Stop using bandit-baseline

bandit-baseline finds *new* issues introduced in a commit, by comparing results between two git commits. If the git repository has uncommitted changes, bandit-baseline refuses to run. This switches over to using plain bandit instead of bandit-baseline, and resolves or stifles existing bandit errors so we have a clean run. These updates apply to bandit running as part of `tox -e pep8` or `tox -e bandit`. * Have bandit runs from tox ignore the octavia/tests directory * Resolve several instances of `B701 jinja2_autoescape_false` * Stifle several instances of `B303 md5` * Resolve two instances of `B104 hardcoded_bind_all_interfaces` * Stifle one instance of `B104 hardcoded_bind_all_interfaces` (see https://bugs.launchpad.net/octavia/+bug/1489963) Closes-Bug: #1621251 Related-Bug: #1489963 Change-Id: Iad3cbe5762949a6311bdd361b1f12c5a24c40633
2016-09-07 21:30:38 +00:00 · 2016-09-07 21:30:38 +00:00 · e291a88210
parent ae870759b8
commit e291a88210
11 changed files with 18 additions and 15 deletions
--- a/etc/octavia.conf
+++ b/etc/octavia.conf
@ -3,7 +3,7 @@
 # verbose = False
 # Print debugging output (set logging level to DEBUG instead of default WARNING level).
 # debug = False
-# bind_host = 0.0.0.0
+# bind_host = 127.0.0.1
 # bind_port = 9876
 # api_handler = queue_producer
 #
@ -30,7 +30,7 @@
 # configuration file.

 [health_manager]
-# bind_ip = 0.0.0.0
+# bind_ip = 127.0.0.1
 # bind_port = 5555
 # controller_ip_port_list example: 127.0.0.1:5555, 127.0.0.1:5555
 # controller_ip_port_list =
--- a/octavia/amphorae/backends/agent/agent_jinja_cfg.py
+++ b/octavia/amphorae/backends/agent/agent_jinja_cfg.py
@ -33,7 +33,7 @@ class AgentJinjaTemplater(object):
    def __init__(self):
        template_loader = jinja2.FileSystemLoader(searchpath=os.path.dirname(
            TEMPLATES_DIR))
-        jinja_env = jinja2.Environment(loader=template_loader)
+        jinja_env = jinja2.Environment(loader=template_loader, autoescape=True)
        self.agent_template = jinja_env.get_template(
            constants.AGENT_CONF_TEMPLATE)

--- a/octavia/amphorae/backends/agent/api_server/keepalived.py
+++ b/octavia/amphorae/backends/agent/api_server/keepalived.py
@ -29,7 +29,7 @@ BUFFER = 100

 LOG = logging.getLogger(__name__)

-j2_env = jinja2.Environment(loader=jinja2.FileSystemLoader(
+j2_env = jinja2.Environment(autoescape=True, loader=jinja2.FileSystemLoader(
    os.path.dirname(os.path.realpath(__file__)) + consts.AGENT_API_TEMPLATES))
 template = j2_env.get_template(consts.KEEPALIVED_CONF)
 check_script_template = j2_env.get_template(consts.CHECK_SCRIPT_CONF)
--- a/octavia/amphorae/backends/agent/api_server/listener.py
+++ b/octavia/amphorae/backends/agent/api_server/listener.py
@ -38,6 +38,7 @@ UPSTART_CONF = 'upstart.conf.j2'
 SYSVINIT_CONF = 'sysvinit.conf.j2'

 JINJA_ENV = jinja2.Environment(
+    autoescape=True,
    loader=jinja2.FileSystemLoader(os.path.dirname(
        os.path.realpath(__file__)
    ) + consts.AGENT_API_TEMPLATES))
@ -53,7 +54,7 @@ class ParsingError(Exception):
 class Wrapped(object):
    def __init__(self, stream_):
        self.stream = stream_
-        self.hash = hashlib.md5()
+        self.hash = hashlib.md5()  # nosec

    def read(self, l):
        block = self.stream.read(l)
@ -79,7 +80,7 @@ def get_haproxy_config(listener_id):
    with open(util.config_path(listener_id), 'r') as file:
        cfg = file.read()
        resp = flask.Response(cfg, mimetype='text/plain', )
-        resp.headers['ETag'] = hashlib.md5(six.b(cfg)).hexdigest()
+        resp.headers['ETag'] = hashlib.md5(six.b(cfg)).hexdigest()  # nosec
        return resp


@ -346,7 +347,7 @@ def get_certificate_md5(listener_id, filename):

    with open(cert_path, 'r') as crt_file:
        cert = crt_file.read()
-        md5 = hashlib.md5(six.b(cert)).hexdigest()
+        md5 = hashlib.md5(six.b(cert)).hexdigest()  # nosec
        resp = flask.jsonify(dict(md5sum=md5))
        resp.headers['ETag'] = md5
        return resp
--- a/octavia/amphorae/backends/agent/api_server/plug.py
+++ b/octavia/amphorae/backends/agent/api_server/plug.py
@ -42,7 +42,7 @@ ETH_X_PORT_CONF = 'plug_port_ethX.conf.j2'

 LOG = logging.getLogger(__name__)

-j2_env = jinja2.Environment(loader=jinja2.FileSystemLoader(
+j2_env = jinja2.Environment(autoescape=True, loader=jinja2.FileSystemLoader(
    os.path.dirname(os.path.realpath(__file__)) + consts.AGENT_API_TEMPLATES))
 template_port = j2_env.get_template(ETH_X_PORT_CONF)
 template_vip = j2_env.get_template(ETH_X_VIP_CONF)
--- a/octavia/amphorae/drivers/haproxy/rest_api_driver.py
+++ b/octavia/amphorae/drivers/haproxy/rest_api_driver.py
@ -188,7 +188,7 @@ class HaproxyAmphoraLoadBalancerDriver(

        for cert in certs:
            pem = cert_parser.build_pem(cert)
-            md5 = hashlib.md5(six.b(pem)).hexdigest()
+            md5 = hashlib.md5(six.b(pem)).hexdigest()  # nosec
            name = '{cn}.pem'.format(cn=cert.primary_cn)
            self._apply(self._upload_cert, listener, pem, md5, name)

--- a/octavia/amphorae/drivers/keepalived/jinja/jinja_cfg.py
+++ b/octavia/amphorae/drivers/keepalived/jinja/jinja_cfg.py
@ -48,6 +48,7 @@ class KeepalivedJinjaTemplater(object):
            template_loader = jinja2.FileSystemLoader(
                searchpath=os.path.dirname(template_file))
            self._jinja_env = jinja2.Environment(
+                autoescape=True,
                loader=template_loader,
                trim_blocks=True,
                lstrip_blocks=True)
--- a/octavia/common/config.py
+++ b/octavia/common/config.py
@ -30,7 +30,7 @@ from octavia import version
 LOG = logging.getLogger(__name__)

 core_opts = [
-    cfg.IPOpt('bind_host', default='0.0.0.0',
+    cfg.IPOpt('bind_host', default='127.0.0.1',
              help=_("The host IP to bind to")),
    cfg.PortOpt('bind_port', default=9876,
                help=_("The port to bind to")),
@ -93,7 +93,7 @@ networking_opts = [
 ]

 healthmanager_opts = [
-    cfg.IPOpt('bind_ip', default='0.0.0.0',
+    cfg.IPOpt('bind_ip', default='127.0.0.1',
              help=_('IP address the controller will listen on for '
                     'heart beats')),
    cfg.PortOpt('bind_port', default=5555,
@ -169,7 +169,7 @@ haproxy_amphora_opts = [
                      'suffixes.  Example: 10k')),

    # REST server
-    cfg.IPOpt('bind_host', default='0.0.0.0',
+    cfg.IPOpt('bind_host', default='0.0.0.0',  # nosec
              help=_("The host IP to bind to")),
    cfg.PortOpt('bind_port', default=9443,
                help=_("The port to bind to")),
--- a/octavia/common/jinja/haproxy/jinja_cfg.py
+++ b/octavia/common/jinja/haproxy/jinja_cfg.py
@ -107,6 +107,7 @@ class JinjaTemplater(object):
            template_loader = jinja2.FileSystemLoader(
                searchpath=os.path.dirname(self.haproxy_template))
            JINJA_ENV = jinja2.Environment(
+                autoescape=True,
                loader=template_loader,
                trim_blocks=True,
                lstrip_blocks=True)
--- a/octavia/common/jinja/user_data_jinja_cfg.py
+++ b/octavia/common/jinja/user_data_jinja_cfg.py
@ -33,7 +33,7 @@ class UserDataJinjaCfg(object):
    def __init__(self):
        template_loader = jinja2.FileSystemLoader(searchpath=os.path.dirname(
            TEMPLATES_DIR))
-        jinja_env = jinja2.Environment(loader=template_loader)
+        jinja_env = jinja2.Environment(autoescape=True, loader=template_loader)
        self.agent_template = jinja_env.get_template(
            constants.USER_DATA_CONFIG_DRIVE_TEMPLATE)

--- a/tox.ini
+++ b/tox.ini
@ -41,7 +41,7 @@ commands = flake8
           doc8 specs doc/source octavia \
           CONSTITUTION.rst HACKING.rst README.rst
 	   # Run security linter
-           bandit-baseline -r octavia -ll -ii
+           bandit -r octavia -ll -ii -x octavia/tests

 [testenv:docs]
 commands =
@ -68,7 +68,7 @@ commands =


 [testenv:bandit]
-commands = bandit-baseline -r octavia -ll -ii
+commands = bandit -r octavia -ll -ii -x octavia/tests {posargs}

 [flake8]
 # Ignoring O321 because it's unnecessarily restricting use of json package.