add bandit integration and fix its warnings

2021-08-11 02:45:13 +03:00
parent 375d7c55e5
commit 48e79ce39c
6 changed files with 17 additions and 3 deletions


@ -19,6 +19,7 @@
#
import argparse
import sys
import tempfile
from pathlib import Path
@ -44,7 +45,14 @@ def _parser() -> argparse.ArgumentParser:
action="append")
parser.add_argument("-c", "--configuration", help="configuration path", type=Path, default=Path("/etc/ahriman.ini"))
parser.add_argument("--force", help="force run, remove file lock", action="store_true")
parser.add_argument("-l", "--lock", help="lock file", type=Path, default=Path("/tmp/ahriman.lock"))
parser.add_argument(
"-l",
"--lock",
help="lock file",
type=Path,
default=Path(
tempfile.gettempdir()) /
"ahriman.lock")
parser.add_argument("--no-log", help="redirect all log messages to stderr", action="store_true")
parser.add_argument("--no-report", help="force disable reporting to web service", action="store_true")
parser.add_argument("--unsafe", help="allow to run ahriman as non-ahriman user", action="store_true")
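Review bot: The new `--lock` default still puts a fixed file name in a shared, world-writable temporary directory, so swapping the literal `/tmp` for `tempfile.gettempdir()` silences bandit's hardcoded-tmp warning without reducing the exposure: another local user can still pre-create `ahriman.lock` there or replace it with a link. The default now also follows `TMPDIR`, so two invocations started with different environments would presumably use different lock files and not exclude each other. Consider a default in a directory writable only by the service user. If the temporary directory stays, the argument reads better on one line as `default=Path(tempfile.gettempdir()) / "ahriman.lock"`. `_parser` starts and ends outside this hunk, so how the lock file is created and opened is not visible here.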


@ -50,6 +50,7 @@ class S3(Upload):
"""
calculate amazon s3 etag
credits to https://teppen.io/2018/10/23/aws_s3_verify_etags/
For this method we have to define nosec because it is out of any security context and provided by AWS
:param path: path to local file
:param chunk_size: read chunk size, which depends on client settings
:return: calculated entity tag for local file
@ -57,11 +58,11 @@ class S3(Upload):
md5s = []
with path.open("rb") as local_file:
for chunk in iter(lambda: local_file.read(chunk_size), b""):
md5s.append(hashlib.md5(chunk))
md5s.append(hashlib.md5(chunk)) # nosec
# in case if there is only one chunk it must be just this checksum
# and checksum of joined digest otherwise (including empty list)
checksum = md5s[0] if len(md5s) == 1 else hashlib.md5(b"".join(md5.digest() for md5 in md5s))
checksum = md5s[0] if len(md5s) == 1 else hashlib.md5(b"".join(md5.digest() for md5 in md5s)) # nosec
# in case if there are more than one chunk it should be appended with amount of chunks
suffix = f"-{len(md5s)}" if len(md5s) > 1 else ""
return f"{checksum.hexdigest()}{suffix}"
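Review bot: The two bare `# nosec` comments on the `hashlib.md5` calls suppress every bandit check on those lines, not only the weak-hash finding, and give no reason at the call site. If the bandit version in use supports it, scope each suppression to the specific test ID. If the project targets Python 3.9 or later, pass `usedforsecurity=False` instead and drop the comment, e.g. `md5s.append(hashlib.md5(chunk, usedforsecurity=False))`. The added docstring sentence would be clearer as `MD5 is used only because the S3 ETag format requires it; the result is a change-detection checksum and must not be relied on to detect tampering.` The method's signature is outside the hunk.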