B503 : ssl_with_bad_defaults
# B504 : ssl_with_no_version
# B505 : weak_cryptographic_key
# B506 : yaml_load
# B601 : paramiko_calls
# B602 : subprocess_popen_with_shell_equals_true
# B603 : subprocess_without_shell_equals_true
# B604 : any_other_function_with_shell_equals_true
# B605 : start_process_with_a_shell
# B606 : start_process_with_no_shell
# B607 : start_process_with_partial_path
# B608 : hardcoded_sql_expressions
# B609 : linux_commands_wildcard_injection
# B701 : jinja2_autoescape_false
# B702 : use_of_mako_templates
# (optional) list included test IDs here, eg '[B101, B406]':
tests:
# (optional) list skipped test IDs here, eg '[B101, B406]':
skips: [B101, B404, B603, B606]
# globs of files which should be analyzed
include:
- '*.py'
- '*.pyw'
# a list of strings, which if found in the path will cause files to be excluded
# for example /tests/ - will exclude all files in test folder.
exclude_dirs:
- '/tests/'

8
orm/common/client/audit/audit_client/api/audit.py
View File

@ -169,13 +169,13 @@ def _post_data(data):
# Validate that the configuration was initialized # Validate that the configuration was initialized
_validate() _validate()
# Send the data # Send the data
req = urllib2.Request(config['AUDIT_SERVER_URL']) req = urllib2.Request(config['AUDIT_SERVER_URL']) # nosec
req.add_header('Content-Type', 'application/json') req.add_header('Content-Type', 'application/json')
# Retry to send the data to the audit server # Retry to send the data to the audit server
success = False success = False
for retry_number in range(config['NUM_OF_SEND_RETRIES']): for retry_number in range(config['NUM_OF_SEND_RETRIES']):
try: try:
urllib2.urlopen(req, json.dumps(data)) urllib2.urlopen(req, json.dumps(data)) # nosec
success = True success = True
break break
except Exception as error: except Exception as error:
@ -197,13 +197,13 @@ def _get_data(query):
# Send the data # Send the data
audit_server_url_with_query = "{}?{}".format(config['AUDIT_SERVER_URL'], audit_server_url_with_query = "{}?{}".format(config['AUDIT_SERVER_URL'],
query) query)
req = urllib2.Request(audit_server_url_with_query) req = urllib2.Request(audit_server_url_with_query) # nosec
# Retry to get the data from the audit server # Retry to get the data from the audit server
success = False success = False
response = None response = None
for retry_number in range(config['NUM_OF_SEND_RETRIES']): for retry_number in range(config['NUM_OF_SEND_RETRIES']):
try: try:
response = urllib2.urlopen(req) response = urllib2.urlopen(req) # nosec
success = True success = True
break break
except Exception as error: except Exception as error:

2
orm/common/config.py
View File

@ -22,7 +22,7 @@ CONF = cfg.CONF
api_opts = [ api_opts = [
cfg.HostAddressOpt( cfg.HostAddressOpt(
'host', 'host',
default='0.0.0.0', default='0.0.0.0', # nosec
help='Ranger API server host' help='Ranger API server host'
), ),
cfg.BoolOpt('ssl_verify', default=False, help='Enable HTTPS') cfg.BoolOpt('ssl_verify', default=False, help='Enable HTTPS')

14
orm/orm_client/db_clear/db_comander.py
View File

@ -60,7 +60,7 @@ def _build_delet_resource_status_query(resource_id, table_name):
query = ''' query = '''
DELETE from %s DELETE from %s
WHERE resource_id = '%s' WHERE resource_id = '%s'
''' % (table_name, resource_id) ''' % (table_name, resource_id) # nosec
return query return query
@ -70,7 +70,7 @@ def _build_delete_image_metadata(resource_id, image_metadata_table,
DELETE from %s DELETE from %s
WHERE image_meta_data_id in WHERE image_meta_data_id in
(SELECT id from %s where resource_id = '%s') (SELECT id from %s where resource_id = '%s')
''' % (image_metadata_table, resource_table, resource_id) ''' % (image_metadata_table, resource_table, resource_id) # nosec
return query return query
@ -78,7 +78,7 @@ def _build_delete_resource_query(resource_id, table_col, table_name):
query = ''' query = '''
DELETE from %s DELETE from %s
WHERE %s.%s = '%s' WHERE %s.%s = '%s'
''' % (table_name, table_name, table_col, resource_id) ''' % (table_name, table_name, table_col, resource_id) # nosec
return query return query
@ -86,7 +86,7 @@ def _build_get_cms_regions_query(resource_id, table_name):
query = ''' query = '''
select region_id from %s select region_id from %s
WHERE customer_id = '%s' and region_id != '-1' WHERE customer_id = '%s' and region_id != '-1'
''' % (table_name, resource_id) ''' % (table_name, resource_id) # nosec
return query return query
@ -94,7 +94,7 @@ def _build_get_fms_regions_query(resource_id, table_name):
query = ''' query = '''
select region_name from %s select region_name from %s
WHERE flavor_internal_id = '%s' WHERE flavor_internal_id = '%s'
''' % (table_name, resource_id) ''' % (table_name, resource_id) # nosec
return query return query
@ -102,7 +102,7 @@ def _build_get_ims_regions_query(resource_id, table_name):
query = ''' query = '''
select region_name from %s select region_name from %s
WHERE image_id = '%s' WHERE image_id = '%s'
''' % (table_name, resource_id) ''' % (table_name, resource_id) # nosec
return query return query
@ -110,7 +110,7 @@ def _build_get_resource_id_query(resource_id, table_col, table_name):
query = ''' query = '''
select * from %s select * from %s
WHERE %s.%s = '%s' WHERE %s.%s = '%s'
''' % (table_name, table_name, table_col, resource_id) ''' % (table_name, table_name, table_col, resource_id) # nosec
return query return query

2
orm/services/customer_manager/cms_rest/data/sql_alchemy/cms_user_record.py
View File

@ -38,7 +38,7 @@ class CmsUserRecord:
raise raise
def get_cms_user_id_from_name(self, cms_user_name): def get_cms_user_id_from_name(self, cms_user_name):
result = self.session.connection().scalar("SELECT id from cms_user WHERE name = \"%s\"" % (cms_user_name)) result = self.session.connection().scalar("SELECT id from cms_user WHERE name = \"%s\"", (cms_user_name,))
if result is not None: if result is not None:
return int(result) return int(result)
return result return result

6
orm/services/customer_manager/cms_rest/data/sql_alchemy/customer_record.py
View File

@ -42,7 +42,7 @@ class CustomerRecord:
raise raise
def delete_by_primary_key(self, customer_id): def delete_by_primary_key(self, customer_id):
result = self.session.connection().execute("delete from customer where id = {}".format(customer_id)) result = self.session.connection().execute("delete from customer where id = {}".format(customer_id)) # nosec
return result return result
def read_by_primary_key(self): def read_by_primary_key(self):
@ -69,7 +69,7 @@ class CustomerRecord:
raise raise
def get_customer_id_from_uuid(self, uuid): def get_customer_id_from_uuid(self, uuid):
result = self.session.connection().scalar("SELECT id from customer WHERE uuid = \"{}\"".format(uuid)) result = self.session.connection().scalar("SELECT id from customer WHERE uuid = \"{}\"".format(uuid)) # nosec
if result: if result:
return int(result) return int(result)
@ -77,7 +77,7 @@ class CustomerRecord:
return None return None
def get_customers_status_by_uuids(self, uuid_str): def get_customers_status_by_uuids(self, uuid_str):
results = self.session.connection().execute("SELECT id, resource_id, region, status" results = self.session.connection().execute("SELECT id, resource_id, region, status" # nosec
" FROM rds_resource_status_view WHERE resource_id IN ({})".format(uuid_str)) " FROM rds_resource_status_view WHERE resource_id IN ({})".format(uuid_str))
cust_region_dict = {} cust_region_dict = {}
if results: if results:

4
orm/services/customer_manager/cms_rest/data/sql_alchemy/customer_region_record.py
View File

@ -68,7 +68,7 @@ class CustomerRegionRecord:
'region with the region name {0} not found'.format( 'region with the region name {0} not found'.format(
region_name)) region_name))
result = self.session.connection().execute( result = self.session.connection().execute(
"delete from customer_region where customer_id = {} and region_id = {}".format(customer_id, region_id)) "delete from customer_region where customer_id = {} and region_id = {}".format(customer_id, region_id)) # nosec
self.session.flush() self.session.flush()
if result.rowcount == 0: if result.rowcount == 0:
@ -86,6 +86,6 @@ class CustomerRegionRecord:
customer_id = customer_record.get_customer_id_from_uuid(customer_id) customer_id = customer_record.get_customer_id_from_uuid(customer_id)
result = self.session.connection().execute( result = self.session.connection().execute(
"delete from customer_region where customer_id = {} and region_id <> -1 ".format(customer_id)) "delete from customer_region where customer_id = {} and region_id <> -1 ".format(customer_id)) # nosec
# print "num records deleted from customer regions: " + str(result.rowcount) # print "num records deleted from customer regions: " + str(result.rowcount)
return result return result

2
orm/services/customer_manager/cms_rest/data/sql_alchemy/region_record.py
View File

@ -37,7 +37,7 @@ class RegionRecord:
raise raise
def get_region_id_from_name(self, region_name): def get_region_id_from_name(self, region_name):
result = self.session.connection().scalar("SELECT id from cms_region WHERE name = \"{}\"".format(region_name)) result = self.session.connection().scalar("SELECT id from cms_region WHERE name = \"{}\"".format(region_name)) # nosec
if result is not None: if result is not None:
return int(result) return int(result)
return result return result

7
orm/services/customer_manager/cms_rest/data/sql_alchemy/user_role_record.py
View File

@ -64,9 +64,10 @@ class UserRoleRecord:
# additional logic for delete_user only: check if the provided user id # additional logic for delete_user only: check if the provided user id
# is associated with the customer and region in cms delete_user request # is associated with the customer and region in cms delete_user request
elif region_id > -1: elif region_id > -1:
user_check = "SELECT DISTINCT user_id from user_role " \ user_check = '''
"WHERE customer_id =%d AND region_id =%d " \ SELECT DISTINCT user_id from user_role
"AND user_id =%d" % (customer_id, region_id, user_id) WHERE customer_id =%d AND region_id =%d AND user_id =%d"
''' % (customer_id, region_id, user_id) # nosec
result = self.session.connection().execute(user_check) result = self.session.connection().execute(user_check)
if result.rowcount == 0: if result.rowcount == 0:

4
orm/services/flavor_manager/fms_rest/data/sql_alchemy/flavor/flavor_record.py
View File

@ -53,7 +53,7 @@ class FlavorRecord:
def delete_by_uuid(self, flavor_uuid): def delete_by_uuid(self, flavor_uuid):
try: try:
result = self.session.connection().execute("delete from flavor where id = \"{0}\"".format(flavor_uuid)) result = self.session.connection().execute("delete from flavor where id = \"{0}\"".format(flavor_uuid)) # nosec
return result return result
except Exception as exception: except Exception as exception:
@ -148,7 +148,7 @@ class FlavorRecord:
raise raise
def get_flavors_status_by_uuids(self, uuid_str): def get_flavors_status_by_uuids(self, uuid_str):
results = self.session.connection().execute("SELECT id, resource_id, region, status" results = self.session.connection().execute("SELECT id, resource_id, region, status" # nosec
" FROM rds_resource_status_view WHERE resource_id IN ({})".format(uuid_str)) " FROM rds_resource_status_view WHERE resource_id IN ({})".format(uuid_str))
flvr_region_dict = {} flvr_region_dict = {}

3
orm/services/flavor_manager/fms_rest/data/wsme/models.py
View File

@ -1,3 +1,4 @@
import ast
import wsme import wsme
from orm.common.orm_common.utils.cross_api_utils import (set_utils_conf, from orm.common.orm_common.utils.cross_api_utils import (set_utils_conf,
@ -254,7 +255,7 @@ class Flavor(Model):
if self.series == 'p1': if self.series == 'p1':
if {'n0'}.issubset(self.options.keys()) and \ if {'n0'}.issubset(self.options.keys()) and \
eval(self.options.get('n0').lower().capitalize()): ast.literal_eval(self.options.get('n0').lower().capitalize()):
vcpu_limit = int(conf.flavor_limits.p1_n0_vcpu_limit) vcpu_limit = int(conf.flavor_limits.p1_n0_vcpu_limit)
vram_limit = int(conf.flavor_limits.p1_n0_vram_limit) vram_limit = int(conf.flavor_limits.p1_n0_vram_limit)
else: else:

6
orm/services/image_manager/ims/persistency/sql_alchemy/image/image_record.py
View File

@ -9,7 +9,7 @@ LOG = get_logger(__name__)
class ImageRecord(Record): class ImageRecord(Record):
def __init__(self, session): def __init__(self, session):
# this model is uses only for the parameters of access mothods, not an instance of model in the database # this model is uses only for the parameters of access methods, not an instance of model in the database
self.__image = Image() self.__image = Image()
# self.set_record_data(self.__image) # self.set_record_data(self.__image)
# self.__image.clear() # self.__image.clear()
@ -48,7 +48,7 @@ class ImageRecord(Record):
def delete_image_by_id(self, id): def delete_image_by_id(self, id):
try: try:
result = self.session.connection().execute("delete from image where id = '{0}'".format(id)) result = self.session.connection().execute("delete from image where id = '{0}'".format(id)) # nosec
return result return result
except Exception as exception: except Exception as exception:
@ -95,7 +95,7 @@ class ImageRecord(Record):
raise raise
def get_images_status_by_uuids(self, uuid_str): def get_images_status_by_uuids(self, uuid_str):
results = self.session.connection().execute("SELECT id, resource_id, region, status" results = self.session.connection().execute("SELECT id, resource_id, region, status" # nosec
" FROM rds_resource_status_view WHERE resource_id IN ({})".format(uuid_str)) " FROM rds_resource_status_view WHERE resource_id IN ({})".format(uuid_str))
img_region_dict = {} img_region_dict = {}
if results: if results:

9
orm/services/region_manager/rms/model/model.py
View File

@ -1,8 +1,10 @@
"""model module.""" """model module."""
from orm.services.region_manager.rms.logger import get_logger
from orm.services.region_manager.rms.services import error_base from orm.services.region_manager.rms.services import error_base
from pecan import conf from pecan import conf
logger = get_logger(__name__)
class Address(object): class Address(object):
"""address class.""" """address class."""
@ -123,8 +125,9 @@ class RegionData(object):
"type {}".format(endpoint.type)) "type {}".format(endpoint.type))
try: try:
endpoints_types_must_have.remove(endpoint.type) endpoints_types_must_have.remove(endpoint.type)
except Exception: except Exception as exp:
pass # pass
logger.debug(exp)
if len(endpoints_types_must_have) > 0: if len(endpoints_types_must_have) > 0:
raise error_base.InputValueError( raise error_base.InputValueError(
message="Invalid endpoints. Endpoint type '{}' " message="Invalid endpoints. Endpoint type '{}' "

2
test-requirements.txt
View File

@ -3,7 +3,7 @@
# process, which may cause wedges in the gate later. # process, which may cause wedges in the gate later.
hacking>=0.12.0,<0.13 # Apache-2.0 hacking>=0.12.0,<0.13 # Apache-2.0
bandit>=1.5.1
coverage>=4.0,!=4.4 # Apache-2.0 coverage>=4.0,!=4.4 # Apache-2.0
openstackdocstheme>=1.11.0 # Apache-2.0 openstackdocstheme>=1.11.0 # Apache-2.0
oslotest>=1.10.0 # Apache-2.0 oslotest>=1.10.0 # Apache-2.0

8
tox.ini
View File

@ -21,8 +21,14 @@ whitelist_externals =
bash bash
find find
[testenv:bandit]
deps = .[bandit]
commands = bandit-baseline -r orm -n5 -c bandit.yaml
[testenv:pep8] [testenv:pep8]
commands = flake8 {posargs} commands =
flake8 {posargs}
{[testenv:bandit]commands}
[testenv:venv] [testenv:venv]
commands = {posargs} commands = {posargs}