From ee3fc98be34eb330b6a6e31c7442b9cb2c951356 Mon Sep 17 00:00:00 2001 From: madurranjani Date: Thu, 29 Nov 2018 12:44:10 -0600 Subject: [PATCH] Bandit scan changes for ranger Change-Id: Ieb0f8656b7d5a3124e1f487c9a550e9c0c19bb82 --- bandit.yaml | 92 +++++++++++++++++++ .../client/audit/audit_client/api/audit.py | 8 +- orm/common/config.py | 2 +- orm/orm_client/db_clear/db_comander.py | 14 +-- .../data/sql_alchemy/cms_user_record.py | 2 +- .../data/sql_alchemy/customer_record.py | 6 +- .../sql_alchemy/customer_region_record.py | 4 +- .../data/sql_alchemy/region_record.py | 2 +- .../data/sql_alchemy/user_role_record.py | 7 +- .../data/sql_alchemy/flavor/flavor_record.py | 4 +- .../fms_rest/data/wsme/models.py | 3 +- .../sql_alchemy/image/image_record.py | 6 +- .../region_manager/rms/model/model.py | 9 +- test-requirements.txt | 2 +- tox.ini | 8 +- 15 files changed, 136 insertions(+), 33 deletions(-) create mode 100644 bandit.yaml diff --git a/bandit.yaml b/bandit.yaml new file mode 100644 index 00000000..35384763 --- /dev/null +++ b/bandit.yaml @@ -0,0 +1,92 @@ +### Bandit config file generated from: +# '/usr/local/bin/bandit-config-generator -o bandit.yaml' + +### This config may optionally select a subset of tests to run or skip by +### filling out the 'tests' and 'skips' lists given below. If no tests are +### specified for inclusion then it is assumed all tests are desired. The skips +### set will remove specific tests from the include set. This can be controlled +### using the -t/-s CLI options. Note that the same test ID should not appear +### in both 'tests' and 'skips', this would be nonsensical and is detected by +### Bandit at runtime. + +# Available tests: +# B101 : assert_used +# B102 : exec_used +# B103 : set_bad_file_permissions +# B104 : hardcoded_bind_all_interfaces +# B105 : hardcoded_password_string +# B106 : hardcoded_password_funcarg +# B107 : hardcoded_password_default +# B108 : hardcoded_tmp_directory +# B109 : password_config_option_not_marked_secret +# B110 : try_except_pass +# B111 : execute_with_run_as_root_equals_true +# B112 : try_except_continue +# B201 : flask_debug_true +# B301 : pickle +# B302 : marshal +# B303 : md5 +# B304 : ciphers +# B305 : cipher_modes +# B306 : mktemp_q +# B307 : eval +# B308 : mark_safe +# B309 : httpsconnection +# B310 : urllib_urlopen +# B311 : random +# B312 : telnetlib +# B313 : xml_bad_cElementTree +# B314 : xml_bad_ElementTree +# B315 : xml_bad_expatreader +# B316 : xml_bad_expatbuilder +# B317 : xml_bad_sax +# B318 : xml_bad_minidom +# B319 : xml_bad_pulldom +# B320 : xml_bad_etree +# B321 : ftplib +# B322 : input +# B401 : import_telnetlib +# B402 : import_ftplib +# B403 : import_pickle +# B404 : import_subprocess +# B405 : import_xml_etree +# B406 : import_xml_sax +# B407 : import_xml_expat +# B408 : import_xml_minidom +# B409 : import_xml_pulldom +# B410 : import_lxml +# B411 : import_xmlrpclib +# B412 : import_httpoxy +# B501 : request_with_no_cert_validation +# B502 : ssl_with_bad_version +# B503 : ssl_with_bad_defaults +# B504 : ssl_with_no_version +# B505 : weak_cryptographic_key +# B506 : yaml_load +# B601 : paramiko_calls +# B602 : subprocess_popen_with_shell_equals_true +# B603 : subprocess_without_shell_equals_true +# B604 : any_other_function_with_shell_equals_true +# B605 : start_process_with_a_shell +# B606 : start_process_with_no_shell +# B607 : start_process_with_partial_path +# B608 : hardcoded_sql_expressions +# B609 : linux_commands_wildcard_injection +# B701 : jinja2_autoescape_false +# B702 : use_of_mako_templates + +# (optional) list included test IDs here, eg '[B101, B406]': +tests: + +# (optional) list skipped test IDs here, eg '[B101, B406]': +skips: [B101, B404, B603, B606] + +# globs of files which should be analyzed +include: + - '*.py' + - '*.pyw' + +# a list of strings, which if found in the path will cause files to be excluded +# for example /tests/ - will exclude all files in test folder. +exclude_dirs: + - '/tests/' diff --git a/orm/common/client/audit/audit_client/api/audit.py b/orm/common/client/audit/audit_client/api/audit.py index 9077d8d6..dc0d9904 100755 --- a/orm/common/client/audit/audit_client/api/audit.py +++ b/orm/common/client/audit/audit_client/api/audit.py @@ -169,13 +169,13 @@ def _post_data(data): # Validate that the configuration was initialized _validate() # Send the data - req = urllib2.Request(config['AUDIT_SERVER_URL']) + req = urllib2.Request(config['AUDIT_SERVER_URL']) # nosec req.add_header('Content-Type', 'application/json') # Retry to send the data to the audit server success = False for retry_number in range(config['NUM_OF_SEND_RETRIES']): try: - urllib2.urlopen(req, json.dumps(data)) + urllib2.urlopen(req, json.dumps(data)) # nosec success = True break except Exception as error: @@ -197,13 +197,13 @@ def _get_data(query): # Send the data audit_server_url_with_query = "{}?{}".format(config['AUDIT_SERVER_URL'], query) - req = urllib2.Request(audit_server_url_with_query) + req = urllib2.Request(audit_server_url_with_query) # nosec # Retry to get the data from the audit server success = False response = None for retry_number in range(config['NUM_OF_SEND_RETRIES']): try: - response = urllib2.urlopen(req) + response = urllib2.urlopen(req) # nosec success = True break except Exception as error: diff --git a/orm/common/config.py b/orm/common/config.py index 1eaa8f44..889ea8de 100644 --- a/orm/common/config.py +++ b/orm/common/config.py @@ -22,7 +22,7 @@ CONF = cfg.CONF api_opts = [ cfg.HostAddressOpt( 'host', - default='0.0.0.0', + default='0.0.0.0', # nosec help='Ranger API server host' ), cfg.BoolOpt('ssl_verify', default=False, help='Enable HTTPS') diff --git a/orm/orm_client/db_clear/db_comander.py b/orm/orm_client/db_clear/db_comander.py index 930125e5..9b283118 100644 --- a/orm/orm_client/db_clear/db_comander.py +++ b/orm/orm_client/db_clear/db_comander.py @@ -60,7 +60,7 @@ def _build_delet_resource_status_query(resource_id, table_name): query = ''' DELETE from %s WHERE resource_id = '%s' - ''' % (table_name, resource_id) + ''' % (table_name, resource_id) # nosec return query @@ -70,7 +70,7 @@ def _build_delete_image_metadata(resource_id, image_metadata_table, DELETE from %s WHERE image_meta_data_id in (SELECT id from %s where resource_id = '%s') - ''' % (image_metadata_table, resource_table, resource_id) + ''' % (image_metadata_table, resource_table, resource_id) # nosec return query @@ -78,7 +78,7 @@ def _build_delete_resource_query(resource_id, table_col, table_name): query = ''' DELETE from %s WHERE %s.%s = '%s' - ''' % (table_name, table_name, table_col, resource_id) + ''' % (table_name, table_name, table_col, resource_id) # nosec return query @@ -86,7 +86,7 @@ def _build_get_cms_regions_query(resource_id, table_name): query = ''' select region_id from %s WHERE customer_id = '%s' and region_id != '-1' - ''' % (table_name, resource_id) + ''' % (table_name, resource_id) # nosec return query @@ -94,7 +94,7 @@ def _build_get_fms_regions_query(resource_id, table_name): query = ''' select region_name from %s WHERE flavor_internal_id = '%s' - ''' % (table_name, resource_id) + ''' % (table_name, resource_id) # nosec return query @@ -102,7 +102,7 @@ def _build_get_ims_regions_query(resource_id, table_name): query = ''' select region_name from %s WHERE image_id = '%s' - ''' % (table_name, resource_id) + ''' % (table_name, resource_id) # nosec return query @@ -110,7 +110,7 @@ def _build_get_resource_id_query(resource_id, table_col, table_name): query = ''' select * from %s WHERE %s.%s = '%s' - ''' % (table_name, table_name, table_col, resource_id) + ''' % (table_name, table_name, table_col, resource_id) # nosec return query diff --git a/orm/services/customer_manager/cms_rest/data/sql_alchemy/cms_user_record.py b/orm/services/customer_manager/cms_rest/data/sql_alchemy/cms_user_record.py index 3b8ab57a..a6494eb0 100755 --- a/orm/services/customer_manager/cms_rest/data/sql_alchemy/cms_user_record.py +++ b/orm/services/customer_manager/cms_rest/data/sql_alchemy/cms_user_record.py @@ -38,7 +38,7 @@ class CmsUserRecord: raise def get_cms_user_id_from_name(self, cms_user_name): - result = self.session.connection().scalar("SELECT id from cms_user WHERE name = \"%s\"" % (cms_user_name)) + result = self.session.connection().scalar("SELECT id from cms_user WHERE name = \"%s\"", (cms_user_name,)) if result is not None: return int(result) return result diff --git a/orm/services/customer_manager/cms_rest/data/sql_alchemy/customer_record.py b/orm/services/customer_manager/cms_rest/data/sql_alchemy/customer_record.py index 2e375aae..fe2e7d60 100755 --- a/orm/services/customer_manager/cms_rest/data/sql_alchemy/customer_record.py +++ b/orm/services/customer_manager/cms_rest/data/sql_alchemy/customer_record.py @@ -42,7 +42,7 @@ class CustomerRecord: raise def delete_by_primary_key(self, customer_id): - result = self.session.connection().execute("delete from customer where id = {}".format(customer_id)) + result = self.session.connection().execute("delete from customer where id = {}".format(customer_id)) # nosec return result def read_by_primary_key(self): @@ -69,7 +69,7 @@ class CustomerRecord: raise def get_customer_id_from_uuid(self, uuid): - result = self.session.connection().scalar("SELECT id from customer WHERE uuid = \"{}\"".format(uuid)) + result = self.session.connection().scalar("SELECT id from customer WHERE uuid = \"{}\"".format(uuid)) # nosec if result: return int(result) @@ -77,7 +77,7 @@ class CustomerRecord: return None def get_customers_status_by_uuids(self, uuid_str): - results = self.session.connection().execute("SELECT id, resource_id, region, status" + results = self.session.connection().execute("SELECT id, resource_id, region, status" # nosec " FROM rds_resource_status_view WHERE resource_id IN ({})".format(uuid_str)) cust_region_dict = {} if results: diff --git a/orm/services/customer_manager/cms_rest/data/sql_alchemy/customer_region_record.py b/orm/services/customer_manager/cms_rest/data/sql_alchemy/customer_region_record.py index d742444a..c3573107 100755 --- a/orm/services/customer_manager/cms_rest/data/sql_alchemy/customer_region_record.py +++ b/orm/services/customer_manager/cms_rest/data/sql_alchemy/customer_region_record.py @@ -68,7 +68,7 @@ class CustomerRegionRecord: 'region with the region name {0} not found'.format( region_name)) result = self.session.connection().execute( - "delete from customer_region where customer_id = {} and region_id = {}".format(customer_id, region_id)) + "delete from customer_region where customer_id = {} and region_id = {}".format(customer_id, region_id)) # nosec self.session.flush() if result.rowcount == 0: @@ -86,6 +86,6 @@ class CustomerRegionRecord: customer_id = customer_record.get_customer_id_from_uuid(customer_id) result = self.session.connection().execute( - "delete from customer_region where customer_id = {} and region_id <> -1 ".format(customer_id)) + "delete from customer_region where customer_id = {} and region_id <> -1 ".format(customer_id)) # nosec # print "num records deleted from customer regions: " + str(result.rowcount) return result diff --git a/orm/services/customer_manager/cms_rest/data/sql_alchemy/region_record.py b/orm/services/customer_manager/cms_rest/data/sql_alchemy/region_record.py index 0bf5dcc0..07154a2f 100755 --- a/orm/services/customer_manager/cms_rest/data/sql_alchemy/region_record.py +++ b/orm/services/customer_manager/cms_rest/data/sql_alchemy/region_record.py @@ -37,7 +37,7 @@ class RegionRecord: raise def get_region_id_from_name(self, region_name): - result = self.session.connection().scalar("SELECT id from cms_region WHERE name = \"{}\"".format(region_name)) + result = self.session.connection().scalar("SELECT id from cms_region WHERE name = \"{}\"".format(region_name)) # nosec if result is not None: return int(result) return result diff --git a/orm/services/customer_manager/cms_rest/data/sql_alchemy/user_role_record.py b/orm/services/customer_manager/cms_rest/data/sql_alchemy/user_role_record.py index ceb94971..aaf11112 100755 --- a/orm/services/customer_manager/cms_rest/data/sql_alchemy/user_role_record.py +++ b/orm/services/customer_manager/cms_rest/data/sql_alchemy/user_role_record.py @@ -64,9 +64,10 @@ class UserRoleRecord: # additional logic for delete_user only: check if the provided user id # is associated with the customer and region in cms delete_user request elif region_id > -1: - user_check = "SELECT DISTINCT user_id from user_role " \ - "WHERE customer_id =%d AND region_id =%d " \ - "AND user_id =%d" % (customer_id, region_id, user_id) + user_check = ''' + SELECT DISTINCT user_id from user_role + WHERE customer_id =%d AND region_id =%d AND user_id =%d" + ''' % (customer_id, region_id, user_id) # nosec result = self.session.connection().execute(user_check) if result.rowcount == 0: diff --git a/orm/services/flavor_manager/fms_rest/data/sql_alchemy/flavor/flavor_record.py b/orm/services/flavor_manager/fms_rest/data/sql_alchemy/flavor/flavor_record.py index a1255839..aef20afd 100755 --- a/orm/services/flavor_manager/fms_rest/data/sql_alchemy/flavor/flavor_record.py +++ b/orm/services/flavor_manager/fms_rest/data/sql_alchemy/flavor/flavor_record.py @@ -53,7 +53,7 @@ class FlavorRecord: def delete_by_uuid(self, flavor_uuid): try: - result = self.session.connection().execute("delete from flavor where id = \"{0}\"".format(flavor_uuid)) + result = self.session.connection().execute("delete from flavor where id = \"{0}\"".format(flavor_uuid)) # nosec return result except Exception as exception: @@ -148,7 +148,7 @@ class FlavorRecord: raise def get_flavors_status_by_uuids(self, uuid_str): - results = self.session.connection().execute("SELECT id, resource_id, region, status" + results = self.session.connection().execute("SELECT id, resource_id, region, status" # nosec " FROM rds_resource_status_view WHERE resource_id IN ({})".format(uuid_str)) flvr_region_dict = {} diff --git a/orm/services/flavor_manager/fms_rest/data/wsme/models.py b/orm/services/flavor_manager/fms_rest/data/wsme/models.py index 4254f921..07d4efa3 100755 --- a/orm/services/flavor_manager/fms_rest/data/wsme/models.py +++ b/orm/services/flavor_manager/fms_rest/data/wsme/models.py @@ -1,3 +1,4 @@ +import ast import wsme from orm.common.orm_common.utils.cross_api_utils import (set_utils_conf, @@ -254,7 +255,7 @@ class Flavor(Model): if self.series == 'p1': if {'n0'}.issubset(self.options.keys()) and \ - eval(self.options.get('n0').lower().capitalize()): + ast.literal_eval(self.options.get('n0').lower().capitalize()): vcpu_limit = int(conf.flavor_limits.p1_n0_vcpu_limit) vram_limit = int(conf.flavor_limits.p1_n0_vram_limit) else: diff --git a/orm/services/image_manager/ims/persistency/sql_alchemy/image/image_record.py b/orm/services/image_manager/ims/persistency/sql_alchemy/image/image_record.py index 58ea3775..a16aa16a 100755 --- a/orm/services/image_manager/ims/persistency/sql_alchemy/image/image_record.py +++ b/orm/services/image_manager/ims/persistency/sql_alchemy/image/image_record.py @@ -9,7 +9,7 @@ LOG = get_logger(__name__) class ImageRecord(Record): def __init__(self, session): - # this model is uses only for the parameters of access mothods, not an instance of model in the database + # this model is uses only for the parameters of access methods, not an instance of model in the database self.__image = Image() # self.set_record_data(self.__image) # self.__image.clear() @@ -48,7 +48,7 @@ class ImageRecord(Record): def delete_image_by_id(self, id): try: - result = self.session.connection().execute("delete from image where id = '{0}'".format(id)) + result = self.session.connection().execute("delete from image where id = '{0}'".format(id)) # nosec return result except Exception as exception: @@ -95,7 +95,7 @@ class ImageRecord(Record): raise def get_images_status_by_uuids(self, uuid_str): - results = self.session.connection().execute("SELECT id, resource_id, region, status" + results = self.session.connection().execute("SELECT id, resource_id, region, status" # nosec " FROM rds_resource_status_view WHERE resource_id IN ({})".format(uuid_str)) img_region_dict = {} if results: diff --git a/orm/services/region_manager/rms/model/model.py b/orm/services/region_manager/rms/model/model.py index fc20e355..b6d1d85f 100755 --- a/orm/services/region_manager/rms/model/model.py +++ b/orm/services/region_manager/rms/model/model.py @@ -1,8 +1,10 @@ """model module.""" +from orm.services.region_manager.rms.logger import get_logger from orm.services.region_manager.rms.services import error_base - from pecan import conf +logger = get_logger(__name__) + class Address(object): """address class.""" @@ -123,8 +125,9 @@ class RegionData(object): "type {}".format(endpoint.type)) try: endpoints_types_must_have.remove(endpoint.type) - except Exception: - pass + except Exception as exp: + # pass + logger.debug(exp) if len(endpoints_types_must_have) > 0: raise error_base.InputValueError( message="Invalid endpoints. Endpoint type '{}' " diff --git a/test-requirements.txt b/test-requirements.txt index ee4cf7cb..f3685245 100644 --- a/test-requirements.txt +++ b/test-requirements.txt @@ -3,7 +3,7 @@ # process, which may cause wedges in the gate later. hacking>=0.12.0,<0.13 # Apache-2.0 - +bandit>=1.5.1 coverage>=4.0,!=4.4 # Apache-2.0 openstackdocstheme>=1.11.0 # Apache-2.0 oslotest>=1.10.0 # Apache-2.0 diff --git a/tox.ini b/tox.ini index b4e33a9a..7d579ea4 100644 --- a/tox.ini +++ b/tox.ini @@ -21,8 +21,14 @@ whitelist_externals = bash find +[testenv:bandit] +deps = .[bandit] +commands = bandit-baseline -r orm -n5 -c bandit.yaml + [testenv:pep8] -commands = flake8 {posargs} +commands = + flake8 {posargs} + {[testenv:bandit]commands} [testenv:venv] commands = {posargs}