-
Notifications
You must be signed in to change notification settings - Fork 301
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Security: Add security linting #6703
Merged
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
hardcoded-password-string (S105) checks for possible hardcoded password strings in the code. "token" is a keyword that triggers this check, but it is safe in the context of our usage. See also: - https://docs.astral.sh/ruff/rules/hardcoded-password-string/ - astral-sh/ruff#7816
hardcoded-bind-all-interfaces (S104) checks for hardcoded bindings to all network interfaces. In our case, we are setting the client IP to 0.0.0.0. See also: - https://docs.astral.sh/ruff/rules/hardcoded-bind-all-interfaces/
S606: Starting a process without a shell There seems to be no direct `subprocess` equivalent to `os.execvp` that also retains the feature of replacing the current process. In this context, it is better to ignore S606 and keep using `os.execvp`. See also: - https://stackoverflow.com/a/6743663 - https://docs.astral.sh/ruff/rules/start-process-with-no-shell/
S605: start-process-with-a-shell No injection risks are expected in the usages that have been identified by the linter. See also: - https://docs.astral.sh/ruff/rules/start-process-with-a-shell/
S607: start-process-with-partial-path The usages identified by the linter are safe from the risks associated with this issue, and have been marked with an inline comment. See also: - https://docs.astral.sh/ruff/rules/start-process-with-partial-path/
S202: tarfile-unsafe-members In this context, we use data from a trusted source (MaxMind), and the statement has been marked as safe. For added safety, `filter='data'` can be added when we reach Python 3.12 (https://docs.python.org/3/library/tarfile.html#tarfile.TarFile.extractall). See also: - https://docs.astral.sh/ruff/rules/tarfile-unsafe-members/
S106: hardcoded-password-func-arg The statements involving the token_type assignments are false positives. The `add_account_identity()` call in `vo.py` creates the userpass identity for the first root user for a VO. Ideally, we would probably want to let the user select a password when creating a VO (or randomly generate a password), but this usage can still be considered safe, as long as the root password is later changed. See also: - https://docs.astral.sh/ruff/rules/hardcoded-password-func-arg/
S314: suspicious-xml-element-tree-usage and S318: suspicious-xml-mini-dom-usage These error codes check for XML parser usage. In the statements marked, we are parsing from safe sources, so no risks are expected. See also: - https://docs.astral.sh/ruff/rules/suspicious-xml-element-tree-usage/ https://docs.astral.sh/ruff/rules/suspicious-xml-mini-dom-usage/
Extending the ruff configuration to include bandit for security linting. Some security checks are temporarily ignored - for each, a pending issue is added, and the check should stop being ignored once the issue is resolved. Configured some security checks to always be ignored for test files.
rdimaio
force-pushed
the
patch-6620-bandit
branch
from
April 26, 2024 15:23
795e04c
to
0173ff7
Compare
Rebased in latest forcepush |
bari12
approved these changes
May 21, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Part of #6620
Please see the extended commit message of each commit for more information