Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Security: Add security linting #6703

Merged
merged 9 commits into from
May 21, 2024
Merged

Security: Add security linting #6703

merged 9 commits into from
May 21, 2024

Conversation

rdimaio
Copy link
Contributor

@rdimaio rdimaio commented Apr 19, 2024

Part of #6620

Please see the extended commit message of each commit for more information

@rdimaio
Security: Mark token checks as safe (S105); rucio#6620
5e14c76 
hardcoded-password-string (S105) checks for possible
hardcoded password strings in the code.
"token" is a keyword that triggers this check,
but it is safe in the context of our usage.

See also:
- https://docs.astral.sh/ruff/rules/hardcoded-password-string/
- astral-sh/ruff#7816
@rdimaio
Security: Mark statement as safe (S104); rucio#6620
69e9baa 
hardcoded-bind-all-interfaces (S104) checks for
hardcoded bindings to all network interfaces.
In our case, we are setting the client IP to 0.0.0.0.

See also:
- https://docs.astral.sh/ruff/rules/hardcoded-bind-all-interfaces/
@rdimaio
Security: Mark statement as safe (S606); rucio#6620
587fed7 
S606: Starting a process without a shell
There seems to be no direct `subprocess` equivalent to `os.execvp`
that also retains the feature of replacing the current process.
In this context, it is better to ignore S606 and keep using `os.execvp`.

See also:
- https://stackoverflow.com/a/6743663
- https://docs.astral.sh/ruff/rules/start-process-with-no-shell/
@rdimaio
Security: Mark statements as safe (S605); rucio#6620
3a54bf7 
S605: start-process-with-a-shell

No injection risks are expected in the usages that have been identified
by the linter.

See also:
- https://docs.astral.sh/ruff/rules/start-process-with-a-shell/
@rdimaio
Security: Mark statements as safe (S607); rucio#6620
2ad373e 
S607: start-process-with-partial-path

The usages identified by the linter are safe from the risks associated
with this issue, and have been marked with an inline comment.

See also:
- https://docs.astral.sh/ruff/rules/start-process-with-partial-path/
@rdimaio
Security: Mark statement as safe (S202); rucio#6620
67b9cf0 
S202: tarfile-unsafe-members

In this context, we use data from a trusted source (MaxMind), and the
statement has been marked as safe. For added safety, `filter='data'` can
be added when we reach Python 3.12
(https://docs.python.org/3/library/tarfile.html#tarfile.TarFile.extractall).

See also:
- https://docs.astral.sh/ruff/rules/tarfile-unsafe-members/
@rdimaio
Security: Mark statements as safe (S106); rucio#6620
0219da0 
S106: hardcoded-password-func-arg

The statements involving the token_type assignments are false positives.

The `add_account_identity()` call in `vo.py` creates the userpass
identity for the first root user for a VO. Ideally, we would probably
want to let the user select a password when creating a VO (or randomly
generate a password), but this usage can still be considered safe, as
long as the root password is later changed.

See also:
- https://docs.astral.sh/ruff/rules/hardcoded-password-func-arg/
@rdimaio
Security: Mark statements as S314 and S318 safe; rucio#6620
b2ea441 
S314: suspicious-xml-element-tree-usage
and
S318: suspicious-xml-mini-dom-usage

These error codes check for XML parser usage.
In the statements marked, we are parsing from safe sources,
so no risks are expected.

See also:
- https://docs.astral.sh/ruff/rules/suspicious-xml-element-tree-usage/
https://docs.astral.sh/ruff/rules/suspicious-xml-mini-dom-usage/
@rdimaio
Security: Add security linting; rucio#6620
0173ff7 
Extending the ruff configuration to include bandit for security linting.
Some security checks are temporarily ignored - for each, a pending issue is added,
and the check should stop being ignored once the issue is resolved.

Configured some security checks to always be ignored for test files.
@rdimaio
Copy link
Contributor Author

rdimaio commented Apr 26, 2024

Rebased in latest forcepush

@bari12 bari12 merged commit efefdcd into rucio:master May 21, 2024
27 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@bari12 bari12 bari12 approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@rdimaio @bari12