diff --git a/docker/kolla-toolbox/find_disks.py b/docker/kolla-toolbox/find_disks.py
index d1a6055f06..3a7fa4602c 100644
--- a/docker/kolla-toolbox/find_disks.py
+++ b/docker/kolla-toolbox/find_disks.py
@@ -67,7 +67,7 @@ EXAMPLES = '''
 import json
 import pyudev
 import re
-import subprocess
+import subprocess  # nosec
 
 
 def get_id_part_entry_name(dev):
@@ -84,7 +84,10 @@ def get_id_part_entry_name(dev):
         part = re.sub(r'.*[^\d]', '', dev.device_node)
         parent = dev.find_parent('block').device_node
         # NOTE(Mech422): Need to use -i as -p truncates the partition name
-        out = subprocess.Popen(['/usr/sbin/sgdisk', '-i', part, parent],
+        # TODO(pbourke): Consider some form of validation to be performed on
+        #                part/parent [0]
+        out = subprocess.Popen(['/usr/sbin/sgdisk', '-i', part,  # nosec [0]
+                                parent],
                                stdout=subprocess.PIPE).communicate()
         match = re.search(r'Partition name: \'(\w+)\'', out[0])
         if match:
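Review bot: The TODO on `part`/`parent` can be closed with a cheap guard instead of being left as an open marker: the regex on the first line of the hunk strips everything up to the last non-digit, so `part` is either all digits or empty, and the empty case is the one that would reach sgdisk unchecked; `find_parent('block')` may also return None, which fails on `.device_node` before the call. Checking the `find_parent` result before taking `.device_node`, and adding `if not part:` followed by a `raise ValueError('no partition number in %s' % dev.device_node)` (or the function's existing failure path) before the Popen, is enough to drop the `[0]` reference. The call itself is already an argv list with an absolute path and no shell, so the residual concern is argument values rather than injection. get_id_part_entry_name starts and ends outside the hunk.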
diff --git a/docker/kolla-toolbox/kolla_sanity.py b/docker/kolla-toolbox/kolla_sanity.py
index d2d2d4e481..b950204f40 100644
--- a/docker/kolla-toolbox/kolla_sanity.py
+++ b/docker/kolla-toolbox/kolla_sanity.py
@@ -22,6 +22,7 @@
 # in upstream shade we will be able to use more of the shade module. Until then
 # if we want to be 'stable' we really need to be using it as a passthrough
 
+import tempfile
 import traceback
 
 import shade
@@ -34,9 +35,9 @@ class SanityChecks(object):
 
     @staticmethod
     def glance(cloud):
-        open("/tmp/blank.qcow2", 'a').close()
-        cloud.create_image("test", filename="/tmp/blank.qcow2",
-                           disk_format="qcow2", container_format="bare")
+        with tempfile.NamedTemporaryfile(suffix='qcow2') as image:
+            cloud.create_image("test", filename=image.name,
+                               disk_format="qcow2", container_format="bare")
         testid = cloud.get_image_id("test")
         cloud.delete_image(testid)
 
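Review bot: `tempfile.NamedTemporaryfile` on the first added line is not a name the tempfile module provides — the class is `NamedTemporaryFile` (capital F), so glance() will raise AttributeError before create_image is ever called. The suffix also lacks the leading dot, so the generated name ends in `...qcow2` rather than `....qcow2`; the line should read `with tempfile.NamedTemporaryFile(suffix='.qcow2') as image:`. The ordering is otherwise sound: the file is unlinked when the with block exits, which is after create_image has returned.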
diff --git a/docker/neutron/neutron-base/ip_wrapper.py b/docker/neutron/neutron-base/ip_wrapper.py
index b7c77c3d11..3496be768f 100644
--- a/docker/neutron/neutron-base/ip_wrapper.py
+++ b/docker/neutron/neutron-base/ip_wrapper.py
@@ -24,7 +24,7 @@
 # at this time. Once Docker updates with this feature we will usre this again.
 
 import nsenter
-import subprocess
+import subprocess  # nosec
 import sys
 
 
@@ -36,7 +36,7 @@ def host_mnt_exec(cmd):
                     '1',
                     'mnt',
                     proc='/var/lib/kolla/host_proc/'))
-            process_ = subprocess.Popen(cmd)
+            process_ = subprocess.Popen(cmd)  # nosec
 
     except Exception as e:
         print(
@@ -64,5 +64,5 @@ else:
     if len(sys.argv) == 2:
         cmd = cmd + sys.argv[1:]
 
-process_ = subprocess.Popen(cmd)
+process_ = subprocess.Popen(cmd)  # nosec
 sys.exit(process_.returncode)
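Review bot: `sys.exit(process_.returncode)` on the last line reads returncode straight after `Popen`, before the child has been waited on, so the value is None and the wrapper exits 0 whatever the child does, possibly while the child is still running. The nosec waiver is reasonable because cmd is an argv list, but the pair of lines should be `process_ = subprocess.Popen(cmd)  # nosec` followed by `sys.exit(process_.wait())`, or simply `sys.exit(subprocess.call(cmd))  # nosec`. The Popen inside host_mnt_exec in the previous hunk has the same shape; whether its process_ is waited on is outside that hunk.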
diff --git a/docker/rabbitmq/rabbitmq_get_gospel_node.py b/docker/rabbitmq/rabbitmq_get_gospel_node.py
index 4ab7dee9f8..9f40c92ace 100644
--- a/docker/rabbitmq/rabbitmq_get_gospel_node.py
+++ b/docker/rabbitmq/rabbitmq_get_gospel_node.py
@@ -13,7 +13,7 @@
 # limitations under the License.
 
 import json
-import subprocess
+import subprocess  # nosec
 import traceback
 
 
@@ -23,9 +23,11 @@ def extract_gospel_node(term):
 
 def main():
     try:
+        # TODO(pbourke): see if can get gospel node without requiring shell
         raw_status = subprocess.check_output(
-            "rabbitmqctl eval 'rabbit_clusterer:status().'",
-            shell=True, stderr=subprocess.STDOUT
+            "/usr/sbin/rabbitmqctl eval 'rabbit_clusterer:status().'",
+            shell=True, stderr=subprocess.STDOUT  # nosec: this command appears
+                                                  # to require a shell to work
         )
         if "Rabbit is running in cluster configuration" not in raw_status:
             raise AttributeError
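Review bot: `shell=True` is not actually needed for this call — the command string has no interpolation, pipes or globbing, and the single quotes are shell quoting rather than part of rabbitmqctl's argument — so both the TODO and the nosec waiver can go by passing an argv list: `raw_status = subprocess.check_output(` / `['/usr/sbin/rabbitmqctl', 'eval', 'rabbit_clusterer:status().'],` / `stderr=subprocess.STDOUT)`. The absolute path added in this hunk already removes the PATH-lookup reason for a shell; if some other shell feature is genuinely required, the comment should name it rather than say the command "appears" to need one. main continues outside the hunk.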
diff --git a/docker/swift/swift-base/build-swift-ring.py b/docker/swift/swift-base/build-swift-ring.py
index 7889ad4754..ca42205f8e 100644
--- a/docker/swift/swift-base/build-swift-ring.py
+++ b/docker/swift/swift-base/build-swift-ring.py
@@ -19,7 +19,7 @@ This script is a simple wrapper used to create and rebalance Swift ring files.
 """
 
 import argparse
-import subprocess
+import subprocess  # nosec
 import sys
 
 
@@ -54,7 +54,10 @@ def setup_args():
 
 def run_cmd(cmd):
     print(' '.join(cmd))
-    subprocess.call(cmd)
+    # NOTE(sdake): [0] we expect Operators to run this command and for their
+    # environment to be properly secured.  Since this is not a network
+    # facing tool, there is no risk of untrusted input.
+    subprocess.call(cmd)  # nosec [0]
 
 
 def run(args):
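Review bot: `subprocess.call(cmd)` on the last changed line discards the exit status, so a failing swift-ring-builder step is echoed and then silently skipped while the script proceeds to the next command. `subprocess.check_call(cmd)  # nosec [0]` raises CalledProcessError on a non-zero exit and stops the ring build at the first failure, which is what an operator wants from this wrapper. The NOTE's reasoning (argv list, no shell, operator-supplied input) is the right basis for the waiver and can stay as written.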
diff --git a/kolla/cmd/genpwd.py b/kolla/cmd/genpwd.py
index ad77a77c0f..612fb25d1c 100755
--- a/kolla/cmd/genpwd.py
+++ b/kolla/cmd/genpwd.py
@@ -22,7 +22,7 @@ import yaml
 from Crypto.PublicKey import RSA
 
 
-def generate_RSA(bits=2048):
+def generate_RSA(bits=4096):
     new_key = RSA.generate(bits, os.urandom)
     private_key = new_key.exportKey("PEM")
     public_key = new_key.publickey().exportKey("OpenSSH")
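Review bot: generate_RSA has no docstring, and the change of its default from 2048 to 4096 is exactly the kind of detail a caller should be able to read off the function. A one-line docstring such as `"""Generate a fresh RSA key of *bits* bits; the private key is exported as unencrypted PEM, the public key in OpenSSH format."""` is grounded in the three lines visible here (`exportKey("PEM")` is called without a passphrase). The function's return statement is outside the hunk.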
@@ -52,7 +52,7 @@ def main():
     length = 40
 
     with open(passwords_file, 'r') as f:
-        passwords = yaml.load(f.read())
+        passwords = yaml.safe_load(f.read())
 
     for k, v in passwords.items():
         if (k in ssh_keys and
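Review bot: `yaml.safe_load(f.read())` returns None for an empty passwords file, and the `passwords.items()` loop on the following line then fails with AttributeError instead of a readable error. The smallest fix is `passwords = yaml.safe_load(f) or {}` (safe_load accepts the open file directly, so the `.read()` is redundant); if an empty file should be an error rather than "nothing to generate", an explicit `isinstance(passwords, dict)` check with a clear message is the alternative. main starts and ends outside the hunk.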
diff --git a/tools/validate-yaml.py b/tools/validate-yaml.py
index c4e4326d96..6df84ff07d 100755
--- a/tools/validate-yaml.py
+++ b/tools/validate-yaml.py
@@ -32,7 +32,7 @@ def main():
     for filename in args.input:
         with open(filename) as fd:
             try:
-                yaml.load(fd)
+                yaml.safe_load(fd)
             except yaml.error.YAMLError as error:
                 res = 1
                 logging.error('%s failed validation: %s',
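Review bot: `yaml.safe_load(fd)` parses a single document only; a multi-document stream (documents separated by `---`) raises `ComposerError`, which is a `YAMLError` subclass, so such a file would be reported as failing validation although it is well-formed YAML. If any of the input files are expected to hold several documents, `list(yaml.safe_load_all(fd))` validates each of them; if not, the call is correct and the switch to the safe loader is the right choice for a tool run over arbitrary files. main continues outside the hunk.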
diff --git a/tox.ini b/tox.ini
index aabd118ae4..d627b630f2 100644
--- a/tox.ini
+++ b/tox.ini
@@ -26,7 +26,7 @@ commands =
   {toxinidir}/tools/validate-all-dockerfiles.sh
 
 [testenv:bandit]
-commands = bandit -r ansible/library dev docker kolla tests tools
+commands = bandit -r ansible/library docker kolla tests tools
 
 [testenv:venv]
 commands = {posargs}
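Review bot: `dev` is dropped from the bandit target list on the changed line without any explanation in the hunk; if that directory still contains Python code it is now outside the scan, and if it was removed from the tree the reason belongs in the commit message. A short `# dev/ is excluded from bandit because ...` line above the commands entry would keep the next reader from re-asking.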