Stop using bandit-baseline
bandit-baseline finds *new* issues introduced in a commit, by comparing results between two git commits. If the git repository has uncommitted changes, bandit-baseline refuses to run. This switches over to using plain bandit instead of bandit-baseline, and resolves or stifles existing bandit errors so we have a clean run. These updates apply to bandit running as part of `tox -e pep8` or `tox -e bandit`. * Have bandit runs from tox ignore the octavia/tests directory * Resolve several instances of `B701 jinja2_autoescape_false` * Stifle several instances of `B303 md5` * Resolve two instances of `B104 hardcoded_bind_all_interfaces` * Stifle one instance of `B104 hardcoded_bind_all_interfaces` (see https://bugs.launchpad.net/octavia/+bug/1489963) Closes-Bug: #1621251 Related-Bug: #1489963 Change-Id: Iad3cbe5762949a6311bdd361b1f12c5a24c40633
This commit is contained in:
parent
ae870759b8
commit
e291a88210
@ -3,7 +3,7 @@
|
|||
# verbose = False
|
||||
# Print debugging output (set logging level to DEBUG instead of default WARNING level).
|
||||
# debug = False
|
||||
# bind_host = 0.0.0.0
|
||||
# bind_host = 127.0.0.1
|
||||
# bind_port = 9876
|
||||
# api_handler = queue_producer
|
||||
#
|
||||
|
@ -30,7 +30,7 @@
|
|||
# configuration file.
|
||||
|
||||
[health_manager]
|
||||
# bind_ip = 0.0.0.0
|
||||
# bind_ip = 127.0.0.1
|
||||
# bind_port = 5555
|
||||
# controller_ip_port_list example: 127.0.0.1:5555, 127.0.0.1:5555
|
||||
# controller_ip_port_list =
|
||||
|
|
|
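Review bot: The sample now documents `# bind_host = 127.0.0.1` and `# bind_ip = 127.0.0.1` without saying what a loopback default implies, and for the health manager that default cannot work outside a single-host setup: the option is, per its help text, the address the controller listens on for heart beats, and amphorae sending them presumably do so from another host on the management network, so a controller bound to 127.0.0.1 receives nothing until the operator sets it. Add a comment above the `[health_manager]` bind_ip line such as `# Set to the controller's address on the management network; the loopback default only suits a single-host dev deployment`, and a parallel one for the API `bind_host`. The `controller_ip_port_list example: 127.0.0.1:5555, 127.0.0.1:5555` just below reinforces the single-host reading, so that is where the caveat belongs.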
@ -33,7 +33,7 @@ class AgentJinjaTemplater(object):
|
|||
def __init__(self):
|
||||
template_loader = jinja2.FileSystemLoader(searchpath=os.path.dirname(
|
||||
TEMPLATES_DIR))
|
||||
jinja_env = jinja2.Environment(loader=template_loader)
|
||||
jinja_env = jinja2.Environment(loader=template_loader, autoescape=True)
|
||||
self.agent_template = jinja_env.get_template(
|
||||
constants.AGENT_CONF_TEMPLATE)
|
||||
|
||||
|
|
|
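Review bot: `autoescape=True` on the environment at the replaced line silences B701 but makes Jinja HTML-entity-escape every interpolated value, and this environment renders `AGENT_CONF_TEMPLATE`, an agent configuration file rather than HTML. Any rendered value containing `&`, `<`, `>`, `"` or `'` — a password or path, if the template carries such values — will now come out as `&amp;` and friends and corrupt the generated config. If no interpolated value can contain those characters, say so where the setting is made, e.g. `# autoescape satisfies bandit B701 only; this is not an HTML template and no rendered value may contain &<>"'`; if that cannot be guaranteed, `autoescape=False  # nosec` with the same justification is the honest choice. The whole of `__init__` is visible here, but the template's variables are not, so I cannot tell which case applies.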
@ -29,7 +29,7 @@ BUFFER = 100
|
|||
|
||||
LOG = logging.getLogger(__name__)
|
||||
|
||||
j2_env = jinja2.Environment(loader=jinja2.FileSystemLoader(
|
||||
j2_env = jinja2.Environment(autoescape=True, loader=jinja2.FileSystemLoader(
|
||||
os.path.dirname(os.path.realpath(__file__)) + consts.AGENT_API_TEMPLATES))
|
||||
template = j2_env.get_template(consts.KEEPALIVED_CONF)
|
||||
check_script_template = j2_env.get_template(consts.CHECK_SCRIPT_CONF)
|
||||
|
|
|
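Review bot: `autoescape=True` on `j2_env` HTML-escapes values rendered into `KEEPALIVED_CONF` and `CHECK_SCRIPT_CONF`, which by their names are a keepalived configuration and a shell check script; there HTML escaping is neither protective nor harmless, since a quote or `&` in an interpolated value becomes an entity and alters the script text. It also does nothing against shell metacharacters in a script template, so anything rendered into the check script still needs its own validation before it gets there. Please record the intent on the line, e.g. `# not HTML templates; autoescape only satisfies bandit B701`, and confirm that no rendered value can contain HTML-significant characters. The template variables are outside this hunk.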
@ -38,6 +38,7 @@ UPSTART_CONF = 'upstart.conf.j2'
|
|||
SYSVINIT_CONF = 'sysvinit.conf.j2'
|
||||
|
||||
JINJA_ENV = jinja2.Environment(
|
||||
autoescape=True,
|
||||
loader=jinja2.FileSystemLoader(os.path.dirname(
|
||||
os.path.realpath(__file__)
|
||||
) + consts.AGENT_API_TEMPLATES))
|
||||
|
@ -53,7 +54,7 @@ class ParsingError(Exception):
|
|||
class Wrapped(object):
|
||||
def __init__(self, stream_):
|
||||
self.stream = stream_
|
||||
self.hash = hashlib.md5()
|
||||
self.hash = hashlib.md5() # nosec
|
||||
|
||||
def read(self, l):
|
||||
block = self.stream.read(l)
|
||||
|
@ -79,7 +80,7 @@ def get_haproxy_config(listener_id):
|
|||
with open(util.config_path(listener_id), 'r') as file:
|
||||
cfg = file.read()
|
||||
resp = flask.Response(cfg, mimetype='text/plain', )
|
||||
resp.headers['ETag'] = hashlib.md5(six.b(cfg)).hexdigest()
|
||||
resp.headers['ETag'] = hashlib.md5(six.b(cfg)).hexdigest() # nosec
|
||||
return resp
|
||||
|
||||
|
||||
|
@ -346,7 +347,7 @@ def get_certificate_md5(listener_id, filename):
|
|||
|
||||
with open(cert_path, 'r') as crt_file:
|
||||
cert = crt_file.read()
|
||||
md5 = hashlib.md5(six.b(cert)).hexdigest()
|
||||
md5 = hashlib.md5(six.b(cert)).hexdigest() # nosec
|
||||
resp = flask.jsonify(dict(md5sum=md5))
|
||||
resp.headers['ETag'] = md5
|
||||
return resp
|
||||
|
|
|
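Review bot: In the first hunk, `autoescape=True` on `JINJA_ENV` HTML-escapes values rendered into `UPSTART_CONF` and `SYSVINIT_CONF`, which are init scripts rather than HTML, so the change silences B701 without adding any protection against shell metacharacters in whatever is interpolated there, and it would turn a `&` or quote in a rendered value into an entity. Either confirm that every variable rendered into those templates is validated before use and note it on the line, or keep `autoescape=False  # nosec` with that reasoning. The three `# nosec` markers added in the later hunks carry no justification; bandit ignores text after the marker, so `hashlib.md5(six.b(cfg)).hexdigest()  # nosec - content checksum for change detection, not a security hash` documents why B303 is acceptable without changing what is suppressed. I am assuming md5 serves only to compare file contents, which the ETag and `get_certificate_md5` uses suggest, but the callers of `Wrapped.hash` are outside these hunks.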
@ -42,7 +42,7 @@ ETH_X_PORT_CONF = 'plug_port_ethX.conf.j2'
|
|||
|
||||
LOG = logging.getLogger(__name__)
|
||||
|
||||
j2_env = jinja2.Environment(loader=jinja2.FileSystemLoader(
|
||||
j2_env = jinja2.Environment(autoescape=True, loader=jinja2.FileSystemLoader(
|
||||
os.path.dirname(os.path.realpath(__file__)) + consts.AGENT_API_TEMPLATES))
|
||||
template_port = j2_env.get_template(ETH_X_PORT_CONF)
|
||||
template_vip = j2_env.get_template(ETH_X_VIP_CONF)
|
||||
|
|
|
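Review bot: `autoescape=True` here applies to `ETH_X_PORT_CONF` and `ETH_X_VIP_CONF`, interface configuration templates rather than HTML, so the setting exists only to satisfy B701 and a one-line comment should say so: `j2_env = jinja2.Environment(autoescape=True, loader=...)  # not HTML; autoescape set only for bandit B701`. Values such as addresses and MAC strings are unlikely to contain `&<>"'`, but if one ever did it would be rendered as an HTML entity and break the generated file. The template variables are not visible in this hunk, so that assumption is worth confirming.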
@ -188,7 +188,7 @@ class HaproxyAmphoraLoadBalancerDriver(
|
|||
|
||||
for cert in certs:
|
||||
pem = cert_parser.build_pem(cert)
|
||||
md5 = hashlib.md5(six.b(pem)).hexdigest()
|
||||
md5 = hashlib.md5(six.b(pem)).hexdigest() # nosec
|
||||
name = '{cn}.pem'.format(cn=cert.primary_cn)
|
||||
self._apply(self._upload_cert, listener, pem, md5, name)
|
||||
|
||||
|
|
|
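Review bot: The `# nosec` on the md5 line should state why B303 is acceptable; the digest is handed to `self._upload_cert` alongside the PEM, which suggests it identifies the certificate to the amphora or decides whether an upload is needed rather than guaranteeing integrity, but that is inferred from the call, not visible here. Suggest `md5 = hashlib.md5(six.b(pem)).hexdigest()  # nosec - cert change detection, not a security hash`. The same computation exists on the amphora side in `get_certificate_md5`, so a note that the two must stay in lockstep would stop someone changing one without the other. The enclosing method continues outside the hunk.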
@ -48,6 +48,7 @@ class KeepalivedJinjaTemplater(object):
|
|||
template_loader = jinja2.FileSystemLoader(
|
||||
searchpath=os.path.dirname(template_file))
|
||||
self._jinja_env = jinja2.Environment(
|
||||
autoescape=True,
|
||||
loader=template_loader,
|
||||
trim_blocks=True,
|
||||
lstrip_blocks=True)
|
||||
|
|
|
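Review bot: The `autoescape=True` added to this environment HTML-escapes every value interpolated into the keepalived template; if the template carries operator-supplied strings (I cannot see its variables from here), a `&` or quote in one of them will be emitted as an entity and the rendered configuration will not match what was entered. Please add `# not an HTML template; autoescape only satisfies bandit B701 - no rendered value may contain &<>"'` on the `autoescape=True` line, or, if that cannot be guaranteed, use `autoescape=False  # nosec` with the same reason. The `__init__` body starts outside this hunk.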
@ -30,7 +30,7 @@ from octavia import version
|
|||
LOG = logging.getLogger(__name__)
|
||||
|
||||
core_opts = [
|
||||
cfg.IPOpt('bind_host', default='0.0.0.0',
|
||||
cfg.IPOpt('bind_host', default='127.0.0.1',
|
||||
help=_("The host IP to bind to")),
|
||||
cfg.PortOpt('bind_port', default=9876,
|
||||
help=_("The port to bind to")),
|
||||
|
@ -93,7 +93,7 @@ networking_opts = [
|
|||
]
|
||||
|
||||
healthmanager_opts = [
|
||||
cfg.IPOpt('bind_ip', default='0.0.0.0',
|
||||
cfg.IPOpt('bind_ip', default='127.0.0.1',
|
||||
help=_('IP address the controller will listen on for '
|
||||
'heart beats')),
|
||||
cfg.PortOpt('bind_port', default=5555,
|
||||
|
@ -169,7 +169,7 @@ haproxy_amphora_opts = [
|
|||
'suffixes. Example: 10k')),
|
||||
|
||||
# REST server
|
||||
cfg.IPOpt('bind_host', default='0.0.0.0',
|
||||
cfg.IPOpt('bind_host', default='0.0.0.0', # nosec
|
||||
help=_("The host IP to bind to")),
|
||||
cfg.PortOpt('bind_port', default=9443,
|
||||
help=_("The port to bind to")),
|
||||
|
|
|
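Review bot: Changing the `bind_host` and health-manager `bind_ip` defaults from `0.0.0.0` to `127.0.0.1` is an upgrade-visible behavior change: a deployment that relied on the old defaults will, after upgrade, have an API unreachable from other hosts and a health manager that no longer receives heart beats, and nothing in the help strings warns of that. Suggest `help=_("The host IP to bind to. Defaults to loopback; set a routable address for multi-host deployments")` and `help=_('IP address the controller will listen on for heart beats; must be reachable from the amphorae (the loopback default only suits single-host setups)')`, plus an upgrade note. The bare `# nosec` on the amphora REST server `bind_host` records no reason; `# nosec - the agent must listen on the management interface, whose address is not known when the config is generated (bug 1489963)` captures the bug the commit message points at, though that reason is my reading of the reference, not of code in this hunk.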
@ -107,6 +107,7 @@ class JinjaTemplater(object):
|
|||
template_loader = jinja2.FileSystemLoader(
|
||||
searchpath=os.path.dirname(self.haproxy_template))
|
||||
JINJA_ENV = jinja2.Environment(
|
||||
autoescape=True,
|
||||
loader=template_loader,
|
||||
trim_blocks=True,
|
||||
lstrip_blocks=True)
|
||||
|
|
|
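Review bot: `autoescape=True` now HTML-escapes everything rendered into the haproxy configuration template, and this is the templater most likely to carry user-controlled strings — health-monitor URL paths and similar listener or pool attributes, if they are interpolated there — so a `&` in a monitor path would render as `&amp;` and haproxy would probe the wrong URL. HTML escaping is also not haproxy-config escaping, so it does not stop a value breaking out of a directive. Either confirm that each rendered value is validated upstream and document it on the line (`# autoescape for bandit B701 only; rendered values are validated by the API layer, not escaped here`), or prefer `autoescape=False  # nosec` with that note. The template variables and the rest of the method are outside this hunk.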
@ -33,7 +33,7 @@ class UserDataJinjaCfg(object):
|
|||
def __init__(self):
|
||||
template_loader = jinja2.FileSystemLoader(searchpath=os.path.dirname(
|
||||
TEMPLATES_DIR))
|
||||
jinja_env = jinja2.Environment(loader=template_loader)
|
||||
jinja_env = jinja2.Environment(autoescape=True, loader=template_loader)
|
||||
self.agent_template = jinja_env.get_template(
|
||||
constants.USER_DATA_CONFIG_DRIVE_TEMPLATE)
|
||||
|
||||
|
|
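Review bot: `autoescape=True` on this environment applies HTML escaping to `USER_DATA_CONFIG_DRIVE_TEMPLATE`; if the rendered user data embeds the agent config or any other non-HTML text containing `&`, quotes or angle brackets, that text will reach the amphora as HTML entities. Record the intent inline, `jinja_env = jinja2.Environment(autoescape=True, loader=template_loader)  # not HTML; set only for bandit B701`, and confirm the embedded values cannot contain those characters, since the template is not visible from this hunk. The rest of `__init__` is visible and unaffected.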
4
tox.ini
4
tox.ini
|
@ -41,7 +41,7 @@ commands = flake8
|
|||
doc8 specs doc/source octavia \
|
||||
CONSTITUTION.rst HACKING.rst README.rst
|
||||
# Run security linter
|
||||
bandit-baseline -r octavia -ll -ii
|
||||
bandit -r octavia -ll -ii -x octavia/tests
|
||||
|
||||
[testenv:docs]
|
||||
commands =
|
||||
|
@ -68,7 +68,7 @@ commands =
|
|||
|
||||
|
||||
[testenv:bandit]
|
||||
commands = bandit-baseline -r octavia -ll -ii
|
||||
commands = bandit -r octavia -ll -ii -x octavia/tests {posargs}
|
||||
|
||||
[flake8]
|
||||
# Ignoring O321 because it's unnecessarily restricting use of json package.
|
||||
|
|
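Review bot: `bandit -r octavia -ll -ii -x octavia/tests` reports only medium-or-higher severity and confidence, so the clean run this commit establishes says nothing about low-severity findings (B101 assert usage, B110 try/except/pass, and the like) and new ones will land unnoticed; that threshold belongs in the comment, e.g. `# Run security linter (medium+ severity and confidence only; tests excluded)`. Excluding `octavia/tests` is reasonable, but it also hides hard-coded secrets or unsafe fixtures in test code, which is worth a deliberate word in the same comment. The `[testenv:bandit]` entry keeps `{posargs}` after the fixed flags, so a developer can pass extra options locally; saying so in the comment would help.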