diff --git a/docker/kolla-toolbox/find_disks.py b/docker/kolla-toolbox/find_disks.py
index d1a6055f06..3a7fa4602c 100644
--- a/docker/kolla-toolbox/find_disks.py
+++ b/docker/kolla-toolbox/find_disks.py
@@ -67,7 +67,7 @@ EXAMPLES = '''
 import json
 import pyudev
 import re
-import subprocess
+import subprocess # nosec
 def get_id_part_entry_name(dev):
@@ -84,7 +84,10 @@ def get_id_part_entry_name(dev):
 part = re.sub(r'.*[^\d]', '', dev.device_node)
 parent = dev.find_parent('block').device_node
 # NOTE(Mech422): Need to use -i as -p truncates the partition name
- out = subprocess.Popen(['/usr/sbin/sgdisk', '-i', part, parent],
+ # TODO(pbourke): Consider some form of validation to be performed on
+ # part/parent [0]
+ out = subprocess.Popen(['/usr/sbin/sgdisk', '-i', part, # nosec [0]
+ parent],
 stdout=subprocess.PIPE).communicate()
 match = re.search(r'Partition name: \'(\w+)\'', out[0])
 if match:
diff --git a/docker/kolla-toolbox/kolla_sanity.py b/docker/kolla-toolbox/kolla_sanity.py
index d2d2d4e481..b950204f40 100644
--- a/docker/kolla-toolbox/kolla_sanity.py
+++ b/docker/kolla-toolbox/kolla_sanity.py
@@ -22,6 +22,7 @@
 # in upstream shade we will be able to use more of the shade module. Until then
 # if we want to be 'stable' we really need to be using it as a passthrough
+import tempfile
 import traceback
 import shade
@@ -34,9 +35,9 @@ class SanityChecks(object):
 @staticmethod
 def glance(cloud):
- open("/tmp/blank.qcow2", 'a').close()
- cloud.create_image("test", filename="/tmp/blank.qcow2",
- disk_format="qcow2", container_format="bare")
+ with tempfile.NamedTemporaryfile(suffix='qcow2') as image:
+ cloud.create_image("test", filename=image.name,
+ disk_format="qcow2", container_format="bare")
 testid = cloud.get_image_id("test")
 cloud.delete_image(testid)
diff --git a/docker/neutron/neutron-base/ip_wrapper.py b/docker/neutron/neutron-base/ip_wrapper.py
index b7c77c3d11..3496be768f 100644
--- a/docker/neutron/neutron-base/ip_wrapper.py
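Review bot: The `# nosec [0]` on the `out = subprocess.Popen([...` line is defensible because the call uses an argv list and never a shell, but the TODO above it can already be answered from visible code: the `re.sub(r'.*[^\d]', '', dev.device_node)` two lines up strips everything through the last non-digit, so `part` is digits-only, and the only unchecked case is the empty string when the device node ends in a letter, which makes sgdisk run with `-i ''`. The child's exit status is also discarded by `.communicate()`, so a failing sgdisk yields empty output and the `re.search` on `out[0]` silently finds nothing. I'd replace the TODO with `# NOTE: argv form (no shell); part is digits-only via the re.sub above, parent is udev's device_node` and add `if not part:` returning whatever the no-match path of this function returns, which lies outside the hunk.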
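Review bot: `tempfile.NamedTemporaryfile` on the new `with` line in `SanityChecks.glance` is misspelled; the stdlib name is `tempfile.NamedTemporaryFile`, so the check now raises `AttributeError` before `create_image` is ever called. The suffix also lost its dot relative to the old `/tmp/blank.qcow2` name; if anything downstream infers the format from the extension, use `suffix='.qcow2'`. Proposed line: `with tempfile.NamedTemporaryFile(suffix='.qcow2') as image:`. The temporary file is removed when the `with` block exits, which is fine here because the following `get_image_id` and `delete_image` calls do not read it.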
+++ b/docker/neutron/neutron-base/ip_wrapper.py
@@ -24,7 +24,7 @@
 # at this time. Once Docker updates with this feature we will usre this again.
 import nsenter
-import subprocess
+import subprocess # nosec
 import sys
@@ -36,7 +36,7 @@ def host_mnt_exec(cmd):
 '1', 'mnt', proc='/var/lib/kolla/host_proc/'))
- process_ = subprocess.Popen(cmd)
+ process_ = subprocess.Popen(cmd) # nosec
 except Exception as e:
 print(
@@ -64,5 +64,5 @@ else:
 if len(sys.argv) == 2:
 cmd = cmd + sys.argv[1:]
-process_ = subprocess.Popen(cmd)
+process_ = subprocess.Popen(cmd) # nosec
 sys.exit(process_.returncode)
diff --git a/docker/rabbitmq/rabbitmq_get_gospel_node.py b/docker/rabbitmq/rabbitmq_get_gospel_node.py
index 4ab7dee9f8..9f40c92ace 100644
--- a/docker/rabbitmq/rabbitmq_get_gospel_node.py
+++ b/docker/rabbitmq/rabbitmq_get_gospel_node.py
@@ -13,7 +13,7 @@
 # limitations under the License.
 import json
-import subprocess
+import subprocess # nosec
 import traceback
@@ -23,9 +23,11 @@ def extract_gospel_node(term):
 def main():
 try:
+ # TODO(pbourke): see if can get gospel node without requiring shell
 raw_status = subprocess.check_output(
- "rabbitmqctl eval 'rabbit_clusterer:status().'",
- shell=True, stderr=subprocess.STDOUT
+ "/usr/sbin/rabbitmqctl eval 'rabbit_clusterer:status().'",
+ shell=True, stderr=subprocess.STDOUT # nosec: this command appears
+ # to require a shell to work
 )
 if "Rabbit is running in cluster configuration" not in raw_status:
 raise AttributeError
diff --git a/docker/swift/swift-base/build-swift-ring.py b/docker/swift/swift-base/build-swift-ring.py
index 7889ad4754..ca42205f8e 100644
--- a/docker/swift/swift-base/build-swift-ring.py
+++ b/docker/swift/swift-base/build-swift-ring.py
@@ -19,7 +19,7 @@ This script is a simple wrapper used to create and rebalance Swift ring files.
 """
 import argparse
-import subprocess
+import subprocess # nosec
 import sys
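Review bot: In the `@@ -64,5 +64,5 @@` hunk, `sys.exit(process_.returncode)` runs right after `process_ = subprocess.Popen(cmd) # nosec` without waiting, and `Popen.returncode` is `None` until the child has been waited on, so the wrapper exits 0 regardless of what the child returned. The minimal fix is `sys.exit(process_.wait())`, which keeps the `# nosec` justified because `cmd` is still an argv list. The `process_` created inside `host_mnt_exec` in the `@@ -36,7 +36,7 @@` hunk looks like the same pattern, but where it is consumed lies outside the hunk. Unlike the `run_cmd` change in build-swift-ring.py, neither `# nosec` here says why the call is acceptable; a one-liner such as `# nosec: argv list, no shell` on each would match that style.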
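Review bot: The `# nosec` comment on the `shell=True, stderr=subprocess.STDOUT` line says the command appears to require a shell, but the string is a constant and the single quotes in it are only shell quoting, so `subprocess.check_output(['/usr/sbin/rabbitmqctl', 'eval', 'rabbit_clusterer:status().'], stderr=subprocess.STDOUT)` hands rabbitmqctl the same three arguments without going through `/bin/sh`. That would close the TODO on the first added line and remove the need for the `# nosec` entirely. If the rabbitmqctl wrapper really does depend on something the shell provides, the comment should name it rather than say "appears". Separately, the suppression comment sits on the third line of a multi-line call and wraps onto a fourth; check that the bandit version pinned for tox matches `nosec` against that line rather than the `raw_status = subprocess.check_output(` line, otherwise the finding is not actually suppressed.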
@@ -54,7 +54,10 @@ def setup_args():
 def run_cmd(cmd):
 print(' '.join(cmd))
- subprocess.call(cmd)
+ # NOTE(sdake): [0] we expect Operators to run this command and for their
+ # environment to be properly secured. Since this is not a network
+ # facing tool, there is no risk of untrusted input.
+ subprocess.call(cmd) # nosec [0]
 def run(args):
diff --git a/kolla/cmd/genpwd.py b/kolla/cmd/genpwd.py
index 5ea950d167..fd15fbf583 100755
--- a/kolla/cmd/genpwd.py
+++ b/kolla/cmd/genpwd.py
@@ -22,7 +22,7 @@ import yaml
 from Crypto.PublicKey import RSA
-def generate_RSA(bits=2048):
+def generate_RSA(bits=4096):
 new_key = RSA.generate(bits, os.urandom)
 private_key = new_key.exportKey("PEM")
 public_key = new_key.publickey().exportKey("OpenSSH")
@@ -52,7 +52,7 @@ def main():
 length = 40
 with open(passwords_file, 'r') as f:
- passwords = yaml.load(f.read())
+ passwords = yaml.safe_load(f.read())
 for k, v in passwords.items():
 if (k in ssh_keys and
diff --git a/tools/validate-yaml.py b/tools/validate-yaml.py
index c4e4326d96..6df84ff07d 100755
--- a/tools/validate-yaml.py
+++ b/tools/validate-yaml.py
@@ -32,7 +32,7 @@ def main():
 for filename in args.input:
 with open(filename) as fd:
 try:
- yaml.load(fd)
+ yaml.safe_load(fd)
 except yaml.error.YAMLError as error:
 res = 1
 logging.error('%s failed validation: %s',
diff --git a/tox.ini b/tox.ini
index aabd118ae4..d627b630f2 100644
--- a/tox.ini
+++ b/tox.ini
@@ -26,7 +26,7 @@ commands = {toxinidir}/tools/validate-all-dockerfiles.sh
 [testenv:bandit]
-commands = bandit -r ansible/library dev docker kolla tests tools
+commands = bandit -r ansible/library docker kolla tests tools
 [testenv:venv]
 commands = {posargs}
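Review bot: `subprocess.call(cmd) # nosec [0]` in `run_cmd` still discards the exit status, so a failing ring command (whatever `cmd` names, it is built outside the hunk) is printed and then ignored and `run` carries on with the next step on a possibly broken ring; the NOTE(sdake) justification covers input trust, not error handling. `subprocess.check_call(cmd) # nosec [0]` keeps the same argv-list call but raises `CalledProcessError` on a non-zero exit, which is the behaviour an operator-run wrapper should have. The NOTE itself is a good model for a `# nosec` justification and is worth copying to the other suppression sites in this change.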
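Review bot: `passwords = yaml.safe_load(f.read())` returns `None` for an empty or comment-only passwords file, and the `for k, v in passwords.items()` loop on the next context line then fails with `AttributeError` rather than a readable message. `safe_load` also accepts the open stream directly, so `passwords = yaml.safe_load(f) or {}` drops the needless `read()` and makes an empty file mean "nothing to generate"; if an empty file should instead be rejected, raise an explicit error naming the file. The move to `safe_load` is the right choice for an operator-edited YAML file; `main` continues outside the hunk.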
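Review bot: `yaml.safe_load(fd)` parses exactly one document, so a file with several `---`-separated documents raises `ComposerError`, a `YAMLError` subclass, and is reported on the `logging.error` line as a validation failure. If every file this tool checks is single-document that strictness is fine and deserves a comment such as `# single-document YAML only; multi-document files are reported as failures`; if multi-document files are legitimate, `list(yaml.safe_load_all(fd))` parses all of them. Replacing `yaml.load` is correct for a tool run over repository files; `main` continues outside the hunk.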
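Review bot: Dropping `dev` from the bandit `-r` path list in `[testenv:bandit]` narrows what the scan covers, and nothing in the diff says why. If that directory no longer exists bandit would error on it and removing it is right, but that reason belongs in the commit message or in an inline `# dev/ no longer exists` comment next to the line; if `dev` still holds Python, the `# nosec` annotations added elsewhere in this change suggest the intent was to address findings, not to take a tree out of the scan.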