Adds Bandit #nosec flag to instances of SHA1

Currently, bandit marks usages of SHA1 as insecure, which results in false positives for instances of SHA1 in keystone. However, keystone uses HMAC-SHA1 which is currently considered secure as opposed to just SHA1 hashing. This change marks a # nosec comment against the lines which are triggering the false positives in Bandit in order to tell bandit to avoid these instances of SHA1. See [1] for HMAC-SHA1 discussion in keystone [1] https://review.openstack.org/#/c/453365/ Change-Id: Ibb44db1f8727d014d186b412106d0cd4e2f4a6dd
2017-09-01 16:46:08 +01:00 · 2017-09-01 16:46:08 +01:00 · 76bd54d491
commit 76bd54d491
parent e0a8780b63
3 changed files with 15 additions and 3 deletions
--- a/keystone/auth/plugins/totp.py
+++ b/keystone/auth/plugins/totp.py
@ -60,8 +60,12 @@ def _generate_totp_passcode(secret):
        secret = secret + b'='

    decoded = base64.b32decode(secret)
+    # NOTE(lhinds) This is marked as #nosec since bandit will see SHA1
+    # which is marked as insecure. In this instance however, keystone uses
+    # HMAC-SHA1 when generating the TOTP, which is currently not insecure but
+    # will still trigger when scanned by bandit.
    totp = crypto_totp.TOTP(
-        decoded, 6, hashes.SHA1(), 30, backend=default_backend())
+        decoded, 6, hashes.SHA1(), 30, backend=default_backend())  # nosec
    return totp.generate(timeutils.utcnow_ts(microsecond=True)).decode('utf-8')


--- a/keystone/credential/providers/fernet/core.py
+++ b/keystone/credential/providers/fernet/core.py
@ -57,7 +57,11 @@ def primary_key_hash(keys):
    """Calculate a hash of the primary key used for encryption."""
    if isinstance(keys[0], six.text_type):
        keys[0] = keys[0].encode('utf-8')
-    return hashlib.sha1(keys[0]).hexdigest()
+    # NOTE(lhinds) This is marked as #nosec since bandit will see SHA1 which
+    # is marked as insecure. However, this hash function is used alongside
+    # encrypted blobs to implement HMAC-SHA1, which is currently not insecure
+    # but will still trigger when scanned by bandit.
+    return hashlib.sha1(keys[0]).hexdigest()  # nosec


 class Provider(core.Provider):
--- a/keystone/tests/unit/credential/test_fernet_provider.py
+++ b/keystone/tests/unit/credential/test_fernet_provider.py
@ -64,7 +64,11 @@ class TestFernetCredentialProviderWithNullKey(unit.TestCase):

    def test_encryption_with_null_key(self):
        null_key = fernet_utils.NULL_KEY
-        null_key_hash = hashlib.sha1(null_key).hexdigest()
+        # NOTE(lhinds) This is marked as #nosec since bandit will see SHA1
+        # which is marked insecure. Keystone uses SHA1 in this case as part of
+        # HMAC-SHA1 which is currently not insecure but will still get
+        # caught when scanning with bandit.
+        null_key_hash = hashlib.sha1(null_key).hexdigest()  # nosec

        blob = uuid.uuid4().hex
        encrypted_blob, primary_key_hash = self.provider.encrypt(blob)