Fixing Bandit findings and adding travis Bandit job (#759)

* Fixes for Bandit This commit fixes a couple of issues so that Bandit can run cleanly using medium+ severity and confidence filtering. * Adding Lemur Bandit job to TravisCI
2017-04-24 18:37:03 -07:00 · 2017-04-24 18:37:03 -07:00 · bc66ede9aa
parent 1c295896e6
commit bc66ede9aa
5 changed files with 11 additions and 5 deletions
--- a/.travis.yml
+++ b/.travis.yml
@ -34,9 +34,11 @@ before_script:

 install:
  - pip install coveralls
+  - pip install bandit

 script:
  - make test
+  - bandit -r . -ll -ii -x lemur/tests/,docs

 after_success:
  - coveralls
--- a/lemur/factory.py
+++ b/lemur/factory.py
@ -73,7 +73,8 @@ def from_file(file_path, silent=False):
    d.__file__ = file_path
    try:
        with open(file_path) as config_file:
-            exec(compile(config_file.read(), file_path, 'exec'), d.__dict__)
+            exec(compile(config_file.read(),  # nosec: config file safe
+                 file_path, 'exec'), d.__dict__)
    except IOError as e:
        if silent and e.errno in (errno.ENOENT, errno.EISDIR):
            return False
--- a/lemur/plugins/lemur_email/templates/config.py
+++ b/lemur/plugins/lemur_email/templates/config.py
@ -1,11 +1,12 @@
 import os
 import arrow
-from jinja2 import Environment, FileSystemLoader
+from jinja2 import Environment, FileSystemLoader, select_autoescape

 from lemur.plugins.utils import get_plugin_option

 loader = FileSystemLoader(searchpath=os.path.dirname(os.path.realpath(__file__)))
-env = Environment(loader=loader)
+env = Environment(loader=loader,  # nosec: potentially dangerous types esc.
+                  autoescape=select_autoescape(['html', 'xml']))


 def human_time(time):
--- a/lemur/plugins/lemur_kubernetes/plugin.py
+++ b/lemur/plugins/lemur_kubernetes/plugin.py
@ -11,6 +11,7 @@
 .. moduleauthor:: Mikhail Khodorovskiy <mikhail.khodorovskiy@jivesoftware.com>
 """
 import base64
+import os
 import urllib
 import requests
 import itertools
@ -139,7 +140,8 @@ class K8sSession(requests.Session):
            'Authorization': 'Bearer %s' % bearer
        })

-        k8_ca = '/tmp/k8.cert'
+        k8_ca = os.path.join(os.path.abspath(os.path.dirname(__file__)), 
+                             'k8.cert')

        with open(k8_ca, "w") as text_file:
            text_file.write(cert)
--- a/setup.py
+++ b/setup.py
@ -30,7 +30,7 @@ sys.path.insert(0, ROOT)

 about = {}
 with open(os.path.join(ROOT, "lemur", "__about__.py")) as f:
-    exec(f.read(), about)
+    exec(f.read(), about)  # nosec: about file is benign


 install_requires = [