Public bug reported:

Keystone currently has the keystone_conservative profile in bandit.yaml
defined as follows:

    keystone_conservative:
        include:
            - blacklist_functions
            - blacklist_imports
            - request_with_no_cert_validation
            - exec_used
            - set_bad_file_permissions
            - subprocess_popen_with_shell_equals_true
            - linux_commands_wildcard_injection
            - ssl_with_bad_version

The keystone_conservative profile is the default profile run when using
bandit in the keystone project.

The problem is that blacklist_functions is not actually a bandit plugin.
There is a plugin called blacklist_calls, but not blacklist_functions.

To recreate:

- Edit bandit.yaml, comment out "- '/tests/'" in the exclude_dirs
- Run 'tox -e bandit'
- Notice you get no errors
- Edit bandit.yaml again, search/replace blacklist_functions to blacklist_calls
- Rerun 'tox -e bandit'
- Notice you get an error now:

    >> Issue: Use of possibly insecure function - consider using safer ast.literal_eval.
       Severity: Medium   Confidence: High
       Location: keystone/tests/unit/test_wsgi.py:104
       103         resp = req.get_response(app)
       104         self.assertIn('X-Foo', eval(resp.body))
       105

So basically, the blacklist_calls are never checked.

** Affects: keystone
     Importance: Low
     Assignee: Eric Brown (ericwb)
         Status: In Progress

** Changed in: keystone
     Assignee: (unassigned) => Eric Brown (ericwb)

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1460839

Title:
  bandit: blacklist_functions not a valid plugin

Status in OpenStack Identity (Keystone):
  In Progress

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1460839/+subscriptions