diff --git a/.bandit-test.yml b/.bandit-test.yml
new file mode 100644
index 00000000..c71cb1be
--- /dev/null
+++ b/.bandit-test.yml
@@ -0,0 +1 @@
+skips: ['B101', 'B306', 'B404']
\ No newline at end of file
diff --git a/.bandit.yml b/.bandit.yml
new file mode 100644
index 00000000..dca96960
--- /dev/null
+++ b/.bandit.yml
@@ -0,0 +1 @@
+skips: ['B404', 'B603']
\ No newline at end of file
diff --git a/Makefile b/Makefile
index b91911cc..c32351d3 100644
--- a/Makefile
+++ b/Makefile
@@ -26,6 +26,8 @@ archlinux: archive
 check: clean mypy
 find "src/$(PROJECT)" "tests/$(PROJECT)" -name "*.py" -execdir autopep8 --exit-code --max-line-length 120 -aa -i {} +
 cd src && pylint --rcfile=../.pylintrc "$(PROJECT)"
+ cd src && bandit -c ../.bandit.yml -r "$(PROJECT)"
+ cd tests && bandit -c ../.bandit-test.yml -r "$(PROJECT)"
 
 clean:
 find . -type f -name "$(PROJECT)-*-src.tar.xz" -delete
diff --git a/setup.py b/setup.py
index e669f8a9..6d1e792e 100644
--- a/setup.py
+++ b/setup.py
@@ -74,6 +74,7 @@ setup(
 extras_require={
 "check": [
 "autopep8",
+ "bandit",
 "mypy",
 "pylint",
 ],
diff --git a/src/ahriman/application/ahriman.py b/src/ahriman/application/ahriman.py
index 02e061e2..9d591ee7 100644
--- a/src/ahriman/application/ahriman.py
+++ b/src/ahriman/application/ahriman.py
@@ -19,6 +19,7 @@
 #
 import argparse
 import sys
+import tempfile
 from pathlib import Path
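Review bot: Skipping B603 for the whole of `src/` in .bandit.yml turns off the one bandit check that flags subprocess invocations whose arguments might be influenced by untrusted input, so every future `subprocess` call in the package is exempt from that review by default. Skipping the import-only warning B404 globally is reasonable, but B603 is better suppressed at each call site with a scoped marker and a short reason, e.g. `# nosec B603  # argv is a fixed list, no shell`, matching the per-line treatment this commit gives the md5 calls in s3.py. The same consideration applies to B306 in .bandit-test.yml: if the tests rely on `tempfile.mktemp`, switching them to `tempfile.mkstemp` or `TemporaryDirectory` removes the finding without disabling the check for every test file.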
@@ -44,7 +45,14 @@ def _parser() -> argparse.ArgumentParser:
 action="append")
 parser.add_argument("-c", "--configuration", help="configuration path", type=Path, default=Path("/etc/ahriman.ini"))
 parser.add_argument("--force", help="force run, remove file lock", action="store_true")
- parser.add_argument("-l", "--lock", help="lock file", type=Path, default=Path("/tmp/ahriman.lock"))
+ parser.add_argument(
+ "-l",
+ "--lock",
+ help="lock file",
+ type=Path,
+ default=Path(
+ tempfile.gettempdir()) /
+ "ahriman.lock")
 parser.add_argument("--no-log", help="redirect all log messages to stderr", action="store_true")
 parser.add_argument("--no-report", help="force disable reporting to web service", action="store_true")
 parser.add_argument("--unsafe", help="allow to run ahriman as non-ahriman user", action="store_true")
diff --git a/src/ahriman/core/upload/s3.py b/src/ahriman/core/upload/s3.py
index b1c1c6f8..008d6831 100644
--- a/src/ahriman/core/upload/s3.py
+++ b/src/ahriman/core/upload/s3.py
@@ -50,6 +50,7 @@ class S3(Upload):
 """
 calculate amazon s3 etag
 credits to https://teppen.io/2018/10/23/aws_s3_verify_etags/
+ For this method we have to define nosec because it is out of any security context and provided by AWS
 :param path: path to local file
 :param chunk_size: read chunk size, which depends on client settings
 :return: calculated entity tag for local file
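Review bot: The new default `Path(tempfile.gettempdir()) / "ahriman.lock"` makes the hard-coded-/tmp finding go away but keeps the property it was flagging: on most systems `gettempdir()` still resolves to the shared, world-writable temp directory, where another local user can pre-create or symlink `ahriman.lock` before the service does. Whether that is exploitable depends on how the lock file is opened, which is outside this hunk; unless it is created with an atomic exclusive create (`O_CREAT | O_EXCL` or equivalent), a directory writable only by the ahriman user would be the safer default, and a comment on the default such as `# NOTE: shared temp dir; lock must be created exclusively (see lock handling)` would record the assumption. Separately, the autopep8 wrapping of the `default=` expression is hard to read; hoisting it to `default_lock = Path(tempfile.gettempdir()) / "ahriman.lock"` above the call keeps the single-line `parser.add_argument("-l", "--lock", help="lock file", type=Path, default=default_lock)` shape that the neighbouring arguments use. `_parser` continues outside the hunk.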
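Review bot: The added docstring sentence is hard to parse ("out of any security context and provided by AWS") and describes a linter suppression rather than the method's contract, so it sits oddly in the public docstring. Keeping the docstring to behaviour and putting the rationale next to the suppressed lines reads better, e.g. a code comment `# MD5 is dictated by the S3 ETag algorithm; it is a content fingerprint, not a security hash` beside the `# nosec` markers in the next hunk. The method body continues in the following hunk.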
@@ -57,11 +58,11 @@ class S3(Upload):
 md5s = []
 with path.open("rb") as local_file:
 for chunk in iter(lambda: local_file.read(chunk_size), b""):
- md5s.append(hashlib.md5(chunk))
+ md5s.append(hashlib.md5(chunk)) # nosec
 # in case if there is only one chunk it must be just this checksum
 # and checksum of joined digest otherwise (including empty list)
- checksum = md5s[0] if len(md5s) == 1 else hashlib.md5(b"".join(md5.digest() for md5 in md5s))
+ checksum = md5s[0] if len(md5s) == 1 else hashlib.md5(b"".join(md5.digest() for md5 in md5s)) # nosec
 # in case if there are more than one chunk it should be appended with amount of chunks
 suffix = f"-{len(md5s)}" if len(md5s) > 1 else ""
 return f"{checksum.hexdigest()}{suffix}"
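Review bot: The two bare `# nosec` markers disable every bandit check on those lines rather than only the md5 finding, so a different issue introduced on the same line later would be hidden; scoping them to the reported test id (`# nosec B303`, or `B324` on bandit releases that report md5 under that id) keeps the suppression narrow. If the project's minimum Python is 3.9 or newer, `hashlib.md5(chunk, usedforsecurity=False)` is the more precise fix: it states the intent in the code itself, and recent bandit releases treat that keyword as non-security use without needing a marker at all. MD5 is unavoidable here because the S3 ETag format is defined by AWS, so the remaining point is only how the suppression is expressed. The enclosing method starts before this hunk; its signature is not shown.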