Add a "bandit" target to tox.ini
This will allow us to find potential security issues, such as those fixed by52e624891f
andc4a7ac0b65
. Change-Id: I21aa0ca79232784069e55da46920eb43250d8939
This commit is contained in:
parent
9e5fb5697d
commit
2786a9ded3
362
bandit.yaml
Normal file
362
bandit.yaml
Normal file
@ -0,0 +1,362 @@
|
||||
# optional: after how many files to update progress
|
||||
#show_progress_every: 100
|
||||
|
||||
# optional: plugins directory name
|
||||
#plugins_dir: plugins
|
||||
|
||||
# optional: plugins discovery name pattern
|
||||
plugin_name_pattern: '*.py'
|
||||
|
||||
# optional: terminal escape sequences to display colors
|
||||
#output_colors:
|
||||
# DEFAULT: \033[0m
|
||||
# HEADER: \033[95m
|
||||
# LOW: \033[94m
|
||||
# MEDIUM: \033[93m
|
||||
# HIGH: \033[91m
|
||||
|
||||
# optional: log format string
|
||||
#log_format: "[%(module)s]\t%(levelname)s\t%(message)s"
|
||||
|
||||
# globs of files which should be analyzed
|
||||
include:
|
||||
- '*.py'
|
||||
- '*.pyw'
|
||||
|
||||
# a list of strings, which if found in the path will cause files to be excluded
|
||||
# for example /tests/ - to remove all files in tests directory
|
||||
exclude_dirs:
|
||||
- '/tests/'
|
||||
|
||||
profiles:
|
||||
oslo.messaging:
|
||||
include:
|
||||
- any_other_function_with_shell_equals_true
|
||||
# Some occurrences in the olso.messaging code, but not much to do
|
||||
# to get rid of these warnings, so just skip this.
|
||||
# - assert_used
|
||||
- blacklist_calls
|
||||
- blacklist_import_func
|
||||
- blacklist_imports
|
||||
- exec_used
|
||||
- execute_with_run_as_root_equals_true
|
||||
- hardcoded_bind_all_interfaces
|
||||
- hardcoded_password_string
|
||||
- hardcoded_password_funcarg
|
||||
- hardcoded_password_default
|
||||
- hardcoded_sql_expressions
|
||||
- hardcoded_tmp_directory
|
||||
- jinja2_autoescape_false
|
||||
- linux_commands_wildcard_injection
|
||||
- paramiko_calls
|
||||
- password_config_option_not_marked_secret
|
||||
- request_with_no_cert_validation
|
||||
- set_bad_file_permissions
|
||||
- subprocess_popen_with_shell_equals_true
|
||||
- subprocess_without_shell_equals_true
|
||||
- start_process_with_a_shell
|
||||
- start_process_with_no_shell
|
||||
- start_process_with_partial_path
|
||||
- ssl_with_bad_defaults
|
||||
- ssl_with_bad_version
|
||||
- ssl_with_no_version
|
||||
# This might be nice to have, but we currently ignore a lot of
|
||||
# exceptions during the cleanup phases, so this throws a lot
|
||||
# false positives.
|
||||
# - try_except_pass
|
||||
- use_of_mako_templates
|
||||
- weak_cryptographic_key
|
||||
|
||||
XSS:
|
||||
include:
|
||||
- jinja2_autoescape_false
|
||||
- use_of_mako_templates
|
||||
|
||||
ShellInjection:
|
||||
include:
|
||||
- subprocess_popen_with_shell_equals_true
|
||||
- subprocess_without_shell_equals_true
|
||||
- any_other_function_with_shell_equals_true
|
||||
- start_process_with_a_shell
|
||||
- start_process_with_no_shell
|
||||
- start_process_with_partial_path
|
||||
exclude:
|
||||
|
||||
SqlInjection:
|
||||
include:
|
||||
- hardcoded_sql_expressions
|
||||
|
||||
blacklist_calls:
|
||||
bad_name_sets:
|
||||
- pickle:
|
||||
qualnames:
|
||||
- pickle.loads
|
||||
- pickle.load
|
||||
- pickle.Unpickler
|
||||
- cPickle.loads
|
||||
- cPickle.load
|
||||
- cPickle.Unpickler
|
||||
message: >
|
||||
Pickle library appears to be in use, possible security issue.
|
||||
- marshal:
|
||||
qualnames: [marshal.load, marshal.loads]
|
||||
message: >
|
||||
Deserialization with the marshal module is possibly dangerous.
|
||||
- md5:
|
||||
qualnames:
|
||||
- hashlib.md5
|
||||
- Crypto.Hash.MD2.new
|
||||
- Crypto.Hash.MD4.new
|
||||
- Crypto.Hash.MD5.new
|
||||
- cryptography.hazmat.primitives.hashes.MD5
|
||||
message: Use of insecure MD2, MD4, or MD5 hash function.
|
||||
- ciphers:
|
||||
qualnames:
|
||||
- Crypto.Cipher.ARC2.new
|
||||
- Crypto.Cipher.ARC4.new
|
||||
- Crypto.Cipher.Blowfish.new
|
||||
- Crypto.Cipher.DES.new
|
||||
- Crypto.Cipher.XOR.new
|
||||
- cryptography.hazmat.primitives.ciphers.algorithms.ARC4
|
||||
- cryptography.hazmat.primitives.ciphers.algorithms.Blowfish
|
||||
- cryptography.hazmat.primitives.ciphers.algorithms.IDEA
|
||||
message: >
|
||||
Use of insecure cipher {func}. Replace with a known secure
|
||||
cipher such as AES.
|
||||
level: HIGH
|
||||
- cipher_modes:
|
||||
qualnames:
|
||||
- cryptography.hazmat.primitives.ciphers.modes.ECB
|
||||
message: Use of insecure cipher mode {func}.
|
||||
- mktemp_q:
|
||||
qualnames: [tempfile.mktemp]
|
||||
message: Use of insecure and deprecated function (mktemp).
|
||||
- eval:
|
||||
qualnames: [eval]
|
||||
message: >
|
||||
Use of possibly insecure function - consider using safer
|
||||
ast.literal_eval.
|
||||
- mark_safe:
|
||||
names: [mark_safe]
|
||||
message: >
|
||||
Use of mark_safe() may expose cross-site scripting
|
||||
vulnerabilities and should be reviewed.
|
||||
- httpsconnection:
|
||||
qualnames: [httplib.HTTPSConnection]
|
||||
message: >
|
||||
Use of HTTPSConnection does not provide security, see
|
||||
https://wiki.openstack.org/wiki/OSSN/OSSN-0033
|
||||
- yaml_load:
|
||||
qualnames: [yaml.load]
|
||||
message: >
|
||||
Use of unsafe yaml load. Allows instantiation of arbitrary
|
||||
objects. Consider yaml.safe_load().
|
||||
- urllib_urlopen:
|
||||
qualnames:
|
||||
- urllib.urlopen
|
||||
- urllib.urlretrieve
|
||||
- urllib.URLopener
|
||||
- urllib.FancyURLopener
|
||||
- urllib2.urlopen
|
||||
- urllib2.Request
|
||||
message: >
|
||||
Audit url open for permitted schemes. Allowing use of file:/ or
|
||||
custom schemes is often unexpected.
|
||||
- telnetlib:
|
||||
qualnames:
|
||||
- telnetlib.*
|
||||
message: >
|
||||
Telnet-related funtions are being called. Telnet is considered
|
||||
insecure. Use SSH or some other encrypted protocol.
|
||||
level: HIGH
|
||||
# Most of this is based off of Christian Heimes' work on defusedxml:
|
||||
# https://pypi.python.org/pypi/defusedxml/#defusedxml-sax
|
||||
- xml_bad_cElementTree:
|
||||
qualnames:
|
||||
- xml.etree.cElementTree.parse
|
||||
- xml.etree.cElementTree.iterparse
|
||||
- xml.etree.cElementTree.fromstring
|
||||
- xml.etree.cElementTree.XMLParser
|
||||
message: >
|
||||
Using {func} to parse untrusted XML data is known to be
|
||||
vulnerable to XML attacks. Replace {func} with its defusedxml
|
||||
equivalent function.
|
||||
- xml_bad_ElementTree:
|
||||
qualnames:
|
||||
- xml.etree.ElementTree.parse
|
||||
- xml.etree.ElementTree.iterparse
|
||||
- xml.etree.ElementTree.fromstring
|
||||
- xml.etree.ElementTree.XMLParser
|
||||
message: >
|
||||
Using {func} to parse untrusted XML data is known to be
|
||||
vulnerable to XML attacks. Replace {func} with its defusedxml
|
||||
equivalent function.
|
||||
- xml_bad_expatreader:
|
||||
qualnames: [xml.sax.expatreader.create_parser]
|
||||
message: >
|
||||
Using {func} to parse untrusted XML data is known to be
|
||||
vulnerable to XML attacks. Replace {func} with its defusedxml
|
||||
equivalent function.
|
||||
- xml_bad_expatbuilder:
|
||||
qualnames:
|
||||
- xml.dom.expatbuilder.parse
|
||||
- xml.dom.expatbuilder.parseString
|
||||
message: >
|
||||
Using {func} to parse untrusted XML data is known to be
|
||||
vulnerable to XML attacks. Replace {func} with its defusedxml
|
||||
equivalent function.
|
||||
- xml_bad_sax:
|
||||
qualnames:
|
||||
- xml.sax.parse
|
||||
- xml.sax.parseString
|
||||
- xml.sax.make_parser
|
||||
message: >
|
||||
Using {func} to parse untrusted XML data is known to be
|
||||
vulnerable to XML attacks. Replace {func} with its defusedxml
|
||||
equivalent function.
|
||||
- xml_bad_minidom:
|
||||
qualnames:
|
||||
- xml.dom.minidom.parse
|
||||
- xml.dom.minidom.parseString
|
||||
message: >
|
||||
Using {func} to parse untrusted XML data is known to be
|
||||
vulnerable to XML attacks. Replace {func} with its defusedxml
|
||||
equivalent function.
|
||||
- xml_bad_pulldom:
|
||||
qualnames:
|
||||
- xml.dom.pulldom.parse
|
||||
- xml.dom.pulldom.parseString
|
||||
message: >
|
||||
Using {func} to parse untrusted XML data is known to be
|
||||
vulnerable to XML attacks. Replace {func} with its defusedxml
|
||||
equivalent function.
|
||||
- xml_bad_etree:
|
||||
qualnames:
|
||||
- lxml.etree.parse
|
||||
- lxml.etree.fromstring
|
||||
- lxml.etree.RestrictedElement
|
||||
- lxml.etree.GlobalParserTLS
|
||||
- lxml.etree.getDefaultParser
|
||||
- lxml.etree.check_docinfo
|
||||
message: >
|
||||
Using {func} to parse untrusted XML data is known to be
|
||||
vulnerable to XML attacks. Replace {func} with its defusedxml
|
||||
equivalent function.
|
||||
|
||||
|
||||
shell_injection:
|
||||
# Start a process using the subprocess module, or one of its wrappers.
|
||||
subprocess:
|
||||
- subprocess.Popen
|
||||
- subprocess.call
|
||||
- subprocess.check_call
|
||||
- subprocess.check_output
|
||||
- utils.execute
|
||||
- utils.execute_with_timeout
|
||||
# Start a process with a function vulnerable to shell injection.
|
||||
shell:
|
||||
- os.system
|
||||
- os.popen
|
||||
- os.popen2
|
||||
- os.popen3
|
||||
- os.popen4
|
||||
- popen2.popen2
|
||||
- popen2.popen3
|
||||
- popen2.popen4
|
||||
- popen2.Popen3
|
||||
- popen2.Popen4
|
||||
- commands.getoutput
|
||||
- commands.getstatusoutput
|
||||
# Start a process with a function that is not vulnerable to shell injection.
|
||||
no_shell:
|
||||
- os.execl
|
||||
- os.execle
|
||||
- os.execlp
|
||||
- os.execlpe
|
||||
- os.execv
|
||||
- os.execve
|
||||
- os.execvp
|
||||
- os.execvpe
|
||||
- os.spawnl
|
||||
- os.spawnle
|
||||
- os.spawnlp
|
||||
- os.spawnlpe
|
||||
- os.spawnv
|
||||
- os.spawnve
|
||||
- os.spawnvp
|
||||
- os.spawnvpe
|
||||
- os.startfile
|
||||
|
||||
blacklist_imports:
|
||||
bad_import_sets:
|
||||
- telnet:
|
||||
imports: [telnetlib]
|
||||
level: HIGH
|
||||
message: >
|
||||
A telnet-related module is being imported. Telnet is
|
||||
considered insecure. Use SSH or some other encrypted protocol.
|
||||
- info_libs:
|
||||
imports: [pickle, cPickle, subprocess, Crypto]
|
||||
level: LOW
|
||||
message: >
|
||||
Consider possible security implications associated with
|
||||
{module} module.
|
||||
|
||||
# Most of this is based off of Christian Heimes' work on defusedxml:
|
||||
# https://pypi.python.org/pypi/defusedxml/#defusedxml-sax
|
||||
|
||||
- xml_libs:
|
||||
imports:
|
||||
- xml.etree.cElementTree
|
||||
- xml.etree.ElementTree
|
||||
- xml.sax.expatreader
|
||||
- xml.sax
|
||||
- xml.dom.expatbuilder
|
||||
- xml.dom.minidom
|
||||
- xml.dom.pulldom
|
||||
- lxml.etree
|
||||
- lxml
|
||||
message: >
|
||||
Using {module} to parse untrusted XML data is known to be
|
||||
vulnerable to XML attacks. Replace {module} with the equivalent
|
||||
defusedxml package.
|
||||
level: LOW
|
||||
- xml_libs_high:
|
||||
imports: [xmlrpclib]
|
||||
message: >
|
||||
Using {module} to parse untrusted XML data is known to be
|
||||
vulnerable to XML attacks. Use defused.xmlrpc.monkey_patch()
|
||||
function to monkey-patch xmlrpclib and mitigate XML
|
||||
vulnerabilities.
|
||||
level: HIGH
|
||||
|
||||
hardcoded_tmp_directory:
|
||||
tmp_dirs: [/tmp, /var/tmp, /dev/shm]
|
||||
|
||||
hardcoded_password:
|
||||
# Support for full path, relative path and special "%(site_data_dir)s"
|
||||
# substitution (/usr/{local}/share)
|
||||
word_list: "%(site_data_dir)s/wordlist/default-passwords"
|
||||
|
||||
ssl_with_bad_version:
|
||||
bad_protocol_versions:
|
||||
- PROTOCOL_SSLv2
|
||||
- SSLv2_METHOD
|
||||
- SSLv23_METHOD
|
||||
- PROTOCOL_SSLv3 # strict option
|
||||
- PROTOCOL_TLSv1 # strict option
|
||||
- SSLv3_METHOD # strict option
|
||||
- TLSv1_METHOD # strict option
|
||||
|
||||
password_config_option_not_marked_secret:
|
||||
function_names:
|
||||
- oslo.config.cfg.StrOpt
|
||||
- oslo_config.cfg.StrOpt
|
||||
|
||||
execute_with_run_as_root_equals_true:
|
||||
function_names:
|
||||
- ceilometer.utils.execute
|
||||
- cinder.utils.execute
|
||||
- neutron.agent.linux.utils.execute
|
||||
- nova.utils.execute
|
||||
- nova.utils.trycmd
|
@ -36,3 +36,6 @@ oslosphinx>=2.5.0 # Apache-2.0
|
||||
# AMQP 1.0 support depends on the Qpid Proton AMQP 1.0
|
||||
# development libraries.
|
||||
pyngus>=2.0.0 # Apache-2.0
|
||||
|
||||
# Bandit security code scanner
|
||||
bandit>=0.13.2
|
||||
|
6
tox.ini
6
tox.ini
@ -1,5 +1,5 @@
|
||||
[tox]
|
||||
envlist = py34,py27,pep8
|
||||
envlist = py34,py27,pep8,bandit
|
||||
|
||||
[testenv]
|
||||
setenv =
|
||||
@ -38,6 +38,10 @@ commands = {toxinidir}/setup-test-env-qpid.sh 1.0 python setup.py testr --slowes
|
||||
[testenv:py27-func-zeromq]
|
||||
commands = {toxinidir}/setup-test-env-zmq.sh python setup.py testr --slowest --testr-args='oslo_messaging.tests.functional'
|
||||
|
||||
[testenv:bandit]
|
||||
deps = -r{toxinidir}/test-requirements.txt
|
||||
commands = bandit -c bandit.yaml -r oslo_messaging -n5 -p oslo.messaging
|
||||
|
||||
[flake8]
|
||||
show-source = True
|
||||
ignore = H237,H402,H405,H904
|
||||
|
Loading…
Reference in New Issue
Block a user