From 5ba7c56a7fad31be119a24b0775f2faa5549f8de Mon Sep 17 00:00:00 2001
From: jskunda
Date: Mon, 17 Oct 2022 13:31:51 +0000
Subject: [PATCH] Fix security vulnerabilities using Bandit Refstack was using: -1024 bits long key[1] -hardcoded sql expressions[2] Both of these was vulnerable to security attacks. Instead of 1024 bits keys refstack is now using 2048 bits keys. Sql expressions were rewriten in the recomended way[3]. [1] https://bandit.readthedocs.io/en/1.7.4/plugins/b505_weak_cryptographic_key.html [2] https://bandit.readthedocs.io/en/1.7.4/plugins/b608_hardcoded_sql_expressions.html [3] https://security.openstack.org/guidelines/dg_parameterize-database-queries.html Change-Id: I91a18ef0fd4c300094553f7c3b21d8a745c057c7
---
 .../versions/434be17a6ec3_fix_openids_with_space.py | 9 ++++-----
 refstack/tests/api/test_profile.py | 2 +-
 refstack/tests/api/test_results.py | 2 +-
 refstack/tests/unit/test_validators.py | 2 +-
 4 files changed, 7 insertions(+), 8 deletions(-)
diff --git a/refstack/db/migrations/alembic/versions/434be17a6ec3_fix_openids_with_space.py b/refstack/db/migrations/alembic/versions/434be17a6ec3_fix_openids_with_space.py
index 0f0c901f..76cc793c 100644
--- a/refstack/db/migrations/alembic/versions/434be17a6ec3_fix_openids_with_space.py
+++ b/refstack/db/migrations/alembic/versions/434be17a6ec3_fix_openids_with_space.py
@@ -32,13 +32,12 @@ def upgrade():
 # Remove instances of the new openid so the old one can take
 # its place.
- query = "delete from user where openid='%s'" % (new_openid)
- conn.execute(query.replace('%', '%%'))
+ query = "delete from user where openid=%%:user"
+ conn.execute(query, user=new_openid)
 # Update the openid.
- query = ("update user set openid='%s' where openid='%s'" %
- (new_openid, old_openid))
- conn.execute(query.replace('%', '%%'))
+ query = ("update user set openid=%%:new where openid=%%:old")
+ conn.execute(query, new=new_openid, old=old_openid)
 # Update all usage of %20 in all openid references using MySQL Replace.
 conn.execute("update meta set value = "
diff --git a/refstack/tests/api/test_profile.py b/refstack/tests/api/test_profile.py
index 4532c483..a64778ab 100644
--- a/refstack/tests/api/test_profile.py
+++ b/refstack/tests/api/test_profile.py
@@ -53,7 +53,7 @@ class TestProfileEndpoint(api.FunctionalTest):
 url = self.URL + 'pubkeys'
 key = rsa.generate_private_key(
 public_exponent=65537,
- key_size=1024,
+ key_size=2048,
 backend=default_backend()
 )
 signer = key.signer(padding.PKCS1v15(), hashes.SHA256())
diff --git a/refstack/tests/api/test_results.py b/refstack/tests/api/test_results.py
index 612df64c..0f5d6edb 100644
--- a/refstack/tests/api/test_results.py
+++ b/refstack/tests/api/test_results.py
@@ -423,7 +423,7 @@ class TestResultsEndpointNoAnonymous(api.FunctionalTest):
 def _generate_keypair_(self):
 return rsa.generate_private_key(
 public_exponent=65537,
- key_size=1024,
+ key_size=2048,
 backend=default_backend()
 )
diff --git a/refstack/tests/unit/test_validators.py b/refstack/tests/unit/test_validators.py
index b9d64e45..7a3f9fb2 100644
--- a/refstack/tests/unit/test_validators.py
+++ b/refstack/tests/unit/test_validators.py
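Review bot: The new placeholder form `openid=%%:user` in the delete statement is not a bind parameter in either the SQLAlchemy (`:user`) or the DBAPI pyformat (`%(user)s`) syntax, so the text `%:user` (or `%%:user`) reaches the server as a literal and `user=new_openid` is never bound — the delete, and the update below it written the same way, will match no rows or fail with a syntax error instead of being parameterized, which is the opposite of what the commit message claims. Use `sqlalchemy.text()` with plain `:name` placeholders, e.g. `conn.execute(sa.text("delete from user where openid=:user"), user=new_openid)` and `conn.execute(sa.text("update user set openid=:new where openid=:old"), new=new_openid, old=old_openid)` (assuming the migration already imports sqlalchemy as `sa`; otherwise add the import). The `.replace('%', '%%')` escaping the old code needed for percent-encoded openids becomes unnecessary once the values are bound, which is presumably why a `%%` prefix was kept here. `upgrade()` starts before this hunk and continues after it; the `update meta` statement on the last context line is still a raw string whose construction is outside the hunk, so it deserves the same check.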
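Review bot: Raising `key_size` to 2048 in this fixture, and in the identical hunks in test_results.py `_generate_keypair_` and test_validators.py, only changes what the tests generate; it does not make the service reject 1024-bit keys, and the diffstat shows no non-test change other than the migration, so no validator-side minimum is introduced. If the goal is to close the weak-key finding for real users rather than only for Bandit, the accepted RSA length should be enforced where the submitted public key is parsed, with a test that submits a 1024-bit key and expects rejection. Otherwise a short comment on the changed line, `# 2048 bits: Bandit B505 flags shorter RSA keys in fixtures`, would keep the next reader from assuming the server enforces this size.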
@@ -109,7 +109,7 @@ class TestResultValidatorTestCase(base.BaseTestCase):
 key = rsa.generate_private_key(
 public_exponent=65537,
- key_size=1024,
+ key_size=2048,
 backend=default_backend()
 )
 signer = key.signer(padding.PKCS1v15(), hashes.SHA256())