Adds Bandit #nosec flag to instances of SHA1

Currently, bandit marks usages of SHA1 as insecure, which
results in false positives for instances of SHA1 in keystone.
However, keystone uses HMAC-SHA1 which is currently considered
secure as opposed to just SHA1 hashing.

This change marks a # nosec comment against the lines which
are triggering the false positives in Bandit in order to
tell bandit to avoid these instances of SHA1.

See [1] for HMAC-SHA1 discussion in keystone

[1] https://review.openstack.org/#/c/453365/

Change-Id: Ibb44db1f8727d014d186b412106d0cd4e2f4a6dd
lhinds 2017-09-01 16:46:08 +01:00 committed by Gage Hugo
parent e0a8780b63
commit 76bd54d491
3 changed files with 15 additions and 3 deletions


@ -60,8 +60,12 @@ def _generate_totp_passcode(secret):
secret = secret + b'='
decoded = base64.b32decode(secret)
# NOTE(lhinds) This is marked as #nosec since bandit will see SHA1
# which is marked as insecure. In this instance however, keystone uses
# HMAC-SHA1 when generating the TOTP, which is currently not insecure but
# will still trigger when scanned by bandit.
totp = crypto_totp.TOTP(
decoded, 6, hashes.SHA1(), 30, backend=default_backend())
decoded, 6, hashes.SHA1(), 30, backend=default_backend()) # nosec
return totp.generate(timeutils.utcnow_ts(microsecond=True)).decode('utf-8')
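Review bot: the NOTE comment should state why SHA1 cannot simply be replaced here rather than only that it "is currently not insecure". `crypto_totp.TOTP(decoded, 6, hashes.SHA1(), 30, ...)` is the HMAC-SHA1 TOTP construction of RFC 6238, which is what authenticator clients compute, and inside HMAC the hash is used as a keyed PRF, so SHA1's collision weaknesses do not apply. Suggested wording: `# HMAC-SHA1 is the TOTP algorithm of RFC 6238 and the one clients expect; HMAC does not depend on SHA1 collision resistance.` Also worth a line in the comment: Bandit matches `# nosec` against the line it reports, and the finding is on the `hashes.SHA1()` call, so the marker belongs on that continuation line rather than on the `totp =` line if this call is ever reformatted.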


@ -57,7 +57,11 @@ def primary_key_hash(keys):
"""Calculate a hash of the primary key used for encryption."""
if isinstance(keys[0], six.text_type):
keys[0] = keys[0].encode('utf-8')
return hashlib.sha1(keys[0]).hexdigest()
# NOTE(lhinds) This is marked as #nosec since bandit will see SHA1 which
# is marked as insecure. However, this hash function is used alongside
# encrypted blobs to implement HMAC-SHA1, which is currently not insecure
# but will still trigger when scanned by bandit.
return hashlib.sha1(keys[0]).hexdigest() # nosec
class Provider(core.Provider):
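Review bot: the justification in the NOTE comment does not match the line it annotates. `hashlib.sha1(keys[0]).hexdigest()` is a plain SHA1 digest of the primary key, not an HMAC, and nothing in `primary_key_hash` combines it with an encrypted blob. Per the docstring the value is "a hash of the primary key used for encryption", i.e. a key identifier, so the comment should justify the suppression on those grounds (what the identifier is used for and which property of SHA1 it actually relies on) instead of by reference to HMAC-SHA1, e.g. `# SHA1 here only derives an identifier for the key; it is not used for integrity or signing.` Separately, `keys[0] = keys[0].encode('utf-8')` mutates the caller's list in place; pre-existing, but worth a follow-up.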


@ -64,7 +64,11 @@ class TestFernetCredentialProviderWithNullKey(unit.TestCase):
def test_encryption_with_null_key(self):
null_key = fernet_utils.NULL_KEY
null_key_hash = hashlib.sha1(null_key).hexdigest()
# NOTE(lhinds) This is marked as #nosec since bandit will see SHA1
# which is marked insecure. Keystone uses SHA1 in this case as part of
# HMAC-SHA1 which is currently not insecure but will still get
# caught when scanning with bandit.
null_key_hash = hashlib.sha1(null_key).hexdigest() # nosec
blob = uuid.uuid4().hex
encrypted_blob, primary_key_hash = self.provider.encrypt(blob)
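Review bot: same inaccuracy as in `primary_key_hash`: `hashlib.sha1(null_key).hexdigest()` in this test is a plain SHA1 of `NULL_KEY`, computed so that it can be compared against the `primary_key_hash` returned by `self.provider.encrypt(blob)`; it is not part of an HMAC. The comment should say that the test deliberately mirrors the provider's own hash, or simply point at the comment in the provider rather than restating a different rationale. The `# nosec` itself is fine.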