Merge "Adds Bandit #nosec flag to instances of SHA1"

This commit is contained in:
Jenkins 2017-09-12 23:30:22 +00:00 committed by Gerrit Code Review
commit 02dce05678
3 changed files with 15 additions and 3 deletions


@ -60,8 +60,12 @@ def _generate_totp_passcode(secret):
secret = secret + b'='
decoded = base64.b32decode(secret)
# NOTE(lhinds) This is marked as #nosec since bandit will see SHA1
# which is marked as insecure. In this instance however, keystone uses
# HMAC-SHA1 when generating the TOTP, which is currently not insecure but
# will still trigger when scanned by bandit.
totp = crypto_totp.TOTP(
decoded, 6, hashes.SHA1(), 30, backend=default_backend())
decoded, 6, hashes.SHA1(), 30, backend=default_backend()) # nosec
return totp.generate(timeutils.utcnow_ts(microsecond=True)).decode('utf-8')
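Review bot: The justification in the new comment lines is too vague to survive a later nosec audit — "currently not insecure" gives a reader no criterion for when this exception should be revisited. The concrete reason is that TOTP as specified by RFC 6238 is built on HMAC-SHA1 (6 digits, 30 s, as the call's arguments show), that HMAC's security does not rest on SHA-1's collision resistance (the property that is actually broken), and presumably that switching hashes would break interoperability with existing authenticator clients. I would replace the four comment lines with: `# NOTE(lhinds): nosec — RFC 6238 TOTP is defined over HMAC-SHA1; HMAC does not rely on SHA-1 collision resistance, and changing the hash would break compatibility with deployed authenticator clients.` The def line of _generate_totp_passcode is outside the hunk.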


@ -57,7 +57,11 @@ def primary_key_hash(keys):
"""Calculate a hash of the primary key used for encryption."""
if isinstance(keys[0], six.text_type):
keys[0] = keys[0].encode('utf-8')
return hashlib.sha1(keys[0]).hexdigest()
# NOTE(lhinds) This is marked as #nosec since bandit will see SHA1 which
# is marked as insecure. However, this hash function is used alongside
# encrypted blobs to implement HMAC-SHA1, which is currently not insecure
# but will still trigger when scanned by bandit.
return hashlib.sha1(keys[0]).hexdigest() # nosec
class Provider(core.Provider):
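Review bot: The new comment's justification does not match the line it annotates: `hashlib.sha1(keys[0]).hexdigest()` is a plain SHA-1 digest of the key bytes, not an HMAC, so "used ... to implement HMAC-SHA1" is inaccurate and a later reader auditing nosec exceptions will either distrust it or copy the wrong reasoning elsewhere. The defensible reason this use is acceptable is that the digest only fingerprints which encryption key produced a blob (per the docstring), the input is our own key rather than attacker-chosen data, so SHA-1's broken collision resistance is irrelevant and only preimage resistance matters — which protects the key only if keys[0] is high-entropy, an assumption worth stating. I would replace the four comment lines with: `# NOTE: nosec — SHA-1 here is only a fingerprint identifying which key encrypted a blob, not an integrity primitive; collision resistance is irrelevant because the input is our own key, and the key is assumed to be high-entropy random material (presumably the Fernet key — confirm), so the digest does not leak it.` The def line of primary_key_hash is outside the hunk.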


@ -64,7 +64,11 @@ class TestFernetCredentialProviderWithNullKey(unit.TestCase):
def test_encryption_with_null_key(self):
null_key = fernet_utils.NULL_KEY
null_key_hash = hashlib.sha1(null_key).hexdigest()
# NOTE(lhinds) This is marked as #nosec since bandit will see SHA1
# which is marked insecure. Keystone uses SHA1 in this case as part of
# HMAC-SHA1 which is currently not insecure but will still get
# caught when scanning with bandit.
null_key_hash = hashlib.sha1(null_key).hexdigest() # nosec
blob = uuid.uuid4().hex
encrypted_blob, primary_key_hash = self.provider.encrypt(blob)
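Review bot: The new comment repeats the HMAC-SHA1 claim, but the annotated line computes a bare `hashlib.sha1(null_key).hexdigest()` — by all appearances the same key fingerprint the provider computes — so the justification is inaccurate in the test as well and should not be the template future nosec markers copy. The honest comment is `# nosec: recomputes the provider's SHA-1 key fingerprint for comparison; SHA-1 is a key identifier here, not an integrity primitive.` Alternatively the expected value could be obtained through the provider's own hashing helper so the algorithm is not hard-coded twice, at the cost of no longer catching a silent algorithm change in the provider. The body of test_encryption_with_null_key continues past the hunk.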