add nosec to remote ssh pickle usages

this change will suppress the warnings from bandit about the pickle usages in the remote ssh related modules. this also adds TODO items to remind of future investigation. Change-Id: Iefd8fd240189a5a4e35c2ee433ba0a8ed899da91 Closes-Bug: 1552465
2016-03-02 19:08:04 -05:00 · 2016-03-02 19:08:04 -05:00 · 1deef56cc6
commit 1deef56cc6
parent e4432510e9
2 changed files with 15 additions and 10 deletions
--- a/sahara/cli/sahara_subprocess.py
+++ b/sahara/cli/sahara_subprocess.py
@ -13,7 +13,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.

-import pickle
+import pickle  # nosec
 import sys
 import traceback

@ -29,9 +29,12 @@ def main():
            result = dict()

            try:
-                func = pickle.load(sys.stdin)
-                args = pickle.load(sys.stdin)
-                kwargs = pickle.load(sys.stdin)
+                # TODO(elmiko) these pickle usages should be
+                # reinvestigated to determine a more secure manner to
+                # deploy remote commands.
+                func = pickle.load(sys.stdin)  # nosec
+                args = pickle.load(sys.stdin)  # nosec
+                kwargs = pickle.load(sys.stdin)  # nosec

                result['output'] = func(*args, **kwargs)
            except BaseException as e:
@ -39,5 +42,5 @@ def main():
                result['exception'] = cls_name + ': ' + str(e)
                result['traceback'] = traceback.format_exc()

-            pickle.dump(result, sys.stdout)
+            pickle.dump(result, sys.stdout)  # nosec
            sys.stdout.flush()
--- a/sahara/utils/procutils.py
+++ b/sahara/utils/procutils.py
@ -14,7 +14,7 @@
 # limitations under the License.

 import os
-import pickle
+import pickle  # nosec
 import sys

 from eventlet.green import subprocess
@ -43,13 +43,15 @@ def run_in_subprocess(proc, func, args=None, kwargs=None, interactive=False):
    args = args or ()
    kwargs = kwargs or {}
    try:
-        pickle.dump(func, proc.stdin)
-        pickle.dump(args, proc.stdin)
-        pickle.dump(kwargs, proc.stdin)
+        # TODO(elmiko) these pickle usages should be reinvestigated to
+        # determine a more secure manner to deploy remote commands.
+        pickle.dump(func, proc.stdin)  # nosec
+        pickle.dump(args, proc.stdin)  # nosec
+        pickle.dump(kwargs, proc.stdin)  # nosec
        proc.stdin.flush()

        if not interactive:
-            result = pickle.load(proc.stdout)
+            result = pickle.load(proc.stdout)  # nosec

            if 'exception' in result:
                raise exceptions.SubprocessException(result['exception'])