From 575739d07cb0e7156b0301666f296bc968b20269 Mon Sep 17 00:00:00 2001
From: Jens Langhammer
Date: Thu, 2 Jan 2020 13:41:49 +0100
Subject: [PATCH] ci: add bandit for static security checks
---
 .github/workflows/ci.yml | 17 +++++++++++++++++
 passbook/lib/templatetags/utils.py | 4 ++--
 passbook/root/monitoring.py | 8 ++++----
 3 files changed, 23 insertions(+), 6 deletions(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 837b6e01a9..625cf94c27 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -59,6 +59,23 @@ jobs:
 run: pip install -U pip pipenv && pipenv install --dev
 - name: Lint with prospector
 run: pipenv run prospector
+ bandit:
+ runs-on: [ubuntu-latest]
+ steps:
+ - uses: actions/checkout@v1
+ - uses: actions/setup-python@v1
+ with:
+ python-version: '3.7'
+ - uses: actions/cache@v1
+ with:
+ path: ~/.local/share/virtualenvs/
+ key: ${{ runner.os }}-pipenv-${{ hashFiles('Pipfile.lock') }}
+ restore-keys: |
+ ${{ runner.os }}-pipenv-
+ - name: Install dependencies
+ run: pip install -U pip pipenv && pipenv install --dev
+ - name: Lint with bandit
+ run: pipenv run bandit -r passbook
 # Actual CI tests
 migrations:
 needs:
diff --git a/passbook/lib/templatetags/utils.py b/passbook/lib/templatetags/utils.py
index f472f431a4..43ce5dd95b 100644
--- a/passbook/lib/templatetags/utils.py
+++ b/passbook/lib/templatetags/utils.py
@@ -100,8 +100,8 @@ def gravatar(email, size=None, rating=None):
 # gravatar uses md5 for their URLs, so md5 can't be avoided
 gravatar_url = "%savatar/%s" % (
 "https://secure.gravatar.com/",
- md5(email.encode("utf-8")).hexdigest(),
- ) # nosec
+ md5(email.encode("utf-8")).hexdigest(), # nosec
+ )
 parameters = [p for p in (("s", size or "158"), ("r", rating or "g"),) if p[1]]
diff --git a/passbook/root/monitoring.py b/passbook/root/monitoring.py
index 33ffc0fca2..ff9c65a841 100644
--- a/passbook/root/monitoring.py
+++ b/passbook/root/monitoring.py
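Review bot: The new `bandit` job runs `pipenv run bandit -r passbook` after `pipenv install --dev`, yet the commit does not touch Pipfile or Pipfile.lock (the diffstat lists only three files), so it appears to rely on bandit already being a declared dev dependency; if it is not, the lint step fails on a missing executable rather than on a finding. Every action in the job is also referenced by a mutable major tag (`actions/checkout@v1`, `actions/setup-python@v1`, `actions/cache@v1`), which lets the action's contents change underneath a job whose purpose is a security check; pinning each `uses:` to a full commit SHA with the tag kept in a trailing comment, e.g. `- uses: actions/checkout@<full-commit-sha> # v1`, makes the job reproducible and auditable.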
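Review bot: The bare `# nosec` moved onto the `md5(email.encode("utf-8")).hexdigest(),` line silences every bandit check on that line, not only the weak-hash finding that the comment above it justifies; where the installed bandit supports test-qualified markers, writing `# nosec` followed by the specific test id bandit reports for this line keeps the suppression scoped to that one finding. The enclosing `gravatar` function starts and ends outside the hunk.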
@@ -13,11 +13,11 @@ class MetricsView(View):
 def get(self, request: HttpRequest) -> HttpResponse:
 """Check for HTTP-Basic auth"""
 auth_header = request.META.get("HTTP_AUTHORIZATION", "")
- token_type, _, credentials = auth_header.partition(" ")
- creds = f"monitor:{settings.SECRET_KEY}"
- expected = b64encode(str.encode(creds)).decode()
+ auth_type, _, credentials = auth_header.partition(" ")
+ credentials = f"monitor:{settings.SECRET_KEY}"
+ expected = b64encode(str.encode(credentials)).decode()
- if token_type != "Basic" or credentials != expected:
+ if auth_type != "Basic" or credentials != expected:
 raise Http404
 return ExportToDjangoView(request)
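Review bot: The rename clobbers the client-supplied value: `credentials` is bound from `auth_header.partition(" ")` and on the very next line rebound to `f"monitor:{settings.SECRET_KEY}"`, so the `if` compares the expected plaintext against its own base64 encoding and every request, including a correctly authenticated one, ends in Http404. Keep the two values under distinct names, e.g. `auth_type, _, supplied = auth_header.partition(" ")` and `if auth_type != "Basic" or not hmac.compare_digest(supplied, expected):`, with `import hmac` added at the top of the file; `hmac.compare_digest` also keeps the comparison against the secret-derived value constant-time instead of the early-exit `!=`. The removed `creds` name was what kept these two values apart in the old code.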