This is an automated email from the ASF dual-hosted git repository. gcruz pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/allura.git
commit 0d48081e35daee8fc83f48dcad950e4a05459af7 Author: Dave Brondsema <dbronds...@slashdotmedia.com> AuthorDate: Wed Mar 20 16:37:16 2024 -0400 [#8539] add bandit checks --- Allura/allura/command/script.py | 2 +- Allura/allura/command/taskd.py | 2 +- Allura/allura/config/middleware.py | 2 +- Allura/allura/controllers/rest.py | 2 +- Allura/allura/lib/decorators.py | 2 +- Allura/allura/lib/helpers.py | 2 +- Allura/allura/lib/import_api.py | 2 +- Allura/allura/lib/phone/nexmo.py | 4 ++-- Allura/allura/lib/plugin.py | 5 +++-- Allura/allura/lib/project_create_helpers.py | 2 +- Allura/allura/model/index.py | 2 +- Allura/allura/model/notification.py | 4 ++-- Allura/allura/scripts/trac_export.py | 6 +++--- .../allura/tests/functional/test_neighborhood.py | 7 ++----- Allura/allura/tests/unit/phone/test_nexmo.py | 16 ++++++++++++---- Allura/allura/websetup/bootstrap.py | 2 +- Allura/ldap-setup.py | 2 +- Allura/setup.py | 2 +- ForgeImporters/forgeimporters/base.py | 2 +- .../forgetracker/tests/unit/test_ticket_model.py | 2 +- fuse/accessfs.py | 2 +- ruff.toml | 22 +++++++++++++++++++--- scripts/ApacheAccessHandler.py | 2 +- scripts/changelog.py | 2 +- scripts/new_ticket.py | 2 +- scripts/wiki-copy.py | 4 ++-- 26 files changed, 63 insertions(+), 41 deletions(-) diff --git a/Allura/allura/command/script.py b/Allura/allura/command/script.py index 52e58b2fb..78edd8746 100644 --- a/Allura/allura/command/script.py +++ b/Allura/allura/command/script.py @@ -73,7 +73,7 @@ class ScriptCommand(base.Command): pr = cProfile.Profile() pr.enable() - exec(code, ns) + exec(code, ns) # noqa: S102 if self.options.profile: pr.disable() diff --git a/Allura/allura/command/taskd.py b/Allura/allura/command/taskd.py index 9d6c42c67..782c216cd 100644 --- a/Allura/allura/command/taskd.py +++ b/Allura/allura/command/taskd.py @@ -160,7 +160,7 @@ class TaskdCommand(base.Command): if self.restart_when_done: base.log.info('taskd pid %s restarting itself' % os.getpid()) - os.execv(sys.argv[0], sys.argv) + os.execv(sys.argv[0], sys.argv) # noqa: S606 class TaskCommand(base.Command): diff --git a/Allura/allura/config/middleware.py b/Allura/allura/config/middleware.py index e481a1621..edf28a968 100644 --- a/Allura/allura/config/middleware.py +++ b/Allura/allura/config/middleware.py @@ -91,7 +91,7 @@ def make_app(global_conf: dict, **app_conf): class BeakerPickleSerializerWithLatin1(PickleSerializer): def loads(self, data_string): # need latin1 to decode py2 timestamps in py https://docs.python.org/3/library/pickle.html#pickle.Unpickler - return pickle.loads(data_string, encoding='latin1') + return pickle.loads(data_string, encoding='latin1') # noqa: S301 def _make_core_app(root, global_conf: dict, **app_conf): diff --git a/Allura/allura/controllers/rest.py b/Allura/allura/controllers/rest.py index ef4ae4ca5..f077b3d40 100644 --- a/Allura/allura/controllers/rest.py +++ b/Allura/allura/controllers/rest.py @@ -251,7 +251,7 @@ class OAuthNegotiator: return AlluraOauth1Server(Oauth1Validator()) def _authenticate(self): - bearer_token_prefix = 'Bearer ' + bearer_token_prefix = 'Bearer ' # noqa: S105 auth = request.headers.get('Authorization') if auth and auth.startswith(bearer_token_prefix): access_token = auth[len(bearer_token_prefix):] diff --git a/Allura/allura/lib/decorators.py b/Allura/allura/lib/decorators.py index eaf8016f8..a0fecc1f4 100644 --- a/Allura/allura/lib/decorators.py +++ b/Allura/allura/lib/decorators.py @@ -142,7 +142,7 @@ def reconfirm_auth(func, *args, **kwargs): session.save() kwargs.pop('password', None) else: - request.validation.errors['password'] = 'Invalid password.' + request.validation.errors['password'] = 'Invalid password.' # noqa: S105 allowed_timedelta = timedelta(seconds=asint(config.get('auth.reconfirm.seconds', 60))) last_reconfirm = session.get('auth-reconfirmed', datetime.min) diff --git a/Allura/allura/lib/helpers.py b/Allura/allura/lib/helpers.py index f0675e443..5f5c41bdf 100644 --- a/Allura/allura/lib/helpers.py +++ b/Allura/allura/lib/helpers.py @@ -1080,7 +1080,7 @@ def urlopen(url: str | urllib.request.Request, retries=3, codes=(408, 500, 502, attempts = 0 while True: try: - return urllib.request.urlopen(url, timeout=timeout) + return urllib.request.urlopen(url, timeout=timeout) # noqa: S310 except OSError as e: no_retry = isinstance(e, urllib.error.HTTPError) and e.code not in codes if attempts < retries and not no_retry: diff --git a/Allura/allura/lib/import_api.py b/Allura/allura/lib/import_api.py index 141c03c00..f6d6282ab 100644 --- a/Allura/allura/lib/import_api.py +++ b/Allura/allura/lib/import_api.py @@ -47,7 +47,7 @@ class AlluraImportApiClient: while True: try: - result = six.moves.urllib.request.urlopen(url, six.ensure_binary(urlencode(params))) + result = six.moves.urllib.request.urlopen(url, six.ensure_binary(urlencode(params))) # noqa: S310 resp = result.read() return json.loads(resp) except six.moves.urllib.error.HTTPError as e: diff --git a/Allura/allura/lib/phone/nexmo.py b/Allura/allura/lib/phone/nexmo.py index 653159da2..630d7b94f 100644 --- a/Allura/allura/lib/phone/nexmo.py +++ b/Allura/allura/lib/phone/nexmo.py @@ -75,13 +75,13 @@ class NexmoPhoneService(PhoneService): url = urljoin(url, 'json') headers = {'Content-Type': 'application/json'} params = self.add_common_params(params) - log_params = dict(params, api_key='...', api_secret='...') + log_params = dict(params, api_key='...', api_secret='...') # noqa: S106 if 'number' in log_params: log_params['number'] = phone_number_hash(log_params['number']) post_params = json.dumps(params, sort_keys=True) log.info('PhoneService (nexmo) request: %s %s', url, log_params) try: - resp = requests.post(url, data=post_params, headers=headers) + resp = requests.post(url, data=post_params, headers=headers, timeout=30) log.info('PhoneService (nexmo) response: %s', resp.content) resp = resp.json() except Exception: diff --git a/Allura/allura/lib/plugin.py b/Allura/allura/lib/plugin.py index 03b6d61f2..d32227d13 100644 --- a/Allura/allura/lib/plugin.py +++ b/Allura/allura/lib/plugin.py @@ -27,7 +27,6 @@ import string import crypt import random from contextlib import contextmanager -from urllib.request import urlopen from urllib.parse import urlparse from io import BytesIO from random import randint @@ -36,6 +35,8 @@ from base64 import b64encode from datetime import datetime, timedelta import typing import calendar + +import requests import six try: @@ -1129,7 +1130,7 @@ class ProjectRegistrationProvider: troves.append( M.TroveCategory.query.get(trove_cat_id=trove_id)._id) if 'icon' in project_template: - icon_file = BytesIO(urlopen(project_template['icon']['url']).read()) + icon_file = BytesIO(requests.get(project_template['icon']['url'], timeout=30).content) p.save_icon(project_template['icon']['filename'], icon_file) if user_project: diff --git a/Allura/allura/lib/project_create_helpers.py b/Allura/allura/lib/project_create_helpers.py index 77c2c5adf..387eb0f68 100644 --- a/Allura/allura/lib/project_create_helpers.py +++ b/Allura/allura/lib/project_create_helpers.py @@ -309,7 +309,7 @@ def create_project_with_attrs(p, nbhd, update=False, ensure_tools=False): granted_by_neighborhood_id=nbhd._id) if p.icon_url: - req = requests.get(p.icon_url) + req = requests.get(p.icon_url, timeout=30) req.raise_for_status() project.save_icon(urlparse(p.icon_url).path, BytesIO(req.content), diff --git a/Allura/allura/model/index.py b/Allura/allura/model/index.py index 374fcb9cf..c778db3b3 100644 --- a/Allura/allura/model/index.py +++ b/Allura/allura/model/index.py @@ -93,7 +93,7 @@ class ArtifactReference(MappedClass): '''Look up the artifact referenced''' aref = self.artifact_reference try: - cls = loads(bytes(aref.cls)) + cls = loads(bytes(aref.cls)) # noqa: S301 with h.push_context(aref.project_id): return cls.query.get(_id=aref.artifact_id) except Exception: diff --git a/Allura/allura/model/notification.py b/Allura/allura/model/notification.py index d97f86ee3..164cee374 100644 --- a/Allura/allura/model/notification.py +++ b/Allura/allura/model/notification.py @@ -109,7 +109,7 @@ class Notification(MappedClass): ref = RelationProperty('ArtifactReference') - view = jinja2.Environment( + view = jinja2.Environment( # noqa: S701 loader=jinja2.PackageLoader('allura', 'templates'), auto_reload=asbool(config.get('auto_reload_templates', True)), ) @@ -688,7 +688,7 @@ class Mailbox(MappedClass): class MailFooter: - view = jinja2.Environment( + view = jinja2.Environment( # noqa: S701 loader=jinja2.PackageLoader('allura', 'templates'), auto_reload=asbool(config.get('auto_reload_templates', True)), ) diff --git a/Allura/allura/scripts/trac_export.py b/Allura/allura/scripts/trac_export.py index e40aa85f4..ce9d2c9e2 100644 --- a/Allura/allura/scripts/trac_export.py +++ b/Allura/allura/scripts/trac_export.py @@ -143,7 +143,7 @@ class TracExport: def csvopen(self, url): self.log_url(url) - f = urlopen(url) + f = urlopen(url) # noqa: S310 # Trac doesn't throw 403 error, just shows normal 200 HTML page # telling that access denied. So, we'll emulate 403 ourselves. # TODO: currently, any non-csv result treated as 403. @@ -166,7 +166,7 @@ class TracExport: html2text.BODY_WIDTH = 0 url = self.full_url(self.TICKET_URL % id) self.log_url(url) - d = BeautifulSoup(urlopen(url)) + d = BeautifulSoup(urlopen(url)) # noqa: S310 self.clean_missing_wiki_links(d) desc = d.find('div', 'description').find('div', 'searchable') ticket['description'] = html2text.html2text( @@ -195,7 +195,7 @@ class TracExport: # Scrape HTML to get ticket attachments url = self.full_url(self.ATTACHMENT_LIST_URL % id) self.log_url(url) - f = urlopen(url) + f = urlopen(url) # noqa: S310 soup = BeautifulSoup(f) attach = soup.find('div', id='attachments') list = [] diff --git a/Allura/allura/tests/functional/test_neighborhood.py b/Allura/allura/tests/functional/test_neighborhood.py index 13f46dfff..ec1633172 100644 --- a/Allura/allura/tests/functional/test_neighborhood.py +++ b/Allura/allura/tests/functional/test_neighborhood.py @@ -670,9 +670,6 @@ class TestNeighborhood(TestController): def test_project_template(self): setup_trove_categories() - icon_url = 'file://' + \ - os.path.join(allura.__path__[0], 'nf', 'allura', - 'images', 'neo-icon-set-454545-256x350.png') test_groups = [{ "name": "Viewer", # group will be created, all params are valid "permissions": ["read"], @@ -699,7 +696,7 @@ class TestNeighborhood(TestController): project_template="""{ "private":true, "icon":{ - "url":"%s", + "url":"https://httpbin.org/image/png", "filename":"icon.png" }, "tools":{ @@ -727,7 +724,7 @@ class TestNeighborhood(TestController): "developmentstatus":[11] }, "groups": %s - }""" % (icon_url, json.dumps(test_groups))), + }""" % (json.dumps(test_groups))), extra_environ=dict(username='root')) r = self.app.post( '/adobe/register', diff --git a/Allura/allura/tests/unit/phone/test_nexmo.py b/Allura/allura/tests/unit/phone/test_nexmo.py index f2e99dacd..8b27d4de1 100644 --- a/Allura/allura/tests/unit/phone/test_nexmo.py +++ b/Allura/allura/tests/unit/phone/test_nexmo.py @@ -95,7 +95,9 @@ class TestPhoneService: req.post.assert_called_once_with( 'https://api.nexmo.com/verify/json', data=data, - headers=headers) + headers=headers, + timeout=30, + ) req.post.reset_mock() req.post.return_value.json.return_value = { @@ -108,7 +110,9 @@ class TestPhoneService: req.post.assert_called_once_with( 'https://api.nexmo.com/verify/json', data=data, - headers=headers) + headers=headers, + timeout=30, + ) @patch('allura.lib.phone.nexmo.requests', autospec=True) def test_verify_exception(self, req): @@ -138,7 +142,9 @@ class TestPhoneService: req.post.assert_called_once_with( 'https://api.nexmo.com/verify/check/json', data=data, - headers=headers) + headers=headers, + timeout=30, + ) req.post.reset_mock() req.post.return_value.json.return_value = { @@ -151,7 +157,9 @@ class TestPhoneService: req.post.assert_called_once_with( 'https://api.nexmo.com/verify/check/json', data=data, - headers=headers) + headers=headers, + timeout=30, + ) @patch('allura.lib.phone.nexmo.requests', autospec=True) def test_check_exception(self, req): diff --git a/Allura/allura/websetup/bootstrap.py b/Allura/allura/websetup/bootstrap.py index 765c91228..eadd141e9 100644 --- a/Allura/allura/websetup/bootstrap.py +++ b/Allura/allura/websetup/bootstrap.py @@ -307,7 +307,7 @@ def clear_all_database_tables(): db.drop_collection(coll) -def create_user(display_name, username=None, password='foo', make_project=False): +def create_user(display_name, username=None, password='foo', make_project=False): # noqa: S107 if not username: username = display_name.lower().replace(' ', '-') user = M.User.register(dict(username=username, diff --git a/Allura/ldap-setup.py b/Allura/ldap-setup.py index baf5432ac..e91343048 100644 --- a/Allura/ldap-setup.py +++ b/Allura/ldap-setup.py @@ -95,7 +95,7 @@ def get_value(key, default): def run(command): - rc = os.system(command) + rc = os.system(command) # noqa: S605 if rc != 0: log.error('Error running %s', command) assert rc == 0 diff --git a/Allura/setup.py b/Allura/setup.py index e5c549376..63613d66a 100644 --- a/Allura/setup.py +++ b/Allura/setup.py @@ -17,7 +17,7 @@ from setuptools import setup, find_packages -exec(open('allura/version.py').read()) +exec(open('allura/version.py').read()) # noqa: S102 PROJECT_DESCRIPTION = ''' Allura is an open source implementation of a software "forge", a web site diff --git a/ForgeImporters/forgeimporters/base.py b/ForgeImporters/forgeimporters/base.py index e66cce270..79984d011 100644 --- a/ForgeImporters/forgeimporters/base.py +++ b/ForgeImporters/forgeimporters/base.py @@ -167,7 +167,7 @@ class ProjectExtractor: @staticmethod def urlopen(url, retries=3, codes=(408, 500, 502, 503, 504), timeout=120, unredirected_hdrs=None, **kw): - req = urllib.request.Request(url, **kw) + req = urllib.request.Request(url, **kw) # noqa: S310 if unredirected_hdrs: for key, val in unredirected_hdrs.items(): req.add_unredirected_header(key, val) diff --git a/ForgeTracker/forgetracker/tests/unit/test_ticket_model.py b/ForgeTracker/forgetracker/tests/unit/test_ticket_model.py index afd604678..9ea0c37a0 100644 --- a/ForgeTracker/forgetracker/tests/unit/test_ticket_model.py +++ b/ForgeTracker/forgetracker/tests/unit/test_ticket_model.py @@ -349,7 +349,7 @@ class TestTicketModel(TrackerTestWithModel): ticket.summary = 'test ticket' ticket.description = 'test description' assert len(ticket.attachments) == 0 - f = six.moves.urllib.request.urlopen('file://%s' % __file__) + f = six.moves.urllib.request.urlopen('file://%s' % __file__) # noqa: S310 TicketAttachment.save_attachment( 'test_ticket_model.py', ResettableStream(f), artifact_id=ticket._id) diff --git a/fuse/accessfs.py b/fuse/accessfs.py index 4d43e7e2e..d5e843622 100644 --- a/fuse/accessfs.py +++ b/fuse/accessfs.py @@ -341,7 +341,7 @@ class PermissionCache: repo_path=path, username=uname))) print(f'Checking access for {uname} at {url} ({path})') - fp = six.moves.urllib.request.urlopen(url) + fp = six.moves.urllib.request.urlopen(url) # noqa: S310 result = json.load(fp) print(result) entry = 0 diff --git a/ruff.toml b/ruff.toml index 2bfa1ec9e..7da944339 100644 --- a/ruff.toml +++ b/ruff.toml @@ -29,7 +29,7 @@ lint.select = [ "ISC001", # NIC001 in flake8 codes "B", "PGH", # https://github.com/pre-commit/pygrep-hooks - "S307", # eval + "S", # bandit "G010", # logging.warn "T10", # debugger breakpoints "T20", # print() @@ -47,13 +47,29 @@ lint.ignore = [ 'B007', # Loop control variable not used within the loop body 'B904', # use raise from 'B905', # zip(strict=True) would be good, but need to closely evaluate all existing cases first + 'S101', # assert + 'S103', # permissive filesystem mask + 'S104', # network binding, which doesn't apply to our code, and gives false-positive on test IPs + 'S108', # temp files + 'S110', # try-except-pass, too many exist already + 'S303', # md5 & sha1 + 'S311', # random + 'S324', # md5 & sha1 + 'S603', # subprocess + 'S607', # partial path ] [lint.per-file-ignores] '__init__.py' = ['F403'] # import * -'**/{alluratest,tests}/*' = [ +'{**/alluratest/*,**/tests/*,run_tests}' = [ 'B011', # assert False 'T20', # print + 'S105', # hard-coded secrets + 'S106', # hard-coded secrets + 'S107', # hard-coded password + 'S314', # XML parsing + 'S602', # subprocess shell=True + 'S604', # other shell=True ] '{scripts,Allura/allura/scripts,Allura/allura/command}/*' = ['T20'] # print -'{run_tests,fuse/accessfs.py,ForgeSVN/setup.py}' = ['T20'] # print +'{fuse/accessfs.py,ForgeSVN/setup.py}' = ['T20'] # print diff --git a/scripts/ApacheAccessHandler.py b/scripts/ApacheAccessHandler.py index 63ed8431f..217e4ecf6 100644 --- a/scripts/ApacheAccessHandler.py +++ b/scripts/ApacheAccessHandler.py @@ -49,7 +49,7 @@ def load_requests_lib(req): if virtualenv_path: activate_this = '%s/bin/activate_this.py' % virtualenv_path try: - exec(compile(open(activate_this, "rb").read(), activate_this, 'exec'), {'__file__': activate_this}) + exec(compile(open(activate_this, "rb").read(), activate_this, 'exec'), {'__file__': activate_this}) # noqa: S102 except Exception as e: log(req, "Couldn't activate venv via {}: {}".format(activate_this, repr(e))) global requests diff --git a/scripts/changelog.py b/scripts/changelog.py index bdada653f..6d4c2a7e9 100755 --- a/scripts/changelog.py +++ b/scripts/changelog.py @@ -56,7 +56,7 @@ def get_tickets(from_ref, to_ref): def get_ticket_summaries(tickets): summaries = {} - r = requests.get(API_URL.format(' '.join(tickets))) + r = requests.get(API_URL.format(' '.join(tickets)), timeout=30) if r.status_code != 200: raise ValueError(f'Unexpected response code: {r.status_code}') for ticket in r.json()['tickets']: diff --git a/scripts/new_ticket.py b/scripts/new_ticket.py index 7588dbfd8..6dbf5cc73 100755 --- a/scripts/new_ticket.py +++ b/scripts/new_ticket.py @@ -51,7 +51,7 @@ if __name__ == '__main__': 'access_token': access_token, 'ticket_form.summary': summary, 'ticket_form.description': description, - }) + }, timeout=30) if r.status_code == 200: print('Ticket created at: %s' % r.url) pprint(r.json()) diff --git a/scripts/wiki-copy.py b/scripts/wiki-copy.py index ddb3187d3..c023684b0 100644 --- a/scripts/wiki-copy.py +++ b/scripts/wiki-copy.py @@ -41,12 +41,12 @@ def main(): base_url = options.to_wiki.split('/rest/')[0] oauth_client = make_oauth_client(base_url) - wiki_json = requests.get(options.from_wiki).json()['pages'] + wiki_json = requests.get(options.from_wiki, timeout=30).json()['pages'] for p in wiki_json: from_url = options.from_wiki.rstrip('/') + '/' + p to_url = options.to_wiki.rstrip('/') + '/' + p try: - page_json = requests.get(from_url).json() + page_json = requests.get(from_url, timeout=30).json() if options.debug: print(page_json['text']) break