Fix security vulnerabilities using Bandit

Refstack was using: -1024 bits long key[1] -hardcoded sql expressions[2] Both of these was vulnerable to security attacks. Instead of 1024 bits keys refstack is now using 2048 bits keys. Sql expressions were rewriten in the recomended way[3]. [1] https://bandit.readthedocs.io/en/1.7.4/plugins/b505_weak_cryptographic_key.html [2] https://bandit.readthedocs.io/en/1.7.4/plugins/b608_hardcoded_sql_expressions.html [3] https://security.openstack.org/guidelines/dg_parameterize-database-queries.html Change-Id: I91a18ef0fd4c300094553f7c3b21d8a745c057c7
2022-10-17 13:31:51 +00:00 · 2022-10-17 13:31:51 +00:00 · 5ba7c56a7f
commit 5ba7c56a7f
parent f222f3fb95
4 changed files with 7 additions and 8 deletions
--- a/refstack/db/migrations/alembic/versions/434be17a6ec3_fix_openids_with_space.py
+++ b/refstack/db/migrations/alembic/versions/434be17a6ec3_fix_openids_with_space.py
@ -32,13 +32,12 @@ def upgrade():

        # Remove instances of the new openid so the old one can take
        # its place.
-        query = "delete from user where openid='%s'" % (new_openid)
-        conn.execute(query.replace('%', '%%'))
+        query = "delete from user where openid=%%:user"
+        conn.execute(query, user=new_openid)

        # Update the openid.
-        query = ("update user set openid='%s' where openid='%s'" %
-                 (new_openid, old_openid))
-        conn.execute(query.replace('%', '%%'))
+        query = ("update user set openid=%%:new where openid=%%:old")
+        conn.execute(query, new=new_openid, old=old_openid)

    # Update all usage of %20 in all openid references using MySQL Replace.
    conn.execute("update meta set value = "
--- a/refstack/tests/api/test_profile.py
+++ b/refstack/tests/api/test_profile.py
@ -53,7 +53,7 @@ class TestProfileEndpoint(api.FunctionalTest):
        url = self.URL + 'pubkeys'
        key = rsa.generate_private_key(
            public_exponent=65537,
-            key_size=1024,
+            key_size=2048,
            backend=default_backend()
        )
        signer = key.signer(padding.PKCS1v15(), hashes.SHA256())
--- a/refstack/tests/api/test_results.py
+++ b/refstack/tests/api/test_results.py
@ -423,7 +423,7 @@ class TestResultsEndpointNoAnonymous(api.FunctionalTest):
    def _generate_keypair_(self):
        return rsa.generate_private_key(
            public_exponent=65537,
-            key_size=1024,
+            key_size=2048,
            backend=default_backend()
        )

--- a/refstack/tests/unit/test_validators.py
+++ b/refstack/tests/unit/test_validators.py
@ -109,7 +109,7 @@ class TestResultValidatorTestCase(base.BaseTestCase):

        key = rsa.generate_private_key(
            public_exponent=65537,
-            key_size=1024,
+            key_size=2048,
            backend=default_backend()
        )
        signer = key.signer(padding.PKCS1v15(), hashes.SHA256())