67513fc17c
This change adds a basic bandit config for Swift. It can be invoked
by running the tox environment for bandit;
tox -e bandit
This is an initial step for using bandit with Swift
and it should be revisited to improve the testing as more is learned
about the specific needs of the Swift code base.As per now some tests
are excluded as they were used on purpose.
https://wiki.openstack.org/wiki/Security/Projects/Bandit
Implements: blueprint swift-bandit
Change-Id: I621be9a68ae9311f3a6eadd1636b05e646260cf2
150 lines
5.3 KiB
YAML
150 lines
5.3 KiB
YAML
# optional: after how many files to update progress
|
|
#show_progress_every: 100
|
|
|
|
# optional: plugins directory name
|
|
#plugins_dir: 'plugins'
|
|
|
|
# optional: plugins discovery name pattern
|
|
plugin_name_pattern: '*.py'
|
|
|
|
# optional: terminal escape sequences to display colors
|
|
#output_colors:
|
|
# DEFAULT: '\033[0m'
|
|
# HEADER: '\033[95m'
|
|
# LOW: '\033[94m'
|
|
# MEDIUM: '\033[93m'
|
|
# HIGH: '\033[91m'
|
|
|
|
# optional: log format string
|
|
#log_format: "[%(module)s]\t%(levelname)s\t%(message)s"
|
|
|
|
# globs of files which should be analyzed
|
|
include:
|
|
- '*.py'
|
|
|
|
# a list of strings, which if found in the path will cause files to be
|
|
# excluded
|
|
# for example /tests/ - to remove all all files in tests directory
|
|
#exclude_dirs:
|
|
# - '/tests/'
|
|
|
|
#configured for swift
|
|
profiles:
|
|
gate:
|
|
include:
|
|
- blacklist_calls
|
|
- blacklist_imports
|
|
- exec_used
|
|
- linux_commands_wildcard_injection
|
|
- request_with_no_cert_validation
|
|
- set_bad_file_permissions
|
|
- subprocess_popen_with_shell_equals_true
|
|
- ssl_with_bad_version
|
|
- password_config_option_not_marked_secret
|
|
|
|
# - any_other_function_with_shell_equals_true
|
|
# - ssl_with_bad_defaults
|
|
# - jinja2_autoescape_false
|
|
# - use_of_mako_templates
|
|
# - subprocess_without_shell_equals_true
|
|
# - any_other_function_with_shell_equals_true
|
|
# - start_process_with_a_shell
|
|
# - start_process_with_no_shell
|
|
# - hardcoded_sql_expressions
|
|
# - hardcoded_tmp_director
|
|
# - linux_commands_wildcard_injection
|
|
#For now some items are commented which could be included as per use later.
|
|
blacklist_calls:
|
|
bad_name_sets:
|
|
# - pickle:
|
|
# qualnames: [pickle.loads, pickle.load, pickle.Unpickler,
|
|
# cPickle.loads, cPickle.load, cPickle.Unpickler]
|
|
# level: LOW
|
|
# message: "Pickle library appears to be in use, possible security
|
|
#issue."
|
|
|
|
- marshal:
|
|
qualnames: [marshal.load, marshal.loads]
|
|
message: "Deserialization with the marshal module is possibly
|
|
dangerous."
|
|
# - md5:
|
|
# qualnames: [hashlib.md5]
|
|
# level: LOW
|
|
# message: "Use of insecure MD5 hash function."
|
|
- mktemp_q:
|
|
qualnames: [tempfile.mktemp]
|
|
message: "Use of insecure and deprecated function (mktemp)."
|
|
# - eval:
|
|
# qualnames: [eval]
|
|
# level: LOW
|
|
# message: "Use of possibly insecure function - consider using safer
|
|
#ast.literal_eval."
|
|
- mark_safe:
|
|
names: [mark_safe]
|
|
message: "Use of mark_safe() may expose cross-site scripting
|
|
vulnerabilities and should be reviewed."
|
|
- httpsconnection:
|
|
qualnames: [httplib.HTTPSConnection]
|
|
message: "Use of HTTPSConnection does not provide security, see
|
|
https://wiki.openstack.org/wiki/OSSN/OSSN-0033"
|
|
- yaml_load:
|
|
qualnames: [yaml.load]
|
|
message: "Use of unsafe yaml load. Allows instantiation of
|
|
arbitrary objects. Consider yaml.safe_load()."
|
|
- urllib_urlopen:
|
|
qualnames: [urllib.urlopen, urllib.urlretrieve, urllib.URLopener,
|
|
urllib.FancyURLopener, urllib2.urlopen, urllib2.Request]
|
|
message: "Audit url open for permitted schemes. Allowing use of
|
|
file:/ or custom schemes is often unexpected."
|
|
- paramiko_injection:
|
|
qualnames: [paramiko.exec_command, paramiko.invoke_shell]
|
|
message: "Paramiko exec_command() and invoke_shell() usage may
|
|
expose command injection vulnerabilities and should be reviewed."
|
|
|
|
shell_injection:
|
|
# Start a process using the subprocess module, or one of its wrappers.
|
|
subprocess: [subprocess.Popen, subprocess.call, subprocess.check_call,
|
|
subprocess.check_output, utils.execute,
|
|
utils.execute_with_timeout]
|
|
# Start a process with a function vulnerable to shell injection.
|
|
shell: [os.system, os.popen, os.popen2, os.popen3, os.popen4,
|
|
popen2.popen2, popen2.popen3, popen2.popen4, popen2.Popen3,
|
|
popen2.Popen4, commands.getoutput, commands.getstatusoutput]
|
|
# Start a process with a function that is not vulnerable to shell
|
|
# injection.
|
|
no_shell: [os.execl, os.execle, os.execlp, os.execlpe, os.execv,os.execve,
|
|
os.execvp, os.execvpe, os.spawnl, os.spawnle, os.spawnlp,
|
|
os.spawnlpe, os.spawnv, os.spawnve, os.spawnvp, os.spawnvpe,
|
|
os.startfile]
|
|
|
|
blacklist_imports:
|
|
bad_import_sets:
|
|
- telnet:
|
|
imports: [telnetlib]
|
|
level: HIGH
|
|
message: "Telnet is considered insecure. Use SSH or some other
|
|
encrypted protocol."
|
|
- info_libs:
|
|
imports: [Crypto]
|
|
level: LOW
|
|
message: "Consider possible security implications associated with
|
|
#{module} module."
|
|
|
|
hardcoded_password:
|
|
word_list: "wordlist/default-passwords"
|
|
|
|
ssl_with_bad_version:
|
|
bad_protocol_versions:
|
|
- 'PROTOCOL_SSLv2'
|
|
- 'SSLv2_METHOD'
|
|
- 'SSLv23_METHOD'
|
|
- 'PROTOCOL_SSLv3' # strict option
|
|
- 'PROTOCOL_TLSv1' # strict option
|
|
- 'SSLv3_METHOD' # strict option
|
|
- 'TLSv1_METHOD' # strict option
|
|
|
|
password_config_option_not_marked_secret:
|
|
function_names:
|
|
- oslo.config.cfg.StrOpt
|
|
- oslo_config.cfg.StrOpt
|