Merge "Fix bandit gate jobs"

2016-08-28 15:51:00 +00:00 · 2016-08-28 15:51:00 +00:00 · 1fd2d434b1
commit 1fd2d434b1
parent 1b806b66e4 fc30d583f9
8 changed files with 26 additions and 17 deletions
--- a/docker/kolla-toolbox/find_disks.py
+++ b/docker/kolla-toolbox/find_disks.py
@ -67,7 +67,7 @@ EXAMPLES = '''
 import json
 import pyudev
 import re
-import subprocess
+import subprocess  # nosec


 def get_id_part_entry_name(dev):
@ -84,7 +84,10 @@ def get_id_part_entry_name(dev):
        part = re.sub(r'.*[^\d]', '', dev.device_node)
        parent = dev.find_parent('block').device_node
        # NOTE(Mech422): Need to use -i as -p truncates the partition name
-        out = subprocess.Popen(['/usr/sbin/sgdisk', '-i', part, parent],
+        # TODO(pbourke): Consider some form of validation to be performed on
+        #                part/parent [0]
+        out = subprocess.Popen(['/usr/sbin/sgdisk', '-i', part,  # nosec [0]
+                                parent],
                               stdout=subprocess.PIPE).communicate()
        match = re.search(r'Partition name: \'(\w+)\'', out[0])
        if match:
--- a/docker/kolla-toolbox/kolla_sanity.py
+++ b/docker/kolla-toolbox/kolla_sanity.py
@ -22,6 +22,7 @@
 # in upstream shade we will be able to use more of the shade module. Until then
 # if we want to be 'stable' we really need to be using it as a passthrough

+import tempfile
 import traceback

 import shade
@ -34,9 +35,9 @@ class SanityChecks(object):

    @staticmethod
    def glance(cloud):
-        open("/tmp/blank.qcow2", 'a').close()
-        cloud.create_image("test", filename="/tmp/blank.qcow2",
-                           disk_format="qcow2", container_format="bare")
+        with tempfile.NamedTemporaryfile(suffix='qcow2') as image:
+            cloud.create_image("test", filename=image.name,
+                               disk_format="qcow2", container_format="bare")
        testid = cloud.get_image_id("test")
        cloud.delete_image(testid)

--- a/docker/neutron/neutron-base/ip_wrapper.py
+++ b/docker/neutron/neutron-base/ip_wrapper.py
@ -24,7 +24,7 @@
 # at this time. Once Docker updates with this feature we will usre this again.

 import nsenter
-import subprocess
+import subprocess  # nosec
 import sys


@ -36,7 +36,7 @@ def host_mnt_exec(cmd):
                    '1',
                    'mnt',
                    proc='/var/lib/kolla/host_proc/'))
-            process_ = subprocess.Popen(cmd)
+            process_ = subprocess.Popen(cmd)  # nosec

    except Exception as e:
        print(
@ -64,5 +64,5 @@ else:
    if len(sys.argv) == 2:
        cmd = cmd + sys.argv[1:]

-process_ = subprocess.Popen(cmd)
+process_ = subprocess.Popen(cmd)  # nosec
 sys.exit(process_.returncode)
--- a/docker/rabbitmq/rabbitmq_get_gospel_node.py
+++ b/docker/rabbitmq/rabbitmq_get_gospel_node.py
@ -13,7 +13,7 @@
 # limitations under the License.

 import json
-import subprocess
+import subprocess  # nosec
 import traceback


@ -23,9 +23,11 @@ def extract_gospel_node(term):

 def main():
    try:
+        # TODO(pbourke): see if can get gospel node without requiring shell
        raw_status = subprocess.check_output(
-            "rabbitmqctl eval 'rabbit_clusterer:status().'",
-            shell=True, stderr=subprocess.STDOUT
+            "/usr/sbin/rabbitmqctl eval 'rabbit_clusterer:status().'",
+            shell=True, stderr=subprocess.STDOUT  # nosec: this command appears
+                                                  # to require a shell to work
        )
        if "Rabbit is running in cluster configuration" not in raw_status:
            raise AttributeError
--- a/docker/swift/swift-base/build-swift-ring.py
+++ b/docker/swift/swift-base/build-swift-ring.py
@ -19,7 +19,7 @@ This script is a simple wrapper used to create and rebalance Swift ring files.
 """

 import argparse
-import subprocess
+import subprocess  # nosec
 import sys


@ -54,7 +54,10 @@ def setup_args():

 def run_cmd(cmd):
    print(' '.join(cmd))
-    subprocess.call(cmd)
+    # NOTE(sdake): [0] we expect Operators to run this command and for their
+    # environment to be properly secured.  Since this is not a network
+    # facing tool, there is no risk of untrusted input.
+    subprocess.call(cmd)  # nosec [0]


 def run(args):
--- a/kolla/cmd/genpwd.py
+++ b/kolla/cmd/genpwd.py
@ -22,7 +22,7 @@ import yaml
 from Crypto.PublicKey import RSA


-def generate_RSA(bits=2048):
+def generate_RSA(bits=4096):
    new_key = RSA.generate(bits, os.urandom)
    private_key = new_key.exportKey("PEM")
    public_key = new_key.publickey().exportKey("OpenSSH")
@ -52,7 +52,7 @@ def main():
    length = 40

    with open(passwords_file, 'r') as f:
-        passwords = yaml.load(f.read())
+        passwords = yaml.safe_load(f.read())

    for k, v in passwords.items():
        if (k in ssh_keys and
--- a/tools/validate-yaml.py
+++ b/tools/validate-yaml.py
@ -32,7 +32,7 @@ def main():
    for filename in args.input:
        with open(filename) as fd:
            try:
-                yaml.load(fd)
+                yaml.safe_load(fd)
            except yaml.error.YAMLError as error:
                res = 1
                logging.error('%s failed validation: %s',
--- a/tox.ini
+++ b/tox.ini
@ -26,7 +26,7 @@ commands =
  {toxinidir}/tools/validate-all-dockerfiles.sh

 [testenv:bandit]
-commands = bandit -r ansible/library dev docker kolla tests tools
+commands = bandit -r ansible/library docker kolla tests tools

 [testenv:venv]
 commands = {posargs}