From 0a0e7e8bae76f0b54d1d8832ccabd7beb794f842 Mon Sep 17 00:00:00 2001
From: Eric Brown
Date: Mon, 17 Aug 2015 23:57:40 -0700
Subject: [PATCH] Update bandit.yaml to the latest
The existing bandit.yaml was based on 0.10.1 version of bandit. Commit I9504c44ac575b47b256496e833dd53a9dce113d2 adopts version 0.13.2 of bandit. As a result, the bandit.yaml needs to be synced with the standard version. Also, with the newest bandit, some #nosec tags can be removed.
Change-Id: I503cd33d401b104aa502e7909f949c438a6248e6
---
 bandit.yaml | 125 +++++++++++++++++++++++++++++--
 oslo_vmware/objects/datastore.py | 5 +-
 oslo_vmware/service.py | 4 +-
 tox.ini | 2 +-
 4 files changed, 122 insertions(+), 14 deletions(-)
diff --git a/bandit.yaml b/bandit.yaml
index 5a436a45..bb46478a 100644
--- a/bandit.yaml
+++ b/bandit.yaml
@@ -11,9 +11,9 @@ plugin_name_pattern: '*.py'
 #output_colors:
 # DEFAULT: '\033[0m'
 # HEADER: '\033[95m'
-# INFO: '\033[94m'
-# WARN: '\033[93m'
-# ERROR: '\033[91m'
+# LOW: '\033[94m'
+# MEDIUM: '\033[93m'
+# HIGH: '\033[91m'
 # optional: log format string
 #log_format: "[%(module)s]\t%(levelname)s\t%(message)s"
@@ -21,6 +21,7 @@ plugin_name_pattern: '*.py'
 # globs of files which should be analyzed
 include:
 - '*.py'
+ - '*.pyw'
 # a list of strings, which if found in the path will cause files to be excluded
 # for example /tests/ - to remove all all files in tests directory
@@ -28,6 +29,36 @@ exclude_dirs:
 - '/tests/'
 profiles:
+ All:
+ include:
+ - any_other_function_with_shell_equals_true
+ - assert_used
+ - blacklist_calls
+ - blacklist_import_func
+ - blacklist_imports
+ - exec_used
+ - execute_with_run_as_root_equals_true
+ - hardcoded_bind_all_interfaces
+ - hardcoded_password
+ - hardcoded_sql_expressions
+ - hardcoded_tmp_directory
+ - jinja2_autoescape_false
+ - linux_commands_wildcard_injection
+ - paramiko_calls
+ - password_config_option_not_marked_secret
+ - request_with_no_cert_validation
+ - set_bad_file_permissions
+ - subprocess_popen_with_shell_equals_true
+ - subprocess_without_shell_equals_true
+ - start_process_with_a_shell
+ - start_process_with_no_shell
+ - start_process_with_partial_path
+ - ssl_with_bad_defaults
+ - ssl_with_bad_version
+ - ssl_with_no_version
+ - try_except_pass
+ - use_of_mako_templates
+
 XSS:
 include:
 - jinja2_autoescape_false
@@ -40,6 +71,7 @@ profiles:
 - any_other_function_with_shell_equals_true
 - start_process_with_a_shell
 - start_process_with_no_shell
+ - start_process_with_partial_path
 exclude:
 SqlInjection:
@@ -56,8 +88,8 @@ blacklist_calls:
 qualnames: [marshal.load, marshal.loads]
 message: "Deserialization with the marshal module is possibly dangerous."
 - md5:
- qualnames: [hashlib.md5]
- message: "Use of insecure MD5 hash function."
+ qualnames: [hashlib.md5, Crypto.Hash.MD2.new, Crypto.Hash.MD4.new, Crypto.Hash.MD5.new, cryptography.hazmat.primitives.hashes.MD5]
+ message: "Use of insecure MD2, MD4, or MD5 hash function."
 - mktemp_q:
 qualnames: [tempfile.mktemp]
 message: "Use of insecure and deprecated function (mktemp)."
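Review bot: The new `All` profile is a hand-maintained enumeration of every 0.13.2 test, so a test added in a later bandit release will silently be missing from it until someone notices. As far as I can tell bandit runs every discovered test when no `-p` profile is given, and the tox.ini hunk in this patch passes none, so the profile is only exercised by an explicit `-p All`. A comment above it would record that maintenance duty: `# All: every test shipped with bandit 0.13.2 - keep in sync when the pinned bandit version is bumped`.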
@@ -76,6 +108,55 @@ blacklist_calls:
 - urllib_urlopen:
 qualnames: [urllib.urlopen, urllib.urlretrieve, urllib.URLopener, urllib.FancyURLopener, urllib2.urlopen, urllib2.Request]
 message: "Audit url open for permitted schemes. Allowing use of file:/ or custom schemes is often unexpected."
+ - random:
+ qualnames: [random.random, random.randrange, random.randint, random.choice, random.uniform, random.triangular]
+ message: "Standard pseudo-random generators are not suitable for security/cryptographic purposes."
+ level: "LOW"
+
+ # Most of this is based off of Christian Heimes' work on defusedxml:
+ # https://pypi.python.org/pypi/defusedxml/#defusedxml-sax
+
+ - xml_bad_cElementTree:
+ qualnames: [xml.etree.cElementTree.parse,
+ xml.etree.cElementTree.iterparse,
+ xml.etree.cElementTree.fromstring,
+ xml.etree.cElementTree.XMLParser]
+ message: "Using {func} to parse untrusted XML data is known to be vulnerable to XML attacks. Replace {func} with it's defusedxml equivilent function."
+ - xml_bad_ElementTree:
+ qualnames: [xml.etree.ElementTree.parse,
+ xml.etree.ElementTree.iterparse,
+ xml.etree.ElementTree.fromstring,
+ xml.etree.ElementTree.XMLParser]
+ message: "Using {func} to parse untrusted XML data is known to be vulnerable to XML attacks. Replace {func} with it's defusedxml equivilent function."
+ - xml_bad_expatreader:
+ qualnames: [xml.sax.expatreader.create_parser]
+ message: "Using {func} to parse untrusted XML data is known to be vulnerable to XML attacks. Replace {func} with it's defusedxml equivilent function."
+ - xml_bad_expatbuilder:
+ qualnames: [xml.dom.expatbuilder.parse,
+ xml.dom.expatbuilder.parseString]
+ message: "Using {func} to parse untrusted XML data is known to be vulnerable to XML attacks. Replace {func} with it's defusedxml equivilent function."
+ - xml_bad_sax:
+ qualnames: [xml.sax.parse,
+ xml.sax.parseString,
+ xml.sax.make_parser]
+ message: "Using {func} to parse untrusted XML data is known to be vulnerable to XML attacks. 
Replace {func} with it's defusedxml equivilent function."
+ - xml_bad_minidom:
+ qualnames: [xml.dom.minidom.parse,
+ xml.dom.minidom.parseString]
+ message: "Using {func} to parse untrusted XML data is known to be vulnerable to XML attacks. Replace {func} with it's defusedxml equivilent function."
+ - xml_bad_pulldom:
+ qualnames: [xml.dom.pulldom.parse,
+ xml.dom.pulldom.parseString]
+ message: "Using {func} to parse untrusted XML data is known to be vulnerable to XML attacks. Replace {func} with it's defusedxml equivilent function."
+ - xml_bad_etree:
+ qualnames: [lxml.etree.parse,
+ lxml.etree.fromstring,
+ lxml.etree.RestrictedElement,
+ lxml.etree.GlobalParserTLS,
+ lxml.etree.getDefaultParser,
+ lxml.etree.check_docinfo]
+ message: "Using {func} to parse untrusted XML data is known to be vulnerable to XML attacks. Replace {func} with it's defusedxml equivilent function."
+
 shell_injection:
 # Start a process using the subprocess module, or one of its wrappers.
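Review bot: The eight `xml_bad_*` messages added in this hunk (and the `xml_libs` message in the next one) carry the upstream typos `it's` for `its` and `equivilent` for `equivalent`, and that text is printed verbatim in every finding bandit reports. Since the stated goal is to match the standard 0.13.2 config, correcting them here would make the file diverge from upstream again, so the better route is a fix upstream followed by a re-sync. If the messages are edited locally anyway, `Replace {func} with its defusedxml equivalent function.` is the intended wording.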
@@ -95,15 +176,40 @@ blacklist_imports:
 bad_import_sets:
 - telnet:
 imports: [telnetlib]
- level: ERROR
+ level: HIGH
 message: "Telnet is considered insecure. Use SSH or some other encrypted protocol."
 - info_libs:
 imports: [pickle, cPickle, subprocess, Crypto]
- level: INFO
+ level: LOW
 message: "Consider possible security implications associated with {module} module."
+ # Most of this is based off of Christian Heimes' work on defusedxml:
+ # https://pypi.python.org/pypi/defusedxml/#defusedxml-sax
+
+ - xml_libs:
+ imports: [xml.etree.cElementTree,
+ xml.etree.ElementTree,
+ xml.sax.expatreader,
+ xml.sax,
+ xml.dom.expatbuilder,
+ xml.dom.minidom,
+ xml.dom.pulldom,
+ lxml.etree,
+ lxml]
+ message: "Using {module} to parse untrusted XML data is known to be vulnerable to XML attacks. Replace {module} with the equivilent defusedxml package."
+ level: LOW
+ - xml_libs_high:
+ imports: [xmlrpclib]
+ message: "Using {module} to parse untrusted XML data is known to be vulnerable to XML attacks. Use defused.xmlrpc.monkey_patch() function to monkey-patch xmlrpclib and mitigate XML vulnerabilities."
+ level: HIGH
+
+hardcoded_tmp_directory:
+ tmp_dirs: ['/tmp', '/var/tmp', '/dev/shm']
+
 hardcoded_password:
- word_list: "wordlist/default-passwords"
+ # Support for full path, relative path and special "%(site_data_dir)s"
+ # substitution (/usr/{local}/share)
+ word_list: "%(site_data_dir)s/wordlist/default-passwords"
 ssl_with_bad_version:
 bad_protocol_versions:
@@ -127,3 +233,6 @@ execute_with_run_as_root_equals_true:
 - neutron.agent.linux.utils.execute
 - nova.utils.execute
 - nova.utils.trycmd
+
+try_except_pass:
+ check_typed_exception: True
diff --git a/oslo_vmware/objects/datastore.py b/oslo_vmware/objects/datastore.py
index 4f1e0e1e..87e7c914 100644
--- a/oslo_vmware/objects/datastore.py
+++ b/oslo_vmware/objects/datastore.py
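Review bot: The `xml_libs_high` message tells the reader to call `defused.xmlrpc.monkey_patch()`, but the defusedxml package exposes that helper as `defusedxml.xmlrpc.monkey_patch()`, so anyone following the hint as written gets an ImportError instead of a mitigation. The text is inherited from the upstream config, so the fix belongs there too, but the line to change here is `message: "Using {module} to parse untrusted XML data is known to be vulnerable to XML attacks. Use defusedxml.xmlrpc.monkey_patch() function to monkey-patch xmlrpclib and mitigate XML vulnerabilities."`. Separately, the new `word_list` value only works because bandit expands `%(site_data_dir)s`; an older bandit would look for that literal path, so the version pinned in test-requirements.txt (referenced from the tox.ini hunk) is presumably what guarantees the substitution.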
@@ -14,7 +14,7 @@
 import logging
 import posixpath
-import random as _random # nosec
+import random
 import six.moves.http_client as httplib
 import six.moves.urllib.parse as urlparse
@@ -25,7 +25,6 @@ from oslo_vmware import exceptions
 from oslo_vmware import vim_util
 LOG = logging.getLogger(__name__)
-random = _random.SystemRandom() # nosec
 def get_datastore_by_ref(session, ds_ref):
@@ -157,7 +156,7 @@ class Datastore(object):
 @staticmethod
 def choose_host(hosts):
- i = random.randrange(0, len(hosts)) # nosec
+ i = random.SystemRandom().randrange(0, len(hosts))
 return hosts[i]
diff --git a/oslo_vmware/service.py b/oslo_vmware/service.py
index 51ca5041..ac341b16 100644
--- a/oslo_vmware/service.py
+++ b/oslo_vmware/service.py
@@ -380,8 +380,8 @@ class SudsLogFilter(logging.Filter):
 if login.childAtPath('userName') is not None:
 login.childAtPath('userName').setText('***')
- if login.childAtPath('password') is not None:
- login.childAtPath('password').setText('***')
+ if login.childAtPath('password') is not None: # nosec
+ login.childAtPath('password').setText('***') # nosec
 session_id = login.childAtPath('sessionID')
 if session_id is not None:
diff --git a/tox.ini b/tox.ini
index 58c5c13c..403dc857 100644
--- a/tox.ini
+++ b/tox.ini
@@ -18,7 +18,7 @@ commands = pylint oslo
 [testenv:bandit]
 deps = -r{toxinidir}/test-requirements.txt
-commands = bandit -c bandit.yaml -r oslo_vmware -n 5 -ll
+commands = bandit -c bandit.yaml -r oslo_vmware -n 5
 [testenv:docs]
 commands = python setup.py build_sphinx
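Review bot: `choose_host` now reads as if a CSPRNG were a functional requirement of picking a host, while the module-level `SystemRandom` it replaces and the `# nosec` it drops suggest the real reason is to stay clear of bandit's new `random` blacklist, so a future "simplification" back to `random.randrange` would re-trip the linter without anyone knowing why. A short comment on the new line would keep that intent visible: `i = random.SystemRandom().randrange(0, len(hosts))  # os.urandom-backed; plain random.* is blacklisted by bandit`. The pre-existing `ValueError` from `randrange(0, 0)` on an empty `hosts` list is untouched here; `random.SystemRandom().choice(hosts)` would express the same selection in one call but fails with IndexError instead, so changing it is a separate decision. `Datastore` starts outside the hunk, though the method body itself is fully visible.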
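Review bot: The two `# nosec` markers added in `SudsLogFilter` say nothing about what they suppress, and to my knowledge bandit 0.13.2 has no per-check form of the marker, so they silence every test on those two lines, not just the hardcoded-password one. The string being matched is the SOAP element name `'password'` that the filter is redacting, not a credential, which is exactly the situation the marker exists for; record that inline, e.g. `# nosec: 'password' is the XML element name being redacted, not a secret`. The redaction itself (the `'***'` literal) is unchanged, so behaviour is preserved. The enclosing method starts outside the hunk.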
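Review bot: Dropping `-ll` from the bandit command changes the gate, not only the config: LOW-severity findings such as the new `random` and `try_except_pass` checks and the `pickle`/`subprocess` import notices are now reported, and if bandit's exit status reflects any reported issue, as I believe it does in this version, they fail the tox env where they were previously filtered out. The commit message only talks about syncing bandit.yaml, so this tightening is easy to miss in review and in a later bisect. A comment in tox.ini would make it deliberate: `# no -ll: LOW-severity findings are reported and fail the run; suppress per line with # nosec`.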