add bandit integration and fix its warnings

2025-04-24 07:17:17 +00:00 · 2021-08-11 02:45:13 +03:00 · 2021-08-11 02:45:13 +03:00 · 62661c9fb1
commit 62661c9fb1
parent 78636c2035
6 changed files with 17 additions and 3 deletions
--- a/.bandit-test.yml
+++ b/.bandit-test.yml
@ -0,0 +1 @@
+skips: ['B101', 'B306', 'B404']
--- a/.bandit.yml
+++ b/.bandit.yml
@ -0,0 +1 @@
+skips: ['B404', 'B603']
--- a/2
+++ b/2
@ -26,6 +26,8 @@ archlinux: archive
 check: clean mypy
 	find "src/$(PROJECT)" "tests/$(PROJECT)" -name "*.py" -execdir autopep8 --exit-code --max-line-length 120 -aa -i {} +
 	cd src && pylint --rcfile=../.pylintrc "$(PROJECT)"
+	cd src && bandit -c ../.bandit.yml -r "$(PROJECT)"
+	cd tests && bandit -c ../.bandit-test.yml -r "$(PROJECT)"

 clean:
 	find . -type f -name "$(PROJECT)-*-src.tar.xz" -delete
--- a/setup.py
+++ b/setup.py
@ -74,6 +74,7 @@ setup(
    extras_require={
        "check": [
            "autopep8",
+            "bandit",
            "mypy",
            "pylint",
        ],
--- a/src/ahriman/application/ahriman.py
+++ b/src/ahriman/application/ahriman.py
@ -19,6 +19,7 @@
 #
 import argparse
 import sys
+import tempfile

 from pathlib import Path

@ -44,7 +45,14 @@ def _parser() -> argparse.ArgumentParser:
                        action="append")
    parser.add_argument("-c", "--configuration", help="configuration path", type=Path, default=Path("/etc/ahriman.ini"))
    parser.add_argument("--force", help="force run, remove file lock", action="store_true")
-    parser.add_argument("-l", "--lock", help="lock file", type=Path, default=Path("/tmp/ahriman.lock"))
+    parser.add_argument(
+        "-l",
+        "--lock",
+        help="lock file",
+        type=Path,
+        default=Path(
+            tempfile.gettempdir()) /
+        "ahriman.lock")
    parser.add_argument("--no-log", help="redirect all log messages to stderr", action="store_true")
    parser.add_argument("--no-report", help="force disable reporting to web service", action="store_true")
    parser.add_argument("--unsafe", help="allow to run ahriman as non-ahriman user", action="store_true")
--- a/src/ahriman/core/upload/s3.py
+++ b/src/ahriman/core/upload/s3.py
@ -50,6 +50,7 @@ class S3(Upload):
        """
        calculate amazon s3 etag
        credits to https://teppen.io/2018/10/23/aws_s3_verify_etags/
+        For this method we have to define nosec because it is out of any security context and provided by AWS
        :param path: path to local file
        :param chunk_size: read chunk size, which depends on client settings
        :return: calculated entity tag for local file
@ -57,11 +58,11 @@ class S3(Upload):
        md5s = []
        with path.open("rb") as local_file:
            for chunk in iter(lambda: local_file.read(chunk_size), b""):
-                md5s.append(hashlib.md5(chunk))
+                md5s.append(hashlib.md5(chunk))  # nosec

        # in case if there is only one chunk it must be just this checksum
        # and checksum of joined digest otherwise (including empty list)
-        checksum = md5s[0] if len(md5s) == 1 else hashlib.md5(b"".join(md5.digest() for md5 in md5s))
+        checksum = md5s[0] if len(md5s) == 1 else hashlib.md5(b"".join(md5.digest() for md5 in md5s))  # nosec
        # in case if there are more than one chunk it should be appended with amount of chunks
        suffix = f"-{len(md5s)}" if len(md5s) > 1 else ""
        return f"{checksum.hexdigest()}{suffix}"