Review Bandit findings
alxndr42 committed Feb 27, 2022
1 parent 8664dbc commit 4830f39
Showing 4 changed files with 103 additions and 15 deletions.
1 change: 1 addition & 0 deletions Pipfile
Expand Up @@ -8,6 +8,7 @@ click = "*"
pydantic = "*"

[dev-packages]
bandit = "*"
build = "*"
pycodestyle = "*"
pytest = "*"
89 changes: 88 additions & 1 deletion Pipfile.lock


26 changes: 13 additions & 13 deletions src/icepack/helper.py
Expand Up @@ -2,7 +2,7 @@
import os
from pathlib import Path
from shutil import copyfileobj, rmtree, which
import subprocess
import subprocess # nosec
import tempfile

from zipfile import ZIP_STORED, is_zipfile, ZipFile, ZipInfo
Expand All @@ -13,7 +13,7 @@

_BUFFER_SIZE = 64 * 1024
_PUBLIC_KEY_PREFIX = 'age'
_SECRET_KEY_PREFIX = 'AGE-SECRET-KEY-'
_SECRET_KEY_PREFIX = 'AGE-SECRET-KEY-' # nosec No secret


class Age():
Expand All @@ -24,7 +24,7 @@ def keygen():
"""Return a (secret_key, public_key) from age-keygen."""
secret_key = None
public_key = None
result = subprocess.run(
result = subprocess.run( # nosec Trusted input
['age-keygen'],
capture_output=True,
text=True,
Expand All @@ -36,7 +36,7 @@ def keygen():
break
else:
raise Exception('No secret key in age-keygen output.')
result = subprocess.run(
result = subprocess.run( # nosec Trusted input
['age-keygen', '-y'],
input=secret_key,
capture_output=True,
Expand All @@ -52,7 +52,7 @@ def keygen():
@staticmethod
def encrypt(src_path, dst_path, secret_key):
"""Encrypt src_path to dst_path, pass secret_key to age STDIN."""
subprocess.run(
subprocess.run( # nosec Trusted input
['age', '-e', '-i', '-', '-o', str(dst_path), str(src_path)],
input=secret_key,
text=True,
Expand All @@ -61,7 +61,7 @@ def encrypt(src_path, dst_path, secret_key):
@staticmethod
def decrypt(src_path, dst_path, secret_key):
"""Decrypt src_path to dst_path, pass secret_key to age STDIN."""
subprocess.run(
subprocess.run( # nosec Trusted input
['age', '-d', '-i', '-', '-o', str(dst_path), str(src_path)],
input=secret_key,
text=True,
Expand All @@ -73,12 +73,12 @@ def encrypt_bytes(data, dst_path, recipients):
args = ['age', '-e', '-o', str(dst_path)]
for recipient in recipients:
args.extend(['-r', recipient])
subprocess.run(args, input=data, check=True)
subprocess.run(args, input=data, check=True) # nosec Trusted input

@staticmethod
def decrypt_bytes(src_path, identity):
"""Decrypt src_path via age STDOUT."""
result = subprocess.run(
result = subprocess.run( # nosec Trusted input
['age', '-d', '-i', str(identity), str(src_path)],
capture_output=True,
check=True)
Expand All @@ -89,7 +89,7 @@ def version():
"""Return the age version and age-keygen presence as a tuple."""
age_version = None
if which('age'):
result = subprocess.run(
result = subprocess.run( # nosec Trusted input
['age', '--version'],
capture_output=True,
text=True,
Expand Down Expand Up @@ -145,7 +145,7 @@ def keygen(key_path):
secret_key = key_path / SECRET_KEY
if secret_key.is_file():
raise Exception(f'{secret_key} already exists.')
subprocess.run(
subprocess.run( # nosec Trusted input
[
'ssh-keygen',
'-t', 'ed25519',
Expand All @@ -162,7 +162,7 @@ def keygen(key_path):
@staticmethod
def sign(data_path, secret_key):
"""Sign data_path with ssh-keygen."""
subprocess.run(
subprocess.run( # nosec Trusted input
[
'ssh-keygen',
'-Y', 'sign',
Expand All @@ -180,7 +180,7 @@ def sign(data_path, secret_key):
@staticmethod
def verify(data_path, sig_path, allowed_signers):
"""Verify the signature with ssh-keygen."""
subprocess.run(
subprocess.run( # nosec Trusted input
[
'ssh-keygen',
'-Y', 'verify',
Expand All @@ -198,7 +198,7 @@ def version():
"""Return the SSH version and ssh-keygen presence as a tuple."""
ssh_version = None
if which('ssh'):
result = subprocess.run(
result = subprocess.run( # nosec Trusted input
['ssh', '-V'],
capture_output=True,
text=True,
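Review bot: Every `# nosec` added in this file is unqualified, so it silences all Bandit checks on that line rather than only the B603/B607 findings it answers; a later edit that adds `shell=True` to one of these `subprocess.run` calls would then go unreported. If the installed Bandit supports test IDs after the marker, narrowing each one, e.g. `subprocess.run(  # nosec B603,B607 - argv list, no shell`, keeps the waiver honest, and the same applies to the marker on `import subprocess` (B404) and to the `# nosec No secret` markers on `_SECRET_KEY_PREFIX` here and on `SECRET_KEY` in src/icepack/meta.py (B105). The "Trusted input" rationale should also say where the trust comes from: in `encrypt_bytes` each `recipient` is placed in argv after `-r` and in the other calls `secret_key`/`identity` reach age via stdin or a path argument, so the claim holds only while callers validate those values — a comment such as `# argv is a list and never shell-interpreted; recipients/keys are caller-supplied` states the actual guarantee. The enclosing classes and several of the annotated methods start and end outside the visible hunks.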
2 changes: 1 addition & 1 deletion src/icepack/meta.py
@@ -1,6 +1,6 @@
NAME = 'icepack'
VERSION = '0.5.0'

SECRET_KEY = 'identity'
SECRET_KEY = 'identity' # nosec No secret
PUBLIC_KEY = 'identity.pub'
ALLOWED_SIGNERS = 'allowed_signers'
