From aebecbffcb7149756dcab9bc00dd85f6e1e6bb88 Mon Sep 17 00:00:00 2001 From: Steven Dake Date: Wed, 8 Apr 2015 10:18:24 -0700 Subject: [PATCH] Add Bandit security lint checking via tox The idea is to make the codebase gate on Bandit. Bandit is produced by the OpenStack security team to do static code analysis for security implementation failures. It tests the code base for ~30 common security problems in Python with more to come. run with: tox -e bandit Partially-Implements: blueprint gate-bandit Change-Id: Iade9936268a539384d6067104f02f9a9001c3627 --- bandit.yaml | 134 ++++++++++++++++++++++++++++++++++++++++++++++++++++ tox.ini | 4 ++ 2 files changed, 138 insertions(+) create mode 100644 bandit.yaml diff --git a/bandit.yaml b/bandit.yaml new file mode 100644 index 0000000000..2eff4ae233 --- /dev/null +++ b/bandit.yaml @@ -0,0 +1,134 @@ +# optional: after how many files to update progress +#show_progress_every: 100 + +# optional: plugins directory name +#plugins_dir: 'plugins' + +# optional: plugins discovery name pattern +plugin_name_pattern: '*.py' + +# optional: terminal escape sequences to display colors +#output_colors: +# DEFAULT: '\033[0m' +# HEADER: '\033[95m' +# INFO: '\033[94m' +# WARN: '\033[93m' +# ERROR: '\033[91m' + +# optional: log format string +#log_format: "[%(module)s]\t%(levelname)s\t%(message)s" + +# globs of files which should be analyzed +include: + - '*.py' + - '*.pyw' + +# a list of strings, which if found in the path will cause files to be excluded +# for example /tests/ - to remove all all files in tests directory +exclude_dirs: + - '/tests/' + +profiles: + magnum_conservative: + include: + - blacklist_functions + - blacklist_imports + - request_with_no_cert_validation + - exec_used + - set_bad_file_permissions + - subprocess_popen_with_shell_equals_true + - linux_commands_wildcard_injection + - ssl_with_bad_version + + + magnum_verbose: + include: + - blacklist_functions + - blacklist_imports + - request_with_no_cert_validation + - exec_used + - set_bad_file_permissions + - hardcoded_tmp_directory + - subprocess_popen_with_shell_equals_true + - any_other_function_with_shell_equals_true + - linux_commands_wildcard_injection + - ssl_with_bad_version + - ssl_with_bad_defaults + +blacklist_functions: + bad_name_sets: + - pickle: + qualnames: [pickle.loads, pickle.load, pickle.Unpickler, + cPickle.loads, cPickle.load, cPickle.Unpickler] + message: "Pickle library appears to be in use, possible security issue." + - marshal: + qualnames: [marshal.load, marshal.loads] + message: "Deserialization with the marshal module is possibly dangerous." + - md5: + qualnames: [hashlib.md5] + message: "Use of insecure MD5 hash function." + - mktemp_q: + qualnames: [tempfile.mktemp] + message: "Use of insecure and deprecated function (mktemp)." + - eval: + qualnames: [eval] + message: "Use of possibly insecure function - consider using safer ast.literal_eval." + - mark_safe: + names: [mark_safe] + message: "Use of mark_safe() may expose cross-site scripting vulnerabilities and should be reviewed." + - httpsconnection: + qualnames: [httplib.HTTPSConnection] + message: "Use of HTTPSConnection does not provide security, see https://wiki.openstack.org/wiki/OSSN/OSSN-0033" + - yaml_load: + qualnames: [yaml.load] + message: "Use of unsafe yaml load. Allows instantiation of arbitrary objects. Consider yaml.safe_load()." + - urllib_urlopen: + qualnames: [urllib.urlopen, urllib.urlretrieve, urllib.URLopener, urllib.FancyURLopener, urllib2.urlopen, urllib2.Request] + message: "Audit url open for permitted schemes. Allowing use of file:/ or custom schemes is often unexpected." + +shell_injection: + # Start a process using the subprocess module, or one of its wrappers. + subprocess: [subprocess.Popen, subprocess.call, subprocess.check_call, + subprocess.check_output, utils.execute, utils.execute_with_timeout] + # Start a process with a function vulnerable to shell injection. + shell: [os.system, os.popen, os.popen2, os.popen3, os.popen4, + popen2.popen2, popen2.popen3, popen2.popen4, popen2.Popen3, + popen2.Popen4, commands.getoutput, commands.getstatusoutput] + # Start a process with a function that is not vulnerable to shell injection. + no_shell: [os.execl, os.execle, os.execlp, os.execlpe, os.execv,os.execve, + os.execvp, os.execvpe, os.spawnl, os.spawnle, os.spawnlp, + os.spawnlpe, os.spawnv, os.spawnve, os.spawnvp, os.spawnvpe, + os.startfile] + +blacklist_imports: + bad_import_sets: + - telnet: + imports: [telnetlib] + level: ERROR + message: "Telnet is considered insecure. Use SSH or some other encrypted protocol." + +hardcoded_password: + word_list: "wordlist/default-passwords" + +ssl_with_bad_version: + bad_protocol_versions: + - 'PROTOCOL_SSLv2' + - 'SSLv2_METHOD' + - 'SSLv23_METHOD' + - 'PROTOCOL_SSLv3' # strict option + - 'PROTOCOL_TLSv1' # strict option + - 'SSLv3_METHOD' # strict option + - 'TLSv1_METHOD' # strict option + +password_config_option_not_marked_secret: + function_names: + - oslo.config.cfg.StrOpt + - oslo_config.cfg.StrOpt + +execute_with_run_as_root_equals_true: + function_names: + - ceilometer.utils.execute + - cinder.utils.execute + - neutron.agent.linux.utils.execute + - nova.utils.execute + - nova.utils.trycmd diff --git a/tox.ini b/tox.ini index 8f6b237d17..16cfd5e58a 100644 --- a/tox.ini +++ b/tox.ini @@ -25,6 +25,10 @@ commands = flake8 [testenv:venv] commands = {posargs} +[testenv:bandit] +deps = bandit~=0.10.0 +commands = bandit -c bandit.yaml -r magnum -n5 -p magnum_conservative + [testenv:cover] commands = python setup.py testr --coverage --testr-args='{posargs}'