Enable subprocess_without_shell_equals_true Bandit test
The subprocess_without_shell_equals_true test checks that subprocess is called because it can easily be used incorrectly. The current use is correct since it passes a list rather than a command string. Change-Id: Ia31b1911547560e245cd1ae0c91cf7789146424f
This commit is contained in:
Brant Knudson
parent
2fd0f65712
commit
61397486a3
|
|
@ -74,10 +74,7 @@ profiles:
|
|||
- request_with_no_cert_validation
|
||||
- set_bad_file_permissions
|
||||
- subprocess_popen_with_shell_equals_true
|
||||
|
||||
# TODO:
|
||||
# - subprocess_without_shell_equals_true
|
||||
|
||||
- subprocess_without_shell_equals_true
|
||||
- start_process_with_a_shell
|
||||
- start_process_with_no_shell
|
||||
- start_process_with_partial_path
|
||||
|
|
|
|||
|
|
@ -425,7 +425,18 @@ def _sign_assertion(assertion):
|
|||
nspair={'saml': saml2.NAMESPACE,
|
||||
'xmldsig': xmldsig.NAMESPACE}))
|
||||
command_list.append(file_path)
|
||||
stdout = subprocess.check_output(command_list,
|
||||
stdout = subprocess.check_output(command_list, # nosec : The contents
|
||||
# of the command list are coming from
|
||||
# a trusted source because the
|
||||
# executable and arguments all either
|
||||
# come from the config file or are
|
||||
# hardcoded. The command list is
|
||||
# initialized earlier in this function
|
||||
# to a list and it's still a list at
|
||||
# this point in the function. There is
|
||||
# no opportunity for an attacker to
|
||||
# attempt command injection via string
|
||||
# parsing.
|
||||
stderr=subprocess.STDOUT)
|
||||
except Exception as e:
|
||||
msg = _LE('Error when signing assertion, reason: %(reason)s%(output)s')
|
||||
|
|
|
|||
Loading…
Reference in New Issue