From bc66ede9aaa6583c489f4ee943e43a5534b6ea2f Mon Sep 17 00:00:00 2001
From: Travis McPeak
Date: Mon, 24 Apr 2017 18:37:03 -0700
Subject: [PATCH] Fixing Bandit findings and adding travis Bandit job (#759)

* Fixes for Bandit

This commit fixes a couple of issues so that Bandit can run cleanly using medium+ severity and confidence filtering.

* Adding Lemur Bandit job to TravisCI
---
 .travis.yml | 2 ++
 lemur/factory.py | 3 ++-
 lemur/plugins/lemur_email/templates/config.py | 5 +++--
 lemur/plugins/lemur_kubernetes/plugin.py | 4 +++-
 setup.py | 2 +-
 5 files changed, 11 insertions(+), 5 deletions(-)

diff --git a/.travis.yml b/.travis.yml
index 5e39c8c9..37ec1434 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -34,9 +34,11 @@ before_script:
 install:
 - pip install coveralls
+ - pip install bandit
 script:
 - make test
+ - bandit -r . -ll -ii -x lemur/tests/,docs
 after_success:
 - coveralls
diff --git a/lemur/factory.py b/lemur/factory.py
index 3edce17a..2029667a 100644
--- a/lemur/factory.py
+++ b/lemur/factory.py
@@ -73,7 +73,8 @@ def from_file(file_path, silent=False):
 d.__file__ = file_path
 try:
 with open(file_path) as config_file:
- exec(compile(config_file.read(), file_path, 'exec'), d.__dict__)
+ exec(compile(config_file.read(), # nosec: config file safe
+ file_path, 'exec'), d.__dict__)
 except IOError as e:
 if silent and e.errno in (errno.ENOENT, errno.EISDIR):
 return False
diff --git a/lemur/plugins/lemur_email/templates/config.py b/lemur/plugins/lemur_email/templates/config.py
index 5c9b1f8e..2ec8a6c2 100644
--- a/lemur/plugins/lemur_email/templates/config.py
+++ b/lemur/plugins/lemur_email/templates/config.py
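Review bot: `pip install bandit` in the install step is unpinned, so the new CI gate changes behaviour whenever a Bandit release adds or retunes checks, and a build can start failing with no change to this repository. Pin the scanner and bump it deliberately, e.g. `- pip install bandit==<PINNED_VERSION>`. The `-ll -ii` flags on the script line mean low-severity and low-confidence findings are never surfaced in CI; that is the filtering the commit message describes, but a one-line `#` comment next to the command stating the threshold would keep it from being read as an oversight later.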
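Review bot: The `# nosec: config file safe` comment on the exec(compile(...)) line records that the Bandit finding is suppressed but not why the file contents are trusted, which is what the next maintainer needs when deciding whether the suppression still holds. State the assumption explicitly, e.g. `# nosec: file_path is an operator-chosen config path; whoever can write it already controls the process`, and add a short comment above the `try:` noting that write permissions on the config file are part of the trust boundary, since anything in that file runs with the privileges of the Lemur process. from_file's body continues outside the hunk, so any permission or ownership check would belong there rather than in this exec expression.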
@@ -1,11 +1,12 @@
 import os
 import arrow
-from jinja2 import Environment, FileSystemLoader
+from jinja2 import Environment, FileSystemLoader, select_autoescape
 from lemur.plugins.utils import get_plugin_option
 loader = FileSystemLoader(searchpath=os.path.dirname(os.path.realpath(__file__)))
-env = Environment(loader=loader)
+env = Environment(loader=loader, # nosec: potentially dangerous types esc.
+ autoescape=select_autoescape(['html', 'xml']))
 def human_time(time):
diff --git a/lemur/plugins/lemur_kubernetes/plugin.py b/lemur/plugins/lemur_kubernetes/plugin.py
index 2938effc..47c15e25 100644
--- a/lemur/plugins/lemur_kubernetes/plugin.py
+++ b/lemur/plugins/lemur_kubernetes/plugin.py
@@ -11,6 +11,7 @@
 .. moduleauthor:: Mikhail Khodorovskiy
 """
 import base64
+import os
 import urllib
 import requests
 import itertools
@@ -139,7 +140,8 @@ class K8sSession(requests.Session):
 'Authorization': 'Bearer %s' % bearer
 })
- k8_ca = '/tmp/k8.cert'
+ k8_ca = os.path.join(os.path.abspath(os.path.dirname(__file__)),
+ 'k8.cert')
 with open(k8_ca, "w") as text_file:
 text_file.write(cert)
diff --git a/setup.py b/setup.py
index 8f12da64..0c375240 100644
--- a/setup.py
+++ b/setup.py
@@ -30,7 +30,7 @@ sys.path.insert(0, ROOT)
 about = {}
 with open(os.path.join(ROOT, "lemur", "__about__.py")) as f:
- exec(f.read(), about)
+ exec(f.read(), about) # nosec: about file is benign
 install_requires = [
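Review bot: `autoescape=select_autoescape(['html', 'xml'])` enables escaping only for templates whose filenames end in .html or .xml; a template loaded through this `FileSystemLoader` under any other extension is still rendered with autoescape off, because select_autoescape uses `default=False` for named templates. Confirm that every template in this directory carries one of those extensions, or pass the actual list and a safe default, e.g. `autoescape=select_autoescape(enabled_extensions=('html', 'xml'), default=True)`, noting that a plain-text e-mail body should then be rendered through a separately configured environment rather than HTML-escaped. The suppression text `# nosec: potentially dangerous types esc.` does not say what is suppressed; reword it to `# autoescape on for html/xml templates (Bandit B701)` and check whether the nosec is still needed at all, since recent Bandit versions appear to recognise a select_autoescape call as a safe autoescape value.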
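Review bot: The new `k8_ca = os.path.join(os.path.abspath(os.path.dirname(__file__)), 'k8.cert')` trades the predictable /tmp path for a fixed file beside the module, which is frequently read-only once the package is installed (site-packages) and is still shared by every K8sSession, so concurrent sessions overwrite one another's CA bundle before requests reads it. A per-session temporary file clears the same Bandit finding without either problem: `fd, k8_ca = tempfile.mkstemp(suffix='.cert')` / `with os.fdopen(fd, 'w') as text_file:` / `text_file.write(cert)`, with `import tempfile` added next to the `import os` introduced in the first hunk. Nothing in the hunk removes the written file; if no code outside it does so, the session should delete the path when it is closed. The enclosing method of K8sSession starts and ends outside the hunk.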